Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libbpf: implement BTF validator #617

Closed
anakryiko opened this issue Nov 15, 2022 · 3 comments
Closed

libbpf: implement BTF validator #617

anakryiko opened this issue Nov 15, 2022 · 3 comments
Labels
feature New feature or request

Comments

@anakryiko
Copy link
Member

Validate BTF for basic sanity before using its contents. This will prevent most of reported fuzz errors and will increase overall robustness.
@anakryiko anakryiko added the feature New feature or request label Nov 15, 2022
This was referenced Nov 15, 2022
Open
Closed
Closed
Closed
Closed
Closed
@retpolanne
Copy link

Hey @anakryiko, I'm getting back on track with this patch.

So, what I've been trying to do is to add a function btf_validate_data on bpf_object__init_btf. I've also added the fix to #484 there.

Now I need to figure out which BTF validations I should add to the libbpf side. I'm not very familiar with BTF, sorry (checking kernel/bpf/btf.c I can see an explanation on the BTF verification), and as you mentioned on my patch [1] I shouldn't be overzealous.

Also, can I send you patches off list before I send them to the mailing list? Or is it better to send it on the bpf mailing list for feedbacks?

[1] https://lore.kernel.org/bpf/20220929160558.5034-1-annemacedo@linux.microsoft.com/T/#md5c1ccff88ddfcb0cba844de49fdf750c1c22d79

@anakryiko
Copy link
Member Author

hey @retpolanne, I think that maybe implementing validation as BTF API would make sense, as it will allow other use cases to reuse this logic. So maybe add btf__validate() API to libbpf/src/btf.c and then use that from libbpf.c?

Other than that, adding call to btf__validate() from bpf_object__init_btf() makes sense.

Please send patches straight to mailing list.

@retpolanne
Copy link

@anakryiko that sounds like a great idea! I’m also checking kernel/bpf/btf.c and saw some of the validations there such as iterating through types. That sounds like a plan.

As I’m working I’ll send it to the mailing list then, thanks!

@evverx evverx mentioned this issue May 4, 2023
Closed
@anakryiko anakryiko mentioned this issue May 12, 2023
Closed
@anakryiko anakryiko mentioned this issue Jun 27, 2023
Closed
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Aug 23, 2023
@anakryiko @intel-lab-lkp
libbpf: add basic BTF sanity validation
e55ce82 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 23, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
403b9dc 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 23, 2023
@anakryiko
libbpf: add basic BTF sanity validation
23a12a0 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 23, 2023
@anakryiko
libbpf: add basic BTF sanity validation
8fee7e0 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 24, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
404dc84 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
2c4db8d 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
cb0ed07 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
5fb9393 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 24, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
bc73d31 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
8198e57 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
cf67648 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 24, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
38ffea5 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
31d8a21 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
022b322 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
75f9920 
Implement a simple and straightforward BTF sanity check when loading BTF
information for BPF ELF file. Right now it's very basic and just
validates that all the string offsets and type IDs are within valid
range. But even with such simple checks it fixes a bunch of crashes
found by OSS fuzzer ([0]-[5]) and will allow fuzzer to make further
progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Aug 24, 2023
@anakryiko @intel-lab-lkp
libbpf: add basic BTF sanity validation
9b2dc68 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. But even with such simple
checks it fixes a bunch of crashes found by OSS fuzzer ([0]-[5]) and
will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

v1->v2:
  - fix array index_type vs type copy/paste error (Eduard);
  - add type ID check in FUNC_PROTO validation (Eduard);
  - move sanity check to btf parsing time (Martin).

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
86af6c1 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. But even with such simple
checks it fixes a bunch of crashes found by OSS fuzzer ([0]-[5]) and
will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

v1->v2:
  - fix array index_type vs type copy/paste error (Eduard);
  - add type ID check in FUNC_PROTO validation (Eduard);
  - move sanity check to btf parsing time (Martin).

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 24, 2023
@anakryiko
libbpf: add basic BTF sanity validation
04b59d8 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. But even with such simple
checks it fixes a bunch of crashes found by OSS fuzzer ([0]-[5]) and
will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

v1->v2:
  - fix array index_type vs type copy/paste error (Eduard);
  - add type ID check in FUNC_PROTO validation (Eduard);
  - move sanity check to btf parsing time (Martin).

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this issue Aug 25, 2023
@anakryiko @intel-lab-lkp
libbpf: add basic BTF sanity validation
e4dcfc4 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
danielocfb pushed a commit to danielocfb/kernel-patches-bpf that referenced this issue Aug 25, 2023
@anakryiko @d-e-s-o
libbpf: add basic BTF sanity validation
11b8fd8 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 25, 2023
@anakryiko
libbpf: add basic BTF sanity validation
0cf0190 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 25, 2023
@anakryiko
libbpf: add basic BTF sanity validation
365eff1 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 27, 2023
@anakryiko
libbpf: add basic BTF sanity validation
c298e87 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 27, 2023
@anakryiko
libbpf: add basic BTF sanity validation
e5b8142 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Aug 28, 2023
@anakryiko
libbpf: add basic BTF sanity validation
be74752 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf-rc bot pushed a commit to kernel-patches/bpf-rc that referenced this issue Aug 28, 2023
@anakryiko
libbpf: add basic BTF sanity validation
1fd7dd2 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
kernel-patches-daemon-bpf bot pushed a commit to kernel-patches/bpf that referenced this issue Sep 8, 2023
@anakryiko
libbpf: Add basic BTF sanity validation
3903802 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf/libbpf#482
  [1] libbpf/libbpf#483
  [2] libbpf/libbpf#485
  [3] libbpf/libbpf#613
  [4] libbpf/libbpf#618
  [5] libbpf/libbpf#619

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf/libbpf#617
Link: https://lore.kernel.org/bpf/20230825202152.1813394-1-andrii@kernel.org
anakryiko added a commit to anakryiko/libbpf that referenced this issue Sep 15, 2023
@anakryiko
libbpf: Add basic BTF sanity validation
59906a6 
Implement a simple and straightforward BTF sanity check when parsing BTF
data. Right now it's very basic and just validates that all the string
offsets and type IDs are within valid range. For FUNC we also check that
it points to FUNC_PROTO kinds.

Even with such simple checks it fixes a bunch of crashes found by OSS
fuzzer ([0]-[5]) and will allow fuzzer to make further progress.

Some other invariants will be checked in follow up patches (like
ensuring there is no infinite type loops), but this seems like a good
start already.

Adding FUNC -> FUNC_PROTO check revealed that one of selftests has
a problem with FUNC pointing to VAR instead, so fix it up in the same
commit.

  [0] libbpf#482
  [1] libbpf#483
  [2] libbpf#485
  [3] libbpf#613
  [4] libbpf#618
  [5] libbpf#619

Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Reviewed-by: Song Liu <song@kernel.org>
Closes: libbpf#617
Link: https://lore.kernel.org/bpf/20230825202152.1813394-1-andrii@kernel.org
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@anakryiko @retpolanne