lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMB2axOZeGGXiO-6uXOa0HUefDjoU+7_287K3au0EMLxnWu=4g@mail.gmail.com>
Date: Tue, 30 Dec 2025 22:18:00 -0800
From: Amery Hung <ameryhung@...il.com>
To: Liang Jie <buaajxlj@....com>
Cc: syzbot+4fe468a3f7fac86ea2c9@...kaller.appspotmail.com, andrii@...nel.org, 
	ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net, eddyz87@...il.com, 
	haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org, 
	kpsingh@...nel.org, linux-kernel@...r.kernel.org, martin.lau@...ux.dev, 
	sdf@...ichev.me, song@...nel.org, syzkaller-bugs@...glegroups.com, 
	yonghong.song@...ux.dev, liangjie@...iang.com
Subject: Re: [syzbot] [bpf?] general protection fault in bpf_get_local_storage (2)

On Tue, Dec 30, 2025 at 7:21 PM Liang Jie <buaajxlj@....com> wrote:
>
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 3f0e9c8cefa9
>
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 69988af44b37..2bc27ece5cc5 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
> @@ -1768,6 +1768,9 @@ BPF_CALL_2(bpf_get_local_storage, struct bpf_map *, map, u64, flags)
>         ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
>         storage = ctx->prog_item->cgroup_storage[stype];
>
> +       if (unlikely(!storage))
> +               return (unsigned long)NULL;
> +
>         if (stype == BPF_CGROUP_STORAGE_SHARED)
>                 ptr = &READ_ONCE(storage->buf)->data[0];
>
>

Hi Liang,

I don't think we can do this here due to backward compatibility. The
return type of the helper is RET_PTR_TO_MAP_VALUE. Your proposed fix
would require adding a PTR_MAYBE_NULL and existing BPF programs would
no longer pass the verifier.

Did you look into why the storage pointer is NULL in the first place?

BTW, there is also another similar report and a work-in-progress fix
[1]. Do you think this is a separate issue from that?

Thanks,
Amery

[1] https://lore.kernel.org/bpf/20251203195050.3215728-1-ameryhung@gmail.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ