2 files changed, 103 insertions, 0 deletions
diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
new file mode 100644
index 0000000000..ebfcb94a2f
--- /dev/null
+++ b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
@@ -0,0 +1,102 @@
+From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001
+From: Viktor Malik <vmalik@redhat.com>
+Date: Tue, 15 Apr 2025 17:50:14 +0200
+Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog
+As shown in [1], it is possible to corrupt a BPF ELF file such that
+arbitrary BPF instructions are loaded by libbpf. This can be done by
+setting a symbol (BPF program) section offset to a large (unsigned)
+number such that <section start + symbol offset> overflows and points
+before the section data in the memory.
+Consider the situation below where:
+- prog_start = sec_start + symbol_offset    <-- size_t overflow here
+- prog_end   = prog_start + prog_size
+    prog_start        sec_start        prog_end        sec_end
+        |                |                 |              |
+        v                v                 v              v
+    .....................|################################|............
+The report in [1] also provides a corrupted BPF ELF which can be used as
+a reproducer:
+    $ readelf -S crash
+    Section Headers:
+      [Nr] Name              Type             Address           Offset
+           Size              EntSize          Flags  Link  Info  Align
+    ...
+      [ 2] uretprobe.mu[...] PROGBITS         0000000000000000  00000040
+           0000000000000068  0000000000000000  AX       0     0     8
+    $ readelf -s crash
+    Symbol table '.symtab' contains 8 entries:
+       Num:    Value          Size Type    Bind   Vis      Ndx Name
+    ...
+         6: ffffffffffffffb8   104 FUNC    GLOBAL DEFAULT    2 handle_tp
+Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
+point before the actual memory where section 2 is allocated.
+This is also reported by AddressSanitizer:
+    =================================================================
+    ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
+    READ of size 104 at 0x7c7302fe0000 thread T0
+        #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
+        #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
+        #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
+        #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
+        #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
+        #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
+        #6 0x000000400c16 in main /poc/poc.c:8
+        #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
+        #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
+        #9 0x000000400b34 in _start (/poc/poc+0x400b34)
+    0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
+    allocated by thread T0 here:
+        #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
+        #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
+        #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
+        #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
+The problem here is that currently, libbpf only checks that the program
+end is within the section bounds. There used to be a check
+`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
+removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
+sections to support overriden weak functions").
+Add a check for detecting the overflow of `sec_off + prog_sz` to
+bpf_object__init_prog to fix this issue.
+[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
+Reported-by: lmarch2 <2524158037@qq.com>
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
+CVE: CVE-2025-29481
+Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/libbpf.c b/src/libbpf.c
+index b2591f5..56250b5 100644
+--- a/src/libbpf.c
+++ b/src/libbpf.c
+@@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
+                        return -LIBBPF_ERRNO__FORMAT;
+                }
+ 
+-               if (sec_off + prog_sz > sec_sz) {
+               if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
+                        pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
+                                sec_name, sec_off);
+                        return -LIBBPF_ERRNO__FORMAT;
diff --git a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb b/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb
index 58bb7bca09..45caca0114 100644
--- a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb
+++ b/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib elfutils"
 SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=master \
           file://0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch \
+           file://CVE-2025-29481.patch;striplevel=2 \
 "
 SRCREV = "09b9e83102eb8ab9e540d36b4559c55f3bcdb95d"

diff --git a/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch new file mode 100644 index 0000000000..ebfcb94a2f --- /dev/null +++ b/meta-oe/recipes-kernel/libbpf/files/CVE-2025-29481.patch
@@ -0,0 +1,102 @@
		1	From 806b4e0a9f658d831119cece11a082ba1578b800 Mon Sep 17 00:00:00 2001
		2	From: Viktor Malik <vmalik@redhat.com>
		3	Date: Tue, 15 Apr 2025 17:50:14 +0200
		4	Subject: [PATCH] libbpf: Fix buffer overflow in bpf_object__init_prog
		5
		6	As shown in [1], it is possible to corrupt a BPF ELF file such that
		7	arbitrary BPF instructions are loaded by libbpf. This can be done by
		8	setting a symbol (BPF program) section offset to a large (unsigned)
		9	number such that <section start + symbol offset> overflows and points
		10	before the section data in the memory.
		11
		12	Consider the situation below where:
		13	- prog_start = sec_start + symbol_offset <-- size_t overflow here
		14	- prog_end = prog_start + prog_size
		15
		16	prog_start sec_start prog_end sec_end
		17	\| \| \| \|
		18	v v v v
		19	.....................\|################################\|............
		20
		21	The report in [1] also provides a corrupted BPF ELF which can be used as
		22	a reproducer:
		23
		24	$ readelf -S crash
		25	Section Headers:
		26	[Nr] Name Type Address Offset
		27	Size EntSize Flags Link Info Align
		28	...
		29	[ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
		30	0000000000000068 0000000000000000 AX 0 0 8
		31
		32	$ readelf -s crash
		33	Symbol table '.symtab' contains 8 entries:
		34	Num: Value Size Type Bind Vis Ndx Name
		35	...
		36	6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
		37
		38	Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
		39	point before the actual memory where section 2 is allocated.
		40
		41	This is also reported by AddressSanitizer:
		42
		43	=================================================================
		44	==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
		45	READ of size 104 at 0x7c7302fe0000 thread T0
		46	#0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
		47	#1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
		48	#2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
		49	#3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
		50	#4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
		51	#5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
		52	#6 0x000000400c16 in main /poc/poc.c:8
		53	#7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
		54	#8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
		55	#9 0x000000400b34 in _start (/poc/poc+0x400b34)
		56
		57	0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
		58	allocated by thread T0 here:
		59	#0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
		60	#1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
		61	#2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
		62	#3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
		63
		64	The problem here is that currently, libbpf only checks that the program
		65	end is within the section bounds. There used to be a check
		66	`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
		67	removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
		68	sections to support overriden weak functions").
		69
		70	Add a check for detecting the overflow of `sec_off + prog_sz` to
		71	bpf_object__init_prog to fix this issue.
		72
		73	[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
		74
		75	Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
		76	Reported-by: lmarch2 <2524158037@qq.com>
		77	Signed-off-by: Viktor Malik <vmalik@redhat.com>
		78	Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
		79	Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
		80	Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
		81	Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
		82
		83	CVE: CVE-2025-29481
		84	Upstream-Status: Backport [https://github.com/libbpf/libbpf/commit/806b4e0a9f658d831119cece11a082ba1578b800]
		85	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		86	---
		87	src/libbpf.c \| 2 +-
		88	1 file changed, 1 insertion(+), 1 deletion(-)
		89
		90	diff --git a/src/libbpf.c b/src/libbpf.c
		91	index b2591f5..56250b5 100644
		92	--- a/src/libbpf.c
		93	+++ b/src/libbpf.c
		94	@@ -889,7 +889,7 @@ bpf_object__add_programs(struct bpf_object obj, Elf_Data sec_data,
		95	return -LIBBPF_ERRNO__FORMAT;
		96	}
		97
		98	- if (sec_off + prog_sz > sec_sz) {
		99	+ if (sec_off + prog_sz > sec_sz \|\| sec_off + prog_sz < sec_off) {
		100	pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
		101	sec_name, sec_off);
		102	return -LIBBPF_ERRNO__FORMAT;


diff --git a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb b/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb index 58bb7bca09..45caca0114 100644 --- a/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb +++ b/meta-oe/recipes-kernel/libbpf/libbpf_1.5.0.bb
@@ -10,6 +10,7 @@ DEPENDS = "zlib elfutils"
10		10
11	SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=master \	11	SRC_URI = "git://github.com/libbpf/libbpf.git;protocol=https;branch=master \
12	file://0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch \	12	file://0001-libbpf-check-for-empty-BTF-data-section-in-btf_parse.patch \
		13	file://CVE-2025-29481.patch;striplevel=2 \
13	"	14	"
14	SRCREV = "09b9e83102eb8ab9e540d36b4559c55f3bcdb95d"	15	SRCREV = "09b9e83102eb8ab9e540d36b4559c55f3bcdb95d"
15		16