From: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
To: "Nuoqi Gui" <gnq25@mails.tsinghua.edu.cn>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>
Cc: "Martin KaFai Lau" <martin.lau@linux.dev>,
"John Fastabend" <john.fastabend@gmail.com>,
"Shuah Khan" <shuah@kernel.org>, <bpf@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH bpf 0/2] bpf: Preserve rdonly_cast dynptr slice lifetime
Date: Mon, 15 Jun 2026 11:40:01 +0200 [thread overview]
Message-ID: <DJ9IUWKK7EFS.XXLT3ZAGOPC4@gmail.com> (raw)
In-Reply-To: <20260615-f01-09-rdonly-cast-dynptr-lifetime-v1-0-2dd0a369e153@mails.tsinghua.edu.cn>
On Mon Jun 15, 2026 at 10:57 AM CEST, Nuoqi Gui wrote:
> bpf_rdonly_cast() is an identity operation at runtime, but the verifier
> currently assigns the result fresh return-state metadata. When the source
> pointer comes from bpf_dynptr_slice(), that drops the relationship needed
> to invalidate the alias when the dynptr is released.
>
> Preserve the dynptr-slice lifetime metadata across bpf_rdonly_cast(), and
> add verifier selftests covering cases where a dynptr slice is cast and then
> read after the dynptr is released or after the originating dynptr stack slot is
> overwritten while a clone still holds the reference. Also cover the valid clone
> case where the cast alias is derived from the clone and remains usable after
> the original dynptr is overwritten.
>
> This fixes regressions introduced by 66e3a13e7c2c ("bpf: Add
> bpf_dynptr_slice and bpf_dynptr_slice_rdwr") and a35b9af4ec2c ("bpf: Add a
> kfunc for generic type cast").
>
> Impact is bounded to verifier lifetime tracking for CAP-required BPF
> programs. The evidence confirms stale read acceptance after dynptr release,
> including a typed field-read shape, but does not demonstrate unprivileged
> reachability, cross-context disclosure, controlled reuse, arbitrary kernel
> read, write-capable aliasing, privilege escalation, crash, or KASAN/UAF
> signal. No CVE, embargo, or security escalation is claimed.
>
> Validation:
> - The new dynptr_fail.c subtests exercise the verifier's dynptr-slice
> lifetime invariant across bpf_rdonly_cast(): a cast alias of a
> bpf_dynptr_slice() result must be invalidated when the dynptr is released or
> its stack slot overwritten, while a cast alias derived from a surviving clone
> must stay usable.
Won't fix. The semantics of bpf_rdonly_cast() do not require soruce provenance
tracking, and thus don't need any invalidation. It can take any unknown value
and produces safe to read pointer. Please try to reason about whether it's a
real issue before posting AI's output directly.
pw-bot: cr
> - Unpatched bpf at 76f62d237538: test_progs -t dynptr FAILs as expected,
> because the four __failure subtests
> (dynptr_rdonly_cast_{,typed_}slice_after_{release,overwrite}) are wrongly
> accepted - the stale read survives dynptr release.
> - Patched with this series: test_progs -t dynptr PASSes, because those four
> casts are now rejected with "invalid mem access 'scalar'" and the two
> __success clone subtests remain accepted (all six dynptr_rdonly_cast_*
> subtests OK, rc 0).
>
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
> Nuoqi Gui (2):
> bpf: Preserve dynptr slice lifetime across rdonly_cast
> selftests/bpf: Cover rdonly_cast dynptr slice lifetime
>
> include/linux/bpf_verifier.h | 5 +
> kernel/bpf/verifier.c | 36 ++++--
> tools/testing/selftests/bpf/progs/dynptr_fail.c | 160 ++++++++++++++++++++++++
> 3 files changed, 193 insertions(+), 8 deletions(-)
> ---
> base-commit: 76f62d237538b456354a44e796a541cde03c6e28
> change-id: 20260615-f01-09-rdonly-cast-dynptr-lifetime-de114e5a1838
>
> Best regards,
> --
> Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
next prev parent reply other threads:[~2026-06-15 9:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-15 8:57 [PATCH bpf 0/2] bpf: Preserve rdonly_cast dynptr slice lifetime Nuoqi Gui
2026-06-15 8:57 ` [PATCH bpf 1/2] bpf: Preserve dynptr slice lifetime across rdonly_cast Nuoqi Gui
2026-06-15 11:24 ` sashiko-bot
2026-06-15 8:57 ` [PATCH bpf 2/2] selftests/bpf: Cover rdonly_cast dynptr slice lifetime Nuoqi Gui
2026-06-15 9:08 ` sashiko-bot
2026-06-15 9:40 ` Kumar Kartikeya Dwivedi [this message]
2026-06-15 17:24 ` [PATCH bpf 0/2] bpf: Preserve " Eduard Zingerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJ9IUWKK7EFS.XXLT3ZAGOPC4@gmail.com \
--to=memxor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=gnq25@mails.tsinghua.edu.cn \
--cc=john.fastabend@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox