From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 51A841B424F; Sun, 7 Sep 2025 20:22:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757276569; cv=none; b=ORGRXB+7wZkFx//pShBCmSVsxZT15N0Q4rWh5OF0rNdTAd7vxmuaghLTos+3wSeHWTc4fmG5RNtlzyrLW4xASQNoFvMurGVv/m74JF6jb6SmigFwyQjSqewIf+UyRgZaqVDYky8QFTAOAyqjYVTqdyvUaTz0YEqRqzdrKDJWOwY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1757276569; c=relaxed/simple; bh=Jh6EPOcjom78P9Kxu5JG/bn4m9Eyi0nhGC8V2KIBAM4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hA7l7UVk5O+Kz3+Fx/bCrEopDNgQ3ZO8EW0nMRabsKDJI/JrT8hOT1uSbpgEtH31Q+9yC1pLdT3Zrl6lUUu7rAjkuqALxrH9BF1TvQfYYWI2DyCFaC0CtQinR2uEYSJpNIoVTIbDtGuOvitBL1ZI+pJu4VxHiNDrMieh6PXQsiQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=ydUvF6BQ; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="ydUvF6BQ" Received: by smtp.kernel.org (Postfix) with ESMTPSA id CAD5DC4CEF0; Sun, 7 Sep 2025 20:22:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1757276569; bh=Jh6EPOcjom78P9Kxu5JG/bn4m9Eyi0nhGC8V2KIBAM4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ydUvF6BQwMjlnKD0QitQriDGPeSznBG/9/fwf00Mp9cDUbSxKjVcearUebjXwEK8u p3P4jQrbOhMrjGP4aSZd6qq9DLUGVXkOZxc2JPASdLTZnt0IP2OIgjPEd6x8fEYKRe zx72IacdOT0vEhiA8Go1I5X/RRmluqIGfiGE0tPE= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Lonial Con , Daniel Borkmann , Alexei Starovoitov , Sasha Levin Subject: [PATCH 6.6 004/121] bpf: Fix oob access in cgroup local storage Date: Sun, 7 Sep 2025 21:57:20 +0200 Message-ID: <20250907195609.930557005@linuxfoundation.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20250907195609.817339617@linuxfoundation.org> References: <20250907195609.817339617@linuxfoundation.org> User-Agent: quilt/0.68 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Daniel Borkmann [ Upstream commit abad3d0bad72a52137e0c350c59542d75ae4f513 ] Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However, in the runtime context the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context: ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); storage = ctx->prog_item->cgroup_storage[stype]; if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = &READ_ONCE(storage->buf)->data[0]; else ptr = this_cpu_ptr(storage->percpu_buf); For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps. Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup") Reported-by: Lonial Con Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin --- include/linux/bpf.h | 1 + kernel/bpf/core.c | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index b8e0204992857..83da9c81fa86a 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -267,6 +267,7 @@ struct bpf_map_owner { enum bpf_prog_type type; bool jited; bool xdp_has_frags; + u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE]; const struct btf_type *attach_func_proto; }; diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index c3369c66eae8f..3618be05fc352 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -2263,7 +2263,9 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, { enum bpf_prog_type prog_type = resolve_prog_type(fp); struct bpf_prog_aux *aux = fp->aux; + enum bpf_cgroup_storage_type i; bool ret = false; + u64 cookie; if (fp->kprobe_override) return ret; @@ -2278,11 +2280,24 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map, map->owner->jited = fp->jited; map->owner->xdp_has_frags = aux->xdp_has_frags; map->owner->attach_func_proto = aux->attach_func_proto; + for_each_cgroup_storage_type(i) { + map->owner->storage_cookie[i] = + aux->cgroup_storage[i] ? + aux->cgroup_storage[i]->cookie : 0; + } ret = true; } else { ret = map->owner->type == prog_type && map->owner->jited == fp->jited && map->owner->xdp_has_frags == aux->xdp_has_frags; + for_each_cgroup_storage_type(i) { + if (!ret) + break; + cookie = aux->cgroup_storage[i] ? + aux->cgroup_storage[i]->cookie : 0; + ret = map->owner->storage_cookie[i] == cookie || + !cookie; + } if (ret && map->owner->attach_func_proto != aux->attach_func_proto) { switch (prog_type) { -- 2.50.1