linux/kernel/bpf at fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9 - linux - Gitea: Git with a cup of tea

mirror/linux

Files

History

Eduard Zingerman fb4e3b33e3 bpf: Fix for use-after-free bug in inline_bpf_loop

As reported by Dan Carpenter, the following statements in inline_bpf_loop()
might cause a use-after-free bug:

  struct bpf_prog *new_prog;
  // ...
  new_prog = bpf_patch_insn_data(env, position, insn_buf, *cnt);
  // ...
  env->prog->insnsi[call_insn_offset].imm = callback_offset;

The bpf_patch_insn_data() might free the memory used by env->prog.

Fixes: 1ade237119 ("bpf: Inline calls to bpf_loop when callback is known")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220624020613.548108-2-eddyz87@gmail.com

2022-06-24 16:50:39 +02:00

..

bpf: Remove redundant slash

2022-03-07 22:19:32 -08:00

arraymap.c

bpf: add bpf_map_lookup_percpu_elem for percpu map

2022-05-11 18:16:54 -07:00

bloom_filter.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

bpf_inode_storage.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

bpf_iter.c

bpf: Inline calls to bpf_loop when callback is known

2022-06-20 17:40:51 -07:00

bpf_local_storage.c

bpf: Fix usage of trace RCU in local storage.

2022-04-19 17:55:45 -07:00

bpf_lru_list.c

bpf_lru_list: Read double-checked variable once without lock

2021-02-10 15:54:26 -08:00

bpf_lru_list.h

printk: stop including cache.h from printk.h

2022-05-13 07:20:07 -07:00

bpf_lsm.c

bpf, x86: Attach a cookie to fentry/fexit/fmod_ret/lsm.

2022-05-10 21:58:31 -07:00

bpf_struct_ops_types.h

bpf: Add dummy BPF STRUCT_OPS for test purpose

2021-11-01 14:10:00 -07:00

bpf_struct_ops.c

bpf: Require only one of cong_avoid() and cong_control() from a TCP CC

2022-06-23 09:49:57 -07:00

bpf_task_storage.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

btf.c

Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

2022-06-17 19:35:19 -07:00

cgroup.c

bpf: Fix KASAN use-after-free Read in compute_effective_progs

2022-06-02 16:26:47 -07:00

core.c

bpf, x64: Add predicate for bpf2bpf with tailcalls support in JIT

2022-06-21 18:52:04 +02:00

cpumap.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

devmap.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

disasm.c

bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause

2021-09-02 14:49:23 +02:00

disasm.h

bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause

2021-09-02 14:49:23 +02:00

dispatcher.c

bpf: Remove bpf_image tree

2020-03-13 12:49:52 -07:00

hashtab.c

bpf: add bpf_map_lookup_percpu_elem for percpu map

2022-05-11 18:16:54 -07:00

helpers.c

bpf: Fix non-static bpf_func_proto struct definitions

2022-06-17 16:00:51 +02:00

inode.c

bpf: Convert bpf_preload.ko to use light skeleton.

2022-02-10 23:31:51 +01:00

Kconfig

rcu: Make the TASKS_RCU Kconfig option be selected

2022-04-20 16:52:58 -07:00

link_iter.c

bpf: Add bpf_link iterator

2022-05-10 11:20:45 -07:00

local_storage.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

lpm_trie.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

Makefile

bpf: Add bpf_link iterator

2022-05-10 11:20:45 -07:00

map_in_map.c

bpf: Allow storing unreferenced kptr in map

2022-04-25 17:31:35 -07:00

map_in_map.h

bpf: Add map_meta_equal map ops

2020-08-28 15:41:30 +02:00

map_iter.c

bpf: Introduce MEM_RDONLY flag

2021-12-18 13:27:41 -08:00

mmap_unlock_work.h

bpf: Introduce helper bpf_find_vma

2021-11-07 11:54:51 -08:00

net_namespace.c

net: Add includes masked by netdevice.h including uapi/bpf.h

2021-12-29 20:03:05 -08:00

offload.c

bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill

2020-02-17 16:53:49 +01:00

percpu_freelist.c

bpf: avoid grabbing spin_locks of all cpus when no free elems

2022-06-11 14:25:35 -07:00

percpu_freelist.h

bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI

2020-10-06 00:04:11 +02:00

prog_iter.c

bpf: Refactor bpf_iter_reg to have separate seq_info member

2020-07-25 20:16:32 -07:00

queue_stack_maps.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

reuseport_array.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

ringbuf.c

bpf: Dynptr support for ring buffers

2022-05-23 14:31:28 -07:00

stackmap.c

bpf: Compute map_btf_id during build time

2022-04-26 11:35:21 -07:00

syscall.c

bpf: Fix non-static bpf_func_proto struct definitions

2022-06-17 16:00:51 +02:00

sysfs_btf.c

bpf: Load and verify kernel module BTFs

2020-11-10 15:25:53 -08:00

task_iter.c

bpf: Remove redundant assignment to meta.seq in __task_seq_show()

2022-04-11 21:14:34 +02:00

tnum.c

bpf, tnums: Provably sound, faster, and more precise algorithm for tnum_mul

2021-06-01 13:34:15 +02:00

trampoline.c

bpf: Fix potential array overflow in bpf_trampoline_get_progs()

2022-05-11 21:24:20 -07:00

verifier.c

bpf: Fix for use-after-free bug in inline_bpf_loop

2022-06-24 16:50:39 +02:00