path: root/scripts/gdb/linux/pgtable.py
author: Eduard Zingerman <eddyz87@gmail.com> 2025-09-12 12:18:16 -0700
committer: Alexei Starovoitov <ast@kernel.org> 2025-09-15 13:04:21 -0700
commit: b13448dd64e27752fad252cec7da1a50ab9f0b6f (patch)
tree: 672dedd705e7ba729938dc55bc2ac1f35ebfeab9 /scripts/gdb/linux/pgtable.py
parent: 3ae4c527080ce81b889ffc2780e077770b95ae88 (diff)
bpf: potential double-free of env->insn_aux_data
Function bpf_patch_insn_data() has the following structure:

    static struct bpf_prog *bpf_patch_insn_data(... env ...)
    {
        struct bpf_prog *new_prog;
        struct bpf_insn_aux_data *new_data = NULL;

        if (len > 1) {
            new_data = vrealloc(...);        // <--------- (1)
            if (!new_data)
                return NULL;
            env->insn_aux_data = new_data;   // <---- (2)
        }
        new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
        if (IS_ERR(new_prog)) {
            ...
            vfree(new_data);                 // <----------------- (3)
            return NULL;
        }
        ... happy path ...
    }

In case bpf_patch_insn_single() returns an error, the `new_data` allocated at (1) will be freed at (3). However, at (2) this pointer is stored in `env->insn_aux_data`, which is freed unconditionally by verifier.c:bpf_check() on both happy and error paths, thus leading to a double-free.

Fix this by removing the vfree() call at (3); ownership over `new_data` is already passed to `env->insn_aux_data` at this point.

Fixes: 77620d126739 ("bpf: use realloc in bpf_patch_insn_data")
Reported-by: Chris Mason <clm@meta.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250912-patch-insn-data-double-free-v1-1-af05bd85a21a@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
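The ownership hand-off the commit describes, modelled in a stand-alone C example added here (not kernel code): a small tracking allocator stands in for vrealloc()/vfree() so the second free that bpf_check() would perform after the buggy error path is counted rather than corrupting the heap. struct env, patch_insn_data, run_scenario and the tracker are constructed names.

```c
#include <stdlib.h>
/* Constructed model of the ownership bug in the commit message (added example,
 * not kernel code): struct env, patch_insn_data, run_scenario and the tracking
 * allocator are invented; the tracker counts a repeated free instead of freeing. */
struct env { void *insn_aux_data; };
static void *live[8];
static int live_count, double_frees, leaked_buffers;
static void *tracked_alloc(size_t n)
{
    void *p = malloc(n);
    if (p && live_count < 8)
        live[live_count++] = p;
    return p;
}
static void tracked_free(void *p)
{
    for (int i = 0; p && i < live_count; i++)
        if (live[i] == p) {
            live[i] = live[--live_count];
            free(p);
            return;
        }
    if (p) double_frees++;  /* p is no longer live: second free of one buffer */
}
/* Mirrors bpf_patch_insn_data(): fail_single takes the error path of the
 * callee (bpf_patch_insn_single); buggy keeps the vfree() at (3). */
static int patch_insn_data(struct env *env, int fail_single, int buggy)
{
    void *new_data = tracked_alloc(64);     /* (1) */
    if (!new_data) return -1;
    env->insn_aux_data = new_data;          /* (2) ownership moves to env */
    if (fail_single) {
        if (buggy)
            tracked_free(new_data);         /* (3) frees what env now owns */
        return -1;
    }
    return 0;
}
/* Mirrors bpf_check(), which frees env->insn_aux_data on every path.
 * Returns the double-free count; leaked_buffers records buffers still live. */
static int run_scenario(int buggy)
{
    struct env env = { 0 };
    live_count = double_frees = 0;
    patch_insn_data(&env, 1, buggy);
    tracked_free(env.insn_aux_data);
    leaked_buffers = live_count;
    return double_frees;
}
```

run_scenario(1) reports one double free with nothing leaked, while run_scenario(0), the fixed shape, reports neither, showing that dropping the vfree() at (3) introduces no leak because bpf_check() already owns the buffer.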
Diffstat (limited to 'scripts/gdb/linux/pgtable.py')
0 files changed, 0 insertions, 0 deletions