bpf: fix NULL deref in btf_type_is_resolve_source_only

Commit 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec") added invocations of btf_type_is_resolve_source_only before btf_type_nosize_or_null which checks for the NULL pointer. Swap the order of btf_type_nosize_or_null and btf_type_is_resolve_source_only to make sure the do the NULL pointer check first. Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Stanislav Fomichev <sdf@google.com> Acked-by: Andrii Nakryiko <andriin@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: Stanislav Fomichev <sdf@google.com> 2019-06-19 15:01:05 -0400
committer: Daniel Borkmann <daniel@iogearbox.net> 2019-06-24 09:53:19 -0400
commit: e4f07120210a1794c1f1ae64d209a2fbc7bd2682 (patch)
tree: d606d6fca52f90e1729dc690f1ec88e705d89b93 /kernel/bpf
parent: 56f0f84e69c7a7f229dfa524b13b0ceb6ce9b09e (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index cad09858a5f2..546ebee39e2a 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -1928,8 +1928,8 @@ static int btf_array_resolve(struct btf_verifier_env *env,
        /* Check array->index_type */
        index_type_id = array->index_type;
        index_type = btf_type_by_id(btf, index_type_id);
-        if (btf_type_is_resolve_source_only(index_type) ||
+        if (btf_type_nosize_or_null(index_type) ||
-            btf_type_nosize_or_null(index_type)) {
+            btf_type_is_resolve_source_only(index_type)) {
                btf_verifier_log_type(env, v->t, "Invalid index");
                return -EINVAL;
        }
@@ -1948,8 +1948,8 @@ static int btf_array_resolve(struct btf_verifier_env *env,
        /* Check array->type */
        elem_type_id = array->type;
        elem_type = btf_type_by_id(btf, elem_type_id);
-        if (btf_type_is_resolve_source_only(elem_type) ||
+        if (btf_type_nosize_or_null(elem_type) ||
-            btf_type_nosize_or_null(elem_type)) {
+            btf_type_is_resolve_source_only(elem_type)) {
                btf_verifier_log_type(env, v->t,
                                      "Invalid elem");
                return -EINVAL;
@@ -2170,8 +2170,8 @@ static int btf_struct_resolve(struct btf_verifier_env *env,
                const struct btf_type *member_type = btf_type_by_id(env->btf,
                                                                member_type_id);
-                if (btf_type_is_resolve_source_only(member_type) ||
+                if (btf_type_nosize_or_null(member_type) ||
-                    btf_type_nosize_or_null(member_type)) {
+                    btf_type_is_resolve_source_only(member_type)) {
                        btf_verifier_log_member(env, v->t, member,
                                                "Invalid member");
                        return -EINVAL;
author	Stanislav Fomichev <sdf@google.com>	2019-06-19 15:01:05 -0400
committer	Daniel Borkmann <daniel@iogearbox.net>	2019-06-24 09:53:19 -0400
commit	e4f07120210a1794c1f1ae64d209a2fbc7bd2682 (patch)
tree	d606d6fca52f90e1729dc690f1ec88e705d89b93 /kernel/bpf
parent	56f0f84e69c7a7f229dfa524b13b0ceb6ce9b09e (diff)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index cad09858a5f2..546ebee39e2a 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c
@@ -1928,8 +1928,8 @@ static int btf_array_resolve(struct btf_verifier_env *env,
1928	/* Check array->index_type */	1928	/* Check array->index_type */
1929	index_type_id = array->index_type;	1929	index_type_id = array->index_type;
1930	index_type = btf_type_by_id(btf, index_type_id);	1930	index_type = btf_type_by_id(btf, index_type_id);
1931	if (btf_type_is_resolve_source_only(index_type) \|\|	1931	if (btf_type_nosize_or_null(index_type) \|\|
1932	btf_type_nosize_or_null(index_type)) {	1932	btf_type_is_resolve_source_only(index_type)) {
1933	btf_verifier_log_type(env, v->t, "Invalid index");	1933	btf_verifier_log_type(env, v->t, "Invalid index");
1934	return -EINVAL;	1934	return -EINVAL;
1935	}	1935	}
@@ -1948,8 +1948,8 @@ static int btf_array_resolve(struct btf_verifier_env *env,
1948	/* Check array->type */	1948	/* Check array->type */
1949	elem_type_id = array->type;	1949	elem_type_id = array->type;
1950	elem_type = btf_type_by_id(btf, elem_type_id);	1950	elem_type = btf_type_by_id(btf, elem_type_id);
1951	if (btf_type_is_resolve_source_only(elem_type) \|\|	1951	if (btf_type_nosize_or_null(elem_type) \|\|
1952	btf_type_nosize_or_null(elem_type)) {	1952	btf_type_is_resolve_source_only(elem_type)) {
1953	btf_verifier_log_type(env, v->t,	1953	btf_verifier_log_type(env, v->t,
1954	"Invalid elem");	1954	"Invalid elem");
1955	return -EINVAL;	1955	return -EINVAL;
@@ -2170,8 +2170,8 @@ static int btf_struct_resolve(struct btf_verifier_env *env,
2170	const struct btf_type *member_type = btf_type_by_id(env->btf,	2170	const struct btf_type *member_type = btf_type_by_id(env->btf,
2171	member_type_id);	2171	member_type_id);
2172		2172
2173	if (btf_type_is_resolve_source_only(member_type) \|\|	2173	if (btf_type_nosize_or_null(member_type) \|\|
2174	btf_type_nosize_or_null(member_type)) {	2174	btf_type_is_resolve_source_only(member_type)) {
2175	btf_verifier_log_member(env, v->t, member,	2175	btf_verifier_log_member(env, v->t, member,
2176	"Invalid member");	2176	"Invalid member");
2177	return -EINVAL;	2177	return -EINVAL;