Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OSS-Fuzz issue 53386 #613

Closed
oss-fuzz-robot opened this issue Nov 14, 2022 · 3 comments
Closed

OSS-Fuzz issue 53386 #613

oss-fuzz-robot opened this issue Nov 14, 2022 · 3 comments
Labels
fuzz-issue pending-fix

Comments

@oss-fuzz-robot
Copy link

OSS-Fuzz has found a bug in this project. Please see https://oss-fuzz.com/testcase?key=6713312801062912 for details and reproducers.

This issue is mirrored from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53386 and will auto-close if the status changes there.

If you have trouble accessing this report, please file an issue at https://github.com/google/oss-fuzz/issues/new.
@anakryiko
Copy link
Member 

/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer: Running 1 inputs 100 time(s) each.
--
  | Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-1c0c5015ceeebdc9190291e842f9b3d6f9e313c7
  | AddressSanitizer:DEADLYSIGNAL
  | =================================================================
  | ==39767==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000005b7c48 bp 0x7fff74f7a990 sp 0x7fff74f7a860 T0)
  | ==39767==The signal is caused by a READ memory access.
  | ==39767==Hint: address points to the zero page.
  | SCARINESS: 10 (null-deref)
  | #0 0x5b7c48 in btf_is_var libbpf/src/btf.h:0:9
  | #1 0x5b7c48 in map_is_mmapable libbpf/src/libbpf.c:1604:8
  | #2 0x5b7c48 in bpf_object__init_internal_map libbpf/src/libbpf.c:1648:6
  | #3 0x5ad3d9 in bpf_object__init_kconfig_map libbpf/src/libbpf.c:2022:8
  | #4 0x5ad3d9 in bpf_object__init_maps libbpf/src/libbpf.c:2648:15
  | #5 0x573424 in bpf_object_open libbpf/src/libbpf.c:7279:16
  | #6 0x5739dd in bpf_object__open_mem libbpf/src/libbpf.c:7316:20
  | #7 0x56c638 in LLVMFuzzerTestOneInput libbpf/fuzz/bpf-object-fuzzer.c:16:8
  | #8 0x43df33 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
  | #9 0x429692 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
  | #10 0x42ef3c in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
  | #11 0x458472 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
  | #12 0x7fdff04220b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/libc-start.c:308:16
  | #13 0x41f85d in _start
  |  
  | AddressSanitizer can not provide additional info.
  | SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x5b7c48)
  | ==39767==ABORTING
  |  
  |  
  | +----------------------------------------Release Build Unsymbolized Stacktrace (diff)----------------------------------------+
  |  
  | ==39767==Hint: address points to the zero page.
  | SCARINESS: 10 (null-deref)
  | #0 0x5b7c48  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x5b7c48)
  | #1 0x5ad3d9  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x5ad3d9)
  | #2 0x573424  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x573424)
  | #3 0x5739dd  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x5739dd)
  | #4 0x56c638  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x56c638)
  | #5 0x43df33  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x43df33)
  | #6 0x429692  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x429692)
  | #7 0x42ef3c  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x42ef3c)
  | #8 0x458472  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x458472)
  | #9 0x7fdff04220b2  (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) (BuildId: 099b9225bcb0d019d9d60884be583eb31bb5f44e)
  | #10 0x41f85d  (/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_libbpf_de156b97b3344a85362109c26793849406020210/revisions/bpf-object-fuzzer+0x41f85d)

@anakryiko anakryiko added the bug Something isn't working label Nov 15, 2022
@anakryiko
Copy link
Member

#617 should fix this, once implemented.

@anakryiko anakryiko added fuzz-issue and removed bug Something isn't working labels Nov 15, 2022
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Aug 23, 2023
@anakryiko @intel-lab-lkp
libbpf: add basic BTF sanity validation
e55ce82 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 23, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
403b9dc 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 23, 2023
@anakryiko
libbpf: add basic BTF sanity validation
23a12a0 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 23, 2023
@anakryiko
libbpf: add basic BTF sanity validation
8fee7e0 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 24, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
404dc84 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
2c4db8d 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
cb0ed07 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
5fb9393 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 24, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
bc73d31 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
8198e57 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
cf67648 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 24, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
38ffea5 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
31d8a21 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
022b322 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
75f9920 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Aug 24, 2023
@anakryiko @intel-lab-lkp
libbpf: add basic BTF sanity validation
9b2dc68 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. But even with such simple
checks it fixes a bunch of crashes found by OSS fuzzer ([0]-[5]) and
will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

v1->v2:
  - fix array index_type vs type copy/paste error (Eduard);
  - add type ID check in FUNC_PROTO validation (Eduard);
  - move sanity check to btf parsing time (Martin).

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
86af6c1 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. But even with such simple
checks it fixes a bunch of crashes found by OSS fuzzer ([0]-[5]) and
will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

v1->v2:
  - fix array index_type vs type copy/paste error (Eduard);
  - add type ID check in FUNC_PROTO validation (Eduard);
  - move sanity check to btf parsing time (Martin).

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
04b59d8 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. But even with such simple
checks it fixes a bunch of crashes found by OSS fuzzer ([0]-[5]) and
will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

v1->v2:
  - fix array index_type vs type copy/paste error (Eduard);
  - add type ID check in FUNC_PROTO validation (Eduard);
  - move sanity check to btf parsing time (Martin).

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Aug 25, 2023
@anakryiko @intel-lab-lkp
libbpf: add basic BTF sanity validation
e4dcfc4 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 25, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
11b8fd8 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 25, 2023
@anakryiko
libbpf: add basic BTF sanity validation
0cf0190 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 25, 2023
@anakryiko
libbpf: add basic BTF sanity validation
365eff1 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 27, 2023
@anakryiko
libbpf: add basic BTF sanity validation
c298e87 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 27, 2023
@anakryiko
libbpf: add basic BTF sanity validation
e5b8142 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 28, 2023
@anakryiko
libbpf: add basic BTF sanity validation
be74752 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 28, 2023
@anakryiko
libbpf: add basic BTF sanity validation
1fd7dd2 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Sep 8, 2023
@anakryiko
libbpf: Add basic BTF sanity validation
3903802 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Link: https://lore.kernel.org/bpf/20230825202152.1813394-1-andrii@kernel.org
anakryiko added a commit to anakryiko/libbpf that referenced this issue Sep 15, 2023
@anakryiko
libbpf: Add basic BTF sanity validation
59906a6 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf#482
  [1] libbpf#483
  [2] libbpf#485
  [3] libbpf#613
  [4] libbpf#618
  [5] libbpf#619

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf#617
Link: https://lore.kernel.org/bpf/20230825202152.1813394-1-andrii@kernel.org
anakryiko added a commit that referenced this issue Sep 15, 2023
@anakryiko
libbpf: Add basic BTF sanity validation
2dbdd3b 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] #482
  [1] #483
  [2] #485
  [3] #613
  [4] #618
  [5] #619

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: #617
Link: https://lore.kernel.org/bpf/20230825202152.1813394-1-andrii@kernel.org
@oss-fuzz-robot
Copy link
Author

OSS-Fuzz has closed this bug. Please see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53386 for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fuzz-issue pending-fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@anakryiko @oss-fuzz-robot