From 60d63739cc7bb408f3a2a26760bfe0e35ee7152f Mon Sep 17 00:00:00 2001 From: zhang-mingyi66 Date: Mon, 19 May 2025 21:26:24 +0800 Subject: [PATCH] fix CVE-2024-27050 Signed-off-by: zhang-mingyi66 (cherry picked from commit f426a2a208fe897e145879b8ab9295c756ec7072) --- ...-Use-OPTS_SET-macro-in-bpf_xdp_query.patch | 48 +++++++++++++++++++ libbpf.spec | 8 +++- 2 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch diff --git a/backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch b/backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch new file mode 100644 index 0000000..2032b69 --- /dev/null +++ b/backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch 
@@ -0,0 +1,48 @@ +From a20b60f9713527d46ba03a33c8886646e3c83ee6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Tue, 6 Feb 2024 13:59:22 +0100 +Subject: [PATCH] libbpf: Use OPTS_SET() macro in bpf_xdp_query() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When the feature_flags and xdp_zc_max_segs fields were added to the libbpf +bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro. +This causes libbpf to write to those fields unconditionally, which means +that programs compiled against an older version of libbpf (with a smaller +size of the bpf_xdp_query_opts struct) will have its stack corrupted by +libbpf writing out of bounds. + +The patch adding the feature_flags field has an early bail out if the +feature_flags field is not part of the opts struct (via the OPTS_HAS) +macro, but the patch adding xdp_zc_max_segs does not. For consistency, this +fix just changes the assignments to both fields to use the OPTS_SET() +macro. + +Fixes: 13ce2daa259a ("xsk: add new netlink attribute dedicated for ZC max frags") +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20240206125922.1992815-1-toke@redhat.com + +Conflict:only feature_flags, not xdp_zc_max_segs in v1.2.2 +Reference:https://github.com/libbpf/libbpf/commit/a20b60f9713527d46ba03a33c8886646e3c83ee6 +--- + src/netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/netlink.c b/src/netlink.c +index 84dd5fa..274aef7 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -492,7 +492,7 @@ int bpf_xdp_query(int ifindex, int xdp_flags, struct bpf_xdp_query_opts *opts) + if (err) + return libbpf_err(err); + +- opts->feature_flags = md.flags; ++ OPTS_SET(opts, feature_flags, md.flags); + + skip_feature_flags: + return 0; +-- +2.43.0 + diff --git a/libbpf.spec b/libbpf.spec index ded8cc4..b3adcaf 100644 --- a/libbpf.spec 
+++ b/libbpf.spec @@ -4,7 +4,7 @@ Name: %{githubname} Version: %{githubver} -Release: 8 +Release: 9 Summary: Libbpf library License: LGPLv2 or BSD @@ -29,7 +29,7 @@ Patch0012: backport-libbpf-Fix-segfault-due-to-libelf-functions-not-sett.pa Patch0013: backport-libbpf-Fixed-getting-wrong-return-address-on-arm64-a.patch Patch0014: backport-libbpf-fix-sym_is_subprog-logic-for-weak-global-subp.patch Patch0015: backport-libbpf-move-global-data-mmap-ing-into-bpf_object__lo.patch - +Patch0016: backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch # This package supersedes libbpf from kernel-tools, # which has default Epoch: 0. By having Epoch: 1 @@ -82,6 +82,10 @@ developing applications that use %{name} %{_libdir}/libbpf.a %changelog +* Fri Mar 14 2025 zhangmingyi 2:1.2.2-9 +- backport patch from upstream: + backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch + * Fri Mar 14 2025 zhangmingyi 2:1.2.2-8 - backport patch from upstream: backport-libbpf-Do-not-resolve-size-on-duplicate-FUNCs.patch -- Gitee
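Review bot: in the src/netlink.c hunk of the backported patch (@@ -492,7 +492,7 @@), the description and the change do not line up for this branch. The quoted upstream message says the feature_flags write already sits behind an OPTS_HAS early bail-out, which matches the `skip_feature_flags:` label in the context lines, and that the unguarded write was to xdp_zc_max_segs; the `Conflict:` line says that field is not in v1.2.2. As backported, `OPTS_SET(opts, feature_flags, md.flags);` therefore reads as a consistency change on an assignment that is already guarded. Please confirm the bail-out is present in the 1.2.2 source and state that in the Conflict note, so anyone auditing the "fix CVE-2024-27050" commit can tell whether this tree ever had the out-of-bounds write.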
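Review bot: in the libbpf.spec hunk at @@ -29,7 +29,7 @@, the new `Patch0016:` line replaces the blank line that separated the patch list from the `# This package supersedes libbpf from kernel-tools,` comment, so the comment now runs directly on from the patch entries. Add Patch0016 after Patch0015 and keep the blank line before the comment.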
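Review bot: in the libbpf.spec %changelog hunk (@@ -82,6 +82,10 @@), the new 2:1.2.2-9 entry never names CVE-2024-27050 although the commit subject is "fix CVE-2024-27050", so the fix cannot be found from the package changelog. Put the CVE id in the entry, for example `- fix CVE-2024-27050: backport-libbpf-Use-OPTS_SET-macro-in-bpf_xdp_query.patch`. The entry also carries the same date as the -8 entry (Fri Mar 14 2025) while the commit header is dated 19 May 2025; check which date is intended.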