Re: [PATCH bpf v9 7/8] powerpc/bpf: fix buffer overflow in JIT for large BPF programs

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Stale exception table due to missing updates during additional JIT passes, leading to kernel panic on BPF_PROBE_MEM.
- [Medium] Unratelimited error log on JIT convergence failure enables log spam (Denial of Service).
--

commit b6894df59a3f875e5bd3f27ed0af4e32b5c00461
Author: Abhishek Dubey <adubey@linux.ibm.com>

powerpc/bpf: fix buffer overflow in JIT for large BPF programs

This commit fixes a buffer overflow in the PowerPC BPF JIT by ensuring
the pass-0 size calculation falls through to the epilogue when the exit
address is out of range. It converts the fixed two-pass code generation
into a loop that iterates up to CODEGEN_MAX_PASSES until the program size
converges.

Link: https://lore.kernel.org/bpf/20260529015855.364704-2-adubey@linux.ibm.com/T/#mfcb23909d977b949727cca4f59ee56a13fd69b92

> diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> index 7255d29f269bb..8396ff556f026 100644
> --- a/arch/powerpc/net/bpf_jit_comp.c
> +++ b/arch/powerpc/net/bpf_jit_comp.c

[ ... ]

> @@ -335,8 +335,10 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
>  	code_base = (u32 *)(image + FUNCTION_DESCR_SIZE);
>  	fcode_base = (u32 *)(fimage + FUNCTION_DESCR_SIZE);
>  
> -	/* Code generation passes 1-2 */
> -	for (pass = 1; pass < 3; pass++) {
> +	/* Code generation passes 1-2+, loop until program size converges. */
> +	for (pass = 1; pass <= CODEGEN_MAX_PASSES; pass++) {
> +		u32 prev_proglen = proglen;
> +
>  		/* Now build the prologue, body code & epilogue for real. */
>  		cgctx.idx = 0;
>  		cgctx.alt_exit_addr = 0;

[Severity: High]
Does this loop need to reset cgctx.exentry_idx along with cgctx.idx?

Since CODEGEN_MAX_PASSES is now 3, the exception table could be populated
with stale instruction offsets if the JIT requires 3 passes.

Looking at bpf_add_extable_entry(), there is a hardcoded pass check:

bpf_add_extable_entry() {
        /* Populate extable entries only in the last pass */
        if (pass != 2)
                return 0;
        ...
}

If the program takes 3 passes to converge, this would leave the exception
table populated exclusively during pass 2. During pass 3, instruction sizes
shrink and absolute offsets shift, leaving the exception table with stale
relative offsets.

When a page fault occurs on a valid BPF_PROBE_MEM, could the kernel fail to
find the matching exception table entry and panic?

>  		bpf_jit_build_prologue(code_base, &cgctx);
>  		if (bpf_jit_build_body(fp, code_base, fcode_base, &cgctx, addrs, pass,
>  				       extra_pass)) {
>  			bpf_arch_text_copy(&fhdr->size, &hdr->size, sizeof(hdr->size));
>  			bpf_jit_binary_pack_free(fhdr, hdr);
>  			goto out_err;
>  		}
> +		addrs[fp->len] = cgctx.idx * 4;
>  		bpf_jit_build_epilogue(code_base, fcode_base, &cgctx);
>  
> +		proglen = cgctx.idx * 4;
> +
>  		if (bpf_jit_enable > 1)
>  			pr_info("Pass %d: shrink = %d, seen = 0x%x\n", pass,
> -				proglen - (cgctx.idx * 4), cgctx.seen);
> +				prev_proglen - proglen, cgctx.seen);
> +
> +		/* Check if program size has converged, but ensure minimum passes */
> +		if (pass >= CODEGEN_MIN_PASSES && proglen == prev_proglen)
> +			break;
> +
> +		if (pass == CODEGEN_MAX_PASSES && proglen != prev_proglen) {
> +			pr_err("BPF JIT: Program did not converge after %d passes\n",
> +								CODEGEN_MAX_PASSES);

[Severity: Medium]
Could this unconditional pr_err() cause log spam?

If a user loads a pathological BPF program that fails to converge, they
could repeatedly trigger this compilation failure and flood the kernel logs.

Should this use pr_err_ratelimited() instead, similar to other
user-triggerable JIT failures?

> +			bpf_arch_text_copy(&fhdr->size, &hdr->size, sizeof(hdr->size));
> +			bpf_jit_binary_pack_free(fhdr, hdr);
> +			goto out_err;
> +		}
>  	}
>  
>  	if (bpf_jit_enable > 1)

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260623231411.6216-1-adubey@linux.ibm.com?part=7