fix a segfault caused by passing a non-null buffer to bpf_prog_load #59
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
During error handling bcc will attempt to write the message to the provided buffer. It checks for a provided buffer either by checking the log_buf_size parameter or by checking log_buf to see if it's non-null. Because of the inconsistent checks on bcc's side and the specific parameters that rust-bcc passes, this is only a problem when the call to bpf_prog_load returns certain errors. The flow that causes the segfault looks like this: rust-bcc sets log_level=0,log_size=0 as the initial parameters. bcc will issue the syscall, but upon failure will reissue the bcc_prog_load_xattr with log_level set to 1. At this point, the same error will be produced and outputted to a new, temporary buffer (since the provided log_size is 0). Following this, it will attempt to log to the user provided buffer as log_level is now > 0, checking to see if the provided buffer is non-null. As rust-bcc provided a non-null ptr, bcc attempts to write to a zero buffer which causes a SIGSEGV. Relevant links: Checks for log_buf_size: https://github.com/iovisor/bcc/blob/d147588ebe35b7cd2b4d253a7da18bef253ea78d/src/cc/libbpf.c#L519 Checks for log_buf: https://github.com/iovisor/bcc/blob/d147588ebe35b7cd2b4d253a7da18bef253ea78d/src/cc/libbpf.c#L641
snowp
changed the title
brayniac
approved these changes
Sep 11, 2019
|
Awesome! Thanks for the PR! |
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
During error handling bcc will attempt to write the message to the
provided buffer. It checks for a provided buffer either by checking the
log_buf_size parameter or by checking log_buf to see if it's non-null.
Because of the inconsistent checks on bcc's side and the specific
parameters that rust-bcc passes, this is only a problem when the call to
bpf_prog_load returns certain errors.
The flow that causes the segfault looks like this: rust-bcc sets log_level=0,log_size=0
as the initial parameters. bcc will issue the syscall, but upon failure will reissue
the bcc_prog_load_xattr with log_level set to 1. At this point, the same error will be
produced and outputted to a new, temporary buffer (since the provided
log_size is 0). Following this, it will attempt to log to the user provided
buffer as log_level is now > 0, checking to see if the provided buffer
is non-null. As rust-bcc provided a non-null ptr, bcc attempts to write
to a zero buffer which causes a SIGSEGV.
Relevant links:
Checks for log_buf_size:
https://github.com/iovisor/bcc/blob/d147588ebe35b7cd2b4d253a7da18bef253ea78d/src/cc/libbpf.c#L519
Checks for log_buf:
https://github.com/iovisor/bcc/blob/d147588ebe35b7cd2b4d253a7da18bef253ea78d/src/cc/libbpf.c#L641