
Commit b831f83

committed
Merge tag 'bpf-6.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Pull bpf fixes from Alexei Starovoitov: - Fix crash when btf_parse_base() returns an error (Martin Lau) - Fix out of bounds access in btf_name_valid_section() (Jeongjun Park) * tag 'bpf-6.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: selftests/bpf: Add a selftest to check for incorrect names bpf: add check for invalid name in btf_name_valid_section() bpf: Fix a crash when btf_parse_base() returns an error pointer
2 parents d759ee2 + 5390f31 commit b831f83


2 files changed

+38
-2
lines changed

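--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -823,9 +823,11 @@ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
 const char *src = btf_str_by_offset(btf, offset);
 const char *src_limit;
 
+if (!*src)
+return false;
+
 /* set a limit on identifier length */
 src_limit = src + KSYM_NAME_LEN;
-src++;
 while (*src && src < src_limit) {
 if (!isprint(*src))
 return false;
@@ -6283,7 +6285,7 @@ static struct btf *btf_parse_module(const char *module_name, const void *data,
 
 errout:
 btf_verifier_env_free(env);
-if (base_btf != vmlinux_btf)
+if (!IS_ERR(base_btf) && base_btf != vmlinux_btf)
 btf_free(base_btf);
 if (btf) {
 kvfree(btf->data);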
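Review bot: The new `if (!*src)` guard in btf_name_valid_section() has no comment, and with `src++` removed it is the only thing that rejects an empty name: the loop below it would not run, and the function's final return (outside this hunk) would presumably see the terminator and accept the name. I would put `/* an empty section name is never valid */` above the guard so it is not later removed as redundant. The guard also dereferences `src` without checking what `btf_str_by_offset()` returned; if that helper can return NULL for an out-of-range offset, the function depends on the caller having validated `offset`, and the same comment should say so. The function body starts and ends outside the hunk.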

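--- a/tools/testing/selftests/bpf/prog_tests/btf.c
+++ b/tools/testing/selftests/bpf/prog_tests/btf.c
@@ -3550,6 +3550,40 @@ static struct btf_raw_test raw_tests[] = {
 },
 BTF_STR_SEC("\0x\0?.foo bar:buz"),
 },
+{
+.descr = "datasec: name with non-printable first char not is ok",
+.raw_types = {
+/* int */
+BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
+/* VAR x */ /* [2] */
+BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_VAR, 0, 0), 1),
+BTF_VAR_STATIC,
+/* DATASEC ?.data */ /* [3] */
+BTF_TYPE_ENC(3, BTF_INFO_ENC(BTF_KIND_DATASEC, 0, 1), 4),
+BTF_VAR_SECINFO_ENC(2, 0, 4),
+BTF_END_RAW,
+},
+BTF_STR_SEC("\0x\0\7foo"),
+.err_str = "Invalid name",
+.btf_load_err = true,
+},
+{
+.descr = "datasec: name '\\0' is not ok",
+.raw_types = {
+/* int */
+BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
+/* VAR x */ /* [2] */
+BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_VAR, 0, 0), 1),
+BTF_VAR_STATIC,
+/* DATASEC \0 */ /* [3] */
+BTF_TYPE_ENC(3, BTF_INFO_ENC(BTF_KIND_DATASEC, 0, 1), 4),
+BTF_VAR_SECINFO_ENC(2, 0, 4),
+BTF_END_RAW,
+},
+BTF_STR_SEC("\0x\0"),
+.err_str = "Invalid name",
+.btf_load_err = true,
+},
 {
 .descr = "type name '?foo' is not ok",
 .raw_types = {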
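Review bot: The first added case has the comment `/* DATASEC ?.data */`, apparently copied from a neighbouring test, while the name it actually encodes at offset 3 of `BTF_STR_SEC("\0x\0\7foo")` is `\7foo`; the comment should read `/* DATASEC \7foo */`. Its `.descr` also has the words transposed ("not is ok" for "is not ok"), which makes a failing case harder to find if the description is what the runner prints. The second case only works because name offset 3 lands on the string literal's implicit terminator, so a comment such as `/* name_off 3 is the trailing NUL of the string section */` would make that dependency explicit. The `raw_tests[]` array starts and ends outside the hunk.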
