libbpf-tools/bashreadline: Fix uninitialized stack data that leaks kernel pointers #5505
Open
vdasu wants to merge 1 commit into iovisor:master from
Pull request overview
This PR hardens libbpf-tools/bashreadline against leaking uninitialized BPF stack contents to userspace. It fits the codebase by fixing a security-sensitive issue in one of the libbpf-based tracing tools without changing the tool’s intended output format.
Changes:
- Zero-initialize the on-stack struct str_t before populating and emitting it.
- Capture and validate the return value of bpf_probe_read_user_str().
- Skip perf event emission when the user-string read fails, preventing stale stack bytes from reaching userspace.
bashreadline stack-allocates an 84-byte struct str_t (4-byte pid + 80-byte command buffer) without zero-initialization, then fills only data.pid and the prefix of data.str written by bpf_probe_read_user_str (which stops at the user string's terminating \0), and finally emits the entire struct via bpf_perf_event_output. The trailing bytes past the user string are never written by any source-level code path and hold stale kernel stack data. This leaks kernel pointers that are sufficient to break KASLR (tested on Linux 6.8 with clang 21).

A second related defect is that the bpf_probe_read_user_str return value is silently discarded. On helper failure, 0 bytes are written to data.str but the event is still emitted with the full 80 bytes of stack residue.

Zero-initializing the struct fixes the leak, and dealing with the unchecked helper return prevents failed reads from sending events to userspace.