lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <1dc18b13-af48-47d4-afdc-35b31410eea8@linux.dev>
Date: Tue, 20 Jan 2026 16:35:26 -0800
From: Ihor Solodrai <ihor.solodrai@...ux.dev>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
 Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>,
 Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman
 <eddyz87@...il.com>, Mykyta Yatsenko <yatsenko@...a.com>,
 Tejun Heo <tj@...nel.org>, Alan Maguire <alan.maguire@...cle.com>,
 Benjamin Tissoires <bentiss@...nel.org>, Jiri Kosina <jikos@...nel.org>,
 Amery Hung <ameryhung@...il.com>, bpf <bpf@...r.kernel.org>,
 LKML <linux-kernel@...r.kernel.org>,
 "open list:HID CORE LAYER" <linux-input@...r.kernel.org>,
 sched-ext@...ts.linux.dev
Subject: Re: [PATCH bpf-next v3 03/13] bpf: Verifier support for
 KF_IMPLICIT_ARGS

On 1/20/26 4:30 PM, Alexei Starovoitov wrote:
> On Tue, Jan 20, 2026 at 2:27 PM Ihor Solodrai <ihor.solodrai@...ux.dev> wrote:
>>
>> Introduction of KF_IMPLICIT_ARGS revealed an issue with zero-extension
>> tracking, because an explicit rX = 0 in place of the verifier-supplied
>> argument is now absent if the arg is implicit (the BPF prog doesn't
>> pass a dummy NULL anymore). To mitigate this, reset the subreg_def of
>> all caller saved registers in check_kfunc_call() [1].
>>
>> [1] https://lore.kernel.org/bpf/b4a760ef828d40dac7ea6074d39452bb0dc82caa.camel@gmail.com/
> 
> ...
> 
>> -       for (i = 0; i < CALLER_SAVED_REGS; i++)
>> -               mark_reg_not_init(env, regs, caller_saved[i]);
>> +       for (i = 0; i < CALLER_SAVED_REGS; i++) {
>> +               u32 regno = caller_saved[i];
>> +
>> +               mark_reg_not_init(env, regs, regno);
>> +               regs[regno].subreg_def = DEF_NOT_SUBREG;
>> +       }
> 
> I'm reading that no follow up is necessary anymore and
> the new selftests cover this part automatically.

With respect to this series, the hunk above is good enough.

But we haven't tracked down why doing

	.subreg_def = DEF_NOT_SUBREG

inside mark_reg_not_init() breaks zero-extension tracking.

May be a dormant bug somewhere.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ