On Thu, 2024-04-11 at 20:27 +0800, Xu Kuohai wrote:
From: Xu Kuohai xukuohai@huawei.com
A bpf prog returning a positive number attached to the file_alloc_security hook will make the kernel panic.
The reason is that the positive number returned by the bpf prog is not a valid errno, and could not be filtered out with IS_ERR, which is used by the file system to check errors. As a result, the file system uses this positive number as a file pointer, causing a panic.
Considering that the hook file_alloc_security never returned a positive number before bpf lsm was introduced, and other bpf lsm hooks may have the same problem, this patch adds an lsm return value check in the bpf verifier to ensure no unpredicted values will be returned by an lsm bpf prog.
Fixes: 520b7aa00d8c ("bpf: lsm: Initialize the BPF LSM hooks")
Reported-by: Xin Liu liuxin350@huawei.com
Signed-off-by: Xu Kuohai xukuohai@huawei.com
Acked-by: Eduard Zingerman eddyz87@gmail.com
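
The failure mode described in the commit message, as an added userspace example that is not code from the patch or the kernel tree: it re-creates the ERR_PTR/IS_ERR convention and shows that a positive hook result passes the IS_ERR check. The names alloc_with_hook, hook_retval_ok and caller_misled are hypothetical, and the [-MAX_ERRNO, 0] range check is an assumption about what a valid return looks like, not the verifier's actual logic.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095  /* same bound the kernel's err.h uses */

/* Userspace copies of the kernel's ERR_PTR/IS_ERR helpers. */
static void *err_ptr(long error) { return (void *)(intptr_t)error; }
static int is_err(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical stand-in for an allocation path that calls an LSM hook:
 * any non-zero hook result is handed back to the caller as ERR_PTR(rc). */
static void *alloc_with_hook(int hook_rc, void *real_object)
{
    if (hook_rc)
        return err_ptr(hook_rc);
    return real_object;
}

/* Assumed validity rule: an int-returning hook may only yield 0 or a
 * negative errno in [-MAX_ERRNO, -1]. */
static int hook_retval_ok(int rc)
{
    return rc >= -MAX_ERRNO && rc <= 0;
}

/* Returns 1 if the hook asked for failure (non-zero rc) but the caller's
 * IS_ERR check would still accept the result as a usable pointer. */
static int caller_misled(int hook_rc)
{
    static int object;  /* constructed placeholder for a real allocation */
    void *p = alloc_with_hook(hook_rc, &object);
    return hook_rc != 0 && !is_err(p);
}

int main(void)
{
    int samples[] = { 0, -13 /* -EACCES */, 1, 4096, -4096 };  /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("rc=%6d  retval_ok=%d  caller_misled=%d\n", samples[i],
               hook_retval_ok(samples[i]), caller_misled(samples[i]));
    return 0;
}
```

Every value that hook_retval_ok rejects is one for which caller_misled returns 1, which is why constraining the return range before the program runs closes the gap.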