Potential negative index dereference in tools/bpf/bpf_jit_disasm.c due to unchecked readlink() return value

Subject: Potential negative index dereference in
tools/bpf/bpf_jit_disasm.c due to unchecked readlink() return value

In tools/bpf/bpf_jit_disasm.c, function get_exec_path uses the return
value of readlink() as an array index without checking for negative
values. According to the man page, readlink() returns -1 on error.
Using this negative value as an array index (tpath[len] = 0;) causes
out-of-bounds memory access, which can lead to undefined behavior or a
crash.

Relevant code (lines 46-48):
len = readlink(path, tpath, size);
tpath[len] = 0;

If readlink() fails, len will be -1, resulting in tpath[-1] = 0;
There is no check for (len < 0) before using len as an index.

Proposed fix:
Add a check for (len < 0) after readlink(), and handle the error case
appropriately before using len as an index.

Suggested patch:
len = readlink(path, tpath, size);
if (len < 0) {
    tpath[0] = 0;
    free(path);
    return;
}
tpath[len] = 0;
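
Added example, not part of the original message or of the kernel tree: a readlink() wrapper that handles the -1 case reported above. It goes one step further and also rejects a completely filled buffer, because readlink() appends no terminator and an index equal to the buffer size would be one byte past the end. The names readlink_str and run_cases, the /tmp directory and the link target are assumptions constructed for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not from bpf_jit_disasm.c): read a symlink target into
 * buf and leave buf NUL-terminated whenever size > 0.
 * Returns the target length, or -1 on error or possible truncation. */
static ssize_t readlink_str(const char *path, char *buf, size_t size)
{
	ssize_t len;

	if (size == 0)		/* size - 1 below would wrap around */
		return -1;
	/* Reserve one byte: readlink() never writes a terminator. */
	len = readlink(path, buf, size - 1);
	if (len < 0 || (size_t)len == size - 1) {
		if (len >= 0)	/* buffer filled: target may be cut off */
			errno = ENAMETOOLONG;
		buf[0] = 0;	/* -1 is never used as an index */
		return -1;
	}
	buf[len] = 0;
	return len;
}

/* Constructed cases: a missing path, a 6-byte target, a buffer too small.
 * Returns how many of the three behaved as expected, or -1 if setup failed. */
static int run_cases(void)
{
	char dir[] = "/tmp/rlXXXXXX", lnk[64], big[32], small[4];
	int ok = 0;

	if (!mkdtemp(dir))
		return -1;
	snprintf(lnk, sizeof(lnk), "%s/l", dir);
	if (symlink("target", lnk) != 0)
		return -1;
	ok += readlink_str("/nonexistent/constructed", big, sizeof(big)) == -1 && big[0] == 0;
	ok += readlink_str(lnk, big, sizeof(big)) == 6 && big[5] == 't' && big[6] == 0;
	ok += readlink_str(lnk, small, sizeof(small)) == -1 && small[0] == 0;
	unlink(lnk);
	rmdir(dir);
	return ok;
}

int main(void) { return run_cases() == 3 ? 0 : 1; }
```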



