bpf: don't leak memory in bpf getsockopt when optlen == 0

fomichev · kernel-patches-bot · commit a3a2e2a24517 · 2021-01-12T08:39:04.000-08:00
optlen == 0 indicates that the kernel should ignore BPF buffer and use the original one from the user. We, however, forget to free the temporary buffer that we've allocated for BPF. Reported-by: Martin KaFai Lau <kafai@fb.com> Fixes: d8fe449 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE") Signed-off-by: Stanislav Fomichev <sdf@google.com>
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
@@ -1391,12 +1391,13 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
 		if (ctx.optlen != 0) {
 			*optlen = ctx.optlen;
 			*kernel_optval = ctx.optval;
+			/* export and don't free sockopt buf */
+			return 0;
 		}
 	}
 
 out:
-	if (ret)
-		sockopt_free_buf(&ctx);
+	sockopt_free_buf(&ctx);
 	return ret;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1391,12 +1391,13 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock sk, int level,`
`1391`	`1391`	`if (ctx.optlen != 0) {`
`1392`	`1392`	`*optlen = ctx.optlen;`
`1393`	`1393`	`*kernel_optval = ctx.optval;`
	`1394`	`+ /* export and don't free sockopt buf */`
	`1395`	`+ return 0;`
`1394`	`1396`	`}`
`1395`	`1397`	`}`
`1396`	`1398`
`1397`	`1399`	`out:`
`1398`		`- if (ret)`
`1399`		`- sockopt_free_buf(&ctx);`
	`1400`	`+ sockopt_free_buf(&ctx);`
`1400`	`1401`	`return ret;`
`1401`	`1402`	`}`
`1402`	`1403`