tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:

ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
storage = ctx->prog_item->cgroup_storage[stype];

if (stype == BPF_CGROUP_STORAGE_SHARED)
ptr = &READ_ONCE(storage->buf)->data[0];
else
ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.

Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
Reported-by: Lonial Con <kongln9170@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Daniel Borkmann and committed by
Alexei Starovoitov abad3d0b 9621e60f

+16
+1
include/linux/bpf.h
··· 283 283 enum bpf_prog_type type; 284 284 bool jited; 285 285 bool xdp_has_frags; 286 + u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; 286 287 const struct btf_type *attach_func_proto; 287 288 }; 288 289
+15
kernel/bpf/core.c
··· 2378 2378 { 2379 2379 enum bpf_prog_type prog_type = resolve_prog_type(fp); 2380 2380 struct bpf_prog_aux *aux = fp->aux; 2381 + enum bpf_cgroup_storage_type i; 2381 2382 bool ret = false; 2383 + u64 cookie; 2382 2384 2383 2385 if (fp->kprobe_override) 2384 2386 return ret; ··· 2395 2393 map->owner->jited = fp->jited; 2396 2394 map->owner->xdp_has_frags = aux->xdp_has_frags; 2397 2395 map->owner->attach_func_proto = aux->attach_func_proto; 2396 + for_each_cgroup_storage_type(i) { 2397 + map->owner->storage_cookie[i] = 2398 + aux->cgroup_storage[i] ? 2399 + aux->cgroup_storage[i]->cookie : 0; 2400 + } 2398 2401 ret = true; 2399 2402 } else { 2400 2403 ret = map->owner->type == prog_type && 2401 2404 map->owner->jited == fp->jited && 2402 2405 map->owner->xdp_has_frags == aux->xdp_has_frags; 2406 + for_each_cgroup_storage_type(i) { 2407 + if (!ret) 2408 + break; 2409 + cookie = aux->cgroup_storage[i] ? 2410 + aux->cgroup_storage[i]->cookie : 0; 2411 + ret = map->owner->storage_cookie[i] == cookie || 2412 + !cookie; 2413 + } 2403 2414 if (ret && 2404 2415 map->owner->attach_func_proto != aux->attach_func_proto) { 2405 2416 switch (prog_type) {