From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 04/10] bpf, x86: add helper to emit kasan checks in x86 JITed programs
Date: Wed, 01 Jul 2026 10:16:45 +0000 [thread overview]
Message-ID: <20260701101645.D14D21F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701-kasan-v3-4-bd09bb942d86@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] emit_kasan_check() fails to save BPF_REG_AX (R10), leading to memory corruption when combined with constant blinding.
--
commit 4c7e1a72bec793ca4ed19fd754408dd627715a3c
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
bpf, x86: add helper to emit kasan checks in x86 JITed programs
This patch adds emit_kasan_check() to emit KASAN shadow memory checks before
memory accesses in x86 JIT-compiled BPF programs. The helper saves temporary
registers before calling the KASAN functions, but deliberately omits r10 and
r11 to reduce overhead.
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index 054e043ffcd22..68c5f9f94e5e2 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
[ ... ]
> @@ -1110,6 +1121,90 @@ static void maybe_emit_1mod(u8 **pprog, u32 reg, bool is64)
> *pprog = prog;
> }
>
> +static int emit_kasan_check(struct bpf_verifier_env *env, u8 **pprog,
> + u32 addr_reg, struct bpf_insn *insn, u8 *ip,
> + bool is_write, bool accesses_stack_only)
> +{
[ ... ]
> + /* Save r8 */
> + EMIT2(0x41, 0x50);
> + /* Save r9 */
> + EMIT2(0x41, 0x51);
> +
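Review bot: Only r8 and r9 are pushed here (`EMIT2(0x41, 0x50)`, `EMIT2(0x41, 0x51)`) before the call into the KASAN C helper, while the commit message says r10 and r11 are skipped on purpose; r10 is BPF_REG_AX, which bpf_jit_blind_insn() uses as the source register of the rewritten BPF_STX_MEM, so a callee that clobbers it under the System V ABI corrupts the value stored right after the check. Either push/pop r10 around the call as well (`EMIT2(0x41, 0x52)` / `EMIT2(0x41, 0x5a)`), or add a comment explaining why the callee can never touch r10 at this point.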
[Severity: Critical]
Can this lead to data corruption when BPF constant blinding is enabled?
The commit message notes that r10 and r11 are skipped here to reduce
overhead. However, when constant blinding is enabled, bpf_jit_blind_insn()
in kernel/bpf/core.c translates BPF_ST_MEM into a sequence that uses
BPF_REG_AX (which maps to x86's r10) as the source register:
kernel/bpf/core.c:bpf_jit_blind_insn() {
        ...
        case BPF_ST | BPF_MEM | BPF_DW:
                *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
                *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
                *to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX,
                                    from->off);
        ...
}
When do_jit() processes this BPF_STX_MEM, it first calls emit_kasan_check(),
which invokes the C function __asan_storeX. Since __asan_storeX is a standard
C function, it is permitted by the System V AMD64 ABI to clobber caller-saved
registers like r10.
Upon returning from the KASAN check, r10 might contain garbage. Then do_jit()
calls emit_stx() which will use this clobbered r10 as the data to be written,
potentially writing corrupted data to memory.
Should BPF_REG_AX (r10) be explicitly saved and restored here to prevent this?
> + /* mov rdi, addr_reg */
> + EMIT_mov(BPF_REG_1, addr_reg);
> +
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=4
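The following is an added example, not code from the patch series or from the review above: a small C model of the failure mode the review describes. It mirrors the BPF_ST | BPF_MEM blinding case (MOV AX, imm_rnd ^ imm; XOR AX, imm_rnd; STX dst, AX), runs a KASAN-check stand-in before each store that clobbers BPF_REG_AX the way a System V callee may clobber r10, and compares the value that reaches memory with and without saving AX around the call. The register layout, opcode names, imm_rnd and the clobber pattern are all constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
/* Toy model, constructed for this example: BPF registers R0..R10 plus AX
 * (index 11, lives in x86 r10); the KASAN call is a C function, so the
 * System V ABI allows it to clobber r10 without restoring it. */
enum { BPF_REG_AX = 11, NREGS = 12 };
enum { OP_ST_IMM, OP_MOV_IMM, OP_XOR_IMM, OP_STX };
struct insn { uint8_t op, dst, src; int32_t imm; };
/* Mirrors the BPF_ST | BPF_MEM case of bpf_jit_blind_insn(): the immediate
 * is never emitted in clear but rebuilt in AX with two ALU ops. */
static int blind_st(const struct insn *from, struct insn *to, uint32_t imm_rnd)
{
	to[0] = (struct insn){ OP_MOV_IMM, BPF_REG_AX, 0, (int32_t)(imm_rnd ^ from->imm) };
	to[1] = (struct insn){ OP_XOR_IMM, BPF_REG_AX, 0, (int32_t)imm_rnd };
	to[2] = (struct insn){ OP_STX, from->dst, BPF_REG_AX, 0 };
	return 3;
}
/* Stand-in for the __asan_storeX call emitted by emit_kasan_check(): a C
 * callee is free to scribble on caller-saved r10, i.e. BPF_REG_AX. */
static void kasan_check(uint64_t *regs, bool save_ax)
{
	uint64_t saved = regs[BPF_REG_AX];
	regs[BPF_REG_AX] = 0xdeadbeefcafef00dULL;   /* callee clobbers r10 */
	if (save_ax)
		regs[BPF_REG_AX] = saved;           /* push/pop r10 around the call */
}
/* Execute the (blinded) program; memory is a single 64-bit slot. A check
 * is run before every store, as the JIT does for each memory access. */
static uint64_t run(const struct insn *p, int n, bool save_ax)
{
	uint64_t regs[NREGS] = { 0 }, mem = 0;
	for (int i = 0; i < n; i++) {
		switch (p[i].op) {
		case OP_MOV_IMM: regs[p[i].dst] = (int64_t)p[i].imm; break;
		case OP_XOR_IMM: regs[p[i].dst] ^= (int64_t)p[i].imm; break;
		case OP_ST_IMM: kasan_check(regs, save_ax); mem = (int64_t)p[i].imm; break;
		case OP_STX: kasan_check(regs, save_ax); mem = regs[p[i].src]; break;
		}
	}
	return mem;
}
/* Store immediate 0x1234 through the stack pointer (R10) with blinding on;
 * returns what actually reached memory. */
uint64_t stored_value(bool save_ax)
{
	struct insn st = { OP_ST_IMM, 10, 0, 0x1234 }, prog[3];
	int n = blind_st(&st, prog, 0x5a5a5a5a);   /* imm_rnd: constructed value */
	return run(prog, n, save_ax);
}
```

With `save_ax` false the slot receives the clobber pattern instead of 0x1234, which is the corruption the review points at; saving and restoring AX around the check makes the blinded store behave like the original BPF_ST_MEM.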