bpf: Fix oob access in cgroup local storage

JIRA: https://issues.redhat.com/browse/RHEL-78204

commit abad3d0
Author: Daniel Borkmann <[email protected]>
Date:   Thu Jul 31 01:47:33 2025 +0200

    bpf: Fix oob access in cgroup local storage

    Lonial reported that an out-of-bounds access in cgroup local storage
    can be crafted via tail calls. Given two programs each utilizing a
    cgroup local storage with a different value size, and one program
    doing a tail call into the other. The verifier will validate each of
    the indivial programs just fine. However, in the runtime context
    the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
    BPF program as well as any cgroup local storage flavor the program
    uses. Helpers such as bpf_get_local_storage() pick this up from the
    runtime context:

      ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
      storage = ctx->prog_item->cgroup_storage[stype];

      if (stype == BPF_CGROUP_STORAGE_SHARED)
        ptr = &READ_ONCE(storage->buf)->data[0];
      else
        ptr = this_cpu_ptr(storage->percpu_buf);

    For the second program which was called from the originally attached
    one, this means bpf_get_local_storage() will pick up the former
    program's map, not its own. With mismatching sizes, this can result
    in an unintended out-of-bounds access.

    To fix this issue, we need to extend bpf_map_owner with an array of
    storage_cookie[] to match on i) the exact maps from the original
    program if the second program was using bpf_get_local_storage(), or
    ii) allow the tail call combination if the second program was not
    using any of the cgroup local storage maps.

    Fixes: 7d9c342 ("bpf: Make cgroup storages shared between programs on the same cgroup")
    Reported-by: Lonial Con <[email protected]>
    Signed-off-by: Daniel Borkmann <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Alexei Starovoitov <[email protected]>

Signed-off-by: Jerome Marchand <[email protected]>

Author: jeromemarchand

include/linux/bpf.h

@@ -283,6 +283,7 @@ struct bpf_map_owner {
 	enum bpf_prog_type type;
 	bool jited;
 	bool xdp_has_frags;
+	u64 storage_cookie[MAX_BPF_CGROUP_STORAGE_TYPE];
 	const struct btf_type *attach_func_proto;
 };
 

kernel/bpf/core.c

@@ -2383,7 +2383,9 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
 {
 	enum bpf_prog_type prog_type = resolve_prog_type(fp);
 	struct bpf_prog_aux *aux = fp->aux;
+	enum bpf_cgroup_storage_type i;
 	bool ret = false;
+	u64 cookie;
 
 	if (fp->kprobe_override)
 		return ret;
@@ -2398,11 +2400,24 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
 		map->owner->jited = fp->jited;
 		map->owner->xdp_has_frags = aux->xdp_has_frags;
 		map->owner->attach_func_proto = aux->attach_func_proto;
+		for_each_cgroup_storage_type(i) {
+			map->owner->storage_cookie[i] =
+				aux->cgroup_storage[i] ?
+				aux->cgroup_storage[i]->cookie : 0;
+		}
 		ret = true;
 	} else {
 		ret = map->owner->type  == prog_type &&
 		      map->owner->jited == fp->jited &&
 		      map->owner->xdp_has_frags == aux->xdp_has_frags;
+		for_each_cgroup_storage_type(i) {
+			if (!ret)
+				break;
+			cookie = aux->cgroup_storage[i] ?
+				 aux->cgroup_storage[i]->cookie : 0;
+			ret = map->owner->storage_cookie[i] == cookie ||
+			      !cookie;
+		}
 		if (ret &&
 		    map->owner->attach_func_proto != aux->attach_func_proto) {
 			switch (prog_type) {