Unverified Commit 3eff6f28 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!8607 CVE-2024-35895

Merge Pull Request from: @ci-robot 
 
PR sync from: Liu Jian <liujian56@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/AZ2VOQSD76N7SWPWBDRMT6DJSGYKV3FL/ 
CVE-2024-35895

Jakub Sitnicki (3):
  bpf, sockmap: Prevent lock inversion deadlock in map delete elem
  bpf: Allow delete from sockmap/sockhash only if update is allowed
  Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete
    elem"


-- 
2.34.1
 
https://gitee.com/src-openeuler/kernel/issues/I9QG7M 
 
Link:https://gitee.com/openeuler/kernel/pulls/8607

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parents acdd1308 94d6a0c0
+7 −3
@@ -4943,7 +4943,8 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)
	enum bpf_attach_type eatype = env->prog->expected_attach_type;
	enum bpf_prog_type type = resolve_prog_type(env->prog);

	if (func_id != BPF_FUNC_map_update_elem)
	if (func_id != BPF_FUNC_map_update_elem &&
	    func_id != BPF_FUNC_map_delete_elem)
		return false;

	/* It's not possible to get access to a locked struct sock in these
@@ -4954,6 +4955,11 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)
		if (eatype == BPF_TRACE_ITER)
			return true;
		break;
	case BPF_PROG_TYPE_SOCK_OPS:
		/* map_update allowed only via dedicated helpers with event type checks */
		if (func_id == BPF_FUNC_map_delete_elem)
			return true;
		break;
	case BPF_PROG_TYPE_SOCKET_FILTER:
	case BPF_PROG_TYPE_SCHED_CLS:
	case BPF_PROG_TYPE_SCHED_ACT:
@@ -5041,7 +5047,6 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env,
	case BPF_MAP_TYPE_SOCKMAP:
		if (func_id != BPF_FUNC_sk_redirect_map &&
		    func_id != BPF_FUNC_sock_map_update &&
		    func_id != BPF_FUNC_map_delete_elem &&
		    func_id != BPF_FUNC_msg_redirect_map &&
		    func_id != BPF_FUNC_sk_select_reuseport &&
		    func_id != BPF_FUNC_map_lookup_elem &&
@@ -5051,7 +5056,6 @@ static int check_map_func_compatibility(struct bpf_verifier_env *env,
	case BPF_MAP_TYPE_SOCKHASH:
		if (func_id != BPF_FUNC_sk_redirect_hash &&
		    func_id != BPF_FUNC_sock_hash_update &&
		    func_id != BPF_FUNC_map_delete_elem &&
		    func_id != BPF_FUNC_msg_redirect_hash &&
		    func_id != BPF_FUNC_sk_select_reuseport &&
		    func_id != BPF_FUNC_map_lookup_elem &&
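Review bot: `may_update_sockmap()` now gates `BPF_FUNC_map_delete_elem` as well as `BPF_FUNC_map_update_elem`, but its name and the existing comment beginning "It's not possible to get access to a locked struct sock in these" still describe updates only. I would add a header comment such as `/* Gates map_update_elem and map_delete_elem on sockmap/sockhash; only program types listed below may call them. */`. The new `BPF_PROG_TYPE_SOCK_OPS` case is asymmetric on purpose (delete returns true, update falls to `break`), and its one-line comment would be clearer as `/* delete is allowed here; update must go through the dedicated sock_map/sock_hash update helpers, which check the event type */`. With `BPF_FUNC_map_delete_elem` dropped from the `BPF_MAP_TYPE_SOCKMAP` and `BPF_MAP_TYPE_SOCKHASH` lists, delete presumably now depends on this helper (the rest of both conditions and the end of the switch are outside the hunks), so programs of types not listed in the switch that used to delete sockmap entries would be rejected at load time; the description should say so, and a verifier selftest for one rejected and one accepted program type would pin the behaviour.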