linux/kernel/bpf
Song Liu d24d2a2b0a bpf: bpf_prog_pack: Set proper size before freeing ro_header
bpf_prog_pack_free() uses header->size to decide whether the header
should be freed with module_memfree() or the bpf_prog_pack logic.
However, in the kvmalloc() failure path of bpf_jit_binary_pack_alloc(),
header->size is not set yet. As a result, bpf_prog_pack_free() may treat
a slice of a pack as a standalone kvmalloc'd header and call
module_memfree() on the whole pack. This in turn causes use-after-free by
other users of the pack.

Fix this by setting ro_header->size before freeing ro_header.

Fixes: 33c9805860 ("bpf: Introduce bpf_jit_binary_pack_[alloc|finalize|free]")
Reported-by: syzbot+2f649ec6d2eea1495a8f@syzkaller.appspotmail.com
Reported-by: syzbot+ecb1e7e51c52f68f7481@syzkaller.appspotmail.com
Reported-by: syzbot+87f65c75f4a72db05445@syzkaller.appspotmail.com
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220217183001.1876034-1-song@kernel.org
2022-02-17 13:15:36 -08:00
preload bpf: Convert bpf_preload.ko to use light skeleton. 2022-02-10 23:31:51 +01:00
arraymap.c bpf: generalise tail call map compatibility check 2022-01-21 14:14:03 -08:00
bloom_filter.c bpf: Add missing map_get_next_key method to bloom filter map. 2021-12-29 09:38:31 -08:00
bpf_inode_storage.c bpf: Allow bpf_local_storage to be used by sleepable programs 2021-12-29 17:54:40 -08:00
bpf_iter.c bpf: Add support for bpf iterator programs to use sleepable helpers 2022-01-24 19:55:40 -08:00
bpf_local_storage.c bpf: Allow bpf_local_storage to be used by sleepable programs 2021-12-29 17:54:40 -08:00
bpf_lru_list.c
bpf_lru_list.h
bpf_lsm.c bpf: Fix renaming task_getsecid_subj->current_getsecid_subj. 2022-01-24 20:20:51 -08:00
bpf_struct_ops.c
bpf_struct_ops_types.h
bpf_task_storage.c bpf: Allow bpf_local_storage to be used by sleepable programs 2021-12-29 17:54:40 -08:00
btf.c libbpf: Split bpf_core_apply_relo() 2022-02-16 10:05:42 -08:00
cgroup.c cgroup/bpf: fast path skb BPF filtering 2022-01-27 10:15:00 -08:00
core.c bpf: bpf_prog_pack: Set proper size before freeing ro_header 2022-02-17 13:15:36 -08:00
cpumap.c bpf: generalise tail call map compatibility check 2022-01-21 14:14:03 -08:00
devmap.c bpf: generalise tail call map compatibility check 2022-01-21 14:14:03 -08:00
disasm.c
disasm.h
dispatcher.c
hashtab.c
helpers.c bpf: make bpf_copy_from_user_task() gpl only 2022-01-31 12:44:37 -08:00
inode.c bpf: Convert bpf_preload.ko to use light skeleton. 2022-02-10 23:31:51 +01:00
Kconfig
local_storage.c bpf: Use struct_size() helper 2021-12-21 15:35:48 -08:00
lpm_trie.c bpf: Fix typo in a comment in bpf lpm_trie. 2021-12-30 18:42:34 -08:00
Makefile
map_in_map.c
map_in_map.h
map_iter.c
mmap_unlock_work.h
net_namespace.c net: Add includes masked by netdevice.h including uapi/bpf.h 2021-12-29 20:03:05 -08:00
offload.c
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c
reuseport_array.c bpf: Use struct_size() helper 2021-12-21 15:35:48 -08:00
ringbuf.c bpf: Use VM_MAP instead of VM_ALLOC for ringbuf 2022-02-02 23:15:24 -08:00
stackmap.c bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack() 2022-01-15 12:21:23 +11:00
syscall.c bpf: Convert bpf_preload.ko to use light skeleton. 2022-02-10 23:31:51 +01:00
sysfs_btf.c
task_iter.c
tnum.c
trampoline.c Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-02-09 18:40:56 -08:00
verifier.c bpf: Reject kfunc calls that overflow insn->imm 2022-02-15 10:05:11 -08:00