mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2026-06-03 03:23:11 -04:00
d25e65a8b89725e9745bfc3acd738cdec3818a07
Yazhou Tang says:

====================
bpf: Fix call offset truncation and OOB read in bpf_patch_call_args()

From: Yazhou Tang <tangyazhou518@outlook.com>

This patchset addresses a silent truncation bug in the BPF verifier that occurs when a bpf-to-bpf call involves a massive relative jump offset. Additionally, it fixes a pre-existing out-of-bounds (OOB) read issue in the interpreter fallback path.

Because the BPF instruction set utilizes a 32-bit imm field for bpf-to-bpf calls, implicitly downcasting it to the 16-bit insn->off in bpf_patch_call_args() causes incorrect call targets or subprog ID resolution for large BPF programs. While fixing this by swapping the imm and off fields, it was discovered that the original code also had a load-time OOB read vulnerability when the stack depth exceeds MAX_BPF_STACK during JIT fallback.

Patch 1/3 fixes the pre-existing OOB read in bpf_patch_call_args(). It changes the function to return an int and explicitly rejects the JIT fallback if the stack depth exceeds MAX_BPF_STACK, preventing a potential stack buffer overflow.

Patch 2/3 fixes the s16 truncation bug.
1. Keep the original imm field unchanged and use the off field to store the interpreter function index.
2. Adjust the JMP_CALL_ARGS case in ___bpf_prog_run() accordingly.
3. Restore the legacy xlated dump layout in bpf_insn_prepare_dump().

Patch 3/3 introduces a selftest for this fix.

---
Change log:

v10:
1. Make the error log in patch 1/3 more clear. (Kuohai)
2. Drop bpftool and disasm_helpers.c changes, and instead restore the legacy xlated dump layout in bpf_insn_prepare_dump(). This avoids requiring bpftool compatibility handling. (Quentin and Alexei)

v9: https://lore.kernel.org/bpf/20260429171904.107244-1-tangyazhou@zju.edu.cn/
1. Modify the selftest in patch 3/3: use __clobber_all in inline asm. (Sashiko AI reviewer)

v8: https://lore.kernel.org/bpf/20260429105608.92741-1-tangyazhou@zju.edu.cn/
1. Update cfg_partition_funcs() in bpftool to use insn->imm for call target calculation. (Sashiko AI reviewer)
2. Modify the selftest in patch 3/3: add a large padding before the call instruction, preventing the kernel panic on kernels without the fix. (Sashiko AI reviewer)
3. Modify the selftest in patch 3/3: make it more clear.

v7: https://lore.kernel.org/bpf/20260421144504.823756-1-tangyazhou@zju.edu.cn/
1. Rebase the patchset to the bpf-next tree to resolve the apply conflict. (Alexei)
2. Add Patch 1/3 to properly fix a pre-existing OOB read in bpf_patch_call_args(). (Sashiko AI reviewer)

v6: https://lore.kernel.org/bpf/20260412170334.716778-1-tangyazhou@zju.edu.cn/
1. Use a different but clearer approach to resolve this issue: keeping the original imm field unchanged and using the off field to store the interpreter function index. (Kuohai)
2. Update the related dumper code and remove a previous workaround in the selftests disasm helpers, which is no longer needed after this fix.

v5: https://lore.kernel.org/bpf/20260326090133.221957-1-tangyazhou@zju.edu.cn/
1. Some minor changes in commit messages. (AI Reviewer)

v4: https://lore.kernel.org/bpf/20260326063329.10031-1-tangyazhou@zju.edu.cn/
1. Remove some redundant commit messages of patch 2/3. (Emil)
2. Change the number of instructions in padding_subprog() from 200,000 to 32,765, which is the minimum number of instructions required to trigger the verifier failure. (Emil)

v3: https://lore.kernel.org/bpf/20260323122254.98540-1-tangyazhou@zju.edu.cn/
1. Resend to fix a typo in v2 and add "Fixes" tag. The rest of the changes are identical to v2.

v2 (incorrect): https://lore.kernel.org/bpf/20260323081748.106603-1-tangyazhou@zju.edu.cn/
1. Move the s16 boundary check from fixup_call_args() to bpf_patch_call_args(), and change the return type of bpf_patch_call_args() to int. (Emil)
2. Add Patch 3/3 to fix the incorrect subprog ID in dumped bpf_pseudo_call instructions, which is caused by the same truncation issue. (Puranjay)
3. Refine the new selftest for clarity and add detailed comments explaining the test design. (Emil)

v1: https://lore.kernel.org/bpf/20260316190220.113417-1-tangyazhou@zju.edu.cn/
====================

Link: https://patch.msgid.link/20260506094714.419842-1-tangyazhou@zju.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
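The two defects the merge message above describes, modelled in a stand-alone C program. This is an added illustration, not kernel code and not the patch: the struct layout follows the public uapi bpf_insn encoding (8-bit code, 4+4-bit registers, 16-bit off, 32-bit imm), MODEL_MAX_BPF_STACK is set to the kernel's 512, the interpreter-fallback table is modelled as one entry per 32-byte stack bucket, and all function names are ours. It shows the point at which an s32 relative call offset becomes a different s16 value, the explicit fits-in-s16 check a verifier pass can apply before narrowing, and how a stack depth above the limit indexes past the end of a fixed-size table unless it is rejected first.

```c
/* Added model of the bpf_patch_call_args() issues; not kernel code.
 * Layout mirrors uapi struct bpf_insn; constants/names are ours. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct model_insn {
	uint8_t  code;
	uint8_t  dst_reg:4;
	uint8_t  src_reg:4;
	int16_t  off;		/* 16-bit: cannot hold every imm value */
	int32_t  imm;		/* 32-bit relative target for bpf-to-bpf calls */
};

#define MODEL_MAX_BPF_STACK 512		/* assumption: kernel's MAX_BPF_STACK */

/* Original behaviour: the relative target is copied from imm into off,
 * silently narrowing s32 to s16. Returns the resolved absolute index. */
static int32_t call_target_narrowed(int32_t insn_idx, int32_t imm)
{
	struct model_insn insn = { .code = 0x85, .imm = imm };

	insn.off = (int16_t)imm;		/* the lossy step */
	return insn_idx + insn.off + 1;	/* pseudo-call: target = idx + imm + 1 */
}

/* Fixed behaviour: the target is computed from the full 32-bit imm. */
static int32_t call_target_exact(int32_t insn_idx, int32_t imm)
{
	return insn_idx + imm + 1;
}

/* Explicit range check to apply before any s32 -> s16 narrowing. */
static bool fits_s16(int32_t v)
{
	return v == (int16_t)v;
}

/* Interpreter-fallback model: a table with one entry per 32-byte stack
 * bucket. Without the bound check, a depth above MODEL_MAX_BPF_STACK yields
 * an index past the end of the table (the OOB read). Returns the bucket
 * index, or -1 when the program must be rejected. */
static int fallback_index(uint32_t stack_depth)
{
	uint32_t idx;

	if (stack_depth > MODEL_MAX_BPF_STACK)
		return -1;			/* reject instead of reading OOB */
	if (stack_depth == 0)
		stack_depth = 1;		/* depth 0 still needs one bucket */
	idx = (stack_depth + 31) / 32;		/* round_up(depth, 32) / 32 */
	return (int)idx - 1;			/* 0 .. 15 for a 512-byte limit */
}

int main(void)
{
	int32_t big = 32768;	/* one past S16_MAX: narrowing flips the sign */

	printf("imm=%d fits s16: %s\n", big, fits_s16(big) ? "yes" : "no");
	printf("target narrowed=%d exact=%d\n",
	       call_target_narrowed(0, big), call_target_exact(0, big));
	printf("depth 512 -> index %d, depth 544 -> index %d\n",
	       fallback_index(512), fallback_index(544));
	return 0;
}
```

The sign flip is the interesting failure: an imm of 32768 narrows to -32768, so the resolved target lands tens of thousands of instructions before the call rather than after it, which is why the selftest in the series needs a subprog large enough to push the offset past S16_MAX before the fault is visible.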
Merge tag 'hwmon-for-v7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Merge tag 'asoc-fix-v7.1-rc2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
Linux kernel
============

The Linux kernel is the core of any Linux operating system. It manages hardware and system resources and provides the fundamental services for all other software.

Quick Start
-----------

* Report a bug: See Documentation/admin-guide/reporting-issues.rst
* Get the latest kernel: https://kernel.org
* Build the kernel: See Documentation/admin-guide/quickly-build-trimmed-linux.rst
* Join the community: https://lore.kernel.org/

Essential Documentation
-----------------------

All users should be familiar with:

* Building requirements: Documentation/process/changes.rst
* Code of Conduct: Documentation/process/code-of-conduct.rst
* License: See COPYING

Documentation can be built with make htmldocs or viewed online at: https://www.kernel.org/doc/html/latest/

Who Are You?
============

Find your role below:

* New Kernel Developer - Getting started with kernel development
* Academic Researcher - Studying kernel internals and architecture
* Security Expert - Hardening and vulnerability analysis
* Backport/Maintenance Engineer - Maintaining stable kernels
* System Administrator - Configuring and troubleshooting
* Maintainer - Leading subsystems and reviewing patches
* Hardware Vendor - Writing drivers for new hardware
* Distribution Maintainer - Packaging kernels for distros
* AI Coding Assistant - LLMs and AI-powered development tools

For Specific Users
==================

New Kernel Developer
--------------------

Welcome! Start your kernel development journey here:

* Getting Started: Documentation/process/development-process.rst
* Your First Patch: Documentation/process/submitting-patches.rst
* Coding Style: Documentation/process/coding-style.rst
* Build System: Documentation/kbuild/index.rst
* Development Tools: Documentation/dev-tools/index.rst
* Kernel Hacking Guide: Documentation/kernel-hacking/hacking.rst
* Core APIs: Documentation/core-api/index.rst

Academic Researcher
-------------------

Explore the kernel's architecture and internals:

* Researcher Guidelines: Documentation/process/researcher-guidelines.rst
* Memory Management: Documentation/mm/index.rst
* Scheduler: Documentation/scheduler/index.rst
* Networking Stack: Documentation/networking/index.rst
* Filesystems: Documentation/filesystems/index.rst
* RCU (Read-Copy Update): Documentation/RCU/index.rst
* Locking Primitives: Documentation/locking/index.rst
* Power Management: Documentation/power/index.rst

Security Expert
---------------

Security documentation and hardening guides:

* Security Documentation: Documentation/security/index.rst
* LSM Development: Documentation/security/lsm-development.rst
* Self Protection: Documentation/security/self-protection.rst
* Reporting Vulnerabilities: Documentation/process/security-bugs.rst
* CVE Procedures: Documentation/process/cve.rst
* Embargoed Hardware Issues: Documentation/process/embargoed-hardware-issues.rst
* Security Features: Documentation/userspace-api/seccomp_filter.rst

Backport/Maintenance Engineer
-----------------------------

Maintain and stabilize kernel versions:

* Stable Kernel Rules: Documentation/process/stable-kernel-rules.rst
* Backporting Guide: Documentation/process/backporting.rst
* Applying Patches: Documentation/process/applying-patches.rst
* Subsystem Profile: Documentation/maintainer/maintainer-entry-profile.rst
* Git for Maintainers: Documentation/maintainer/configure-git.rst

System Administrator
--------------------

Configure, tune, and troubleshoot Linux systems:

* Admin Guide: Documentation/admin-guide/index.rst
* Kernel Parameters: Documentation/admin-guide/kernel-parameters.rst
* Sysctl Tuning: Documentation/admin-guide/sysctl/index.rst
* Tracing/Debugging: Documentation/trace/index.rst
* Performance Security: Documentation/admin-guide/perf-security.rst
* Hardware Monitoring: Documentation/hwmon/index.rst

Maintainer
----------

Lead kernel subsystems and manage contributions:

* Maintainer Handbook: Documentation/maintainer/index.rst
* Pull Requests: Documentation/maintainer/pull-requests.rst
* Managing Patches: Documentation/maintainer/modifying-patches.rst
* Rebasing and Merging: Documentation/maintainer/rebasing-and-merging.rst
* Development Process: Documentation/process/maintainer-handbooks.rst
* Maintainer Entry Profile: Documentation/maintainer/maintainer-entry-profile.rst
* Git Configuration: Documentation/maintainer/configure-git.rst

Hardware Vendor
---------------

Write drivers and support new hardware:

* Driver API Guide: Documentation/driver-api/index.rst
* Driver Model: Documentation/driver-api/driver-model/driver.rst
* Device Drivers: Documentation/driver-api/infrastructure.rst
* Bus Types: Documentation/driver-api/driver-model/bus.rst
* Device Tree Bindings: Documentation/devicetree/bindings/
* Power Management: Documentation/driver-api/pm/index.rst
* DMA API: Documentation/core-api/dma-api.rst

Distribution Maintainer
-----------------------

Package and distribute the kernel:

* Stable Kernel Rules: Documentation/process/stable-kernel-rules.rst
* ABI Documentation: Documentation/ABI/README
* Kernel Configuration: Documentation/kbuild/kconfig.rst
* Module Signing: Documentation/admin-guide/module-signing.rst
* Kernel Parameters: Documentation/admin-guide/kernel-parameters.rst
* Tainted Kernels: Documentation/admin-guide/tainted-kernels.rst

AI Coding Assistant
-------------------

CRITICAL: If you are an LLM or AI-powered coding assistant, you MUST read and follow the AI coding assistants documentation before contributing to the Linux kernel:

* Documentation/process/coding-assistants.rst

This documentation contains essential requirements about licensing, attribution, and the Developer Certificate of Origin that all AI tools must comply with.

Communication and Support
=========================

* Mailing Lists: https://lore.kernel.org/
* IRC: #kernelnewbies on irc.oftc.net
* Bugzilla: https://bugzilla.kernel.org/
* MAINTAINERS file: Lists subsystem maintainers and mailing lists
* Email Clients: Documentation/process/email-clients.rst
Languages: C 97%, Assembly 1%, Shell 0.6%, Rust 0.5%, Python 0.4%, Other 0.3%