From: sashiko-bot@kernel.org
To: "Alexis Lothoré (eBPF Foundation)" <alexis.lothore@bootlin.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH RFC bpf-next 7/8] bpf, x86: enable KASAN for JITed programs on x86
Date: Sat, 25 Apr 2026 06:33:22 +0000
Message-ID: <20260425063323.856BCC2BCB0@smtp.kernel.org>
In-Reply-To: <20260413-kasan-v1-7-1a5831230821@bootlin.com>

Sashiko AI review found 1 potential issue(s):
- [High] The x86 JIT compiler misses KASAN instrumentation for BPF_ST (store immediate to memory) and BPF_ATOMIC (atomic read-modify-write) instructions.
--

commit b74234d98543fb8b6b97cccfe13819f42ebebe33
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

bpf, x86: enable KASAN for JITed programs on x86

Mark x86 as supporting KASAN checks in JITed programs so that the
corresponding JIT compiler inserts checks on the translated
instructions.

> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index f3f7cb01d69d0..cc140108b74c5 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -235,6 +235,7 @@ config X86
>  	select HAVE_SAMPLE_FTRACE_DIRECT	if X86_64
>  	select HAVE_SAMPLE_FTRACE_DIRECT_MULTI	if X86_64
>  	select HAVE_EBPF_JIT
> +	select HAVE_EBPF_JIT_KASAN		if X86_64
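Review bot: selecting HAVE_EBPF_JIT_KASAN here advertises that the x86 JIT checks the memory accesses it translates, yet the do_jit() excerpts quoted below show BPF_ST | BPF_MEM and BPF_STX | BPF_ATOMIC emitting their x86 stores without emit_kasan_check(), so the select would claim coverage the JIT does not yet provide; either order this patch after those two paths are instrumented, or state the remaining gap in the commit message. The `if X86_64` guard itself is consistent with the neighbouring HAVE_SAMPLE_FTRACE_DIRECT selects.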

Is it safe to enable KASAN for eBPF JIT on x86 when some memory access
instructions appear to be missing KASAN checks?

Looking at arch/x86/net/bpf_jit_comp.c, while BPF_LDX | BPF_MEM and
BPF_STX | BPF_MEM correctly call emit_kasan_check(), BPF_ST | BPF_MEM
and BPF_STX | BPF_ATOMIC directly emit x86 memory access instructions without
instrumentation.

For example, BPF_ST | BPF_MEM does not include the check:

arch/x86/net/bpf_jit_comp.c:do_jit() {
		...
		case BPF_ST | BPF_MEM | BPF_W:
			if (is_ereg(dst_reg))
				EMIT2(0x41, 0xC7);
			else
				EMIT1(0xC7);
			goto st;
		...
}

Similarly, atomic operations are missing the check:

arch/x86/net/bpf_jit_comp.c:do_jit() {
		...
		case BPF_STX | BPF_ATOMIC | BPF_W:
		case BPF_STX | BPF_ATOMIC | BPF_DW:
			if (insn->imm == (BPF_AND | BPF_FETCH) ||
		...
}

Could this allow an eBPF program to bypass KASAN memory safety validation
by using immediate stores or atomic operations?

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260413-kasan-v1-0-1a5831230821@bootlin.com?part=7
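The coverage gap described above, as an added example that is not part of the patch set or the kernel tree: a small audit helper that decodes eBPF opcodes and reports which memory accesses the x86 JIT, as the review describes it, would emit with or without emit_kasan_check(). The opcode constants follow include/uapi/linux/bpf.h; the struct bpf_insn layout is a simplified stand-in, and the CHECKED/UNCHECKED split simply mirrors the four do_jit() paths named in the review.

```c
/* Added example (not from the patch set): decode eBPF opcodes and report
 * whether the x86 JIT as the review describes it would emit a KASAN check.
 * Constants follow include/uapi/linux/bpf.h; bpf_insn is a simplified stand-in. */
#include <stdint.h>
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_LDX    0x01
#define BPF_ST     0x02
#define BPF_STX    0x03
#define BPF_MEM    0x60
#define BPF_ATOMIC 0xc0
#define BPF_W      0x00
#define BPF_H      0x08
#define BPF_B      0x10
#define BPF_DW     0x18

struct bpf_insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; };
enum kasan_cov { NOT_MEM, CHECKED, UNCHECKED };
/* Width in bytes that a check for this access would have to cover. */
int access_size(uint8_t code)
{
	switch (BPF_SIZE(code)) {
	case BPF_B: return 1;
	case BPF_H: return 2;
	case BPF_W: return 4;
	default:    return 8; /* BPF_DW */
	}
}

/* Mirrors the do_jit() paths quoted in the review: LDX|MEM and STX|MEM go
 * through emit_kasan_check(); ST|MEM and STX|ATOMIC (read-modify-write) do not. */
enum kasan_cov kasan_coverage(const struct bpf_insn *insn)
{
	uint8_t cls = BPF_CLASS(insn->code), mode = BPF_MODE(insn->code);
	if (mode == BPF_MEM && (cls == BPF_LDX || cls == BPF_STX))
		return CHECKED;
	if ((mode == BPF_MEM && cls == BPF_ST) ||
	    (mode == BPF_ATOMIC && cls == BPF_STX))
		return UNCHECKED;
	return NOT_MEM; /* not a memory access, or a mode the review does not cover */
}
/* Program-level audit: memory accesses that would be emitted unchecked. */
int count_unchecked(const struct bpf_insn *prog, int len)
{
	int n = 0;
	for (int i = 0; i < len; i++)
		n += kasan_coverage(&prog[i]) == UNCHECKED;
	return n;
}
```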
