bpf: Guard __get_user acesss with access_ok for uprobe_multi data
authorJiri Olsa <jolsa@kernel.org>
Thu, 11 Jun 2026 11:42:24 +0000 (13:42 +0200)
committerAlexei Starovoitov <ast@kernel.org>
Mon, 15 Jun 2026 00:24:25 +0000 (17:24 -0700)
As reported by sashiko [1] we need to use access_ok to check the user
space data bounds before we use __get_user to get it.

[1] https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/
Fixes: 0b779b61f651 ("bpf: Add cookies support for uprobe_multi link")
Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link")
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20260611114230.950379-2-jolsa@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/trace/bpf_trace.c

index 90432f0fc2a8eb281f09f0ac281d28320ee17e71..b5a12af2d3f8a68d1405570e3cf510a951fab91f 100644 (file)
@@ -3224,6 +3224,7 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
        unsigned long __user *uoffsets;
        u64 __user *ucookies;
        void __user *upath;
+       unsigned long size;
        u32 flags, cnt, i;
        struct path path;
        char *name;
@@ -3261,6 +3262,16 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
        uref_ctr_offsets = u64_to_user_ptr(attr->link_create.uprobe_multi.ref_ctr_offsets);
        ucookies = u64_to_user_ptr(attr->link_create.uprobe_multi.cookies);
 
+       /*
+        * All uoffsets/uref_ctr_offsets/ucookies arrays have the same value
+        * size, we need to check their address range is safe for __get_user
+        * calls.
+        */
+       size = sizeof(*uoffsets) * cnt;
+       if (!access_ok(uoffsets, size) || !access_ok(uref_ctr_offsets, size) ||
+           !access_ok(ucookies, size))
+               return -EFAULT;
+
        name = strndup_user(upath, PATH_MAX);
        if (IS_ERR(name)) {
                err = PTR_ERR(name);
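Review bot: The one `size` computed from `sizeof(*uoffsets)` is reused for `ucookies`, which is declared `u64 __user *` while `uoffsets` is `unsigned long __user *`. The comment's "same value size" therefore holds only where `unsigned long` is 64 bits wide; on a 32-bit build the cookie range checked would be half of what the later `__get_user` calls read. Nothing in this hunk shows a guard restricting the function to 64-bit or bounding `cnt`, and the function body starts and ends outside it, so both are presumably enforced earlier. I would make the check self-contained by sizing each array from its own element type with an overflow-saturating helper, e.g. `!access_ok(ucookies, array_size(cnt, sizeof(*ucookies)))`. Failing that, the comment should name the earlier checks it relies on.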