bpf: Disable file_alloc_security hook · tjh.dev/kernel@b4bf1d2

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

bpf: Disable file_alloc_security hook

A use-after-free bug may be triggered by calling bpf_inode_storage_get()
in a BPF LSM program hooked to file_alloc_security. Disable the hook to
prevent this from happening.

The cause of the bug is shown in the trace below. In alloc_file(), a
file struct is first allocated through kmem_cache_alloc(). Then,
file_alloc_security hook is invoked. Since the zero initialization or
assignment of f->f_inode happen after this LSM hook, a BPF program may
get a dangeld inode pointer by walking the file struct.

alloc_file()
-> alloc_empty_file()
-> f = kmem_cache_alloc()
-> init_file()
-> security_file_alloc() // f->f_inode not init-ed yet!
-> f->f_inode = NULL;
-> file_init_path()
-> f->f_inode = path->dentry->d_inode

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Dongliang Mu <dzm91@hust.edu.cn>
Closes: https://lore.kernel.org/bpf/1d2d1968.47cd3.19ab9528e94.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20251126202927.2584874-1-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Amery Hung and committed by

Alexei Starovoitov 4 months ago b4bf1d23 19f4091b

1 changed file

expand all

kernel

bpf

bpf_lsm.c

kernel/bpf/bpf_lsm.c

··· 51 51 BTF_ID(func, bpf_lsm_audit_rule_match) 52 52 #endif 53 53 BTF_ID(func, bpf_lsm_ismaclabel) 54 + BTF_ID(func, bpf_lsm_file_alloc_security) 54 55 BTF_SET_END(bpf_lsm_disabled_hooks) 55 56 56 57 /* List of LSM hooks that should operate on 'current' cgroup regardless