| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <350280f2-275d-42a4-85a8-58156207201c@linux.dev>
Date: Thu, 25 Dec 2025 21:12:43 -0800
From: Yonghong Song <yonghong.song@...ux.dev>
To: Xu Kuohai <xukuohai@...weicloud.com>, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman
<eddyz87@...il.com>, Puranjay Mohan <puranjay@...nel.org>,
Anton Protopopov <a.s.protopopov@...il.com>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>
Subject: Re: [PATCH bpf-next v2] bpf: arm64: Fix panic due to missing BTI at
indirect jump targets
On 12/25/25 3:59 AM, Xu Kuohai wrote:
> On 12/24/2025 2:32 AM, Yonghong Song wrote:
>
> [...]
>
>>> +
>>> +/*
>>> + * This function collects possible indirect jump targets in a BPF
>>> program. Since indirect jump
>>> + * targets can only be read from indirect arrays used as jump
>>> table, it traverses all jump
>>> + * tables used by @prog. For each instruction found in the jump
>>> tables, it sets the corresponding
>>> + * bit in @bitmap.
>>> + */
>>> +void bpf_prog_collect_indirect_targets(const struct bpf_prog *prog,
>>> unsigned long *bitmap)
>>> +{
>>> + struct bpf_insn_array *insn_array;
>>> + struct bpf_map *map;
>>> + u32 xlated_off;
>>> + int i, j;
>>> +
>>> + for (i = 0; i < prog->aux->used_map_cnt; i++) {
>>> + map = prog->aux->used_maps[i];
>>> + if (!is_jump_table(map))
>>> + continue;
>>> +
>>> + insn_array = cast_insn_array(map);
>>> + for (j = 0; j < map->max_entries; j++) {
>>> + xlated_off = insn_array->values[j].xlated_off;
>>> + if (xlated_off == INSN_DELETED)
>>> + continue;
>>> + if (xlated_off < prog->aux->subprog_start)
>>> + continue;
>>> + xlated_off -= prog->aux->subprog_start;
>>> + if (xlated_off >= prog->len)
>>> + continue;
>>
>> The above codes are duplicated with bpf_prog_update_insn_ptrs().
>> Maybe we can have a helper for the above?
>>
>
> I tried using function callbacks to factor out the duplicated code,
> but the result felt a bit over-engineered. For these two functions,
> simple duplication seems clearer and simpler.
I am okay with this then.
>
>>> + __set_bit(xlated_off, bitmap);
>>> + }
>>> + }
>>> +}
>>> +
>>> +void bpf_prog_set_insn_array_type(struct bpf_map *map, int type)
>>> +{
>>> + struct bpf_insn_array *insn_array = cast_insn_array(map);
>>> +
>>> + insn_array->type = type;
>>> +}
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index d6b8a77fbe3b..ee6f4ddfbb79 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -20288,6 +20288,12 @@ static int check_indirect_jump(struct
>>> bpf_verifier_env *env, struct bpf_insn *in
>>> return -EINVAL;
>>> }
>>> + /*
>>> + * Explicitly mark this map as a jump table such that it can be
>>> + * distinguished later from other instruction arrays
>>> + */
>>> + bpf_prog_set_insn_array_type(map, BPF_INSN_ARRAY_JUMP_TABLE);
>>
>> I think we do not need this for now. If a new indirect_jump type is
>> introduced,
>> verifier/jit can be adjusted that time if necessary.
>>
>
> As Anton noted, even though jump tables are currently the only type
> of instruction array, users may still create insn_arrays that are not
> used as jump tables. In such cases, there is no need to emit BTIs.
Okay. Thanks for explanation.
>
>>> +
>>> for (i = 0; i < n - 1; i++) {
>>> other_branch = push_stack(env, env->gotox_tmp_buf->items[i],
>>> env->insn_idx, env->cur_state->speculative);
>>
>>
>>
>
Powered by blists - more mailing lists