bpf: Fix missing prog untrack in release_maps
Commit da765a2f59
("bpf: Add poke dependency tracking for prog array maps") wrongly assumed that in case of prog load errors, we're cleaning up all program tracking via bpf_free_used_maps(). However, it can happen that we're still at the point where we didn't copy map pointers into the prog's aux section such that env->prog->aux->used_maps is still zero, running into a UAF. In such case, the verifier has similar release_maps() helper that drops references to used maps from its env. Consolidate the release code into __bpf_free_used_maps() and call it from all sides to fix it. Fixes: da765a2f59
("bpf: Add poke dependency tracking for prog array maps") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/1c2909484ca524ae9f55109b06f22b6213e76376.1576514756.git.daniel@iogearbox.net
parent
5133498f4a
commit
a2ea07465c
|
@ -818,6 +818,8 @@ struct bpf_prog * __must_check bpf_prog_inc_not_zero(struct bpf_prog *prog);
|
|||
void bpf_prog_put(struct bpf_prog *prog);
|
||||
int __bpf_prog_charge(struct user_struct *user, u32 pages);
|
||||
void __bpf_prog_uncharge(struct user_struct *user, u32 pages);
|
||||
void __bpf_free_used_maps(struct bpf_prog_aux *aux,
|
||||
struct bpf_map **used_maps, u32 len);
|
||||
|
||||
void bpf_prog_free_id(struct bpf_prog *prog, bool do_idr_lock);
|
||||
void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock);
|
||||
|
|
|
@ -2048,18 +2048,24 @@ static void bpf_free_cgroup_storage(struct bpf_prog_aux *aux)
|
|||
}
|
||||
}
|
||||
|
||||
static void bpf_free_used_maps(struct bpf_prog_aux *aux)
|
||||
void __bpf_free_used_maps(struct bpf_prog_aux *aux,
|
||||
struct bpf_map **used_maps, u32 len)
|
||||
{
|
||||
struct bpf_map *map;
|
||||
int i;
|
||||
u32 i;
|
||||
|
||||
bpf_free_cgroup_storage(aux);
|
||||
for (i = 0; i < aux->used_map_cnt; i++) {
|
||||
map = aux->used_maps[i];
|
||||
for (i = 0; i < len; i++) {
|
||||
map = used_maps[i];
|
||||
if (map->ops->map_poke_untrack)
|
||||
map->ops->map_poke_untrack(map, aux);
|
||||
bpf_map_put(map);
|
||||
}
|
||||
}
|
||||
|
||||
static void bpf_free_used_maps(struct bpf_prog_aux *aux)
|
||||
{
|
||||
__bpf_free_used_maps(aux, aux->used_maps, aux->used_map_cnt);
|
||||
kfree(aux->used_maps);
|
||||
}
|
||||
|
||||
|
|
|
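Review bot: `__bpf_free_used_maps()` is now non-static and called from the verifier's error path, but nothing at the definition or at the new prototype states its contract. Two things a caller has to know are only implicit in the body: it also calls `bpf_free_cgroup_storage(aux)`, and it does not free the `used_maps` array itself (the `kfree(aux->used_maps)` stays in `bpf_free_used_maps()`). I would add a comment above it along the lines of `/* Untrack aux from each map, drop the map references and release cgroup storage; the used_maps array itself is left to the caller. */`, plus a why-comment in the loop, `/* untrack before bpf_map_put(), which may drop the last reference */`. Because the verifier can now reach the `map_poke_untrack` call for maps the program was presumably never tracked on, it is worth confirming that every `map_poke_untrack` implementation tolerates an `aux` it does not know; those implementations are not on this page.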
@ -8298,18 +8298,8 @@ static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env)
|
|||
/* drop refcnt of maps used by the rejected program */
|
||||
static void release_maps(struct bpf_verifier_env *env)
|
||||
{
|
||||
enum bpf_cgroup_storage_type stype;
|
||||
int i;
|
||||
|
||||
for_each_cgroup_storage_type(stype) {
|
||||
if (!env->prog->aux->cgroup_storage[stype])
|
||||
continue;
|
||||
bpf_cgroup_storage_release(env->prog,
|
||||
env->prog->aux->cgroup_storage[stype]);
|
||||
}
|
||||
|
||||
for (i = 0; i < env->used_map_cnt; i++)
|
||||
bpf_map_put(env->used_maps[i]);
|
||||
__bpf_free_used_maps(env->prog->aux, env->used_maps,
|
||||
env->used_map_cnt);
|
||||
}
|
||||
|
||||
/* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */
|
||||
|
|
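Review bot: The comment above `release_maps()` still reads `/* drop refcnt of maps used by the rejected program */`, which no longer describes what the function does once its body is the single `__bpf_free_used_maps()` call. Through that helper it now also untracks the program from its maps before the reference is dropped, which is the step whose absence led to the UAF described in the commit message, and it still releases cgroup storage. I would update it to `/* untrack the rejected program from its maps, drop their refcnt and release cgroup storage */` so the untrack step is visible at the call site and is not dropped again in a later refactor.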