bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:

  ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
  storage = ctx->prog_item->cgroup_storage[stype];

  if (stype == BPF_CGROUP_STORAGE_SHARED)
    ptr = &READ_ONCE(storage->buf)->data[0];
  else
    ptr = this_cpu_ptr(storage->percpu_buf);

For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.

To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.

Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
Reported-by: Lonial Con <kongln9170@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20250730234733.530041-4-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 02aa41e301a5b3d4ca2c67a8e0d4d8c52f0c8894..cc700925b802fe0bb88844cc36120a9136788eaf 100644 (file)
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -283,6 +283,7 @@ struct bpf_map_owner {
        enum bpf_prog_type type;
        bool jited;
        bool xdp_has_frags;
+       u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE];
        const struct btf_type *attach_func_proto;
 };
 

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 6e5b3a67e87f1c7a90b156a58e6cddf4de5b17ac..5d1650af899d048f73b33d1d075e6e374f1691f3 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2378,7 +2378,9 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
 {
        enum bpf_prog_type prog_type = resolve_prog_type(fp);
        struct bpf_prog_aux *aux = fp->aux;
+       enum bpf_cgroup_storage_type i;
        bool ret = false;
+       u64 cookie;
 
        if (fp->kprobe_override)
                return ret;
@@ -2393,11 +2395,24 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
                map->owner->jited = fp->jited;
                map->owner->xdp_has_frags = aux->xdp_has_frags;
                map->owner->attach_func_proto = aux->attach_func_proto;
+               for_each_cgroup_storage_type(i) {
+                       map->owner->storage_cookie[i] =
+                               aux->cgroup_storage[i] ?
+                               aux->cgroup_storage[i]->cookie : 0;
+               }
                ret = true;
        } else {
                ret = map->owner->type  == prog_type &&
                      map->owner->jited == fp->jited &&
                      map->owner->xdp_has_frags == aux->xdp_has_frags;
+               for_each_cgroup_storage_type(i) {
+                       if (!ret)
+                               break;
+                       cookie = aux->cgroup_storage[i] ?
+                                aux->cgroup_storage[i]->cookie : 0;
+                       ret = map->owner->storage_cookie[i] == cookie ||
+                             !cookie;
+               }
                if (ret &&
                    map->owner->attach_func_proto != aux->attach_func_proto) {
                        switch (prog_type) {