From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc()
Date: Fri, 26 Jun 2026 18:59:39 +0000 [thread overview]
Message-ID: <20260626185939.863571F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626-execmem-x86-rox-bpf-v0-v1-1-45a0b0ed4fe9@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Uninitialized vmalloc memory is copied into the executable BPF dispatcher image, creating an information leak and potential W^X bypass.
--
commit a818beebb25a7db7c07963818946c91a734b9050
Author: Mike Rapoport (Microsoft) <rppt@kernel.org>
bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc()
This patch changes the allocation of the temporary bpf_dispatcher->rw_image
from bpf_jit_alloc_exec() to vmalloc(). This saves space in the module address
range since the temporary buffer doesn't require executable permissions.
> diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
> index b77db7413f8c7..a7a6a375cdd31 100644
> --- a/kernel/bpf/dispatcher.c
> +++ b/kernel/bpf/dispatcher.c
[ ... ]
> @@ -148,7 +148,10 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
> d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero);
> if (!d->image)
> goto out;
> - d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE);
> + /* d->rw_image doesn't need to be in module memory range, so we
> + * can use vmalloc.
> + */
> + d->rw_image = vmalloc(PAGE_SIZE);
[Severity: High]
This is a pre-existing issue, but does allocating this temporary buffer without
zeroing it leak uninitialized memory into the executable dispatcher image?
When bpf_dispatcher_update() updates the dispatcher, it unconditionally copies
PAGE_SIZE / 2 bytes (2048 bytes) from this buffer into the executable RO+X
image:
kernel/bpf/dispatcher.c:bpf_dispatcher_update() {
...
arch_prepare_bpf_dispatcher(d->rw_image, ...);
...
if (IS_ERR(bpf_arch_text_copy(new, tmp, PAGE_SIZE / 2)))
...
}
Since arch_prepare_bpf_dispatcher() only writes a small number of
instructions into the buffer, the rest of the 2048 bytes copied by
bpf_arch_text_copy() comes from whatever was previously in this allocation.
Could this allow malicious gadgets to be sprayed into vmalloc space from
userspace and then copied into executable memory, potentially bypassing W^X
protections?
Would it be safer to use vzalloc() here to ensure the unused portions of the
buffer are padded with zeroes?
> if (!d->rw_image) {
> bpf_prog_pack_free(d->image, PAGE_SIZE);
> d->image = NULL;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260626-execmem-x86-rox-bpf-v0-v1-0-45a0b0ed4fe9@kernel.org?part=1
next prev parent reply other threads:[~2026-06-26 18:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 18:42 [PATCH bpf-next 0/5] bpf, x86: enable EXECMEM_ROX_CACHE for BPF allocations Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc() Mike Rapoport (Microsoft)
2026-06-26 18:59 ` sashiko-bot [this message]
2026-06-26 18:42 ` [PATCH bpf-next 2/5] bpf: drop __weak from bpf_jit_alloc_exec() and bpf_jit_free_exec() Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 3/5] bpf: alloc_prog_pack(): skip ROX management for already ROX memory Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 4/5] bpf, x86: make sure allocation in arch_bpf_trampoline_size() is writable Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 5/5] x86/bpf: enable EXECMEM_ROX_CACHE for BPF allocations Mike Rapoport (Microsoft)
2026-06-26 18:59 ` sashiko-bot
2026-06-27 14:44 ` Alexei Starovoitov
2026-07-09 12:53 ` Mike Rapoport
2026-07-09 12:53 ` Mike Rapoport
2026-07-09 8:03 ` [PATCH bpf-next 0/5] bpf, x86: " Mike Rapoport
2026-07-09 12:12 ` Daniel Borkmann
2026-07-09 12:55 ` Mike Rapoport
2026-07-10 12:30 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260626185939.863571F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.