42 lines
1.6 KiB
Diff
42 lines
1.6 KiB
Diff
From: Jann Horn <jannh@google.com>
|
|
Date: Tue, 26 Apr 2016 22:26:26 +0200
|
|
Subject: [1/3] bpf: fix double-fdput in replace_map_fd_with_map_ptr()
|
|
Origin: https://git.kernel.org/linus/8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
|
|
|
|
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
|
|
references a non-map file descriptor as a map file descriptor, the error
|
|
handling code called fdput() twice instead of once (in __bpf_map_get() and
|
|
in replace_map_fd_with_map_ptr()). If the file descriptor table of the
|
|
current task is shared, this causes f_count to be decremented too much,
|
|
allowing the struct file to be freed while it is still in use
|
|
(use-after-free). This can be exploited to gain root privileges by an
|
|
unprivileged user.
|
|
|
|
This bug was introduced in
|
|
commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
|
|
exploitable since
|
|
commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
|
|
previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
|
|
|
|
(posted publicly according to request by maintainer)
|
|
|
|
Signed-off-by: Jann Horn <jannh@google.com>
|
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Acked-by: Alexei Starovoitov <ast@kernel.org>
|
|
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
---
|
|
kernel/bpf/verifier.c | 1 -
|
|
1 file changed, 1 deletion(-)
|
|
|
|
--- a/kernel/bpf/verifier.c
|
|
+++ b/kernel/bpf/verifier.c
|
|
@@ -2003,7 +2003,6 @@ static int replace_map_fd_with_map_ptr(s
|
|
if (IS_ERR(map)) {
|
|
verbose("fd %d is not pointing to valid bpf_map\n",
|
|
insn->imm);
|
|
- fdput(f);
|
|
return PTR_ERR(map);
|
|
}
|
|
|