From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs
Date: Wed, 01 Jul 2026 10:18:03 +0000
Message-ID: <20260701101804.0E4111F000E9@smtp.kernel.org>
In-Reply-To: <20260701-kasan-v3-6-bd09bb942d86@bootlin.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] emit_kasan_check fails to save and restore x86 caller-saved registers R10 (BPF_REG_AX) and R11 (AUX_REG), causing BPF register corruption.
--
commit f9acd1352526b0ce263a176070ea1146c5f57a4a
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>
bpf, x86: emit KASAN checks into x86 JITed programs
Insert KASAN shadow memory checks before memory load and store
operations in JIT-compiled BPF programs. This helps detect memory safety
bugs such as use-after-free and out-of-bounds accesses at runtime.
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index b70cecfec1793..a383ffc8f2899 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
[ ... ]
> @@ -2605,14 +2640,14 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
> }
> fallthrough;
> case BPF_STX | BPF_ATOMIC | BPF_W:
> - case BPF_STX | BPF_ATOMIC | BPF_DW:
> + case BPF_STX | BPF_ATOMIC | BPF_DW: {
> + bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> + u32 real_src_reg = src_reg;
> + u32 real_dst_reg = dst_reg;
> + u8 *branch_target;
> if (insn->imm == (BPF_AND | BPF_FETCH) ||
> insn->imm == (BPF_OR | BPF_FETCH) ||
> insn->imm == (BPF_XOR | BPF_FETCH)) {
>
> /*
> * Can't be implemented with a single x86 insn.
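Review bot: `is64` and `real_src_reg` are hoisted into the new case-scoped block opened by `case BPF_STX | BPF_ATOMIC | BPF_DW: {`, but nothing in the quoted lines reads either of them, and the header `@@ -2605,14 +2640,14 @@` says the hunk keeps its length while only one `-` and five `+` lines are shown, so lines have been elided from this quote. Please confirm both variables are still consumed on the FETCH (cmpxchg loop) path; if `is64` is only needed there, keep its declaration inside that `if` rather than widening its scope to the whole case. Opening the block on the case label also means its `}` must close before the next `case` label, otherwise the hoisted declarations become visible to the following switch arm.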
> @@ -2626,7 +2661,19 @@ static int do_jit(struct bpf_verifier_env *env, struct bpf_prog *bpf_prog, int *
> if (dst_reg == BPF_REG_0)
> real_dst_reg = BPF_REG_AX;
>
> + ip += 3;
> + }
> + if (!bpf_atomic_is_load_store(insn)) {
> + err = emit_kasan_check(env, &prog, real_dst_reg,
> + insn, ip, false,
> + accesses_stack_only);
[Severity: Critical]
Does emit_kasan_check() correctly preserve x86 caller-saved registers like R10
(BPF_REG_AX) and R11 (AUX_REG)?
Looking at emit_kasan_check(), it saves r8 and r9 before the C function call
but seems to miss saving r10 and r11:
/* Save rdi */
EMIT1(0x57);
/* Save r8 */
EMIT2(0x41, 0x50);
/* Save r9 */
EMIT2(0x41, 0x51);
/* mov rdi, addr_reg */
Because the x86-64 System V ABI allows C functions like __asan_load* to
clobber R10 and R11, failing to save and restore them before the call can
corrupt BPF registers.
For example, in the atomic block above, BPF_REG_AX (R10) is used to temporarily
save BPF_REG_0 across the emit_kasan_check() call. If __asan_load* clobbers
BPF_REG_AX, the restored BPF_REG_0 will contain garbage, which could be used to
bypass verifier checks and lead to out-of-bounds kernel memory accesses.
> + if (err)
> + return err;
> branch_target = prog;
> + }
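Review bot: `ip += 3;` is a bare constant with no comment saying which emitted instruction those three bytes belong to, or why `ip` has to be advanced before it is handed to emit_kasan_check(); either document it or derive it from what was actually emitted (snapshot `prog` before the instruction and add `prog - start`) so the offset cannot drift if the encoding changes. The literal `false` passed to emit_kasan_check() is equally opaque at the call site since an atomic both reads and writes the location; an inline `/* ... */` annotation naming the parameter, or a named constant, would help. Finally, as quoted, `branch_target = prog;` sits between `return err;` and the closing `+ }`, which reads as if the assignment were inside the `if (!bpf_atomic_is_load_store(insn))` block; the quote has lost its indentation and shows 9 of the 12 added lines implied by `+2661,19`, so please confirm the intended brace structure and that `branch_target` is assigned on every path that later jumps back to it.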
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=6
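The review above turns on which x86-64 registers a C function such as __asan_load* may clobber, and on how a JIT spells the pushes that protect them. The following is an added example, not code from the patch or from the kernel tree: a stand-alone emitter in the style of the JIT's EMIT macros that computes the save set from the System V caller-saved list and a set of live registers, emits the push/call/pop sequence with the REX.B prefix that r8-r15 require, and reports which live caller-saved registers a given save sequence leaves exposed. The register-to-BPF mapping in the comment is the x86 JIT's reg2hex[] from arch/x86/net/bpf_jit_comp.c; the BPF_JIT_LIVE set, the helper names and the zero rel32 placeholder are assumptions of this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 general-purpose registers, numbered as in opcode/ModRM encoding. */
enum x86_reg {
	RAX = 0, RCX, RDX, RBX, RSP, RBP, RSI, RDI,
	R8, R9, R10, R11, R12, R13, R14, R15
};

#define REGBIT(r) (1u << (r))

/* System V AMD64 ABI: a called C function may clobber these freely. */
#define SYSV_CALLER_SAVED \
	(REGBIT(RAX) | REGBIT(RCX) | REGBIT(RDX) | REGBIT(RSI) | REGBIT(RDI) | \
	 REGBIT(R8) | REGBIT(R9) | REGBIT(R10) | REGBIT(R11))

/* x86 registers the x86-64 BPF JIT's reg2hex[] maps BPF registers onto:
 * R0=rax R1=rdi R2=rsi R3=rdx R4=rcx R5=r8 R6=rbx R7=r13 R8=r14 R9=r15
 * FP=rbp AX=r10 AUX_REG=r11. This example (an assumption, not the JIT's
 * own liveness analysis) treats all of them as live across the call. */
#define BPF_JIT_LIVE \
	(REGBIT(RAX) | REGBIT(RDI) | REGBIT(RSI) | REGBIT(RDX) | REGBIT(RCX) | \
	 REGBIT(R8) | REGBIT(RBX) | REGBIT(R13) | REGBIT(R14) | REGBIT(R15) | \
	 REGBIT(RBP) | REGBIT(R10) | REGBIT(R11))

struct emitter {
	uint8_t buf[64];
	size_t len;
};

static void emit1(struct emitter *e, uint8_t b)
{
	assert(e->len < sizeof(e->buf));
	e->buf[e->len++] = b;
}

/* push/pop r64 are 0x50+reg / 0x58+reg. r8-r15 need a REX.B (0x41) prefix,
 * which is why the JIT spells "push r8" as EMIT2(0x41, 0x50). */
static void emit_pushpop(struct emitter *e, uint8_t base, enum x86_reg r)
{
	if (r >= R8)
		emit1(e, 0x41);
	emit1(e, base | (r & 7));
}
#define emit_push(e, r) emit_pushpop((e), 0x50, (r))
#define emit_pop(e, r)  emit_pushpop((e), 0x58, (r))

/* Registers that must be spilled around an out-of-line C call: live in the
 * JITed code AND clobberable by the callee. rbx/rbp/r12-r15 are callee-saved
 * and need nothing from the caller. */
static uint32_t save_set(uint32_t live)
{
	return live & SYSV_CALLER_SAVED;
}

/* Live caller-saved registers that a given save sequence leaves exposed. */
static uint32_t unsaved_live(uint32_t live, uint32_t saved)
{
	return save_set(live) & ~saved;
}

/* Emit pushes (ascending), "call rel32", then the mirrored pops (descending).
 * rel32 is a placeholder for the caller to patch once the target is known.
 * The kernel is built with 8-byte stack alignment, so no padding push is
 * needed to meet the 16-byte-at-call rule that userspace SysV imposes. */
static size_t emit_call_preserving(struct emitter *e, uint32_t live, int32_t rel32)
{
	uint32_t save = save_set(live);
	int r;

	for (r = RAX; r <= R15; r++)
		if (save & REGBIT(r))
			emit_push(e, r);
	emit1(e, 0xE8);
	for (r = 0; r < 4; r++)
		emit1(e, (uint8_t)((uint32_t)rel32 >> (8 * r)));
	for (r = R15; r >= RAX; r--)
		if (save & REGBIT(r))
			emit_pop(e, r);
	return e->len;
}

/* Value-returning wrappers so a sequence can be inspected without a buffer. */
static size_t emitted_len(uint32_t live)
{
	struct emitter e = { .len = 0 };
	return emit_call_preserving(&e, live, 0);
}

static int emitted_byte(uint32_t live, size_t idx)
{
	struct emitter e = { .len = 0 };
	emit_call_preserving(&e, live, 0);
	return idx < e.len ? e.buf[idx] : -1;
}

int main(void)
{
	struct emitter e = { .len = 0 };
	size_t i, n = emit_call_preserving(&e, BPF_JIT_LIVE, 0);

	for (i = 0; i < n; i++)
		printf("%02x%s", e.buf[i], i + 1 < n ? " " : "\n");
	return 0;
}
```

Feeding unsaved_live() the three pushes visible in the review's excerpt (rdi, r8, r9) with every JIT-mapped register live flags r10 and r11 as exposed, which is the review's point; the excerpt is partial, so the result says nothing about what the full emit_kasan_check() saves elsewhere. A JIT that tracks liveness per instruction can pass a narrower `live` mask and emit fewer pushes, but the set must never exclude a caller-saved register that holds a BPF value across the call.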
Thread overview: 22+ messages
2026-07-01 10:02 [PATCH bpf-next v3 00/10] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program Alexis Lothoré (eBPF Foundation)
2026-07-01 10:20 ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 02/10] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-07-01 10:19 ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 03/10] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:12 ` sashiko-bot
2026-07-01 10:44 ` bot+bpf-ci
2026-07-01 13:43 ` Andrey Konovalov
2026-07-01 10:02 ` [PATCH bpf-next v3 04/10] bpf, x86: add helper to emit kasan checks in x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:16 ` sashiko-bot
2026-07-01 10:44 ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 05/10] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:18 ` sashiko-bot [this message]
2026-07-01 10:44 ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 07/10] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-07-01 10:15 ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 08/10] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 09/10] selftests/bpf: move bpf_jit_harden helper into testing_helpers Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 10/10] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:34 ` sashiko-bot