git.ipfire.org Git - thirdparty/kernel/stable.git/commit
libbpf: Fix possible use-after-free for externs
author Adin Scannell <amscanne@meta.com>
Wed, 25 Jun 2025 05:02:15 +0000 (22:02 -0700)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 6 Jul 2025 09:00:12 +0000 (11:00 +0200)
commit ad9c4941d32e1c35d878b50a2e7036282b8a213a
tree ed3505b96211eef0daf85ed3d6b94f2bfd813abb
parent c61e284d72d68171686ac0846e92aa420e9eb5d0
libbpf: Fix possible use-after-free for externs

[ Upstream commit fa6f092cc0a02d0fcee37e9e8172eda372a03d33 ]

The `name` field in `obj->externs` points into the BTF data at initial
open time. However, some functions may invalidate this after opening and
before loading (e.g. `bpf_map__set_value_size`), which results in
pointers into freed memory and undefined behavior.

The simplest solution is to simply `strdup` these strings, similar to
the `essent_name`, and free them at the same time.

In order to test this path, the `global_map_resize` BPF selftest is
modified slightly to ensure the presence of an extern, which causes this
test to fail prior to the fix. Given there isn't an obvious API or error
to test against, I opted to add this to the existing test as an aspect
of the resizing feature rather than duplicate the test.

Fixes: 9d0a23313b1a ("libbpf: Add capability for resizing datasec maps")
Signed-off-by: Adin Scannell <amscanne@meta.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250625050215.2777374-1-amscanne@meta.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
tools/lib/bpf/libbpf.c
tools/testing/selftests/bpf/progs/test_global_map_resize.c
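
The lifetime problem described in the commit message, shown as an added example that is not code from the commit or from libbpf: a name that aliases storage which is later rebuilt dangles, while a private copy taken up front stays valid. `struct blob`, `dup_str`, `blob_grow`, `in_blob` and `name_valid_after_resize` are hypothetical names, and the string "my_extern" is constructed sample data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for string data that a later API call may rebuild. */
struct blob { char *data; size_t len; };

/* Same job as strdup(), written out so the block needs only ISO C. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Rebuild the blob in fresh storage, then free the old storage. */
static int blob_grow(struct blob *b, size_t extra)
{
    char *n = calloc(1, b->len + extra);
    if (!n) return -1;
    memcpy(n, b->data, b->len);
    free(b->data);
    b->data = n;
    b->len += extra;
    return 0;
}

static int in_blob(const struct blob *b, uintptr_t addr)
{
    uintptr_t base = (uintptr_t)b->data;
    return addr >= base && addr < base + b->len;
}

/* 1: name still readable after the rebuild, 0: it dangles, -1: out of memory. */
int name_valid_after_resize(int use_copy)
{
    struct blob b = { dup_str("my_extern"), sizeof("my_extern") };
    uintptr_t borrowed;   /* address an aliasing `name` pointer would hold */
    char *owned = NULL;   /* private copy, the approach the fix takes */
    int ok = -1;
    if (!b.data) return -1;
    borrowed = (uintptr_t)b.data;
    if (use_copy) owned = dup_str(b.data);
    if ((!use_copy || owned) && blob_grow(&b, 64) == 0)
        ok = use_copy ? strcmp(owned, "my_extern") == 0 : in_blob(&b, borrowed);
    free(owned);
    free(b.data);
    return ok;
}
```

The borrowed address is recorded as an integer while it is still valid and is only range-checked afterwards, so the example never reads freed memory. Building the real selftest under AddressSanitizer is the usual way to surface this class of bug in practice.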