From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B51CF2DC321;
	Tue,  9 Dec 2025 00:18:05 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1765239485; cv=none; b=kpHT22HVIgAiovhqhJ/0MTPIbenVxDEJ+ZOY8s5pei5kBYoX4z5bgb2+/+8w+A/tojtj/BNipm9hcnAhyzNJwsLR1WOq08HR6X7zPDId5B/kxgwPMQKTJOq7RehzjGj7A35FNczM8yDWK905QS/KyfNCyz/h8u1k7e/M697Qkac=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1765239485; c=relaxed/simple;
	bh=nZeRiioNTQXfOCmrOO6/i4u7/GV2LK6InlpjJFUMsTM=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=OLpoWnL4FWdwt53J05gizSbuJRtCOQyNPFyRh5BQHfqDyANcIvKkk6brAW3g8FbL1GLA6wu7j9zVMoolBNczT+5WnLrTworcQHtqHBQ2Y9pkcFh9x3qkRWqd1w3t5vAfCjcObiYezoU5zB7ySmPU5kRfWkOU3cGfhIYP0EpwMDw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=hVxBrJcL; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="hVxBrJcL"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 89270C113D0;
	Tue,  9 Dec 2025 00:18:03 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1765239485;
	bh=nZeRiioNTQXfOCmrOO6/i4u7/GV2LK6InlpjJFUMsTM=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=hVxBrJcLwr7zjM5FPHfNvB9OPt5LmQzq/0n9S97aERd0oq2Hlgw2ExSfKRCLj1KMb
	 K2OyTZqKMGxT9qNpVHlyiS1V8VQuW3tfm2akHK75C6jHqUQk5LPGGBdYgBfRQs9vLZ
	 cwSsRqEsppG/yc7Gf92YBP5wPYD9tIrZrCGz6ygrt/1aArZRpyYobuVO4Hx8F8eHxM
	 ttvMXNr50musCezJsd6El23mcFu3NsOPVUS3IDrRhGvgDaAvkUVDMuELx4Tbaaf3FN
	 TDSbsKUBWX0427x84/XcMr+10buBJOr3zOtgOLX67lMUH2KshWqcaC5YSfxOJgzW4x
	 xvRoLajxvAKrw==
From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev,
	stable@vger.kernel.org
Cc: Amery Hung <ameryhung@gmail.com>,
	Kaiyan Mei <M202472210@hust.edu.cn>,
	Yinhao Hu <dddddd@hust.edu.cn>,
	Dongliang Mu <dzm91@hust.edu.cn>,
	Alexei Starovoitov <ast@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	kpsingh@kernel.org,
	mattbobrowski@google.com,
	daniel@iogearbox.net,
	andrii@kernel.org,
	bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 6.18-6.12] bpf: Disable file_alloc_security hook
Date: Mon,  8 Dec 2025 19:15:29 -0500
Message-ID: <20251209001610.611575-37-sashal@kernel.org>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20251209001610.611575-1-sashal@kernel.org>
References: <20251209001610.611575-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
List-Id: <bpf.vger.kernel.org>
List-Subscribe: <mailto:bpf+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:bpf+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.18
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Amery Hung <ameryhung@gmail.com>

[ Upstream commit b4bf1d23dc1da236c92a9d9be68cc63358d1f750 ]

A use-after-free bug may be triggered by calling bpf_inode_storage_get()
in a BPF LSM program hooked to file_alloc_security. Disable the hook to
prevent this from happening.

The cause of the bug is shown in the trace below. In alloc_file(), a
file struct is first allocated through kmem_cache_alloc(). Then,
file_alloc_security hook is invoked. Since the zero initialization or
assignment of f->f_inode happen after this LSM hook, a BPF program may
get a dangeld inode pointer by walking the file struct.

  alloc_file()
  -> alloc_empty_file()
     -> f = kmem_cache_alloc()
     -> init_file()
        -> security_file_alloc() // f->f_inode not init-ed yet!
     -> f->f_inode = NULL;
  -> file_init_path()
     -> f->f_inode = path->dentry->d_inode

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/1d2d1968.47cd3.19ab9528e94.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20251126202927.2584874-1-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

## Summary

### What the Bug Is
This is a **use-after-free vulnerability** in BPF LSM. When a file is
allocated:
1. `kmem_cache_alloc()` allocates a file struct
2. `security_file_alloc()` is called - **BPF hooks run here**
3. `f->f_inode = NULL` is set **AFTER** the hook (fs/file_table.c:179)

If a BPF program attached to `file_alloc_security` calls
`bpf_inode_storage_get()`, it reads `f->f_inode` which contains
**uninitialized slab memory** - a classic UAF pattern.

### The Fix
Adds `bpf_lsm_file_alloc_security` to the `bpf_lsm_disabled_hooks` set.
This causes the BPF verifier to reject any program trying to attach to
this hook (line 126-130 in bpf_lsm.c).

### Stable Kernel Assessment

| Criterion | Assessment |
|-----------|------------|
| **Fixes real bug** | ✅ UAF vulnerability, reported by security
researchers |
| **Obviously correct** | ✅ Follows established pattern (11 other hooks
already disabled) |
| **Small and contained** | ✅ Single line addition |
| **No new features** | ✅ Actually disables functionality |
| **Tested** | ✅ Reviewed by BPF maintainer |
| **Risk of regression** | ✅ Very low - only affects programs that were
already buggy |

### Dependency Concern
The `bpf_lsm_disabled_hooks` mechanism was introduced in commit
21c7063f6d08a (v6.12-rc1). This fix **only applies to 6.12.y stable
tree**. Older LTS kernels (6.6.y, 6.1.y, 5.15.y, etc.) would require
backporting the entire disabled hooks infrastructure first.

### Missing Stable Tags
The commit lacks "Cc: stable@vger.kernel.org" and "Fixes:" tags.
However:
- This is a security fix (UAF)
- The fix is trivial and safe
- Signed off by BPF maintainer Alexei Starovoitov

### Risk vs Benefit
- **Risk**: Near zero - only prevents BPF programs from attaching to an
  unsafe hook
- **Benefit**: Prevents a UAF vulnerability that could cause crashes or
  be exploited

### Conclusion
This commit should be backported to the 6.12.y stable tree. It fixes a
real security vulnerability with a minimal, safe, one-line change that
follows an established pattern. The absence of explicit stable tags
appears to be an oversight. For older stable trees, this specific patch
won't apply without the disabled hooks infrastructure.

**YES**

 kernel/bpf/bpf_lsm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c
index 0a59df1c550a0..7cb6e8d4282cb 100644
--- a/kernel/bpf/bpf_lsm.c
+++ b/kernel/bpf/bpf_lsm.c
@@ -51,6 +51,7 @@ BTF_ID(func, bpf_lsm_key_getsecurity)
 BTF_ID(func, bpf_lsm_audit_rule_match)
 #endif
 BTF_ID(func, bpf_lsm_ismaclabel)
+BTF_ID(func, bpf_lsm_file_alloc_security)
 BTF_SET_END(bpf_lsm_disabled_hooks)
 
 /* List of LSM hooks that should operate on 'current' cgroup regardless
-- 
2.51.0