[Medium] patch libbpf for CVE-2025-29481 (#13383)

jykanase · web-flow · commit a98d6e6bb3e9 · 2025-04-15T18:59:23.000+05:30
diff --git a/SPECS/libbpf/CVE-2025-29481.patch b/SPECS/libbpf/CVE-2025-29481.patch
@@ -0,0 +1,26 @@
+From cad2b9b3001ecc231444782e77a9bfbd9d8f5d13 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Mon, 14 Apr 2025 08:39:11 +0000
+Subject: [PATCH] CVE-2025-29481
+
+Upstream patch reference: https://lore.kernel.org/bpf/20250410073407.131211-1-vmalik@redhat.com/
+---
+ src/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libbpf.c b/src/libbpf.c
+index 2ca30cc..f62a432 100644
+--- a/src/libbpf.c
++++ b/src/libbpf.c
+@@ -816,7 +816,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
+ 			return -LIBBPF_ERRNO__FORMAT;
+ 		}
+ 
+-		if (sec_off + prog_sz > sec_sz) {
++		if (sec_off >= sec_sz || sec_off + prog_sz > sec_sz) {
+ 			pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
+ 				sec_name, sec_off);
+ 			return -LIBBPF_ERRNO__FORMAT;
+-- 
+2.45.2
+
diff --git a/SPECS/libbpf/libbpf.spec b/SPECS/libbpf/libbpf.spec
@@ -1,12 +1,13 @@
 Summary:        Libbpf library
 Name:           libbpf
 Version:        1.0.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        LGPLv2 OR BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/%{name}/%{name}
 Source0:        https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         CVE-2025-29481.patch
 BuildRequires:  elfutils-devel
 BuildRequires:  elfutils-libelf-devel
 BuildRequires:  gcc
@@ -31,7 +32,7 @@ developing applications that use %{name}
 %global make_flags DESTDIR=%{buildroot} OBJDIR=%{_builddir} CFLAGS="%{build_cflags} -fPIC" LDFLAGS="%{build_ldflags} -Wl,--no-as-needed" LIBDIR=/%{_libdir} NO_PKG_CONFIG=1
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %make_build -C ./src %{make_flags}
@@ -50,6 +51,9 @@ find %{buildroot} -type f -name "*.a" -delete -print
 %{_libdir}/pkgconfig/libbpf.pc
 
 %changelog
+* Mon Apr 14 2025 Jyoti Kanase <v-jykanase@microsoft.com> -  1.0.1-2
+- Patch for CVE-2025-29481
+
 * Mon Oct 03 2022 Muhammad Falak <mwani@microsoft.com> - 1.0.1-1
 - Bump version to 1.0.1
 
