@mattbobrowski
Contributor

No description provided.

Kernel Patches Daemon and others added 3 commits December 5, 2025 16:59
Provide a strong override for BPF LSM hook
mmap_file() (bpf_lsm_mmap_file()) such that __nullable suffix
parameter semantics (PTR_MAYBE_NULL) can be enforced by the BPF
verifier onto the supplied BPF LSM program context. By doing this we
force BPF LSM programs attached to mmap_file() (bpf_lsm_mmap_file())
to fundamentally have to NULL check the supplied struct file pointer
parameter before attempting to dereference it, and therefore alleviate
the risk of running into trivial NULL pointer dereference bugs, such
as those reported in [0].

[0] https://lore.kernel.org/bpf/[email protected]/

Reported-by: Kaiyan Mei <[email protected]>
Reported-by: Yinhao Hu <[email protected]>
Reviewed-by: Dongliang Mu <[email protected]>
Closes: https://lore.kernel.org/bpf/[email protected]/
Signed-off-by: Matt Bobrowski <[email protected]>

Add a trivial test case asserting that the BPF verifier does enforce
__nullable suffix parameter semantics onto the struct file pointer
parameter of BPF LSM hook bpf_lsm_mmap_file(). Dereferences on this
struct file pointer without performing a NULL check are not to be
permitted by the BPF verifier as a direct dereference on it could very
well lead to a NULL pointer dereference.

Signed-off-by: Matt Bobrowski <[email protected]>
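
Added example, not part of this pull request and not kernel or selftest code: a simplified userspace C model of the rule the two commit messages describe, where a pointer argument marked as possibly NULL cannot be dereferenced until a NULL check has been taken on that path. The one-register instruction set and all names (walk, verify, MAYBE_NULL_PTR, the sample programs) are hypothetical and constructed for illustration.

```c
/* Toy model, constructed for illustration (not kernel code): one register,
 * four opcodes, and a path walker that rejects any load through a pointer
 * that may still be NULL. */
#include <stdbool.h>
#include <stddef.h>

enum reg_type { SCALAR, PTR, MAYBE_NULL_PTR };   /* MAYBE_NULL_PTR models PTR_MAYBE_NULL */
enum opcode { LOAD_ARG, JMP_IF_NULL, DEREF, EXIT };
struct insn { enum opcode op; size_t target; };  /* target: used by JMP_IF_NULL only */

static bool walk(const struct insn *p, size_t len, size_t pc, enum reg_type r)
{
    for (; pc < len; pc++) {
        switch (p[pc].op) {
        case LOAD_ARG:                 /* read the __nullable hook argument */
            r = MAYBE_NULL_PTR;
            break;
        case JMP_IF_NULL:
            if (p[pc].target <= pc)    /* forward jumps only: no loops in this model */
                return false;
            /* Taken branch: the register is NULL there, so it is no pointer. */
            if (r != PTR && !walk(p, len, p[pc].target, SCALAR))
                return false;
            if (r == MAYBE_NULL_PTR)   /* fall-through: proven non-NULL */
                r = PTR;
            break;
        case DEREF:
            if (r != PTR)              /* unchecked or non-pointer: reject */
                return false;
            break;
        case EXIT:
            return true;
        }
    }
    return false;                      /* ran off the end without EXIT */
}

bool verify(const struct insn *p, size_t len) { return walk(p, len, 0, SCALAR); }

/* Constructed sample programs. */
const struct insn unchecked[]    = { {LOAD_ARG, 0}, {DEREF, 0}, {EXIT, 0} };
const struct insn checked[]      = { {LOAD_ARG, 0}, {JMP_IF_NULL, 3}, {DEREF, 0}, {EXIT, 0} };
const struct insn wrong_branch[] = { {LOAD_ARG, 0}, {JMP_IF_NULL, 3}, {EXIT, 0}, {DEREF, 0}, {EXIT, 0} };

int main(void)
{
    bool ok = !verify(unchecked, 3) && verify(checked, 4) && !verify(wrong_branch, 5);
    return ok ? 0 : 1;
}
```

The third program shows why the state is tracked per branch: it performs a NULL check but dereferences on the path where the pointer is known to be NULL, so it is rejected as well.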
@kernel-patches-daemon-bpf kernel-patches-daemon-bpf bot force-pushed the bpf-next_base branch 4 times, most recently from 3119ae5 to 162c0b3 Compare December 14, 2025 03:01