From: Xu Kuohai
BPF_LSM_CGROUP programs use bpf_set_retval() helper to set the return value, but the value is not validated. This could cause kernel panic similar to the bug fixed by commit 5d99e198be27 ("bpf, lsm: Add check for BPF LSM return value"). Fix it by verifying the argument for bpf_set_retval() falls within the valid return value range for the target hook.
Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn>
Closes: https://lore.kernel.org/all/567d3206-74a5-44e5-99c6-779c425f399e@std.uestc.edu.cn
Signed-off-by: Xu Kuohai
---
 kernel/bpf/verifier.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7fb88e1cd7c4..fe60a695de55 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -10462,6 +10462,9 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 case BPF_FUNC_set_retval:
 if (prog_type == BPF_PROG_TYPE_LSM &&
 env->prog->expected_attach_type == BPF_LSM_CGROUP) {
+ struct bpf_retval_range range;
+ struct bpf_reg_state *r1 = ®s[BPF_REG_1];
+
 if (!env->prog->aux->attach_func_proto->type) {
 /* Make sure programs that attach to void
 * hooks don't try to modify return value.
@@ -10469,6 +10472,13 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
 verbose(env, "BPF_LSM_CGROUP that attach to void LSM hooks can't modify return value!\n");
 return -EINVAL;
 }
+
+ bpf_lsm_get_retval_range(env->prog, &range);
+ range.return_32bit = true;
+ if (!retval_range_within(range, r1)) {
+ verbose_invalid_scalar(env, r1, range, "At bpf_set_retval", "R1");
+ return -EINVAL;
+ }
 }
 break;
 case BPF_FUNC_dynptr_data:
--
2.43.0
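Review bot: The new declaration of r1 in the first hunk reads `®s[BPF_REG_1]`, which is not valid C; it is almost certainly `&regs[BPF_REG_1]` with the `&reg` run mis-decoded as an HTML entity somewhere between the mailing list and this page, so confirm against the original patch before quoting it. `regs` itself is not declared inside the hunk; it is presumably check_helper_call's local pointer to the current register state, initialised earlier in the function, which starts and ends outside the hunk.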
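Review bot: The range check added in the second hunk compares only R1's bounds, not its register type, so a non-scalar R1 would be judged by its offset bounds rather than by the value actually handed to bpf_set_retval(); as far as I recall, the existing exit-time check in check_return_code rejects `reg->type != SCALAR_VALUE` before calling retval_range_within(), and this call site should do the same, e.g. `if (r1->type != SCALAR_VALUE) { verbose(env, "R1 is not a scalar at bpf_set_retval\n"); return -EINVAL; }` ahead of the retval_range_within() call. If bpf_set_retval's proto declares its argument as ARG_ANYTHING, as I believe it does, a privileged loader with allow_ptr_leaks can pass a pointer there; its smin/smax then describe the variable offset (frequently exactly 0), which sits inside most hooks' ranges, while the truncated pointer value used at runtime would not, reproducing the out-of-range retval this patch is meant to exclude. Note also that the check runs against R1's verifier state at the call, so programs that feed bpf_set_retval() an unbounded scalar are now rejected rather than accepted; that tightening is the point of the patch, but a short comment stating it, `/* bpf_set_retval()'s argument must be provably within the hook's return range */`, would help the next reader. check_helper_call starts and ends outside the hunk.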