Commit cfd49b5a authored Jul 29, 2024 by Tengda Wu Committed by Tengda Wu Jul 29, 2024

selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()

mainline inclusion
from mainline-v6.11-rc1
commit e435b043d89a267bd6eb3d5650d2319805d7924a
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAD7R8

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e435b043d89a267bd6eb3d5650d2319805d7924a



--------------------------------

This test verifies that resolve_prog_type() works as expected when
`attach_prog_fd` is not passed in.

`prog->aux->dst_prog` in resolve_prog_type() is assigned by
`attach_prog_fd`, and would be NULL if `attach_prog_fd` is not provided.

Loading EXT prog with bpf_dynptr_from_skb() kfunc call in this way will
lead to null-pointer-deref.

Verify that the null-pointer-deref bug in resolve_prog_type() is fixed.

Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240711145819.254178-3-wutengda@huaweicloud.com


Fixes: 4a9c7bbe ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT")
Signed-off-by: Tengda Wu <wutengda2@huawei.com>

parent 1fd82ce0

tools/testing/selftests/bpf/verifier/calls.c

+13 −0

Original line number	Diff line number	Diff line
		@@ -275,6 +275,19 @@
		.result_unpriv = REJECT,
		.result = ACCEPT,
		},
		{
		"calls: invalid kfunc call: must provide (attach_prog_fd, btf_id) pair when freplace",
		.insns = {
		BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
		BPF_EXIT_INSN(),
		},
		.prog_type = BPF_PROG_TYPE_EXT,
		.result = REJECT,
		.errstr = "Tracing programs must provide btf_id",
		.fixup_kfunc_btf_id = {
		{ "bpf_dynptr_from_skb", 0 },
		},
		},
		{
		"calls: basic sanity",
		.insns = {