[PATCH 02/11] hornet: invert map set check logic
Blaise Boscaccy
bboscaccy at linux.microsoft.com
Thu May 28 03:08:11 UTC 2026
In a multi-map hash verification scenario, a logic bug may have
allowed an attacker to provide duplicate maps to satisfy the hash
check count. Instead, invert the logic to verify each map discretely.
Signed-off-by: Blaise Boscaccy <bboscaccy at linux.microsoft.com>
---
security/hornet/hornet_lsm.c | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/security/hornet/hornet_lsm.c b/security/hornet/hornet_lsm.c
index 516038413f321..35d9522d6bc72 100644
--- a/security/hornet/hornet_lsm.c
+++ b/security/hornet/hornet_lsm.c
@@ -191,7 +191,6 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
struct bpf_map *map;
int i, j;
bool found;
- int covered_count = 0;
security = hornet_bpf_prog_security(prog);
@@ -200,18 +199,18 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
mutex_lock(&prog->aux->used_maps_mutex);
- /* Verify every used_map has a matching signed hash */
- for (j = 0; j < prog->aux->used_map_cnt; j++) {
- map = prog->aux->used_maps[j];
+ /* Verify every signed map exists in used_maps */
+ for (i = 0; i < security->signed_hash_count; i++) {
+ found = false;
+ for (j = 0; j < prog->aux->used_map_cnt; j++) {
+ map = prog->aux->used_maps[j];
- if (!READ_ONCE(map->frozen) || !map->ops->map_get_hash)
- continue;
+ if (!READ_ONCE(map->frozen) || !map->ops->map_get_hash)
+ continue;
- if (map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash))
- continue;
+ if (map->ops->map_get_hash(map, SHA256_DIGEST_SIZE, hash))
+ continue;
- found = false;
- for (i = 0; i < security->signed_hash_count; i++) {
if (memcmp(hash,
&security->signed_hashes[i * SHA256_DIGEST_SIZE],
SHA256_DIGEST_SIZE) == 0) {
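Review bot: the new outer loop walks signed_hashes only, so a frozen used map whose hash matches none of the signed entries is now passed over instead of being rejected. The removed loop walked used_maps and, per its comment ("Verify every used_map has a matching signed hash"), required a match for each such map. If exact correspondence between the signed set and the frozen maps is still the intent, a second pass over used_maps is needed; if extra frozen maps are acceptable, the commit message should say so. Separately, map_get_hash() is now called for every used map once per signed hash while used_maps_mutex is held; hashing each map once before the comparison loop would avoid the repeated work.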
@@ -223,15 +222,10 @@ static int hornet_check_prog_maps(struct bpf_prog *prog)
mutex_unlock(&prog->aux->used_maps_mutex);
return -EPERM;
}
- covered_count++;
}
mutex_unlock(&prog->aux->used_maps_mutex);
- /* Ensure all signed hashes were accounted for */
- if (covered_count != security->signed_hash_count)
- return -EPERM;
-
return 0;
}
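Review bot: with the covered_count comparison removed, the final "return 0" is reached without any map being examined when security->signed_hash_count is 0, because the outer loop body never runs. If an earlier check in hornet_check_prog_maps() (not visible in this hunk) already handles that case, a one-line comment above the loop saying so would help; otherwise an explicit check before taking the mutex is worth adding.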
--
2.53.0