Re: [PATCH] bpf: verifier: fix NULL deref in map_kptr_match_type() for scalar regs

[sashiko-bot@kernel.org]

Sashiko AI review found 2 potential issue(s):
- [High] Type confusion and non-deterministic behavior by accessing union member `reg->btf` before validating register type.
- [Low] Compiler warning due to mixed declarations and executable code.
--

commit e1d023d433c4be96ed8eba9f6b8df2ec2929d841
Author: Avinash Pal <avinashpal441@gmail.com>

bpf: verifier: fix NULL deref in map_kptr_match_type() for scalar regs

This commit attempts to fix a NULL pointer dereference in
map_kptr_match_type() by adding an early return if reg->btf is NULL.
It targets a crash that occurs when storing a scalar value into a kptr slot.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=221372

> For scalar registers reg->btf is NULL. map_kptr_match_type() passes
> this directly to btf_is_kernel(), which performs a container_of()-based
> offset access and triggers a general protection fault:

Since base_type(reg->type) != PTR_TO_BTF_ID evaluates to true for scalars,
wouldn't the code jump to bad_type before ever reaching btf_is_kernel()?

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 69d75515ed3f7..15b8f71074f93 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -4545,6 +4545,18 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
>  			       struct btf_field *kptr_field,
>  			       struct bpf_reg_state *reg, u32 regno)
>  {
> +	/*
> +	 * If the source register has no BTF type (e.g. it is a scalar),
> +	 * it cannot possibly match a kptr slot. Reject early to avoid
> +	 * passing a NULL reg->btf to btf_is_kernel(), which would cause
> +	 * a NULL pointer dereference inside that function.
> +	 */
> +	if (!reg->btf) {
> +		verbose(env, "R%d is not a pointer, cannot store into kptr slot\n",
> +			regno);
> +		return -EACCES;
> +	}
> +

Does placing this executable code before the variable declarations trigger a
-Wdeclaration-after-statement compiler warning?

>  	const char *targ_name = btf_type_name(kptr_field->kptr.btf, kptr_field->kptr.btf_id);
>  	int perm_flags;
>  	const char *reg_name = "";

In struct bpf_reg_state, btf is part of a union:

struct bpf_reg_state {
    ...
    union {
        int range;
        ...
        struct {
            struct btf *btf;
            u32 btf_id;
        };
        ...
    };
    ...
};

By checking !reg->btf at the top of the function, does this read an inactive
union member before validating the register type?

For instance, if the register is a PTR_TO_PACKET with range == 0, could
reg->btf incorrectly evaluate to NULL here and return -EACCES instead of safely
falling through to the bad_type check below?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260419040426.9672-1-avinashpal441@gmail.com?part=1