Skip to content

Commit d9706b5

Browse files
eddyz87Alexei Starovoitov
eddyz87
authored and
Alexei Starovoitov
committed
selftests/bpf: validate that tail call invalidates packet pointers
Add a test case with a tail call done from a global sub-program. Such tails calls should be considered as invalidating packet pointers. Signed-off-by: Eduard Zingerman <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alexei Starovoitov <[email protected]>
1 parent 1a4607f commit d9706b5

File tree

1 file changed

+28
-0
lines changed

1 file changed

+28
-0
lines changed

tools/testing/selftests/bpf/progs/verifier_sock.c

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -50,6 +50,13 @@ struct {
5050
__uint(map_flags, BPF_F_NO_PREALLOC);
5151
} sk_storage_map SEC(".maps");
5252

53+
struct {
54+
__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
55+
__uint(max_entries, 1);
56+
__uint(key_size, sizeof(__u32));
57+
__uint(value_size, sizeof(__u32));
58+
} jmp_table SEC(".maps");
59+
5360
SEC("cgroup/skb")
5461
__description("skb->sk: no NULL check")
5562
__failure __msg("invalid mem access 'sock_common_or_null'")
@@ -1065,4 +1072,25 @@ int invalidate_pkt_pointers_from_global_func(struct __sk_buff *sk)
10651072
return TCX_PASS;
10661073
}
10671074

1075+
__noinline
1076+
int tail_call(struct __sk_buff *sk)
1077+
{
1078+
bpf_tail_call_static(sk, &jmp_table, 0);
1079+
return 0;
1080+
}
1081+
1082+
/* Tail calls invalidate packet pointers. */
1083+
SEC("tc")
1084+
__failure __msg("invalid mem access")
1085+
int invalidate_pkt_pointers_by_tail_call(struct __sk_buff *sk)
1086+
{
1087+
int *p = (void *)(long)sk->data;
1088+
1089+
if ((void *)(p + 1) > (void *)(long)sk->data_end)
1090+
return TCX_DROP;
1091+
tail_call(sk);
1092+
*p = 42; /* this is unsafe */
1093+
return TCX_PASS;
1094+
}
1095+
10681096
char _license[] SEC("license") = "GPL";

0 commit comments

Comments
 (0)