CVE-2025-38502

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix oob access in cgroup local storage

Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However, in the runtime context the bpfcgrunctx holds an bpfprogarrayitem which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpfgetlocal_storage() pick this up from the runtime context:

ctx = containerof(current->bpfctx, struct bpfcgrunctx, runctx); storage = ctx->progitem->cgroupstorage[stype];

if (stype == BPFCGROUPSTORAGESHARED) ptr = &READONCE(storage->buf)->data[0]; else ptr = thiscpuptr(storage->percpu_buf);

For the second program which was called from the originally attached one, this means bpfgetlocal_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access.

To fix this issue, we need to extend bpfmapowner with an array of storagecookie[] to match on i) the exact maps from the original program if the second program was using bpfgetlocalstorage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps.