iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/kernel/bpf
History
Yuntao Wang 7f845de286 bpf: Fix potential array overflow in bpf_trampoline_get_progs() 
commit a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d upstream.

The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not
include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of
the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline
can exceed BPF_MAX_TRAMP_PROGS.

When this happens, the assignment '*progs++ = aux->prog' in
bpf_trampoline_get_progs() will cause progs array overflow as the
progs field in the bpf_tramp_progs struct can only hold at most
BPF_MAX_TRAMP_PROGS bpf programs.

Fixes: 88fd9e5352fe ("bpf: Refactor trampoline update code")
Signed-off-by: Yuntao Wang <ytcoode@gmail.com>
Link: https://lore.kernel.org/r/20220430130803.210624-1-ytcoode@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-06-06 08:42:45 +02:00
..
preload
bpf: Fix umd memory leak in copy_process()
2021-03-30 14:32:03 +02:00
arraymap.c
bpf: Fix potential race in tail call compatibility check
2021-11-02 19:48:21 +01:00
bpf_inode_storage.c
bpf: Change inode_storage's lookup_elem return value from NULL to -EBADF
2021-03-30 14:31:56 +02:00
bpf_iter.c
bpf: Fix an unitialized value in bpf_iter
2021-03-04 11:37:33 +01:00
bpf_local_storage.c
bpf: Use hlist_add_head_rcu when linking to local_storage
2020-09-19 01:12:35 +02:00
bpf_lru_list.c
bpf_lru_list: Read double-checked variable once without lock
2021-03-04 11:37:29 +01:00
bpf_lru_list.h
bpf: Fix a typo "inacitve" -> "inactive"
2020-04-06 21:54:10 +02:00
bpf_lsm.c
bpf: Update verification logic for LSM programs
2020-11-06 13:15:21 -08:00
bpf_struct_ops_types.h
bpf: tcp: Support tcp_congestion_ops in bpf
2020-01-09 08:46:18 -08:00
bpf_struct_ops.c
bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog
2021-10-06 15:55:50 +02:00
btf.c
bpf: Disallow BPF_LOG_KERNEL log level for bpf(BPF_BTF_LOAD)
2022-01-27 10:53:54 +01:00
cgroup.c
bpf, cgroup: Fix problematic bounds check
2021-02-10 09:29:12 +01:00
core.c
bpf: Prevent increasing bpf_jit_limit above max
2021-11-18 14:03:42 +01:00
cpumap.c
bpf, cpumap: Remove rcpu pointer from cpu_map_build_skb signature
2020-09-28 23:30:42 +02:00
devmap.c
bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
2021-12-17 10:14:41 +01:00
disasm.c
bpf: Introduce BPF nospec instruction for mitigating Spectre v4
2021-08-04 12:46:44 +02:00
disasm.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 295
2019-06-05 17:36:38 +02:00
dispatcher.c
bpf: Remove bpf_image tree
2020-03-13 12:49:52 -07:00
hashtab.c
bpf: Fix integer overflow involving bucket_size
2021-08-18 08:59:10 +02:00
helpers.c
bpf: Fix potentially incorrect results with bpf_get_local_storage()
2021-09-03 10:09:31 +02:00
inode.c
bpf: link: Refuse non-O_RDWR flags in BPF_OBJ_GET
2021-04-14 08:42:00 +02:00
local_storage.c
bpf: Fix NULL pointer dereference in bpf_get_local_storage() helper
2021-09-03 10:09:21 +02:00
lpm_trie.c
bpf: Add map_meta_equal map ops
2020-08-28 15:41:30 +02:00
Makefile
bpf: Don't rely on GCC __attribute__((optimize)) to disable GCSE
2020-10-29 20:01:46 -07:00
map_in_map.c
bpf: Relax max_entries check for most of the inner map types
2020-08-28 15:41:30 +02:00
map_in_map.h
bpf: Add map_meta_equal map ops
2020-08-28 15:41:30 +02:00
map_iter.c
bpf: Implement link_query callbacks in map element iterators
2020-08-21 14:01:39 -07:00
net_namespace.c
bpf: Add support for forced LINK_DETACH command
2020-08-01 20:38:28 -07:00
offload.c
bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill
2020-02-17 16:53:49 +01:00
percpu_freelist.c
bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI
2020-10-06 00:04:11 +02:00
percpu_freelist.h
bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI
2020-10-06 00:04:11 +02:00
prog_iter.c
bpf: Refactor bpf_iter_reg to have separate seq_info member
2020-07-25 20:16:32 -07:00
queue_stack_maps.c
bpf: Add map_meta_equal map ops
2020-08-28 15:41:30 +02:00
reuseport_array.c
bpf, net: Rework cookie generator as per-cpu one
2020-09-30 11:50:35 -07:00
ringbuf.c
bpf: Use VM_MAP instead of VM_ALLOC for ringbuf
2022-02-08 18:30:39 +01:00
stackmap.c
bpf: Adjust BPF stack helper functions to accommodate skip > 0
2022-04-08 14:40:43 +02:00
syscall.c
bpf: Add schedule points in batch ops
2022-03-02 11:42:49 +01:00
sysfs_btf.c
bpf: Fix sysfs export of empty BTF section
2020-09-21 21:50:24 +02:00
task_iter.c
bpf: Save correct stopping point in file seq iteration
2021-01-19 18:27:28 +01:00
tnum.c
bpf: Verifier, do explicit ALU32 bounds tracking
2020-03-30 14:59:53 -07:00
trampoline.c
bpf: Fix potential array overflow in bpf_trampoline_get_progs()
2022-06-06 08:42:45 +02:00
verifier.c
bpf: Don't promote bogus looking registers after null check.
2022-01-27 10:54:00 +01:00