git.baikalelectronics.ru Git - kernel.git/commit

author	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 16 Dec 2019 16:49:00 +0000 (17:49 +0100)
committer	Alexei Starovoitov <ast@kernel.org>
	Mon, 16 Dec 2019 18:59:29 +0000 (10:59 -0800)
commit	1749b0f2486cef38d5e336a145083a32ab773ee8
tree	ffc04818616b047ecbd2b64f1ae3d9c33108a727	tree \| snapshot
parent	c4dec69dcf9865054a6d6c0ed0d56e5270643c8a	commit \| diff

bpf: Fix missing prog untrack in release_maps

Commit 548054d3df1f ("bpf: Add poke dependency tracking for prog array
maps") wrongly assumed that in case of prog load errors, we're cleaning
up all program tracking via bpf_free_used_maps().

However, it can happen that we're still at the point where we didn't copy
map pointers into the prog's aux section such that env->prog->aux->used_maps
is still zero, running into a UAF. In such case, the verifier has similar
release_maps() helper that drops references to used maps from its env.

Consolidate the release code into __bpf_free_used_maps() and call it from
all sides to fix it.

Fixes: 548054d3df1f ("bpf: Add poke dependency tracking for prog array maps")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/1c2909484ca524ae9f55109b06f22b6213e76376.1576514756.git.daniel@iogearbox.net

include/linux/bpf.h		diff \| blob \| history
kernel/bpf/core.c		diff \| blob \| history
kernel/bpf/verifier.c		diff \| blob \| history