CVE-2025-40078

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/10/2025
Last modified:
30/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Explicitly check accesses to bpf_sock_addr

Syzkaller found a kernel warning on the following sock_addr program:

  0: r0 = 0
  1: r2 = *(u32 *)(r1 +60)
  2: exit

which triggers:

  verifier bug: error during ctx access conversion (0)

This is happening because offset 60 in bpf_sock_addr corresponds to an implicit padding of 4 bytes, right after msg_src_ip4. Access to this padding isn't rejected in sock_addr_is_valid_access and it thus later fails to convert the access.

This patch fixes it by explicitly checking the various fields of bpf_sock_addr in sock_addr_is_valid_access.

I checked the other ctx structures and is_valid_access functions and didn't find any other similar cases. Other cases of (properly handled) padding are covered in new tests in a subsequent patch.
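The following is an added example, not code from the Linux kernel or from the fix described above. It shows in user space why a range-style bound on a context struct lets a read of padding through, and how a per-field table rejects it. The struct is an assumed reproduction of the UAPI layout of bpf_sock_addr with offsets computed by offsetof(); the function names range_is_valid_access and explicit_is_valid_access are hypothetical stand-ins for the kernel's sock_addr_is_valid_access, and the permitted read sizes in the table are illustrative rather than copied from the kernel. The sample accesses at the bottom are constructed, with the last one being the syzkaller read *(u32 *)(r1 +60).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed reproduction of the UAPI layout of struct bpf_sock_addr
 * (include/uapi/linux/bpf.h). Offsets come from offsetof(), so the
 * padding the compiler inserts before the 8-byte-aligned sk pointer is
 * exactly what the checks below are measured against.
 */
struct sock_addr_ctx {
    uint32_t user_family;
    uint32_t user_ip4;
    uint32_t user_ip6[4];
    uint32_t user_port;
    uint32_t family;
    uint32_t type;
    uint32_t protocol;
    uint32_t msg_src_ip4;
    uint32_t msg_src_ip6[4];
    /* same 8-byte alignment trick the kernel's __bpf_md_ptr uses */
    _Alignas(8) union { void *ptr; uint64_t pad; } sk;
};

/* One row per named field; allowed is a bitmask of permitted read sizes
 * (1, 2, 4 and 8 are powers of two, so the size itself is the bit).
 * The masks are illustrative, not copied from the kernel. */
struct ctx_field {
    const char *name;
    size_t off, size;
    unsigned allowed;
};

#define FIELD(f, mask) \
    { #f, offsetof(struct sock_addr_ctx, f), sizeof(((struct sock_addr_ctx *)0)->f), (mask) }

static const struct ctx_field fields[] = {
    FIELD(user_family, 4),
    FIELD(user_ip4,    1 | 2 | 4),
    FIELD(user_ip6,    1 | 2 | 4 | 8),
    FIELD(user_port,   4),
    FIELD(family,      4),
    FIELD(type,        4),
    FIELD(protocol,    4),
    FIELD(msg_src_ip4, 1 | 2 | 4),
    FIELD(msg_src_ip6, 1 | 2 | 4 | 8),
    FIELD(sk,          8),
};

static bool size_ok(size_t size)
{
    return size == 1 || size == 2 || size == 4 || size == 8;
}

/* Lax check: any aligned access that stays inside sizeof(ctx) passes.
 * Offset 60 satisfies this even though no field lives there, which is
 * how a padding access can reach the ctx conversion step. */
bool range_is_valid_access(size_t off, size_t size)
{
    if (!size_ok(size) || off % size)
        return false;
    return off + size <= sizeof(struct sock_addr_ctx);
}

/* Explicit check: the access must sit entirely inside one named field
 * and use a size that field permits. Padding belongs to no row of the
 * table, so it is rejected here instead of later. Returns the matching
 * field, or NULL when the access is invalid. */
const struct ctx_field *explicit_is_valid_access(size_t off, size_t size)
{
    if (!size_ok(size) || off % size)
        return NULL;
    for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++) {
        const struct ctx_field *f = &fields[i];
        if (off < f->off || off + size > f->off + f->size)
            continue;               /* not this field */
        return (f->allowed & size) ? f : NULL;
    }
    return NULL;                    /* padding or past the end */
}

int main(void)
{
    /* Constructed sample accesses (offset, size); the last one is the
     * syzkaller read *(u32 *)(r1 +60) from the commit message. */
    const size_t probes[][2] = { {40, 4}, {16, 8}, {26, 2}, {60, 4} };

    printf("sizeof(ctx)=%zu offsetof(sk)=%zu\n",
           sizeof(struct sock_addr_ctx), offsetof(struct sock_addr_ctx, sk));
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        size_t off = probes[i][0], size = probes[i][1];
        const struct ctx_field *f = explicit_is_valid_access(off, size);
        printf("off=%2zu size=%zu  range:%s  explicit:%s\n", off, size,
               range_is_valid_access(off, size) ? "ok " : "rej",
               f ? f->name : "rejected");
    }
    return 0;
}
```

On an LP64 build msg_src_ip6 ends at offset 60 and sk starts at 64, so the 4-byte read at 60 passes the range check but matches no row of the field table. The practical lesson for anyone writing an is_valid_access callback is to enumerate fields with offsetof() and sizeof() rather than bounding on sizeof(ctx): compiler-inserted padding is inside the struct yet has no conversion rule, and a table-driven check makes that gap explicit.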

Impact