| Message ID | 1410581190-31922-1-git-send-email-sasha.levin@oracle.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
On 09/13/2014 06:06 AM, Sasha Levin wrote:
> Commit "net: bpf: make eBPF interpreter images read-only" has changed bpf_prog
> to be vmalloc()ed but never handled some of the error paths of the old code.
>
> On error within sk_attach_filter (which userspace can easily trigger), we'd
> kfree() the vmalloc()ed memory, and leak the internal bpf_work_struct.
>
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

[ This patch is for net-next. ]

Acked-by: Daniel Borkmann <dborkman@redhat.com>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sa, 2014-09-13 at 00:06 -0400, Sasha Levin wrote:
> Commit "net: bpf: make eBPF interpreter images read-only" has changed bpf_prog
> to be vmalloc()ed but never handled some of the error paths of the old code.
>
> On error within sk_attach_filter (which userspace can easily trigger), we'd
> kfree() the vmalloc()ed memory, and leak the internal bpf_work_struct.
>
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

Yeah, thanks, we missed that somehow.

Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>

Bye,
Hannes
From: Sasha Levin <sasha.levin@oracle.com>
Date: Sat, 13 Sep 2014 00:06:30 -0400

> Commit "net: bpf: make eBPF interpreter images read-only" has changed bpf_prog
> to be vmalloc()ed but never handled some of the error paths of the old code.
>
> On error within sk_attach_filter (which userspace can easily trigger), we'd
> kfree() the vmalloc()ed memory, and leak the internal bpf_work_struct.
>
> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

Applied.
diff --git a/net/core/filter.c b/net/core/filter.c index dfc716f..09e1c4a 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -1074,7 +1074,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk) return -ENOMEM; if (copy_from_user(prog->insns, fprog->filter, fsize)) { - kfree(prog); + __bpf_prog_free(prog); return -EFAULT; } @@ -1082,7 +1082,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk) err = bpf_prog_store_orig_filter(prog, fprog); if (err) { - kfree(prog); + __bpf_prog_free(prog); return -ENOMEM; }
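Review bot: for the first hunk (the copy_from_user() failure path), consider a single `out_free:` label instead of two separate `__bpf_prog_free(prog); return ...;` sites in sk_attach_filter(): the cleanup then lives in one place, and the next change to how prog is allocated cannot update one path and miss the other, which is how the mismatched kfree() got in here in the first place. The replacement itself is right: __bpf_prog_free() is the counterpart of the vmalloc()ed allocation and also drops the internal work struct that the commit message says kfree() was leaking.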
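Review bot: in the second hunk, the bpf_prog_store_orig_filter() failure path still returns a hard-coded -ENOMEM although `err` was just assigned from that call one line above; `return err;` would report the real cause if the helper ever fails for another reason. That is pre-existing and independent of this leak fix, so a follow-up is fine. Swapping kfree() for __bpf_prog_free() here is correct for the same reason as in the first hunk: it matches the vmalloc()ed allocation and releases the work struct as well.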
Commit "net: bpf: make eBPF interpreter images read-only" has changed bpf_prog
to be vmalloc()ed but never handled some of the error paths of the old code.

On error within sk_attach_filter (which userspace can easily trigger), we'd
kfree() the vmalloc()ed memory, and leak the internal bpf_work_struct.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
---
 net/core/filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
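As an added example (my own, not code from the patch or from the kernel), here is a user-space model of the bug class the commit message describes: an object built from two allocations, an error path that releases it with a free that does not match the allocator, and the live-object counters a leak detector such as kmemleak would see. Every name here (model_prog, model_work, model_prog_alloc, model_prog_free, mismatched_free, model_attach, work_leaked_by_failed_attach, roundtrip_first_byte) is hypothetical, a NULL filter pointer stands in for a copy_from_user() failure, and the 4-byte image is constructed sample data.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Counters standing in for a leak detector: how many of each allocation are live. */
static int live_progs, live_work;

struct model_work { int pending; };   /* stand-in for the internal work struct */

struct model_prog {                   /* stand-in for bpf_prog */
	struct model_work *work;          /* second allocation, owned by the prog */
	size_t len;
	unsigned char insns[];            /* instruction image */
};

/* Kept reachable so the model itself does not leak; nothing in the model ever frees it. */
static struct model_work *orphaned_work;

/* Hypothetical allocator: two allocations, so a correct free must release two things. */
static struct model_prog *model_prog_alloc(size_t len)
{
	struct model_prog *p = malloc(sizeof(*p) + len);
	if (!p)
		return NULL;
	p->work = malloc(sizeof(*p->work));
	if (!p->work) {
		free(p);
		return NULL;
	}
	p->work->pending = 0;
	p->len = len;
	live_progs++;
	live_work++;
	return p;
}

/* Matching free: releases both parts, the role __bpf_prog_free() plays for the real object. */
static void model_prog_free(struct model_prog *p)
{
	free(p->work);
	live_work--;
	free(p);
	live_progs--;
}

/* The buggy pattern: only the outer object goes, as kfree() did for the vmalloc()ed prog. */
static void mismatched_free(struct model_prog *p)
{
	orphaned_work = p->work;   /* now unowned: this is the leak */
	free(p);
	live_progs--;
}

/* Modelled on sk_attach_filter(): one cleanup label, so every error path frees the same way.
 * A NULL 'filter' plays the part of a bad user pointer failing copy_from_user();
 * 'buggy' selects the mismatched free to show what a leak detector would report. */
static int model_attach(const unsigned char *filter, size_t len,
			struct model_prog **out, int buggy)
{
	struct model_prog *p = model_prog_alloc(len);
	int err = -EFAULT;

	if (!p)
		return -ENOMEM;
	if (!filter)
		goto out_free;
	memcpy(p->insns, filter, len);
	*out = p;
	return 0;
out_free:
	if (buggy)
		mismatched_free(p);
	else
		model_prog_free(p);
	return err;
}

/* Work structs left live by an attach that fails in the copy step (0 means no leak). */
int work_leaked_by_failed_attach(int buggy)
{
	struct model_prog *p = NULL;
	int before = live_work;
	(void)model_attach(NULL, 8, &p, buggy);
	return live_work - before;
}

/* Clean attach of a constructed 4-byte image; returns insns[0] only if the free balanced the counters. */
int roundtrip_first_byte(void)
{
	const unsigned char image[4] = {0x28, 0x00, 0x00, 0x0c};   /* constructed sample bytes */
	struct model_prog *p = NULL;
	int before_p = live_progs, before_w = live_work, b;
	if (model_attach(image, sizeof(image), &p, 0))
		return -1;
	b = p->insns[0];
	model_prog_free(p);
	return (live_progs == before_p && live_work == before_w) ? b : -1;
}
```

Calling work_leaked_by_failed_attach(0) returns 0 and work_leaked_by_failed_attach(1) returns 1: the counters only diverge on the error path, which is why the original bug was easy to miss in normal testing and why a single cleanup label that always calls the allocator's own free is the robust shape for sk_attach_filter()-style code.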