From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs
Date: Wed, 01 Jul 2026 10:18:03 +0000	[thread overview]
Message-ID: <20260701101804.0E4111F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260701-kasan-v3-6-bd09bb942d86@bootlin.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] emit_kasan_check fails to save and restore x86 caller-saved registers R10 (BPF_REG_AX) and R11 (AUX_REG), causing BPF register corruption.
--

commit f9acd1352526b0ce263a176070ea1146c5f57a4a
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

bpf, x86: emit KASAN checks into x86 JITed programs

Insert KASAN shadow memory checks before memory load and store
operations in JIT-compiled BPF programs. This helps detect memory safety
bugs such as use-after-free and out-of-bounds accesses at runtime.

> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index b70cecfec1793..a383ffc8f2899 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c

[ ... ]

> @@ -2605,14 +2640,14 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>  			}
>  			fallthrough;
>  		case BPF_STX | BPF_ATOMIC | BPF_W:
> -		case BPF_STX | BPF_ATOMIC | BPF_DW:
> +		case BPF_STX | BPF_ATOMIC | BPF_DW: {
> +			bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> +			u32 real_src_reg = src_reg;
> +			u32 real_dst_reg = dst_reg;
> +			u8 *branch_target;
>  			if (insn->imm == (BPF_AND | BPF_FETCH) ||
>  			    insn->imm == (BPF_OR | BPF_FETCH) ||
>  			    insn->imm == (BPF_XOR | BPF_FETCH)) {
>  
>  				/*
>  				 * Can't be implemented with a single x86 insn.
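Review bot: hoisting the four declarations to the case block gives is64 and real_src_reg case-wide scope although neither has a use in the visible lines outside the FETCH branch; real_dst_reg is the one that has to outlive that branch (it is handed to emit_kasan_check() afterwards), so moving only it, or adding a comment on why the others move too, keeps the scope change to what the KASAN check needs. The "{" opened on the BPF_DW case label also needs its closing "}" after the case body, which falls outside this hunk's context, so please double-check it is present.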
> @@ -2626,7 +2661,19 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
>  				if (dst_reg == BPF_REG_0)
>  					real_dst_reg = BPF_REG_AX;
>  
> +				ip += 3;
> +			}
> +			if (!bpf_atomic_is_load_store(insn)) {
> +				err = emit_kasan_check(env, &prog, real_dst_reg,
> +						       insn, ip, false,
> +						       accesses_stack_only);

[Severity: Critical]
Does emit_kasan_check() correctly preserve x86 caller-saved registers like R10
(BPF_REG_AX) and R11 (AUX_REG)?

Looking at emit_kasan_check(), it saves r8 and r9 before the C function call
but seems to miss saving r10 and r11:

    /* Save rdi */
    EMIT1(0x57);
    /* Save r8 */
    EMIT2(0x41, 0x50);
    /* Save r9 */
    EMIT2(0x41, 0x51);

    /* mov rdi, addr_reg */

Because the x86-64 System V ABI allows C functions like __asan_load* to
clobber R10 and R11, failing to save and restore them before the call can
corrupt BPF registers.

For example, in the atomic block above, BPF_REG_AX (R10) is used to temporarily
save BPF_REG_0 across the emit_kasan_check() call. If __asan_load* clobbers
BPF_REG_AX, the restored BPF_REG_0 will contain garbage, which could be used to
bypass verifier checks and lead to out-of-bounds kernel memory accesses.

> +				if (err)
> +					return err;
>  				branch_target = prog;
> +			}
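Review bot: the "ip += 3;" added after the real_dst_reg adjustment is a magic number: nothing in the hunk says which emitted instruction those three bytes account for before ip is passed to emit_kasan_check(). Either derive the adjustment from how far prog has advanced since the start of this instruction, or give the constant a name and a one-line comment. A short comment on why atomic load/store instructions are skipped here (the !bpf_atomic_is_load_store(insn) test) and where they receive their check instead would also help the next reader.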

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=6
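The save/restore sequence the review asks for, as an added example that is not part of the patch or of the bot's review: a small stand-alone encoder that produces the push / call / pop bytes in the same form the kernel's EMIT macros write them, plus a structural check that every register pushed before the call is popped again, in reverse order, after it. The register lists, the placeholder "call rel32" with a zero displacement and all function names are this example's own; the kernel's emit_kasan_check() is not reproduced here.

```c
#include <stdint.h>
#include <string.h>

/* x86-64 register numbers as used by the push/pop opcode encoding. */
enum { RDI = 7, R8 = 8, R9 = 9, R10 = 10, R11 = 11 };

/* What the posted emit_kasan_check() saves (rdi, r8, r9) and what the review
 * asks for in addition (r10 = BPF_REG_AX, r11 = AUX_REG). Constructed lists. */
static const int REGS_AS_POSTED[] = { RDI, R8, R9 };
static const int REGS_WITH_FIX[]  = { RDI, R8, R9, R10, R11 };

/* push r encodes as 0x50+r, pop r as 0x58+r; r8-r15 need a REX.B prefix
 * (0x41) first, which is why the kernel writes EMIT2(0x41, 0x50) for push r8.
 * Returns the number of bytes written. */
static size_t emit_pushpop(uint8_t *buf, int reg, int is_pop)
{
	size_t n = 0;
	if (reg >= 8)
		buf[n++] = 0x41;
	buf[n++] = (is_pop ? 0x58 : 0x50) + (reg & 7);
	return n;
}

/* Emit pushes for regs[0..nregs), a placeholder "call rel32" (e8 plus four
 * zero bytes; a real JIT fills in the displacement), then the matching pops
 * in reverse order. Returns the total length; buf needs 4*nregs+5 bytes. */
static size_t emit_saved_call(uint8_t *buf, const int *regs, size_t nregs)
{
	size_t off = 0, i;
	for (i = 0; i < nregs; i++)
		off += emit_pushpop(buf + off, regs[i], 0);
	buf[off++] = 0xe8;
	memset(buf + off, 0, 4);
	off += 4;
	for (i = nregs; i-- > 0;)
		off += emit_pushpop(buf + off, regs[i], 1);
	return off;
}

/* Does the saved set cover both scratch registers the review says the BPF
 * JIT keeps live across the call (r10 and r11)? */
static int saves_bpf_scratch_regs(const int *regs, size_t nregs)
{
	int have_r10 = 0, have_r11 = 0;
	size_t i;
	for (i = 0; i < nregs; i++) {
		if (regs[i] == R10)
			have_r10 = 1;
		if (regs[i] == R11)
			have_r11 = 1;
	}
	return have_r10 && have_r11;
}

/* Decode one push (is_pop == 0) or pop (is_pop != 0) at p. Returns the bytes
 * consumed, or 0 if p does not start with one. */
static int decode_one(const uint8_t *p, size_t left, int is_pop, int *reg)
{
	int base = is_pop ? 0x58 : 0x50;
	if (left >= 2 && p[0] == 0x41 && p[1] >= base && p[1] < base + 8) {
		*reg = 8 + (p[1] - base);
		return 2;
	}
	if (left >= 1 && p[0] >= base && p[0] < base + 8) {
		*reg = p[0] - base;
		return 1;
	}
	return 0;
}

/* Structural check: every register pushed before the call must be popped
 * again after it, in reverse order, with nothing left over. */
static int pushes_match_pops(const uint8_t *buf, size_t len)
{
	int pushed[16], reg, n;
	size_t npush = 0, off = 0;
	while (off < len && (n = decode_one(buf + off, len - off, 0, &reg)) > 0) {
		if (npush == 16)
			return 0;
		pushed[npush++] = reg;
		off += (size_t)n;
	}
	if (off + 5 > len || buf[off] != 0xe8)
		return 0;
	off += 5;
	while (npush > 0) {
		n = decode_one(buf + off, len - off, 1, &reg);
		if (n == 0 || reg != pushed[--npush])
			return 0;
		off += (size_t)n;
	}
	return off == len;
}

/* Encode regs and compare the result against an expected byte string. */
static int sequence_equals(const int *regs, size_t nregs,
			   const uint8_t *expect, size_t expect_len)
{
	uint8_t buf[64];
	size_t len = emit_saved_call(buf, regs, nregs);
	return len == expect_len && memcmp(buf, expect, len) == 0;
}
```

Encoding REGS_AS_POSTED reproduces the 57 41 50 41 51 prologue quoted in the review, with 41 59 41 58 5f after the call; REGS_WITH_FIX adds 41 52 41 53 before the call and 41 5b 41 5a after it, and only that set satisfies saves_bpf_scratch_regs(). pushes_match_pops() is the kind of check a JIT self-test can run over emitted bytes: it rejects a sequence whose pops are missing or in the wrong order.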

Thread overview: 22+ messages
2026-07-01 10:02 [PATCH bpf-next v3 00/10] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program Alexis Lothoré (eBPF Foundation)
2026-07-01 10:20   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 02/10] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-07-01 10:19   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 03/10] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:12   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 13:43   ` Andrey Konovalov
2026-07-01 10:02 ` [PATCH bpf-next v3 04/10] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-07-01 10:16   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 05/10] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:18   ` sashiko-bot [this message]
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 07/10] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-07-01 10:15   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 08/10] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 09/10] selftests/bpf: move bpf_jit_harden helper into testing_helpers Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 10/10] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:34   ` sashiko-bot
