Re: [PATCH net-next v4 2/9] net: filter: keep original BPF program around

[PATCH net-next v4 0/9] BPF updates · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 1/9] net: filter: add jited flag to indicate jit compiled filters · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 6/9] net: ppp: use sk_unattached_filter api · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 2/9] net: filter: keep original BPF program around · Daniel Borkmann <hidden> · 2014-03-28
Re: [PATCH net-next v4 2/9] net: filter: keep original BPF program around · Eric Dumazet <hidden> · 2014-09-12
Re: [PATCH net-next v4 2/9] net: filter: keep original BPF program around · Alexei Starovoitov <hidden> · 2014-09-12
Re: [PATCH net-next v4 2/9] net: filter: keep original BPF program around · Daniel Borkmann <hidden> · 2014-09-12
Re: [PATCH net-next v4 2/9] net: filter: keep original BPF program around · David Miller <davem@davemloft.net> · 2014-09-13
[PATCH net-next v4 4/9] net: ptp: use sk_unattached_filter_create() for BPF · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 5/9] net: ptp: do not reimplement PTP/BPF classifier · Daniel Borkmann <hidden> · 2014-03-28
Re: [PATCH net-next v4 5/9] net: ptp: do not reimplement PTP/BPF classifier · Richard Cochran <richardcochran@gmail.com> · 2014-03-31
Re: [PATCH net-next v4 5/9] net: ptp: do not reimplement PTP/BPF classifier · Daniel Borkmann <hidden> · 2014-03-31
[PATCH net-next v4 9/9] doc: filter: extend BPF documentation to document new internals · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 3/9] net: filter: move filter accounting to filter core · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 7/9] net: isdn: use sk_unattached_filter api · Daniel Borkmann <hidden> · 2014-03-28
[PATCH net-next v4 8/9] net: filter: rework/optimize internal BPF interpreter's instruction set · Daniel Borkmann <hidden> · 2014-03-28
Re: [PATCH net-next v4 0/9] BPF updates · David Miller <davem@davemloft.net> · 2014-03-31

From: David Miller <davem@davemloft.net>
Date: 2014-09-13 21:05:07

From: Daniel Borkmann <redacted>
Date: Fri, 12 Sep 2014 08:09:31 +0200

quoted

[PATCH] net: filter: fix possible use after free

If kmemdup() fails, we free fp->orig_prog and return -ENOMEM

sk_attach_filter()
  -> sk_filter_uncharge(sk, fp)
   -> sk_filter_release(fp)
    -> call_rcu(&fp->rcu, sk_filter_release_rcu)
     -> sk_filter_release_rcu()
      -> sk_release_orig_filter()
         fprog = fp->orig_prog; // not NULL, but points to freed memory
	  kfree(fprog->filter); // use after free, potential corruption
           kfree(fprog); // double free or corruption

Note: This was fixed in 3.17+ with commit 278571baca2a
("net: filter: simplify socket charging")

Found by AddressSanitizer

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: a3ea269b8bcdb ("net: filter: keep original BPF program around")

Thanks Eric!

Acked-by: Daniel Borkmann <redacted>

Queued up for -stable, thanks.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help