linux/kernel/bpf
Jann Horn 8358b02bf6 bpf: fix double-fdput in replace_map_fd_with_map_ptr()
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
references a non-map file descriptor as a map file descriptor, the error
handling code called fdput() twice instead of once (in __bpf_map_get() and
in replace_map_fd_with_map_ptr()). If the file descriptor table of the
current task is shared, this causes f_count to be decremented too much,
allowing the struct file to be freed while it is still in use
(use-after-free). This can be exploited to gain root privileges by an
unprivileged user.

This bug was introduced in
commit 0246e64d9a ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
exploitable since
commit 1be7f75d16 ("bpf: enable non-root eBPF programs") because
previously, CAP_SYS_ADMIN was required to reach the vulnerable code.

(posted publicly according to request by maintainer)

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-26 17:37:21 -04:00
..
Makefile bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
arraymap.c bpf: check for reserved flag bits in array and stack maps 2016-03-08 15:28:31 -05:00
core.c bpf: Mark __bpf_prog_run() stack frame as non-standard 2016-02-29 08:35:11 +01:00
hashtab.c bpf: pre-allocate hash map elements 2016-03-08 15:28:31 -05:00
helpers.c bpf: avoid copying junk bytes in bpf_get_current_comm() 2016-03-09 23:27:30 -05:00
inode.c bpf, inode: allow for rename and link ops 2015-12-12 18:44:23 -05:00
percpu_freelist.c bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
percpu_freelist.h bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
stackmap.c bpf: convert stackmap to pre-allocation 2016-03-08 15:28:31 -05:00
syscall.c bpf: add missing map_flags to bpf_map_show_fdinfo 2016-03-25 11:36:41 -04:00
verifier.c bpf: fix double-fdput in replace_map_fd_with_map_ptr() 2016-04-26 17:37:21 -04:00