Merge "Debian: libbpf: fix CVE-2022-3534/CVE-2022-3606"

2025-11-24 15:31:49 +00:00
parent 6c097bb822 4b66332c57
commit 692cc1f2f5
6 changed files with 203 additions and 0 deletions
--- a/base/libbpf/PKG-INFO
+++ b/base/libbpf/PKG-INFO
@@ -0,0 +1,15 @@
+Metadata-Version: 0.1
+Name: libbpf
+Version: 0.4.0-1
+Summary: libbpf
+Home-page: https://salsa.debian.org/sudip/libbpf
+Author: Sudip Mukherjee
+Author-email: sudipm.mukherjee@gmail.com
+License: LGPL-2.1
+
+Description:
+eBPF helper library (shared library)
+libbpf is a library for loading eBPF programs and reading and
+manipulating eBPF objects from user-space.
+
+Platform: UNKNOWN
--- a/base/libbpf/debian/meta_data.yaml
+++ b/base/libbpf/debian/meta_data.yaml
@@ -0,0 +1,11 @@
+---
+debname: libbpf
+debver: 0.4.0-1
+dl_path:
+  name: libbpf-debian-0.4.0-1.tar.gz
+  url: https://salsa.debian.org/sudip/libbpf/-/archive/debian/0.4.0-1/libbpf-debian-0.4.0-1.tar.gz
+  md5sum: 5f732b912a64410253ccab942749f01b
+  sha256sum: 6abacc8b8c896300531c9bea67b28a203be4692980edbaca24059776bfbbefa7
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true
--- a/base/libbpf/debian/patches/0001-libbpf-Fix-use-after-free-in-btf_dump_name_dups.patch
+++ b/base/libbpf/debian/patches/0001-libbpf-Fix-use-after-free-in-btf_dump_name_dups.patch
@@ -0,0 +1,137 @@
+From 947de57ded525376d793e5e340c968ccbb35fbcf Mon Sep 17 00:00:00 2001
+From: Xu Kuohai <xukuohai@huawei.com>
+Date: Tue, 11 Oct 2022 08:01:03 -0400
+Subject: [PATCH 1/2] libbpf: Fix use-after-free in btf_dump_name_dups
+
+ASAN reports an use-after-free in btf_dump_name_dups:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0xffff927006db at pc 0xaaaab5dfb618 bp 0xffffdd89b890 sp 0xffffdd89b928
+READ of size 2 at 0xffff927006db thread T0
+    #0 0xaaaab5dfb614 in __interceptor_strcmp.part.0 (test_progs+0x21b614)
+    #1 0xaaaab635f144 in str_equal_fn tools/lib/bpf/btf_dump.c:127
+    #2 0xaaaab635e3e0 in hashmap_find_entry tools/lib/bpf/hashmap.c:143
+    #3 0xaaaab635e72c in hashmap__find tools/lib/bpf/hashmap.c:212
+    #4 0xaaaab6362258 in btf_dump_name_dups tools/lib/bpf/btf_dump.c:1525
+    #5 0xaaaab636240c in btf_dump_resolve_name tools/lib/bpf/btf_dump.c:1552
+    #6 0xaaaab6362598 in btf_dump_type_name tools/lib/bpf/btf_dump.c:1567
+    #7 0xaaaab6360b48 in btf_dump_emit_struct_def tools/lib/bpf/btf_dump.c:912
+    #8 0xaaaab6360630 in btf_dump_emit_type tools/lib/bpf/btf_dump.c:798
+    #9 0xaaaab635f720 in btf_dump__dump_type tools/lib/bpf/btf_dump.c:282
+    #10 0xaaaab608523c in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:236
+    #11 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
+    #12 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
+    #13 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
+    #14 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
+    #15 0xaaaab5d65990  (test_progs+0x185990)
+
+0xffff927006db is located 11 bytes inside of 16-byte region [0xffff927006d0,0xffff927006e0)
+freed by thread T0 here:
+    #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
+    #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
+    #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
+    #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
+    #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
+    #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
+    #6 0xaaaab6353e10 in btf__add_field tools/lib/bpf/btf.c:2032
+    #7 0xaaaab6084fcc in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:232
+    #8 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
+    #9 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
+    #10 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
+    #11 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
+    #12 0xaaaab5d65990  (test_progs+0x185990)
+
+previously allocated by thread T0 here:
+    #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
+    #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
+    #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
+    #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
+    #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
+    #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
+    #6 0xaaaab6353ff0 in btf_add_enum_common tools/lib/bpf/btf.c:2070
+    #7 0xaaaab6354080 in btf__add_enum tools/lib/bpf/btf.c:2102
+    #8 0xaaaab6082f50 in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:162
+    #9 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
+    #10 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
+    #11 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
+    #12 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
+    #13 0xaaaab5d65990  (test_progs+0x185990)
+
+The reason is that the key stored in hash table name_map is a string
+address, and the string memory is allocated by realloc() function, when
+the memory is resized by realloc() later, the old memory may be freed,
+so the address stored in name_map references to a freed memory, causing
+use-after-free.
+
+Fix it by storing duplicated string address in name_map.
+
+Fixes: 919d2b1dbb07 ("libbpf: Allow modification of BTF and add btf__add_str API")
+Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/bpf/20221011120108.782373-2-xukuohai@huaweicloud.com
+Signed-off-by: Iulian Mocanu <iulian.mocanu@windriver.com>
+---
+ src/btf_dump.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/src/btf_dump.c b/src/btf_dump.c
+index 5e2809d..11ba924 100644
+--- a/src/btf_dump.c
+++ b/src/btf_dump.c
+@@ -188,6 +188,17 @@ static int btf_dump_resize(struct btf_dump *d)
+ 	return 0;
+ }
+ 
+static void btf_dump_free_names(struct hashmap *map)
+{
+	size_t bkt;
+	struct hashmap_entry *cur;
+
+	hashmap__for_each_entry(map, cur, bkt)
+		free((void *)cur->key);
+
+	hashmap__free(map);
+}
+
+ void btf_dump__free(struct btf_dump *d)
+ {
+ 	int i;
+@@ -206,8 +217,8 @@ void btf_dump__free(struct btf_dump *d)
+ 	free(d->cached_names);
+ 	free(d->emit_queue);
+ 	free(d->decl_stack);
+-	hashmap__free(d->type_names);
+-	hashmap__free(d->ident_names);
+	btf_dump_free_names(d->type_names);
+	btf_dump_free_names(d->ident_names);
+ 
+ 	free(d);
+ }
+@@ -1396,11 +1407,23 @@ static void btf_dump_emit_type_chain(struct btf_dump *d,
+ static size_t btf_dump_name_dups(struct btf_dump *d, struct hashmap *name_map,
+ 				 const char *orig_name)
+ {
+	char *old_name, *new_name;
+ 	size_t dup_cnt = 0;
+	int err;
+
+	new_name = strdup(orig_name);
+	if (!new_name)
+		return 1;
+ 
+ 	hashmap__find(name_map, orig_name, (void **)&dup_cnt);
+ 	dup_cnt++;
+-	hashmap__set(name_map, orig_name, (void *)dup_cnt, NULL, NULL);
+
+	err = hashmap__set(name_map, new_name, (void *)dup_cnt,
+			   (const void **)&old_name, NULL);
+	if (err)
+		free(new_name);
+
+	free(old_name);
+ 
+ 	return dup_cnt;
+ }
+-- 
+2.47.3
+
--- a/base/libbpf/debian/patches/0002-libbpf-Fix-null-pointer-dereference-in-find_prog_by_.patch
+++ b/base/libbpf/debian/patches/0002-libbpf-Fix-null-pointer-dereference-in-find_prog_by_.patch
@@ -0,0 +1,37 @@
+From e13c23b7db2d12cf4adf138f992eeca7f9488bee Mon Sep 17 00:00:00 2001
+From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Date: Wed, 12 Oct 2022 10:23:53 +0800
+Subject: [PATCH 2/2] libbpf: Fix null-pointer dereference in
+ find_prog_by_sec_insn()
+
+When there are no program sections, obj->programs is left unallocated,
+and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL,
+and will cause null-pointer dereference in the following access to
+prog->sec_idx.
+
+Guard the search with obj->nr_programs similar to what's being done in
+__bpf_program__iter() to prevent null-pointer access from happening.
+
+Fixes: db2b8b06423c ("libbpf: Support CO-RE relocations for multi-prog sections")
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.com
+Signed-off-by: Iulian Mocanu <iulian.mocanu@windriver.com>
+---
+ src/libbpf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: libbpf-0.4.0/src/libbpf.c
+===================================================================
+--- libbpf-0.4.0.orig/src/libbpf.c
+++ libbpf-0.4.0/src/libbpf.c
+@@ -3724,6 +3724,9 @@ static struct bpf_program *find_prog_by_
+ 	int l = 0, r = obj->nr_programs - 1, m;
+ 	struct bpf_program *prog;
+ 
+	if (!obj->nr_programs)
+		return NULL;
+
+ 	while (l < r) {
+ 		m = l + (r - l + 1) / 2;
+ 		prog = &obj->programs[m];
--- a/base/libbpf/debian/patches/series
+++ b/base/libbpf/debian/patches/series
@@ -0,0 +1,2 @@
+0001-libbpf-Fix-use-after-free-in-btf_dump_name_dups.patch
+0002-libbpf-Fix-null-pointer-dereference-in-find_prog_by_.patch
--- a/1
+++ b/1
@@ -3,6 +3,7 @@ base/cluster-resource-agents
 base/dhcp
 base/dnsmasq
 base/haproxy
+base/libbpf
 base/libfdt
 base/lighttpd
 base/linuxptp