From: sashiko-bot@kernel.org
To: "Longjun Tang" <lange_tang@163.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 3/5] selftests/bpf: add tests for bpf_memcmp
Date: Tue, 23 Jun 2026 03:26:23 +0000 [thread overview]
Message-ID: <20260623032623.A576B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260623030803.44798-4-lange_tang@163.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] The `__ign` suffix in `bpf_memcmp` and other string kfuncs bypasses BPF verifier checks, allowing arbitrary kernel memory reads and bypassing CAP_PERFMON capability restrictions.
--
commit 7bc905114c7536361d9f8dec63d9c798b78c1718
Author: Longjun Tang <tanglongjun@kylinos.cn>
selftests/bpf: add tests for bpf_memcmp
Add functional tests for equality, ordering, zero-size, and null-byte
handling. Add negative tests for NULL, user-space, and invalid kernel
pointer arguments.
> diff --git a/tools/testing/selftests/bpf/progs/string_kfuncs_failure1.c b/tools/testing/selftests/bpf/progs/string_kfuncs_failure1.c
> index bddc4e8579d24..a85d64605d0e7 100644
> --- a/tools/testing/selftests/bpf/progs/string_kfuncs_failure1.c
> +++ b/tools/testing/selftests/bpf/progs/string_kfuncs_failure1.c
> @@ -9,6 +9,9 @@
> char *user_ptr = (char *)1;
> char *invalid_kern_ptr = (char *)-1;
>
> +extern int bpf_memcmp(const void *ptr1__ign, const void *ptr2__ign,
> + size_t size) __ksym;
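Review bot: The `__ign` suffix on `ptr1__ign` and `ptr2__ign` in the added `extern int bpf_memcmp(...)` declaration means the verifier skips pointer checks on those two arguments, so the negative tests this patch adds with `user_ptr` and `invalid_kern_ptr` (declared just above the hunk) will pass the verifier and depend on the kfunc's own run-time guard; the commit message should state which outcome each negative test expects (an error return from the kfunc rather than a load-time rejection) so the tests are not mistaken for verifier-rejection tests. This extern only mirrors the kernel-side prototype: the verifier takes argument names from the kernel's BTF for the kfunc, not from the program's declaration, so the suffix here documents the behaviour rather than selecting it, and it must stay in sync with the kernel definition. A short comment above the declaration, e.g. `/* pointer args are validated at run time by the kfunc, not the verifier */`, would make that intent explicit for readers of the selftest.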
[Severity: Critical]
This is a pre-existing issue, but does using the __ign suffix in the kfunc
declaration of bpf_memcmp allow BPF programs to bypass verifier capability
checks?
Looking at check_kfunc_args() in kernel/bpf/verifier.c, it appears the
verifier completely skips validation for arguments with the __ign suffix:
if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
continue;
Since bpf_memcmp() is available in common_kfunc_set without requiring
CAP_PERFMON, could an attacker pass an arbitrary kernel address as a
SCALAR_VALUE to ptr1__ign or ptr2__ign?
Because bpf_memcmp() uses copy_from_kernel_nofault_allowed() and safely
handles the memory access without crashing, this could potentially provide an
oracle to leak kernel memory byte-by-byte, acting as an unrestricted bypass
for bpf_probe_read_kernel.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623030803.44798-1-lange_tang@163.com?part=3