[packages/kernel] - security fix from upstream

arekm arekm at pld-linux.org
Wed Apr 27 09:15:11 CEST 2016


commit 86d8ac69cca9b0a708b66f420dc15fb18d2e2f0f
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Wed Apr 27 09:15:04 2016 +0200

    - security fix from upstream

 kernel-small_fixes.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
---
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index d4b6034..5c9ff24 100644
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -26,3 +26,49 @@
  				exit
  			fi
  		done
+From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh at google.com>
+Date: Tue, 26 Apr 2016 22:26:26 +0200
+Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
+
+When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
+references a non-map file descriptor as a map file descriptor, the error
+handling code called fdput() twice instead of once (in __bpf_map_get() and
+in replace_map_fd_with_map_ptr()). If the file descriptor table of the
+current task is shared, this causes f_count to be decremented too much,
+allowing the struct file to be freed while it is still in use
+(use-after-free). This can be exploited to gain root privileges by an
+unprivileged user.
+
+This bug was introduced in
+commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
+exploitable since
+commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
+previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
+
+(posted publicly according to request by maintainer)
+
+Signed-off-by: Jann Horn <jannh at google.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Alexei Starovoitov <ast at kernel.org>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ kernel/bpf/verifier.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 618ef77..db2574e 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
+ 			if (IS_ERR(map)) {
+ 				verbose("fd %d is not pointing to valid bpf_map\n",
+ 					insn->imm);
+-				fdput(f);
+ 				return PTR_ERR(map);
+ 			}
+ 
+-- 
+cgit v0.12
+
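Review bot: the hunk appends the upstream patch to kernel-small_fixes.patch with its mail trailer intact (`-- ` and `cgit v0.12`), and without any marker separating it from the shell-script context that ends the previous fix (`exit` / `fi` / `done`); `patch` will skip that trailer, but trimming it and recording the upstream commit id 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 in the package commit message (currently just "security fix from upstream") would make the backport traceable. The embedded change itself is a one-line deletion of `fdput(f);` in the `IS_ERR(map)` branch of replace_map_fd_with_map_ptr(), which is correct only when the tree being patched still calls fdput() in both __bpf_map_get() and this error path, as the description states; since the visible context (`@@ -2030,7 +2030,6 @@`) does not show __bpf_map_get(), whoever bumps the packaged kernel should confirm the hunk still applies and that the upstream fix is not already present, otherwise the patch would either fail to apply or, if forced, reintroduce an unbalanced reference count in the opposite direction.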
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/86d8ac69cca9b0a708b66f420dc15fb18d2e2f0f
