From: sashiko-bot@kernel.org
To: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc()
Date: Sat, 11 Jul 2026 09:55:04 +0000 [thread overview]
Message-ID: <20260711095505.0CC961F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260711-execmem-x86-rox-bpf-v0-v2-1-bfd956d35119@kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Uninitialized kernel memory is copied into an executable BPF dispatcher region, leaking data and creating unintended ROP/JOP gadgets.
--
--- Patch [1]: [PATCH bpf-next v2 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc() ---
commit 12eba9f58f961b936cd08cfa17b30375eb214d2a
Author: Mike Rapoport (Microsoft) <rppt@kernel.org>
bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc()
This commit changes bpf_dispatcher->rw_image allocation to use vmalloc()
instead of bpf_jit_alloc_exec() since the rel32 offsets are calculated
against the final image, removing the need for the temporary buffer to live
in the module address range.
> diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
> index ea2d60dc1feeb..d85b3e8ad2e4e 100644
> --- a/kernel/bpf/dispatcher.c
> +++ b/kernel/bpf/dispatcher.c
> @@ -148,7 +148,10 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
> d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero, false);
> if (!d->image)
> goto out;
> - d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE);
> + /* d->rw_image doesn't need to be in module memory range, so we
> + * can use vmalloc.
> + */
> + d->rw_image = vmalloc(PAGE_SIZE);
[Severity: High]
This isn't a bug introduced by this patch, but since we are changing the
allocation here, does this code leak uninitialized kernel memory into the
executable dispatcher image?
vmalloc() does not zero-initialize the memory, and neither did the previous
bpf_jit_alloc_exec() call. When the architecture-specific code generates the
dispatcher instructions into this buffer, it only writes a few hundred bytes.
Later, bpf_dispatcher_update() copies exactly 2048 bytes from this partially
uninitialized temporary buffer into the executable RO+X dispatcher image:
bpf_dispatcher_update()
...
bpf_arch_text_copy(new, tmp, PAGE_SIZE / 2);
Could this overwrite the safe int3 trap instructions placed by
bpf_prog_pack_alloc() with random bytes from the uninitialized kernel memory,
potentially creating unintended ROP/JOP gadgets? Would it be safer to use
vzalloc() here instead?
> if (!d->rw_image) {
> bpf_prog_pack_free(d->image, PAGE_SIZE);
> d->image = NULL;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260711-execmem-x86-rox-bpf-v0-v2-0-bfd956d35119@kernel.org?part=1
next prev parent reply other threads:[~2026-07-11 9:55 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-11 9:43 [PATCH bpf-next v2 0/5] bpf, x86: enable EXECMEM_ROX_CACHE for BPF allocations Mike Rapoport (Microsoft)
2026-07-11 9:43 ` [PATCH bpf-next v2 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc() Mike Rapoport (Microsoft)
2026-07-11 9:55 ` sashiko-bot [this message]
2026-07-11 16:28 ` Mike Rapoport
2026-07-11 9:43 ` [PATCH bpf-next v2 2/5] bpf: drop __weak from bpf_jit_alloc_exec() and bpf_jit_free_exec() Mike Rapoport (Microsoft)
2026-07-11 9:43 ` [PATCH bpf-next v2 3/5] bpf: alloc_prog_pack(): skip ROX management for already ROX memory Mike Rapoport (Microsoft)
2026-07-11 10:00 ` sashiko-bot
2026-07-11 15:27 ` Mike Rapoport
2026-07-11 9:43 ` [PATCH bpf-next v2 4/5] bpf, x86: make sure allocation in arch_bpf_trampoline_size() is writable Mike Rapoport (Microsoft)
2026-07-11 10:02 ` sashiko-bot
2026-07-11 15:36 ` Mike Rapoport
2026-07-11 9:43 ` [PATCH bpf-next v2 5/5] x86/bpf: enable EXECMEM_ROX_CACHE for BPF allocations Mike Rapoport (Microsoft)
2026-07-11 9:59 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260711095505.0CC961F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=rppt@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.