backport patches from upstream

backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch backport-libbpf-Fix-str_has_sfxs-return-value.patch backport-libbpf-Initialize-err-in-probe_map_create.patch (cherry picked from commit e55c477544ff210c205ad481d168cd7a30ad43ad)
2024-04-15 16:44:16 +08:00 · 2024-04-15 16:44:16 +08:00 · 0c1a912a36
commit 0c1a912a36
parent 02c54b85b8
4 changed files with 145 additions and 1 deletions
--- a/backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch
+++ b/backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch
@ -0,0 +1,65 @@
+From c008eb921eec064f01263b2a5577dc668b27b0cc Mon Sep 17 00:00:00 2001
+From: Mingyi Zhang <zhangmingyi5@huawei.com>
+Date: Thu, 21 Dec 2023 11:39:47 +0800
+Subject: [PATCH] libbpf: Fix NULL pointer dereference in
+ bpf_object__collect_prog_relos
+
+An issue occurred while reading an ELF file in libbpf.c during fuzzing:
+
+	Program received signal SIGSEGV, Segmentation fault.
+	0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
+	4206 in libbpf.c
+	(gdb) bt
+	#0 0x0000000000958e97 in bpf_object.collect_prog_relos () at libbpf.c:4206
+	#1 0x000000000094f9d6 in bpf_object.collect_relos () at libbpf.c:6706
+	#2 0x000000000092bef3 in bpf_object_open () at libbpf.c:7437
+	#3 0x000000000092c046 in bpf_object.open_mem () at libbpf.c:7497
+	#4 0x0000000000924afa in LLVMFuzzerTestOneInput () at fuzz/bpf-object-fuzzer.c:16
+	#5 0x000000000060be11 in testblitz_engine::fuzzer::Fuzzer::run_one ()
+	#6 0x000000000087ad92 in tracing::span::Span::in_scope ()
+	#7 0x00000000006078aa in testblitz_engine::fuzzer::util::walkdir ()
+	#8 0x00000000005f3217 in testblitz_engine::entrypoint::main::{{closure}} ()
+	#9 0x00000000005f2601 in main ()
+	(gdb)
+
+scn_data was null at this code(tools/lib/bpf/src/libbpf.c):
+
+	if (rel->r_offset % BPF_INSN_SZ || rel->r_offset >= scn_data->d_size) {
+
+The scn_data is derived from the code above:
+
+	scn = elf_sec_by_idx(obj, sec_idx);
+	scn_data = elf_sec_data(obj, scn);
+
+	relo_sec_name = elf_sec_str(obj, shdr->sh_name);
+	sec_name = elf_sec_name(obj, scn);
+	if (!relo_sec_name || !sec_name)// don't check whether scn_data is NULL
+		return -EINVAL;
+
+In certain special scenarios, such as reading a malformed ELF file,
+it is possible that scn_data may be a null pointer
+
+Signed-off-by: Mingyi Zhang <zhangmingyi5@huawei.com>
+Signed-off-by: Xin Liu <liuxin350@huawei.com>
+Signed-off-by: Changye Wu <wuchangye@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20231221033947.154564-1-liuxin350@huawei.com
+---
+ src/libbpf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libbpf.c b/src/libbpf.c
+index ac54ebc06..ebcfb2147 100644
+--- a/src/libbpf.c
+++ b/src/libbpf.c
+@@ -4355,6 +4355,8 @@ bpf_object__collect_prog_relos(struct bpf_object *obj, Elf64_Shdr *shdr, Elf_Dat
+ 
+ 	scn = elf_sec_by_idx(obj, sec_idx);
+ 	scn_data = elf_sec_data(obj, scn);
+	if (!scn_data)
+		return -LIBBPF_ERRNO__FORMAT;
+ 
+ 	relo_sec_name = elf_sec_str(obj, shdr->sh_name);
+ 	sec_name = elf_sec_name(obj, scn);
--- a/backport-libbpf-Fix-str_has_sfxs-return-value.patch
+++ b/backport-libbpf-Fix-str_has_sfxs-return-value.patch
@ -0,0 +1,35 @@
+From 8663289b5199c67bc2bcf82a1ec91ef874df2813 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 19 Jul 2022 12:53:01 +0300
+Subject: [PATCH] libbpf: Fix str_has_sfx()'s return value
+
+The return from strcmp() is inverted so it wrongly returns true instead
+of false and vice versa.
+
+Fixes: a1c9d61b19cb ("libbpf: Improve library identification for uprobe binary path resolution")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Cc: Alan Maguire <alan.maguire@oracle.com>
+Link: https://lore.kernel.org/bpf/YtZ+/dAA195d99ak@kili
+---
+ src/libbpf_internal.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/libbpf_internal.h b/src/libbpf_internal.h
+index f01dbab49..4135ae0a2 100644
+--- a/src/libbpf_internal.h
+++ b/src/libbpf_internal.h
+@@ -108,9 +108,9 @@ static inline bool str_has_sfx(const char *str, const char *sfx)
+ 	size_t str_len = strlen(str);
+ 	size_t sfx_len = strlen(sfx);
+ 
+-	if (sfx_len <= str_len)
+-		return strcmp(str + str_len - sfx_len, sfx);
+-	return false;
+	if (sfx_len > str_len)
+		return false;
+	return strcmp(str + str_len - sfx_len, sfx) == 0;
+ }
+ 
+ /* Symbol versioning is different between static and shared library.
--- a/backport-libbpf-Initialize-err-in-probe_map_create.patch
+++ b/backport-libbpf-Initialize-err-in-probe_map_create.patch
@ -0,0 +1,35 @@
+From bd1e5cff31d49a9b4beb293a8d96b609cd535fb7 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 31 Jul 2022 19:51:09 -0700
+Subject: [PATCH] libbpf: Initialize err in probe_map_create
+
+GCC-11 warns about the possibly unitialized err variable in
+probe_map_create:
+
+libbpf_probes.c: In function 'probe_map_create':
+libbpf_probes.c:361:38: error: 'err' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+  361 |                 return fd < 0 && err == exp_err ? 1 : 0;
+      |                                  ~~~~^~~~~~~~~~
+
+Fixes: 878d8def0603 ("libbpf: Rework feature-probing APIs")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Link: https://lore.kernel.org/bpf/20220801025109.1206633-1-f.fainelli@gmail.com
+---
+ src/libbpf_probes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libbpf_probes.c b/src/libbpf_probes.c
+index 0b5398786..6d495656f 100644
+--- a/src/libbpf_probes.c
+++ b/src/libbpf_probes.c
+@@ -193,7 +193,7 @@ static int probe_map_create(enum bpf_map_type map_type)
+ 	LIBBPF_OPTS(bpf_map_create_opts, opts);
+ 	int key_size, value_size, max_entries;
+ 	__u32 btf_key_type_id = 0, btf_value_type_id = 0;
+-	int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err;
+	int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err = 0;
+
+	opts.map_ifindex = ifindex;
+
--- a/libbpf.spec
+++ b/libbpf.spec
@ -4,7 +4,7 @@

 Name:           %{githubname}
 Version:        %{githubver}
-Release:        11
+Release:        12
 Summary:        Libbpf library

 License:        LGPLv2 or BSD
@ -38,6 +38,9 @@ Patch0021:      backport-libbpf-Fix-realloc-API-handling-in-zero-sized-edge-case
 Patch0022:      backport-libbpf-Set-close-on-exec-flag-on-gzopen.patch
 Patch0023:      backport-libbpf-Fix-is_pow_of_2.patch
 Patch0024:      backport-libbpf-make-RINGBUF-map-size-adjustments-more-eagerly.patch
+Patch0025:      backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch
+Patch0026:      backport-libbpf-Fix-str_has_sfxs-return-value.patch
+Patch0027:      backport-libbpf-Initialize-err-in-probe_map_create.patch

 # This package supersedes libbpf from kernel-tools,
 # which has default Epoch: 0. By having Epoch: 1
@ -90,6 +93,12 @@ developing applications that use %{name}
 %{_libdir}/libbpf.a

 %changelog
+* Mon Apr 15 2024 zhangmingyi <zhangmingyi5@huawei.com> 2:0.8.1-12
+- backport patches from upstream:
+  backport-libbpf-Fix-NULL-pointer-dereference-in_bpf_object__c.patch
+  backport-libbpf-Fix-str_has_sfxs-return-value.patch
+  backport-libbpf-Initialize-err-in-probe_map_create.patch
+
 * Thu Dec 7 2023 zhangmingyi <zhangmingyi5@huawei.com> 2:0.8.1-11
 - backport patches from upstream:
  backport-libbpf-Fix-realloc-API-handling-in-zero-sized-edge-cases.patch