bpf: Fix NULL dereference in bpf_task_storage

iamkafai · Alexei Starovoitov · commit 09a3dac7b579 · 2020-11-11T18:14:49.000-08:00
In bpf_pid_task_storage_update_elem(), it missed to test the !task_storage_ptr(task) which then could trigger a NULL pointer exception in bpf_local_storage_update(). Fixes: 4cf1bc1 ("bpf: Implement task local storage") Signed-off-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Tested-by: Roman Gushchin <guro@fb.com> Acked-by: KP Singh <kpsingh@google.com> Link: https://lore.kernel.org/bpf/20201112001919.2028357-1-kafai@fb.com
diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c
@@ -150,7 +150,7 @@ static int bpf_pid_task_storage_update_elem(struct bpf_map *map, void *key,
 	 */
 	WARN_ON_ONCE(!rcu_read_lock_held());
 	task = pid_task(pid, PIDTYPE_PID);
-	if (!task) {
+	if (!task || !task_storage_ptr(task)) {
 		err = -ENOENT;
 		goto out;
 	}

Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ static int bpf_pid_task_storage_update_elem(struct bpf_map map, void key,`
`150`	`150`	`*/`
`151`	`151`	`WARN_ON_ONCE(!rcu_read_lock_held());`
`152`	`152`	`task = pid_task(pid, PIDTYPE_PID);`
`153`		`- if (!task) {`
	`153`	`+ if (!task \|\| !task_storage_ptr(task)) {`
`154`	`154`	`err = -ENOENT;`
`155`	`155`	`goto out;`
`156`	`156`	`}`