From: Feng Yang <yangfeng59949@163.com>
To: jiayuan.chen@linux.dev
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, eddyz87@gmail.com,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
mattbobrowski@google.com, memxor@gmail.com, song@kernel.org,
yangfeng59949@163.com, yonghong.song@linux.dev
Subject: Re: [PATCH bpf] bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc
Date: Thu, 9 Apr 2026 18:25:18 +0800 [thread overview]
Message-ID: <20260409102518.258752-1-yangfeng59949@163.com> (raw)
In-Reply-To: <409f3694-a054-4288-acd9-7900cc8f8620@linux.dev>
On Wed, 8 Apr 2026 20:16:45 +0800 Jiayuan Chen wrote:
[...]
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 594260c1f382..3bfc67983e12 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -18413,8 +18413,10 @@ static bool return_retval_range(struct bpf_verifier_env *env, struct bpf_retval_
> > *range = retval_range(0, 0);
> > break;
> > case BPF_TRACE_RAW_TP:
> > - case BPF_MODIFY_RETURN:
> > return false;
> > + case BPF_MODIFY_RETURN:
> > + bpf_security_get_retval_range(env->prog, range);
> > + break;
>
> This is a breaking change. The verifier rejection log should be more
> descriptive
> so users can understand why their program is being rejected.
It should be easy to see from the existing error log that the return value does not meet the requirements:
At program exit the register R0 has smin=1 smax=1 should have been in [-4095, 0]
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
>
> > case BPF_TRACE_ITER:
> > default:
> > break;
>
> Also, I think a whitelist approach would be better here.
> The known danger is specifically those security hooks whose return
> values get fed into ERR_PTR() by callers, such as:
> - security_task_alloc
> - security_inode_readlink
> - security_task_movememory
> - security_inode_follow_link
> - security_fs_context_submount
> - security_dentry_create_files_as
> - security_perf_event_alloc
> - security_inode_get_acl
prev parent reply other threads:[~2026-04-09 10:26 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 9:48 [PATCH bpf] bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc Feng Yang
2026-04-08 11:53 ` Jiri Olsa
2026-04-09 10:24 ` Feng Yang
2026-04-08 12:16 ` Jiayuan Chen
2026-04-09 10:25 ` Feng Yang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260409102518.258752-1-yangfeng59949@163.com \
--to=yangfeng59949@163.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=jiayuan.chen@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mattbobrowski@google.com \
--cc=memxor@gmail.com \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox