[backport]backport patches from upstream

backport-libbpf-disassociate-section-handler-on-explicit-bpf_.patch backport-libbpf-Use-correct-return-pointer-in-attach_raw_tp.patch backport-libbpf-Use-elf_getshdrnum-instead-of-e_shnum.patch
2023-05-13 11:26:06 +08:00 · 2023-05-13 11:26:06 +08:00 · 3411589e85
commit 3411589e85
parent eab96bfae5
4 changed files with 178 additions and 1 deletions
--- a/backport-libbpf-Use-correct-return-pointer-in-attach_raw_tp.patch
+++ b/backport-libbpf-Use-correct-return-pointer-in-attach_raw_tp.patch
@ -0,0 +1,35 @@
+From eb77c7210b8fd8af593c5da918bbbc7c36fb5814 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa <jolsa@kernel.org>
+Date: Mon, 14 Nov 2022 15:52:57 +0100
+Subject: [PATCH] libbpf: Use correct return pointer in attach_raw_tp
+
+We need to pass '*link' to final libbpf_get_error,
+because that one holds the return value, not 'link'.
+
+Fixes: 4fa5bcfe07f7 ("libbpf: Allow BPF program auto-attach handlers to bail out")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20221114145257.882322-1-jolsa@kernel.org
+
+Conflict:NA
+Reference:https://github.com/libbpf/libbpf/commit/eb77c7210b8fd8af593c5da918bbbc7c36fb5814
+---
+ src/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libbpf.c b/src/libbpf.c
+index b5df6ac..e17867d 100644
+--- a/src/libbpf.c
+++ b/src/libbpf.c
+@@ -11234,7 +11234,7 @@ static int attach_raw_tp(const struct bpf_program *prog, long cookie, struct bpf
+ 	}
+ 
+ 	*link = bpf_program__attach_raw_tracepoint(prog, tp_name);
+-	return libbpf_get_error(link);
+	return libbpf_get_error(*link);
+ }
+ 
+ /* Common logic for all BPF program types that attach to a btf_id */
+-- 
+2.33.0
+
--- a/backport-libbpf-Use-elf_getshdrnum-instead-of-e_shnum.patch
+++ b/backport-libbpf-Use-elf_getshdrnum-instead-of-e_shnum.patch
@ -0,0 +1,84 @@
+From 741277511035893c72a34df05da3b943afa747a4 Mon Sep 17 00:00:00 2001
+From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Date: Wed, 12 Oct 2022 10:23:51 +0800
+Subject: [PATCH] libbpf: Use elf_getshdrnum() instead of e_shnum
+
+This commit replace e_shnum with the elf_getshdrnum() helper to fix two
+oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both
+reports are incorrectly marked as fixed and while still being
+reproducible in the latest libbpf.
+
+  # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
+  libbpf: loading object 'fuzz-object' from buffer
+  libbpf: sec_cnt is 0
+  libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
+  libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
+  =================================================================
+  ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
+  WRITE of size 4 at 0x6020000000c0 thread T0
+  SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
+      #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
+      #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
+      #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
+      ...
+
+The issue lie in libbpf's direct use of e_shnum field in ELF header as
+the section header count. Where as libelf implemented an extra logic
+that, when e_shnum == 0 && e_shoff != 0, will use sh_size member of the
+initial section header as the real section header count (part of ELF
+spec to accommodate situation where section header counter is larger
+than SHN_LORESERVE).
+
+The above inconsistency lead to libbpf writing into a zero-entry calloc
+area. So intead of using e_shnum directly, use the elf_getshdrnum()
+helper provided by libelf to retrieve the section header counter into
+sec_cnt.
+
+Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic")
+Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
+Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
+Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
+Link: https://lore.kernel.org/bpf/20221012022353.7350-2-shung-hsi.yu@suse.com
+Conflict:context adaption
+Reference:https://github.com/libbpf/libbpf/commit/741277511035893c72a34df05da3b943afa747a4
+---
+ src/libbpf.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/libbpf.c b/src/libbpf.c
+index 184ce16..2e8ac13 100644
+--- a/src/libbpf.c
+++ b/src/libbpf.c
+@@ -597,7 +597,7 @@ struct elf_state {
+ 	size_t shstrndx; /* section index for section name strings */
+ 	size_t strtabidx;
+ 	struct elf_sec_desc *secs;
+-	int sec_cnt;
+	size_t sec_cnt;
+ 	int maps_shndx;
+	int btf_maps_shndx;
+ 	__u32 btf_maps_sec_btf_id;
+@@ -3312,10 +3312,15 @@ static int bpf_object__elf_collect(struct bpf_object *obj)
+ 	Elf64_Shdr *sh;
+ 
+ 	/* ELF section indices are 0-based, but sec #0 is special "invalid"
+-	 * section. e_shnum does include sec #0, so e_shnum is the necessary
+-	 * size of an array to keep all the sections.
+	 * section. Since section count retrieved by elf_getshdrnum() does
+	 * include sec #0, it is already the necessary size of an array to keep
+	 * all the sections.
+ 	 */
+-	obj->efile.sec_cnt = obj->efile.ehdr->e_shnum;
+	if (elf_getshdrnum(obj->efile.elf, &obj->efile.sec_cnt)) {
+		pr_warn("elf: failed to get the number of sections for %s: %s\n",
+			obj->path, elf_errmsg(-1));
+		return -LIBBPF_ERRNO__FORMAT;
+	}
+ 	obj->efile.secs = calloc(obj->efile.sec_cnt, sizeof(*obj->efile.secs));
+ 	if (!obj->efile.secs)
+ 		return -ENOMEM;
+-- 
+2.33.0
+
--- a/backport-libbpf-disassociate-section-handler-on-explicit-bpf_.patch
+++ b/backport-libbpf-disassociate-section-handler-on-explicit-bpf_.patch
@ -0,0 +1,49 @@
+From 3fd6eebb2d4d10546f0dc89cbc14ad110c4e5717 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Mon, 27 Mar 2023 11:52:00 -0700
+Subject: [PATCH] libbpf: disassociate section handler on explicit
+ bpf_program__set_type() call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If user explicitly overrides programs's type with
+bpf_program__set_type() API call, we need to disassociate whatever
+SEC_DEF handler libbpf determined initially based on program's SEC()
+definition, as it's not goind to be valid anymore and could lead to
+crashes and/or confusing failures.
+
+Also, fix up bpf_prog_test_load() helper in selftests/bpf, which is
+force-setting program type (even if that's completely unnecessary; this
+is quite a legacy piece of code), and thus should expect auto-attach to
+not work, yet one of the tests explicitly relies on auto-attach for
+testing.
+
+Instead, force-set program type only if it differs from the desired one.
+
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20230327185202.1929145-2-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Müller <deso@posteo.net>
+
+Conflict:NA
+Reference:https://github.com/libbpf/libbpf/commit/3fd6eebb2d4d10546f0dc89cbc14ad110c4e5717
+---
+ src/libbpf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libbpf.c b/src/libbpf.c
+index 15737d7..49cd304 100644
+--- a/src/libbpf.c
+++ b/src/libbpf.c
+@@ -8468,6 +8468,7 @@ int bpf_program__set_type(struct bpf_program *prog, enum bpf_prog_type type)
+ 		return libbpf_err(-EBUSY);
+ 
+ 	prog->type = type;
+	prog->sec_def = NULL;
+ 	return 0;
+ }
+ 
+-- 
+2.33.0
+
--- a/libbpf.spec
+++ b/libbpf.spec
@ -4,7 +4,7 @@

 Name:           %{githubname}
 Version:        %{githubver}
-Release:        7
+Release:        8
 Summary:        Libbpf library

 License:        LGPLv2 or BSD
@ -27,6 +27,9 @@ Patch0011:      backport-libbpf-Handle-size-overflow-for-ringbuf-mmap.patch
 Patch0012:      backport-libbpf-Use-page-size-as-max_entries-when-probing-rin.patch
 Patch0013:      backport-libbpf-Fix-alen-calculation-in-libbpf_nla_dump_error.patch
 Patch0014:      backport-libbpf-Disable-SEC-pragma-macro-on-GCC.patch
+Patch0015:      backport-libbpf-disassociate-section-handler-on-explicit-bpf_.patch
+Patch0016:      backport-libbpf-Use-correct-return-pointer-in-attach_raw_tp.patch
+Patch0017:      backport-libbpf-Use-elf_getshdrnum-instead-of-e_shnum.patch

 # This package supersedes libbpf from kernel-tools,
 # which has default Epoch: 0. By having Epoch: 1
@ -79,6 +82,12 @@ developing applications that use %{name}
 %{_libdir}/libbpf.a

 %changelog
+* Sat May 13 2023 zhangmingyi <zhangmingyi5@huawei.com> -2:0.8.1-8
+- backport patches from upstream:
+  backport-libbpf-disassociate-section-handler-on-explicit-bpf_.patch
+  backport-libbpf-Use-correct-return-pointer-in-attach_raw_tp.patch
+  backport-libbpf-Use-elf_getshdrnum-instead-of-e_shnum.patch
+
 * Fri May 12 2023 zhangmingyi <zhangmingyi5@huawei.com> -2:0.8.1-7
 - backport patches from upstream:
  backport-libbpf-Disable-SEC-pragma-macro-on-GCC.patch