From 580972bf723e4b0eb0648900c4a326a50bbbb569 Mon Sep 17 00:00:00 2001 From: Di Zhu Date: Sun, 26 Sep 2021 12:36:55 +0800 Subject: [PATCH] libbpf: Use SOCK_CLOEXEC when opening the netlink socket Signed-off-by: Di Zhu --- ...CLOEXEC-when-opening-the-netlink-soc.patch | 39 +++++++++++++++++++ libbpf.spec | 13 ++++++- 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100755 backport-0001-libbpf-Use-SOCK_CLOEXEC-when-opening-the-netlink-soc.patch diff --git a/backport-0001-libbpf-Use-SOCK_CLOEXEC-when-opening-the-netlink-soc.patch b/backport-0001-libbpf-Use-SOCK_CLOEXEC-when-opening-the-netlink-soc.patch new file mode 100755 index 0000000..89f7f02 --- /dev/null +++ b/backport-0001-libbpf-Use-SOCK_CLOEXEC-when-opening-the-netlink-soc.patch @@ -0,0 +1,39 @@ +From 456b1cced6ba9b06bf028377236e548ccccfbb60 Mon Sep 17 00:00:00 2001 +From: Di Zhu +Date: Wed, 16 Jun 2021 09:33:27 +0800 +Subject: [PATCH] libbpf: Use SOCK_CLOEXEC when opening the netlink socket + Otherwise, there exists a small window between the opening and closing of the + socket fd where it may leak into processes launched by some other thread. + +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: 949abbe88436 ("libbpf: add function to setup XDP") +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Daniel Borkmann +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/20210317115857.6536-1-memxor@gmail.com + +Conflict:NA +Reference:https://github.com/libbpf/libbpf/commit/bbc65156d75ab64180dbf5f1ae93dd4f1a6d3cc8 +--- + src/netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/netlink.c b/src/netlink.c +index 312f887..c2b251c 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -41,7 +41,7 @@ int libbpf_netlink_open(__u32 *nl_pid) + memset(&sa, 0, sizeof(sa)); + sa.nl_family = AF_NETLINK; + +- sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); ++ sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE); + if (sock < 0) + return -errno; + +-- +2.23.0 + diff --git a/libbpf.spec b/libbpf.spec index d3add41..34042ef 100644 --- a/libbpf.spec +++ b/libbpf.spec @@ -4,7 +4,7 @@ Name: %{githubname} Version: %{githubver} -Release: 1 +Release: 1.h1 Summary: Libbpf library License: LGPLv2 or BSD @@ -12,6 +12,9 @@ URL: https://github.com/%{githubname}/%{githubname} Source: https://github.com/%{githubname}/%{githubname}/archive/v%{githubver}.tar.gz BuildRequires: gcc elfutils-libelf-devel elfutils-devel +#patches +Patch6000: backport-0001-libbpf-Use-SOCK_CLOEXEC-when-opening-the-netlink-soc.patch + # This package supersedes libbpf from kernel-tools, # which has default Epoch: 0. By having Epoch: 1 # this libbpf will take over smoothly @@ -42,7 +45,7 @@ developing applications that use %{name} %global make_flags DESTDIR=%{buildroot} OBJDIR=%{_builddir} CFLAGS="%{build_cflags} -fPIC" LDFLAGS="%{build_ldflags} -Wl,--no-as-needed" LIBDIR=/%{_libdir} NO_PKG_CONFIG=1 %prep -%autosetup -n %{githubfull} +%autosetup -n %{githubfull} -p1 %build %make_build -C ./src %{make_flags} @@ -63,6 +66,12 @@ developing applications that use %{name} %{_libdir}/libbpf.a %changelog +* Sun Sep 26 2021 zhudi - 0.1.1-1.h1 +- Type:bugfix +- CVE: +- SUG:restart +- DESC: add Use SOCK_CLOEXEC when opening the netlink socket + * Wed Oct 28 2020 hubble_zhu - 0.1.1-1 - update libbpf from v0.0.6 to v0.1.1 -- Gitee