[PATCH] bpf: crypto: reject unterminated type and algorithm names

Next message: Pengpeng Hou: "[PATCH] tomoyo: reject short exec.envp[] names before suffix checks"
Previous message: Pengpeng Hou: "[PATCH] ARM: setup: NUL-terminate the fpe emulator type"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Fri Apr 17 2026 - 03:32:04 EST

bpf_crypto_ctx_create() validates the overall size of
struct bpf_crypto_params, but it does not verify that the fixed-width
type[14] and algo[128] fields are NUL-terminated before passing them to
string consumers.

A caller can therefore fill either field without a terminator and cause
bpf_crypto_get_type(), has_algo(), or alloc_tfm() to read past the end
of the fixed buffer.

Reject parameter blocks whose type or algorithm name does not contain a
terminating NUL within the advertised field width.

Fixes: 3e1c6f35409f ("bpf: make common crypto API for TC/XDP programs")
Cc: stable@xxxxxxxxxxxxxxx

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
kernel/bpf/crypto.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/kernel/bpf/crypto.c b/kernel/bpf/crypto.c
index 51f89cecefb4..8732689803a6 100644
--- a/kernel/bpf/crypto.c
+++ b/kernel/bpf/crypto.c
@@ -155,6 +155,12 @@ bpf_crypto_ctx_create(const struct bpf_crypto_params *params, u32 params__sz,
return NULL;
}

+ if (strnlen(params->type, sizeof(params->type)) == sizeof(params->type) ||
+ strnlen(params->algo, sizeof(params->algo)) == sizeof(params->algo)) {
+ *err = -EINVAL;
+ return NULL;
+ }
+
type = bpf_crypto_get_type(params->type);
if (IS_ERR(type)) {
*err = PTR_ERR(type);
--
2.50.1 (Apple Git-155)