Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2466944imu; Wed, 21 Nov 2018 12:07:11 -0800 (PST) X-Google-Smtp-Source: AJdET5fVARG8RoHy/a5GS2k1FLPtwclAjMJiVmChNNT9Q6UvfPsUJYjzNGxovSSW0zponcP9DyfD X-Received: by 2002:a63:f74f:: with SMTP id f15mr7284395pgk.190.1542830831693; Wed, 21 Nov 2018 12:07:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542830831; cv=none; d=google.com; s=arc-20160816; b=cMDjilhMMHLMPdiQTd3P3tUM/dXz+6plp1QzUY6c4Kh4WWVD5WCaj7yyNT40dWn4kG j+O9HoP31Y+YWV4aFbbL0xIKcf+c/IkB+oZ6aqJZ/R/WsSaGYZjzFRohjpOv2qRI0WRw UpV6b900pd7kmiq5harcpAepuTmrW9cPyVNm//MJ6Sz1GVeJXnGJ/pFT+ttdw5bjIn/n d8O+9R7YDwISH/T35gnFEtHU93fxyyJHzxqMaLzOBPSrc9kIvskJlbn1kRSqEnkcFZVf o3Dm0PRVPXKS4bUu6GA9/1At+Uno6Qp7AJEELYDRVjBS4cm0J3c4db2sWsZxehG3SH5n cyYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=+y0+HMCgkTMUY378kVyZT/5XfnJg2CUDxwv1cJf63Do=; b=ui99jr5W0tFxT1g+jc+M4aqiVtM1mbUCl+9qDd41u3d+Upixp4dQZRZG5nRem+b+am vcrZfd7jtyVDLHDWYiHbv2N5zqde6gVt6Rk+DRzza9+nmgBTH8/Bpk8mLqqutevj0uHc BAIdkrICS1gbTrkmO2W9XO7UzQUr+Dl5CZaPWsTg82TMsGmBiNKl93MSM4h5YEYzhTvj HyvbkOiLjwH4EiDXXrpeAIakagY385w42oCsYRAp4BfWdV29XchDx3zXju/Xa60sCPJV BMazmP3UQZttJfjlRjWrbrA5ci1LJi7dR66kMQsSF53x+Fj6sKKNiMTgRkhxt9/nD2Gi T4DQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kqM8oOGx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c15si43593169pgg.446.2018.11.21.12.06.54; Wed, 21 Nov 2018 12:07:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kqM8oOGx; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731025AbeKVEVW (ORCPT + 99 others); Wed, 21 Nov 2018 23:21:22 -0500 Received: from mail-qk1-f193.google.com ([209.85.222.193]:34079 "EHLO mail-qk1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729279AbeKVEVW (ORCPT ); Wed, 21 Nov 2018 23:21:22 -0500 Received: by mail-qk1-f193.google.com with SMTP id a132so5411032qkg.1; Wed, 21 Nov 2018 09:46:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+y0+HMCgkTMUY378kVyZT/5XfnJg2CUDxwv1cJf63Do=; b=kqM8oOGxk9x+SO5aXUg96yaqCYXOEcus3T6WejXDLvnakJocq3mnqg8uWtcDcX14Sc nI/J29m0c2/XrDz2AijIvc6t+6HGTYUaXTbO/1VMiBVrcy+il/uuoK5s+cb/4UaA4uf4 g7+syzOp3RcOv+9znxVqly1wSrc5ddzFVgXz/IYe9pofOVULJ02W6xeWtMoKlMLZ3TyW bX+IUIuIGzbotywbfGZZUEx5zl4yHwnO2GeRVu5LpsF+j3OfJY/EKUn5KTOOYX2gCF4K RZUsMvxvVd12mApqsKn3TTIUDYUzGxzSL2yYtrfV7udyiM8yeRrqWBm/5PMLIIaLohyc Plvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+y0+HMCgkTMUY378kVyZT/5XfnJg2CUDxwv1cJf63Do=; b=I8Uh8WcHSkXp4wZX92o3I67gt753NASiAPOrnKo9xc7vWBH2yLwCtTCmf4NRZsvVQC eCW512ZXEkYRv2BBOO0Ttr9WR90yDCvlQgu9hy6ic2EC4nDCOrCm3qBnl7e1DcDglKa8 6hIqcm6bKSPJtTCxpg1Sb5ebWit0D7ThiFrPhqoqaEfePNIF7e4gZZYE0kEVc1QU74+/ O++1vpC0l+FGIENhQThki1wZyGZSh/+Am1XkefyPXbyU1l369zXEwhdQ/vij1zQf/jRO lBAuOQ8jsHtXkmJkeRQunHVIEMQ2S7SIfDNbea71KOAGmBPkpG+oEHlx2OuTl5QN5F6O 8DGg== X-Gm-Message-State: AA+aEWbgr7GnVEpWKYpfTNnn/MV6c/WZjPLkUJyi5Of2MLKvSt20eUno OBnRg+Md2h5nrMtEA6Aq/VZzqFUDUwuFJvxDyXU= X-Received: by 2002:a37:41d2:: with SMTP id o201mr6410640qka.24.1542822361006; Wed, 21 Nov 2018 09:46:01 -0800 (PST) MIME-Version: 1.0 References: <1542786192-19164-1-git-send-email-wen.yang99@zte.com.cn> <20181121093044.3c34b66b@cakuba.netronome.com> In-Reply-To: <20181121093044.3c34b66b@cakuba.netronome.com> From: Y Song Date: Wed, 21 Nov 2018 09:45:24 -0800 Message-ID: Subject: Re: [PATCH 3/4] tools: bpftool: fix potential NULL pointer dereference in do_load To: Jakub Kicinski Cc: wen.yang99@zte.com.cn, Alexei Starovoitov , Daniel Borkmann , Quentin Monnet , Jiong Wang , guro@fb.com, Sandipan Das , John Fastabend , netdev , LKML , zhong.weidong@zte.com.cn, wang.yi59@zte.com.cn, julia.lawall@lip6.fr Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 21, 2018 at 9:30 AM Jakub Kicinski wrote: > > On Wed, 21 Nov 2018 09:18:06 -0800, Y Song wrote: > > On Tue, Nov 20, 2018 at 11:42 PM Wen Yang wrote: > > > > > > This patch fixes a possible null pointer dereference in > > > do_load, detected by the semantic patch > > > deref_null.cocci, with the following warning: > > > > > > ./tools/bpf/bpftool/prog.c:1021:23-25: ERROR: map_replace is NULL but dereferenced. > > > > > > The following code has potential null pointer references: > > > 881 map_replace = reallocarray(map_replace, old_map_fds + 1, > > > 882 sizeof(*map_replace)); > > > 883 if (!map_replace) { > > > 884 p_err("mem alloc failed"); > > > 885 goto err_free_reuse_maps; > > > 886 } > > > > > > ... > > > 1019 err_free_reuse_maps: > > > 1020 for (i = 0; i < old_map_fds; i++) > > > 1021 close(map_replace[i].fd); > > > 1022 free(map_replace); > > > > I did not see any issues here. > > We have code looks like: > > 867 struct map_replace *map_replace = NULL; > > 868 struct bpf_program *prog = NULL, *pos; > > 869 unsigned int old_map_fds = 0; > > ... > > 948 map_replace = reallocarray(map_replace, > > old_map_fds + 1, > > 949 sizeof(*map_replace)); > > 950 if (!map_replace) { > > 951 p_err("mem alloc failed"); > > 952 goto err_free_reuse_maps; > > 953 } > > 954 map_replace[old_map_fds].idx = idx; > > 955 map_replace[old_map_fds].name = name; > > 956 map_replace[old_map_fds].fd = fd; > > 957 old_map_fds++; > > ... > > > > old_map_fds becomes non zero if and only if map_replace is not NULL. > > Note that this is a realloc in a loop, and map_replace will become NULL > again if realloc fails. We should check the return value of realloc() > without loosing the pointer to the old value. No? Or right. Agreed. The right fix seems to restore the old map_replace in the error path and jump to err_free_reuse_maps if reallocarray fails. > > > > Signed-off-by: Wen Yang > > > Reviewed-by: Tan Hu > > > CC: Julia Lawall > > > --- > > > tools/bpf/bpftool/prog.c | 5 +++-- > > > 1 file changed, 3 insertions(+), 2 deletions(-) > > > > > > diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c > > > index 5302ee2..de42187 100644 > > > --- a/tools/bpf/bpftool/prog.c > > > +++ b/tools/bpf/bpftool/prog.c > > > @@ -1017,8 +1017,9 @@ static int do_load(int argc, char **argv) > > > err_close_obj: > > > bpf_object__close(obj); > > > err_free_reuse_maps: > > > - for (i = 0; i < old_map_fds; i++) > > > - close(map_replace[i].fd); > > > + if (map_replace) > > > + for (i = 0; i < old_map_fds; i++) > > > + close(map_replace[i].fd); > > > free(map_replace); > > > return -1; > > > } > > > -- > > > 2.9.5 > > > >