Misaligned memory access in btf_ext__new() #391

Closed
evverx opened this issue Oct 15, 2021 · 10 comments
Labels: bug (Something isn't working)

Comments

@evverx (Contributor)

evverx commented Oct 15, 2021

I compiled the minimal bpf application from https://github.com/libbpf/libbpf-bootstrap with ASan/UBSan and linked it against libbpf pointing at the master branch (built with ASan/UBSan as well). When I ran it, I got a few UBSan warnings (I'm not sure whether it has anything to do with libbpf or with the way bpf skeletons are generated by clang/bpftool, though):

$ cat /proc/version
Linux version 5.14.10-100.fc33.x86_64 (mockbuild@bkernel02.iad2.fedoraproject.org) (gcc (GCC) 10.3.1 20210422 (Red Hat 10.3.1-1), GNU ld version 2.35-18.fc33) #1 SMP Thu Oct 7 21:39:21 UTC 2021

$ bpftool --version
bpftool v5.14.9
features: libbfd, skeletons

$ clang --version
clang version 11.0.0 (Fedora 11.0.0-3.fc33)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
libbpf: loading object 'minimal_bpf' from buffer
libbpf: elf: section(2) tp/syscalls/sys_enter_write, size 104, link 0, flags 6, type=1
libbpf: sec 'tp/syscalls/sys_enter_write': found program 'handle_tp' at insn offset 0 (0 bytes), code size 13 insns (104 bytes)
libbpf: elf: section(3) license, size 13, link 0, flags 3, type=1
libbpf: license of minimal_bpf is Dual BSD/GPL
libbpf: elf: section(4) .bss, size 4, link 0, flags 3, type=8
libbpf: elf: section(5) .rodata, size 28, link 0, flags 2, type=1
libbpf: elf: section(6) .BTF, size 595, link 0, flags 0, type=1
libbpf: elf: section(7) .BTF.ext, size 160, link 0, flags 0, type=1
libbpf: elf: section(8) .eh_frame, size 48, link 0, flags 2, type=1
libbpf: elf: skipping unrecognized data section(8) .eh_frame
libbpf: elf: section(9) .symtab, size 192, link 15, flags 0, type=2
libbpf: elf: section(10) .reltp/syscalls/sys_enter_write, size 32, link 9, flags 0, type=9
libbpf: elf: section(13) .rel.eh_frame, size 16, link 9, flags 0, type=9
libbpf: elf: skipping relo section(13) .rel.eh_frame for section(8) .eh_frame
btf.c:2754:21: runtime error: member access within misaligned address 0x0000004d6487 for type 'const struct btf_ext_header', which requires 4 byte alignment
0x0000004d6487: note: pointer points here
 6e 73 65 00 9f  eb 01 00 20 00 00 00 00  00 00 00 14 00 00 00 14  00 00 00 6c 00 00 00 80  00 00 00
             ^
    #0 0x4c1a54 in btf_ext_parse_hdr /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2754
    #1 0x4c1f52 in btf_ext__new /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2798
    #2 0x4207ff in bpf_object__init_btf /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:2636
    #3 0x425493 in bpf_object__elf_collect /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:3146
    #4 0x452160 in __bpf_object__open /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6590
    #5 0x4527ca in bpf_object__open_mem /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6655
    #6 0x47d2e8 in bpf_object__open_skeleton /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:11052
    #7 0x403b36 in minimal_bpf__open_opts .output/minimal.skel.h:57
    #8 0x403bee in minimal_bpf__open .output/minimal.skel.h:71
    #9 0x404ec6 in main /home/vagrant/libbpf-bootstrap/examples/c/minimal.c:39
    #10 0x7fca3a7211e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #11 0x4038cd in _start (/home/vagrant/libbpf-bootstrap/examples/c/minimal+0x4038cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior btf.c:2754:21 in
btf.c:2759:9: runtime error: member access within misaligned address 0x0000004d6487 for type 'const struct btf_ext_header', which requires 4 byte alignment
0x0000004d6487: note: pointer points here
 6e 73 65 00 9f  eb 01 00 20 00 00 00 00  00 00 00 14 00 00 00 14  00 00 00 6c 00 00 00 80  00 00 00
             ^
    #0 0x4c1afb in btf_ext_parse_hdr /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2759
    #1 0x4c1f52 in btf_ext__new /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2798
    #2 0x4207ff in bpf_object__init_btf /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:2636
    #3 0x425493 in bpf_object__elf_collect /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:3146
    #4 0x452160 in __bpf_object__open /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6590
    #5 0x4527ca in bpf_object__open_mem /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6655
    #6 0x47d2e8 in bpf_object__open_skeleton /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:11052
    #7 0x403b36 in minimal_bpf__open_opts .output/minimal.skel.h:57
    #8 0x403bee in minimal_bpf__open .output/minimal.skel.h:71
    #9 0x404ec6 in main /home/vagrant/libbpf-bootstrap/examples/c/minimal.c:39
    #10 0x7fca3a7211e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #11 0x4038cd in _start (/home/vagrant/libbpf-bootstrap/examples/c/minimal+0x4038cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior btf.c:2759:9 in
btf.c:2762:16: runtime error: member access within misaligned address 0x0000004d6487 for type 'const struct btf_ext_header', which requires 4 byte alignment
0x0000004d6487: note: pointer points here
 6e 73 65 00 9f  eb 01 00 20 00 00 00 00  00 00 00 14 00 00 00 14  00 00 00 6c 00 00 00 80  00 00 00
             ^
    #0 0x4c1b89 in btf_ext_parse_hdr /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2762
    #1 0x4c1f52 in btf_ext__new /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2798
    #2 0x4207ff in bpf_object__init_btf /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:2636
    #3 0x425493 in bpf_object__elf_collect /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:3146
    #4 0x452160 in __bpf_object__open /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6590
    #5 0x4527ca in bpf_object__open_mem /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6655
    #6 0x47d2e8 in bpf_object__open_skeleton /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:11052
    #7 0x403b36 in minimal_bpf__open_opts .output/minimal.skel.h:57
    #8 0x403bee in minimal_bpf__open .output/minimal.skel.h:71
    #9 0x404ec6 in main /home/vagrant/libbpf-bootstrap/examples/c/minimal.c:39
    #10 0x7fca3a7211e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #11 0x4038cd in _start (/home/vagrant/libbpf-bootstrap/examples/c/minimal+0x4038cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior btf.c:2762:16 in
btf.c:2767:9: runtime error: member access within misaligned address 0x0000004d6487 for type 'const struct btf_ext_header', which requires 4 byte alignment
0x0000004d6487: note: pointer points here
 6e 73 65 00 9f  eb 01 00 20 00 00 00 00  00 00 00 14 00 00 00 14  00 00 00 6c 00 00 00 80  00 00 00
             ^
    #0 0x4c1c3d in btf_ext_parse_hdr /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2767
    #1 0x4c1f52 in btf_ext__new /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2798
    #2 0x4207ff in bpf_object__init_btf /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:2636
    #3 0x425493 in bpf_object__elf_collect /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:3146
    #4 0x452160 in __bpf_object__open /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6590
    #5 0x4527ca in bpf_object__open_mem /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6655
    #6 0x47d2e8 in bpf_object__open_skeleton /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:11052
    #7 0x403b36 in minimal_bpf__open_opts .output/minimal.skel.h:57
    #8 0x403bee in minimal_bpf__open .output/minimal.skel.h:71
    #9 0x404ec6 in main /home/vagrant/libbpf-bootstrap/examples/c/minimal.c:39
    #10 0x7fca3a7211e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #11 0x4038cd in _start (/home/vagrant/libbpf-bootstrap/examples/c/minimal+0x4038cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior btf.c:2767:9 in
btf.c:2772:9: runtime error: member access within misaligned address 0x0000004d6487 for type 'const struct btf_ext_header', which requires 4 byte alignment
0x0000004d6487: note: pointer points here
 6e 73 65 00 9f  eb 01 00 20 00 00 00 00  00 00 00 14 00 00 00 14  00 00 00 6c 00 00 00 80  00 00 00
             ^
    #0 0x4c1d30 in btf_ext_parse_hdr /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2772
    #1 0x4c1f52 in btf_ext__new /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2798
    #2 0x4207ff in bpf_object__init_btf /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:2636
    #3 0x425493 in bpf_object__elf_collect /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:3146
    #4 0x452160 in __bpf_object__open /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6590
    #5 0x4527ca in bpf_object__open_mem /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6655
    #6 0x47d2e8 in bpf_object__open_skeleton /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:11052
    #7 0x403b36 in minimal_bpf__open_opts .output/minimal.skel.h:57
    #8 0x403bee in minimal_bpf__open .output/minimal.skel.h:71
    #9 0x404ec6 in main /home/vagrant/libbpf-bootstrap/examples/c/minimal.c:39
    #10 0x7fca3a7211e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #11 0x4038cd in _start (/home/vagrant/libbpf-bootstrap/examples/c/minimal+0x4038cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior btf.c:2772:9 in
btf.c:2777:22: runtime error: member access within misaligned address 0x0000004d6487 for type 'const struct btf_ext_header', which requires 4 byte alignment
0x0000004d6487: note: pointer points here
 6e 73 65 00 9f  eb 01 00 20 00 00 00 00  00 00 00 14 00 00 00 14  00 00 00 6c 00 00 00 80  00 00 00
             ^
    #0 0x4c1e23 in btf_ext_parse_hdr /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2777
    #1 0x4c1f52 in btf_ext__new /home/vagrant/libbpf-bootstrap/libbpf/src/btf.c:2798
    #2 0x4207ff in bpf_object__init_btf /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:2636
    #3 0x425493 in bpf_object__elf_collect /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:3146
    #4 0x452160 in __bpf_object__open /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6590
    #5 0x4527ca in bpf_object__open_mem /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:6655
    #6 0x47d2e8 in bpf_object__open_skeleton /home/vagrant/libbpf-bootstrap/libbpf/src/libbpf.c:11052
    #7 0x403b36 in minimal_bpf__open_opts .output/minimal.skel.h:57
    #8 0x403bee in minimal_bpf__open .output/minimal.skel.h:71
    #9 0x404ec6 in main /home/vagrant/libbpf-bootstrap/examples/c/minimal.c:39
    #10 0x7fca3a7211e1 in __libc_start_main (/lib64/libc.so.6+0x281e1)
    #11 0x4038cd in _start (/home/vagrant/libbpf-bootstrap/examples/c/minimal+0x4038cd)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior btf.c:2777:22 in
libbpf: looking for externs among 8 symbols...
libbpf: collected 0 externs total
libbpf: map 'minimal_.rodata' (global data): at sec_idx 5, offset 0, flags 480.
libbpf: map 0 is "minimal_.rodata"
libbpf: map 'minimal_.bss' (global data): at sec_idx 4, offset 0, flags 400.
libbpf: map 1 is "minimal_.bss"
libbpf: sec '.reltp/syscalls/sys_enter_write': collecting relocation for section(2) 'tp/syscalls/sys_enter_write'
libbpf: sec '.reltp/syscalls/sys_enter_write': relo #0: insn #2 against 'my_pid'
libbpf: prog 'handle_tp': found data map 1 (minimal_.bss, sec 4, off 0) for insn 2
libbpf: sec '.reltp/syscalls/sys_enter_write': relo #1: insn #6 against '.rodata'
libbpf: prog 'handle_tp': found data map 0 (minimal_.rodata, sec 5, off 0) for insn 6
libbpf: map 'minimal_.rodata': created successfully, fd=4
libbpf: map 'minimal_.bss': created successfully, fd=5
@anakryiko (Member)

There seem to be two points where we lose a proper alignment of BTF and BTF.ext data:

  • BPF ELF file itself specifies 1-byte alignment for .BTF and .BTF.ext sections. @yonghong-song, it's probably a good idea to fix compiler to use a 4-byte alignment for these sections.
  • BPF skeleton generation embeds that BPF ELF file as a byte string through a string literal. Given it's a string literal, compiler doesn't enforce any alignment on it at all. We can fix the second issue with skeleton changes.

But ultimately to guarantee no misaligned memory accesses when parsing BTF and BTF.ext, libbpf would need to do a memory copy, if provided source data is mis-aligned. It will incur runtime overhead and add a bit of code complexity. For x86/x86-64 architectures this misalignment is not a problem per se, but for some other arches it will lead to a crash, so we probably have to pay this price.

@evverx (Contributor, Author)

evverx commented Oct 19, 2021

It's probably worth mentioning that the "alignment" check is turned off by default on OSS-Fuzz so it should be safe to include the undefined sanitizer in google/oss-fuzz#6608 in its current form. Though I think once it's fixed something like -fsanitize=alignment -fno-sanitize-recover=alignment should be added to CFLAGS/CXXFLAGS in the build script eventually to catch and hopefully prevent issues like this.

@anakryiko (Member)

anakryiko commented Oct 19, 2021

  • BPF ELF file itself specifies 1-byte alignment for .BTF and .BTF.ext sections.

Yonghong fixed this in https://reviews.llvm.org/D112106 already.

fengguang pushed a commit to 0day-ci/linux that referenced this issue Nov 24, 2021
Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
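The memory-copy approach anakryiko outlines above, and the fix the referenced commit message summarizes, as an added example that is not libbpf's code: the header is copied into an aligned object before any field is read, so the raw bytes may sit at any address (here deliberately 3 bytes past a 4-byte boundary, matching the reported address 0x...487). The struct layout follows libbpf's struct btf_ext_header; the function names, the range check on the info blocks, and the zero-filled payload placed behind the 32 header bytes taken from the UBSan dump are this example's own assumptions.

```c
#include <errno.h>
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BTF_MAGIC   0xeB9F
#define BTF_VERSION 1
#define SAMPLE_SIZE 160
#define offsetofend(T, m) (offsetof(T, m) + sizeof(((T *)0)->m))

/* Same field layout as libbpf's struct btf_ext_header; the uint32_t members
 * give it the 4-byte alignment requirement UBSan reports. */
struct btf_ext_header {
	uint16_t magic;
	uint8_t  version;
	uint8_t  flags;
	uint32_t hdr_len;
	uint32_t func_info_off; /* offsets are relative to the end of the header */
	uint32_t func_info_len;
	uint32_t line_info_off;
	uint32_t line_info_len;
	uint32_t core_relo_off; /* optional trailing part of the header */
	uint32_t core_relo_len;
};

/* Overflow-safe check that [off, off + len) lies inside `avail` bytes. */
static int range_ok(uint32_t off, uint32_t len, size_t avail)
{
	return off <= avail && len <= avail - off;
}

/* The fix's pattern: copy the header into an aligned object, then run every
 * sanity check on the copy, so `data` may have any alignment.  The pre-fix code
 * did `hdr = (const struct btf_ext_header *)data` and read hdr->magic etc.
 * straight from the misaligned bytes.  Returns 0, -EINVAL or -ENOTSUP. */
int parse_btf_ext_hdr(const void *data, size_t data_size, struct btf_ext_header *out)
{
	const unsigned char *p = data;
	uint32_t hdr_len;
	size_t avail;

	if (data_size < offsetofend(struct btf_ext_header, hdr_len))
		return -EINVAL;
	memcpy(&hdr_len, p + offsetof(struct btf_ext_header, hdr_len), sizeof(hdr_len));
	if (hdr_len < offsetofend(struct btf_ext_header, line_info_len) || hdr_len > data_size)
		return -EINVAL;
	memset(out, 0, sizeof(*out));          /* core_relo_* stay 0 for 24-byte headers */
	memcpy(out, p, hdr_len < sizeof(*out) ? hdr_len : sizeof(*out));

	if (out->magic == (uint16_t)((BTF_MAGIC >> 8) | (BTF_MAGIC << 8)))
		return -ENOTSUP;                   /* non-native endianness */
	if (out->magic != BTF_MAGIC)
		return -EINVAL;
	if (out->version != BTF_VERSION || out->flags)
		return -ENOTSUP;
	if (data_size == hdr_len)
		return -EINVAL;                    /* header only, no info blocks */
	avail = data_size - hdr_len;
	if (!range_ok(out->func_info_off, out->func_info_len, avail) ||
	    !range_ok(out->line_info_off, out->line_info_len, avail) ||
	    !range_ok(out->core_relo_off, out->core_relo_len, avail))
		return -EINVAL;
	return 0;
}

/* Constructed sample: the header bytes from the UBSan dump above (magic eb9f,
 * version 1, hdr_len 32, func_info 0..20, line_info 20..128, core_relo 128..128)
 * plus a zeroed filler payload, giving the 160-byte .BTF.ext libbpf reported. */
size_t build_sample_section(unsigned char *dst, size_t cap)
{
	static const unsigned char hdr[32] = {
		0x9f, 0xeb, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x14, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x6c, 0x00, 0x00, 0x00,
		0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

	if (cap < SAMPLE_SIZE)
		return 0;
	memset(dst, 0, SAMPLE_SIZE);
	memcpy(dst, hdr, sizeof(hdr));
	return SAMPLE_SIZE;
}

/* Reproduce the issue: the section starts 3 bytes past a 4-byte boundary (the
 * reported 0x4d6487 is 3 mod 4), as when a skeleton embeds the ELF as a string. */
int parse_misaligned_sample(struct btf_ext_header *out)
{
	static alignas(4) unsigned char storage[3 + SAMPLE_SIZE];
	unsigned char *sec = storage + 3;
	size_t n = build_sample_section(sec, SAMPLE_SIZE);

	if (n != SAMPLE_SIZE || (uintptr_t)sec % 4 == 0)
		return -1;                         /* sample not misaligned as intended */
	return parse_btf_ext_hdr(sec, n, out);
}

int main(void)
{
	struct btf_ext_header h = { 0 };
	int rc = parse_misaligned_sample(&h);

	printf("rc=%d hdr_len=%u line_info=[%u,+%u)\n", rc, h.hdr_len, h.line_info_off, h.line_info_len);
	return rc != 0;
}
```

Building this with -fsanitize=alignment -fno-sanitize-recover=alignment (the flags evverx suggests below) stays silent, because every typed access goes through the aligned copy; swapping the memcpy for a direct cast of `sec` reproduces the "member access within misaligned address" report from the opening comment.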
@anakryiko anakryiko changed the title UBsan seems to complain about "member access within misaligned address ... for type 'const struct btf_ext_header'" Misaligned memory access in btf_ext__new() Nov 24, 2021
@anakryiko anakryiko added the bug Something isn't working label Nov 24, 2021
@anakryiko anakryiko self-assigned this Nov 24, 2021
anakryiko added a commit to anakryiko/libbpf that referenced this issue Nov 26, 2021
Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf#391

Fixes: 2993e0515bb4 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
@evverx (Contributor, Author)

evverx commented Nov 27, 2021

The issue is gone. Thanks!

I tried to turn on the alignment check on OSS-Fuzz and it triggered:

elf_begin.c:223:21: runtime error: member access within misaligned address 0x000002e6ced1 for type 'Elf64_Shdr', which requires 8 byte alignment
0x000002e6ced1: note: pointer points here
 00 00 00  7f 45 4c 46 02 01 01 01  00 f7 00 01 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00
              ^
    #0 0x52f811 in get_shnum /src/libbpf/elfutils/libelf/elf_begin.c:223:21
    #1 0x52f811 in file_read_elf /src/libbpf/elfutils/libelf/elf_begin.c:296:19
    #2 0x52cc76 in __libelf_read_mmaped_file /src/libbpf/elfutils/libelf/elf_begin.c:559:14
    #3 0x53a7f2 in elf_memory /src/libbpf/elfutils/libelf/elf_memory.c:49:10
    #4 0x4ba5e2 in bpf_object__elf_init /src/libbpf/src/libbpf.c:1254:9
    #5 0x4ba5e2 in __bpf_object__open /src/libbpf/src/libbpf.c:6842:8
    #6 0x4c177e in bpf_object__open_mem /src/libbpf/src/libbpf.c:6909:20
    #7 0x4b3598 in LLVMFuzzerTestOneInput /src/bpf-object-fuzzer.c:33:8
    #8 0x43f193 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #9 0x43e97a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp
    #10 0x44021b in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp
    #11 0x440d05 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp
    #12 0x43044d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #13 0x459492 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7fab14fb80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #15 0x407d2d in _start (/out/bpf-object-fuzzer+0x407d2d)

I'm not sure whether it's a libbpf issue or a libelf issue, though. I'll try to double-check.

@evverx (Contributor, Author)

evverx commented Nov 27, 2021

In the meantime, I've just opened google/oss-fuzz#6915, where only libbpf is built with the alignment check.

@evverx (Contributor, Author)

evverx commented Nov 27, 2021

With that patch applied UBSan complained about

libbpf.c:3240:11: runtime error: member access within misaligned address 0x00000262b474 for type 'Elf64_Shdr', which requires 8 byte alignment
0x00000262b474: note: pointer points here
  ff ff 36 ff 00 26 00 00  ff d6 ff 70 70 70 70 23  70 70 70 70 00 70 70 70  72 70 70 70 70 70 70 00
              ^
    #0 0x4c0301 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3240:11
    #1 0x4c0301 in __bpf_object__open /src/libbpf/src/libbpf.c:6844:16
    #2 0x4c177e in bpf_object__open_mem /src/libbpf/src/libbpf.c:6909:20
    #3 0x4b3598 in LLVMFuzzerTestOneInput /src/bpf-object-fuzzer.c:33:8
    #4 0x43f193 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #5 0x43e97a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) cxa_noexception.cpp
    #6 0x44021b in fuzzer::Fuzzer::MutateAndTestOne() cxa_noexception.cpp
    #7 0x440d05 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) cxa_noexception.cpp
    #8 0x43044d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #9 0x459492 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7f065d8e70b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x407d2d in _start (/out/bpf-object-fuzzer+0x407d2d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libbpf.c:3240:11 in

which I think is the same issue UBSan complained about with libelf built with the alignment check, so I closed that PR.

@anakryiko (Member)

The first one (in elf_memory()) seems to be the problem with libelf not handling alignment properly. I don't see anywhere the requirement that bytes passed to the elf_memory() should be aligned, so this does seem like libelf bug.

As for the second, Elf64_Shdr * is returned by libelf from elf64_getshdr(), so if it is misaligned, then it's also libelf's fault. But I'm not sure how meaningful it is to go and do memory copies just to re-align the bytes ahead of time. This seems like a very impractical corner case, tbh.

@evverx (Contributor, Author)

evverx commented Nov 29, 2021

@anakryiko agreed. I closed that PR because I didn't want to bother the libbpf project with elfutils bugs. The issues that were fixed in https://reviews.llvm.org/D112106 and 25eb5c4 can be caught in the future (to prevent them from making it into the repository again) by running the libbpf testsuite under UBSan. Judging by https://lore.kernel.org/bpf/20211124002325.1737739-1-andrii@kernel.org/ it's in the works, as far as I can see.

@anakryiko (Member)

@anakryiko agreed. I closed that PR because I didn't want to bother the libbpf project with elfutils bugs. The issues that were fixed in https://reviews.llvm.org/D112106 and 25eb5c4 can be caught in the future (to prevent them from making it into the repository again) by running the libbpf testsuite under UBSan. Judging by https://lore.kernel.org/bpf/20211124002325.1737739-1-andrii@kernel.org/ it's in the works, as far as I can see.

yep, it currently is blocked on some preliminary work with our BPF CI system, but we plan to have test runs with sanitizers.

@evverx (Contributor, Author)

evverx commented Dec 6, 2021

Interestingly, the elfutils project by default allows unaligned access on i386 and x86_64 and kind of turns it off everywhere else. I set ALLOW_UNALIGNED=0 to force it to switch to "aligned" mode even on i386 and x86_64 but UBSan reported those issues anyway. I was told those UBSan reports should be reported to figure out whether they should be fixed or not so in theory once those issues are fixed it should be safe to turn the misaligned check on OSS-Fuzz. Though I don't think it's going to be fixed anytime soon and it certainly should be tested using the elfutils project on OSS-Fuzz first.

ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 23, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 23, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 25, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 26, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 26, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
woodsts pushed a commit to woodsts/linux-stable that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
ammarfaizi2 pushed a commit to ammarfaizi2/linux-block that referenced this issue Jan 27, 2022
tuxedo-bot pushed a commit to tuxedocomputers/linux that referenced this issue Feb 15, 2022
BugLink: https://bugs.launchpad.net/bugs/1959376

[ Upstream commit 401891a ]

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
evverx added a commit to evverx/libbpf that referenced this issue Apr 11, 2022
anakryiko pushed a commit that referenced this issue Apr 11, 2022
it-is-a-robot pushed a commit to openeuler-mirror/kernel that referenced this issue Aug 28, 2022
mainline inclusion
from mainline-5.17-rc1
commit 401891a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I5EUVD
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=401891a9debaf0a684502f2aaecf53448cee9414

-------------------------------------------------

Perform a memory copy before we do the sanity checks of btf_ext_hdr.
This prevents misaligned memory access if raw btf_ext data is not 4-byte
aligned ([0]).

While at it, also add missing const qualifier.

  [0] Closes: libbpf/libbpf#391

Fixes: 2993e05 ("tools/bpf: add support to read .BTF.ext sections")
Reported-by: Evgeny Vereshchagin <evvers@ya.ru>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211124002325.1737739-3-andrii@kernel.org
(cherry picked from commit 401891a)
Signed-off-by: Wang Yufen <wangyufen@huawei.com>