[PATCH] bpf: reject NULL data/sig in bpf_verify_pkcs7_signature

Song Liu song at kernel.org
Tue May 19 20:54:26 UTC 2026


On Tue, May 19, 2026 at 1:14 PM KP Singh <kpsingh at kernel.org> wrote:
>
> __bpf_dynptr_data() can return NULL (FILE dynptrs, any non-contiguous
> backing). bpf_verify_pkcs7_signature() forwards the pointer to
> verify_pkcs7_signature() unchecked, causing a NULL deref in
> asn1_ber_decoder() reachable from a sleepable BPF LSM at lsm.s/bpf.
>
> NULL-check both pointers and reject with -EINVAL. Mirrors the guards
> already in kernel/bpf/crypto.c.
>
> Fixes: 865b0566d8f1 ("bpf: Add bpf_verify_pkcs7_signature() kfunc")
> Reported-by: Xianrui Dong <dongxianrui1 at gmail.com>
> Signed-off-by: KP Singh <kpsingh at kernel.org>

Acked-by: Song Liu <song at kernel.org>
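
A user-space C model of the failure mode and the guard described in the commit message above, added here as an illustration; it is not the kernel patch or code from this thread. All `model_*` names, the `backing` enum and the sample bytes are hypothetical stand-ins for the kernel symbols the message names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum backing { BACKING_CONTIGUOUS, BACKING_FILE };  /* constructed dynptr kinds */

struct model_dynptr {
    enum backing kind;
    const uint8_t *buf;   /* only meaningful for contiguous backing */
    uint32_t size;
};

/* Stand-in for __bpf_dynptr_data(): NULL when no linear buffer is available. */
static const void *model_dynptr_data(const struct model_dynptr *p, uint32_t len)
{
    if (p->kind != BACKING_CONTIGUOUS || len > p->size)
        return NULL;
    return p->buf;
}

/* Stand-in for the PKCS#7/ASN.1 path: reads the first signature byte without
 * checking the pointer, as a decoder that trusts its caller does. */
static int model_verify(const void *data, uint32_t dlen, const void *sig, uint32_t slen)
{
    const uint8_t *s = sig;
    (void)data; (void)dlen;
    return (slen > 0 && s[0] == 0x30) ? 0 : -EBADMSG;  /* 0x30 = ASN.1 SEQUENCE tag */
}

/* Guarded wrapper: reject a NULL from either accessor before forwarding. */
int model_verify_pkcs7(const struct model_dynptr *data_p, const struct model_dynptr *sig_p)
{
    const void *data = model_dynptr_data(data_p, data_p->size);
    const void *sig = model_dynptr_data(sig_p, sig_p->size);

    if (!data || !sig)
        return -EINVAL;
    return model_verify(data, data_p->size, sig, sig_p->size);
}

/* Build two dynptrs over constructed sample bytes and run the guarded path. */
int model_case(enum backing data_kind, enum backing sig_kind)
{
    static const uint8_t payload[] = { 'd', 'a', 't', 'a' };   /* constructed */
    static const uint8_t sigblob[] = { 0x30, 0x03, 0x02, 0x01, 0x01 }; /* constructed */
    struct model_dynptr d = { data_kind, payload, sizeof(payload) };
    struct model_dynptr s = { sig_kind, sigblob, sizeof(sigblob) };
    return model_verify_pkcs7(&d, &s);
}

int main(void)
{
    printf("contiguous: %d\n", model_case(BACKING_CONTIGUOUS, BACKING_CONTIGUOUS));
    printf("file sig:   %d\n", model_case(BACKING_CONTIGUOUS, BACKING_FILE));
    return 0;
}
```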