author    Alexei Starovoitov <ast@fb.com>          2018-01-08 16:51:17 +0100
committer Daniel Borkmann <daniel@iogearbox.net>  2018-01-08 18:19:03 +0100
commit    5896351ea9360072f8bdd9eee186861a9d13db6d (patch)
tree      a5f33a910ae80287db97600e8631b0425d4c204a /kernel/audit_fsnotify.c
parent    Merge branch 'ipv6-ipv4-nexthop-align' (diff)
download  linux-5896351ea9360072f8bdd9eee186861a9d13db6d.tar.xz
          linux-5896351ea9360072f8bdd9eee186861a9d13db6d.zip
bpf: fix verifier GPF in kmalloc failure path
syzbot reported the following panic in the verifier triggered
by kmalloc error injection:

kasan: GPF could be caused by NULL-ptr deref or user memory access
RIP: 0010:copy_func_state kernel/bpf/verifier.c:403 [inline]
RIP: 0010:copy_verifier_state+0x364/0x590 kernel/bpf/verifier.c:431
Call Trace:
 pop_stack+0x8c/0x270 kernel/bpf/verifier.c:449
 push_stack kernel/bpf/verifier.c:491 [inline]
 check_cond_jmp_op kernel/bpf/verifier.c:3598 [inline]
 do_check+0x4b60/0xa050 kernel/bpf/verifier.c:4731
 bpf_check+0x3296/0x58c0 kernel/bpf/verifier.c:5489
 bpf_prog_load+0xa2a/0x1b00 kernel/bpf/syscall.c:1198
 SYSC_bpf kernel/bpf/syscall.c:1807 [inline]
 SyS_bpf+0x1044/0x4420 kernel/bpf/syscall.c:1769

When copy_verifier_state() aborts in the middle due to kmalloc failure,
some of the frames could have been partially copied, while the
current free_verifier_state() loop
 for (i = 0; i <= state->curframe; i++)
assumed that all frames are non-null.
Simply fix it by adding 'if (!state)' to free_func_state().
Also, to avoid stressing the copy frame logic more if kzalloc fails
in push_stack(), free env->cur_state right away.

Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)")
Reported-by: syzbot+32ac5a3e473f2e01cfc7@syzkaller.appspotmail.com
Reported-by: syzbot+fa99e24f3c29d269a7d5@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel/audit_fsnotify.c')
0 files changed, 0 insertions, 0 deletions
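The failure mode the commit message describes, a copy that aborts part way through an array of heap-allocated frames and a free loop that then walks the whole array, is easy to reproduce in user space. The following is an added illustration, not kernel code and not the patch itself: the struct names and the injected_alloc()/partial_copy_then_free() helpers are hypothetical stand-ins for the verifier's state copy, with a constructed allocation-failure hook in place of kmalloc error injection. free_func_state_unfixed() shows the shape of the crashing routine; free_func_state() carries the 'if (!state)' guard the fix adds, and returns a count so the effect of a partial copy can be checked.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_FRAMES 8
#define NREGS 4

/* Hypothetical, heavily reduced stand-in for the verifier's per-function
 * state: one heap buffer so each frame owns something that must be freed. */
struct func_state {
    int *regs;
};

struct verifier_state {
    struct func_state *frame[MAX_FRAMES];
    int curframe;
};

/* Constructed allocation-failure injection (stand-in for kmalloc error
 * injection): the injected_alloc() call with index fail_at_call returns
 * NULL; a negative value disables the injection. */
static int alloc_calls;
static int fail_at_call = -1;

static void *injected_alloc(size_t n)
{
    if (alloc_calls++ == fail_at_call)
        return NULL;
    return calloc(1, n);
}

/* Before the fix: dereferences state unconditionally, so a frame left NULL
 * by an aborted copy is exactly the NULL-pointer dereference reported. */
void free_func_state_unfixed(struct func_state *state)
{
    free(state->regs);
    free(state);
}

/* After the fix: tolerate NULL. Returns 1 if a frame was freed, 0 if not,
 * so the caller can count what a partially copied state actually held. */
static int free_func_state(struct func_state *state)
{
    if (!state)
        return 0;
    free(state->regs);
    free(state);
    return 1;
}

/* Same loop shape as the message quotes: every slot up to curframe. */
static int free_verifier_state(struct verifier_state *state)
{
    int i, freed = 0;
    for (i = 0; i <= state->curframe; i++) {
        freed += free_func_state(state->frame[i]);
        state->frame[i] = NULL;
    }
    return freed;
}

static struct func_state *copy_func_state(const struct func_state *src)
{
    struct func_state *dst = injected_alloc(sizeof(*dst));
    if (!dst)
        return NULL;
    dst->regs = injected_alloc(NREGS * sizeof(int));
    if (!dst->regs) {
        free(dst);
        return NULL;
    }
    memcpy(dst->regs, src->regs, NREGS * sizeof(int));
    return dst;
}

/* Copies frames 0..curframe and aborts on the first failed allocation,
 * leaving dst holding the frames copied so far and NULL for the rest. */
static int copy_verifier_state(struct verifier_state *dst,
                               const struct verifier_state *src)
{
    int i;
    dst->curframe = src->curframe;
    for (i = 0; i <= src->curframe; i++) {
        dst->frame[i] = copy_func_state(src->frame[i]);
        if (!dst->frame[i])
            return -1;  /* -ENOMEM in the kernel */
    }
    return 0;
}

/* Builds a source state with nframes frames, copies it with allocation call
 * number fail_at forced to fail, then frees the copy with the fixed routine.
 * Returns how many frames the (possibly partial) copy actually owned. */
int partial_copy_then_free(int nframes, int fail_at)
{
    struct verifier_state src, dst;
    int i, freed;

    memset(&src, 0, sizeof(src));
    memset(&dst, 0, sizeof(dst));  /* zeroed, as a kzalloc'd state would be */
    src.curframe = nframes - 1;
    for (i = 0; i < nframes; i++) {
        src.frame[i] = calloc(1, sizeof(struct func_state));
        src.frame[i]->regs = calloc(NREGS, sizeof(int));
    }

    alloc_calls = 0;
    fail_at_call = fail_at;
    copy_verifier_state(&dst, &src);    /* may abort part way */

    freed = free_verifier_state(&dst);  /* safe for the NULL slots */
    free_verifier_state(&src);
    return freed;
}
```

Each frame costs two allocations here, so with three frames a failure at call 2 leaves only frame 0 in the copy and the guarded free releases exactly one frame; substituting free_func_state_unfixed() into the loop would dereference the NULL slots instead. The general lesson is the one the patch applies: any teardown routine that runs after a partial construction must accept whatever the constructor left behind, including NULL.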