[PATCH 01/11] hornet: fix TOCTOU in signed program verification

Fan Wu wufan at kernel.org
Tue Jun 2 04:01:34 UTC 2026


On Mon, Jun 1, 2026 at 8:26 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Fri, May 29, 2026 at 9:11 PM Fan Wu <wufan at kernel.org> wrote:
> > On Wed, May 27, 2026 at 8:09 PM Blaise Boscaccy
> > <bboscaccy at linux.microsoft.com> wrote:
> > >
> > > The signature verification path was vulnerable to a time-of-check vs
> > > time-of-use race at both the program load and program run hook sites:
> > > between the moment a map's contents were hashed for signature
> > > verification and the moment the program run hook re-verified them, an
> > > attacker with sufficient privileges could swap or mutate the map
> > > contents.
> > >
> > > Close the race by snapshotting the map hashes during program load,
> > > attaching them to the program, and re-verifying them from the
> > > security_bpf_prog hook against prog->aux->used_maps. Because used_maps
> > > is the same map set the verifier and runtime resolve against, there is
> > > no longer a window in which the verified set and the executed set can
> > > diverge.
> > >
> > > Since we are no longer targeting the fd_array passed in, drop the map
> > > index data entirely and check for whether or not the set of requested
> > > map hashes is a subset of prog->aux->used_maps.
> > >
> > > Reported-by: Eric Biggers <ebiggers at kernel.org>
> > > Signed-off-by: Blaise Boscaccy <bboscaccy at linux.microsoft.com>
> > > ---
...
> > similar above, they should be removed for the header and for the ipe policy.
>
> I would prefer to see LSM_INT_VERDICT_FAULT preserved as I think it is
> good to have a verdict indicating a general error in the integrity
> verification code, but I do agree with Fan that removing
> VERDICT_UNEXPECTED is probably a good thing to do.
>
> If Fan is insistent on removal of VERDICT_FAULT from the IPE code
> that's fine, just leave it in the LSM header.
>
> Can you get a patch out for this ASAP Blaise?
>
> --
> paul-moore.com

I'm good with keeping LSM_INT_VERDICT_FAULT.

-Fan
