Re: [PATCHv2 bpf-next 1/6] bpf: Use user_path_at for path resolution in uprobe_multi

BPF List
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Jiri Olsa" <jolsa@kernel.org>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCHv2 bpf-next 1/6] bpf: Use user_path_at for path resolution in uprobe_multi
Date: Wed, 10 Jun 2026 14:52:35 +0000	[thread overview]
Message-ID: <20260610145235.CB1441F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260610143627.804790-2-jolsa@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Missing `access_ok()` checks before calling `__get_user()` on user-controlled arrays, leading to arbitrary kernel memory read.
--

commit e18574361f20d4f27005e4d927610e3ce16986dd
Author: Jiri Olsa <jolsa@kernel.org>

bpf: Use user_path_at for path resolution in uprobe_multi

Resolve the uprobe_multi user path with user_path_at() instead of copying
the string with strndup_user() and passing it to kern_path(). This removes
the temporary allocation and keeps the lookup logic in one helper.

> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index 90432f0fc2a8e..970ce7bbf99e1 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c

[ ... ]

> @@ -3261,14 +3260,7 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
>  	uref_ctr_offsets = u64_to_user_ptr(attr->link_create.uprobe_multi.ref_ctr_offsets);
>  	ucookies = u64_to_user_ptr(attr->link_create.uprobe_multi.cookies);
>  
> -	name = strndup_user(upath, PATH_MAX);
> -	if (IS_ERR(name)) {
> -		err = PTR_ERR(name);
> -		return err;
> -	}
> -
> -	err = kern_path(name, LOOKUP_FOLLOW, &path);
> -	kfree(name);
> +	err = user_path_at(AT_FDCWD, upath, LOOKUP_FOLLOW, &path);
>  	if (err)
>  		return err;
>  

[Severity: Critical]
This isn't a bug introduced by this patch, but while looking at
bpf_uprobe_multi_link_attach(), I noticed the user-provided arrays
uoffsets, uref_ctr_offsets, and ucookies are accessed shortly after this
path resolution:

kernel/trace/bpf_trace.c:bpf_uprobe_multi_link_attach() {
    ...
    if (__get_user(uprobes[i].offset, uoffsets + i)) {
    ...
    if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {
    ...
    if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
    ...
}

Are these arrays validated with access_ok() before __get_user() is called?

Because __get_user() bypasses the access_ok() address-space bounds check
on most architectures, could an attacker supply kernel addresses for these
arrays, causing the kernel to read arbitrary memory and store it into the
uprobes structures?

If an attacker retrieves these contents by querying the link info via
bpf_obj_get_info_by_fd() (which calls bpf_uprobe_multi_link_fill_link_info()
and copies the memory back to user space), could this act as an arbitrary
kernel memory read primitive to bypass kernel lockdown and KASLR?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260610143627.804790-2-jolsa@kernel.org?part=1

next prev parent reply	other threads:[~2026-06-10 14:52 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-10 14:36 [PATCHv2 bpf-next 0/6] bpf: Allow uprobe_multi binary specified by file descriptor Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 1/6] bpf: Use user_path_at for path resolution in uprobe_multi Jiri Olsa
2026-06-10 14:52   ` sashiko-bot [this message]
2026-06-11  9:37     ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 2/6] bpf: Add support to specify uprobe_multi target via file descriptor Jiri Olsa
2026-06-10 15:51   ` bot+bpf-ci
2026-06-11  9:37     ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 3/6] libbpf: Add path_fd to struct bpf_link_create_opts Jiri Olsa
2026-06-10 14:50   ` sashiko-bot
2026-06-11  9:37     ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 4/6] selftests/bpf: Add uprobe_multi path_fd test Jiri Olsa
2026-06-10 14:50   ` sashiko-bot
2026-06-11  9:37     ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 5/6] selftests/bpf: Add uprobe_multi path_fd fail tests Jiri Olsa
2026-06-10 14:48   ` sashiko-bot
2026-06-11  9:37     ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 6/6] selftests/bpf: Fix typo in verify_umulti_link_info Jiri Olsa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260610145235.CB1441F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=jolsa@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox