2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-support/libseccomp/files/0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch b/meta/recipes-support/libseccomp/files/0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch
new file mode 100644
index 0000000000..0d2910846c
--- /dev/null
+++ b/meta/recipes-support/libseccomp/files/0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch
@@ -0,0 +1,37 @@
+From 83a56d74482ef6b6cc9311b14bf9ea23573f5d4e Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Thu, 13 Feb 2025 12:05:17 +0100
+Subject: [PATCH] api: fix seccomp_export_bpf_mem out-of-bounds read
+*len is the length of the destination buffer, but program->blks is
+probably not anywhere near that long.  It's already been checked above
+that BPF_PGM_SIZE(program) is less than or equal to *len, so that's
+the correct value to use here to avoid either reading or writing too
+much.
+I noticed this because tests/11-basic-basic_errors started failing on
+musl after e797591 ("all: add seccomp_precompute() functionality").
+Upstream-Status: Backport [https://github.com/seccomp/libseccomp/commit/dd759e8c4f5685b526638fba9ec4fc24c37c9aec]
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+(imported from commit e8dbc6b555fb936bdfb8ab86f9a45fda96a8b7a2)
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/api.c b/src/api.c
+index adccef3..65a277a 100644
+--- a/src/api.c
+++ b/src/api.c
+@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
+                if (BPF_PGM_SIZE(program) > *len)
+                        rc = _rc_filter(-ERANGE);
+                else
+-                       memcpy(buf, program->blks, *len);
+                       memcpy(buf, program->blks, BPF_PGM_SIZE(program));
+        }
+        *len = BPF_PGM_SIZE(program);
+ 
diff --git a/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb b/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb
index 97988afa27..998f1b5548 100644
--- a/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb
+++ b/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb
@@ -10,6 +10,7 @@ DEPENDS += "gperf-native"
 SRCREV = "c7c0caed1d04292500ed4b9bb386566053eb9775"
 SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.6;protocol=https \
+           file://0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch \
           file://run-ptest \
           "

diff --git a/meta/recipes-support/libseccomp/files/0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch b/meta/recipes-support/libseccomp/files/0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch new file mode 100644 index 0000000000..0d2910846c --- /dev/null +++ b/meta/recipes-support/libseccomp/files/0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch
@@ -0,0 +1,37 @@
		1	From 83a56d74482ef6b6cc9311b14bf9ea23573f5d4e Mon Sep 17 00:00:00 2001
		2	From: Alyssa Ross <hi@alyssa.is>
		3	Date: Thu, 13 Feb 2025 12:05:17 +0100
		4	Subject: [PATCH] api: fix seccomp_export_bpf_mem out-of-bounds read
		5
		6	*len is the length of the destination buffer, but program->blks is
		7	probably not anywhere near that long. It's already been checked above
		8	that BPF_PGM_SIZE(program) is less than or equal to *len, so that's
		9	the correct value to use here to avoid either reading or writing too
		10	much.
		11
		12	I noticed this because tests/11-basic-basic_errors started failing on
		13	musl after e797591 ("all: add seccomp_precompute() functionality").
		14
		15	Upstream-Status: Backport [https://github.com/seccomp/libseccomp/commit/dd759e8c4f5685b526638fba9ec4fc24c37c9aec]
		16	Signed-off-by: Alyssa Ross <hi@alyssa.is>
		17	Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
		18	Signed-off-by: Paul Moore <paul@paul-moore.com>
		19	(imported from commit e8dbc6b555fb936bdfb8ab86f9a45fda96a8b7a2)
		20	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		21	---
		22	src/api.c \| 2 +-
		23	1 file changed, 1 insertion(+), 1 deletion(-)
		24
		25	diff --git a/src/api.c b/src/api.c
		26	index adccef3..65a277a 100644
		27	--- a/src/api.c
		28	+++ b/src/api.c
		29	@@ -786,7 +786,7 @@ API int seccomp_export_bpf_mem(const scmp_filter_ctx ctx, void *buf,
		30	if (BPF_PGM_SIZE(program) > *len)
		31	rc = _rc_filter(-ERANGE);
		32	else
		33	- memcpy(buf, program->blks, *len);
		34	+ memcpy(buf, program->blks, BPF_PGM_SIZE(program));
		35	}
		36	*len = BPF_PGM_SIZE(program);
		37


diff --git a/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb b/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb index 97988afa27..998f1b5548 100644 --- a/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb +++ b/meta/recipes-support/libseccomp/libseccomp_2.6.0.bb
@@ -10,6 +10,7 @@ DEPENDS += "gperf-native"
10	SRCREV = "c7c0caed1d04292500ed4b9bb386566053eb9775"	10	SRCREV = "c7c0caed1d04292500ed4b9bb386566053eb9775"
11		11
12	SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.6;protocol=https \	12	SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.6;protocol=https \
		13	file://0001-api-fix-seccomp_export_bpf_mem-out-of-bounds-read.patch \
13	file://run-ptest \	14	file://run-ptest \
14	"	15	"
15		16