mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/kernel/bpf
History
Youlin Li ae5ccad6c7 bpf: Fix wrong reg type conversion in release_reference() 
[ Upstream commit f1db20814a ]

Some helper functions will allocate memory. To avoid memory leaks, the
verifier requires the eBPF program to release these memories by calling
the corresponding helper functions.

When a resource is released, all pointer registers corresponding to the
resource should be invalidated. The verifier use release_references() to
do this job, by apply  __mark_reg_unknown() to each relevant register.

It will give these registers the type of SCALAR_VALUE. A register that
will contain a pointer value at runtime, but of type SCALAR_VALUE, which
may allow the unprivileged user to get a kernel pointer by storing this
register into a map.

Using __mark_reg_not_init() while NOT allow_ptr_leaks can mitigate this
problem.

Fixes: fd978bf7fd ("bpf: Add reference tracking to verifier")
Signed-off-by: Youlin Li <liulin063@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20221103093440.3161-1-liulin063@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2022-11-16 10:03:52 +01:00
..
preload bpf: iterators: Build and use lightweight bootstrap version of bpftool 2022-07-15 12:01:30 -07:00
Kconfig rcu: Make the TASKS_RCU Kconfig option be selected 2022-04-20 16:52:58 -07:00
Makefile bpf: Add bpf_link iterator 2022-05-10 11:20:45 -07:00
arraymap.c bpf: Acquire map uref in .init_seq_private for array map iterator 2022-08-10 10:12:47 -07:00
bloom_filter.c bpf: Compute map_btf_id during build time 2022-04-26 11:35:21 -07:00
bpf_inode_storage.c bpf: Compute map_btf_id during build time 2022-04-26 11:35:21 -07:00
bpf_iter.c bpf: Only allow sleepable program for resched-able iterator 2022-08-10 10:12:48 -07:00
bpf_local_storage.c bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy 2022-10-21 12:38:05 +02:00
bpf_lru_list.c bpf_lru_list: Read double-checked variable once without lock 2021-02-10 15:54:26 -08:00
bpf_lru_list.h printk: stop including cache.h from printk.h 2022-05-13 07:20:07 -07:00
bpf_lsm.c bpf: Only add BTF IDs for socket security hooks when CONFIG_SECURITY_NETWORK is on 2022-10-21 12:38:06 +02:00
bpf_struct_ops.c bpf: Remove is_valid_bpf_tramp_flags() 2022-07-11 21:04:58 +02:00
bpf_struct_ops_types.h bpf: Add dummy BPF STRUCT_OPS for test purpose 2021-11-01 14:10:00 -07:00
bpf_task_storage.c bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy 2022-10-21 12:38:05 +02:00
btf.c bpf: prevent decl_tag from being referenced in func_proto 2022-11-04 00:00:27 +09:00
cgroup.c bpf, cgroup: Reject prog_attach_flags array when effective query 2022-10-21 12:38:11 +02:00
core.c bpf: use bpf_prog_pack for bpf_dispatcher 2022-10-21 12:39:11 +02:00
cpumap.c bpf: Compute map_btf_id during build time 2022-04-26 11:35:21 -07:00
devmap.c bpf, devmap: Compute proper xdp_frame len redirecting frames 2022-07-26 16:26:19 +02:00
disasm.c bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause 2021-09-02 14:49:23 +02:00
disasm.h bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause 2021-09-02 14:49:23 +02:00
dispatcher.c bpf: use bpf_prog_pack for bpf_dispatcher 2022-10-21 12:39:11 +02:00
hashtab.c bpf: Propagate error from htab_lock_bucket() to userspace 2022-10-21 12:38:05 +02:00
helpers.c btf: Export bpf_dynptr definition 2022-10-21 12:37:37 +02:00
inode.c bpf: Convert bpf_preload.ko to use light skeleton. 2022-02-10 23:31:51 +01:00
link_iter.c bpf: Add bpf_link iterator 2022-05-10 11:20:45 -07:00
local_storage.c bpf: Make non-preallocated allocation low priority 2022-07-12 17:44:27 -07:00
lpm_trie.c bpf: Make non-preallocated allocation low priority 2022-07-12 17:44:27 -07:00
map_in_map.c bpf: Allow storing unreferenced kptr in map 2022-04-25 17:31:35 -07:00
map_in_map.h bpf: Add map_meta_equal map ops 2020-08-28 15:41:30 +02:00
map_iter.c bpf: Introduce MEM_RDONLY flag 2021-12-18 13:27:41 -08:00
mmap_unlock_work.h bpf: Introduce helper bpf_find_vma 2021-11-07 11:54:51 -08:00
net_namespace.c net: Add includes masked by netdevice.h including uapi/bpf.h 2021-12-29 20:03:05 -08:00
offload.c
percpu_freelist.c bpf: avoid grabbing spin_locks of all cpus when no free elems 2022-06-11 14:25:35 -07:00
percpu_freelist.h bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI 2020-10-06 00:04:11 +02:00
prog_iter.c bpf: Refactor bpf_iter_reg to have separate seq_info member 2020-07-25 20:16:32 -07:00
queue_stack_maps.c bpf: Compute map_btf_id during build time 2022-04-26 11:35:21 -07:00
reuseport_array.c net: Fix suspicious RCU usage in bpf_sk_reuseport_detach() 2022-08-17 16:42:59 -07:00
ringbuf.c bpf: Dynptr support for ring buffers 2022-05-23 14:31:28 -07:00
stackmap.c bpf: Compute map_btf_id during build time 2022-04-26 11:35:21 -07:00
syscall.c bpf: Ensure correct locking around vulnerable function find_vpid() 2022-10-21 12:38:11 +02:00
sysfs_btf.c bpf: Load and verify kernel module BTFs 2020-11-10 15:25:53 -08:00
task_iter.c bpf: Remove redundant assignment to meta.seq in __task_seq_show() 2022-04-11 21:14:34 +02:00
tnum.c bpf, tnums: Provably sound, faster, and more precise algorithm for tnum_mul 2021-06-01 13:34:15 +02:00
trampoline.c bpf: Use this_cpu_{inc_return|dec} for prog->active 2022-10-21 12:38:06 +02:00
verifier.c bpf: Fix wrong reg type conversion in release_reference() 2022-11-16 10:03:52 +01:00