Re: [PATCH] bpf: Tighten cgroup storage cookie checks for prog arrays

[Yonghong Song]

On 6/1/26 2:51 AM, Lin Ma wrote:
> The recent KCTF-reported cgroup local storage issue assigned
> CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
> in cgroup local storage"). That fix addressed the direct mismatch case
> in tail-call chains.
>
> However, the previous fix is still incomplete. The current prog-array
> compatibility check treats a program with no cgroup storage as
> compatible with any stored storage cookie. This allows a storage-less
> program to bridge a tail-call chain between an entry program and a
> storage-using callee even though runtime cgroup local storage still
> follows the caller context.
>
> Require exact per-type storage_cookie equality when checking prog-array
> compatibility. This blocks zero-storage bridge programs from joining a
> prog-array owned by a storage-using program and closes the residual
> A -> B(no storage) -> C(storage) path without relying on partial
> BPF_PROG_TEST_RUN special cases.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
> Signed-off-by: Rongzhen Cui <cuirongzhen@xxxxxxxxxx>
> Signed-off-by: Jingguo Tan <tanjingguo@xxxxxxxxxx>
> Signed-off-by: Lin Ma <malin89@xxxxxxxxxx>

The patch looks okay to me. But can you add a selftest for this?

> ---
>   kernel/bpf/core.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 8b018ff48875..dccd47c92992 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -2459,8 +2459,12 @@ static bool __bpf_prog_map_compatible(struct bpf_map *map,
>   				break;
>   			cookie = aux->cgroup_storage[i] ?
>   				 aux->cgroup_storage[i]->cookie : 0;
> -			ret = map->owner->storage_cookie[i] == cookie ||
> -			      !cookie;
> +			/*
> +			 * Tail calls keep using the caller cgroup storage
> +			 * context, so prog-array members must use the same
> +			 * storage cookie.
> +			 */
> +			ret = map->owner->storage_cookie[i] == cookie;
>   		}
>   		if (ret &&
>   		    map->owner->attach_func_proto != aux->attach_func_proto) {