On 6/2/26 1:15 AM, [email protected] wrote:
> bpf: Tighten cgroup storage cookie checks for prog arrays
>
> The recent KCTF-reported cgroup local storage issue assigned CVE-2025-38502
> was fixed by commit abad3d0bad72 ("bpf: Fix oob access in cgroup local
> storage"). However, the previous fixes are still incomplete. The current
> prog-array compatibility check treats a program with no cgroup storage as
> compatible with any stored storage cookie. This allows a storage-less
> program to bridge a tail-call chain between an entry program and a
> storage-using callee even though runtime cgroup local storage still
> follows the caller context.
>
> Require exact per-type storage_cookie equality when checking prog-array
> compatibility. This blocks zero-storage bridge programs from joining a
> prog-array owned by a storage-using program and closes the residual
> A -> B(no storage) -> C(storage) path.
>
> This also aligns with Amery Hung's earlier NULL-storage tail-call fix by
> requiring storage use to match consistently across prog-array users.
>
> Cc: [email protected]
> Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
> Tested-by: Amery Hung <[email protected]>
> Signed-off-by: Lin Ma <[email protected]>
> Signed-off-by: Rongzhen Cui <[email protected]>
> Signed-off-by: Jingguo Tan <[email protected]>

Should the Fixes: tag point to abad3d0bad72 instead of 7d9c3427894f?

The code this patch removes is the '|| !cookie' clause in __bpf_prog_map_compatible():

    ret = map->owner->storage_cookie[i] == cookie || !cookie;

That permissive '|| !cookie' clause, which treats a storage-less program as compatible with any stored cookie, was introduced by abad3d0bad72 ("bpf: Fix oob access in cgroup local storage"). The commit referenced by the current tag, 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup"), only added the shared cgroup-storage feature and does not touch __bpf_prog_map_compatible() or add the storage_cookie[] check.

Would this be more accurate?
Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")
Agree. The above fix tag seems better.
This same question was raised on the v1 thread by the bpf-ci review bot (https://lore.kernel.org/bpf/[email protected]/), noting that the patch removes the '|| !cookie' logic introduced in abad3d0bad72 rather than the original shared storage feature. The reply disagreed and kept the tag pointing at 7d9c3427894f in v2, but the reviewer did not acknowledge that explanation, so it may be worth settling before this is applied.

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26806034423
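The following is an added C model of the check the thread is discussing; it is not kernel code and not part of the patch or either review. It assumes two cgroup storage types, a cookie value of 0 meaning "this program uses no storage of that type", a first-user-becomes-owner rule for the prog array, and the helper names `map_compatible()` and `bridge_allowed()`; only the two `return` expressions in the cookie checks mirror what the thread quotes. It replays the A -> B(no storage) -> C(storage) chain against both the permissive clause and the strict equality the patch proposes, so the difference the reviewer is pointing at can be seen directly.

```c
/* Added example: simplified model of the prog-array owner/cookie
 * compatibility check. Struct layouts, STORAGE_TYPES, the ownership
 * rule and the helper names are assumptions for illustration only. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STORAGE_TYPES 2 /* assumption: one shared + one per-cpu slot */

struct prog {
    const char *name;
    uint64_t storage_cookie[STORAGE_TYPES]; /* 0 = no storage of that type */
};

struct prog_array {
    const struct prog *owner; /* assumption: first user of the map */
};

typedef bool (*cookie_check_fn)(uint64_t owner_cookie, uint64_t cookie);

/* The clause the patch removes: a storage-less program (cookie == 0)
 * is accepted regardless of what the owner stored. */
static bool cookie_check_permissive(uint64_t owner_cookie, uint64_t cookie)
{
    return owner_cookie == cookie || !cookie;
}

/* The check the patch proposes: exact per-type equality. */
static bool cookie_check_strict(uint64_t owner_cookie, uint64_t cookie)
{
    return owner_cookie == cookie;
}

/* Assumed model: the first program to reference or join the map becomes
 * its owner; every later program must pass the cookie check for each
 * storage type against that owner. */
static bool map_compatible(struct prog_array *map, const struct prog *p,
                           cookie_check_fn check)
{
    if (!map->owner) {
        map->owner = p;
        return true;
    }
    for (int i = 0; i < STORAGE_TYPES; i++)
        if (!check(map->owner->storage_cookie[i], p->storage_cookie[i]))
            return false;
    return true;
}

/* Replays the chain from the thread. map1 is owned by A (storage) and B
 * (no storage) is inserted into it; C (storage) is inserted into map2
 * first, so C owns it, and B then references map2. Returns true only if
 * every step is accepted, i.e. the bridge A -> B -> C can be built. */
static bool bridge_allowed(cookie_check_fn check)
{
    const struct prog A = { "A", { 0x1111, 0 } };
    const struct prog B = { "B", { 0, 0 } };
    const struct prog C = { "C", { 0x2222, 0 } };
    struct prog_array map1 = { NULL }, map2 = { NULL };

    return map_compatible(&map1, &A, check)   /* A references map1   */
        && map_compatible(&map1, &B, check)   /* B inserted into map1 */
        && map_compatible(&map2, &C, check)   /* C inserted into map2 */
        && map_compatible(&map2, &B, check);  /* B references map2   */
}

int main(void)
{
    printf("permissive '|| !cookie' check allows A->B->C bridge: %s\n",
           bridge_allowed(cookie_check_permissive) ? "yes" : "no");
    printf("strict equality check allows A->B->C bridge:        %s\n",
           bridge_allowed(cookie_check_strict) ? "yes" : "no");
    return 0;
}
```

With the permissive clause, B passes both maps because its cookies are 0, so the storage-less program links an entry program with one cookie to a callee with a different cookie. With strict equality, B is rejected at the first map it tries to join and the bridge never forms.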

