Date: Tue, 30 Jun 2026 18:42:35 +0000
From: Anton Protopopov
To: Nuoqi Gui
Cc: bpf@vger.kernel.org, John Fastabend, Kumar Kartikeya Dwivedi, Martin KaFai Lau, Song Liu, Yonghong Song, Jiri Olsa, Emil Tsalapatis, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Shuah Khan, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 1/2] bpf: Enforce gotox targets against subprog bounds
References: <20260628-f01-03-gotox-bpf-next-v3-0-b744432e1361@mails.tsinghua.edu.cn> <20260628-f01-03-gotox-bpf-next-v3-1-b744432e1361@mails.tsinghua.edu.cn>
In-Reply-To: <20260628-f01-03-gotox-bpf-next-v3-1-b744432e1361@mails.tsinghua.edu.cn>

On 26/06/28 09:59PM, Nuoqi Gui wrote:
> During CFG construction, the verifier records the modeled gotox target set
> in insn_aux_data->jt. Later, check_indirect_jump() follows targets from
> the runtime PTR_TO_INSN register's actual INSN_ARRAY map.
>
> This lets one gotox instruction observe different INSN_ARRAY maps on
> different paths and accept a target outside the calling subprog. The
> observed x86 JIT case can then enter another subprog without a matching
> BPF call frame and crash when executed.
>
> Reject every target copied from the actual PTR_TO_INSN map if it is
> outside the calling subprog.
>
> Fixes: 493d9e0d6083 ("bpf, x86: add support for indirect jumps")
> Signed-off-by: Nuoqi Gui > --- > kernel/bpf/verifier.c | 19 +++++++++++++++++++ > 1 file changed, 19 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index eb46a81a8c51..05a996a5ecdd 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -17145,9 +17145,11 @@ static int indirect_jump_min_max_index(struct bpf_verifier_env *env, > static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *insn) > { > struct bpf_verifier_state *other_branch; > + struct bpf_subprog_info *subprog; > struct bpf_reg_state *dst_reg; > struct bpf_map *map; > u32 min_index, max_index; > + int subprog_start, subprog_end; > int err = 0; > int n; > int i; > @@ -17188,6 +17190,23 @@ static int check_indirect_jump(struct bpf_verifier_env *env, struct bpf_insn *in > return -EINVAL; > } > > + subprog = bpf_find_containing_subprog(env, env->insn_idx); > + if (verifier_bug_if(!subprog, env, > + "gotox insn %d is outside subprog bounds\n", > + env->insn_idx)) Can this actually happen? > + return -EFAULT; > + subprog_start = subprog->start; > + subprog_end = (subprog + 1)->start; > + > + for (i = 0; i < n; i++) { > + u32 target = env->gotox_tmp_buf->items[i]; > + > + if (target < subprog_start || target >= subprog_end) { > + verbose(env, "gotox target %u outside subprog\n", target); In the previous patch there was more info printed (at least, subprog boundaries looked ok, not 100% sure about map id). > + return -EINVAL; > + } > + } > + > for (i = 0; i < n - 1; i++) { > mark_indirect_target(env, env->gotox_tmp_buf->items[i]); > other_branch = push_stack(env, env->gotox_tmp_buf->items[i], > > -- > 2.34.1 >
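Review bot: `int subprog_start, subprog_end;` in the first hunk is the wrong type for these values. They are initialised from `subprog->start`, which is a `u32` in `struct bpf_subprog_info`, and compared against `u32 target` in the new loop, so `target < subprog_start || target >= subprog_end` is a signed/unsigned comparison that trips -Wsign-compare and silently converts the bounds to unsigned. Declare them as `u32 subprog_start, subprog_end;` to match the types on both sides.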
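Review bot: the `verbose()` in the second hunk reports only the offending target, so a user whose program is rejected cannot tell which subprog the verifier considered the gotox to belong to, and `subprog_start`, `subprog_end` and `env->insn_idx` are all in scope at that point. Printing them, e.g. `verbose(env, "gotox insn %d: target %u outside subprog [%u, %u)\n", env->insn_idx, target, subprog_start, subprog_end);`, makes the rejection self-explanatory and addresses the "more info printed" remark above. Also worth a one-line comment: `subprog_end = (subprog + 1)->start;` relies on the sentinel entry the verifier keeps past the last real subprog, whose `start` is the program's instruction count, so the next reader does not have to go and confirm that `subprog + 1` is always valid here.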