From: sashiko-bot@kernel.org
To: "Aaron Tomlin" <atomlin@atomlin.com>
Cc: bpf@vger.kernel.org
Subject: Re: [RFC PATCH v3] bpf: introduce TAINT_UNSAFE_BPF for mutating helpers
Date: Sun, 03 May 2026 17:01:13 +0000 [thread overview]
Message-ID: <20260503170113.D6786C2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260503164700.548164-1-atomlin@atomlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Premature kernel tainting in bpf_prog_load() before the program is fully loaded and exposed.
--
commit b04c8335f7a6d97d5ae1eb32256b36d77ac00d40
Author: Aaron Tomlin <atomlin@atomlin.com>
bpf: introduce TAINT_UNSAFE_BPF for mutating helpers
This patch introduces a new kernel taint flag (TAINT_UNSAFE_BPF / "V") to
indicate when an eBPF program utilizing destructive or mutating helpers is
loaded.
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
[ ... ]
> @@ -3083,6 +3083,13 @@ static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size)
> if (err < 0)
> goto free_used_maps;
>
> + /*
> + * The program has passed the verifier. If it utilises unsafe
> + * helpers, formally taint the kernel now.
> + */
> + if (prog->aux->taints_kernel)
> + add_taint(TAINT_UNSAFE_BPF, LOCKDEP_STILL_OK);
> +
> err = bpf_prog_mark_insn_arrays_ready(prog);
> if (err < 0)
> goto free_used_maps;
Is it possible for the kernel to be tainted prematurely here?
If bpf_prog_mark_insn_arrays_ready() or bpf_prog_alloc_id() fail, the BPF
program load is aborted, the program is freed, and it is never exposed to
user space or executed. Consequently, the kernel's execution flow and memory
could not have been compromised by the program.
Should the add_taint() call be deferred until after bpf_prog_alloc_id()
completes successfully, which is the point where the program is actually
exposed and cannot go away underneath us?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260503164700.548164-1-atomlin@atomlin.com?part=1
Thread overview: 4+ messages
2026-05-03 16:47 [RFC PATCH v3] bpf: introduce TAINT_UNSAFE_BPF for mutating helpers Aaron Tomlin
2026-05-03 17:01 ` sashiko-bot [this message]
2026-05-03 19:51 ` Alexei Starovoitov
2026-05-03 20:14 ` Aaron Tomlin