On Thu, Mar 26, 2026 at 7:17 AM Leon Hwang <[email protected]> wrote: > > uprobe programs are allowed to modify struct pt_regs. > > Since the actual program type of uprobe is KPROBE, it can be abused to > modify struct pt_regs via kprobe+freplace when the kprobe attaches to > kernel functions. > > For example, > > SEC("?kprobe") > int kprobe(struct pt_regs *regs) > { > return 0; > } > > SEC("?freplace") > int freplace_kprobe(struct pt_regs *regs) > { > regs->di = 0; > return 0; > } > > freplace_kprobe prog will attach to kprobe prog. > kprobe prog will attach to a kernel function. > > Without this patch, when the kernel function runs, its first arg will > always be set as 0 via the freplace_kprobe prog. > > To fix the abuse of kprobe_write_ctx=true via kprobe+freplace, disallow > attaching freplace programs on kprobe programs with different > kprobe_write_ctx values. > > Fixes: 7384893d970e ("bpf: Allow uprobe program to change context registers") > Signed-off-by: Leon Hwang <[email protected]> > --- > kernel/bpf/syscall.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index 51ade3cde8bb..1dd2ea076d8b 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -3733,6 +3733,11 @@ static int bpf_tracing_prog_attach(struct bpf_prog > *prog, > tr = prog->aux->dst_trampoline; > tgt_prog = prog->aux->dst_prog; > } > + if (prog->type == BPF_PROG_TYPE_EXT && > + prog->aux->kprobe_write_ctx != tgt_prog->aux->kprobe_write_ctx) { > + err = -EINVAL; > + goto out_unlock; > + }
This also blocks uprobe+freplace when prog and tgt_prog have different kprobe_write_ctx, right? Is this the expected behavior? Thanks, Song
