diff options
author | Eduard Zingerman <eddyz87@gmail.com> | 2022-06-24 04:06:12 +0200 |
---|---|---|
committer | Daniel Borkmann <daniel@iogearbox.net> | 2022-06-24 16:50:39 +0200 |
commit | fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9 (patch) | |
tree | 46a04997bd50ee0681e7c256c39ad9f08ab1211a /kernel | |
parent | bpf: Replace hard-coded 0 with BPF_K in check_alu_op (diff) | |
download | linux-fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9.tar.xz linux-fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9.zip |
bpf: Fix for use-after-free bug in inline_bpf_loop
As reported by Dan Carpenter, the following statements in inline_bpf_loop()
might cause a use-after-free bug:
struct bpf_prog *new_prog;
// ...
new_prog = bpf_patch_insn_data(env, position, insn_buf, *cnt);
// ...
env->prog->insnsi[call_insn_offset].imm = callback_offset;
The bpf_patch_insn_data() might free the memory used by env->prog.
Fixes: 1ade23711971 ("bpf: Inline calls to bpf_loop when callback is known")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220624020613.548108-2-eddyz87@gmail.com
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/bpf/verifier.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f228141c01c5..4938477912cd 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -14417,7 +14417,7 @@ static struct bpf_prog *inline_bpf_loop(struct bpf_verifier_env *env, /* Note: insn_buf[12] is an offset of BPF_CALL_REL instruction */ call_insn_offset = position + 12; callback_offset = callback_start - call_insn_offset - 1; - env->prog->insnsi[call_insn_offset].imm = callback_offset; + new_prog->insnsi[call_insn_offset].imm = callback_offset; return new_prog; } |