diff options
| author | KP Singh <kpsingh@kernel.org> | 2023-06-02 02:26:12 +0200 |
|---|---|---|
| committer | Martin KaFai Lau <martin.lau@kernel.org> | 2023-06-02 10:18:07 -0700 |
| commit | b0fd1852bcc21accca6260ef245356d5c141ff66 (patch) | |
| tree | 01b23e0698267c292fef29a60074f607d8a1b97a /tools/testing/selftests/bpf/prog_tests | |
| parent | b320a45638296b63be8d9a901ca8bc43716b1ae1 (diff) | |
| download | linux-b0fd1852bcc21accca6260ef245356d5c141ff66.tar.gz linux-b0fd1852bcc21accca6260ef245356d5c141ff66.tar.bz2 linux-b0fd1852bcc21accca6260ef245356d5c141ff66.zip | |
bpf: Fix UAF in task local storage
When task local storage was generalized for tracing programs, the
bpf_task_local_storage callback was moved from a BPF LSM hook
callback for security_task_free LSM hook to it's own callback. But a
failure case in bad_fork_cleanup_security was missed which, when
triggered, led to a dangling task owner pointer and a subsequent
use-after-free. Move the bpf_task_storage_free to the very end of
free_task to handle all failure cases.
This issue was noticed when a BPF LSM program was attached to the
task_alloc hook on a kernel with KASAN enabled. The program used
bpf_task_storage_get to copy the task local storage from the current
task to the new task being created.
Fixes: a10787e6d58c ("bpf: Enable task local storage for tracing programs")
Reported-by: Kuba Piecuch <jpiecuch@google.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Acked-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20230602002612.1117381-1-kpsingh@kernel.org
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Diffstat (limited to 'tools/testing/selftests/bpf/prog_tests')
0 files changed, 0 insertions, 0 deletions