bpf: Fix KASAN use-after-free Read in compute_effective_progs #3012
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=641542 expired. Closing PR.
Syzbot found a use-after-free bug in compute_effective_progs(). The reproducer creates a number of BPF links, and causes a fault-injected alloc to fail while calling bpf_link_detach on them. Link detach triggers the link to be freed by bpf_link_free(), which calls __cgroup_bpf_detach() and update_effective_progs(). If the memory allocation in this function fails, the function restores the pointer to the bpf_cgroup_link on the cgroup list, but the memory gets freed just after it returns. After this, every subsequent call to update_effective_progs() causes this already deallocated pointer to be dereferenced in prog_list_length(), and triggers a KASAN UAF error.

To fix this issue, don't preserve the pointer to the prog or link in the list, but remove it and replace it with a dummy prog without shrinking the table. The subsequent call to __cgroup_bpf_detach() or __cgroup_bpf_detach() will correct it.

Cc: "Alexei Starovoitov" <ast@kernel.org>
Cc: "Daniel Borkmann" <daniel@iogearbox.net>
Cc: "Andrii Nakryiko" <andrii@kernel.org>
Cc: "Martin KaFai Lau" <kafai@fb.com>
Cc: "Song Liu" <songliubraving@fb.com>
Cc: "Yonghong Song" <yhs@fb.com>
Cc: "John Fastabend" <john.fastabend@gmail.com>
Cc: "KP Singh" <kpsingh@kernel.org>
Cc: <netdev@vger.kernel.org>
Cc: <bpf@vger.kernel.org>
Cc: <stable@vger.kernel.org>
Cc: <linux-kernel@vger.kernel.org>
Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4
Fixes: af6eea5 ("bpf: Implement bpf_link-based cgroup BPF program attachment")
Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=641542 irrelevant now. Closing PR.
Pull request for series with
subject: bpf: Fix KASAN use-after-free Read in compute_effective_progs
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=641542