| author | Eduard Zingerman <[email protected]> | 2023-03-28 00:47:38 +0000 |
|---|---|---|
| committer | Andrii Nakryiko <[email protected]> | 2023-03-28 03:02:15 +0000 |
| commit | d08ab82f59d55b0e5acfeb453081278dfc33f232 (patch) | |
| tree | 6165d102a7aba9310cec8108cd584897bc9aa1a7 /tools/bpf/bpftool/json_writer.c | |
| parent | selftests/bpf: Don't assume page size is 4096 (diff) | |
| download | kernel-d08ab82f59d55b0e5acfeb453081278dfc33f232.tar.gz kernel-d08ab82f59d55b0e5acfeb453081278dfc33f232.zip | |
libbpf: Fix double-free when linker processes empty sections
Double-free error in bpf_linker__free() was reported by James Hilliard.
The error is caused by misuse of realloc() in extend_sec().
The error occurs when two files with empty sections of the same name
are linked:
- when first file is processed:
  - extend_sec() calls realloc(dst->raw_data, dst_align_sz)
    with dst->raw_data == NULL and dst_align_sz == 0;
  - dst->raw_data is set to a special pointer to a memory block of
    size zero;
- when second file is processed:
  - extend_sec() calls realloc(dst->raw_data, dst_align_sz)
    with dst->raw_data == <special pointer> and dst_align_sz == 0;
  - realloc() "frees" dst->raw_data special pointer and returns NULL;
  - extend_sec() exits with -ENOMEM, and the old dst->raw_data value
    is preserved (it is now invalid);
- eventually, bpf_linker__free() attempts to free dst->raw_data again.
This patch fixes the bug by avoiding -ENOMEM exit for dst_align_sz == 0.
The fix was suggested by Andrii Nakryiko <[email protected]>.
Reported-by: James Hilliard <[email protected]>
Signed-off-by: Eduard Zingerman <[email protected]>
Signed-off-by: Andrii Nakryiko <[email protected]>
Tested-by: James Hilliard <[email protected]>
Link: https://lore.kernel.org/bpf/CADvTj4o7ZWUikKwNTwFq0O_AaX+46t_+Ca9gvWMYdWdRtTGeHQ@mail.gmail.com/
Link: https://lore.kernel.org/bpf/[email protected]
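The realloc() sequence described in the commit message, replayed as an added C example that is not libbpf's code: `struct dst_sec`, `model_realloc()`, `extend_sec_buggy()`, `extend_sec_fixed()` and `link_two_empty_sections()` are hypothetical stand-ins, and `model_realloc()` hard-codes the glibc zero-size rules the message relies on so the replay is deterministic on any libc.

```c
#include <errno.h>
#include <stdlib.h>

/* Minimal stand-in for the linker's destination section (hypothetical). */
struct dst_sec { void *raw_data; };   /* NULL until the first extension */

/* Models the glibc realloc() rules the commit message relies on, so the
 * demonstration behaves identically on every host libc:
 * realloc(NULL, 0) returns a unique pointer that must later be free()d;
 * realloc(p, 0) with p != NULL frees p and returns NULL. */
static void *model_realloc(void *p, size_t n)
{
	if (n != 0)
		return realloc(p, n);
	free(p);                      /* free(NULL) is a no-op */
	return p ? NULL : malloc(1);  /* stand-in for a zero-size block */
}

/* Buggy shape: every NULL is treated as out-of-memory. For a zero-size
 * request the old block was already released, so the early return leaves
 * dst->raw_data dangling and a later bpf_linker__free() frees it twice. */
static int extend_sec_buggy(struct dst_sec *dst, size_t dst_align_sz)
{
	void *tmp = model_realloc(dst->raw_data, dst_align_sz);
	if (!tmp)
		return -ENOMEM;       /* stale dst->raw_data survives */
	dst->raw_data = tmp;
	return 0;
}

/* Fixed shape: NULL means failure only when bytes were actually requested;
 * for dst_align_sz == 0 the result is stored, so no freed pointer survives. */
static int extend_sec_fixed(struct dst_sec *dst, size_t dst_align_sz)
{
	void *tmp = model_realloc(dst->raw_data, dst_align_sz);
	if (!tmp && dst_align_sz > 0)
		return -ENOMEM;
	dst->raw_data = tmp;
	return 0;
}

/* Replays the trigger: two inputs with an empty section of the same name.
 * Returns the second call's status; after 0 the caller may free() raw_data. */
static int link_two_empty_sections(int (*extend)(struct dst_sec *, size_t),
				   struct dst_sec *dst)
{
	dst->raw_data = NULL;
	if (extend(dst, 0) != 0)
		return -1;
	return extend(dst, 0);
}
```

With the fixed variant the second extension returns 0 and leaves raw_data NULL, so the final free() is a no-op; with the buggy variant it returns -ENOMEM while raw_data still holds the pointer that model_realloc() already released.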
Diffstat (limited to 'tools/bpf/bpftool/json_writer.c')
0 files changed, 0 insertions, 0 deletions
