From: sashiko-bot@kernel.org
To: "Nuoqi Gui" <gnq25@mails.tsinghua.edu.cn>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 1/2] bpf: Mask pseudo pointer values in verifier logs
Date: Tue, 23 Jun 2026 11:03:43 +0000	[thread overview]
Message-ID: <20260623110345.0A6751F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260623-f01-13-pseudo-btf-id-cap-bpf-v2-1-a190ebb8f3e2@mails.tsinghua.edu.cn>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Translated BPF program dump (BPF_OBJ_GET_INFO_BY_FD) leaks physical kernel addresses from BPF_PSEUDO_BTF_ID instructions to users without CAP_PERFMON.
--

commit 302eadb037a969e2a3c9dbab8e1a08cf49f16888
Author: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

bpf: Mask pseudo pointer values in verifier logs

This commit updates print_bpf_insn() to mask additional pointer-bearing
pseudo sources like BPF_PSEUDO_BTF_ID in verifier logs when pointer leaks
are not allowed.

> diff --git a/kernel/bpf/disasm.c b/kernel/bpf/disasm.c
> index f8a3c7eb451e4..0391b3bc00734 100644
> --- a/kernel/bpf/disasm.c
> +++ b/kernel/bpf/disasm.c
> @@ -323,7 +323,10 @@ void print_bpf_insn(const struct bpf_insn_cbs *cbs,
>  			 */
>  			u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
>  			bool is_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD ||
> -				      insn->src_reg == BPF_PSEUDO_MAP_VALUE;
> +				      insn->src_reg == BPF_PSEUDO_MAP_VALUE ||
> +				      insn->src_reg == BPF_PSEUDO_MAP_IDX ||
> +				      insn->src_reg == BPF_PSEUDO_MAP_IDX_VALUE ||
> +				      insn->src_reg == BPF_PSEUDO_BTF_ID;

[Severity: High]
This isn't a bug introduced by this patch, but does the kernel still leak
physical addresses from BPF_PSEUDO_BTF_ID instructions when a user without
CAP_PERFMON calls BPF_OBJ_GET_INFO_BY_FD to dump the translated program?

In kernel/bpf/verifier.c:convert_pseudo_ld_imm64(), the verifier clears
the src_reg for non-func pseudo loads after resolving the address:

	if (insn->src_reg == BPF_PSEUDO_FUNC)
		continue;
	insn->src_reg = 0;

Later, when dumping the instructions in
kernel/bpf/syscall.c:bpf_insn_prepare_dump():

	imm = ((u64)insns[i + 1].imm << 32) | (u32)insns[i].imm;
	map = bpf_map_from_imm(prog, imm, &off, &type);
	if (map) {
		insns[i].src_reg = type;
		insns[i].imm = map->id;
		insns[i + 1].imm = off;
		continue;
	}

Because BPF_PSEUDO_BTF_ID resolves to a kernel symbol rather than a map,
bpf_map_from_imm() returns NULL. Since src_reg was zeroed by the verifier,
this code has no way to distinguish the leaked physical kernel address from
a normal 64-bit constant.

Could this allow users to retrieve raw kernel pointers, since there is no
fallback bpf_dump_raw_ok(f_cred) check here?

>  			char tmp[64];
>  
>  			if (is_ptr && !allow_ptr_leaks)
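Review bot: The changelog describes the change as masking "pseudo sources like BPF_PSEUDO_BTF_ID", but the hunk extends is_ptr with three sources (BPF_PSEUDO_MAP_IDX, BPF_PSEUDO_MAP_IDX_VALUE and BPF_PSEUDO_BTF_ID); please name all three in the commit message and state at which point the verifier has rewritten the 64-bit imm into a kernel address for each of them, so a reader can confirm that masking is warranted at the time print_bpf_insn() emits the log line rather than masking an fd-array index or BTF id. On style, the condition is now five alternatives chained with `||`; a small predicate along the lines of `static bool pseudo_src_is_ptr(u8 src_reg)` built on a `switch` over the BPF_PSEUDO_* values would read better and would give the BPF_OBJ_GET_INFO_BY_FD dump path the review above asks about one shared definition of "pointer-bearing pseudo source" if a fix lands there.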

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260623-f01-13-pseudo-btf-id-cap-bpf-v2-0-a190ebb8f3e2@mails.tsinghua.edu.cn?part=1
