Add a new Kconfig option CONFIG_BPF_JIT_KASAN that automatically enables KASAN (Kernel Address Sanitizer) memory access checks for JIT-compiled BPF programs, when both KASAN and JIT compiler are enabled. When enabled, the JIT compiler will emit shadow memory checks before memory loads and stores to detect use-after-free, out-of-bounds, and other memory safety bugs at runtime. The option is gated behind HAVE_EBPF_JIT_KASAN, as it needs proper arch-specific implementation.
Signed-off-by: Alexis Lothoré (eBPF Foundation) <[email protected]> --- kernel/bpf/Kconfig | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index eb3de35734f0..28392adb3d7e 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -17,6 +17,10 @@ config HAVE_CBPF_JIT config HAVE_EBPF_JIT bool +# KASAN support for JIT compiler +config HAVE_EBPF_JIT_KASAN + bool + # Used by archs to tell that they want the BPF JIT compiler enabled by # default for kernels that were compiled with BPF JIT support. config ARCH_WANT_DEFAULT_BPF_JIT @@ -101,4 +105,9 @@ config BPF_LSM If you are unsure how to answer this question, answer N. +config BPF_JIT_KASAN + bool + depends on HAVE_EBPF_JIT_KASAN + default y if BPF_JIT && KASAN_GENERIC + endmenu # "BPF subsystem" -- 2.53.0
