lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250715075755.114339-1-shankari.ak0208@gmail.com>
Date: Tue, 15 Jul 2025 13:27:55 +0530
From: Shankari Anand <shankari.ak0208@...il.com>
To: bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	John Fastabend <john.fastabend@...il.com>,
	Andrii Nakryiko <andrii@...nel.org>,
	Martin KaFai Lau <martin.lau@...ux.dev>,
	Eduard Zingerman <eddyz87@...il.com>,
	Song Liu <song@...nel.org>,
	Yonghong Song <yonghong.song@...ux.dev>,
	KP Singh <kpsingh@...nel.org>,
	Stanislav Fomichev <sdf@...ichev.me>,
	Hao Luo <haoluo@...gle.com>,
	Jiri Olsa <jolsa@...nel.org>,
	Shankari Anand <shankari.ak0208@...il.com>,
	syzbot+ad4661d6ca888ce7fe11@...kaller.appspotmail.com
Subject: [PATCH] bpf: restrict verifier access to bpf_lru_node.ref

syzbot reported a data race on the `ref` field of `struct bpf_lru_node`:
https://syzkaller.appspot.com/bug?extid=ad4661d6ca888ce7fe11

This race arises when user programs read the `.ref` field from a BPF map
that uses LRU logic, potentially exposing unprotected state.

Accesses to `ref` are already wrapped with READ_ONCE() and WRITE_ONCE().
However, the BPF verifier currently allows unprivileged programs to
read this field via BTF-enabled pointer, bypassing internal assumptions.

To mitigate this, the verifier is updated to disallow access
to the `.ref` field in `struct bpf_lru_node`.
This is done by checking both the base type and field name
in `check_ptr_to_btf_access()` and returning -EACCES if matched.

Reported-by: syzbot+ad4661d6ca888ce7fe11@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/6847e661.a70a0220.27c366.005d.GAE@google.com/T/
Signed-off-by: Shankari Anand <shankari.ak0208@...il.com>
---
 kernel/bpf/verifier.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 169845710c7e..775ce454268c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7159,6 +7159,19 @@ static int check_ptr_to_btf_access(struct bpf_verifier_env *env,
 		}
 
 		ret = btf_struct_access(&env->log, reg, off, size, atype, &btf_id, &flag, &field_name);
+
+		/* Block access to sensitive kernel-internal fields */
+		if (field_name && reg->btf && btf_is_kernel(reg->btf)) {
+			const struct btf_type *base_type = btf_type_by_id(reg->btf, reg->btf_id);
+			const char *type_name = btf_name_by_offset(reg->btf, base_type->name_off);
+
+			if (strcmp(type_name, "bpf_lru_node") == 0 &&
+				strcmp(field_name, "ref") == 0) {
+				verbose(env,
+					"access to field 'ref' in struct bpf_lru_node is not allowed\n");
+				return -EACCES;
+			}
+		}
 	}
 
 	if (ret < 0)

base-commit: 155a3c003e555a7300d156a5252c004c392ec6b0
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ