On Mon, Dec 16, 2019 at 10:52 AM Yonghong Song <yhs@xxxxxx> wrote:
>
> On 12/16/19 8:49 AM, Daniel Borkmann wrote:
> > Commit da765a2f5993 ("bpf: Add poke dependency tracking for prog array
> > maps") wrongly assumed that in case of prog load errors, we're cleaning
> > up all program tracking via bpf_free_used_maps().
> >
> > However, it can happen that we're still at the point where we didn't copy
> > map pointers into the prog's aux section such that env->prog->aux->used_maps
> > is still zero, running into a UAF. In such case, the verifier has similar
> > release_maps() helper that drops references to used maps from its env.
> >
> > Consolidate the release code into __bpf_free_used_maps() and call it from
> > all sides to fix it.
> >
> > Fixes: da765a2f5993 ("bpf: Add poke dependency tracking for prog array maps")
> > Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
>
> Acked-by: Yonghong Song <yhs@xxxxxx>

Applied. Thanks
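The failure mode in the commit message, as an added toy model that is not kernel code and not part of this thread: a verifier env already holds map references and poke-tracking registrations, the load fails before those pointers are copied into the prog's aux, so a cleanup that only walks aux->used_maps (count zero) leaves the map's tracking list pointing at the freed aux. All structure and function names below (map, prog_aux, verifier_env, map_poke_track, free_used_maps, release_maps_old, release_maps_fixed) are this example's own simplifications, not the kernel's.

```c
/* Toy model (assumed names, not the kernel's) of the cleanup problem:
 * env->used_maps holds references before they reach prog->aux->used_maps. */
#include <stdio.h>

#define MAX_MAPS  4
#define MAX_POKE  4

struct prog_aux;

/* A map: refcount plus the list of prog auxes registered for poking
 * (the model's stand-in for poke dependency tracking). */
struct map {
    int refcnt;
    struct prog_aux *poke_progs[MAX_POKE];
    int poke_cnt;
};

struct prog_aux {
    struct map *used_maps[MAX_MAPS];
    int used_map_cnt;
};

/* Verifier state: maps referenced so far live here until a successful
 * load copies them into prog->aux. */
struct verifier_env {
    struct prog_aux *aux;
    struct map *used_maps[MAX_MAPS];
    int used_map_cnt;
};

static void map_poke_track(struct map *m, struct prog_aux *aux)
{
    if (m->poke_cnt < MAX_POKE)
        m->poke_progs[m->poke_cnt++] = aux;
}

static void map_poke_untrack(struct map *m, struct prog_aux *aux)
{
    int i, j = 0;
    for (i = 0; i < m->poke_cnt; i++)
        if (m->poke_progs[i] != aux)
            m->poke_progs[j++] = m->poke_progs[i];
    m->poke_cnt = j;
}

static void map_put(struct map *m) { m->refcnt--; }

/* Consolidated release helper: every path that drops a set of used maps
 * untracks the poke dependency before dropping the reference. */
static void free_used_maps(struct prog_aux *aux, struct map **maps, int len)
{
    for (int i = 0; i < len; i++) {
        map_poke_untrack(maps[i], aux);
        map_put(maps[i]);
    }
}

/* Pre-fix error path in this model: drops references only, so the aux
 * pointer stays in the map's poke list after the prog is freed. */
static void release_maps_old(struct verifier_env *env)
{
    for (int i = 0; i < env->used_map_cnt; i++)
        map_put(env->used_maps[i]);
}

/* Post-fix error path: the env side calls the same consolidated helper. */
static void release_maps_fixed(struct verifier_env *env)
{
    free_used_maps(env->aux, env->used_maps, env->used_map_cnt);
}

/* Simulate a load that fails after the verifier took a map reference and
 * registered poke tracking, but before env->used_maps was copied into aux.
 * Returns the number of poke entries still pointing at the freed aux. */
static int stale_poke_entries_after_failed_load(int use_fixed_release)
{
    struct map m = { 0 };
    struct prog_aux aux = { 0 };
    struct verifier_env env = { .aux = &aux };
    int stale = 0;

    m.refcnt++;                        /* verifier grabs a map reference */
    env.used_maps[env.used_map_cnt++] = &m;
    map_poke_track(&m, &aux);          /* prog array poke dependency */

    /* load error: aux.used_map_cnt is still 0 at this point */
    if (use_fixed_release)
        release_maps_fixed(&env);
    else
        release_maps_old(&env);

    /* prog free path walks aux->used_maps, which is empty, so it is a no-op */
    free_used_maps(&aux, aux.used_maps, aux.used_map_cnt);

    for (int i = 0; i < m.poke_cnt; i++)
        if (m.poke_progs[i] == &aux)
            stale++;
    return stale;
}

int main(void)
{
    printf("env-only map_put: %d stale poke entries\n",
           stale_poke_entries_after_failed_load(0));
    printf("consolidated release: %d stale poke entries\n",
           stale_poke_entries_after_failed_load(1));
    return 0;
}
```

In the model, the pre-fix path leaves one entry in the map's poke list pointing at an aux that no longer exists, which is the dangling reference a later poke update would follow; routing the env's error path through the same helper as the prog free path removes it.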