diff options
| author | Tadeusz Struk <tadeusz.struk@linaro.org> | 2022-05-17 21:04:20 +0300 |
|---|---|---|
| committer | Andrii Nakryiko <andrii@kernel.org> | 2022-06-03 02:26:47 +0300 |
| commit | 4c46091ee985ae84c60c5e95055d779fcd291d87 (patch) | |
| tree | b456c3fbf1da30ab6823c273c73b568b76ee568a /Documentation/sphinx | |
| parent | de4b4b94fad90f876ab12e87999109e31a1871b4 (diff) | |
| download | linux-4c46091ee985ae84c60c5e95055d779fcd291d87.tar.xz | |
bpf: Fix KASAN use-after-free Read in compute_effective_progs
Syzbot found a Use After Free bug in compute_effective_progs().
The reproducer creates a number of BPF links, and causes a fault
injected alloc to fail, while calling bpf_link_detach on them.
Link detach triggers the link to be freed by bpf_link_free(),
which calls __cgroup_bpf_detach() and update_effective_progs().
If the memory allocation in this function fails, the function restores
the pointer to the bpf_cgroup_link on the cgroup list, but the memory
gets freed just after it returns. After this, every subsequent call to
update_effective_progs() causes this already deallocated pointer to be
dereferenced in prog_list_length(), and triggers KASAN UAF error.
To fix this issue don't preserve the pointer to the prog or link in the
list, but remove it and replace it with a dummy prog without shrinking
the table. The subsequent call to __cgroup_bpf_detach() or
__cgroup_bpf_detach() will correct it.
Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Cc: <stable@vger.kernel.org>
Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org
Diffstat (limited to 'Documentation/sphinx')
0 files changed, 0 insertions, 0 deletions