git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	KP Singh <kpsingh@kernel.org>
	Wed, 20 May 2026 02:40:59 +0000 (04:40 +0200)
committer	Kumar Kartikeya Dwivedi <memxor@gmail.com>
	Wed, 20 May 2026 03:12:05 +0000 (05:12 +0200)
commit	49b18315be4eecfc36b75f4aecb4d40a87d68a20
tree	e4ef3d8bf07a51dae94329119e295fad42e142d1	tree \| snapshot
parent	201166d79fc01b607eccdddd4e1a7189f231904b	commit \| diff

bpf: Reject NULL data/sig in bpf_verify_pkcs7_signature

__bpf_dynptr_data() can return NULL (FILE dynptrs, any non-contiguous
backing). bpf_verify_pkcs7_signature() forwards the pointer to
verify_pkcs7_signature() unchecked, causing a NULL deref in
asn1_ber_decoder() reachable from a sleepable BPF LSM at lsm.s/bpf.

NULL-check both pointers and reject with -EINVAL. Mirrors the guards
already in kernel/bpf/crypto.c.

Fixes: 865b0566d8f1 ("bpf: Add bpf_verify_pkcs7_signature() kfunc")
Reported-by: Xianrui Dong <dongxianrui1@gmail.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Song Liu <song@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20260520024059.313468-1-kpsingh@kernel.org
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

kernel/bpf/helpers.c		diff \| blob \| blame \| history
tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c		diff \| blob \| blame \| history