Bug Summary

File:build-scan/../src/basic/bpf-program.c
Warning:line 156, column 25
Potential leak of memory pointed to by 'copy'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name bpf-program.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -menable-no-infs -menable-no-nans -menable-unsafe-fp-math -fno-signed-zeros -mreassociate -freciprocal-math -fdenormal-fp-math=preserve-sign,preserve-sign -ffp-contract=fast -fno-rounding-math -ffast-math -ffinite-math-only -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debugger-tuning=gdb -resource-dir /usr/lib64/clang/12.0.0 -include config.h -I src/basic/libbasic.a.p -I src/basic -I ../src/basic -I src/shared -I ../src/shared -I src/systemd -I ../src/systemd -I src/journal -I ../src/journal -I src/journal-remote -I ../src/journal-remote -I src/nspawn -I ../src/nspawn -I src/resolve -I ../src/resolve -I src/timesync -I ../src/timesync -I ../src/time-wait-sync -I src/login -I ../src/login -I src/udev -I ../src/udev -I src/libudev -I ../src/libudev -I src/core -I ../src/core -I ../src/libsystemd/sd-bus -I ../src/libsystemd/sd-device -I ../src/libsystemd/sd-hwdb -I ../src/libsystemd/sd-id128 -I ../src/libsystemd/sd-netlink -I ../src/libsystemd/sd-network -I src/libsystemd-network -I ../src/libsystemd-network -I . -I .. -I /usr/include/blkid -I /usr/include/libmount -D _FILE_OFFSET_BITS=64 -internal-isystem /usr/local/include -internal-isystem /usr/lib64/clang/12.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wwrite-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wno-format-signedness -Wno-error=nonnull -std=gnu99 -fconst-strings -fdebug-compilation-dir /home/mrc0mmand/repos/@redhat-plumbers/systemd-rhel8/build-scan -ferror-limit 19 -fvisibility default -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -analyzer-output=html -faddrsig -o /tmp/scan-build-2021-07-16-221226-1465241-1 -x c ../src/basic/bpf-program.c
1/* SPDX-License-Identifier: LGPL-2.1+ */
2
3#include <fcntl.h>
4#include <sys/stat.h>
5#include <sys/types.h>
6#include <unistd.h>
7
8#include "alloc-util.h"
9#include "bpf-program.h"
10#include "fd-util.h"
11#include "log.h"
12#include "missing.h"
13#include "path-util.h"
14#include "util.h"
15
16int bpf_program_new(uint32_t prog_type, BPFProgram **ret) {
17 _cleanup_(bpf_program_unrefp)__attribute__((cleanup(bpf_program_unrefp))) BPFProgram *p = NULL((void*)0);
18
19 p = new0(BPFProgram, 1)((BPFProgram*) calloc((1), sizeof(BPFProgram)));
20 if (!p)
21 return log_oom()log_oom_internal(LOG_REALM_SYSTEMD, "../src/basic/bpf-program.c"
, 21, __func__);
22
23 p->n_ref = 1;
24 p->prog_type = prog_type;
25 p->kernel_fd = -1;
26
27 *ret = TAKE_PTR(p)({ typeof(p) _ptr_ = (p); (p) = ((void*)0); _ptr_; });
28
29 return 0;
30}
31
32BPFProgram *bpf_program_ref(BPFProgram *p) {
33 if (!p)
34 return NULL((void*)0);
35
36 assert(p->n_ref > 0)do { if ((__builtin_expect(!!(!(p->n_ref > 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p->n_ref > 0"), "../src/basic/bpf-program.c"
, 36, __PRETTY_FUNCTION__); } while (0);
37 p->n_ref++;
38
39 return p;
40}
41
42BPFProgram *bpf_program_unref(BPFProgram *p) {
43 if (!p)
44 return NULL((void*)0);
45
46 assert(p->n_ref > 0)do { if ((__builtin_expect(!!(!(p->n_ref > 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p->n_ref > 0"), "../src/basic/bpf-program.c"
, 46, __PRETTY_FUNCTION__); } while (0);
47 p->n_ref--;
48
49 if (p->n_ref > 0)
50 return NULL((void*)0);
51
52 /* Unfortunately, the kernel currently doesn't implicitly detach BPF programs from their cgroups when the last
53 * fd to the BPF program is closed. This has nasty side-effects since this means that abnormally terminated
54 * programs that attached one of their BPF programs to a cgroup will leave this programs pinned for good with
55 * zero chance of recovery, until the cgroup is removed. This is particularly problematic if the cgroup in
56 * question is the root cgroup (or any other cgroup belonging to a service that cannot be restarted during
57 * operation, such as dbus), as the memory for the BPF program can only be reclaimed through a reboot. To
58 * counter this, we track closely to which cgroup a program was attached to and will detach it on our own
59 * whenever we close the BPF fd. */
60 (void) bpf_program_cgroup_detach(p);
61
62 safe_close(p->kernel_fd);
63 free(p->instructions);
64 free(p->attached_path);
65
66 return mfree(p);
67}
68
69int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *instructions, size_t count) {
70
71 assert(p)do { if ((__builtin_expect(!!(!(p)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p"), "../src/basic/bpf-program.c", 71, __PRETTY_FUNCTION__
); } while (0);
72
73 if (p->kernel_fd >= 0) /* don't allow modification after we uploaded things to the kernel */
74 return -EBUSY16;
75
76 if (!GREEDY_REALLOC(p->instructions, p->allocated, p->n_instructions + count)greedy_realloc((void**) &(p->instructions), &(p->
allocated), (p->n_instructions + count), sizeof((p->instructions
)[0])))
77 return -ENOMEM12;
78
79 memcpy(p->instructions + p->n_instructions, instructions, sizeof(struct bpf_insn) * count);
80 p->n_instructions += count;
81
82 return 0;
83}
84
85int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size) {
86 union bpf_attr attr;
87
88 assert(p)do { if ((__builtin_expect(!!(!(p)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p"), "../src/basic/bpf-program.c", 88, __PRETTY_FUNCTION__
); } while (0);
89
90 if (p->kernel_fd >= 0) { /* make this idempotent */
91 memzero(log_buf, log_size)({ size_t _l_ = (log_size); void *_x_ = (log_buf); _l_ == 0 ?
_x_ : memset(_x_, 0, _l_); });
92 return 0;
93 }
94
95 attr = (union bpf_attr) {
96 .prog_type = p->prog_type,
97 .insns = PTR_TO_UINT64(p->instructions)((uint64_t) ((uintptr_t) (p->instructions))),
98 .insn_cnt = p->n_instructions,
99 .license = PTR_TO_UINT64("GPL")((uint64_t) ((uintptr_t) ("GPL"))),
100 .log_buf = PTR_TO_UINT64(log_buf)((uint64_t) ((uintptr_t) (log_buf))),
101 .log_level = !!log_buf,
102 .log_size = log_size,
103 };
104
105 p->kernel_fd = bpfmissing_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
106 if (p->kernel_fd < 0)
107 return -errno(*__errno_location ());
108
109 return 0;
110}
111
112int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags) {
113 _cleanup_free___attribute__((cleanup(freep))) char *copy = NULL((void*)0);
114 _cleanup_close___attribute__((cleanup(closep))) int fd = -1;
115 union bpf_attr attr;
116 int r;
117
118 assert(p)do { if ((__builtin_expect(!!(!(p)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p"), "../src/basic/bpf-program.c", 118,
__PRETTY_FUNCTION__); } while (0);
1
Assuming 'p' is non-null
2
Taking false branch
3
Loop condition is false. Exiting loop
119 assert(type >= 0)do { if ((__builtin_expect(!!(!(type >= 0)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("type >= 0"), "../src/basic/bpf-program.c"
, 119, __PRETTY_FUNCTION__); } while (0);
4
Assuming 'type' is >= 0
5
Taking false branch
6
Loop condition is false. Exiting loop
120 assert(path)do { if ((__builtin_expect(!!(!(path)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("path"), "../src/basic/bpf-program.c", 120
, __PRETTY_FUNCTION__); } while (0);
7
Assuming 'path' is non-null
8
Taking false branch
9
Loop condition is false. Exiting loop
121
122 if (!IN_SET(flags, 0, BPF_F_ALLOW_OVERRIDE, BPF_F_ALLOW_MULTI)({ _Bool _found = 0; static __attribute__ ((unused)) char _static_assert__macros_need_to_be_extended
[20 - sizeof((int[]){0, (1U << 0), (1U << 1)})/sizeof
(int)]; switch(flags) { case 0: case (1U << 0): case (1U
<< 1): _found = 1; break; default: break; } _found; }))
10
Control jumps to 'case 2:' at line 122
11
 Execution continues on line 122
12
Taking false branch
123 return -EINVAL22;
124
125 /* We need to track which cgroup the program is attached to, and we can only track one attachment, hence let's
126 * refuse this early. */
127 if (p->attached_path) {
13
Assuming field 'attached_path' is null
14
Taking false branch
128 if (!path_equal(p->attached_path, path))
129 return -EBUSY16;
130 if (p->attached_type != type)
131 return -EBUSY16;
132 if (p->attached_flags != flags)
133 return -EBUSY16;
134
135 /* Here's a shortcut: if we previously attached this program already, then we don't have to do so
136 * again. Well, with one exception: if we are in BPF_F_ALLOW_OVERRIDE mode then someone else might have
137 * replaced our program since the last time, hence let's reattach it again, just to be safe. In flags
138 * == 0 mode this is not an issue since nobody else can replace our program in that case, and in flags
139 * == BPF_F_ALLOW_MULTI mode any other's program would be installed in addition to ours hence ours
140 * would remain in effect. */
141 if (flags != BPF_F_ALLOW_OVERRIDE(1U << 0))
142 return 0;
143 }
144
145 /* Ensure we have a kernel object for this. */
146 r = bpf_program_load_kernel(p, NULL((void*)0), 0);
147 if (r
14.1
'r' is >= 0
 < 0)
15
Taking false branch
148 return r;
149
150 copy = strdup(path);
16
Memory is allocated
151 if (!copy)
17
Assuming 'copy' is non-null
18
Taking false branch
152 return -ENOMEM12;
153
154 fd = open(path, O_DIRECTORY0200000|O_RDONLY00|O_CLOEXEC02000000);
155 if (fd < 0)
19
Assuming 'fd' is < 0
20
Taking true branch
156 return -errno(*__errno_location ());
21
Potential leak of memory pointed to by 'copy'
157
158 attr = (union bpf_attr) {
159 .attach_type = type,
160 .target_fd = fd,
161 .attach_bpf_fd = p->kernel_fd,
162 .attach_flags = flags,
163 };
164
165 if (bpfmissing_bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0)
166 return -errno(*__errno_location ());
167
168 free_and_replace(p->attached_path, copy)({ free(p->attached_path); (p->attached_path) = (copy);
(copy) = ((void*)0); 0; });
169 p->attached_type = type;
170 p->attached_flags = flags;
171
172 return 0;
173}
174
175int bpf_program_cgroup_detach(BPFProgram *p) {
176 _cleanup_close___attribute__((cleanup(closep))) int fd = -1;
177
178 assert(p)do { if ((__builtin_expect(!!(!(p)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("p"), "../src/basic/bpf-program.c", 178,
__PRETTY_FUNCTION__); } while (0);
179
180 if (!p->attached_path)
181 return -EUNATCH49;
182
183 fd = open(p->attached_path, O_DIRECTORY0200000|O_RDONLY00|O_CLOEXEC02000000);
184 if (fd < 0) {
185 if (errno(*__errno_location ()) != ENOENT2)
186 return -errno(*__errno_location ());
187
188 /* If the cgroup does not exist anymore, then we don't have to explicitly detach, it got detached
189 * implicitly by the removal, hence don't complain */
190
191 } else {
192 union bpf_attr attr;
193
194 attr = (union bpf_attr) {
195 .attach_type = p->attached_type,
196 .target_fd = fd,
197 .attach_bpf_fd = p->kernel_fd,
198 };
199
200 if (bpfmissing_bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0)
201 return -errno(*__errno_location ());
202 }
203
204 p->attached_path = mfree(p->attached_path);
205
206 return 0;
207}
208
209int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags) {
210 union bpf_attr attr = {
211 .map_type = type,
212 .key_size = key_size,
213 .value_size = value_size,
214 .max_entries = max_entries,
215 .map_flags = flags,
216 };
217 int fd;
218
219 fd = bpfmissing_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
220 if (fd < 0)
221 return -errno(*__errno_location ());
222
223 return fd;
224}
225
226int bpf_map_update_element(int fd, const void *key, void *value) {
227
228 union bpf_attr attr = {
229 .map_fd = fd,
230 .key = PTR_TO_UINT64(key)((uint64_t) ((uintptr_t) (key))),
231 .value = PTR_TO_UINT64(value)((uint64_t) ((uintptr_t) (value))),
232 };
233
234 if (bpfmissing_bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr)) < 0)
235 return -errno(*__errno_location ());
236
237 return 0;
238}
239
240int bpf_map_lookup_element(int fd, const void *key, void *value) {
241
242 union bpf_attr attr = {
243 .map_fd = fd,
244 .key = PTR_TO_UINT64(key)((uint64_t) ((uintptr_t) (key))),
245 .value = PTR_TO_UINT64(value)((uint64_t) ((uintptr_t) (value))),
246 };
247
248 if (bpfmissing_bpf(BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr)) < 0)
249 return -errno(*__errno_location ());
250
251 return 0;
252}