bpf: Fix KASAN use-after-free Read in compute_effective_progs #3012
Conversation
|
Master branch: b2531d4 |
|
Master branch: 0d2d264 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
b443b6f
to
c17fa2e
Compare
|
Master branch: 0d2d264 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
c17fa2e
to
a71a094
Compare
|
Master branch: 16d1e00 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
a71a094
to
812dfc2
Compare
|
Master branch: 418fbe8 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
812dfc2
to
e0c794c
Compare
|
Master branch: 418fbe8 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
e0c794c
to
2fbb4cd
Compare
|
Master branch: ac6a658 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
2fbb4cd
to
9d7abba
Compare
|
Master branch: 68084a1 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
9d7abba
to
ca6283b
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=641542 expired. Closing PR. |
|
Master branch: 68084a1 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
ca6283b
to
d8acb79
Compare
|
Master branch: 70a1b25 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
6daa0b0
to
ce598f3
Compare
|
Master branch: 4050764 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
ce598f3
to
6309dac
Compare
|
Master branch: f9a3eca |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
6309dac
to
789615f
Compare
|
Master branch: fe73656 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
789615f
to
e4da88c
Compare
|
Master branch: 1ec5ee8 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
e4da88c
to
da3cd94
Compare
|
Master branch: 608b638 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
da3cd94
to
32f578c
Compare
|
Master branch: 677fb75 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
32f578c
to
7879033
Compare
|
Master branch: 7e062cd |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
7879033
to
8cb1667
Compare
|
Master branch: 7e062cd |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
8cb1667
to
1386f1b
Compare
|
Master branch: 1626f57 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
1386f1b
to
939f9ae
Compare
Syzbot found a Use After Free bug in compute_effective_progs(). The reproducer creates a number of BPF links, and causes a fault injected alloc to fail, while calling bpf_link_detach on them. Link detach triggers the link to be freed by bpf_link_free(), which calls __cgroup_bpf_detach() and update_effective_progs(). If the memory allocation in this function fails, the function restores the pointer to the bpf_cgroup_link on the cgroup list, but the memory gets freed just after it returns. After this, every subsequent call to update_effective_progs() causes this already deallocated pointer to be dereferenced in prog_list_length(), and triggers KASAN UAF error. To fix this issue don't preserve the pointer to the prog or link in the list, but remove it and replace it with a dummy prog without shrinking the table. The subsequent call to __cgroup_bpf_detach() or __cgroup_bpf_detach() will correct it. Cc: "Alexei Starovoitov" <ast@kernel.org> Cc: "Daniel Borkmann" <daniel@iogearbox.net> Cc: "Andrii Nakryiko" <andrii@kernel.org> Cc: "Martin KaFai Lau" <kafai@fb.com> Cc: "Song Liu" <songliubraving@fb.com> Cc: "Yonghong Song" <yhs@fb.com> Cc: "John Fastabend" <john.fastabend@gmail.com> Cc: "KP Singh" <kpsingh@kernel.org> Cc: <netdev@vger.kernel.org> Cc: <bpf@vger.kernel.org> Cc: <stable@vger.kernel.org> Cc: <linux-kernel@vger.kernel.org> Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4 Fixes: af6eea5 ("bpf: Implement bpf_link-based cgroup BPF program attachment") Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com> Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
|
Master branch: 4b4b4f9 |
kernel-patches-bot
force-pushed
the
series/629219=>bpf-next
branch
from
939f9ae
to
d2fa67f
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=641542 irrelevant now. Closing PR. |
Pull request for series with
subject: bpf: Fix KASAN use-after-free Read in compute_effective_progs
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=641542