[PATCH 02/11] hornet: invert map set check logic

Linux Security Modules development
 help / color / mirror / Atom feed

From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: "Jonathan Corbet" <corbet@lwn.net>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Eric Biggers" <ebiggers@kernel.org>, "Fan Wu" <wufan@kernel.org>,
	James.Bottomley@HansenPartnership.com,
	"Blaise Boscaccy" <bboscaccy@linux.microsoft.com>,
	linux-security-module@vger.kernel.org
Subject: [PATCH 02/11] hornet: invert map set check logic
Date: Wed, 27 May 2026 20:08:11 -0700	[thread overview]
Message-ID: <20260528030915.2654994-3-bboscaccy@linux.microsoft.com> (raw)
In-Reply-To: <20260528030915.2654994-1-bboscaccy@linux.microsoft.com>

In a multi-map hash verification scenario, a logic bug may have
allowed an attacker to provide duplicate maps to satisfy the hash
check count. Instead, invert the logic to verify each map discretely

Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
---
 security/hornet/hornet_lsm.c | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
index 516038413f321..35d9522d6bc72 100644
--- a/security/hornet/hornet_lsm.c
+++ b/security/hornet/hornet_lsm.c
@@ -191,7 +191,6 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
 	struct bpf_map *map;
 	int i, j;
 	bool found;
-	int covered_count = 0;
 
 	security = hornet_bpf_prog_security(prog);
 
@@ -200,18 +199,18 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
 
 	mutex_lock(&prog->aux->used_maps_mutex);
 
-	/* Verify every used_map has a matching signed hash */
-	for (j = 0; j < prog->aux->used_map_cnt; j++) {
-		map = prog->aux->used_maps[j];
+	/* Verify every signed map exists in used_maps */
+	for (i = 0; i < security->signed_hash_count; i++) {
+		found = false;
+		for (j = 0; j < prog->aux->used_map_cnt; j++) {
+			map = prog->aux->used_maps[j];
 
-		if (!READ_ONCE(map->frozen) || !map->ops->map_get_hash)
-			continue;
+			if (!READ_ONCE(map->frozen) || !map->ops->map_get_hash)
+				continue;
 
-		if (map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash))
-			continue;
+			if (map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash))
+				continue;
 
-		found = false;
-		for (i = 0; i < security->signed_hash_count; i++) {
 			if (memcmp(hash,
 				   &security->signed_hashes[i * SHA256_DIGEST_SIZE],
 				   SHA256_DIGEST_SIZE) == 0) {
@@ -223,15 +222,10 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
 			mutex_unlock(&prog->aux->used_maps_mutex);
 			return -EPERM;
 		}
-		covered_count++;
 	}
 
 	mutex_unlock(&prog->aux->used_maps_mutex);
 
-	/* Ensure all signed hashes were accounted for */
-	if (covered_count != security->signed_hash_count)
-		return -EPERM;
-
 	return 0;
 }
 
-- 
2.53.0

next prev parent reply	other threads:[~2026-05-28  3:09 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-28  3:08 [PATCH 00/11] hornet: security, tooling and selftest fixes Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 01/11] hornet: fix TOCTOU in signed program verification Blaise Boscaccy
2026-05-28  3:08 ` Blaise Boscaccy [this message]
2026-05-28  3:08 ` [PATCH 03/11] hornet: fix off-by-one bug in max used maps check Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 04/11] selftests: hornet: handle cross compilation and test skipping Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 05/11] hornet: gen_sig: fix off-by-one check for used maps Blaise Boscaccy
2026-05-28 21:22   ` Paul Moore
2026-05-28  3:08 ` [PATCH 06/11] hornet: gen_sig: fix error string allocations Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 07/11] hornet: gen_sig: check for bad allocations Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 08/11] hornet: gen_sig: fix missing command line switches Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 09/11] hornet: scripts: set a non-zero error code for usage Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 10/11] hornet: scripts: harden scripts to handle trailing whitespace Blaise Boscaccy
2026-05-28  3:08 ` [PATCH 11/11] hornet: scripts: Improve argument handling and error messages Blaise Boscaccy

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:516038413f32 dfblob:35d9522d6bc7 )
 OR (
bs:"[PATCH 02/11] hornet: invert map set check logic" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260528030915.2654994-3-bboscaccy@linux.microsoft.com \
    --to=bboscaccy@linux.microsoft.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=corbet@lwn.net \
    --cc=ebiggers@kernel.org \
    --cc=jmorris@namei.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=serge@hallyn.com \
    --cc=skhan@linuxfoundation.org \
    --cc=wufan@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox