Unverified Commit 49b18315 authored May 20, 2026 by KP Singh Committed by Kumar Kartikeya Dwivedi May 20, 2026

bpf: Reject NULL data/sig in bpf_verify_pkcs7_signature



__bpf_dynptr_data() can return NULL (FILE dynptrs, any non-contiguous
backing). bpf_verify_pkcs7_signature() forwards the pointer to
verify_pkcs7_signature() unchecked, causing a NULL deref in
asn1_ber_decoder() reachable from a sleepable BPF LSM at lsm.s/bpf.

NULL-check both pointers and reject with -EINVAL. Mirrors the guards
already in kernel/bpf/crypto.c.

Fixes: 865b0566 ("bpf: Add bpf_verify_pkcs7_signature() kfunc")
Reported-by: Xianrui Dong <dongxianrui1@gmail.com>
Signed-off-by: KP Singh <kpsingh@kernel.org>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Song Liu <song@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20260520024059.313468-1-kpsingh@kernel.org


Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>

parent 201166d7

kernel/bpf/helpers.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -4241,8 +4241,13 @@ __bpf_kfunc int bpf_verify_pkcs7_signature(struct bpf_dynptr *data_p,

		data_len = __bpf_dynptr_size(data_ptr);
		data = __bpf_dynptr_data(data_ptr, data_len);
		if (!data)
		return -EINVAL;

		sig_len = __bpf_dynptr_size(sig_ptr);
		sig = __bpf_dynptr_data(sig_ptr, sig_len);
		if (!sig)
		return -EINVAL;

		return verify_pkcs7_signature(data, data_len, sig, sig_len,
		trusted_keyring->key,

tools/testing/selftests/bpf/prog_tests/kfunc_dynptr_param.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -14,7 +14,7 @@ static struct {
		const char *prog_name;
		int expected_runtime_err;
		} kfunc_dynptr_tests[] = {
		{"dynptr_data_null", -EBADMSG},
		{"dynptr_data_null", -EINVAL},
		};

		static bool kfunc_not_supported;