public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed
From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Quan Sun <2022090917019@std.uestc.edu.cn>,
	daniel@iogearbox.net, bpf@vger.kernel.org
Cc: dddddd@hust.edu.cn, M202472210@hust.edu.cn, dzm91@hust.edu.cn,
	hust-os-kernel-patches@googlegroups.com, edumazet@google.com,
	kuniyu@google.com
Subject: Re: Uninitialized Stack Variable / NULL Pointer Dereference in __sys_socket_create via BPF LSM hooks
Date: Tue, 21 Apr 2026 17:11:52 +0800	[thread overview]
Message-ID: <927ceffb-15a4-4aec-a3f6-0854f24e4bcc@linux.dev> (raw)
In-Reply-To: <567d3206-74a5-44e5-99c6-779c425f399e@std.uestc.edu.cn>


On 4/21/26 2:32 PM, Quan Sun wrote:
> Our fuzzing found an Uninitialized Stack Variable vulnerability in the 
> Linux Socket Subsystem. The issue is triggered when a 
> `BPF_PROG_TYPE_LSM` attached to the `bpf_lsm_socket_create` cgroup 
> hook uses the `bpf_set_retval()` helper to return a value greater than 
> 0 (e.g., `1`). This bypasses the actual `socket_create` execution but 
> returns a success status back to `__sys_socket_create`, which then 
> accesses the uninitialized stack variable `sock` leading to a NULL 
> pointer dereference or potential privilege escalation.
>
> Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
> Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
> Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
>
> ## Root Cause
>
> This vulnerability is caused by treating a manipulated return value 
> from an LSM hook as complete success in `__sys_socket_create` without 
> ensuring that the underlying object has been fully initialized.
>
> 1. `__sys_socket_create()` in `net/socket.c` reserves a pointer 
> variable `struct socket *sock;` on the kernel stack without 
> zero-initializing it.
> 2. It calls `sock_create(family, type, protocol, &sock);` to allocate 
> and initialize the socket object.
> 3. `sock_create` proceeds to allocate the socket internally and 
> invokes the `security_socket_create` LSM hook (which triggers 
> `bpf_lsm_socket_create`).
> 4. If a BPF program is attached to the cgroup LSM hook for 
> `bpf_lsm_socket_create`, it can call `bpf_set_retval(1)` and return `1`.
> 5. Because the BPF hook completes without an error code (< 0), 
> `sock_create` interprets this bypass as success and promptly returns 
> `1` (or a positive bypass value) back to `__sys_socket_create()`. 
> However, the critical variable `sock` is never populated.
> 6. The caller `__sys_socket_create()` checks if `sock_create()`'s 
> return value is `< 0`. Since `1` is not less than `0`, it assumes the 
> `sock` pointer is valid.
> 7. Subsequent socket operations inside `__sys_socket_create()`, such 
> as `sock_map_fd(sock, ...)`, attempt to dereference the uninitialized 
> `sock` stack pointer.
>

A similar topic to the one you reported before [1], and it seems Feng is 
working on this [2].

[1] 
https://lore.kernel.org/bpf/973a1b7b-8ee7-407a-890a-11455d9cc5bf@std.uestc.edu.cn/

[2] 
https://lore.kernel.org/all/20260408094816.228322-1-yangfeng59949@163.com/


If you really want to panic the kernel, you can see that the following 
hooks probably cause this problem as well:

- security_task_alloc
- security_inode_readlink
- security_task_movememory
- security_inode_follow_link
- security_fs_context_submount
- security_dentry_create_files_as
- security_perf_event_alloc
- security_inode_get_acl



      parent reply	other threads:[~2026-04-21  9:12 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-21  6:32 Uninitialized Stack Variable / NULL Pointer Dereference in __sys_socket_create via BPF LSM hooks Quan Sun
2026-04-21  8:47 ` Kuniyuki Iwashima
2026-04-21  9:17   ` Matt Bobrowski
2026-04-21  9:59     ` Kuniyuki Iwashima
2026-04-21 13:05       ` Xu Kuohai
2026-04-21 20:20         ` Matt Bobrowski
2026-04-21  8:50 ` Matt Bobrowski
2026-04-21  9:11 ` Jiayuan Chen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=927ceffb-15a4-4aec-a3f6-0854f24e4bcc@linux.dev \
    --to=jiayuan.chen@linux.dev \
    --cc=2022090917019@std.uestc.edu.cn \
    --cc=M202472210@hust.edu.cn \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=dddddd@hust.edu.cn \
    --cc=dzm91@hust.edu.cn \
    --cc=edumazet@google.com \
    --cc=hust-os-kernel-patches@googlegroups.com \
    --cc=kuniyu@google.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox