From: Jiri Olsa <olsajiri@gmail.com>
To: sashiko-reviews@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCHv2 bpf-next 1/6] bpf: Use user_path_at for path resolution in uprobe_multi
Date: Thu, 11 Jun 2026 11:37:37 +0200 [thread overview]
Message-ID: <aiqB4eSTxR4Aw9YJ@krava> (raw)
In-Reply-To: <20260610145235.CB1441F00893@smtp.kernel.org>
On Wed, Jun 10, 2026 at 02:52:35PM +0000, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
>
> Pre-existing issues:
> - [Critical] Missing `access_ok()` checks before calling `__get_user()` on user-controlled arrays, leading to arbitrary kernel memory read.
> --
>
> commit e18574361f20d4f27005e4d927610e3ce16986dd
> Author: Jiri Olsa <jolsa@kernel.org>
>
> bpf: Use user_path_at for path resolution in uprobe_multi
>
> Resolve the uprobe_multi user path with user_path_at() instead of copying
> the string with strndup_user() and passing it to kern_path(). This removes
> the temporary allocation and keeps the lookup logic in one helper.
>
> > diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> > index 90432f0fc2a8e..970ce7bbf99e1 100644
> > --- a/kernel/trace/bpf_trace.c
> > +++ b/kernel/trace/bpf_trace.c
>
> [ ... ]
>
> > @@ -3261,14 +3260,7 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
> > uref_ctr_offsets = u64_to_user_ptr(attr->link_create.uprobe_multi.ref_ctr_offsets);
> > ucookies = u64_to_user_ptr(attr->link_create.uprobe_multi.cookies);
> >
> > - name = strndup_user(upath, PATH_MAX);
> > - if (IS_ERR(name)) {
> > - err = PTR_ERR(name);
> > - return err;
> > - }
> > -
> > - err = kern_path(name, LOOKUP_FOLLOW, &path);
> > - kfree(name);
> > + err = user_path_at(AT_FDCWD, upath, LOOKUP_FOLLOW, &path);
> > if (err)
> > return err;
> >
>
> [Severity: Critical]
> This isn't a bug introduced by this patch, but while looking at
> bpf_uprobe_multi_link_attach(), I noticed the user-provided arrays
> uoffsets, uref_ctr_offsets, and ucookies are accessed shortly after this
> path resolution:
>
> kernel/trace/bpf_trace.c:bpf_uprobe_multi_link_attach() {
> ...
> if (__get_user(uprobes[i].offset, uoffsets + i)) {
> ...
> if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {
> ...
> if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
> ...
> }
>
> Are these arrays validated with access_ok() before __get_user() is called?
>
> Because __get_user() bypasses the access_ok() address-space bounds check
> on most architectures, could an attacker supply kernel addresses for these
> arrays, causing the kernel to read arbitrary memory and store it into the
> uprobes structures?
>
> If an attacker retrieves these contents by querying the link info via
> bpf_obj_get_info_by_fd() (which calls bpf_uprobe_multi_link_fill_link_info()
> and copies the memory back to user space), could this act as an arbitrary
> kernel memory read primitive to bypass kernel lockdown and KASLR?
ugh right.. will include fix for this in next version
jirka
next prev parent reply other threads:[~2026-06-11 9:37 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 14:36 [PATCHv2 bpf-next 0/6] bpf: Allow uprobe_multi binary specified by file descriptor Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 1/6] bpf: Use user_path_at for path resolution in uprobe_multi Jiri Olsa
2026-06-10 14:52 ` sashiko-bot
2026-06-11 9:37 ` Jiri Olsa [this message]
2026-06-10 14:36 ` [PATCHv2 bpf-next 2/6] bpf: Add support to specify uprobe_multi target via file descriptor Jiri Olsa
2026-06-10 15:51 ` bot+bpf-ci
2026-06-11 9:37 ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 3/6] libbpf: Add path_fd to struct bpf_link_create_opts Jiri Olsa
2026-06-10 14:50 ` sashiko-bot
2026-06-11 9:37 ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 4/6] selftests/bpf: Add uprobe_multi path_fd test Jiri Olsa
2026-06-10 14:50 ` sashiko-bot
2026-06-11 9:37 ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 5/6] selftests/bpf: Add uprobe_multi path_fd fail tests Jiri Olsa
2026-06-10 14:48 ` sashiko-bot
2026-06-11 9:37 ` Jiri Olsa
2026-06-10 14:36 ` [PATCHv2 bpf-next 6/6] selftests/bpf: Fix typo in verify_umulti_link_info Jiri Olsa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiqB4eSTxR4Aw9YJ@krava \
--to=olsajiri@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox