[PATCH v2] bpf: reject NULL data/sig in bpf_verify_pkcs7_signature

Kumar Kartikeya Dwivedi memxor at gmail.com
Wed May 20 03:23:46 UTC 2026


On Wed May 20, 2026 at 4:40 AM CEST, KP Singh wrote:
> __bpf_dynptr_data() can return NULL (FILE dynptrs, any non-contiguous
> backing). bpf_verify_pkcs7_signature() forwards the pointer to
> verify_pkcs7_signature() unchecked, causing a NULL deref in
> asn1_ber_decoder() reachable from a sleepable BPF LSM at lsm.s/bpf.
>
> NULL-check both pointers and reject with -EINVAL. Mirrors the guards
> already in kernel/bpf/crypto.c.
>
> Fixes: 865b0566d8f1 ("bpf: Add bpf_verify_pkcs7_signature() kfunc")
> Reported-by: Xianrui Dong <dongxianrui1 at gmail.com>
> Signed-off-by: KP Singh <kpsingh at kernel.org>
> ---

Added missing acks before pushing.

> [...]
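The guard described in the quoted commit message, modelled in userspace C as an added example (it is not the patch, not kernel code, and not part of the thread). Every `model_*` and `demo_*` name, the dynptr model and the sample bytes are hypothetical stand-ins constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace model only: every model_* / demo_* name is hypothetical, not kernel API. */
enum model_dynptr_type { MODEL_DYNPTR_LOCAL, MODEL_DYNPTR_FILE };
struct model_dynptr {
    enum model_dynptr_type type;
    const uint8_t *buf;  /* contiguous backing, NULL when there is none */
    size_t size;
};

/* Models the accessor: no contiguous backing means no pointer to return. */
static const uint8_t *model_dynptr_data(const struct model_dynptr *p, size_t len)
{
    if (p->type == MODEL_DYNPTR_FILE || len > p->size)
        return NULL;
    return p->buf;
}

/* Stand-in for the signature parser: it reads sig[0], so a NULL sig would fault here. */
static int model_parse_and_verify(const uint8_t *data, size_t data_len,
                                  const uint8_t *sig, size_t sig_len)
{
    (void)data; (void)data_len;
    if (sig_len < 2)
        return -EBADMSG;
    return sig[0] == 0x30 ? 0 : -EBADMSG;  /* 0x30: DER SEQUENCE tag */
}

/* Guarded entry point: reject before either pointer reaches the parser. */
int model_verify_signature(const struct model_dynptr *data_p,
                           const struct model_dynptr *sig_p)
{
    const uint8_t *data = model_dynptr_data(data_p, data_p->size);
    const uint8_t *sig = model_dynptr_data(sig_p, sig_p->size);
    if (!data || !sig)
        return -EINVAL;
    return model_parse_and_verify(data, data_p->size, sig, sig_p->size);
}

/* Constructed sample inputs. */
const uint8_t demo_payload[] = { 'd', 'a', 't', 'a' };
const uint8_t demo_sig[] = { 0x30, 0x00 };
const struct model_dynptr demo_mem_data = { MODEL_DYNPTR_LOCAL, demo_payload, sizeof(demo_payload) };
const struct model_dynptr demo_mem_sig = { MODEL_DYNPTR_LOCAL, demo_sig, sizeof(demo_sig) };
const struct model_dynptr demo_file = { MODEL_DYNPTR_FILE, NULL, 4096 };

int main(void) { return model_verify_signature(&demo_mem_data, &demo_file) == -EINVAL ? 0 : 1; }
```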
