diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2025-08-29 16:36:56 +0200 | 
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2025-09-09 15:07:57 -0700 | 
| commit | f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14 (patch) | |
| tree | 447aa73fae3b0ae275566d180e0c69913e34f775 /rust/helpers/wait.c | |
| parent | e4414b01c1cd9887bbde92f946c1ba94e40d6d64 (diff) | |
bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Stanislav reported that in bpf_crypto_crypt() the destination dynptr's
size is not validated to be at least as large as the source dynptr's
size before calling into the crypto backend with 'len = src_len'. This
can result in an OOB write when the destination is smaller than the
source.
Concretely, in mentioned function, psrc and pdst are both linear
buffers fetched from each dynptr:
  psrc = __bpf_dynptr_data(src, src_len);
  [...]
  pdst = __bpf_dynptr_data_rw(dst, dst_len);
  [...]
  err = decrypt ?
        ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
        ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);
The crypto backend expects pdst to be large enough with a src_len length
that can be written. Add an additional src_len > dst_len check and bail
out if it's the case. Note that these kfuncs are accessible under root
privileges only.
Fixes: 3e1c6f35409f ("bpf: make common crypto API for TC/XDP programs")
Reported-by: Stanislav Fort <disclosure@aisle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://lore.kernel.org/r/20250829143657.318524-1-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'rust/helpers/wait.c')
0 files changed, 0 insertions, 0 deletions
