TWxSoftware/twx-linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
v6.6.90
twx-linux/kernel/bpf
History
Eduard Zingerman 3a467d938d bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs 
commit ac6542ad92759cda383ad62b4e4cbfc28136abc1 upstream.

bpf_prog_aux->func field might be NULL if program does not have
subprograms except for main sub-program. The fixed commit does
bpf_prog_aux->func access unconditionally, which might lead to null
pointer dereference.

The bug could be triggered by replacing the following BPF program:

    SEC("tc")
    int main_changes(struct __sk_buff *sk)
    {
        bpf_skb_pull_data(sk, 0);
        return 0;
    }

With the following BPF program:

    SEC("freplace")
    long changes_pkt_data(struct __sk_buff *sk)
    {
        return bpf_skb_pull_data(sk, 0);
    }

bpf_prog_aux instance itself represents the main sub-program,
use this property to fix the bug.

Fixes: 81f6d0530ba0 ("bpf: check changes_pkt_data property for extension programs")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202412111822.qGw6tOyB-lkp@intel.com/
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20241212070711.427443-1-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-05-09 09:43:55 +02:00
..
preload bpf: make preloaded map iterators to display map elements count 2023-07-06 12:42:25 -07:00
arraymap.c bpf: Check percpu map value size first 2024-10-17 15:24:15 +02:00
bloom_filter.c bpf: Check bloom filter map value size 2024-05-17 12:02:11 +02:00
bpf_cgrp_storage.c bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it creates storage 2025-05-02 07:50:53 +02:00
bpf_inode_storage.c Networking changes for 6.4. 2023-04-26 16:07:23 -07:00
bpf_iter.c
bpf_local_storage.c bpf: bpf_local_storage: Always use bpf_mem_alloc in PREEMPT_RT 2025-02-08 09:52:06 +01:00
bpf_lru_list.c bpf: Address KCSAN report on bpf_lru_list 2023-05-12 12:01:03 -07:00
bpf_lru_list.h bpf: lru: Remove unused declaration bpf_lru_promote() 2023-08-08 17:21:42 -07:00
bpf_lsm.c
bpf_struct_ops_types.h
bpf_struct_ops.c bpf: Support default .validate() and .update() behavior for struct_ops links 2023-08-14 22:23:39 -07:00
bpf_task_storage.c bpf: Teach verifier that certain helpers accept NULL pointer. 2023-04-04 16:57:16 -07:00
btf.c bpf: Check size for BTF-based ctx access of pointer members 2024-12-19 18:11:25 +01:00
cgroup_iter.c
cgroup.c cgroup/bpf: use a dedicated workqueue for cgroup bpf destruction 2024-11-08 16:28:24 +01:00
core.c bpf: refactor bpf_helper_changes_pkt_data to use helper number 2025-05-09 09:43:54 +02:00
cpumap.c bpf: report RCU QS in cpumap kthread 2024-03-26 18:20:12 -04:00
cpumask.c bpf: Convert bpf_cpumask to bpf_mem_cache_free_rcu. 2023-07-12 23:45:23 +02:00
devmap.c bpf: fix OOB devmap writes when deleting elements 2024-12-14 19:59:56 +01:00
disasm.c bpf: change bpf_alu_sign_string and bpf_movsx_string to static 2023-08-04 16:15:50 -07:00
disasm.h
dispatcher.c
hashtab.c bpf: Call free_htab_elem() after htab_unlock_bucket() 2024-12-14 20:00:08 +01:00
helpers.c bpf: Add MEM_WRITE attribute 2024-11-01 01:58:30 +01:00
inode.c bpf: convert to ctime accessor functions 2023-07-24 10:30:07 +02:00
Kconfig bpf: Add fd-based tcx multi-prog infra with link support 2023-07-19 10:07:27 -07:00
link_iter.c
local_storage.c cgroup changes for v6.4-rc1 2023-04-29 10:05:22 -07:00
log.c bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log 2023-05-16 22:34:50 -07:00
lpm_trie.c bpf: Fix exact match conditions in trie_get_next_key() 2024-12-14 19:59:51 +01:00
Makefile bpf: Add fd-based tcx multi-prog infra with link support 2023-07-19 10:07:27 -07:00
map_in_map.c bpf: Optimize the free of inner map 2024-06-21 14:38:15 +02:00
map_in_map.h bpf: Add map and need_defer parameters to .map_fd_put_ptr() 2024-01-25 15:35:22 -08:00
map_iter.c bpf: allow any program to use the bpf_map_sum_elem_count kfunc 2023-07-19 09:48:53 -07:00
memalloc.c bpf: Use c->unit_size to select target cache during free 2024-01-25 15:35:28 -08:00
mmap_unlock_work.h
mprog.c bpf: Handle bpf_mprog_query with NULL entry 2023-10-06 17:11:20 -07:00
net_namespace.c
offload.c bpf: Avoid dummy bpf_offload_netdev in __bpf_prog_dev_bound_init 2023-09-11 22:06:06 -07:00
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c bpf: Avoid deadlock when using queue and stack maps from NMI 2023-09-11 19:04:49 -07:00
reuseport_array.c bpf: Centralize permissions checks for all BPF map types 2023-06-19 14:04:04 +02:00
ringbuf.c bpf: Use raw_spinlock_t in ringbuf 2025-03-22 12:50:37 -07:00
stackmap.c bpf: Fix stackmap overflow check on 32-bit arches 2024-03-26 18:19:39 -04:00
syscall.c bpf: skip non exist keys in generic_map_lookup_batch 2025-02-27 04:10:51 -08:00
sysfs_btf.c
task_iter.c bpf: Fix iter/task tid filtering 2024-11-01 01:58:25 +01:00
tcx.c bpf: Handle bpf_mprog_query with NULL entry 2023-10-06 17:11:20 -07:00
tnum.c
trampoline.c bpf, x64: Fix tailcall infinite loop 2023-11-20 11:58:55 +01:00
verifier.c bpf: fix null dereference when computing changes_pkt_data of prog w/o subprogs 2025-05-09 09:43:55 +02:00