From: Jiri Olsa <olsajiri@gmail.com>
To: sashiko-reviews@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data
Date: Mon, 15 Jun 2026 09:58:58 +0200 [thread overview]
Message-ID: <ai-wwq183bfjoxkg@krava> (raw)
In-Reply-To: <20260611115503.AC16D1F00893@smtp.kernel.org>
On Thu, Jun 11, 2026 at 11:55:02AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [High] Missing access_ok() check for the usyms array in bpf_kprobe_multi_link_attach() allows arbitrary kernel memory read.
> --
>
> commit e5440667240e003d50bb838ad4b19e526ef6c703
> Author: Jiri Olsa <jolsa@kernel.org>
>
> bpf: Guard __get_user acesss with access_ok for uprobe_multi data
>
> This patch adds access_ok checks for uprobe_multi arrays before calling
> __get_user. It ensures that the user space data bounds are safe.
>
> Link: https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/
>
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
>
> [ ... ]
>
> > @@ -3261,6 +3262,16 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> > uref_ctr_offsets = u64_to_user_ptr(attr->link_create.uprobe_multi.ref_ctr_offsets);
> > ucookies = u64_to_user_ptr(attr->link_create.uprobe_multi.cookies);
> >
> > + /*
> > + * All uoffsets/uref_ctr_offsets/ucookies arrays have the same value
> > + * size, we need to check their address range is safe for __get_user
> > + * calls.
> > + */
> > + size = sizeof(*uoffsets) * cnt;
> > + if (!access_ok(uoffsets, size) || !access_ok(uref_ctr_offsets, size) ||
> > + !access_ok(ucookies, size))
> > + return -EFAULT;
>
> [Severity: High]
> This is a pre-existing issue, but while you are adding these access checks
> for uprobes, does bpf_kprobe_multi_link_attach() have an identical missing
> check for the usyms array?
>
> Looking at bpf_kprobe_multi_link_attach(), it calls copy_user_syms() with
> the unchecked user pointer usyms:
>
> kernel/trace/bpf_trace.c:bpf_kprobe_multi_link_attach() {
> ...
> struct user_syms us;
>
> err = copy_user_syms(&us, usyms, cnt);
> if (err)
> goto error;
> ...
> }
>
> And copy_user_syms() iteratively calls __get_user(usymbol, usyms + i)
> without any prior access checks on the array:
>
> kernel/trace/bpf_trace.c:copy_user_syms() {
> ...
> for (p = buf, i = 0; i < cnt; i++) {
> if (__get_user(usymbol, usyms + i)) {
> err = -EFAULT;
> goto error;
> }
> ...
> }
>
> Since __get_user() bypasses bounds checking, couldn't an attacker provide
> a kernel address for usyms and read arbitrary kernel memory into usymbol?
>
> A subsequent strncpy_from_user() call would use usymbol as its source
> pointer, potentially acting as a side-channel oracle to leak kernel
> information or bypass kernel address layout randomization.
>
> Should copy_user_syms() or bpf_kprobe_multi_link_attach() also include
> an access_ok() check for the usyms array?
I'm not sure it's possible to exploit it, but the contract for __get_user is
clear, so I think we should call access_ok also in here, I'll send the fix
jirka
next prev parent reply other threads:[~2026-06-15 7:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 11:42 [PATCHv3 bpf-next 0/7] bpf: Allow uprobe_multi binary specified by file descriptor Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data Jiri Olsa
2026-06-11 11:55 ` sashiko-bot
2026-06-15 7:58 ` Jiri Olsa [this message]
2026-06-11 11:42 ` [PATCHv3 bpf-next 2/7] bpf: Use user_path_at for path resolution in uprobe_multi Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 3/7] bpf: Add support to specify uprobe_multi target via file descriptor Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 4/7] libbpf: Add path_fd to struct bpf_link_create_opts Jiri Olsa
2026-06-11 11:53 ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 5/7] selftests/bpf: Add uprobe_multi path_fd test Jiri Olsa
2026-06-11 11:52 ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 6/7] selftests/bpf: Add uprobe_multi path_fd fail tests Jiri Olsa
2026-06-11 11:54 ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 7/7] selftests/bpf: Fix typo in verify_umulti_link_info Jiri Olsa
2026-06-15 0:30 ` [PATCHv3 bpf-next 0/7] bpf: Allow uprobe_multi binary specified by file descriptor patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ai-wwq183bfjoxkg@krava \
--to=olsajiri@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.