git.baikalelectronics.ru Git - kernel.git/commit

author	Jann Horn <jannh@google.com>
	Tue, 26 Apr 2016 20:26:26 +0000 (22:26 +0200)
committer	David S. Miller <davem@davemloft.net>
	Tue, 26 Apr 2016 21:37:21 +0000 (17:37 -0400)
commit	3870b75485d5501417b9175cdf60ef6988230f5c
tree	c5dcdbb7bab11bd1cb7cb67a7b434e5b324c820a	tree \| snapshot
parent	8f5e3a0a53af4be3b976b198cd45293c0295a153	commit \| diff

bpf: fix double-fdput in replace_map_fd_with_map_ptr()

When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
references a non-map file descriptor as a map file descriptor, the error
handling code called fdput() twice instead of once (in __bpf_map_get() and
in replace_map_fd_with_map_ptr()). If the file descriptor table of the
current task is shared, this causes f_count to be decremented too much,
allowing the struct file to be freed while it is still in use
(use-after-free). This can be exploited to gain root privileges by an
unprivileged user.

This bug was introduced in
commit 19802b741abb ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
exploitable since
commit 6c3d98c5fcd7 ("bpf: enable non-root eBPF programs") because
previously, CAP_SYS_ADMIN was required to reach the vulnerable code.

(posted publicly according to request by maintainer)

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>