Re: [PATCH bpf-next v1 14/17] bpf: Report Policy helper and kfunc errors

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Out-of-bounds read in `bpf_diag_func_name` when formatting verifier diagnostics.
--

commit 2af8da104307236e989f2e90416035f301412857
Author: Kumar Kartikeya Dwivedi <memxor@gmail.com>

bpf: Report Policy helper and kfunc errors

Augment selected helper and kfunc allowability failures with Policy reports.
These reports explain which requested operation is forbidden and why, without
adding path history for non-path-dependent policy checks.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 325c162e3df0d..f81aad4aeb8e1 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -2829,6 +2829,10 @@ static int add_subprog_and_kfunc(struct bpf_verifier_env *env)
>  
>  		if (!env->bpf_capable) {
>  			verbose(env, "loading/calling other bpf or kernel functions are allowed for CAP_BPF and CAP_SYS_ADMIN\n");
> +			bpf_diag_report_policy(env, i,
> +					       "bpf-to-bpf or kernel function call",
> +					       "loading or calling other BPF or kernel functions requires CAP_BPF or CAP_SYS_ADMIN",
> +					       "Load this program with the required capability, or avoid bpf-to-bpf and kernel function calls in unprivileged programs.");
>  			return -EPERM;
>  		}

[Severity: High]
This isn't a bug introduced by this patch, but was introduced earlier in this
patch series. When a user provides a BPF program with attr->func_info_cnt
smaller than the actual number of subprograms, env->prog->aux->func_info is
allocated with a size smaller than env->subprog_cnt.

If the diagnostic framework is invoked early (for example, here in
add_subprog_and_kfunc(), or during check_subprogs()), it can trigger an
out-of-bounds read.

bpf_diag_func_name() calculates the subprogno and accesses the array without
checking if it falls within func_info_cnt:

kernel/bpf/diagnostics.c:bpf_diag_func_name() {
    ...
	subprogno = subprog - env->subprog_info;
	info = &env->prog->aux->func_info[subprogno];
    ...
}

Since the validation enforcing func_info_cnt == env->subprog_cnt happens
later in check_btf_func(), can this allow a malformed program to trigger
an out-of-bounds heap read before validation occurs?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260605063412.974640-1-memxor@gmail.com?part=14