d05879b12f3a62db75f020edf0101777441e4ad9 - third_party/kernel

commit	d05879b12f3a62db75f020edf0101777441e4ad9	[log] [tgz]
author	Jakub Sitnicki <jakub@cloudflare.com>	Mon May 27 13:20:07 2024 +0200
committer	Oleksandr Tymoshenko <ovt@google.com>	Wed Jun 26 18:10:17 2024 +0000
tree	6799459ca0e90b8a531cee892079e7cc4443951f
parent	4ed4cc6b4a1961ea7ddf452d35e19916e7882ad5 [diff]

bpf: Allow delete from sockmap/sockhash only if update is allowed [ Upstream commit 98e948fb60d41447fd8d2d0c3b8637fc6b6dc26d ] We have seen an influx of syzkaller reports where a BPF program attached to a tracepoint triggers a locking rule violation by performing a map_delete on a sockmap/sockhash. We don't intend to support this artificial use scenario. Extend the existing verifier allowed-program-type check for updating sockmap/sockhash to also cover deleting from a map. From now on only BPF programs which were previously allowed to update sockmap/sockhash can delete from these map types. BUG=b/349318577 TEST=presubmit RELEASE_NOTE=Fixes CVE-2024-38662 in the Linux kernel cos-patch: security-moderate Fixes: ff9105993240 ("bpf, sockmap: Prevent lock inversion deadlock in map delete elem") Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> Reported-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com Acked-by: John Fastabend <john.fastabend@gmail.com> Closes: https://syzkaller.appspot.com/bug?extid=ec941d6e24f633a59172 Link: https://lore.kernel.org/bpf/20240527-sockmap-verify-deletes-v1-1-944b372f2101@cloudflare.com Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> Change-Id: I848b4a07da1360ab44d36bd3e0b13d87f9cbed4d Signed-off-by: Oleksandr Tymoshenko <ovt@google.com> Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/75037 Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com> Reviewed-by: Kevin Berry <kpberry@google.com> Reviewed-by: Arnav Kansal <rnv@google.com>