diff options
Diffstat (limited to 'meta-oe/recipes-kernel/libbpf')
| -rw-r--r-- | meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch | 43 | ||||
| -rw-r--r-- | meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch | 102 | ||||
| -rw-r--r-- | meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb (renamed from meta-oe/recipes-kernel/libbpf/libbpf_1.4.2.bb) | 9 |
3 files changed, 151 insertions, 3 deletions
diff --git a/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch new file mode 100644 index 0000000000..873995b644 --- /dev/null +++ b/meta-oe/recipes-kernel/libbpf/files/0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | From ff2eb6e134ebfc225b97b46182af3cc58ed481f6 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Changqing Li <changqing.li@windriver.com> | ||
| 3 | Date: Thu, 10 Apr 2025 11:50:04 +0800 | ||
| 4 | Subject: [PATCH] libbpf: check for empty BTF data section in btf_parse_elf | ||
| 5 | |||
| 6 | A valid ELF file may contain a SHT_NOBITS .BTF section. This case is | ||
| 7 | not handled correctly in btf_parse_elf, which leads to a segfault. | ||
| 8 | |||
| 9 | Add a null check for a buffer returned by elf_getdata() before | ||
| 10 | proceeding with its processing. | ||
| 11 | |||
| 12 | Bug report: https://github.com/libbpf/libbpf/issues/894 | ||
| 13 | |||
| 14 | Signed-off-by: Ihor Solodrai <ihor.solodrai@linux.dev> | ||
| 15 | Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com> | ||
| 16 | |||
| 17 | Upstream-Status: Backport [https://github.com/kernel-patches/bpf-rc/commit/b02b669fd9398d246c8c9ae901c0d8f5bb36a588] | ||
| 18 | |||
| 19 | Signed-off-by: Changqing Li <changqing.li@windriver.com> | ||
| 20 | --- | ||
| 21 | btf.c | 6 ++++++ | ||
| 22 | 1 file changed, 6 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/btf.c b/btf.c | ||
| 25 | index e9673c0e..21d38dcf 100644 | ||
| 26 | --- a/btf.c | ||
| 27 | +++ b/btf.c | ||
| 28 | @@ -1199,6 +1199,12 @@ static struct btf *btf_parse_elf(const char *path, struct btf *base_btf, | ||
| 29 | goto done; | ||
| 30 | } | ||
| 31 | |||
| 32 | + if (!secs.btf_data->d_buf) { | ||
| 33 | + pr_warn("BTF data is empty in %s\n", path); | ||
| 34 | + err = -ENODATA; | ||
| 35 | + goto done; | ||
| 36 | + } | ||
| 37 | + | ||
| 38 | if (secs.btf_base_data) { | ||
| 39 | dist_base_btf = btf_new(secs.btf_base_data->d_buf, secs.btf_base_data->d_size, | ||
| 40 | NULL); | ||
| 41 | -- | ||
| 42 | 2.34.1 | ||
| 43 | |||
diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch new file mode 100644 index 0000000000..ebfcb94a2f --- /dev/null +++ b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch | |||
| @@ -0,0 +1,102 @@ | |||
| 1 | From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Viktor Malik <vmalik@redhat.com> | ||
| 3 | Date: Tue, 15 Apr 2025 17:50:14 +0200 | ||
| 4 | Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog | ||
| 5 | |||
| 6 | As shown in [1], it is possible to corrupt a BPF ELF file such that | ||
| 7 | arbitrary BPF instructions are loaded by libbpf. This can be done by | ||
| 8 | setting a symbol (BPF program) section offset to a large (unsigned) | ||
| 9 | number such that <section start + symbol offset> overflows and points | ||
| 10 | before the section data in the memory. | ||
| 11 | |||
| 12 | Consider the situation below where: | ||
| 13 | - prog_start = sec_start + symbol_offset <-- size_t overflow here | ||
| 14 | - prog_end = prog_start + prog_size | ||
| 15 | |||
| 16 | prog_start sec_start prog_end sec_end | ||
| 17 | | | | | | ||
| 18 | v v v v | ||
| 19 | .....................|################################|............ | ||
| 20 | |||
| 21 | The report in [1] also provides a corrupted BPF ELF which can be used as | ||
| 22 | a reproducer: | ||
| 23 | |||
| 24 | $ readelf -S crash | ||
| 25 | Section Headers: | ||
| 26 | [Nr] Name Type Address Offset | ||
| 27 | Size EntSize Flags Link Info Align | ||
| 28 | ... | ||
| 29 | [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040 | ||
| 30 | 0000000000000068 0000000000000000 AX 0 0 8 | ||
| 31 | |||
| 32 | $ readelf -s crash | ||
| 33 | Symbol table '.symtab' contains 8 entries: | ||
| 34 | Num: Value Size Type Bind Vis Ndx Name | ||
| 35 | ... | ||
| 36 | 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp | ||
| 37 | |||
| 38 | Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will | ||
| 39 | point before the actual memory where section 2 is allocated. | ||
| 40 | |||
| 41 | This is also reported by AddressSanitizer: | ||
| 42 | |||
| 43 | ================================================================= | ||
| 44 | ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490 | ||
| 45 | READ of size 104 at 0x7c7302fe0000 thread T0 | ||
| 46 | #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76) | ||
| 47 | #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856 | ||
| 48 | #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928 | ||
| 49 | #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930 | ||
| 50 | #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067 | ||
| 51 | #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090 | ||
| 52 | #6 0x000000400c16 in main /poc/poc.c:8 | ||
| 53 | #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4) | ||
| 54 | #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667) | ||
| 55 | #9 0x000000400b34 in _start (/poc/poc+0x400b34) | ||
| 56 | |||
| 57 | 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8) | ||
| 58 | allocated by thread T0 here: | ||
| 59 | #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b) | ||
| 60 | #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600) | ||
| 61 | #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018) | ||
| 62 | #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740 | ||
| 63 | |||
| 64 | The problem here is that currently, libbpf only checks that the program | ||
| 65 | end is within the section bounds. There used to be a check | ||
| 66 | `while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was | ||
| 67 | removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program | ||
| 68 | sections to support overriden weak functions"). | ||
| 69 | |||
| 70 | Add a check for detecting the overflow of `sec_off + prog_sz` to | ||
| 71 | bpf_object__init_prog to fix this issue. | ||
| 72 | |||
| 73 | [1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md | ||
| 74 | |||
| 75 | Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions") | ||
| 76 | Reported-by: lmarch2 <2524158037@qq.com> | ||
| 77 | Signed-off-by: Viktor Malik <vmalik@redhat.com> | ||
| 78 | Signed-off-by: Andrii Nakryiko <andrii@kernel.org> | ||
| 79 | Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com> | ||
| 80 | Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md | ||
| 81 | Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com | ||
| 82 | |||
| 83 | CVE: CVE-2025-29481 | ||
| 84 | Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800] | ||
| 85 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 86 | --- | ||
| 87 | src/libbpf.c | 2 +- | ||
| 88 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
| 89 | |||
| 90 | diff --git a/src/libbpf.c b/src/libbpf.c | ||
| 91 | index b2591f5..56250b5 100644 | ||
| 92 | --- a/src/libbpf.c | ||
| 93 | +++ b/src/libbpf.c | ||
| 94 | @@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data, | ||
| 95 | return -LIBBPF_ERRNO__FORMAT; | ||
| 96 | } | ||
| 97 | |||
| 98 | - if (sec_off + prog_sz > sec_sz) { | ||
| 99 | + if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) { | ||
| 100 | pr_warn("sec '%s': program at offset %zu crosses section boundary\n", | ||
| 101 | sec_name, sec_off); | ||
| 102 | return -LIBBPF_ERRNO__FORMAT; | ||
diff --git a/meta-oe/recipes-kernel/libbpf/libbpf_1.4.2.bb b/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb index 928482ba36..36312c386b 100644 --- a/meta-oe/recipes-kernel/libbpf/libbpf_1.4.2.bb +++ b/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb | |||
| @@ -8,13 +8,16 @@ LIC_FILES_CHKSUM = "file://../LICENSE.LGPL-2.1;md5=b370887980db5dd40659b50909238 | |||
| 8 | 8 | ||
| 9 | DEPENDS = "zlib elfutils" | 9 | DEPENDS = "zlib elfutils" |
| 10 | 10 | ||
| 11 | SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=libbpf-1.4.2" | 11 | SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=master \ |
| 12 | SRCREV = "1b357586a7a62db7fe27af4ebe4bdefe6986cfd6" | 12 | file://0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch \ |
| 13 | file://CVE-2025-29481.patch;striplevel=2 \ | ||
| 14 | " | ||
| 15 | SRCREV = "09b9e83102eb8ab9e540d36b4559c55f3bcdb95d" | ||
| 13 | 16 | ||
| 14 | PACKAGE_ARCH = "${MACHINE_ARCH}" | 17 | PACKAGE_ARCH = "${MACHINE_ARCH}" |
| 15 | COMPATIBLE_HOST = "(x86_64|i.86|arm|aarch64|riscv64|powerpc|powerpc64|mips64).*-linux" | 18 | COMPATIBLE_HOST = "(x86_64|i.86|arm|aarch64|riscv64|powerpc|powerpc64|mips64).*-linux" |
| 16 | 19 | ||
| 17 | S = "${WORKDIR}/git/src" | 20 | S = "${UNPACKDIR}/${BP}/src" |
| 18 | 21 | ||
| 19 | EXTRA_OEMAKE += "DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir}" | 22 | EXTRA_OEMAKE += "DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir}" |
| 20 | EXTRA_OEMAKE:append:class-native = " UAPIDIR=${includedir}" | 23 | EXTRA_OEMAKE:append:class-native = " UAPIDIR=${includedir}" |