diff options
author | Daniel Borkmann <daniel@iogearbox.net> | 2019-12-16 17:49:00 +0100 |
---|---|---|
committer | Alexei Starovoitov <ast@kernel.org> | 2019-12-16 19:59:29 +0100 |
commit | a2ea07465c8d7984cc6b8b1f0b3324f9b138094a (patch) | |
tree | ffc04818616b047ecbd2b64f1ae3d9c33108a727 /kernel/power | |
parent | bpf: Clear skb->tstamp in bpf_redirect when necessary (diff) | |
download | linux-a2ea07465c8d7984cc6b8b1f0b3324f9b138094a.tar.xz linux-a2ea07465c8d7984cc6b8b1f0b3324f9b138094a.zip |
bpf: Fix missing prog untrack in release_maps
Commit da765a2f5993 ("bpf: Add poke dependency tracking for prog array
maps") wrongly assumed that in case of prog load errors, we're cleaning
up all program tracking via bpf_free_used_maps().
However, it can happen that we're still at the point where we didn't copy
map pointers into the prog's aux section such that env->prog->aux->used_maps
is still zero, running into a UAF. In such case, the verifier has similar
release_maps() helper that drops references to used maps from its env.
Consolidate the release code into __bpf_free_used_maps() and call it from
all sides to fix it.
Fixes: da765a2f5993 ("bpf: Add poke dependency tracking for prog array maps")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/1c2909484ca524ae9f55109b06f22b6213e76376.1576514756.git.daniel@iogearbox.net
Diffstat (limited to 'kernel/power')
0 files changed, 0 insertions, 0 deletions