bpf: Fix for use-after-free bug in inline_bpf_loop - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Eduard Zingerman <eddyz87@gmail.com>	2022-06-24 05:06:12 +0300
committer	Daniel Borkmann <daniel@iogearbox.net>	2022-06-24 16:50:39 +0200
commit	fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9 (patch)
tree	46a04997bd50ee0681e7c256c39ad9f08ab1211a /tools/testing/selftests/bpf/test_verifier.c
parent	395e942d34a25824457da379baf434b5d6da4dcc (diff)
download	linux-fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9.tar.bz2

bpf: Fix for use-after-free bug in inline_bpf_loop

As reported by Dan Carpenter, the following statements in inline_bpf_loop() might cause a use-after-free bug: struct bpf_prog *new_prog; // ... new_prog = bpf_patch_insn_data(env, position, insn_buf, *cnt); // ... env->prog->insnsi[call_insn_offset].imm = callback_offset; The bpf_patch_insn_data() might free the memory used by env->prog. Fixes: 1ade23711971 ("bpf: Inline calls to bpf_loop when callback is known") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20220624020613.548108-2-eddyz87@gmail.com

Diffstat (limited to 'tools/testing/selftests/bpf/test_verifier.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: