| author | Andrii Nakryiko <andrii@kernel.org> | 2021-11-03 20:32:11 +0300 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2021-11-03 23:25:37 +0300 |
| commit | 62554d52e71797eefa3fc15b54008038837bb2d4 (patch) | |
| tree | bca9ea3dbbbc86ca5a738ed497a31dbc0b32871e | |
| parent | 88918dc12dc357a06d8d722a684617b1c87a4654 (diff) | |
| download | linux-62554d52e71797eefa3fc15b54008038837bb2d4.tar.xz | |
libbpf: Validate that .BTF and .BTF.ext sections contain data
.BTF and .BTF.ext ELF sections should have SHT_PROGBITS type and contain
data. If they are not, ELF is invalid or corrupted, so bail out.
Otherwise this can lead to data->d_buf being NULL and SIGSEGV later on.
Reported by oss-fuzz project.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20211103173213.1376990-4-andrii@kernel.org
| -rw-r--r-- | tools/lib/bpf/libbpf.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index f836a1936597..0dc6465271ce 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -3270,8 +3270,12 @@ static int bpf_object__elf_collect(struct bpf_object *obj) } else if (strcmp(name, MAPS_ELF_SEC) == 0) { obj->efile.btf_maps_shndx = idx; } else if (strcmp(name, BTF_ELF_SEC) == 0) { + if (sh->sh_type != SHT_PROGBITS) + return -LIBBPF_ERRNO__FORMAT; btf_data = data; } else if (strcmp(name, BTF_EXT_ELF_SEC) == 0) { + if (sh->sh_type != SHT_PROGBITS) + return -LIBBPF_ERRNO__FORMAT; btf_ext_data = data; } else if (sh->sh_type == SHT_SYMTAB) { /* already processed during the first pass above */ |
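Review bot: Both new checks, in the BTF_ELF_SEC and BTF_EXT_ELF_SEC branches of bpf_object__elf_collect(), test only sh->sh_type, while the commit message names data->d_buf being NULL as the actual failure and says the sections must "contain data". If a SHT_PROGBITS section with an empty body can still reach this point, btf_data or btf_ext_data would be assigned with no buffer behind it, so consider testing data->d_buf and data->d_size alongside the type before the assignment. The early "return -LIBBPF_ERRNO__FORMAT;" is also silent: a warning that names the offending section (for example via pr_warn, with name and sh->sh_type) before returning would let a user tell which section of a corrupted object was rejected.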
