* [PATCH] bpf: crypto: reject unterminated type and algorithm names
@ 2026-04-17 7:31 Pengpeng Hou
2026-04-18 21:33 ` Vadim Fedorenko
0 siblings, 1 reply; 2+ messages in thread
From: Pengpeng Hou @ 2026-04-17 7:31 UTC (permalink / raw)
To: Vadim Fedorenko, Alexei Starovoitov
Cc: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf,
linux-kernel, Pengpeng Hou, stable
bpf_crypto_ctx_create() validates the overall size of
struct bpf_crypto_params, but it does not verify that the fixed-width
type[14] and algo[128] fields are NUL-terminated before passing them to
string consumers.
A caller can therefore fill either field without a terminator and cause
bpf_crypto_get_type(), has_algo(), or alloc_tfm() to read past the end
of the fixed buffer.
Reject parameter blocks whose type or algorithm name does not contain a
terminating NUL within the advertised field width.
Fixes: 3e1c6f35409f ("bpf: make common crypto API for TC/XDP programs")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
kernel/bpf/crypto.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
index 51f89cecefb4..8732689803a6 100644
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@@ -155,6 +155,12 @@ bpf_crypto_ctx_create(const struct bpf_crypto_params *params, u32 params__sz,
return NULL;
}
+ if (strnlen(params->type, sizeof(params->type)) == sizeof(params->type) ||
+ strnlen(params->algo, sizeof(params->algo)) == sizeof(params->algo)) {
+ *err = -EINVAL;
+ return NULL;
+ }
+
type = bpf_crypto_get_type(params->type);
if (IS_ERR(type)) {
*err = PTR_ERR(type);
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] bpf: crypto: reject unterminated type and algorithm names
2026-04-17 7:31 [PATCH] bpf: crypto: reject unterminated type and algorithm names Pengpeng Hou
@ 2026-04-18 21:33 ` Vadim Fedorenko
0 siblings, 0 replies; 2+ messages in thread
From: Vadim Fedorenko @ 2026-04-18 21:33 UTC (permalink / raw)
To: Pengpeng Hou, Alexei Starovoitov
Cc: Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, John Fastabend,
KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf,
linux-kernel, stable
On 17.04.2026 08:31, Pengpeng Hou wrote:
> bpf_crypto_ctx_create() validates the overall size of
> struct bpf_crypto_params, but it does not verify that the fixed-width
> type[14] and algo[128] fields are NUL-terminated before passing them to
> string consumers.
>
> A caller can therefore fill either field without a terminator and cause
> bpf_crypto_get_type(), has_algo(), or alloc_tfm() to read past the end
> of the fixed buffer.
How can this happen for static defined type/algo structures?
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-18 21:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-17 7:31 [PATCH] bpf: crypto: reject unterminated type and algorithm names Pengpeng Hou
2026-04-18 21:33 ` Vadim Fedorenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox