Re: Potential write after free to a task local storage within an eBPF program

On 1/12/23 6:04 AM, Ori Glassman wrote:

I think I am able to write to a non-allocated task local storage memory within an eBPF program (raw_tracepoint program), could anyone confirm this is really a bug, and that I'm not missing anything? Here's the code (thanks!):

Not a bug. There is no use-after-free issue. bpf_task_storage_delete() deletes the value from map_a but it does not mean the value is freed immediately. The value is still protected under the RCU grace period.


----------------------------------------------------
long *ptr;
struct task_struct *task = bpf_get_current_task_btf();
// flag (1ULL << 0) is BPF_LOCAL_STORAGE_GET_F_CREATE: create the value if it doesn't exist
ptr = bpf_task_storage_get(&map_a, task, 0, (1ULL << 0));
if (ptr)
    *ptr = 200;
// remove the value from map_a for this task
int ret = bpf_task_storage_delete(&map_a, task);
if (ret != 0)
    return 0;
if (ptr)
    *ptr = 300; // writing to an un-mapped address

const char fmt[] = "%ld";
bpf_trace_printk(fmt, sizeof(fmt), *ptr); // this prints 300
----------------------------------------------------

My system is ('uname -a'): 'Linux ip-172-31-3-230 5.15.0-1027-aws #31-Ubuntu SMP Wed Nov 30 20:19:26 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux'
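A simplified userspace model of what the reply describes, added here as an example and not code from the thread or the kernel: "delete" unlinks the value from the map at once, while the free is deferred until the RCU grace period ends, and that cannot happen while the program that obtained the pointer (the reader) is still running. The single-slot map, the rcu_read_lock()/rcu_read_unlock() stand-ins and the storage_* helper names are assumptions of this model, not the real bpf_task_storage_* implementation.

```c
#include <stdint.h>
#include <stdlib.h>
struct storage { long value; };
static struct storage *map_slot;      /* the map's link to the task's value */
static struct storage *pending_free;  /* unlinked value waiting for a grace period */
static int active_readers;            /* readers inside rcu_read_lock() */
static uintptr_t last_freed;          /* address released by the last grace period */

static void rcu_read_lock(void) { active_readers++; }
/* The grace period ends once no reader that could still hold the old pointer
 * remains; only then does the deferred free run. */
static void rcu_read_unlock(void) {
    if (--active_readers == 0 && pending_free) {
        last_freed = (uintptr_t)pending_free;
        free(pending_free);
        pending_free = NULL;
    }
}
/* bpf_task_storage_get() with and without the create flag */
static struct storage *storage_get_create(void) {
    if (!map_slot) map_slot = calloc(1, sizeof *map_slot);
    return map_slot;
}
static struct storage *storage_lookup(void) { return map_slot; }
/* bpf_task_storage_delete(): unlink from the map now, free after a grace period */
static int storage_delete(void) {
    if (!map_slot) return -1;
    pending_free = map_slot;
    map_slot = NULL;
    return 0;
}
/* Replays the posted program: returns the value read back after the delete and
 * reports whether the map entry is gone, and whether the memory was freed during
 * the program (no) or after the program exited (yes). */
static long run_scenario(int *gone_from_map, int *freed_in_program, int *freed_after) {
    rcu_read_lock();                             /* BPF program entry */
    struct storage *ptr = storage_get_create();
    if (!ptr) { rcu_read_unlock(); return -1; }
    uintptr_t addr = (uintptr_t)ptr;
    ptr->value = 200;
    if (storage_delete() != 0) { rcu_read_unlock(); return -1; }
    *gone_from_map = (storage_lookup() == NULL);  /* 1: removed from the map */
    ptr->value = 300;                             /* memory still live: no UAF */
    long seen = ptr->value;
    *freed_in_program = (last_freed == addr);     /* 0: not freed yet */
    rcu_read_unlock();                            /* program exit; grace period */
    *freed_after = (last_freed == addr);          /* 1: released only now */
    return seen;
}
```

The point the model makes is that a fresh lookup after the delete already fails, yet the pointer taken before the delete stays valid for the rest of the program run; the memory is only reclaimed once the reader has left its critical section.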



