[PATCH bpf 0/2] Add return value check for BPF_LSM_CGROUP
From: Xu Kuohai
Date: Sat May 23 2026 - 05:22:49 EST

Quan Sun reported a NULL pointer dereference caused by an invalid return value
of a BPF_LSM_CGROUP program [1].

The cause is that BPF_LSM_CGROUP programs use the bpf_set_retval() helper to
set the return value for the target LSM hook, and the value is not validated,
making any arbitrary value legally accepted.

To fix it, add a return value check for BPF_LSM_CGROUP programs.

[1] https://lore.kernel.org/all/567d3206-74a5-44e5-99c6-779c425f399e@xxxxxxxxxxxxxxxx

Xu Kuohai (2):
  bpf: Add return value check for BPF_LSM_CGROUP
  selftests/bpf: Add return value tests for lsm cgroup

 kernel/bpf/verifier.c                         | 10 +++++
 .../selftests/bpf/progs/verifier_lsm.c        | 45 +++++++++++++++++++
 2 files changed, 55 insertions(+)

--
2.43.0