MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-22 23:13:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,369,842 Commits 589 Branches 4,509 Tags 4.3 GiB
C 97.5%
Assembly 1%
Shell 0.6%
Python 0.3%
Makefile 0.3%
Other 0.1%
19341d5c59
Go to file
Daniel Borkmann 19341d5c59 bpf: Fix oob access in cgroup local storage 
[ Upstream commit abad3d0bad ]

Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:

  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
  storage = ctx->prog_item->cgroup_storage[stype];

  if (stype == BPF_CGROUP_STORAGE_SHARED)
    ptr = &READ_ONCE(storage->buf)->data[0];
  else
    ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.

Fixes: 7d9c342789 ("bpf: Make cgroup storages shared between programs on the same cgroup")
Reported-by: Lonial Con <kongln9170@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-08-15 16:39:14 +02:00
arch sh: Do not use hyphen in exported variable name 2025-08-15 16:39:12 +02:00
block block: restore two stage elevator switch while running nr_hw_queue update 2025-08-15 16:38:24 +02:00
certs sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 2024-09-20 19:52:48 +03:00
crypto crypto: krb5 - Fix memory leak in krb5_test_one_prf() 2025-08-15 16:39:10 +02:00
Documentation cgroup: Add compatibility option for content of /proc/cgroups 2025-08-15 16:39:10 +02:00
drivers drm/xe/vf: Disable CSC support on VF 2025-08-15 16:39:13 +02:00
fs jfs: fix metapage reference count leak in dbAllocCtl 2025-08-15 16:39:13 +02:00
include bpf: Fix oob access in cgroup local storage 2025-08-15 16:39:14 +02:00
init io_uring: fix breakage in EXPERT menu 2025-08-15 16:38:23 +02:00
io_uring io_uring-6.16-20250718 2025-07-18 12:21:26 -07:00
ipc - The 3 patch series "hung_task: extend blocking task stacktrace dump to 2025-05-31 19:12:53 -07:00
kernel bpf: Fix oob access in cgroup local storage 2025-08-15 16:39:14 +02:00
lib kunit/fortify: Add back "volatile" for sizeof() constants 2025-08-15 16:38:22 +02:00
LICENSES LICENSES: add CC0-1.0 license text 2025-05-21 14:54:17 +02:00
mm slub: Fix a documentation build error for krealloc() 2025-08-15 16:38:38 +02:00
net ipv6: annotate data-races around rt->fib6_nsiblings 2025-08-15 16:38:55 +02:00
rust rust: miscdevice: clarify invariant for MiscDeviceRegistration 2025-08-15 16:38:30 +02:00
samples samples: mei: Fix building on musl libc 2025-08-15 16:38:34 +02:00
scripts Rust fixes for v6.16 (2nd) 2025-07-19 09:22:26 -07:00
security landlock: Fix warning from KUnit tests 2025-08-15 16:38:21 +02:00
sound ALSA: usb: scarlett2: Fix missing NULL check 2025-08-15 16:39:13 +02:00
tools perf record: Cache build-ID of hit DSOs only 2025-08-15 16:39:14 +02:00
usr usr/include: openrisc: don't HDRTEST bpf_perf_event.h 2025-05-12 15:03:17 +09:00
virt KVM: Allow CPU to reschedule while setting per-page memory attributes 2025-06-24 12:20:17 -07:00
.clang-format Linux 6.15-rc5 2025-05-06 16:39:25 +10:00
.clippy.toml rust: clean Rust 1.88.0's warning about clippy::disallowed_macros configuration 2025-05-07 00:11:47 +02:00
.cocciconfig
.editorconfig .editorconfig: remove trim_trailing_whitespace option 2024-06-13 16:47:52 +02:00
.get_maintainer.ignore MAINTAINERS: Retire Ralf Baechle 2024-11-12 15:48:59 +01:00
.gitattributes .gitattributes: set diff driver for Rust source code files 2023-05-31 17:48:25 +02:00
.gitignore gitignore: allow .pylintrc to be tracked 2025-08-15 16:39:03 +02:00
.mailmap 11 hotfixes. 9 are cc:stable and the remainder address post-6.15 issues 2025-07-24 19:13:30 -07:00
.pylintrc docs: add a .pylintrc file with sys path for docs scripts 2025-04-09 12:10:33 -06:00
.rustfmt.toml
COPYING
CREDITS mm: update MAINTAINERS entry for HMM 2025-07-19 19:26:16 -07:00
Kbuild drm: ensure drm headers are self-contained and pass kernel-doc 2025-02-12 10:44:43 +02:00
Kconfig io_uring: Rename KConfig to Kconfig 2025-02-19 14:53:27 -07:00
MAINTAINERS 11 hotfixes. 9 are cc:stable and the remainder address post-6.15 issues 2025-07-24 19:13:30 -07:00
Makefile Linux 6.16 2025-07-27 14:26:38 -07:00
README README: Fix spelling 2024-03-18 03:36:32 -06:00

README

Linux kernel

There are several guides for kernel developers and users. These guides can be rendered in a number of formats, like HTML and PDF. Please read Documentation/admin-guide/README.rst first.

In order to build the documentation, use make htmldocs or make pdfdocs. The formatted documentation can also be read online at:

https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory, several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the requirements for building and running the kernel, and information about the problems which may result by upgrading your kernel.