[PATCH bpf 1/2] bpf: Add return value check for BPF_LSM_CGROUP

From: Xu Kuohai

Date: Sat May 23 2026 - 05:21:42 EST


From: Xu Kuohai <xukuohai@xxxxxxxxxx>

BPF_LSM_CGROUP programs use bpf_set_retval() helper to set the return
value, but the value is not validated. This could cause kernel panic
similar to the bug fixed by commit 5d99e198be27 ("bpf, lsm: Add check
for BPF LSM return value").

Fix it by verifying the argument for bpf_set_retval() falls within the
valid return value range for the target hook.

Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
Reported-by: Quan Sun <2022090917019@xxxxxxxxxxxxxxxx>
Closes: https://lore.kernel.org/all/567d3206-74a5-44e5-99c6-779c425f399e@xxxxxxxxxxxxxxxx
Signed-off-by: Xu Kuohai <xukuohai@xxxxxxxxxx>
---
kernel/bpf/verifier.c | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7fb88e1cd7c4..fe60a695de55 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -10462,6 +10462,9 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
case BPF_FUNC_set_retval:
if (prog_type == BPF_PROG_TYPE_LSM &&
env->prog->expected_attach_type == BPF_LSM_CGROUP) {
+ struct bpf_retval_range range;
+ struct bpf_reg_state *r1 = &regs[BPF_REG_1];
+
if (!env->prog->aux->attach_func_proto->type) {
/* Make sure programs that attach to void
* hooks don't try to modify return value.
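Review bot: `range` is declared here without an initializer and is only filled in by a later call to bpf_lsm_get_retval_range(); if that call can return without setting every field, the subsequent retval_range_within() check would read an indeterminate range. Consider `struct bpf_retval_range range = {};` or making sure the populating call's result is checked before `range` is used. The `r1` alias for `&regs[BPF_REG_1]` is correct for this helper, since bpf_set_retval() takes its value as the first (and only) argument.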
@@ -10469,6 +10472,13 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
verbose(env, "BPF_LSM_CGROUP that attach to void LSM hooks can't modify return value!\n");
return -EINVAL;
}
+
+ bpf_lsm_get_retval_range(env->prog, &range);
+ range.return_32bit = true;
+ if (!retval_range_within(range, r1)) {
+ verbose_invalid_scalar(env, r1, range, "At bpf_set_retval", "R1");
+ return -EINVAL;
+ }
}
break;
case BPF_FUNC_dynptr_data:
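Review bot: the result of `bpf_lsm_get_retval_range(env->prog, &range);` is discarded, so if it reports a failure the range check below still runs against whatever `range` holds. Either check it (for example `if (bpf_lsm_get_retval_range(env->prog, &range)) return -EINVAL;` with a verbose() message) or say in the commit message why it cannot fail for a BPF_LSM_CGROUP program that has already passed the void-hook check above. A one-line comment on `range.return_32bit = true;` noting that bpf_set_retval() takes an int, so only the low 32 bits of R1 are meaningful, would also help the next reader understand why the 32-bit comparison is the right one here.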
--
2.43.0