BPF_PSEUDO_BTF_ID is resolved before the main verifier pass. The resolver
looks up the referenced kernel symbol through kallsyms and rewrites the
ldimm64 immediate to the concrete address that later becomes verifier
state.

Require CAP_BPF before doing that materialization. This keeps typed ksym
address resolution on the privileged side and prevents loaders without
CAP_BPF from receiving a verifier log that contains the resolved address.

Fixes: 4976b718c3551 ("bpf: Introduce pseudo_btf_id")
Signed-off-by: Nuoqi Gui <[email protected]>
---
 kernel/bpf/verifier.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ed7ba0e6a9ce..dbf5df995fc2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -17639,6 +17639,11 @@ static int check_pseudo_btf_id(struct bpf_verifier_env 
*env,
        int btf_fd;
        int err;
 
+       if (!env->bpf_capable) {
+               verbose(env, "BPF_PSEUDO_BTF_ID loads require CAP_BPF\n");
+               return -EACCES;
+       }
+
        btf_fd = insn[1].imm;
        if (btf_fd) {
                btf = btf_get_by_fd(btf_fd);
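Review bot: the gate tests env->bpf_capable, which also passes for a CAP_SYS_ADMIN loader, so the verbose message "BPF_PSEUDO_BTF_ID loads require CAP_BPF" and the commit text are slightly narrower than what the check actually enforces; consider wording it as "require CAP_BPF or CAP_SYS_ADMIN" (or "bpf_capable") so the log line matches the condition. Placing the check before `btf_fd = insn[1].imm;` also means the module-BTF path (non-zero btf_fd) is rejected for unprivileged loaders, not only the vmlinux/kallsyms case the commit message describes; it would help to state that in the message since that is the behaviour the hunk introduces.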

-- 
2.34.1
