Re: [PATCH v3 bpf-next 1/2] bpf: Fix Null-Pointer Dereference in kernel_clone() via BPF fmod_ret on security_task_alloc

Next message: Huang, Ying: "Re: [RFC PATCH 2/2] mm/migrate: wait for folio refcount during longterm pin migration"
Previous message: mawupeng: "Re: [PATCH] ACPI: APEI: check return value of task_work_add to prevent memory leaks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Feng Yang

Date: Tue Apr 21 2026 - 05:22:43 EST

[...]

Issue Regarding BPF_PROG_TYPE_EXT Programs Bypassing Validation Logic:

__attribute__ ((noinline)) int B()
{
return 0; /* Valid return value */
}

SEC("fmod_ret/security_task_alloc")
int A()
{
return B();
}

SEC("freplace/B")
int replace()
{
return 1; /* Invalid return value */
}

This method can verify whether the return value of freplace is legitimate
by using env->prog->aux->dst_prog->aux->attach_btf_id.

However, this approach will reject legitimate programs if the return value of
the original program does not come from the replaced function (as shown below).

__attribute__ ((noinline)) int B()
{
return 0;
}

SEC("fmod_ret/security_task_alloc")
int A()
{
B();
return 0;
}

SEC("freplace/B")
int replace()
{
return 1;
}

I have not found a proper solution to this issue.

target.bpf.c:
__attribute__ ((noinline)) int B()
{
bpf_printk("--\n");
return -2;
}

SEC("fmod_ret/security_task_alloc")
int A()
{
int i = B();
bpf_printk("return: %d\n", i);
return i;
}

freplace.bpf.c:
SEC("freplace/B")
int replace()
{
bpf_printk("freplace\n");
return -1;
}
In addition, the log output from testing the above program is as follows:
cat /sys/kernel/debug/tracing/trace_pipe
attack-5370 [002] ...11 4379.086626: bpf_trace_printk: freplace

attack-5370 [002] ...11 4379.086656: bpf_trace_printk: return: -2

Strangely, the replacement program is executed, but the return value still originates from the original program.