| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <6f7f5948f0c7e228f5c60b0fa8817185626861892c6189957e3d0219deb6035e@mail.kernel.org>
Date: Wed, 3 Dec 2025 23:57:42 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: ameryhung@...il.com,bpf@...r.kernel.org
Cc: netdev@...r.kernel.org,alexei.starovoitov@...il.com,andrii@...nel.org,daniel@...earbox.net,tj@...nel.org,martin.lau@...nel.org,ameryhung@...il.com,kernel-team@...a.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v8 1/6] bpf: Allow verifier to fixup kernel module kfuncs
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index f0ca69f88..bb7eca102 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -22493,8 +22493,7 @@ static int fixup_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
>
> if (!bpf_jit_supports_far_kfunc_call())
> insn->imm = BPF_CALL_IMM(desc->addr);
> - if (insn->off)
> - return 0;
> +
Can module kfuncs incorrectly match special_kfunc_list[] entries? The
removed early return allowed module kfuncs (insn->off != 0) to reach the
special kfunc checks below without verifying desc->offset == 0.
Looking at the code after this change, fixup_kfunc_call() compares
desc->func_id against special_kfunc_list[] entries:
> if (desc->func_id == special_kfunc_list[KF_bpf_obj_new_impl] ||
> desc->func_id == special_kfunc_list[KF_bpf_percpu_obj_new_impl]) {
> struct btf_struct_meta *kptr_struct_meta = env->insn_aux_data[insn_idx].kptr_struct_meta;
> [ ... ]
> } else if (desc->func_id == special_kfunc_list[KF_bpf_obj_drop_impl] ||
> desc->func_id == special_kfunc_list[KF_bpf_percpu_obj_drop_impl] ||
> desc->func_id == special_kfunc_list[KF_bpf_refcount_acquire_impl]) {
> [ ... ]
The special_kfunc_list[] array contains BTF IDs from btf_vmlinux. Module
kfuncs have their own BTF ID namespace, so a module kfunc with BTF ID 5
is different from a kernel kfunc with BTF ID 5. However, the comparison
desc->func_id == special_kfunc_list[...] doesn't check desc->offset,
which distinguishes kernel kfuncs (offset 0) from module kfuncs (offset
!= 0).
Other code already follows the pattern of checking offset before
comparing against special_kfunc_list[]:
is_bpf_throw_kfunc() (line 12910):
return bpf_pseudo_kfunc_call(insn) && insn->off == 0 &&
insn->imm == special_kfunc_list[KF_bpf_throw];
is_sleepable_insn() (line 556):
if (bpf_pseudo_kfunc_call(insn) && insn->off == 0 &&
(is_bpf_wq_set_callback_impl_kfunc(insn->imm) || ...))
check_kfunc_call() (line 13974):
} else if (!insn->off && insn->imm == special_kfunc_list[KF___bpf_trap]) {
If a module kfunc happens to have the same BTF ID as one of the ~50
special kernel kfuncs, won't it be incorrectly treated as that special
kfunc and have the wrong fixup applied?
The intended fix appears to be allowing module kfuncs to reach the
__prog argument fixup code (lines 22564-22573), but removing the early
return also exposes them to the special kfunc checks. Should the special
kfunc comparisons also verify desc->offset == 0?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19912520845
Powered by blists - more mailing lists