bpf: selftest: Ensure the return value of bpf_skc_to helpers must be checked

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This patch tests:

int bpf_cls(struct __sk_buff *skb)
{
/* REG_6: sk
* REG_7: tp
* REG_8: req_sk
*/

sk = skb->sk;
if (!sk)
return 0;

tp = bpf_skc_to_tcp_sock(sk);
req_sk = bpf_skc_to_tcp_request_sock(sk);
if (!req_sk)
return 0;

/* !tp has not been tested, so verifier should reject. */
return *(__u8 *)tp;
}

Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20201019194219.1051314-1-kafai@fb.com

authored by

Martin KaFai Lau and committed by

Alexei Starovoitov 5 years ago e710bcc6 93c230e3

+25

1 changed file

expand all

tools

testing

selftests

bpf

verifier

sock.c

+25

tools/testing/selftests/bpf/verifier/sock.c

··· 631 631 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT, 632 632 .result = ACCEPT, 633 633 }, 634 + { 635 + "mark null check on return value of bpf_skc_to helpers", 636 + .insns = { 637 + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 638 + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 639 + BPF_MOV64_IMM(BPF_REG_0, 0), 640 + BPF_EXIT_INSN(), 641 + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 642 + BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock), 643 + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 644 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 645 + BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_request_sock), 646 + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 647 + BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 0, 2), 648 + BPF_MOV64_IMM(BPF_REG_0, 0), 649 + BPF_EXIT_INSN(), 650 + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_7, 0), 651 + BPF_EXIT_INSN(), 652 + }, 653 + .prog_type = BPF_PROG_TYPE_SCHED_CLS, 654 + .result = REJECT, 655 + .errstr = "invalid mem access", 656 + .result_unpriv = REJECT, 657 + .errstr_unpriv = "unknown func", 658 + },