Message ID | 20221205081300.561974-1-linmq006@gmail.com |
---|---|
State | New |
Headers | From: Miaoqian Lin <linmq006@gmail.com> To: Quentin Monnet <quentin@isovalent.com>, Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, Andrii Nakryiko <andrii@kernel.org>, Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>, John Fastabend <john.fastabend@gmail.com>, KP Singh <kpsingh@kernel.org>, Stanislav Fomichev <sdf@google.com>, Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>, bpf@vger.kernel.org, linux-kernel@vger.kernel.org Cc: linmq006@gmail.com Subject: [PATCH] bpftool: Fix memory leak in do_build_table_cb Date: Mon, 5 Dec 2022 12:13:00 +0400 |
Series | bpftool: Fix memory leak in do_build_table_cb |
Commit Message
Miaoqian Lin
Dec. 5, 2022, 8:13 a.m. UTC
strdup() allocates memory for path. We need to release the memory in
the following error paths. Add free() to avoid memory leak.
Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
---
tools/bpf/bpftool/common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
On 12/5/22 9:13 AM, Miaoqian Lin wrote:

> strdup() allocates memory for path. We need to release the memory in > the following error paths. Add free() to avoid memory leak. > > Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects") > Signed-off-by: Miaoqian Lin <linmq006@gmail.com> > --- > tools/bpf/bpftool/common.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c > index 0cdb4f711510..8a820356525e 100644 > --- a/tools/bpf/bpftool/common.c > +++ b/tools/bpf/bpftool/common.c > @@ -499,9 +499,11 @@ static int do_build_table_cb(const char *fpath, const struct stat *sb, > if (err) { > p_err("failed to append entry to hashmap for ID %u, path '%s': %s", > pinned_info.id, path, strerror(errno)); > - goto out_close; > + goto out_free; > } > > +out_free: > + free(path);

It would be ok if you were to add the free(path) into the err condition, but here you also cause the !err to be freed which would trigger a UAF. See the hashmap_insert() where it just sets the pointer entry->value = <path>. How was this tested before submission?

> out_close: > close(fd); > out_ret: >
Hi, Daniel

On 2022/12/6 4:05, Daniel Borkmann wrote:

> On 12/5/22 9:13 AM, Miaoqian Lin wrote: >> strdup() allocates memory for path. We need to release the memory in >> the following error paths. Add free() to avoid memory leak. >> >> Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects") >> Signed-off-by: Miaoqian Lin <linmq006@gmail.com> >> --- >> tools/bpf/bpftool/common.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c >> index 0cdb4f711510..8a820356525e 100644 >> --- a/tools/bpf/bpftool/common.c >> +++ b/tools/bpf/bpftool/common.c >> @@ -499,9 +499,11 @@ static int do_build_table_cb(const char *fpath, const struct stat *sb, >> if (err) { >> p_err("failed to append entry to hashmap for ID %u, path '%s': %s", >> pinned_info.id, path, strerror(errno)); >> - goto out_close; >> + goto out_free; >> } >> +out_free: >> + free(path); > > It would be ok if you were to add the free(path) into the err condition, but here you > also cause the !err to be freed which would trigger as UAF. See the hashmap_insert() > where just set the pointer entry->value = <path>.. how was this tested before submission? >

Thanks for your review. You're right. Sorry for the mistake, I meant to free it in the error path. I'll send v2 to fix this. I spotted it with a static detection tool.

>> out_close: >> close(fd); >> out_ret: >> >
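The ownership rule raised in the review above, as an added example that is not bpftool or libbpf code: a table that stores the caller's pointer owns it after a successful insert, so the duplicate is freed only when the insert fails. toy_table, toy_append, record_path and toy_free are hypothetical names, and the sample paths are constructed.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define TOY_CAP 1	/* tiny capacity so the failure path is easy to reach */

/* Hypothetical pointer-storing table; a stand-in, not libbpf's hashmap. */
struct toy_table {
	char *paths[TOY_CAP];	/* owned by the table once stored */
	size_t len;
};

/* Stores the pointer itself (no copy). Returns 0, or -ENOSPC when full. */
static int toy_append(struct toy_table *t, char *path)
{
	if (t->len == TOY_CAP)
		return -ENOSPC;
	t->paths[t->len++] = path;
	return 0;
}

/* Duplicate fpath and hand it to the table; free only if the table refused. */
static int record_path(struct toy_table *t, const char *fpath)
{
	size_t n = strlen(fpath) + 1;
	char *path = malloc(n);	/* plays the role of strdup() in the patch */

	if (!path)
		return -ENOMEM;
	memcpy(path, fpath, n);
	int err = toy_append(t, path);
	if (err)
		free(path);	/* error path: nobody else holds the pointer */
	return err;		/* success: the table owns path, no free here */
}

static void toy_free(struct toy_table *t)	/* single release point */
{
	while (t->len)
		free(t->paths[--t->len]);
}

int main(void)
{
	struct toy_table t = { .len = 0 };
	/* Constructed sample paths; the second exceeds TOY_CAP and is freed. */
	int ok = record_path(&t, "/sys/fs/bpf/a") == 0 &&
		 record_path(&t, "/sys/fs/bpf/b") == -ENOSPC &&
		 strcmp(t.paths[0], "/sys/fs/bpf/a") == 0;	/* entry still valid */

	toy_free(&t);
	return ok ? 0 : 1;
}
```

Building this with -fsanitize=address and moving the free() out of the error branch makes the strcmp() in main report a heap-use-after-free, which is the defect the reviewer pointed out.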
diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c index 0cdb4f711510..8a820356525e 100644 --- a/tools/bpf/bpftool/common.c +++ b/tools/bpf/bpftool/common.c @@ -499,9 +499,11 @@ static int do_build_table_cb(const char *fpath, const struct stat *sb, if (err) { p_err("failed to append entry to hashmap for ID %u, path '%s': %s", pinned_info.id, path, strerror(errno)); - goto out_close; + goto out_free; } +out_free: + free(path); out_close: close(fd); out_ret:
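Review bot: the new out_free: label sits directly after the if (err) block, so the success path falls through into free(path) too, even though the error message in this hunk shows path has just been appended to the hashmap; the table is then left holding a freed pointer and any later read of that entry is a use-after-free. Put the free inside the error branch instead, i.e. free(path); immediately before the original goto out_close;, and drop the out_free label. The commit message speaks of "error paths" in the plural while this hunk reroutes a single goto, so if there are other exits between the strdup() and this point, each one needs its own free before jumping to out_close.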