[PATCH] bpf: verifier: restrict insn_array_maps to jump tables

Next message: Wenzhao Liao: "[RFC PATCH v3 0/6] Rust goldfish_address_space driver (ioctl-only subset)"
Previous message: Borislav Petkov: "Re: [PATCH] x86/msr: Fix coding style issues is msr.c"
Next in thread: Alexei Starovoitov: "Re: [PATCH] bpf: verifier: restrict insn_array_maps to jump tables"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Adith-Joshua

Date: Mon Apr 06 2026 - 12:56:32 EST

jt_from_subprog() currently iterates over all insn_array_maps
and treats them as jump tables. However, this may include maps
that are not actual jump tables, such as static keys or maps
used for indirect calls.

Restrict processing to BPF_MAP_TYPE_INSN_ARRAY maps with
multiple entries, which correspond to jump tables.

This improves correctness by avoiding unrelated maps during
jump table collection while keeping the logic simple.

Signed-off-by: Adith-Joshua <adithalex29@xxxxxxxxx>
---
kernel/bpf/verifier.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e3814152b52f..e2583dfd7bf2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18693,12 +18693,16 @@ static struct bpf_iarray *jt_from_subprog(struct bpf_verifier_env *env,
int i;

for (i = 0; i < env->insn_array_map_cnt; i++) {
- /*
- * TODO (when needed): collect only jump tables, not static keys
- * or maps for indirect calls
- */
map = env->insn_array_maps[i];

+ /* Only consider instruction array maps with multiple entries.
+ * These correspond to jump tables. Skip others (e.g. static keys,
+ * indirect call maps).
+ */
+ if (map->map_type != BPF_MAP_TYPE_INSN_ARRAY ||
+ map->max_entries <= 1)
+ continue;
+
jt_cur = jt_from_map(map);
if (IS_ERR(jt_cur)) {
kvfree(jt);
--
2.53.0