Fix use after free ebpf_object_t code
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
Alan-Jowett committed Apr 12, 2023
1 parent 675890b commit c2ec0e8
Showing 1 changed file with 3 additions and 18 deletions.
21 changes: 3 additions & 18 deletions libs/platform/ebpf_object.c
Expand Up @@ -217,26 +217,11 @@ _Requires_lock_held_(&_ebpf_object_tracking_list_lock) static void _ebpf_object_
void
ebpf_object_release_reference(ebpf_core_object_t* object)
{
int32_t new_ref_count;

if (!object) {
return;
}

ebpf_assert(object->base.marker == _ebpf_object_marker);
ebpf_lock_state_t state = ebpf_lock_lock(&_ebpf_object_tracking_list_lock);

new_ref_count = ebpf_interlocked_decrement_int32(&object->base.reference_count);
ebpf_assert(new_ref_count != -1);
_ebpf_object_release_reference_under_lock(object);

if (new_ref_count == 0) {
EBPF_LOG_MESSAGE_POINTER_ENUM(
EBPF_TRACELOG_LEVEL_VERBOSE, EBPF_TRACELOG_KEYWORD_BASE, "eBPF object terminated", object, object->type);
ebpf_lock_state_t state = ebpf_lock_lock(&_ebpf_object_tracking_list_lock);
_ebpf_object_tracking_list_remove(object);
ebpf_lock_unlock(&_ebpf_object_tracking_list_lock, state);
object->base.marker = ~object->base.marker;
object->free_function(object);
}
ebpf_lock_unlock(&_ebpf_object_tracking_list_lock, state);
}

ebpf_object_type_t
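Review bot: The object's `free_function` may now run with `_ebpf_object_tracking_list_lock` held, because `ebpf_object_release_reference` wraps the whole release in the lock and delegates to `_ebpf_object_release_reference_under_lock(object)`, whose body is outside this hunk. If that helper invokes the callback before returning, a free function that drops a reference on another object would re-enter this function and try to take the same lock, so it is worth confirming that the helper defers the free until after unlock or that no free function releases references. This rendering does not mark which lines are old and which are new, but the counts (3 additions, 18 deletions) suggest the `if (!object)` guard and the marker assert left this function, in which case the helper also has to tolerate a null `object`. A comment above the lock line would record the intent, for example `// Decrement under the tracking list lock so a concurrent lookup cannot take a reference on an object whose count already reached zero.`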