]> git.pld-linux.org Git - packages/kernel.git/blobdiff - kernel-small_fixes.patch
projects / packages / kernel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
- 4.14.176
[packages/kernel.git] / kernel-small_fixes.patch
diff --git a/kernel-small_fixes.patch b/kernel-small_fixes.patch
index 5c9ff24b1b0f50dc54988023210ad336a9bb7890..a227229931d63172b9dc579d98a0799465ecca09 100644 (file)
--- a/kernel-small_fixes.patch
+++ b/kernel-small_fixes.patch
@@ -26,49 +26,18 @@
                                exit
                        fi
                done
-From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
-From: Jann Horn <jannh@google.com>
-Date: Tue, 26 Apr 2016 22:26:26 +0200
-Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
-
-When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
-references a non-map file descriptor as a map file descriptor, the error
-handling code called fdput() twice instead of once (in __bpf_map_get() and
-in replace_map_fd_with_map_ptr()). If the file descriptor table of the
-current task is shared, this causes f_count to be decremented too much,
-allowing the struct file to be freed while it is still in use
-(use-after-free). This can be exploited to gain root privileges by an
-unprivileged user.
-
-This bug was introduced in
-commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
-exploitable since
-commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
-previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
-
-(posted publicly according to request by maintainer)
-
-Signed-off-by: Jann Horn <jannh@google.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Acked-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: David S. Miller <davem@davemloft.net>
----
- kernel/bpf/verifier.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 618ef77..db2574e 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
-                       if (IS_ERR(map)) {
-                               verbose("fd %d is not pointing to valid bpf_map\n",
-                                       insn->imm);
--                              fdput(f);
-                               return PTR_ERR(map);
-                       }
+--- linux-4.14/security/selinux/include/classmap.h     2017-11-12 19:46:13.000000000 +0100
++++ linux-4.20/security/selinux/include/classmap.h     2018-12-24 00:55:59.000000000 +0100
+@@ -238,9 +238,11 @@
+         { "access", NULL } },
+       { "infiniband_endport",
+         { "manage_subnet", NULL } },
++      { "xdp_socket",
++        { COMMON_SOCK_PERMS, NULL } },
+       { NULL }
+   };
  
--- 
-cgit v0.12
-
+-#if PF_MAX > 44
++#if PF_MAX > 45
+ #error New address family defined, please update secclass_map.
+ #endif
The Linux kernel (the core of the Linux operating system)
This page took 0.031439 seconds and 4 git commands to generate.