bpf: Fix for use-after-free bug in inline_bpf_loop

As reported by Dan Carpenter, the following statements in inline_bpf_loop()
might cause a use-after-free bug:

  struct bpf_prog *new_prog;
  // ...
  new_prog = bpf_patch_insn_data(env, position, insn_buf, *cnt);
  // ...
  env->prog->insnsi[call_insn_offset].imm = callback_offset;

The bpf_patch_insn_data() might free the memory used by env->prog.

Fixes: 1ade23711971 ("bpf: Inline calls to bpf_loop when callback is known")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220624020613.548108-2-eddyz87@gmail.com

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f228141c01c584508f0ea4c457ecc95aa51d445b..4938477912cda6dcfb98a2a2f76f86f93b73c035 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -14417,7 +14417,7 @@ static struct bpf_prog *inline_bpf_loop(struct bpf_verifier_env *env,
        /* Note: insn_buf[12] is an offset of BPF_CALL_REL instruction */
        call_insn_offset = position + 12;
        callback_offset = callback_start - call_insn_offset - 1;
-       env->prog->insnsi[call_insn_offset].imm = callback_offset;
+       new_prog->insnsi[call_insn_offset].imm = callback_offset;
 
        return new_prog;
 }