Smatch: potential NULL pointer dereferencing in prog_dump() #157

Open
qmonnet opened this issue Sep 2, 2024 · 0 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@qmonnet
Member

qmonnet commented Sep 2, 2024

Commit b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info
during prog dump") from Dec 7, 2018 (linux-next), leads to the
following Smatch static checker warning:

	./tools/bpf/bpftool/prog.c:827 prog_dump()
	error: we previously assumed 'ksyms' could be null (see line 793)

tools/bpf/bpftool/prog.c
    775                 if (info->nr_jited_func_lens && info->jited_func_lens) {
    776                         struct kernel_sym *sym = NULL;
    777                         struct bpf_func_info *record;
    778                         char sym_name[SYM_MAX_NAME];
    779                         unsigned char *img = buf;
    780                         __u64 *ksyms = NULL;
    781                         __u32 *lens;
    782                         __u32 i;
    783                         if (info->nr_jited_ksyms) {
    784                                 kernel_syms_load(&dd);
    785                                 ksyms = u64_to_ptr(info->jited_ksyms);
    786                         }

ksyms is NULL on else path

    787 
    788                         if (json_output)
    789                                 jsonw_start_array(json_wtr);
    790 
    791                         lens = u64_to_ptr(info->jited_func_lens);
    792                         for (i = 0; i < info->nr_jited_func_lens; i++) {
    793                                 if (ksyms) {
    794                                         sym = kernel_syms_search(&dd, ksyms[i]);
    795                                         if (sym)
    796                                                 sprintf(sym_name, "%s", sym->name);
    797                                         else
    798                                                 sprintf(sym_name, "0x%016llx", ksyms[i]);
    799                                 } else {
    800                                         strcpy(sym_name, "unknown");
    801                                 }
    802 
    803                                 if (func_info) {
    804                                         record = func_info + i * info->func_info_rec_size;
    805                                         btf_dumper_type_only(btf, record->type_id,
    806                                                              func_sig,
    807                                                              sizeof(func_sig));
    808                                 }
    809 
    810                                 if (json_output) {
    811                                         jsonw_start_object(json_wtr);
    812                                         if (func_info && func_sig[0] != '\0') {
    813                                                 jsonw_name(json_wtr, "proto");
    814                                                 jsonw_string(json_wtr, func_sig);
    815                                         }
    816                                         jsonw_name(json_wtr, "name");
    817                                         jsonw_string(json_wtr, sym_name);
    818                                         jsonw_name(json_wtr, "insns");
    819                                 } else {
    820                                         if (func_info && func_sig[0] != '\0')
    821                                                 printf("%s:\n", func_sig);
    822                                         printf("%s:\n", sym_name);
    823                                 }
    824 
    825                                 if (disasm_print_insn(img, lens[i], opcodes,
    826                                                       name, disasm_opt, btf,
--> 827                                                       prog_linfo, ksyms[i], i,
                                                                          ^^^^^^^^
Dereferenced

    828                                                       linum))
    829                                         goto exit_free;
    830 
    831                                 img += lens[i];
    832 
    833                                 if (json_output)
    834                                         jsonw_end_object(json_wtr);
    835                                 else
    836                                         printf("\n");
    837                         }
    838 
    839                         if (json_output)
    840                                 jsonw_end_array(json_wtr);
    841                 } else {
    842                         if (disasm_print_insn(buf, member_len, opcodes, name,
    843                                               disasm_opt, btf, NULL, 0, 0,
    844                                               false))
    845                                 goto exit_free;
    846                 }

https://lore.kernel.org/bpf/[email protected]/

@qmonnet qmonnet added bug Something isn't working good first issue Good for newcomers labels Sep 2, 2024
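The report above shows the two paths into the loop: `ksyms` is set only when `info->nr_jited_ksyms` is non-zero, yet `ksyms[i]` is read unconditionally at line 827. The following is an added example, not bpftool's code, that reduces the loop to the fields it reads and guards the lookup so a NULL `ksyms` yields address 0 (the same value the single-function path already passes to `disasm_print_insn()`). `struct prog_info`, `fake_kernel_syms_search()` and the symbol table are constructed stand-ins for `bpf_prog_info`, `kernel_syms_search()` and the live kallsyms data.

```c
/* Added example (not bpftool's code): the prog_dump() loop reduced to the
 * part Smatch flagged, with a NULL-safe read of ksyms[i]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SYM_MAX_NAME 256

/* Constructed stand-in for the bpf_prog_info fields the loop consults. */
struct prog_info {
	uint32_t nr_jited_func_lens;
	const uint32_t *jited_func_lens;
	uint32_t nr_jited_ksyms;
	const uint64_t *jited_ksyms;   /* NULL when the kernel reported no ksyms */
};

/* One processed function: the name printed and the address handed on. */
struct func_out {
	char sym_name[SYM_MAX_NAME];
	uint64_t ksym;
};

/* Constructed stand-in for kernel_syms_search(): a two-entry symbol table. */
static const char *fake_kernel_syms_search(uint64_t addr)
{
	if (addr == 0xffffffffc0001000ULL) return "bpf_prog_abc_first";
	if (addr == 0xffffffffc0002000ULL) return "bpf_prog_abc_second";
	return NULL;
}

/* Walks the JITed functions the way prog_dump() does, but never indexes a
 * NULL ksyms array. Returns the number of functions processed, or -1 when the
 * input is unusable (no per-function lengths, or more entries than 'max'). */
int dump_funcs(const struct prog_info *info, struct func_out *out, size_t max)
{
	const uint64_t *ksyms = NULL;
	uint32_t i;

	if (!info->nr_jited_func_lens || !info->jited_func_lens)
		return -1;
	if (info->nr_jited_func_lens > max)
		return -1;

	/* Same shape as the original: ksyms stays NULL on the else path. */
	if (info->nr_jited_ksyms)
		ksyms = info->jited_ksyms;

	for (i = 0; i < info->nr_jited_func_lens; i++) {
		struct func_out *o = &out[i];

		if (ksyms) {
			const char *name = fake_kernel_syms_search(ksyms[i]);
			if (name)
				snprintf(o->sym_name, sizeof(o->sym_name), "%s", name);
			else
				snprintf(o->sym_name, sizeof(o->sym_name), "0x%016llx",
					 (unsigned long long)ksyms[i]);
		} else {
			strcpy(o->sym_name, "unknown");
		}

		/* The guard the report asks for: read ksyms[i] only when the
		 * array exists, otherwise pass 0 like the single-function path. */
		o->ksym = ksyms ? ksyms[i] : 0;
	}
	return (int)i;
}

/* Scenario from the report: per-function lengths present, no ksyms. */
int check_without_ksyms(void)
{
	static const uint32_t lens[] = { 64, 32 };
	struct prog_info info = { 2, lens, 0, NULL };
	struct func_out out[2];

	if (dump_funcs(&info, out, 2) != 2) return 0;
	return strcmp(out[0].sym_name, "unknown") == 0 && out[0].ksym == 0 &&
	       strcmp(out[1].sym_name, "unknown") == 0 && out[1].ksym == 0;
}

/* Normal case: one resolvable symbol, one address with no kallsyms entry. */
int check_with_ksyms(void)
{
	static const uint32_t lens[] = { 64, 32 };
	static const uint64_t ks[] = { 0xffffffffc0001000ULL, 0xffffffffc0009000ULL };
	struct prog_info info = { 2, lens, 2, ks };
	struct func_out out[2];

	if (dump_funcs(&info, out, 2) != 2) return 0;
	return strcmp(out[0].sym_name, "bpf_prog_abc_first") == 0 && out[0].ksym == ks[0] &&
	       strcmp(out[1].sym_name, "0xffffffffc0009000") == 0 && out[1].ksym == ks[1];
}

int main(void)
{
	printf("without ksyms: %s\n", check_without_ksyms() ? "ok" : "FAIL");
	printf("with ksyms:    %s\n", check_with_ksyms() ? "ok" : "FAIL");
	return 0;
}
```

The `ksyms ? ksyms[i] : 0` expression is the whole of the change needed at line 827; the rest of the block exists only to show that the `nr_jited_ksyms == 0` path, which `kernel_syms_load()` never runs for, now completes with "unknown" names and a zero address instead of a crash.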