From: sashiko-bot@kernel.org
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 10/10] selftests/bpf: add tests to validate KASAN on JIT programs
Date: Wed, 01 Jul 2026 10:34:13 +0000	[thread overview]
Message-ID: <20260701103414.03E1C1F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260701-kasan-v3-10-bd09bb942d86@bootlin.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] Uninitialized stack memory is passed to the kernel via bpf_prog_test_run_opts, causing potential information leaks and triggering MSAN warnings.
- [Medium] The KASAN report parser is susceptible to spurious failures due to kernel log interleaving.
--

commit e974c567c6b3da1ae6e1c27c442840d9bd396091
Author: Alexis Lothoré (eBPF Foundation) <alexis.lothore@bootlin.com>

selftests/bpf: add tests to validate KASAN on JIT programs

This patch adds a basic KASAN test runner that loads and test-runs BPF programs
designed to trigger memory management bugs. The test captures kernel logs and
ensures the expected KASAN splat is emitted by searching for the corresponding
first lines in the report.

> diff --git a/tools/testing/selftests/bpf/prog_tests/kasan.c b/tools/testing/selftests/bpf/prog_tests/kasan.c
> new file mode 100644
> index 0000000000000..ff070c39eaac1
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/kasan.c

[ ... ]

> +static int check_kasan_report_in_kernel_logs(char *buf, struct test_ctx *ctx,
> +					     bool is_write, int size)
> +{
> +	char *access_desc_start, *access_desc_end, *tmp;

[ ... ]

> +	/* Find next line */
> +	access_desc_start = strchr(kasan_report_start, '\n');
> +	if (!access_desc_start)
> +		return 1;
> +	access_desc_start++;
> +
> +	access_desc_end = strchr(access_desc_start, '\n');
> +	if (!access_desc_end)
> +		return 1;
> +
> +	nsize = snprintf(access_log, READ_CHUNK_SIZE, KASAN_PATTERN_REPORT,
> +			 is_write ? "Write" : "Read", size);
> +
> +	tmp = memmem(access_desc_start, access_desc_end - access_desc_start,
> +		     access_log, nsize);
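Review bot: nsize from `nsize = snprintf(access_log, READ_CHUNK_SIZE, KASAN_PATTERN_REPORT, ...)` is the length the formatted string would have had, not the number of bytes actually stored, so if the pattern plus the size argument ever exceeds READ_CHUNK_SIZE the following `memmem(access_desc_start, ..., access_log, nsize)` reads past the end of access_log. Add a bounds check before the search, for example `if (nsize < 0 || nsize >= READ_CHUNK_SIZE) return 1;`.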

[Severity: Medium]
Could this fail if other kernel components interleave log messages between the
KASAN header and the access description?

The parser assumes the exact next newline-delimited block contains the access
description. However, the report_lock used by KASAN internally only serializes
KASAN reports with each other, not with general printk output from other CPUs
or contexts. If another component prints a message precisely between the KASAN
header and the access description, the search bounds might be restricted to an
unrelated interleaved log line, causing memmem() to fail and making the test
flaky.

> +
> +	if (!tmp)
> +		return 1;
> +
> +	return 0;
> +}

[ ... ]

> +static void exec_subtest(struct test_ctx *ctx, struct test_spec *test,
> +			 int access_size, bool on_stack)
> +{
> +	LIBBPF_OPTS(bpf_test_run_opts, topts);
> +	struct bpf_prog_info info;
> +	uint8_t buf[ETH_HLEN];
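Review bot: `struct bpf_prog_info info;` is declared without an initializer; if it is later passed to bpf_prog_get_info_by_fd() together with the info_len declared below, it should be zeroed first (`struct bpf_prog_info info = {};`), because the kernel reads caller-supplied fields such as nr_map_ids and the output buffer pointers from that struct and stack garbage there fails the call or corrupts memory.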

[Severity: Medium]
Should buf be initialized before being passed to bpf_prog_test_run_opts()?

Uninitialized stack memory from the test executable is assigned to
topts.data_in and leaked into the kernel space via copy_from_user():

	topts.data_in = buf;
	ret = bpf_prog_test_run_opts(bpf_program__fd(ctx->prog), &topts);

This uninitialized access can trigger userspace dynamic analysis tools such as
MemorySanitizer (MSAN) when running the BPF selftests, causing spurious test
suite failures.

> +	int ret, prog_fd;
> +	__u32 info_len;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260701-kasan-v3-0-bd09bb942d86@bootlin.com?part=10
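A tolerant variant of the access-line search discussed in the interleaving comment above, added here as an illustration and not part of the patch or of the Sashiko output; the function and macro names, the line budget and the sample log are constructed assumptions:

```c
/* Constructed example: search for the KASAN access line within a bounded
 * number of lines after the "BUG: KASAN:" header, so an unrelated printk
 * interleaved between header and access description does not break the
 * match. Names here are hypothetical, not those of the selftest. */
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KASAN_HEADER   "BUG: KASAN:"
#define ACCESS_FMT     "%s of size %d"
#define MAX_SKIP_LINES 8   /* how far past the header we are willing to look */

/* Return 0 when "<Read|Write> of size <size>" appears on one of the
 * MAX_SKIP_LINES lines following the KASAN header, 1 otherwise. */
int find_kasan_access(const char *log, bool is_write, int size)
{
	char pattern[64];
	const char *hdr, *line, *eol;
	int n, i;

	hdr = strstr(log, KASAN_HEADER);
	if (!hdr)
		return 1;

	n = snprintf(pattern, sizeof(pattern), ACCESS_FMT,
		     is_write ? "Write" : "Read", size);
	if (n < 0 || n >= (int)sizeof(pattern))   /* truncated: cannot match */
		return 1;

	/* Skip the rest of the header line, then examine the lines after it,
	 * one at a time, stopping at end of buffer or at the line budget. */
	line = strchr(hdr, '\n');
	for (i = 0; line && i < MAX_SKIP_LINES; i++) {
		line++;
		eol = strchr(line, '\n');
		size_t len = eol ? (size_t)(eol - line) : strlen(line);
		if (memmem(line, len, pattern, n))
			return 0;
		line = eol;
	}
	return 1;
}

/* Constructed log: a driver message lands between the KASAN header and
 * the access description, which a strict next-line parser would miss. */
static const char sample_log[] =
	"[   12.001] BUG: KASAN: stack-out-of-bounds in bpf_prog_example+0x3c/0x80\n"
	"[   12.002] e1000e: eth0 NIC Link is Up 1000 Mbps Full Duplex\n"
	"[   12.003] Write of size 8 at addr ffffc90000000f40 by task test_progs/412\n";
```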


Thread overview: 22+ messages
2026-07-01 10:02 [PATCH bpf-next v3 00/10] bpf: add support for KASAN checks in JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 01/10] bpf: propagate original instruction offset when patching program Alexis Lothoré (eBPF Foundation)
2026-07-01 10:20   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 02/10] bpf: mark instructions accessing program stack Alexis Lothoré (eBPF Foundation)
2026-07-01 10:19   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 03/10] bpf: add BPF_JIT_KASAN for KASAN instrumentation of JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:12   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 13:43   ` Andrey Konovalov
2026-07-01 10:02 ` [PATCH bpf-next v3 04/10] bpf, x86: add helper to emit kasan checks in x86 " Alexis Lothoré (eBPF Foundation)
2026-07-01 10:16   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 05/10] bpf, x86: refactor BPF_ST management in do_jit Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 06/10] bpf, x86: emit KASAN checks into x86 JITed programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:18   ` sashiko-bot
2026-07-01 10:44   ` bot+bpf-ci
2026-07-01 10:02 ` [PATCH bpf-next v3 07/10] bpf, x86: enable KASAN for JITed programs on x86 Alexis Lothoré (eBPF Foundation)
2026-07-01 10:15   ` sashiko-bot
2026-07-01 10:02 ` [PATCH bpf-next v3 08/10] selftests/bpf: add helper to check whether eBPF KASAN is active Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 09/10] selftests/bpf: move bpf_jit_harden helper into testing_helpers Alexis Lothoré (eBPF Foundation)
2026-07-01 10:02 ` [PATCH bpf-next v3 10/10] selftests/bpf: add tests to validate KASAN on JIT programs Alexis Lothoré (eBPF Foundation)
2026-07-01 10:34   ` sashiko-bot [this message]
