Re: [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data

BPF List
 help / color / mirror / Atom feed

From: Jiri Olsa <olsajiri@gmail.com>
To: sashiko-reviews@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data
Date: Mon, 15 Jun 2026 09:58:58 +0200	[thread overview]
Message-ID: <ai-wwq183bfjoxkg@krava> (raw)
In-Reply-To: <20260611115503.AC16D1F00893@smtp.kernel.org>

On Thu, Jun 11, 2026 at 11:55:02AM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> 
> Pre-existing issues:
> - [High] Missing access_ok() check for the usyms array in bpf_kprobe_multi_link_attach() allows arbitrary kernel memory read.
> --
> 
> commit e5440667240e003d50bb838ad4b19e526ef6c703
> Author: Jiri Olsa <jolsa@kernel.org>
> 
> bpf: Guard __get_user acesss with access_ok for uprobe_multi data
> 
> This patch adds access_ok checks for uprobe_multi arrays before calling
> __get_user. It ensures that the user space data bounds are safe.
> 
> Link: https://lore.kernel.org/bpf/20260610145235.CB1441F00893@smtp.kernel.org/
> 
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
> 
> [ ... ]
> 
> > @@ -3261,6 +3262,16 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> >  	uref_ctr_offsets = u64_to_user_ptr(attr->link_create.uprobe_multi.ref_ctr_offsets);
> >  	ucookies = u64_to_user_ptr(attr->link_create.uprobe_multi.cookies);
> >  
> > +	/*
> > +	 * All uoffsets/uref_ctr_offsets/ucookies arrays have the same value
> > +	 * size, we need to check their address range is safe for __get_user
> > +	 * calls.
> > +	 */
> > +	size = sizeof(*uoffsets) * cnt;
> > +	if (!access_ok(uoffsets, size) || !access_ok(uref_ctr_offsets, size) ||
> > +	    !access_ok(ucookies, size))
> > +		return -EFAULT;
> 
> [Severity: High]
> This is a pre-existing issue, but while you are adding these access checks
> for uprobes, does bpf_kprobe_multi_link_attach() have an identical missing
> check for the usyms array?
> 
> Looking at bpf_kprobe_multi_link_attach(), it calls copy_user_syms() with
> the unchecked user pointer usyms:
> 
> kernel/trace/bpf_trace.c:bpf_kprobe_multi_link_attach() {
>     ...
> 		struct user_syms us;
> 
> 		err = copy_user_syms(&us, usyms, cnt);
> 		if (err)
> 			goto error;
>     ...
> }
> 
> And copy_user_syms() iteratively calls __get_user(usymbol, usyms + i)
> without any prior access checks on the array:
> 
> kernel/trace/bpf_trace.c:copy_user_syms() {
>     ...
> 	for (p = buf, i = 0; i < cnt; i++) {
> 		if (__get_user(usymbol, usyms + i)) {
> 			err = -EFAULT;
> 			goto error;
> 		}
>     ...
> }
> 
> Since __get_user() bypasses bounds checking, couldn't an attacker provide
> a kernel address for usyms and read arbitrary kernel memory into usymbol?
> 
> A subsequent strncpy_from_user() call would use usymbol as its source
> pointer, potentially acting as a side-channel oracle to leak kernel
> information or bypass kernel address layout randomization.
> 
> Should copy_user_syms() or bpf_kprobe_multi_link_attach() also include
> an access_ok() check for the usyms array?

I'm not sure it's possible to exploit it, but the contract for __get_user is
clear, so I think we should call access_ok also in here, I'll send the fix

jirka

next prev parent reply	other threads:[~2026-06-15  7:59 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 11:42 [PATCHv3 bpf-next 0/7] bpf: Allow uprobe_multi binary specified by file descriptor Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 1/7] bpf: Guard __get_user acesss with access_ok for uprobe_multi data Jiri Olsa
2026-06-11 11:55   ` sashiko-bot
2026-06-15  7:58     ` Jiri Olsa [this message]
2026-06-11 11:42 ` [PATCHv3 bpf-next 2/7] bpf: Use user_path_at for path resolution in uprobe_multi Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 3/7] bpf: Add support to specify uprobe_multi target via file descriptor Jiri Olsa
2026-06-11 11:42 ` [PATCHv3 bpf-next 4/7] libbpf: Add path_fd to struct bpf_link_create_opts Jiri Olsa
2026-06-11 11:53   ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 5/7] selftests/bpf: Add uprobe_multi path_fd test Jiri Olsa
2026-06-11 11:52   ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 6/7] selftests/bpf: Add uprobe_multi path_fd fail tests Jiri Olsa
2026-06-11 11:54   ` sashiko-bot
2026-06-11 11:42 ` [PATCHv3 bpf-next 7/7] selftests/bpf: Fix typo in verify_umulti_link_info Jiri Olsa
2026-06-15  0:30 ` [PATCHv3 bpf-next 0/7] bpf: Allow uprobe_multi binary specified by file descriptor patchwork-bot+netdevbpf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ai-wwq183bfjoxkg@krava \
    --to=olsajiri@gmail.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox