BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc()
Date: Fri, 26 Jun 2026 18:59:39 +0000	[thread overview]
Message-ID: <20260626185939.863571F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626-execmem-x86-rox-bpf-v0-v1-1-45a0b0ed4fe9@kernel.org>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Uninitialized vmalloc memory is copied into the executable BPF dispatcher image, creating an information leak and potential W^X bypass.
--

commit a818beebb25a7db7c07963818946c91a734b9050
Author: Mike Rapoport (Microsoft) <rppt@kernel.org>

bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc()

This patch changes the allocation of the temporary bpf_dispatcher->rw_image
from bpf_jit_alloc_exec() to vmalloc(). This saves space in the module address
range since the temporary buffer doesn't require executable permissions.

> diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c
> index b77db7413f8c7..a7a6a375cdd31 100644
> --- a/kernel/bpf/dispatcher.c
> +++ b/kernel/bpf/dispatcher.c
[ ... ]
> @@ -148,7 +148,10 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from,
>  		d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero);
>  		if (!d->image)
>  			goto out;
> -		d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE);
> +		/* d->rw_image doesn't need to be in module memory range, so we
> +		 * can use vmalloc.
> +		 */
> +		d->rw_image = vmalloc(PAGE_SIZE);

[Severity: High]
This is a pre-existing issue, but does allocating this temporary buffer without
zeroing it leak uninitialized memory into the executable dispatcher image?

When bpf_dispatcher_update() updates the dispatcher, it unconditionally copies
PAGE_SIZE / 2 bytes (2048 bytes) from this buffer into the executable RO+X
image:

kernel/bpf/dispatcher.c:bpf_dispatcher_update() {
    ...
    arch_prepare_bpf_dispatcher(d->rw_image, ...);
    ...
    if (IS_ERR(bpf_arch_text_copy(new, tmp, PAGE_SIZE / 2)))
    ...
}

Since arch_prepare_bpf_dispatcher() only writes a small number of
instructions into the buffer, the rest of the 2048 bytes copied by
bpf_arch_text_copy() comes from whatever was previously in this allocation.

Could this allow malicious gadgets to be sprayed into vmalloc space from
userspace and then copied into executable memory, potentially bypassing W^X
protections?

Would it be safer to use vzalloc() here to ensure the unused portions of the
buffer are padded with zeroes?

>  		if (!d->rw_image) {
>  			bpf_prog_pack_free(d->image, PAGE_SIZE);
>  			d->image = NULL;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626-execmem-x86-rox-bpf-v0-v1-0-45a0b0ed4fe9@kernel.org?part=1

  reply	other threads:[~2026-06-26 18:59 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 18:42 [PATCH bpf-next 0/5] bpf, x86: enable EXECMEM_ROX_CACHE for BPF allocations Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 1/5] bpf: dispatcher: allocate bpf_dispatcher->rw_image with vmalloc() Mike Rapoport (Microsoft)
2026-06-26 18:59   ` sashiko-bot [this message]
2026-06-26 18:42 ` [PATCH bpf-next 2/5] bpf: drop __weak from bpf_jit_alloc_exec() and bpf_jit_free_exec() Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 3/5] bpf: alloc_prog_pack(): skip ROX management for already ROX memory Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 4/5] bpf, x86: make sure allocation in arch_bpf_trampoline_size() is writable Mike Rapoport (Microsoft)
2026-06-26 18:42 ` [PATCH bpf-next 5/5] x86/bpf: enable EXECMEM_ROX_CACHE for BPF allocations Mike Rapoport (Microsoft)
2026-06-26 18:59   ` sashiko-bot
2026-06-27 14:44     ` Alexei Starovoitov
2026-07-09 12:53       ` Mike Rapoport
2026-07-09 12:53     ` Mike Rapoport
2026-07-09  8:03 ` [PATCH bpf-next 0/5] bpf, x86: " Mike Rapoport
2026-07-09 12:12   ` Daniel Borkmann
2026-07-09 12:55     ` Mike Rapoport
2026-07-10 12:30       ` Daniel Borkmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260626185939.863571F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox