* [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook
@ 2025-11-26 20:29 Amery Hung
2025-11-26 20:29 ` [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest Amery Hung
2025-11-28 23:20 ` [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook patchwork-bot+netdevbpf
From: Amery Hung @ 2025-11-26 20:29 UTC (permalink / raw)
To: bpf
Cc: alexei.starovoitov, andrii, daniel, kaiyanm, dddddd, dzm91,
ameryhung, kernel-team
A use-after-free bug may be triggered by calling bpf_inode_storage_get()
in a BPF LSM program hooked to file_alloc_security. Disable the hook to
prevent this from happening.
The cause of the bug is shown in the trace below. In alloc_file(), a
file struct is first allocated through kmem_cache_alloc(). Then, the
file_alloc_security hook is invoked. Since the zero initialization or
assignment of f->f_inode happens after this LSM hook, a BPF program may
get a dangling inode pointer by walking the file struct.
alloc_file()
  -> alloc_empty_file()
       -> f = kmem_cache_alloc()
       -> init_file()
            -> security_file_alloc()   // f->f_inode not init-ed yet!
            -> f->f_inode = NULL;
  -> file_init_path()
       -> f->f_inode = path->dentry->d_inode
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/1d2d1968.47cd3.19ab9528e94.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
kernel/bpf/bpf_lsm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 0a59df1c550a..7cb6e8d4282c 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -51,6 +51,7 @@ BTF_ID(func, bpf_lsm_key_getsecurity)
BTF_ID(func, bpf_lsm_audit_rule_match)
#endif
BTF_ID(func, bpf_lsm_ismaclabel)
+BTF_ID(func, bpf_lsm_file_alloc_security)
BTF_SET_END(bpf_lsm_disabled_hooks)
/* List of LSM hooks that should operate on 'current' cgroup regardless
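Review bot: the new BTF_ID entry for bpf_lsm_file_alloc_security carries no comment saying why it is in bpf_lsm_disabled_hooks, so a later reader of this set sees only a bare identifier while the actual reason (the hook runs in init_file() before f->f_inode is initialised, so a program walking the file struct can read a stale inode pointer) lives only in the commit message. Consider a one-line comment above the entry, e.g. `/* runs before f->f_inode is initialised; see commit message */`. Since existing programs attached to lsm/file_alloc_security will no longer be accepted after this change, also consider whether a Fixes: tag belongs on the patch, as none is present in the trailers.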
--
2.47.3
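The ordering problem described in the commit message, as an added user-space model rather than kernel code: a one-slot object cache stands in for filp_cachep (kmem_cache_alloc() hands back memory without zeroing it), `lsm_file_alloc_hook` stands in for a BPF LSM program that walks the file struct, and `alloc_empty_file_model` runs that hook either before f->f_inode is zeroed (the unpatched order in init_file()) or after it. All names and the single-slot cache are assumptions made for the illustration; the point shown is that a recycled object plus a hook placed before field initialisation yields a pointer to an inode that has already gone away.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct inode {
    int ino;
    bool freed;   /* set when the inode has been torn down */
};

struct file {
    struct inode *f_inode;
};

/* One-slot object cache standing in for filp_cachep: kmem_cache_alloc()
 * returns memory without zeroing it, so a recycled object still carries
 * whatever its previous user left behind. (Model, not kernel code.) */
static struct file file_slot;
static bool file_slot_in_use;

static struct file *file_cache_alloc(void)
{
    assert(!file_slot_in_use);
    file_slot_in_use = true;
    return &file_slot;          /* contents are stale, not zeroed */
}

static void file_cache_free(struct file *f)
{
    (void)f;
    file_slot_in_use = false;   /* f->f_inode is deliberately not cleared */
}

/* Stand-in for a BPF LSM program on file_alloc_security that walks the
 * file struct; it records the inode pointer it observed. */
static struct inode *seen_by_hook;

static void lsm_file_alloc_hook(struct file *f)
{
    seen_by_hook = f->f_inode;
}

enum hook_order { HOOK_BEFORE_INIT, HOOK_AFTER_INIT };

/* Model of alloc_empty_file()/init_file(): allocate from the cache, then
 * run the hook either before f_inode is zeroed (the order described in
 * the commit message) or after it. */
static struct file *alloc_empty_file_model(enum hook_order order)
{
    struct file *f = file_cache_alloc();

    if (order == HOOK_BEFORE_INIT)
        lsm_file_alloc_hook(f); /* security_file_alloc(): f_inode not init-ed yet */
    f->f_inode = NULL;          /* the zero initialisation that follows the hook */
    if (order == HOOK_AFTER_INIT)
        lsm_file_alloc_hook(f);
    return f;
}

/* Returns true when the hook observed a pointer to an inode that had
 * already been torn down, i.e. the dangling pointer the patch describes. */
bool hook_sees_dangling_inode(enum hook_order order)
{
    struct inode *ino = calloc(1, sizeof(*ino));
    struct file *f;
    bool dangling;

    if (!ino)
        return false;
    ino->ino = 42;

    /* First life of the file object: bound to the inode, then released. */
    f = alloc_empty_file_model(HOOK_AFTER_INIT);
    f->f_inode = ino;           /* file_init_path(): f->f_inode = d_inode */
    file_cache_free(f);
    ino->freed = true;          /* inode goes away; the pointer in the slot remains */

    /* Second life: the slot is recycled and the hook runs in the given order. */
    seen_by_hook = NULL;
    f = alloc_empty_file_model(order);
    dangling = (seen_by_hook == ino) && ino->freed;

    file_cache_free(f);
    free(ino);
    return dangling;
}

int main(void)
{
    printf("hook before init: dangling=%d\n", hook_sees_dangling_inode(HOOK_BEFORE_INIT));
    printf("hook after init:  dangling=%d\n", hook_sees_dangling_inode(HOOK_AFTER_INIT));
    return 0;
}
```

The model only compares pointer values and never dereferences the stale pointer, so it is safe to run; in the kernel, bpf_inode_storage_get() on that pointer is what turns the stale value into a use-after-free. The patch avoids the problem by refusing to attach programs to the hook at all rather than by moving the hook after the initialisation, which is why the model's HOOK_AFTER_INIT case is shown only for contrast.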
* [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest
2025-11-26 20:29 [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook Amery Hung
@ 2025-11-26 20:29 ` Amery Hung
2025-11-28 23:20 ` [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook patchwork-bot+netdevbpf
From: Amery Hung @ 2025-11-26 20:29 UTC (permalink / raw)
To: bpf
Cc: alexei.starovoitov, andrii, daniel, kaiyanm, dddddd, dzm91,
ameryhung, kernel-team
The file_alloc_security hook is disabled. Use other LSM hooks in selftests
instead.
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
tools/testing/selftests/bpf/prog_tests/test_lsm.c | 2 +-
tools/testing/selftests/bpf/progs/lsm_tailcall.c | 8 ++++----
tools/testing/selftests/bpf/progs/verifier_lsm.c | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/test_lsm.c b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
index 2a27f3714f5c..bdc4fc06bc5a 100644
--- a/tools/testing/selftests/bpf/prog_tests/test_lsm.c
+++ b/tools/testing/selftests/bpf/prog_tests/test_lsm.c
@@ -139,7 +139,7 @@ static void test_lsm_tailcall(void)
if (CHECK_FAIL(!err))
goto close_prog;
- prog_fd = bpf_program__fd(skel->progs.lsm_file_alloc_security_prog);
+ prog_fd = bpf_program__fd(skel->progs.lsm_kernfs_init_security_prog);
if (CHECK_FAIL(prog_fd < 0))
goto close_prog;
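Review bot: the renamed program lsm_kernfs_init_security_prog is looked up here by skeleton field name, so this file only compiles once the BPF object in the same patch is rebuilt with the new program names; that is fine within the series, but the hunk gives no hint which property of kernfs_init_security the tail-call test relies on. The check just before it, `if (CHECK_FAIL(!err))`, expects the preceding step to fail, so the test appears to care that this program sits on a different hook than lsm_file_permission_prog rather than on file_alloc_security specifically. A short comment saying that any hook other than file_permission would do (and that file_alloc_security is now in bpf_lsm_disabled_hooks) would make the replacement reviewable without reading patch 1.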
diff --git a/tools/testing/selftests/bpf/progs/lsm_tailcall.c b/tools/testing/selftests/bpf/progs/lsm_tailcall.c
index 49c075ce2d4c..6e7e58051e64 100644
--- a/tools/testing/selftests/bpf/progs/lsm_tailcall.c
+++ b/tools/testing/selftests/bpf/progs/lsm_tailcall.c
@@ -20,14 +20,14 @@ int lsm_file_permission_prog(void *ctx)
return 0;
}
-SEC("lsm/file_alloc_security")
-int lsm_file_alloc_security_prog(void *ctx)
+SEC("lsm/kernfs_init_security")
+int lsm_kernfs_init_security_prog(void *ctx)
{
return 0;
}
-SEC("lsm/file_alloc_security")
-int lsm_file_alloc_security_entry(void *ctx)
+SEC("lsm/kernfs_init_security")
+int lsm_kernfs_init_security_entry(void *ctx)
{
bpf_tail_call_static(ctx, &jmp_table, 0);
return 0;
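Review bot: both programs move from lsm/file_alloc_security to lsm/kernfs_init_security, but nothing in the file records why that hook was chosen or that file_alloc_security is now rejected, so someone extending this test could reintroduce the disabled section name. Suggest a comment above lsm_kernfs_init_security_prog, e.g. `/* file_alloc_security is in bpf_lsm_disabled_hooks; any other hook works here */`. Both bodies just `return 0` (and the entry program only tail-calls), so the hook's argument types do not matter for this test, which is worth stating since kernfs_init_security takes kernfs_node pointers rather than a struct file.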
diff --git a/tools/testing/selftests/bpf/progs/verifier_lsm.c b/tools/testing/selftests/bpf/progs/verifier_lsm.c
index 32e5e779cb96..6af9100a37ff 100644
--- a/tools/testing/selftests/bpf/progs/verifier_lsm.c
+++ b/tools/testing/selftests/bpf/progs/verifier_lsm.c
@@ -4,7 +4,7 @@
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"
-SEC("lsm/file_alloc_security")
+SEC("lsm/file_permission")
__description("lsm bpf prog with -4095~0 retval. test 1")
__success
__naked int errno_zero_retval_test1(void *ctx)
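Review bot: the section changes to lsm/file_permission but the __description still reads "lsm bpf prog with -4095~0 retval. test 1" with no mention of the hook, so if this test ever fails because of the hook rather than the return value, the name will not show it. file_permission is an int-returning hook, so return values in -4095..0 remain valid for it and the __success expectation still holds; consider saying so in the description or in a comment, e.g. `/* file_permission: int-returning hook, errno-range retvals allowed */`.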
@@ -15,7 +15,7 @@ __naked int errno_zero_retval_test1(void *ctx)
::: __clobber_all);
}
-SEC("lsm/file_alloc_security")
+SEC("lsm/file_permission")
__description("lsm bpf prog with -4095~0 retval. test 2")
__success
__naked int errno_zero_retval_test2(void *ctx)
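Review bot: same change as test 1 above; the two tests now differ only in their bodies, which are outside the hunk, so one comment on the first test explaining that file_permission was chosen because it is an int-returning hook that is not in bpf_lsm_disabled_hooks would cover both. Also worth confirming in the commit message that no other selftest still uses lsm/file_alloc_security, since the diffstat lists only these three files.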
--
2.47.3
* Re: [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook
2025-11-26 20:29 [PATCH bpf-next v1 1/2] bpf: Disable file_alloc_security hook Amery Hung
2025-11-26 20:29 ` [PATCH bpf-next v1 2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest Amery Hung
@ 2025-11-28 23:20 ` patchwork-bot+netdevbpf
From: patchwork-bot+netdevbpf @ 2025-11-28 23:20 UTC (permalink / raw)
To: Amery Hung
Cc: bpf, alexei.starovoitov, andrii, daniel, kaiyanm, dddddd, dzm91,
kernel-team
Hello:
This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Wed, 26 Nov 2025 12:29:26 -0800 you wrote:
> A use-after-free bug may be triggered by calling bpf_inode_storage_get()
> in a BPF LSM program hooked to file_alloc_security. Disable the hook to
> prevent this from happening.
>
> The cause of the bug is shown in the trace below. In alloc_file(), a
> file struct is first allocated through kmem_cache_alloc(). Then, the
> file_alloc_security hook is invoked. Since the zero initialization or
> assignment of f->f_inode happens after this LSM hook, a BPF program may
> get a dangling inode pointer by walking the file struct.
>
> [...]
Here is the summary with links:
- [bpf-next,v1,1/2] bpf: Disable file_alloc_security hook
https://git.kernel.org/bpf/bpf-next/c/b4bf1d23dc1d
- [bpf-next,v1,2/2] selftests/bpf: Remove usage of lsm/file_alloc_security in selftest
https://git.kernel.org/bpf/bpf-next/c/a3a60cc120d6
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html