bpf: Fix for use-after-free bug in inline_bpf_loop

eddyz87 · borkmann · commit fb4e3b33e3e7 · 2022-06-24T16:50:39.000+02:00
As reported by Dan Carpenter, the following statements in inline_bpf_loop() might cause a use-after-free bug: struct bpf_prog *new_prog; // ... new_prog = bpf_patch_insn_data(env, position, insn_buf, *cnt); // ... env->prog->insnsi[call_insn_offset].imm = callback_offset; The bpf_patch_insn_data() might free the memory used by env->prog. Fixes: 1ade237 ("bpf: Inline calls to bpf_loop when callback is known") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20220624020613.548108-2-eddyz87@gmail.com
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -14417,7 +14417,7 @@ static struct bpf_prog *inline_bpf_loop(struct bpf_verifier_env *env,
 	/* Note: insn_buf[12] is an offset of BPF_CALL_REL instruction */
 	call_insn_offset = position + 12;
 	callback_offset = callback_start - call_insn_offset - 1;
-	env->prog->insnsi[call_insn_offset].imm = callback_offset;
+	new_prog->insnsi[call_insn_offset].imm = callback_offset;
 
 	return new_prog;
 }

Original file line number	Diff line number	Diff line change
`@@ -14417,7 +14417,7 @@ static struct bpf_prog inline_bpf_loop(struct bpf_verifier_env env,`
`14417`	`14417`	`/* Note: insn_buf[12] is an offset of BPF_CALL_REL instruction */`
`14418`	`14418`	`call_insn_offset = position + 12;`
`14419`	`14419`	`callback_offset = callback_start - call_insn_offset - 1;`
`14420`		`- env->prog->insnsi[call_insn_offset].imm = callback_offset;`
	`14420`	`+ new_prog->insnsi[call_insn_offset].imm = callback_offset;`
`14421`	`14421`
`14422`	`14422`	`return new_prog;`
`14423`	`14423`	`}`