From: Puranjay Mohan <puranjay@kernel.org>
To: CyFun <xcyfun@protonmail.com>,
	"bpf@vger.kernel.org" <bpf@vger.kernel.org>
Cc: "daniel@iogearbox.net" <daniel@iogearbox.net>,
	"ast@kernel.org" <ast@kernel.org>,
	"andrii@kernel.org" <andrii@kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH bpf v2] bpf: fix constant blinding bypass for PROBE_MEM32 stores
Date: Mon, 09 Mar 2026 16:41:11 +0000
Message-ID: <m24impx8ew.fsf@kernel.org>
In-Reply-To: <ymj6l4pBrhKjzHeR2XYjQcvWswW_741UgkR05M3iYsrzxzhD-3AfAZ1rNJ5k1b6ex0tosQAorJP38DfNDkyqbhkY-DD6RW_qTfuJ0z86psE=@protonmail.com>

CyFun <xcyfun@protonmail.com> writes:

> To: bpf@vger.kernel.org
> Cc: daniel@iogearbox.net, ast@kernel.org, andrii@kernel.org, netdev@vger.kernel.org
> Subject: [PATCH bpf v2] bpf: fix constant blinding bypass for PROBE_MEM32 stores
>
> BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by
> bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to
> survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.
>
> The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM
> to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification,
> before bpf_jit_blind_constants() runs during JIT compilation. The
> blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not
> BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through
> unblinded.
>
> Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the
> existing BPF_ST|BPF_MEM cases. The blinding transformation is identical:
> load the blinded immediate into BPF_REG_AX via mov+xor, then convert
> the immediate store to a register store (BPF_STX).
>
> The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so
> the architecture JIT emits the correct arena addressing (R12-based on
> x86-64). Cannot use the BPF_STX_MEM() macro here because it hardcodes
> BPF_MEM mode; construct the instruction directly instead.
>
> Fixes: 6082b6c328b5 ("bpf: Recognize addr_space_cast instruction in the verifier.")
> Signed-off-by: s4ch <xcyfun@protonmail.com>
> ---
> v2: Rebased onto current bpf tree (commit 56145d237385).
>     v1 had a malformed diff header that caused CI to reject it.
> ---
>  kernel/bpf/core.c | 18 ++++++++++++++++++
>  1 file changed, 18 insertions(+)
>
> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> index 3ece2da55..bb2fa75de 100644
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -1422,6 +1422,24 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
>  		*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
>  		*to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX, from->off);
>  		break;
> +
> +	case BPF_ST | BPF_PROBE_MEM32 | BPF_DW:
> +	case BPF_ST | BPF_PROBE_MEM32 | BPF_W:
> +	case BPF_ST | BPF_PROBE_MEM32 | BPF_H:
> +	case BPF_ST | BPF_PROBE_MEM32 | BPF_B:
> +		*to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^
> +				      from->imm);
> +		*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
> +		/* Cannot use BPF_STX_MEM() here: it hardcodes BPF_MEM
> +		 * mode which would lose BPF_PROBE_MEM32 and break the
> +		 * arena addressing in the architecture JIT. */
> +		*to++ = (struct bpf_insn) {
> +			.code  = BPF_STX | BPF_PROBE_MEM32 | BPF_SIZE(from->code),
> +			.dst_reg = from->dst_reg,
> +			.src_reg = BPF_REG_AX,
> +			.off   = from->off,
> +		};
> +		break;
>  	}
>  out:
>  	return to - to_buff;
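Review bot: the block comment beginning `/* Cannot use BPF_STX_MEM() here:` closes with `*/` on the same line as text (`arena addressing in the architecture JIT. */`); kernel coding style puts the closing `*/` of a multi-line comment on its own line, and checkpatch flags this form. Otherwise the four new cases mirror the xor and BPF_STX_MEM() lines of the existing BPF_ST|BPF_MEM case visible at the top of the hunk, and building the store as `.code = BPF_STX | BPF_PROBE_MEM32 | BPF_SIZE(from->code)` keeps the mode bits the commit message says the arch JIT needs. The compound literal leaves `.imm` zero, which is correct for a register store; an explicit `.imm = 0` would make that intent visible to the next reader.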
> --
> 2.53.0

Reviewed-by: Puranjay Mohan <puranjay@kernel.org>
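A small model of the blinding transformation the commit message describes, added here for illustration and not part of the patch or of kernel/bpf/core.c: it reproduces the mov+xor+STX rewrite, shows that the pre-patch switch lets a BPF_PROBE_MEM32 immediate through verbatim while the patched one does not, and checks that the rewritten sequence still stores the original value with the mode bits preserved. Opcode values mirror the uapi encoding; `struct insn`, `ALU64_IMM` and the `patched` flag are local simplifications of the kernel's types and of bpf_jit_harden.

```c
#include <stdint.h>

/* Opcode encoding mirroring uapi/linux/bpf.h (0x60 and 0xa0 as in the patch). */
enum { BPF_ST = 0x02, BPF_STX = 0x03, BPF_ALU64 = 0x07, BPF_K = 0x00, BPF_DW = 0x18,
       BPF_MOV = 0xb0, BPF_XOR = 0xa0, BPF_MEM = 0x60, BPF_PROBE_MEM32 = 0xa0, BPF_REG_AX = 11 };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
struct insn { uint8_t code, dst, src; int16_t off; int32_t imm; };
#define ALU64_IMM(op, dst, imm) \
    (struct insn){ BPF_ALU64 | (op) | BPF_K, (dst), 0, 0, (int32_t)(imm) }

/* Model of bpf_jit_blind_insn() for a BPF_ST immediate store: patched == 0 blinds
 * only BPF_ST|BPF_MEM (the bug), patched == 1 also BPF_PROBE_MEM32, keeping its mode. */
static int blind_st_insn(const struct insn *from, uint32_t imm_rnd,
                         int patched, struct insn *to)
{
    uint8_t mode = BPF_MODE(from->code);
    if (!(mode == BPF_MEM || (patched && mode == BPF_PROBE_MEM32))) {
        to[0] = *from;                    /* falls through unblinded, 1 insn */
        return 1;
    }
    to[0] = ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ (uint32_t)from->imm);
    to[1] = ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
    to[2] = (struct insn){ BPF_STX | mode | BPF_SIZE(from->code),
                           from->dst, BPF_REG_AX, from->off, 0 };
    return 3;                             /* mov + xor + register store */
}

/* 1 if an emitted non-STX insn still carries the user's immediate verbatim. */
static int leaks_immediate(const struct insn *seq, int n, int32_t imm)
{
    for (int i = 0; i < n; i++)
        if (BPF_CLASS(seq[i].code) != BPF_STX && seq[i].imm == imm)
            return 1;
    return 0;
}

/* Run a blinded sequence; return the sign-extended 64-bit value reaching the STX. */
static uint64_t stored_value(const struct insn *seq, int n)
{
    uint64_t regs[16] = {0};
    for (int i = 0; i < n; i++) {
        uint64_t imm = (uint64_t)(int64_t)seq[i].imm;
        if (BPF_CLASS(seq[i].code) == BPF_STX) return regs[seq[i].src];
        if ((seq[i].code & 0xf0) == BPF_MOV)   regs[seq[i].dst] = imm;
        else                                    regs[seq[i].dst] ^= imm;
    }
    return 0;
}
```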
