Re: [PATCH bpf v5 1/2] bpf: Fix kfunc implicit arg inject type detection to prevent invalid pointer deref

[Ihor Solodrai]

On 6/8/26 6:00 PM, Eduard Zingerman wrote:
> On Mon, 2026-06-08 at 17:54 -0700, Ihor Solodrai wrote:
>> On 6/8/26 7:26 AM, chenyuan_fl@xxxxxxx wrote:
>>> From: Yuan Chen <chenyuan@xxxxxxxxxx>
>>>
>>> When a module kfunc declares an implicit struct bpf_prog_aux * argument,
>>> the verifier must identify it so the kernel injects env->prog->aux into
>>> the correct register at runtime.  The original check used
>>> is_kfunc_arg_prog_aux() which calls btf_types_are_same() to compare the
>>> module BTF type against vmlinux.
>>>
>>> Root Cause
>>>
>>> This issue was triggered by pahole 1.30 generating module BTF with
>>> incorrect type information, which caused the kernel's distilled base
>>> BTF deduplication for modules to fail.  As a result, the module retained
>>> its own copy of struct bpf_prog_aux with a different BTF ID than
>>> vmlinux's definition.  While pahole 1.31 fixed the BTF generation issue,
>>> the kernel must be robust against such inconsistencies: a BTF mismatch
>>> should result in a clean rejection, not a kernel crash or information
>>> disclosure.
>>>
>>> When the distilled base dedup fails and btf_types_are_same() cannot
>>> match the module's bpf_prog_aux type against vmlinux's,
>>> is_kfunc_arg_prog_aux() returned false and the code fell through
>>> silently without setting arg_prog.  The kfunc then received whatever
>>> value was in the argument register and dereferenced it as a
>>> bpf_prog_aux pointer, leading to:
>>>
>>>   BUG: kernel invalid pointer dereference, address: 00000000000009e2
>>>   RIP: bpf_prog_get_assoc_struct_ops+0xa/0xc0
>>>   RDI: 0x000000000000046d (stale register value)
>>>
>>> In the observed crash the stale value was the process PID, causing a
>>> dereference within the unmapped NULL page.  However, an attacker able
>>> to control the register value -- for example by writing a BPF program
>>> that explicitly sets R2 before calling a KF_IMPLICIT_ARGS kfunc --
>>> could redirect the dereference to arbitrary kernel memory, turning
>>> this into an information disclosure.  The fix ensures the verifier
>>> either validates and injects the correct bpf_prog_aux pointer, or
>>> rejects the program outright -- no silent fallthrough that could
>>> be exploited.
>>>
>>> Crash Stack Trace
>>>
>>>   PID: 1133     TASK: ffff8881057d3900  CPU: 3    COMMAND: "test_progs"
>>>    #0 machine_kexec at ffffffff812f6e26
>>>    #1 __crash_kexec at ffffffff8145a788
>>>    #2 crash_kexec at ffffffff8145ac24
>>>    #3 oops_end at ffffffff812bb67c
>>>    #4 page_fault_oops at ffffffff813053a1
>>>    #5 exc_page_fault at ffffffff828e60a1
>>>    #6 asm_exc_page_fault at ffffffff810012a6
>>>       [exception RIP: bpf_prog_get_assoc_struct_ops+10]
>>>       RIP: ffffffff815c024a  RSP: ffffc90001b57e48  RFLAGS: 00010283
>>>       RAX: ffff8881057d3900  RBX: ffffc90001b57e68  RCX: ffff8881057d3900
>>>       RDX: 0000607d4d1768b8  RSI: 000000000000046d  RDI: 000000000000046d
>>>    #7 bpf_kfunc_multi_st_ops_test_1_assoc at ffffffffc0013a85 [bpf_testmod]
>>>    #8 bpf_trace_run2 at ffffffff814f8332
>>>    #9 __traceiter_sys_enter at ffffffff81415f45
>>>   #10 trace_syscall_enter at ffffffff81416735
>>>   #11 do_syscall_64 at ffffffff828e06a1
>>>
>>> Fix
>>>
>>> Split the combined is_kfunc_arg_ignore() || is_kfunc_arg_implicit()
>>> check in check_kfunc_args() so that an implicit argument reaching
>>> is_kfunc_arg_implicit() without being handled by a prior handler is
>>> rejected with -EFAULT, instead of silently skipped.  Existing implicit
>>>       args in bpf_fixup_kfunc_call() (obj_new, percpu_obj_new, obj_drop,
>>>       percpu_obj_drop, refcount_acquire, list_push, rbtree_add) are
>>>       explicitly allowed.
>>>
>>> Suggested-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
>>> Fixes: 64e1360524b9 ("bpf: Verifier support for KF_IMPLICIT_ARGS")
>>> Signed-off-by: Yuan Chen <chenyuan@xxxxxxxxxx>
>>> ---
>>>  kernel/bpf/verifier.c | 20 +++++++++++++++++++-
>>>  1 file changed, 19 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>>> index 8ed484cb1a8a..91aaed7a5eeb 100644
>>> --- a/kernel/bpf/verifier.c
>>> +++ b/kernel/bpf/verifier.c
>>> @@ -11885,9 +11885,27 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
>>>  			continue;
>>>  		}
>>>  
>>> -		if (is_kfunc_arg_ignore(btf, &args[i]) || is_kfunc_arg_implicit(meta, i))
>>> +		if (is_kfunc_arg_ignore(btf, &args[i]))
>>>  			continue;
>>>  
>>> +		if (is_kfunc_arg_implicit(meta, i)) {
>>> +			/* kfuncs with implicit args (e.g. 'off' parameter)
>>> +			 * handled during verification in bpf_fixup_kfunc_call():
>>> +			 * obj_new, percpu_obj_new, obj_drop, percpu_obj_drop,
>>> +			 * refcount_acquire, list_push, rbtree_add. Don't flag them. */
>>> +			if (is_bpf_obj_new_kfunc(meta->func_id) ||
>>> +			    is_bpf_percpu_obj_new_kfunc(meta->func_id) ||
>>> +			    is_bpf_obj_drop_kfunc(meta->func_id) ||
>>> +			    is_bpf_percpu_obj_drop_kfunc(meta->func_id) ||
>>> +			    is_bpf_refcount_acquire_kfunc(meta->func_id) ||
>>> +			    is_bpf_list_push_kfunc(meta->func_id) ||
>>> +			    is_bpf_rbtree_add_kfunc(meta->func_id))
>>
>> Is the goal here to have a nice error message?
>>
>> I think this will fail for other functions like bpf_wq_set_callback().
>> For a proper check, the list must include every single kfunc with KF_IMPLICIT_ARGS, no?
>>
>> If we go this route, then the list of flagged kfuncs can be collected automatically.
>> I'm not sure we actually want to do this.
> 
> The calls to functions with implicit arguments are patched by
> bpf_fixup_kfunc_call(). As far as I understand, this function:
> - handles functions with implicit bpf_prog_aux generically
> - handles the functions listed above on a case-by-case basis.
> 
> The goal is not to have a nice error message, but to prevent runtime
> from reading garbage from a register.

In check_kfunc_args() we only needed to know whether the arg is implicit,
independent of its type, which is_kfunc_arg_implicit() already does. To skip it.

For vmlinux kernel kfuncs this should be enough, I think.

To properly harden against reading garbage for a *module* kfunc, I think the 
verifier would have to check for the specific BTF type, e.g. "are we patching a 
struct bpf_prog_aux pointer?".

It could be done immediately before patching, but at that point the verification is
complete, right?..

Other than that we'd have to somehow pass through from check_kfunc_args() to
bpf_fixup_kfunc_call() information like "arg 1 of this kfunc can be patched to prog_aux" etc.
We sort of do that already with the meta->arg_prog = true

In a module one can define arbitrary kfuncs and add KF_IMPLICIT_ARGS to them, so
proper hardening needs to be generic.

I think this boils down to whether we want to error-check module kfuncs or not.
Not sure what the verifier strategy is here, but my understanding is that in general
a custom module can easily make kernel read garbage, and it's not a kernel's problem.

> 
>>
>>> +				continue;
>>> +			verbose(env, "%s unrecognized implicit argument, possible BTF mismatch\n",
>>> +				reg_arg_name(env, argno));
>>> +			return -EFAULT;
>>> +		}
>>> +
>>>  		t = btf_type_skip_modifiers(btf, args[i].type, NULL);
>>>  
>>>  		if (btf_type_is_scalar(t)) {