libbpf: upgrade 1.5.0 -> 1.6.2

Dropped patches which are now merged in the upstream Changelog: https://github.com/libbpf/libbpf/releases/tag/v1.5.1 https://github.com/libbpf/libbpf/releases/tag/v1.6.0 https://github.com/libbpf/libbpf/releases/tag/v1.6.1 https://github.com/libbpf/libbpf/releases/tag/v1.6.2 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Ankur Tyagi <ankur.tyagi85@gmail.com> 2025-11-14 22:46:59 +1300
committer: Khem Raj <raj.khem@gmail.com> 2025-11-14 07:39:47 -0800
commit: 11a10b9661279c0da2663ed10167572398ff53f3 (patch)
tree: 2156f4a1d8ad0f7d6f02de76575c6c05e3a29ec6
parent: 78f49691d74db266fc94ac5581eb71d71c7c45e0 (diff)
download: meta-openembedded-11a10b9661279c0da2663ed10167572398ff53f3.tar.gz
3 files changed, 2 insertions, 150 deletions
diff --git a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch
deleted file mode 100644
index 873995b644..0000000000
--- a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From ff2eb6e134ebfc225b97b46182af3cc58ed481f6 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 10 Apr 2025 11:50:04 +0800
-Subject: [PATCH] libbpf: check for empty BTF data section in btf_parse_elf
-A valid ELF file may contain a SHT_NOBITS .BTF section. This case is
-not handled correctly in btf_parse_elf, which leads to a segfault.
-Add a null check for a buffer returned by elf_getdata() before
-proceeding with its processing.
-Bug report: https://github.com/libbpf/libbpf/issues/894
-Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
-Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
-Upstream-Status: Backport [https://github.com/kernel-patches/bpf-rc/commit/b02b669fd9398d246c8c9ae901c0d8f5bb36a588]
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
- btf.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-diff --git a/btf.c b/btf.c
-index e9673c0e..21d38dcf 100644
--- a/btf.c
-+++ b/btf.c
-@@ -1199,6 +1199,12 @@ static struct btf *btf_parse_elf(const char *path, struct btf *base_btf,
-                goto done;
-        }
- 
-+       if (!secs.btf_data->d_buf) {
-+               pr_warn("BTF data is empty in %s\n", path);
-+               err = -ENODATA;
-+               goto done;
-+       }
-+
-        if (secs.btf_base_data) {
-                dist_base_btf = btf_new(secs.btf_base_data->d_buf, secs.btf_base_data->d_size,
-                                        NULL);
-- 
-2.34.1
diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
deleted file mode 100644
index ebfcb94a2f..0000000000
--- a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001
-From: Viktor Malik <vmalik@redhat.com>
-Date: Tue, 15 Apr 2025 17:50:14 +0200
-Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog
-As shown in [1], it is possible to corrupt a BPF ELF file such that
-arbitrary BPF instructions are loaded by libbpf. This can be done by
-setting a symbol (BPF program) section offset to a large (unsigned)
-number such that <section start + symbol offset> overflows and points
-before the section data in the memory.
-Consider the situation below where:
- prog_start = sec_start + symbol_offset    <-- size_t overflow here
- prog_end   = prog_start + prog_size
-    prog_start        sec_start        prog_end        sec_end
-        |                |                 |              |
-        v                v                 v              v
-    .....................|################################|............
-The report in [1] also provides a corrupted BPF ELF which can be used as
-a reproducer:
-    $ readelf -S crash
-    Section Headers:
-      [Nr] Name              Type             Address           Offset
-           Size              EntSize          Flags  Link  Info  Align
-    ...
-      [ 2] uretprobe.mu[...] PROGBITS         0000000000000000  00000040
-           0000000000000068  0000000000000000  AX       0     0     8
-    $ readelf -s crash
-    Symbol table '.symtab' contains 8 entries:
-       Num:    Value          Size Type    Bind   Vis      Ndx Name
-    ...
-         6: ffffffffffffffb8   104 FUNC    GLOBAL DEFAULT    2 handle_tp
-Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
-point before the actual memory where section 2 is allocated.
-This is also reported by AddressSanitizer:
-    =================================================================
-    ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
-    READ of size 104 at 0x7c7302fe0000 thread T0
-        #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
-        #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
-        #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
-        #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
-        #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
-        #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
-        #6 0x000000400c16 in main /poc/poc.c:8
-        #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
-        #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
-        #9 0x000000400b34 in _start (/poc/poc+0x400b34)
-    0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
-    allocated by thread T0 here:
-        #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
-        #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
-        #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
-        #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
-The problem here is that currently, libbpf only checks that the program
-end is within the section bounds. There used to be a check
-`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
-removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
-sections to support overriden weak functions").
-Add a check for detecting the overflow of `sec_off + prog_sz` to
-bpf_object__init_prog to fix this issue.
-[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
-Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
-Reported-by: lmarch2 <2524158037@qq.com>
-Signed-off-by: Viktor Malik <vmalik@redhat.com>
-Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
-Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
-Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
-Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
-CVE: CVE-2025-29481
-Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
- src/libbpf.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/libbpf.c b/src/libbpf.c
-index b2591f5..56250b5 100644
--- a/src/libbpf.c
-+++ b/src/libbpf.c
-@@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
-                        return -LIBBPF_ERRNO__FORMAT;
-                }
- 
-               if (sec_off + prog_sz > sec_sz) {
-+               if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
-                        pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
-                                sec_name, sec_off);
-                        return -LIBBPF_ERRNO__FORMAT;
diff --git a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb b/meta-oe/recipes-kernel/libbpf/libbpf_1.6.2.bb
index 36312c386b..28732b1e66 100644
--- a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb
+++ b/meta-oe/recipes-kernel/libbpf/libbpf_1.6.2.bb
@@ -8,11 +8,8 @@ LIC_FILES_CHKSUM = "file://../LICENSE.LGPL-2.1;md5=b370887980db5dd40659b50909238
 DEPENDS = "zlib elfutils"
-SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=master \
+SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=${BPN}-${PV}"
-           file://0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch \
+SRCREV = "45e89348ec74617c11cd5241ccd0ffc91dfd03c4"
-           file://CVE-2025-29481.patch;striplevel=2 \
-"
-SRCREV = "09b9e83102eb8ab9e540d36b4559c55f3bcdb95d"
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 COMPATIBLE_HOST = "(x86_64|i.86|arm|aarch64|riscv64|powerpc|powerpc64|mips64).*-linux"
author	Ankur Tyagi <ankur.tyagi85@gmail.com>	2025-11-14 22:46:59 +1300
committer	Khem Raj <raj.khem@gmail.com>	2025-11-14 07:39:47 -0800
commit	11a10b9661279c0da2663ed10167572398ff53f3 (patch)
tree	2156f4a1d8ad0f7d6f02de76575c6c05e3a29ec6
parent	78f49691d74db266fc94ac5581eb71d71c7c45e0 (diff)
download	meta-openembedded-11a10b9661279c0da2663ed10167572398ff53f3.tar.gz

diff --git a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch deleted file mode 100644 index 873995b644..0000000000 --- a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch +++ /dev/null
@@ -1,43 +0,0 @@
1	From ff2eb6e134ebfc225b97b46182af3cc58ed481f6 Mon Sep 17 00:00:00 2001
2	From: Changqing Li <changqing.li@windriver.com>
3	Date: Thu, 10 Apr 2025 11:50:04 +0800
4	Subject: [PATCH] libbpf: check for empty BTF data section in btf_parse_elf
5
6	A valid ELF file may contain a SHT_NOBITS .BTF section. This case is
7	not handled correctly in btf_parse_elf, which leads to a segfault.
8
9	Add a null check for a buffer returned by elf_getdata() before
10	proceeding with its processing.
11
12	Bug report: https://github.com/libbpf/libbpf/issues/894
13
14	Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
15	Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
16
17	Upstream-Status: Backport [https://github.com/kernel-patches/bpf-rc/commit/b02b669fd9398d246c8c9ae901c0d8f5bb36a588]
18
19	Signed-off-by: Changqing Li <changqing.li@windriver.com>
20	---
21	btf.c \| 6 ++++++
22	1 file changed, 6 insertions(+)
23
24	diff --git a/btf.c b/btf.c
25	index e9673c0e..21d38dcf 100644
26	--- a/btf.c
27	+++ b/btf.c
28	@@ -1199,6 +1199,12 @@ static struct btf btf_parse_elf(const char path, struct btf *base_btf,
29	goto done;
30	}
31
32	+ if (!secs.btf_data->d_buf) {
33	+ pr_warn("BTF data is empty in %s\n", path);
34	+ err = -ENODATA;
35	+ goto done;
36	+ }
37	+
38	if (secs.btf_base_data) {
39	dist_base_btf = btf_new(secs.btf_base_data->d_buf, secs.btf_base_data->d_size,
40	NULL);
41	--
42	2.34.1
43


diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch deleted file mode 100644 index ebfcb94a2f..0000000000 --- a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch +++ /dev/null
@@ -1,102 +0,0 @@
1	From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001
2	From: Viktor Malik <vmalik@redhat.com>
3	Date: Tue, 15 Apr 2025 17:50:14 +0200
4	Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog
5
6	As shown in [1], it is possible to corrupt a BPF ELF file such that
7	arbitrary BPF instructions are loaded by libbpf. This can be done by
8	setting a symbol (BPF program) section offset to a large (unsigned)
9	number such that <section start + symbol offset> overflows and points
10	before the section data in the memory.
11
12	Consider the situation below where:
13	- prog_start = sec_start + symbol_offset <-- size_t overflow here
14	- prog_end = prog_start + prog_size
15
16	prog_start sec_start prog_end sec_end
17	\| \| \| \|
18	v v v v
19	.....................\|################################\|............
20
21	The report in [1] also provides a corrupted BPF ELF which can be used as
22	a reproducer:
23
24	$ readelf -S crash
25	Section Headers:
26	[Nr] Name Type Address Offset
27	Size EntSize Flags Link Info Align
28	...
29	[ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
30	0000000000000068 0000000000000000 AX 0 0 8
31
32	$ readelf -s crash
33	Symbol table '.symtab' contains 8 entries:
34	Num: Value Size Type Bind Vis Ndx Name
35	...
36	6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
37
38	Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
39	point before the actual memory where section 2 is allocated.
40
41	This is also reported by AddressSanitizer:
42
43	=================================================================
44	==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
45	READ of size 104 at 0x7c7302fe0000 thread T0
46	#0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
47	#1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
48	#2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
49	#3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
50	#4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
51	#5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
52	#6 0x000000400c16 in main /poc/poc.c:8
53	#7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
54	#8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
55	#9 0x000000400b34 in _start (/poc/poc+0x400b34)
56
57	0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
58	allocated by thread T0 here:
59	#0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
60	#1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
61	#2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
62	#3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
63
64	The problem here is that currently, libbpf only checks that the program
65	end is within the section bounds. There used to be a check
66	`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
67	removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
68	sections to support overriden weak functions").
69
70	Add a check for detecting the overflow of `sec_off + prog_sz` to
71	bpf_object__init_prog to fix this issue.
72
73	[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
74
75	Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
76	Reported-by: lmarch2 <2524158037@qq.com>
77	Signed-off-by: Viktor Malik <vmalik@redhat.com>
78	Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
79	Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
80	Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
81	Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
82
83	CVE: CVE-2025-29481
84	Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800]
85	Signed-off-by: Peter Marko <peter.marko@siemens.com>
86	---
87	src/libbpf.c \| 2 +-
88	1 file changed, 1 insertion(+), 1 deletion(-)
89
90	diff --git a/src/libbpf.c b/src/libbpf.c
91	index b2591f5..56250b5 100644
92	--- a/src/libbpf.c
93	+++ b/src/libbpf.c
94	@@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object obj, Elf_Data sec_data,
95	return -LIBBPF_ERRNO__FORMAT;
96	}
97
98	- if (sec_off + prog_sz > sec_sz) {
99	+ if (sec_off + prog_sz > sec_sz \|\| sec_off + prog_sz < sec_off) {
100	pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
101	sec_name, sec_off);
102	return -LIBBPF_ERRNO__FORMAT;


diff --git a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb b/meta-oe/recipes-kernel/libbpf/libbpf_1.6.2.bb index 36312c386b..28732b1e66 100644 --- a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb +++ b/meta-oe/recipes-kernel/libbpf/libbpf_1.6.2.bb
@@ -8,11 +8,8 @@ LIC_FILES_CHKSUM = "file://../LICENSE.LGPL-2.1;md5=b370887980db5dd40659b50909238
8		8
9	DEPENDS = "zlib elfutils"	9	DEPENDS = "zlib elfutils"
10		10
11	SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=master \	11	SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=${BPN}-${PV}"
12	file://0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch \	12	SRCREV = "45e89348ec74617c11cd5241ccd0ffc91dfd03c4"
13	file://CVE-2025-29481.patch;striplevel=2 \
14	"
15	SRCREV = "09b9e83102eb8ab9e540d36b4559c55f3bcdb95d"
16		13
17	PACKAGE_ARCH = "${MACHINE_ARCH}"	14	PACKAGE_ARCH = "${MACHINE_ARCH}"
18	COMPATIBLE_HOST = "(x86_64\|i.86\|arm\|aarch64\|riscv64\|powerpc\|powerpc64\|mips64).*-linux"	15	COMPATIBLE_HOST = "(x86_64\|i.86\|arm\|aarch64\|riscv64\|powerpc\|powerpc64\|mips64).*-linux"