2 files changed, 145 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch
new file mode 100644
index 0000000000..873995b644
--- /dev/null
+++ b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch
@@ -0,0 +1,43 @@
+From ff2eb6e134ebfc225b97b46182af3cc58ed481f6 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 10 Apr 2025 11:50:04 +0800
+Subject: [PATCH] libbpf: check for empty BTF data section in btf_parse_elf
+A valid ELF file may contain a SHT_NOBITS .BTF section. This case is
+not handled correctly in btf_parse_elf, which leads to a segfault.
+Add a null check for a buffer returned by elf_getdata() before
+proceeding with its processing.
+Bug report: https://github.com/libbpf/libbpf/issues/894
+Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
+Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
+Upstream-Status: Backport [https://github.com/kernel-patches/bpf-rc/commit/b02b669fd9398d246c8c9ae901c0d8f5bb36a588]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ btf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/btf.c b/btf.c
+index e9673c0e..21d38dcf 100644
+--- a/btf.c
+++ b/btf.c
+@@ -1199,6 +1199,12 @@ static struct btf *btf_parse_elf(const char *path, struct btf *base_btf,
+                goto done;
+        }
+ 
+       if (!secs.btf_data->d_buf) {
+               pr_warn("BTF data is empty in %s\n", path);
+               err = -ENODATA;
+               goto done;
+       }
+
+        if (secs.btf_base_data) {
+                dist_base_btf = btf_new(secs.btf_base_data->d_buf, secs.btf_base_data->d_size,
+                                        NULL);
+-- 
+2.34.1
diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
new file mode 100644
index 0000000000..ebfcb94a2f
--- /dev/null
+++ b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
@@ -0,0 +1,102 @@
+From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001
+From: Viktor Malik <vmalik@redhat.com>
+Date: Tue, 15 Apr 2025 17:50:14 +0200
+Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog
+As shown in [1], it is possible to corrupt a BPF ELF file such that
+arbitrary BPF instructions are loaded by libbpf. This can be done by
+setting a symbol (BPF program) section offset to a large (unsigned)
+number such that <section start + symbol offset> overflows and points
+before the section data in the memory.
+Consider the situation below where:
+- prog_start = sec_start + symbol_offset    <-- size_t overflow here
+- prog_end   = prog_start + prog_size
+    prog_start        sec_start        prog_end        sec_end
+        |                |                 |              |
+        v                v                 v              v
+    .....................|################################|............
+The report in [1] also provides a corrupted BPF ELF which can be used as
+a reproducer:
+    $ readelf -S crash
+    Section Headers:
+      [Nr] Name              Type             Address           Offset
+           Size              EntSize          Flags  Link  Info  Align
+    ...
+      [ 2] uretprobe.mu[...] PROGBITS         0000000000000000  00000040
+           0000000000000068  0000000000000000  AX       0     0     8
+    $ readelf -s crash
+    Symbol table '.symtab' contains 8 entries:
+       Num:    Value          Size Type    Bind   Vis      Ndx Name
+    ...
+         6: ffffffffffffffb8   104 FUNC    GLOBAL DEFAULT    2 handle_tp
+Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
+point before the actual memory where section 2 is allocated.
+This is also reported by AddressSanitizer:
+    =================================================================
+    ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
+    READ of size 104 at 0x7c7302fe0000 thread T0
+        #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
+        #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
+        #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
+        #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
+        #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
+        #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
+        #6 0x000000400c16 in main /poc/poc.c:8
+        #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
+        #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
+        #9 0x000000400b34 in _start (/poc/poc+0x400b34)
+    0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
+    allocated by thread T0 here:
+        #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
+        #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
+        #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
+        #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
+The problem here is that currently, libbpf only checks that the program
+end is within the section bounds. There used to be a check
+`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
+removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
+sections to support overriden weak functions").
+Add a check for detecting the overflow of `sec_off + prog_sz` to
+bpf_object__init_prog to fix this issue.
+[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
+Reported-by: lmarch2 <2524158037@qq.com>
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
+CVE: CVE-2025-29481
+Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/libbpf.c b/src/libbpf.c
+index b2591f5..56250b5 100644
+--- a/src/libbpf.c
+++ b/src/libbpf.c
+@@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
+                        return -LIBBPF_ERRNO__FORMAT;
+                }
+ 
+-               if (sec_off + prog_sz > sec_sz) {
+               if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
+                        pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
+                                sec_name, sec_off);
+                        return -LIBBPF_ERRNO__FORMAT;

diff --git a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch new file mode 100644 index 0000000000..873995b644 --- /dev/null +++ b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch
@@ -0,0 +1,43 @@
	1	From ff2eb6e134ebfc225b97b46182af3cc58ed481f6 Mon Sep 17 00:00:00 2001
	2	From: Changqing Li <changqing.li@windriver.com>
	3	Date: Thu, 10 Apr 2025 11:50:04 +0800
	4	Subject: [PATCH] libbpf: check for empty BTF data section in btf_parse_elf
	5
	6	A valid ELF file may contain a SHT_NOBITS .BTF section. This case is
	7	not handled correctly in btf_parse_elf, which leads to a segfault.
	8
	9	Add a null check for a buffer returned by elf_getdata() before
	10	proceeding with its processing.
	11
	12	Bug report: https://github.com/libbpf/libbpf/issues/894
	13
	14	Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev>
	15	Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
	16
	17	Upstream-Status: Backport [https://github.com/kernel-patches/bpf-rc/commit/b02b669fd9398d246c8c9ae901c0d8f5bb36a588]
	18
	19	Signed-off-by: Changqing Li <changqing.li@windriver.com>
	20	---
	21	btf.c \| 6 ++++++
	22	1 file changed, 6 insertions(+)
	23
	24	diff --git a/btf.c b/btf.c
	25	index e9673c0e..21d38dcf 100644
	26	--- a/btf.c
	27	+++ b/btf.c
	28	@@ -1199,6 +1199,12 @@ static struct btf btf_parse_elf(const char path, struct btf *base_btf,
	29	goto done;
	30	}
	31
	32	+ if (!secs.btf_data->d_buf) {
	33	+ pr_warn("BTF data is empty in %s\n", path);
	34	+ err = -ENODATA;
	35	+ goto done;
	36	+ }
	37	+
	38	if (secs.btf_base_data) {
	39	dist_base_btf = btf_new(secs.btf_base_data->d_buf, secs.btf_base_data->d_size,
	40	NULL);
	41	--
	42	2.34.1
	43


diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch new file mode 100644 index 0000000000..ebfcb94a2f --- /dev/null +++ b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
@@ -0,0 +1,102 @@
	1	From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001
	2	From: Viktor Malik <vmalik@redhat.com>
	3	Date: Tue, 15 Apr 2025 17:50:14 +0200
	4	Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog
	5
	6	As shown in [1], it is possible to corrupt a BPF ELF file such that
	7	arbitrary BPF instructions are loaded by libbpf. This can be done by
	8	setting a symbol (BPF program) section offset to a large (unsigned)
	9	number such that <section start + symbol offset> overflows and points
	10	before the section data in the memory.
	11
	12	Consider the situation below where:
	13	- prog_start = sec_start + symbol_offset <-- size_t overflow here
	14	- prog_end = prog_start + prog_size
	15
	16	prog_start sec_start prog_end sec_end
	17	\| \| \| \|
	18	v v v v
	19	.....................\|################################\|............
	20
	21	The report in [1] also provides a corrupted BPF ELF which can be used as
	22	a reproducer:
	23
	24	$ readelf -S crash
	25	Section Headers:
	26	[Nr] Name Type Address Offset
	27	Size EntSize Flags Link Info Align
	28	...
	29	[ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
	30	0000000000000068 0000000000000000 AX 0 0 8
	31
	32	$ readelf -s crash
	33	Symbol table '.symtab' contains 8 entries:
	34	Num: Value Size Type Bind Vis Ndx Name
	35	...
	36	6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
	37
	38	Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
	39	point before the actual memory where section 2 is allocated.
	40
	41	This is also reported by AddressSanitizer:
	42
	43	=================================================================
	44	==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
	45	READ of size 104 at 0x7c7302fe0000 thread T0
	46	#0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
	47	#1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
	48	#2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
	49	#3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
	50	#4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
	51	#5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
	52	#6 0x000000400c16 in main /poc/poc.c:8
	53	#7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
	54	#8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
	55	#9 0x000000400b34 in _start (/poc/poc+0x400b34)
	56
	57	0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
	58	allocated by thread T0 here:
	59	#0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
	60	#1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
	61	#2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
	62	#3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
	63
	64	The problem here is that currently, libbpf only checks that the program
	65	end is within the section bounds. There used to be a check
	66	`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
	67	removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
	68	sections to support overriden weak functions").
	69
	70	Add a check for detecting the overflow of `sec_off + prog_sz` to
	71	bpf_object__init_prog to fix this issue.
	72
	73	[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
	74
	75	Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
	76	Reported-by: lmarch2 <2524158037@qq.com>
	77	Signed-off-by: Viktor Malik <vmalik@redhat.com>
	78	Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
	79	Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
	80	Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
	81	Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
	82
	83	CVE: CVE-2025-29481
	84	Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800]
	85	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	86	---
	87	src/libbpf.c \| 2 +-
	88	1 file changed, 1 insertion(+), 1 deletion(-)
	89
	90	diff --git a/src/libbpf.c b/src/libbpf.c
	91	index b2591f5..56250b5 100644
	92	--- a/src/libbpf.c
	93	+++ b/src/libbpf.c
	94	@@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object obj, Elf_Data sec_data,
	95	return -LIBBPF_ERRNO__FORMAT;
	96	}
	97
	98	- if (sec_off + prog_sz > sec_sz) {
	99	+ if (sec_off + prog_sz > sec_sz \|\| sec_off + prog_sz < sec_off) {
	100	pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
	101	sec_name, sec_off);
	102	return -LIBBPF_ERRNO__FORMAT;