[PATCH bpf-next v1 1/2] bpf: Disable file_alloc

BPF List
 help / color / mirror / Atom feed

* [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook
@ 2025-11-26 20:29 Amery Hung
  2025-11-26 20:29 ` [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest Amery Hung
  2025-11-28 23:20 ` [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Amery Hung @ 2025-11-26 20:29 UTC (permalink / raw)
  To: bpf
  Cc: alexei.starovoitov, andrii, daniel, kaiyanm, dddddd, dzm91,
	ameryhung, kernel-team

A use-after-free bug may be triggered by calling bpf_inode_storage_get()
in a BPF LSM program hooked to file_alloc_security. Disable the hook to
prevent this from happening.

The cause of the bug is shown in the trace below. In alloc_file(), a
file struct is first allocated through kmem_cache_alloc(). Then,
file_alloc_security hook is invoked. Since the zero initialization or
assignment of f->f_inode happen after this LSM hook, a BPF program may
get a dangeld inode pointer by walking the file struct.

  alloc_file()
  -> alloc_empty_file()
     -> f = kmem_cache_alloc()
     -> init_file()
        -> security_file_alloc() // f->f_inode not init-ed yet!
     -> f->f_inode = NULL;
  -> file_init_path()
     -> f->f_inode = path->dentry->d_inode

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/1d2d1968.47cd3.19ab9528e94.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 kernel/bpf/bpf_lsm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 0a59df1c550a..7cb6e8d4282c 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -51,6 +51,7 @@ BTF_ID(func, bpf_lsm_key_getsecurity)
 BTF_ID(func, bpf_lsm_audit_rule_match)
 #endif
 BTF_ID(func, bpf_lsm_ismaclabel)
+BTF_ID(func, bpf_lsm_file_alloc_security)
 BTF_SET_END(bpf_lsm_disabled_hooks)
 
 /* List of LSM hooks that should operate on 'current' cgroup regardless
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest
  2025-11-26 20:29 [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook Amery Hung
@ 2025-11-26 20:29 ` Amery Hung
  2025-11-28 23:20 ` [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Amery Hung @ 2025-11-26 20:29 UTC (permalink / raw)
  To: bpf
  Cc: alexei.starovoitov, andrii, daniel, kaiyanm, dddddd, dzm91,
	ameryhung, kernel-team

file_alloc_security hook is disabled. Use other LSM hooks in selftests
instead.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
 tools/testing/selftests/bpf/prog_tests/test_lsm.c | 2 +-
 tools/testing/selftests/bpf/progs/lsm_tailcall.c  | 8 ++++----
 tools/testing/selftests/bpf/progs/verifier_lsm.c  | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
index 2a27f3714f5c..bdc4fc06bc5a 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
@@ -139,7 +139,7 @@ static void test_lsm_tailcall(void)
 	if (CHECK_FAIL(!err))
 		goto close_prog;
 
-	prog_fd = bpf_program__fd(skel->progs.lsm_file_alloc_security_prog);
+	prog_fd = bpf_program__fd(skel->progs.lsm_kernfs_init_security_prog);
 	if (CHECK_FAIL(prog_fd < 0))
 		goto close_prog;
 
diff --git a/tools/testing/selftests/bpf/progs/lsm_tailcall.c b/tools/testing/selftests/bpf/progs/lsm_tailcall.c
index 49c075ce2d4c..6e7e58051e64 100644
--- a/tools/testing/selftests/bpf/progs/lsm_tailcall.c
+++ b/tools/testing/selftests/bpf/progs/lsm_tailcall.c
@@ -20,14 +20,14 @@ int lsm_file_permission_prog(void *ctx)
 	return 0;
 }
 
-SEC("lsm/file_alloc_security")
-int lsm_file_alloc_security_prog(void *ctx)
+SEC("lsm/kernfs_init_security")
+int lsm_kernfs_init_security_prog(void *ctx)
 {
 	return 0;
 }
 
-SEC("lsm/file_alloc_security")
-int lsm_file_alloc_security_entry(void *ctx)
+SEC("lsm/kernfs_init_security")
+int lsm_kernfs_init_security_entry(void *ctx)
 {
 	bpf_tail_call_static(ctx, &jmp_table, 0);
 	return 0;
diff --git a/tools/testing/selftests/bpf/progs/verifier_lsm.c b/tools/testing/selftests/bpf/progs/verifier_lsm.c
index 32e5e779cb96..6af9100a37ff 100644
--- a/tools/testing/selftests/bpf/progs/verifier_lsm.c
+++ b/tools/testing/selftests/bpf/progs/verifier_lsm.c
@@ -4,7 +4,7 @@
 #include <bpf/bpf_helpers.h>
 #include "bpf_misc.h"
 
-SEC("lsm/file_alloc_security")
+SEC("lsm/file_permission")
 __description("lsm bpf prog with -4095~0 retval. test 1")
 __success
 __naked int errno_zero_retval_test1(void *ctx)
@@ -15,7 +15,7 @@ __naked int errno_zero_retval_test1(void *ctx)
 	::: __clobber_all);
 }
 
-SEC("lsm/file_alloc_security")
+SEC("lsm/file_permission")
 __description("lsm bpf prog with -4095~0 retval. test 2")
 __success
 __naked int errno_zero_retval_test2(void *ctx)
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook
  2025-11-26 20:29 [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook Amery Hung
  2025-11-26 20:29 ` [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest Amery Hung
@ 2025-11-28 23:20 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-11-28 23:20 UTC (permalink / raw)
  To: Amery Hung
  Cc: bpf, alexei.starovoitov, andrii, daniel, kaiyanm, dddddd, dzm91,
	kernel-team

Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Wed, 26 Nov 2025 12:29:26 -0800 you wrote:
> A use-after-free bug may be triggered by calling bpf_inode_storage_get()
> in a BPF LSM program hooked to file_alloc_security. Disable the hook to
> prevent this from happening.
> 
> The cause of the bug is shown in the trace below. In alloc_file(), a
> file struct is first allocated through kmem_cache_alloc(). Then,
> file_alloc_security hook is invoked. Since the zero initialization or
> assignment of f->f_inode happen after this LSM hook, a BPF program may
> get a dangeld inode pointer by walking the file struct.
> 
> [...]

Here is the summary with links:
  - [bpf-next,v1,1/2] bpf: Disable file_alloc_security hook
    https://git.kernel.org/bpf/bpf-next/c/b4bf1d23dc1d
  - [bpf-next,v1,2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest
    https://git.kernel.org/bpf/bpf-next/c/a3a60cc120d6

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-11-28 23:23 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-26 20:29 [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook Amery Hung
2025-11-26 20:29 ` [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest Amery Hung
2025-11-28 23:20 ` [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox