Re: [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Jiri Olsa" <jolsa@kernel.org>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data
Date: Thu, 11 Jun 2026 11:55:02 +0000	[thread overview]
Message-ID: <20260611115503.AC16D1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260611114230.950379-2-jolsa@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Missing access_ok() check for the usyms array in bpf_kprobe_multi_link_attach() allows arbitrary kernel memory read.
--

commit e5440667240e003d50bb838ad4b19e526ef6c703
Author: Jiri Olsa <jolsa@kernel.org>

bpf: Guard __get_user acesss with access_ok for uprobe_multi data

This patch adds access_ok checks for uprobe_multi arrays before calling
__get_user. It ensures that the user space data bounds are safe.

Link: https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/

> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c

[ ... ]

> @@ -3261,6 +3262,16 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
>  	uref_ctr_offsets = u64_to_user_ptr(attr->link_create.uprobe_multi.ref_ctr_offsets);
>  	ucookies = u64_to_user_ptr(attr->link_create.uprobe_multi.cookies);
>  
> +	/*
> +	 * All uoffsets/uref_ctr_offsets/ucookies arrays have the same value
> +	 * size, we need to check their address range is safe for __get_user
> +	 * calls.
> +	 */
> +	size = sizeof(*uoffsets) * cnt;
> +	if (!access_ok(uoffsets, size) || !access_ok(uref_ctr_offsets, size) ||
> +	    !access_ok(ucookies, size))
> +		return -EFAULT;

[Severity: High]
This is a pre-existing issue, but while you are adding these access checks
for uprobes, does bpf_kprobe_multi_link_attach() have an identical missing
check for the usyms array?

Looking at bpf_kprobe_multi_link_attach(), it calls copy_user_syms() with
the unchecked user pointer usyms:

kernel/trace/bpf_trace.c:bpf_kprobe_multi_link_attach() {
    ...
		struct user_syms us;

		err = copy_user_syms(&us, usyms, cnt);
		if (err)
			goto error;
    ...
}

And copy_user_syms() iteratively calls __get_user(usymbol, usyms + i)
without any prior access checks on the array:

kernel/trace/bpf_trace.c:copy_user_syms() {
    ...
	for (p = buf, i = 0; i < cnt; i++) {
		if (__get_user(usymbol, usyms + i)) {
			err = -EFAULT;
			goto error;
		}
    ...
}

Since __get_user() bypasses bounds checking, couldn't an attacker provide
a kernel address for usyms and read arbitrary kernel memory into usymbol?

A subsequent strncpy_from_user() call would use usymbol as its source
pointer, potentially acting as a side-channel oracle to leak kernel
information or bypass kernel address layout randomization.

Should copy_user_syms() or bpf_kprobe_multi_link_attach() also include
an access_ok() check for the usyms array?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611114230.950379-2-jolsa@kernel.org?part=1

next prev parent reply	other threads:[~2026-06-11 11:55 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 11:42 [PATCHv3 bpf-next 0/7] bpf: Allow uprobe_multi binary specified by file descriptor Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data Jiri Olsa
2026-06-11 11:55   ` sashiko-bot [this message]
2026-06-11 11:42 ` [PATCHv3 bpf-next 2/7] bpf: Use user_path_at for path resolution in uprobe_multi Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 3/7] bpf: Add support to specify uprobe_multi target via file descriptor Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 4/7] libbpf: Add path_fd to struct bpf_link_create_opts Jiri Olsa
2026-06-11 11:53   ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 5/7] selftests/bpf: Add uprobe_multi path_fd test Jiri Olsa
2026-06-11 11:52   ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 6/7] selftests/bpf: Add uprobe_multi path_fd fail tests Jiri Olsa
2026-06-11 11:54   ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 7/7] selftests/bpf: Fix typo in verify_umulti_link_info Jiri Olsa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260611115503.AC16D1F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=jolsa@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.