From: sashiko-bot@kernel.org
To: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 14/17] bpf: Report Policy helper and kfunc errors
Date: Mon, 13 Jul 2026 16:09:48 +0000 [thread overview]
Message-ID: <20260713160948.D3A691F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713153910.2556007-15-memxor@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The verifier reads and dereferences an uninitialized stack variable `meta.func_name` when `bpf_fetch_kfunc_arg_meta` fails early with `-EACCES`, leading to an out-of-bounds read or kernel panic when formatting diagnostic messages.
--
--- Patch [14]: [PATCH bpf-next v3 14/17] bpf: Report Policy helper and kfunc errors ---
commit 64c35288a6fbbafb58f170cb81136c83e594cbdd
Author: Kumar Kartikeya Dwivedi <memxor@gmail.com>
bpf: Report Policy helper and kfunc errors
This commit augments selected helper and kfunc allowability failures with
Policy reports to explain which requested operation is forbidden and why.
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 44e1907ac792d..c67646f981342 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -13961,8 +13985,14 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
> return 0;
>
> err = bpf_fetch_kfunc_arg_meta(env, insn->imm, insn->off, &meta);
> - if (err == -EACCES && meta.func_name)
> + if (err == -EACCES && meta.func_name) {
> verbose(env, "calling kernel function %s is not allowed\n", meta.func_name);
> + operation = bpf_diag_scratch_printf(env, 1, "kfunc %s", meta.func_name);
[Severity: High]
This is a pre-existing issue, but could meta.func_name be uninitialized here
when bpf_fetch_kfunc_arg_meta() fails early?
Looking at bpf_fetch_kfunc_arg_meta(), if fetch_kfunc_meta() fails and
returns -EACCES, the function returns early before the meta struct is
initialized:
err = fetch_kfunc_meta(env, func_id, offset, &kfunc);
if (err)
return err;
memset(meta, 0, sizeof(*meta));
Because meta is declared on the stack in check_kfunc_call(), an early error
return leaves it containing uninitialized stack garbage. If this garbage
evaluates to non-NULL in the err == -EACCES && meta.func_name check, won't
this lead to an out-of-bounds memory read when attempting to format the
garbage pointer as a string in verbose() and bpf_diag_scratch_printf()?
> + bpf_diag_report_policy(env, insn_idx, operation,
> + "this program cannot call the kfunc",
> + "Use a kfunc allowed for this program type and attach "
> + "point, or change the program context.");
> + }
> if (err)
> return err;
> desc_btf = meta.btf;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713153910.2556007-1-memxor@gmail.com?part=14
next prev parent reply other threads:[~2026-07-13 16:09 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 15:38 [PATCH bpf-next v3 00/17] Redesign Verification Errors Kumar Kartikeya Dwivedi
2026-07-13 15:38 ` [PATCH bpf-next v3 01/17] bpf: Add verifier diagnostics report helpers Kumar Kartikeya Dwivedi
2026-07-13 15:50 ` sashiko-bot
2026-07-13 15:38 ` [PATCH bpf-next v3 02/17] bpf: Add source and instruction diagnostic context Kumar Kartikeya Dwivedi
2026-07-13 15:38 ` [PATCH bpf-next v3 03/17] bpf: Add verifier diagnostic event log Kumar Kartikeya Dwivedi
2026-07-13 15:54 ` sashiko-bot
2026-07-13 15:38 ` [PATCH bpf-next v3 04/17] bpf: Prune verifier diagnostics when switching paths Kumar Kartikeya Dwivedi
2026-07-13 16:02 ` sashiko-bot
2026-07-13 15:38 ` [PATCH bpf-next v3 05/17] bpf: Track verifier register diagnostic events Kumar Kartikeya Dwivedi
2026-07-13 16:06 ` sashiko-bot
2026-07-13 15:38 ` [PATCH bpf-next v3 06/17] bpf: Track verifier reference " Kumar Kartikeya Dwivedi
2026-07-13 15:38 ` [PATCH bpf-next v3 07/17] bpf: Track verifier context " Kumar Kartikeya Dwivedi
2026-07-13 15:38 ` [PATCH bpf-next v3 08/17] bpf: Report Register Type Safety errors Kumar Kartikeya Dwivedi
2026-07-13 15:38 ` [PATCH bpf-next v3 09/17] bpf: Report Memory Safety bounds errors Kumar Kartikeya Dwivedi
2026-07-13 15:38 ` [PATCH bpf-next v3 10/17] bpf: Report Resource Lifetime reference leaks Kumar Kartikeya Dwivedi
2026-07-13 16:04 ` sashiko-bot
2026-07-13 15:39 ` [PATCH bpf-next v3 11/17] bpf: Report Call Type Safety argument errors Kumar Kartikeya Dwivedi
2026-07-13 15:51 ` sashiko-bot
2026-07-13 15:39 ` [PATCH bpf-next v3 12/17] bpf: Report Execution Context Safety errors Kumar Kartikeya Dwivedi
2026-07-13 15:53 ` sashiko-bot
2026-07-13 15:39 ` [PATCH bpf-next v3 13/17] bpf: Report Program Structure CFG errors Kumar Kartikeya Dwivedi
2026-07-13 15:39 ` [PATCH bpf-next v3 14/17] bpf: Report Policy helper and kfunc errors Kumar Kartikeya Dwivedi
2026-07-13 16:09 ` sashiko-bot [this message]
2026-07-13 15:39 ` [PATCH bpf-next v3 15/17] bpf: Report Verifier Limit errors Kumar Kartikeya Dwivedi
2026-07-13 15:39 ` [PATCH bpf-next v3 16/17] bpf: Report Verifier Internal errors Kumar Kartikeya Dwivedi
2026-07-13 15:39 ` [PATCH bpf-next v3 17/17] bpf: Gate verifier diagnostics on log level Kumar Kartikeya Dwivedi
2026-07-14 3:36 ` kernel test robot
2026-07-14 6:10 ` [syzbot ci] Re: Redesign Verification Errors syzbot ci
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713160948.D3A691F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=memxor@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox