bpf: fix uninitialized value usage
It was reported by clang with the option -fsanitize=memory:

Uninitialized bytes in MemcmpInterceptorCommon at offset 0 inside [0x7070000002a0, 56)
==3791089==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x482a2c in memcmp (fuzzer+0x482a2c)
    #1 0x7fed2f120ebb in _hsh_add src/libseccomp/src/gen_bpf.c:598:9
    #2 0x7fed2f121715 in _gen_bpf_action_hsh src/libseccomp/src/gen_bpf.c:796:6
    #3 0x7fed2f121a53 in _gen_bpf_node src/libseccomp/src/gen_bpf.c:831:11
    #4 0x7fed2f121a53 in _gen_bpf_chain.isra.0 src/libseccomp/src/gen_bpf.c:1072:13
    #5 0x7fed2f121f16 in _gen_bpf_chain_lvl_res src/libseccomp/src/gen_bpf.c:977:12
    #6 0x7fed2f121c74 in _gen_bpf_chain.isra.0 src/libseccomp/src/gen_bpf.c:1124:12
    #7 0x7fed2f12253c in _gen_bpf_syscall src/libseccomp/src/gen_bpf.c:1520:10
    #8 0x7fed2f12253c in _gen_bpf_syscalls src/libseccomp/src/gen_bpf.c:1615:18
    #9 0x7fed2f12253c in _gen_bpf_arch src/libseccomp/src/gen_bpf.c:1683:7
    #10 0x7fed2f12253c in _gen_bpf_build_bpf src/libseccomp/src/gen_bpf.c:2056:11
    #11 0x7fed2f12253c in gen_bpf_generate src/libseccomp/src/gen_bpf.c:2321:7
    #12 0x7fed2f11f41c in seccomp_export_bpf src/libseccomp/src/api.c:724:7

  Uninitialized value was created by a heap allocation
    #0 0x4547ef in realloc (fuzzer+0x4547ef)
    #1 0x7fed2f121244 in _blk_resize src/libseccomp/src/gen_bpf.c:362:8
    #2 0x7fed2f121244 in _blk_append src/libseccomp/src/gen_bpf.c:394:6

Signed-off-by: Giuseppe Scrivano <[email protected]>
giuseppe committed Mar 18, 2021
1 parent c305ef3 commit 064e793
Showing 3 changed files with 34 additions and 2 deletions.
10 changes: 8 additions & 2 deletions src/gen_bpf.c
Expand Up @@ -351,15 +351,18 @@ static struct bpf_blk *_blk_resize(struct bpf_state *state,
{
unsigned int size_adj = (AINC_BLK > size_add ? AINC_BLK : size_add);
struct bpf_instr *new;
size_t old_size, new_size;

if (blk == NULL)
return NULL;

if ((blk->blk_cnt + size_adj) <= blk->blk_alloc)
return blk;

old_size = blk->blk_alloc * sizeof(*new);
blk->blk_alloc += size_adj;
new = realloc(blk->blks, blk->blk_alloc * sizeof(*(blk->blks)));
new_size = blk->blk_alloc * sizeof(*new);
new = zrealloc(blk->blks, old_size, new_size);
if (new == NULL) {
_blk_free(state, blk);
return NULL;
Expand Down Expand Up @@ -443,10 +446,13 @@ static int _bpf_append_blk(struct bpf_program *prg, const struct bpf_blk *blk)
bpf_instr_raw *i_iter;
unsigned int old_cnt = prg->blk_cnt;
unsigned int iter;
size_t old_size, new_size;

/* (re)allocate the program memory */
old_size = BPF_PGM_SIZE(prg);
prg->blk_cnt += blk->blk_cnt;
i_new = realloc(prg->blks, BPF_PGM_SIZE(prg));
new_size = BPF_PGM_SIZE(prg);
i_new = zrealloc(prg->blks, old_size, new_size);
if (i_new == NULL) {
rc = -ENOMEM;
goto bpf_append_blk_failure;
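Review bot: The switch to `new = zrealloc(blk->blks, old_size, new_size);` carries no comment saying why the grown tail has to be zeroed, so a later reader optimising `_blk_resize` could revert it to plain realloc and silently reintroduce the use-of-uninitialized-value that the MSan trace in the description reports (memcmp in `_hsh_add` on bytes created by the realloc in `_blk_resize`). Suggest `/* zero the grown tail: blocks appear to be compared/hashed whole (see _hsh_add), so unused slots must not hold uninitialized bytes */` above the zrealloc call here, and a matching one-liner above the zrealloc in `_bpf_append_blk`. In `_bpf_append_blk`, `old_size` is taken before `prg->blk_cnt` grows, which is right, but because the count is bumped before the allocation succeeds the failure path must restore it from `old_cnt`; the `bpf_append_blk_failure` label is outside the hunk, so that is inferred rather than verified. Both `_blk_resize` and `_bpf_append_blk` start before and continue past their hunks.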
25 changes: 25 additions & 0 deletions src/helper.c
Expand Up @@ -47,3 +47,28 @@ void *zmalloc(size_t size)

return ptr;
}

/**
* Change the size of an allocated buffer
* @param ptr pointer to the allocated buffer. If NULL it is equivalent to zmalloc.
* @param old_size the current size of the allocated buffer
* @param size the new size of the buffer
*
* This function changes the size of an allocated memory buffer and return a pointer
* to the buffer on success, the new buffer portion is initialized to zero. NULL is
* returned on failure. The returned buffer could be different than the specified
* ptr param.
*
*/
void *zrealloc(void *ptr, size_t old_size, size_t size)
{
/* NOTE: unlike malloc() zero size allocations always return NULL */
if (size == 0)
return NULL;

ptr = realloc(ptr, size);
if (!ptr)
return NULL;
memset(ptr + old_size, 0, size - old_size);
return ptr;
}
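Review bot: `memset(ptr + old_size, 0, size - old_size);` assumes `size >= old_size`; a caller that shrinks the buffer makes `size - old_size` wrap to a huge `size_t` and the memset writes far past the new allocation, and arithmetic on `void *` is a GNU extension rather than standard C. Guard and cast: `if (size > old_size)` / `memset((char *)ptr + old_size, 0, size - old_size);`. The same assumption applies when `ptr` is NULL: the header comment says this is equivalent to zmalloc, which only holds when `old_size` is 0, so the `@param old_size` line should add `must be 0 when ptr is NULL`. Since the parameter `ptr` is overwritten locally, the comment could also state that on failure the caller's original buffer is still valid and remains the caller's to free, and that the `size == 0` case returns NULL without freeing it.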
1 change: 1 addition & 0 deletions src/helper.h
Expand Up @@ -23,5 +23,6 @@
#define _FILTER_HELPER_H

void *zmalloc(size_t size);
void *zrealloc(void *ptr, size_t old_size, size_t size);

#endif
