git.ipfire.org Git - thirdparty/linux.git/commitdiff
bpf: Require frozen map for calculating map hash
author KP Singh <kpsingh@kernel.org>
Thu, 5 Feb 2026 07:07:55 +0000 (08:07 +0100)
committer Alexei Starovoitov <ast@kernel.org>
Thu, 5 Feb 2026 16:40:09 +0000 (08:40 -0800)
Currently, bpf_map_get_info_by_fd calculates and caches the hash of the
map regardless of the map's frozen state.

This leads to a TOCTOU bug where userspace can call
BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map
contents before freezing.

Therefore, a trusted loader can be tricked into verifying the stale hash
while loading the modified contents.

Fix this by returning -EPERM if the map is not frozen when the hash is
requested. This ensures the hash is only generated for the final,
immutable state of the map.

Fixes: ea2e6467ac36 ("bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD")
Reported-by: Toshi Piazza <toshi.piazza@microsoft.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260205070755.695776-1-kpsingh@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/syscall.c

index 93bc0f4c65c57be6f045aa5b12f283cb3d6068ad..683c332dbafbe76d7c32419633ddfe0bd1091ed2 100644 (file)
@@ -5328,6 +5328,9 @@ static int bpf_map_get_info_by_fd(struct file *file,
                if (info.hash_size != SHA256_DIGEST_SIZE)
                        return -EINVAL;
 
+               if (!READ_ONCE(map->frozen))
+                       return -EPERM;
+
                err = map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, map->sha);
                if (err != 0)
                        return err;
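
Review bot: The new "if (!READ_ONCE(map->frozen)) return -EPERM;" check ahead of map->ops->map_get_hash() has no comment saying why an unfrozen map is refused, and it changes what userspace sees: a caller that sets hash_size on a map it has not yet frozen now gets -EPERM instead of a digest. Suggest a one-line comment above the check tying it to the stale-hash TOCTOU from the commit message, and documenting the new error alongside the description of the hash fields so loaders know to freeze before querying. Because the check sits after the "info.hash_size != SHA256_DIGEST_SIZE" test, a wrong size on an unfrozen map still returns -EINVAL; that ordering looks fine, but a selftest covering the unfrozen (-EPERM), wrong-size (-EINVAL) and frozen (success) cases would pin it down.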