[PATCH] bpf: reject NULL data/sig in bpf_verify_pkcs7_signature
Amery Hung
ameryhung at gmail.com
Tue May 19 20:36:57 UTC 2026
On Tue, May 19, 2026 at 1:09 PM KP Singh <kpsingh at kernel.org> wrote:
>
> __bpf_dynptr_data() can return NULL (FILE dynptrs, any non-contiguous
> backing). bpf_verify_pkcs7_signature() forwards the pointer to
> verify_pkcs7_signature() unchecked, causing a NULL deref in
> asn1_ber_decoder() reachable from a sleepable BPF LSM at lsm.s/bpf.
>
> NULL-check both pointers and reject with -EINVAL. Mirrors the guards
> already in kernel/bpf/crypto.c.
>
> Fixes: 865b0566d8f1 ("bpf: Add bpf_verify_pkcs7_signature() kfunc")
> Reported-by: Xianrui Dong <dongxianrui1 at gmail.com>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
Reviewed-by: Amery Hung <ameryhung at gmail.com>
> ---
> kernel/bpf/helpers.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 2bb60200c266..b5314c9fed3c 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -4241,8 +4241,13 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,
>
> data_len = __bpf_dynptr_size(data_ptr);
> data = __bpf_dynptr_data(data_ptr, data_len);
> + if (!data)
> + return -EINVAL;
> +
> sig_len = __bpf_dynptr_size(sig_ptr);
> sig = __bpf_dynptr_data(sig_ptr, sig_len);
> + if (!sig)
> + return -EINVAL;
>
> return verify_pkcs7_signature(data, data_len, sig, sig_len,
> trusted_keyring->key,
> --
> 2.53.0
>
>
More information about the Linux-security-module-archive
mailing list