Re: [PATCH v4 08/10] hornet: Add a light skeleton data extractor scripts

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v4 08/10] hornet: Add a light skeleton data extractor scripts
Date: Thu, 16 Apr 2026 21:44:47 +0000	[thread overview]
Message-ID: <20260416214447.D7713C2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260416173500.176716-9-bboscaccy@linux.microsoft.com>

Sashiko AI review found 4 potential issue(s):
- [High] Unquoted `printf $(...)` causes binary data corruption and format string evaluation.
- [High] Overly broad `grep` patterns match struct assignments, leading to payload duplication.
- [Medium] Unquoted script argument `$1` allows command-line argument injection in `gcc`.
- [Low] Redundant and duplicate scripts create unnecessary maintenance burden.
--

commit 18ddbefea00184030f4d5a0c406b61b4fd5670fd
Author: Blaise Boscaccy <bboscaccy@linux.microsoft.com>

hornet: Add a light skeleton data extractor scripts

This commit introduces scripts to extract eBPF instruction and map data
payloads from autogenerated light skeleton headers for use in signing.

> diff --git a/scripts/hornet/extract-insn.sh b/scripts/hornet/extract-insn.sh
> new file mode 100755
> index 0000000000000..52338f057ff6b
> --- /dev/null
> +++ b/scripts/hornet/extract-insn.sh
[ ... ]
> +if [ $ARGC -ne $EXPECTED_ARGS ] ; then
> +    usage
> +else
> +    printf $(gcc -E $1 | grep "opts_insn" | \
                        ^^

Could an unquoted $1 cause gcc to interpret filenames starting with a
hyphen as command-line options, or fail if the path contains spaces?

> +		 awk -F"=" '{print $2}' | sed 's/;\+$//' | sed 's/\"//g')

Does this overly broad grep match both the array declarations and
subsequent struct assignments?

If grep matches opts.insns = (void *)opts_insn;, the pipeline will extract
both the hex payload and the struct assignment, leading to payload duplication.

Also, can this printf $(...) construct corrupt the binary data?

If the extracted payload contains the byte 0x25 (%), printf will evaluate
it as a format specifier. For example, \x25\x64 (%d) will evaluate to 0. If
the payload starts with a hyphen, printf will interpret it as an option.

> diff --git a/scripts/hornet/extract-map.sh b/scripts/hornet/extract-map.sh
> new file mode 100755
> index 0000000000000..c309f505c6238
> --- /dev/null
> +++ b/scripts/hornet/extract-map.sh
[ ... ]
> +if [ $ARGC -ne $EXPECTED_ARGS ] ; then
> +    usage
> +else
> +    printf $(gcc -E $1 | grep "opts_data" | \
> +		 awk -F"=" '{print $2}' | sed 's/;\+$//' | sed 's/\"//g')
> +fi

This isn't a bug, but extract-insn.sh and extract-map.sh appear to duplicate
the functionality of extract-skel.sh, which cleanly accepts the target
field (insn or data) as a command-line parameter.

Could these redundant scripts be consolidated to avoid duplicating the
unquoted printf and grep issues across multiple files?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260416173500.176716-1-bboscaccy@linux.microsoft.com?part=8

next prev parent reply	other threads:[~2026-04-16 21:44 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-16 17:33 [PATCH v4 00/10] Reintroduce Hornet LSM Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 01/10] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2026-04-16 19:26   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 02/10] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2026-04-16 19:56   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2026-04-16 20:17   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 04/10] lsm: framework for BPF integrity verification Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 05/10] lsm: security: Add additional enum values for bpf integrity checks Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 06/10] security: Hornet LSM Blaise Boscaccy
2026-04-16 21:24   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 07/10] hornet: Introduce gen_sig Blaise Boscaccy
2026-04-16 21:33   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 08/10] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2026-04-16 21:44   ` sashiko-bot [this message]
2026-04-16 17:33 ` [PATCH v4 09/10] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2026-04-16 21:55   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 10/10] ipe: Add BPF program load policy enforcement via Hornet integration Blaise Boscaccy
2026-04-16 21:03   ` Fan Wu
2026-04-16 22:17   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260416214447.D7713C2BCAF@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox