From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:55573 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754643AbcEPSeI (ORCPT ); Mon, 16 May 2016 14:34:08 -0400 Subject: Patch "bpf: fix double-fdput in replace_map_fd_with_map_ptr()" has been added to the 4.5-stable tree To: jannh@google.com, ast@kernel.org, daniel@iogearbox.net, davem@davemloft.net, gregkh@linuxfoundation.org, torvalds@linux-foundation.org Cc: , From: Date: Mon, 16 May 2016 11:26:17 -0700 Message-ID: <146342317783160@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled bpf: fix double-fdput in replace_map_fd_with_map_ptr() to the 4.5-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch and it can be found in the queue-4.5 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Mon May 16 11:20:33 PDT 2016 From: Jann Horn Date: Tue, 26 Apr 2016 22:26:26 +0200 Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr() From: Jann Horn [ Upstream commit 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 ] When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user. This bug was introduced in commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only exploitable since commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because previously, CAP_SYS_ADMIN was required to reach the vulnerable code. (posted publicly according to request by maintainer) Signed-off-by: Jann Horn Signed-off-by: Linus Torvalds Acked-by: Alexei Starovoitov Acked-by: Daniel Borkmann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 1 - 1 file changed, 1 deletion(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2004,7 +2004,6 @@ static int replace_map_fd_with_map_ptr(s if (IS_ERR(map)) { verbose("fd %d is not pointing to valid bpf_map\n", insn->imm); - fdput(f); return PTR_ERR(map); } Patches currently in stable-queue which might be from jannh@google.com are queue-4.5/bpf-fix-double-fdput-in-replace_map_fd_with_map_ptr.patch queue-4.5/bpf-fix-refcnt-overflow.patch queue-4.5/bpf-fix-check_map_func_compatibility-logic.patch