| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240406151457.4774-1-m.lobanov@rosalinux.ru>
Date: Sat, 6 Apr 2024 11:14:55 -0400
From: Mikhail Lobanov <m.lobanov@...alinux.ru>
To: Martin KaFai Lau <martin.lau@...ux.dev>
Cc: Mikhail Lobanov <m.lobanov@...alinux.ru>,
Alexei Starovoitov <ast@...nel.org>,
Andrii Nakryiko <andrii@...nel.org>,
Song Liu <song@...nel.org>,
Roman Gushchin <roman.gushchin@...ux.dev>,
bpf@...r.kernel.org,
linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: [PATCH] bpf: dereference of null in __cgroup_bpf_query() function
In the __cgroup_bpf_query() function, it is possible to dereference
the null pointer in the line id = prog->aux->id; since there is no
check for a non-zero value of the variable prog.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment")
Cc: stable@...r.kernel.org
Signed-off-by: Mikhail Lobanov <m.lobanov@...alinux.ru>
---
kernel/bpf/cgroup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 491d20038cbe..7f2db96f0c6a 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1092,6 +1092,8 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr,
i = 0;
hlist_for_each_entry(pl, progs, node) {
prog = prog_list_prog(pl);
+ if (!prog_list_prog(pl))
+ continue;
id = prog->aux->id;
if (copy_to_user(prog_ids + i, &id, sizeof(id)))
return -EFAULT;
--
2.43.0
Powered by blists - more mailing lists