| Message ID | 1461702386-17490-1-git-send-email-jannh@google.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
On Tue, Apr 26, 2016 at 10:26:26PM +0200, Jann Horn wrote: > When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode > references a non-map file descriptor as a map file descriptor, the error > handling code called fdput() twice instead of once (in __bpf_map_get() and > in replace_map_fd_with_map_ptr()). If the file descriptor table of the > current task is shared, this causes f_count to be decremented too much, > allowing the struct file to be freed while it is still in use > (use-after-free). This can be exploited to gain root privileges by an > unprivileged user. > > This bug was introduced in > commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only > exploitable since > commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because > previously, CAP_SYS_ADMIN was required to reach the vulnerable code. > > (posted publicly according to request by maintainer) > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Alexei Starovoitov <ast@kernel.org>
On 04/26/2016 10:26 PM, Jann Horn wrote: > When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode > references a non-map file descriptor as a map file descriptor, the error > handling code called fdput() twice instead of once (in __bpf_map_get() and > in replace_map_fd_with_map_ptr()). If the file descriptor table of the > current task is shared, this causes f_count to be decremented too much, > allowing the struct file to be freed while it is still in use > (use-after-free). This can be exploited to gain root privileges by an > unprivileged user. > > This bug was introduced in > commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only > exploitable since > commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because > previously, CAP_SYS_ADMIN was required to reach the vulnerable code. > > (posted publicly according to request by maintainer) > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Thanks!
From: Jann Horn <jannh@google.com> Date: Tue, 26 Apr 2016 22:26:26 +0200 > When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode > references a non-map file descriptor as a map file descriptor, the error > handling code called fdput() twice instead of once (in __bpf_map_get() and > in replace_map_fd_with_map_ptr()). If the file descriptor table of the > current task is shared, this causes f_count to be decremented too much, > allowing the struct file to be freed while it is still in use > (use-after-free). This can be exploited to gain root privileges by an > unprivileged user. > > This bug was introduced in > commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only > exploitable since > commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because > previously, CAP_SYS_ADMIN was required to reach the vulnerable code. > > (posted publicly according to request by maintainer) > > Signed-off-by: Jann Horn <jannh@google.com> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Applied and queued up for -stable, thanks Jann.
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2e08f8e..8291251 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2029,7 +2029,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env) if (IS_ERR(map)) { verbose("fd %d is not pointing to valid bpf_map\n", insn->imm); - fdput(f); return PTR_ERR(map); }
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user. This bug was introduced in commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only exploitable since commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because previously, CAP_SYS_ADMIN was required to reach the vulnerable code. (posted publicly according to request by maintainer) Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> --- kernel/bpf/verifier.c | 1 - 1 file changed, 1 deletion(-)