| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c099f784-f1bc-4a77-b93e-adf79faca065@huaweicloud.com>
Date: Thu, 25 Dec 2025 19:59:13 +0800
From: Xu Kuohai <xukuohai@...weicloud.com>
To: Yonghong Song <yonghong.song@...ux.dev>, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman
<eddyz87@...il.com>, Puranjay Mohan <puranjay@...nel.org>,
Anton Protopopov <a.s.protopopov@...il.com>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>
Subject: Re: [PATCH bpf-next v2] bpf: arm64: Fix panic due to missing BTI at
indirect jump targets
On 12/24/2025 2:32 AM, Yonghong Song wrote:
[...]
>> +
>> +/*
>> + * This function collects possible indirect jump targets in a BPF program. Since indirect jump
>> + * targets can only be read from indirect arrays used as jump table, it traverses all jump
>> + * tables used by @prog. For each instruction found in the jump tables, it sets the corresponding
>> + * bit in @bitmap.
>> + */
>> +void bpf_prog_collect_indirect_targets(const struct bpf_prog *prog, unsigned long *bitmap)
>> +{
>> + struct bpf_insn_array *insn_array;
>> + struct bpf_map *map;
>> + u32 xlated_off;
>> + int i, j;
>> +
>> + for (i = 0; i < prog->aux->used_map_cnt; i++) {
>> + map = prog->aux->used_maps[i];
>> + if (!is_jump_table(map))
>> + continue;
>> +
>> + insn_array = cast_insn_array(map);
>> + for (j = 0; j < map->max_entries; j++) {
>> + xlated_off = insn_array->values[j].xlated_off;
>> + if (xlated_off == INSN_DELETED)
>> + continue;
>> + if (xlated_off < prog->aux->subprog_start)
>> + continue;
>> + xlated_off -= prog->aux->subprog_start;
>> + if (xlated_off >= prog->len)
>> + continue;
>
> The above codes are duplicated with bpf_prog_update_insn_ptrs().
> Maybe we can have a helper for the above?
>
I tried using function callbacks to factor out the duplicated code,
but the result felt a bit over-engineered. For these two functions,
simple duplication seems clearer and simpler.
>> + __set_bit(xlated_off, bitmap);
>> + }
>> + }
>> +}
>> +
>> +void bpf_prog_set_insn_array_type(struct bpf_map *map, int type)
>> +{
>> + struct bpf_insn_array *insn_array = cast_insn_array(map);
>> +
>> + insn_array->type = type;
>> +}
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index d6b8a77fbe3b..ee6f4ddfbb79 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -20288,6 +20288,12 @@ static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *in
>> return -EINVAL;
>> }
>> + /*
>> + * Explicitly mark this map as a jump table such that it can be
>> + * distinguished later from other instruction arrays
>> + */
>> + bpf_prog_set_insn_array_type(map, BPF_INSN_ARRAY_JUMP_TABLE);
>
> I think we do not need this for now. If a new indirect_jump type is introduced,
> verifier/jit can be adjusted that time if necessary.
>
As Anton noted, even though jump tables are currently the only type
of instruction array, users may still create insn_arrays that are not
used as jump tables. In such cases, there is no need to emit BTIs.
>> +
>> for (i = 0; i < n - 1; i++) {
>> other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
>> env->insn_idx, env->cur_state->speculative);
>
>
>
Powered by blists - more mailing lists