path: root/kernel/bpf
diff options
authorJann Horn <>2016-04-26 22:26:26 +0200
committerDavid S. Miller <>2016-04-26 17:37:21 -0400
commit8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 (patch)
treec5dcdbb7bab11bd1cb7cb67a7b434e5b324c820a /kernel/bpf
parent38bd10c447f8e8980753149a8a65108159871df5 (diff)
bpf: fix double-fdput in replace_map_fd_with_map_ptr()
When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user. This bug was introduced in commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only exploitable since commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because previously, CAP_SYS_ADMIN was required to reach the vulnerable code. (posted publicly according to request by maintainer) Signed-off-by: Jann Horn <> Signed-off-by: Linus Torvalds <> Acked-by: Alexei Starovoitov <> Acked-by: Daniel Borkmann <> Signed-off-by: David S. Miller <>
Diffstat (limited to 'kernel/bpf')
1 files changed, 0 insertions, 1 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 618ef77c302a..db2574e7b8b0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
if (IS_ERR(map)) {
verbose("fd %d is not pointing to valid bpf_map\n",
- fdput(f);
return PTR_ERR(map);