Re: [PATCH v2 1/2] bpf: Tighten cgroup storage cookie checks for prog arrays

[Yonghong Song]

On 6/2/26 1:15 AM, bot+bpf-ci@xxxxxxxxxx wrote:
> > bpf: Tighten cgroup storage cookie checks for prog arrays
> >
> > The recent KCTF-reported cgroup local storage issue assigned
> > CVE-2025-38502 was fixed by commit abad3d0bad72 ("bpf: Fix oob access
> > in cgroup local storage").
> >
> > However, the previous fixes are still incomplete. The current prog-array
> > compatibility check treats a program with no cgroup storage as
> > compatible with any stored storage cookie. This allows a storage-less
> > program to bridge a tail-call chain between an entry program and a
> > storage-using callee even though runtime cgroup local storage still
> > follows the caller context.
> >
> > Require exact per-type storage_cookie equality when checking prog-array
> > compatibility. This blocks zero-storage bridge programs from joining a
> > prog-array owned by a storage-using program and closes the residual
> > A -> B(no storage) -> C(storage) path.
> >
> > This also aligns with Amery Hung's earlier NULL-storage tail-call fix by
> > requiring storage use to match consistently across prog-array users.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: 7d9c3427894f ("bpf: Make cgroup storages shared between programs on the same cgroup")
> > Tested-by: Amery Hung <ameryhung@xxxxxxxxx>
> > Signed-off-by: Lin Ma <malin89@xxxxxxxxxx>
> > Signed-off-by: Rongzhen Cui <cuirongzhen@xxxxxxxxxx>
> > Signed-off-by: Jingguo Tan <tanjingguo@xxxxxxxxxx>
> Should the Fixes: tag point to abad3d0bad72 instead of 7d9c3427894f?
>
> The code this patch removes is the '|| !cookie' clause in
> __bpf_prog_map_compatible():
>
>    ret = map->owner->storage_cookie[i] == cookie ||
>          !cookie;
>
> That permissive '|| !cookie' clause, which treats a storage-less program
> as compatible with any stored cookie, was introduced by abad3d0bad72
> ("bpf: Fix oob access in cgroup local storage").
>
> The commit referenced by the current tag, 7d9c3427894f ("bpf: Make
> cgroup storages shared between programs on the same cgroup"), only added
> the shared cgroup-storage feature and does not touch
> __bpf_prog_map_compatible() or add the storage_cookie[] check.
>
> Would this be more accurate?
>
>    Fixes: abad3d0bad72 ("bpf: Fix oob access in cgroup local storage")

Agree. The above fix tag seems better.

> This same question was raised on the v1 thread by the bpf-ci review bot
> (https://lore.kernel.org/bpf/20260601095158.1186318-1-malin89@xxxxxxxxxx/),
> noting that the patch removes the '|| !cookie' logic introduced in
> abad3d0bad72 rather than the original shared storage feature.  The reply
> disagreed and kept the tag pointing at 7d9c3427894f in v2, but the
> reviewer did not acknowledge that explanation, so it may be worth
> settling before this is applied.
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26806034423