[PATCH] bpf: reject NULL data/sig in bpf_verify_pkcs7_signature
Daniel Borkmann
daniel at iogearbox.net
Tue May 19 22:44:05 UTC 2026
On 5/19/26 10:09 PM, KP Singh wrote:
> __bpf_dynptr_data() can return NULL (FILE dynptrs, any non-contiguous
> backing). bpf_verify_pkcs7_signature() forwards the pointer to
> verify_pkcs7_signature() unchecked, causing a NULL deref in
> asn1_ber_decoder() reachable from a sleepable BPF LSM at lsm.s/bpf.
>
> NULL-check both pointers and reject with -EINVAL. Mirrors the guards
> already in kernel/bpf/crypto.c.
>
> Fixes: 865b0566d8f1 ("bpf: Add bpf_verify_pkcs7_signature() kfunc")
> Reported-by: Xianrui Dong <dongxianrui1 at gmail.com>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
Acked-by: Daniel Borkmann <daniel at iogearbox.net>
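
The guard described in the quoted commit message, as an added example that is not part of the original thread or of the kernel patch. It is a userspace C model: every model_* name, the two backing types and the sample bytes are constructed assumptions, and model_parse() stands in for verify_pkcs7_signature().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model; every model_* name is hypothetical, not kernel code. */
enum model_type { MODEL_LOCAL, MODEL_FILE };   /* MODEL_FILE: no contiguous backing */
struct model_dynptr { enum model_type type; const uint8_t *buf; size_t len; };

/* Stand-in for __bpf_dynptr_data(): NULL when the bytes are not directly addressable. */
static const uint8_t *model_dynptr_data(const struct model_dynptr *p)
{
    return p->type == MODEL_FILE ? NULL : p->buf;
}

/* Stand-in for the parser: it reads the first tag byte at once, so NULL must never reach it. */
static int model_parse(const uint8_t *sig, size_t slen)
{
    return (slen >= 2 && sig[0] == 0x30) ? 0 : -EBADMSG;   /* 0x30 = ASN.1 SEQUENCE */
}

/* The guard from the commit message: check both pointers, reject with -EINVAL. */
int model_verify(const struct model_dynptr *data_p, const struct model_dynptr *sig_p)
{
    const uint8_t *data = model_dynptr_data(data_p);
    const uint8_t *sig = model_dynptr_data(sig_p);

    if (!data || !sig)
        return -EINVAL;
    return model_parse(sig, sig_p->len);
}

/* Constructed inputs: build both dynptrs with the given backing types and verify. */
int model_case(enum model_type data_type, enum model_type sig_type)
{
    static const uint8_t payload[] = "constructed payload";
    static const uint8_t sig[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
    struct model_dynptr d = { data_type, payload, sizeof(payload) };
    struct model_dynptr s = { sig_type, sig, sizeof(sig) };

    return model_verify(&d, &s);
}

int main(void)
{
    printf("local/local=%d file/local=%d local/file=%d\n",
           model_case(MODEL_LOCAL, MODEL_LOCAL), model_case(MODEL_FILE, MODEL_LOCAL),
           model_case(MODEL_LOCAL, MODEL_FILE));
    return 0;
}
```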