openstlinux/linux-st
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
18644cec714aabbab173729192c7594ee57a406b
linux-st/kernel
History
Alexei Starovoitov 18644cec71 bpf: Fix use-after-free in fmod_ret check 
Fix the following issue:
[  436.749342] BUG: KASAN: use-after-free in bpf_trampoline_put+0x39/0x2a0
[  436.749995] Write of size 4 at addr ffff8881ef38b8a0 by task kworker/3:5/2243
[  436.750712]
[  436.752677] Workqueue: events bpf_prog_free_deferred
[  436.753183] Call Trace:
[  436.756483]  bpf_trampoline_put+0x39/0x2a0
[  436.756904]  bpf_prog_free_deferred+0x16d/0x3d0
[  436.757377]  process_one_work+0x94a/0x15b0
[  436.761969]
[  436.762130] Allocated by task 2529:
[  436.763323]  bpf_trampoline_lookup+0x136/0x540
[  436.763776]  bpf_check+0x2872/0xa0a8
[  436.764144]  bpf_prog_load+0xb6f/0x1350
[  436.764539]  __do_sys_bpf+0x16d7/0x3720
[  436.765825]
[  436.765988] Freed by task 2529:
[  436.767084]  kfree+0xc6/0x280
[  436.767397]  bpf_trampoline_put+0x1fd/0x2a0
[  436.767826]  bpf_check+0x6832/0xa0a8
[  436.768197]  bpf_prog_load+0xb6f/0x1350
[  436.768594]  __do_sys_bpf+0x16d7/0x3720

prog->aux->trampoline = tr should be set only when prog is valid.
Otherwise prog freeing will try to put trampoline via prog->aux->trampoline,
but it may not point to a valid trampoline.

Fixes: 6ba43b761c ("bpf: Attachment verification for BPF_MODIFY_RETURN")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: KP Singh <kpsingh@google.com>
Link: https://lore.kernel.org/bpf/20200529043839.15824-2-alexei.starovoitov@gmail.com
2020-05-29 22:25:58 +02:00
..
bpf
bpf: Fix use-after-free in fmod_ret check
2020-05-29 22:25:58 +02:00
cgroup
Merge branch 'for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
2020-04-03 11:30:20 -07:00
configs
compiler: remove CONFIG_OPTIMIZE_INLINING entirely
2020-04-07 10:43:42 -07:00
debug
Merge tag 'spdx-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/spdx
2020-04-03 13:12:26 -07:00
dma
dma-debug: fix displaying of dma allocation type
2020-04-08 21:46:57 +02:00
events
perf/core: fix parent pid/tid in task exit events
2020-04-22 23:10:14 +02:00
gcov
kernel/gcov/fs.c: gcov_seq_next() should increase position index
2020-04-10 15:36:22 -07:00
irq
genirq: Remove setup_irq() and remove_irq()
2020-04-14 10:08:50 +02:00
livepatch
locking
locking/lockdep: Improve 'invalid wait context' splat
2020-04-08 12:05:07 +02:00
power
PM: hibernate: Freeze kernel threads in software_resume()
2020-04-27 10:30:30 +02:00
printk
printk: queue wake_up_klogd irq_work only if per-CPU areas are ready
2020-04-10 13:18:57 -07:00
rcu
Merge branch 'urgent-for-mingo' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into core/urgent
2020-04-14 08:36:41 +02:00
sched
sched/core: Fix reset-on-fork from RT with uclamp
2020-04-22 23:10:13 +02:00
time
proc, time/namespace: Show clock symbolic names in /proc/pid/timens_offsets
2020-04-16 12:10:54 +02:00
trace
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-05-15 13:10:06 -07:00
.gitignore
.gitignore: add SPDX License Identifier
2020-03-25 11:50:48 +01:00
acct.c
async.c
audit_fsnotify.c
fsnotify: use helpers to access data by data_type
2020-03-23 18:19:06 +01:00
audit_tree.c
audit_watch.c
Merge tag 'fsnotify_for_v5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2020-04-06 08:58:42 -07:00
audit.c
audit: check the length of userspace generated audit records
2020-04-20 17:10:58 -04:00
audit.h
audit: trigger accompanying records when no rules present
2020-03-12 10:42:51 -04:00
auditfilter.c
audit: fix error handling in audit_data_to_entry()
2020-02-22 20:36:47 -05:00
auditsc.c
audit: trigger accompanying records when no rules present
2020-03-12 10:42:51 -04:00
backtracetest.c
bounds.c
capability.c
compat.c
y2038: remove unused time32 interfaces
2020-02-21 11:22:15 -08:00
configs.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
context_tracking.c
context-tracking: Introduce CONFIG_HAVE_TIF_NOHZ
2020-02-14 16:05:04 +01:00
cpu_pm.c
cpu.c
Merge tag 'smp-core-2020-03-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2020-03-30 18:06:39 -07:00
crash_core.c
crash_dump.c
cred.c
kernel: doc: remove outdated comment cred.c
2020-03-25 10:04:01 -05:00
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c
proc: Put thread_pid in release_task not proc_flush_pid
2020-04-24 15:49:00 -05:00
extable.c
kernel/extable.c: use address-of operator on section symbols
2020-04-07 10:43:42 -07:00
fail_function.c
fork.c
fork: prevent accidental access to clone3 features
2020-05-08 17:31:50 +02:00
freezer.c
futex.c
Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2020-03-30 16:17:15 -07:00
gen_kheaders.sh
groups.c
hung_task.c
iomem.c
irq_work.c
lockdep: Annotate irq_work
2020-03-21 16:00:24 +01:00
jump_label.c
kallsyms.c
kallsyms: unexport kallsyms_lookup_name() and kallsyms_on_each_symbol()
2020-04-07 10:43:44 -07:00
kcmp.c
kernel/kcmp.c: Use new infrastructure to fix deadlocks in execve
2020-03-25 10:04:01 -05:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kernel/kcov.c: fix typos in kcov_remote_start documentation
2020-05-07 19:27:20 -07:00
kexec_core.c
kexec_elf.c
kexec_file.c
kexec_internal.h
kexec.c
kheaders.c
kmod.c
kmod: make request_module() return an error when autoloading is disabled
2020-04-10 15:36:22 -07:00
kprobes.c
ksysfs.c
kthread.c
kthread: Do not preempt current task if it is going to call schedule()
2020-03-20 13:06:20 +01:00
latencytop.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
Makefile
kcov: ignore fault-inject and stacktrace
2020-01-31 10:30:41 -08:00
module_signature.c
module_signing.c
module-internal.h
module.c
Merge tag 'modules-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux
2020-04-09 12:52:34 -07:00
notifier.c
x86/mm: split vmalloc_sync_all()
2020-03-21 18:56:06 -07:00
nsproxy.c
padata.c
crypto: pcrypt - simplify error handling in pcrypt_create_aead()
2020-03-06 12:28:24 +11:00
panic.c
params.c
pid_namespace.c
pid: Improve the comment about waiting in zap_pid_ns_processes
2020-02-28 16:29:12 -06:00
pid.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2020-04-10 12:59:56 -07:00
profile.c
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
ptrace.c
range.c
reboot.c
relay.c
resource.c
rseq.c
seccomp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2020-03-31 17:29:33 -07:00
signal.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2020-04-23 13:30:18 -07:00
smp.c
cpu/hotplug: Move bringup of secondary CPUs out of smp_init()
2020-03-25 12:59:37 +01:00
smpboot.c
smpboot.h
softirq.c
lockdep: Rename trace_{hard,soft}{irq_context,irqs_enabled}()
2020-03-21 16:03:54 +01:00
stackleak.c
stacktrace.c
stop_machine.c
sys_ni.c
sys.c
sys/sysinfo: Respect boottime inside time namespace
2020-03-03 19:34:32 +01:00
sysctl_binary.c
sysctl-test.c
sysctl.c
mm/compaction: Disable compact_unevictable_allowed on RT
2020-04-02 09:35:31 -07:00
task_work.c
task_work_run: don't take ->pi_lock unconditionally
2020-03-02 14:06:33 -07:00
taskstats.c
test_kprobes.c
torture.c
Merge tag 'smp-core-2020-03-30' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2020-03-30 18:06:39 -07:00
tracepoint.c
tsacct.c
ucount.c
ucount: Make sure ucounts in /proc/sys/user don't regress again
2020-04-07 21:51:27 +02:00
uid16.c
uid16.h
umh.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2020-05-15 13:10:06 -07:00
up.c
smp/up: Make smp_call_function_single() match SMP semantics
2020-02-07 15:34:12 +01:00
user_namespace.c
user-return-notifier.c
user.c
utsname_sysctl.c
utsname.c
watchdog_hld.c
watchdog.c
workqueue_internal.h
workqueue.c
workqueue: Remove the warning in wq_worker_sleeping()
2020-04-08 11:35:20 +02:00