diff options
author | Andrii Nakryiko <andrii@kernel.org> | 2021-12-14 04:00:32 +0300 |
---|---|---|
committer | Daniel Borkmann <daniel@iogearbox.net> | 2021-12-14 17:37:58 +0300 |
commit | 4581e676d3be9d8c921a48bf18e92c5a8f31bf13 (patch) | |
tree | a4084e42da2abbc4a1725b9e2d98fa7467cfe12e | |
parent | d27a662290963a1cde26cdfdbac71a546c06e94a (diff) | |
download | linux-4581e676d3be9d8c921a48bf18e92c5a8f31bf13.tar.xz |
libbpf: Fix potential uninit memory read
In case of BPF_CORE_TYPE_ID_LOCAL we fill out target result explicitly.
But targ_res itself isn't initialized in such a case, and subsequent
call to bpf_core_patch_insn() might read uninitialized field (like
fail_memsz_adjust in this case). So ensure that targ_res is
zero-initialized for BPF_CORE_TYPE_ID_LOCAL case.
This was reported by Coverity static analyzer.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211214010032.3843804-1-andrii@kernel.org
-rw-r--r-- | tools/lib/bpf/relo_core.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/tools/lib/bpf/relo_core.c b/tools/lib/bpf/relo_core.c index c770483b4c36..910865e29edc 100644 --- a/tools/lib/bpf/relo_core.c +++ b/tools/lib/bpf/relo_core.c @@ -1223,6 +1223,7 @@ int bpf_core_apply_relo_insn(const char *prog_name, struct bpf_insn *insn, /* TYPE_ID_LOCAL relo is special and doesn't need candidate search */ if (relo->kind == BPF_CORE_TYPE_ID_LOCAL) { /* bpf_insn's imm value could get out of sync during linking */ + memset(&targ_res, 0, sizeof(targ_res)); targ_res.validate = false; targ_res.poison = false; targ_res.orig_val = local_spec->root_type_id; |