Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix memleak due to fentry attach failure If it fails to attach fentry, the allocated bpf trampoline image will be left in the system. That can be verified by checking /proc/kallsyms. This meamleak can be verified by a simple bpf program as follows: SEC("fentry/trap_init") int fentry_run() { return 0; } It will fail to attach trap_init because this function is freed after kernel init, and then we can find the trampoline image is left in the system by checking /proc/kallsyms. $ tail /proc/kallsyms ffffffffc0613000 t bpf_trampoline_6442453466_1 [bpf] ffffffffc06c3000 t bpf_trampoline_6442453466_1 [bpf] $ bpftool btf dump file /sys/kernel/btf/vmlinux | grep "FUNC 'trap_init'" [2522] FUNC 'trap_init' type_id=119 linkage=static $ echo $((6442453466 & 0x7fffffff)) 2522 Note that there are two left bpf trampoline images, that is because the libbpf will fallback to raw tracepoint if -EINVAL is returned.
Product status
e21aa341785c679dd409c8cb71f864c00fe6c463 (git) before 20109ddd5bea2c24d790debf5d02584ef24c3f5e
e21aa341785c679dd409c8cb71f864c00fe6c463 (git) before f72c67d1a82dada7d6d504c806e111e913721a30
e21aa341785c679dd409c8cb71f864c00fe6c463 (git) before 6aa27775db63ba8c7c73891c7dfb71ddc230c48d
e21aa341785c679dd409c8cb71f864c00fe6c463 (git) before 108598c39eefbedc9882273ac0df96127a629220
e21d2b92354b3cd25dd774ebb0f0e52ff04a7861 (git)
85d177f56e5256e14b74a65940f981f6e3e8bb32 (git)
5.12
Any version before 5.12
6.1.39 (semver)
6.3.13 (semver)
6.4.4 (semver)
6.5 (original_commit_for_fix)
References
git.kernel.org/...c/20109ddd5bea2c24d790debf5d02584ef24c3f5e
git.kernel.org/...c/f72c67d1a82dada7d6d504c806e111e913721a30
git.kernel.org/...c/6aa27775db63ba8c7c73891c7dfb71ddc230c48d
git.kernel.org/...c/108598c39eefbedc9882273ac0df96127a629220
