Commit 2e93791d authored Jul 17, 2024 by Jiri Olsa Committed by Liu Jian Jul 17, 2024

bpf: Set run context for rawtp test_run callback

stable inclusion
from stable-v6.6.35
commit d387805d4b4a46ee01e3dae133c81b6d80195e5b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACS7Y
CVE: CVE-2024-40908

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d387805d4b4a46ee01e3dae133c81b6d80195e5b



---------------------------

[ Upstream commit d0d1df8ba18abc57f28fb3bc053b2bf319367f2c ]

syzbot reported crash when rawtp program executed through the
test_run interface calls bpf_get_attach_cookie helper or any
other helper that touches task->bpf_ctx pointer.

Setting the run context (task->bpf_ctx pointer) for test_run
callback.

Fixes: 7adfc6c9 ("bpf: Add bpf_get_attach_cookie() BPF helper to access bpf_cookie value")
Reported-by:  <syzbot+3ab78ff125b7979e45f9@syzkaller.appspotmail.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Closes: https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9
Link: https://lore.kernel.org/bpf/20240604150024.359247-1-jolsa@kernel.org


Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>

parent 6b484f45

net/bpf/test_run.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -707,10 +707,16 @@ static void
		__bpf_prog_test_run_raw_tp(void *data)
		{
		struct bpf_raw_tp_test_run_info *info = data;
		struct bpf_trace_run_ctx run_ctx = {};
		struct bpf_run_ctx *old_run_ctx;

		old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);

		rcu_read_lock();
		info->retval = bpf_prog_run(info->prog, info->ctx);
		rcu_read_unlock();

		bpf_reset_run_ctx(old_run_ctx);
		}

		int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,