* [PATCH bpf-next v2 0/2] bpf: Mask pseudo pointer values in verifier logs
From: Nuoqi Gui @ 2026-06-23 10:43 UTC
To: Quentin Monnet, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi,
Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa,
Emil Tsalapatis, Hao Luo, Shuah Khan
Cc: Andrii Nakryiko, bpf, linux-kernel, linux-kselftest, Nuoqi Gui
Verifier log printing already hides ldimm64 immediates for map FD and
map value pseudo sources when pointer leaks are not allowed. The same
print path also sees rewritten immediates for BPF_PSEUDO_MAP_IDX,
BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID, but those sources were
not included in the pointer classification.
Extend the existing masking so all pointer-producing ldimm64 pseudo
sources print as 0x0 when allow_ptr_leaks is false.
Patch 1 extends the disassembler-side masking.
Patch 2 adds verifier selftest coverage for pseudo-BTF ksym logs.
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Changes in v2:
- Replace the CAP_BPF gate with verifier-log masking in print_bpf_insn().
- Also mask BPF_PSEUDO_MAP_IDX and BPF_PSEUDO_MAP_IDX_VALUE immediates.
- Update selftests to check masked pseudo-BTF ksym logs.
- Link to v1: https://patch.msgid.link/20260620-f01-13-pseudo-btf-id-cap-bpf-v1-0-f950f69fe60c@mails.tsinghua.edu.cn
To: Quentin Monnet <qmo@kernel.org>
To: Alexei Starovoitov <ast@kernel.org>
To: Daniel Borkmann <daniel@iogearbox.net>
To: Andrii Nakryiko <andrii@kernel.org>
To: Eduard Zingerman <eddyz87@gmail.com>
To: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: Martin KaFai Lau <martin.lau@linux.dev>
To: Song Liu <song@kernel.org>
To: Yonghong Song <yonghong.song@linux.dev>
To: Jiri Olsa <jolsa@kernel.org>
To: Emil Tsalapatis <emil@etsalapatis.com>
To: Hao Luo <haoluo@google.com>
To: Shuah Khan <shuah@kernel.org>
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: bpf@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
---
Nuoqi Gui (2):
bpf: Mask pseudo pointer values in verifier logs
selftests/bpf: Cover pseudo-BTF ksym log masking
kernel/bpf/disasm.c | 5 ++++-
tools/testing/selftests/bpf/progs/verifier_unpriv.c | 19 +++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
---
base-commit: a3847994b4d20c0701ccc54fe110920ea78e73dc
change-id: 20260619-f01-13-pseudo-btf-id-cap-bpf-585f98eac268
Best regards,
--
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
* [PATCH bpf-next v2 1/2] bpf: Mask pseudo pointer values in verifier logs
From: Nuoqi Gui @ 2026-06-23 10:43 UTC
To: Quentin Monnet, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi,
Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa,
Emil Tsalapatis, Hao Luo, Shuah Khan
Cc: Andrii Nakryiko, bpf, linux-kernel, linux-kselftest, Nuoqi Gui
print_bpf_insn() masks ldimm64 immediates for pointer-bearing pseudo
sources when pointer leaks are not allowed, but the mask only covers
BPF_PSEUDO_MAP_FD and BPF_PSEUDO_MAP_VALUE.
BPF_PSEUDO_MAP_IDX, BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID can
also be resolved to kernel pointer values before the verifier log prints
the instruction. Include them in the existing pointer classification so
the log prints 0x0 instead of the rewritten address.
Fixes: 4976b718c355 ("bpf: Introduce pseudo_btf_id")
Fixes: 387544bfa291 ("bpf: Introduce fd_idx")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
kernel/bpf/disasm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/disasm.c b/kernel/bpf/disasm.c
index f8a3c7eb451e..0391b3bc0073 100644
--- a/kernel/bpf/disasm.c
+++ b/kernel/bpf/disasm.c
@@ -323,7 +323,10 @@ void print_bpf_insn(const struct bpf_insn_cbs *cbs,
*/
u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
bool is_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD ||
- insn->src_reg == BPF_PSEUDO_MAP_VALUE;
+ insn->src_reg == BPF_PSEUDO_MAP_VALUE ||
+ insn->src_reg == BPF_PSEUDO_MAP_IDX ||
+ insn->src_reg == BPF_PSEUDO_MAP_IDX_VALUE ||
+ insn->src_reg == BPF_PSEUDO_BTF_ID;
char tmp[64];
if (is_ptr && !allow_ptr_leaks)
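Review bot: The is_ptr condition is now a five-way open-coded comparison on insn->src_reg, and nothing ties it to the set of ldimm64 pseudo sources, so the next BPF_PSEUDO_* value that is rewritten to an address can be missed the same way these three were. Consider a switch on insn->src_reg or a small helper, with a comment stating the rule: any source whose immediate is resolved to a kernel address before the log is printed. BPF_PSEUDO_FUNC is not in the list; a short comment saying why its immediate is safe to print when allow_ptr_leaks is false would make that exclusion deliberate rather than implicit.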
--
2.34.1
* [PATCH bpf-next v2 2/2] selftests/bpf: Cover pseudo-BTF ksym log masking
From: Nuoqi Gui @ 2026-06-23 10:43 UTC
To: Quentin Monnet, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi,
Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa,
Emil Tsalapatis, Hao Luo, Shuah Khan
Cc: Andrii Nakryiko, bpf, linux-kernel, linux-kselftest, Nuoqi Gui
Add verifier_unpriv coverage for a raw socket-filter load of the
bpf_prog_active typed ksym. The test verifies that the unprivileged load
remains accepted and that the verbose verifier log prints the ldimm64
immediate as 0x0 instead of exposing a nonzero kernel address.
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
tools/testing/selftests/bpf/progs/verifier_unpriv.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
index c16f8382cf17..16de1595f015 100644
--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
@@ -6,6 +6,8 @@
#include "../../../include/linux/filter.h"
#include "bpf_misc.h"
+extern const int bpf_prog_active __ksym;
+
#define BPF_SK_LOOKUP(func) \
/* struct bpf_sock_tuple tuple = {} */ \
"r2 = 0;" \
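Review bot: The file-scope declaration "extern const int bpf_prog_active __ksym;" is added near line 6 while its only user in this patch is the test added near line 79, and nothing at the declaration says what it is for. A one-line comment naming the pseudo-BTF log masking test, or moving the declaration directly above that test, would keep a later reader from treating it as unused.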
@@ -77,6 +79,23 @@ __naked void dummy_prog_loop1_socket(void)
: __clobber_all);
}
+SEC("socket")
+__description("unpriv: pseudo btf id log masks address")
+__success_unpriv
+__msg_unpriv("0: (18) r1 = 0x0")
+__not_msg_unpriv("0: (18) r1 = 0x{{[1-9a-f][0-9a-f]*}}")
+__retval_unpriv(0)
+__log_level(2)
+__naked void pseudo_btf_id_log_masks_address(void)
+{
+ asm volatile ("r1 = %[bpf_prog_active] ll;"
+ "r0 = 0;"
+ "exit;"
+ :
+ : __imm_addr(bpf_prog_active)
+ : __clobber_all);
+}
+
SEC("socket")
__description("unpriv: return pointer")
__success __failure_unpriv __msg_unpriv("R0 leaks addr")
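Review bot: The new test pseudo_btf_id_log_masks_address exercises only the BPF_PSEUDO_BTF_ID path through a typed ksym, while patch 1 also adds BPF_PSEUDO_MAP_IDX and BPF_PSEUDO_MAP_IDX_VALUE to the mask, and neither has a log check here. Please add matching cases for the two map index sources, or say in the commit message why they cannot be covered from this file. The pairing of __msg_unpriv("0: (18) r1 = 0x0") with the __not_msg_unpriv pattern for a nonzero leading hex digit is a good way to pin the masked value and is worth reusing for those cases.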
--
2.34.1
* Re: [PATCH bpf-next v2 0/2] bpf: Mask pseudo pointer values in verifier logs
From: Eduard Zingerman @ 2026-06-25 20:38 UTC
To: Nuoqi Gui, Quentin Monnet, Alexei Starovoitov, Daniel Borkmann,
Andrii Nakryiko, Kumar Kartikeya Dwivedi, Martin KaFai Lau,
Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis, Hao Luo,
Shuah Khan
Cc: Andrii Nakryiko, bpf, linux-kernel, linux-kselftest
On Tue, 2026-06-23 at 18:43 +0800, Nuoqi Gui wrote:
> Verifier log printing already hides ldimm64 immediates for map FD and
> map value pseudo sources when pointer leaks are not allowed. The same
> print path also sees rewritten immediates for BPF_PSEUDO_MAP_IDX,
> BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID, but those sources were
> not included in the pointer classification.
>
> Extend the existing masking so all pointer-producing ldimm64 pseudo
> sources print as 0x0 when allow_ptr_leaks is false.
>
> Patch 1 extends the disassembler-side masking.
> Patch 2 adds verifier selftest coverage for pseudo-BTF ksym logs.
>
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
[...]
* Re: [PATCH bpf-next v2 0/2] bpf: Mask pseudo pointer values in verifier logs
From: patchwork-bot+netdevbpf @ 2026-06-26 12:27 UTC
To: Nuoqi Gui
Cc: qmo, ast, daniel, andrii, eddyz87, memxor, martin.lau, song,
yonghong.song, jolsa, emil, haoluo, shuah, andriin, bpf,
linux-kernel, linux-kselftest
Hello:
This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Tue, 23 Jun 2026 18:43:37 +0800 you wrote:
> Verifier log printing already hides ldimm64 immediates for map FD and
> map value pseudo sources when pointer leaks are not allowed. The same
> print path also sees rewritten immediates for BPF_PSEUDO_MAP_IDX,
> BPF_PSEUDO_MAP_IDX_VALUE, and BPF_PSEUDO_BTF_ID, but those sources were
> not included in the pointer classification.
>
> Extend the existing masking so all pointer-producing ldimm64 pseudo
> sources print as 0x0 when allow_ptr_leaks is false.
>
> [...]
Here is the summary with links:
- [bpf-next,v2,1/2] bpf: Mask pseudo pointer values in verifier logs
https://git.kernel.org/bpf/bpf/c/72a85e9464a5
- [bpf-next,v2,2/2] selftests/bpf: Cover pseudo-BTF ksym log masking
https://git.kernel.org/bpf/bpf/c/8a870967ca61
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html