Hi Greg,
Please cherry-pick this patch series into 5.10.y stable. It includes a feature that fixes CVE-2022-0500, which allows a user with cap_bpf privileges to get root privileges. The patch that fixes the bug is
patch 6/8: bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM
The rest are the dependencies required by the fix patch.
This patchset has been merged in mainline v5.17 and backported to v5.16[1] and v5.15[2].
Tested by compiling, building and running the bpf selftest test_progs.
Before:

./test_progs -t ksyms_btf/write_check
test_ksyms_btf:PASS:btf_exists 0 nsec
test_write_check:FAIL:skel_open unexpected load of a prog writing to ksym memory
#44/3 write_check:FAIL
#44 ksyms_btf:FAIL
Summary: 0/0 PASSED, 0 SKIPPED, 2 FAILED

After:

./test_progs -t ksyms_btf/write_check
#44/3 write_check:OK
#44 ksyms_btf:OK
Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
[1] https://lore.kernel.org/all/Yg6cixLJFoxDmp+I@kroah.com/
[2] https://lore.kernel.org/all/Ymupcl2JshcWjmMD@kroah.com/

Hao Luo (8):
  bpf: Introduce composable reg, ret and arg types.
  bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL
  bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL
  bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL
  bpf: Introduce MEM_RDONLY flag
  bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.
  bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
  bpf/selftests: Test PTR_TO_RDONLY_MEM

 include/linux/bpf.h                                |  98 +++-
 include/linux/bpf_verifier.h                       |  18 +
 kernel/bpf/btf.c                                   |   8 +-
 kernel/bpf/cgroup.c                                |   2 +-
 kernel/bpf/helpers.c                               |  10 +-
 kernel/bpf/map_iter.c                              |   4 +-
 kernel/bpf/ringbuf.c                               |   2 +-
 kernel/bpf/verifier.c                              | 477 +++++++++---------
 kernel/trace/bpf_trace.c                           |  22 +-
 net/core/bpf_sk_storage.c                          |   2 +-
 net/core/filter.c                                  |  62 +--
 net/core/sock_map.c                                |   2 +-
 .../selftests/bpf/prog_tests/ksyms_btf.c           |  14 +
 .../bpf/progs/test_ksyms_btf_write_check.c         |  29 ++
 14 files changed, 441 insertions(+), 309 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_ksyms_btf_write_check.c