git.ipfire.org Git - thirdparty/linux.git/commit
libbpf: Skip initial_value override on signed loaders
author Daniel Borkmann <daniel@iogearbox.net>
Mon, 1 Jun 2026 15:02:45 +0000 (17:02 +0200)
committer Alexei Starovoitov <ast@kernel.org>
Tue, 2 Jun 2026 01:36:40 +0000 (18:36 -0700)
commit 61e084152328867fe2279cc790573aae39959cd5
tree f8dee428074708463deafea1d5454f70ca7970b0
parent 0fb6c9ed6493b4af01be8bb0a384574eba7df636

bpf_gen__map_update_elem() emits code that, when the host-supplied
loader ctx provides a non-NULL map_desc[idx].initial_value, overwrites
the blob value with bytes read from the host (bpf_copy_from_user /
bpf_probe_read_kernel) before the BPF_MAP_UPDATE_ELEM that populates
the program's .data/.rodata/.bss maps.

This override runs after emit_signature_match() has validated map->sha[],
and initial_value is part of neither the signed loader instructions nor
the hashed data blob. For a signed loader this lets an untrusted host
substitute global-variable contents into a program whose code carries
a valid signature, thus weakening what the signature attests to.

The blob already contains the signer-provided value (added via add_data()
and covered by the embedded, signed hash), so simply skip emitting the
override for signed loaders (gen_hash). Runtime initialization stays
available for the unsigned light-skeleton path as before. The jump
offsets within the override block are internal to it, so guarding the
whole block leaves them unchanged.

Fixes: ea923080c145 ("libbpf: Embed and verify the metadata hash in the loader")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260601150248.394863-5-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
tools/lib/bpf/gen_loader.c
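
The ordering problem the commit message describes, as a toy model added here (not libbpf code and not part of the commit): a generator emits loader ops, and the hash check passes even though host bytes replace the signer's value afterwards. The op names, gen_ops(), load(), the guard flag and the FNV-1a digest are assumptions made for the model; the byte values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum op { OP_CHECK_HASH, OP_OVERRIDE_FROM_CTX, OP_MAP_UPDATE };
/* Stand-in digest (FNV-1a) for the model, in place of the hash in map->sha[]. */
static uint32_t toy_hash(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--)
        h = (h ^ *p++) * 16777619u;
    return h;
}

/* Generation time: guard=true models the fix (no override op when gen_hash). */
static size_t gen_ops(bool gen_hash, bool guard, enum op *ops)
{
    size_t n = 0;
    if (gen_hash)
        ops[n++] = OP_CHECK_HASH;
    if (!(guard && gen_hash))
        ops[n++] = OP_OVERRIDE_FROM_CTX;   /* unsigned path keeps it */
    ops[n++] = OP_MAP_UPDATE;
    return n;
}

/* Load time, constructed data. Returns the first byte reaching the map, or -1. */
static int load(bool gen_hash, bool guard, bool host_override)
{
    uint8_t blob[4] = {1, 2, 3, 4}, map[4] = {0};   /* signer's value */
    const uint8_t host[4] = {9, 9, 9, 9};           /* host initial_value */
    uint32_t signed_hash = toy_hash(blob, sizeof(blob));
    enum op ops[3];
    size_t n = gen_ops(gen_hash, guard, ops);
    for (size_t i = 0; i < n; i++) {
        if (ops[i] == OP_CHECK_HASH && toy_hash(blob, sizeof(blob)) != signed_hash)
            return -1;
        if (ops[i] == OP_OVERRIDE_FROM_CTX && host_override)
            memcpy(blob, host, sizeof(blob));       /* runs after the check */
        if (ops[i] == OP_MAP_UPDATE)
            memcpy(map, blob, sizeof(map));
    }
    return map[0];
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", load(true, false, true), load(true, true, true));
}
```

In the unguarded signed case the map receives the host's bytes while the hash check still succeeds; with the guard the map receives only the value covered by the hash.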