Commit b0315e36 authored Nov 30, 2024 by Hou Tao Committed by Pu Lehui Nov 30, 2024

bpf: Check validity of link->type in bpf_link_show_fdinfo()

mainline inclusion
from mainline-v6.12-rc5
commit 8421d4c8762bd022cb491f2f0f7019ef51b4f0a7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB705A
CVE: CVE-2024-53099

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8421d4c8762b



--------------------------------

If a newly-added link type doesn't invoke BPF_LINK_TYPE(), accessing
bpf_link_type_strs[link->type] may result in an out-of-bounds access.

To spot such missed invocations early in the future, checking the
validity of link->type in bpf_link_show_fdinfo() and emitting a warning
when such invocations are missed.

Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20241024013558.1135167-3-houtao@huaweicloud.com


Conflicts:
	kernel/bpf/syscall.c
[The conflicts were due to some minor issue.]
Signed-off-by: Pu Lehui <pulehui@huawei.com>

parent 904d8467

kernel/bpf/syscall.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -2430,15 +2430,20 @@ static void bpf_link_show_fdinfo(struct seq_file m, struct file filp)
		{
		const struct bpf_link *link = filp->private_data;
		const struct bpf_prog *prog = link->prog;
		enum bpf_link_type type = link->type;
		char prog_tag[sizeof(prog->tag) * 2 + 1] = { };

		bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
		if (type < ARRAY_SIZE(bpf_link_type_strs) && bpf_link_type_strs[type]) {
		seq_printf(m, "link_type:\t%s\n", bpf_link_type_strs[type]);
		} else {
		WARN_ONCE(1, "missing BPF_LINK_TYPE(...) for link type %u\n", type);
		seq_printf(m, "link_type:\t<%u>\n", type);
		}
		seq_printf(m,
		"link_type:\t%s\n"
		"link_id:\t%u\n"
		"prog_tag:\t%s\n"
		"prog_id:\t%u\n",
		bpf_link_type_strs[link->type],
		link->id,
		prog_tag,
		prog->aux->id);