8358b02bf6
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user. This bug was introduced in commit
| File |
|---|
| Makefile |
| arraymap.c |
| core.c |
| hashtab.c |
| helpers.c |
| inode.c |
| percpu_freelist.c |
| percpu_freelist.h |
| stackmap.c |
| syscall.c |
| verifier.c |
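The commit message above hinges on one rule of the kernel's fd API: fdget() only takes a real reference on the struct file (and sets the FDPUT_FPUT flag so that fdput() drops it) when the task's fd table is shared with another task; with a private table it takes none, and fdput() is a no-op. That is why the double fdput() is harmless for a normal process but underflows f_count, and frees the file while the table still points at it, once the table is shared (for example after clone() with CLONE_FILES). The following is an added userspace model of that rule and of the buggy versus fixed error path; it is not kernel code and not part of this commit, and the struct bodies, the hypothetical helper names bpf_map_get_from_fd(), replace_map_fd() and f_count_after(), and the "freed at f_count == 0" convention are simplifying assumptions of the model.

```c
/* Added example: userspace model of fdget()/fdput() refcounting and of the
 * double-fdput error path described in the commit message. Not kernel code;
 * struct names mirror the kernel's but the bodies are a simplification
 * (assumption: one refcount per struct file, a per-table share count, and
 * the rule that fdget() only takes a reference when the table is shared). */
#include <stdio.h>
#include <string.h>

#define FDPUT_FPUT 1      /* fdput() must drop the reference fdget() took */
#define MAX_FDS 8
#define EINVAL 22

struct file {
    long f_count;         /* references: the fd table entry plus fdget() holders */
    int is_bpf_map;       /* 1 if this file is a BPF map, 0 otherwise */
};

struct files_struct {
    int count;            /* tasks sharing this table; > 1 means shared */
    struct file *fdtab[MAX_FDS];
};

struct fd {
    struct file *file;
    unsigned int flags;
};

static void fput(struct file *f)
{
    f->f_count--;         /* at 0 the kernel would free the struct file */
}

static struct fd fdget(struct files_struct *files, int fdnum)
{
    struct fd r = { NULL, 0 };
    if (fdnum < 0 || fdnum >= MAX_FDS || !files->fdtab[fdnum])
        return r;
    r.file = files->fdtab[fdnum];
    if (files->count > 1) {
        /* shared table: another task could close the fd underneath us, so
         * take a real reference and remember that fdput() must drop it */
        r.file->f_count++;
        r.flags = FDPUT_FPUT;
    }
    return r;
}

static void fdput(struct fd f)
{
    if (f.flags & FDPUT_FPUT)
        fput(f.file);
}

/* Models __bpf_map_get(): on a non-map file it drops the fd reference
 * itself before reporting the error (hypothetical name). */
static struct file *bpf_map_get_from_fd(struct fd f)
{
    if (!f.file)
        return NULL;
    if (!f.file->is_bpf_map) {
        fdput(f);
        return NULL;
    }
    return f.file;
}

/* Models the caller, replace_map_fd_with_map_ptr(): before the fix it
 * called fdput() a second time on the error path (hypothetical name). */
static int replace_map_fd(struct files_struct *files, int fdnum, int buggy)
{
    struct fd f = fdget(files, fdnum);
    struct file *map = bpf_map_get_from_fd(f);
    if (!map) {
        if (buggy)
            fdput(f);     /* second fdput(): one drop too many when FDPUT_FPUT is set */
        return -EINVAL;
    }
    /* ... use map ...; exactly one fdput() on the success path */
    fdput(f);
    return 0;
}

/* Runs the error path against a non-map fd and returns the file's f_count
 * afterwards. The fd table still holds the entry, so anything below 1 means
 * the struct file was freed while still referenced (the use-after-free). */
long f_count_after(int shared_table, int buggy)
{
    struct file ordinary = { 1, 0 };     /* one reference: the fd table entry */
    struct files_struct files;
    memset(&files, 0, sizeof files);
    files.count = shared_table ? 2 : 1;  /* constructed: shared vs private table */
    files.fdtab[3] = &ordinary;          /* constructed: fd 3 is a non-map file */
    replace_map_fd(&files, 3, buggy);
    return ordinary.f_count;
}

int main(void)
{
    printf("shared table, buggy:  f_count=%ld (freed while still in the table)\n",
           f_count_after(1, 1));
    printf("shared table, fixed:  f_count=%ld\n", f_count_after(1, 0));
    printf("private table, buggy: f_count=%ld (fdput() was a no-op)\n",
           f_count_after(0, 1));
    return 0;
}
```

The private-table case is the reason a naive test of the error path would not have caught this: with fdget() taking no reference, the extra fdput() changes nothing. The shared-table case is the one an attacker can arrange, and it drops f_count to 0 while the fd table entry still points at the file.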