Re: NULL pointer deref when running BPF monitor program (6.11.0-rc1)

From: Steven Rostedt
Date: Thu Oct 10 2024 - 09:50:26 EST


On Thu, 10 Oct 2024 11:00:30 +0200
Jiri Olsa <olsajiri@xxxxxxxxx> wrote:

> > Unfortunately it's not that simple, the args could be moved around to
> > other registers. And objtool doesn't have an emulator.
> >
> > Also it's not clear how that would deal with >6 args, or IS_ERR() as
> > Jirka pointed out upthread.

For the >6 args, I would say that the verifier just says any arg greater
than 6 can be NULL. There aren't many trace events that have that (if any).

>
> another complication might be that the code in tracepoint's fast assign
> can potentially call a global function (?), that could do the argument NULL
> check and we won't have its code at objtool invocation time

I'm starting to think that the best thing to do is to have the verifier add
exception code in the bpf program that just kills the task if it faults on
reading a tracepoint parameter.

This all started because it was assumed (incorrectly, and I was never
asked) that trace point args can't be NULL. It was always the case that
they could be. This was not a regression.

Now that there are existing BPF programs that assume that tracepoint
arguments are not NULL, that is a bug in user space. Not the kernel.

-- Steve