1 --- linux-2.6.33/scripts/mod/modpost.c~ 2010-02-24 19:52:17.000000000 +0100
2 +++ linux-2.6.33/scripts/mod/modpost.c 2010-03-07 14:26:47.242168558 +0100
7 -#include "../../include/generated/autoconf.h"
8 +// PLD architectures don't use CONFIG_SYMBOL_PREFIX
9 +//#include "../../include/generated/autoconf.h"
10 #include "../../include/linux/license.h"
12 /* Some toolchains use a `_' prefix for all user symbols. */
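Review bot: Commenting out the include on the new line `//#include "../../include/generated/autoconf.h"` removes every CONFIG_* definition from modpost.c, not only CONFIG_SYMBOL_PREFIX. Any other `#ifdef CONFIG_...` in the file would then silently take its undefined branch; the rest of the file, including the code behind the "Some toolchains use a `_' prefix" comment, lies outside this hunk, so that cannot be checked here. If the aim is only to force an empty symbol prefix, keeping the include and adding `#undef CONFIG_SYMBOL_PREFIX` directly after it states that intent without side effects. If the real reason is that the generated header is not available when modpost is built, the new comment should say so. In either case, delete the dead line instead of leaving it commented out, and use `/* ... */` to match the existing comment style in this file.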
14 --- linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh~ 2011-07-22 04:17:23.000000000 +0200
15 +++ linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh 2011-08-25 21:26:04.799150642 +0200
17 $cc -print-file-name=lib${lib}.${ext} | grep -q /
20 + for libt in tinfow tinfo ; do
21 + $cc -print-file-name=lib${libt}.${ext} | grep -q /
22 + if [ $? -eq 0 ]; then
29 From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
30 From: Jann Horn <jannh@google.com>
31 Date: Tue, 26 Apr 2016 22:26:26 +0200
32 Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
34 When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
35 references a non-map file descriptor as a map file descriptor, the error
36 handling code called fdput() twice instead of once (in __bpf_map_get() and
37 in replace_map_fd_with_map_ptr()). If the file descriptor table of the
38 current task is shared, this causes f_count to be decremented too much,
39 allowing the struct file to be freed while it is still in use
40 (use-after-free). This can be exploited to gain root privileges by an
43 This bug was introduced in
44 commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
46 commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
47 previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
49 (posted publicly according to request by maintainer)
51 Signed-off-by: Jann Horn <jannh@google.com>
52 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
53 Acked-by: Alexei Starovoitov <ast@kernel.org>
54 Acked-by: Daniel Borkmann <daniel@iogearbox.net>
55 Signed-off-by: David S. Miller <davem@davemloft.net>
57 kernel/bpf/verifier.c | 1 -
58 1 file changed, 1 deletion(-)
60 diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
61 index 618ef77..db2574e 100644
62 --- a/kernel/bpf/verifier.c
63 +++ b/kernel/bpf/verifier.c
64 @@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
66 verbose("fd %d is not pointing to valid bpf_map\n",