Commit e435b043 authored by Tengda Wu's avatar Tengda Wu Committed by Daniel Borkmann

selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()

This test verifies that resolve_prog_type() works as expected when
`attach_prog_fd` is not passed in.

`prog->aux->dst_prog` in resolve_prog_type() is assigned by
`attach_prog_fd`, and would be NULL if `attach_prog_fd` is not provided.

Loading EXT prog with bpf_dynptr_from_skb() kfunc call in this way will
lead to null-pointer-deref.

Verify that the null-pointer-deref bug in resolve_prog_type() is fixed.
Signed-off-by: default avatarTengda Wu <wutengda@huaweicloud.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240711145819.254178-3-wutengda@huaweicloud.com
parent f7866c35
...@@ -275,6 +275,19 @@ ...@@ -275,6 +275,19 @@
.result_unpriv = REJECT, .result_unpriv = REJECT,
.result = ACCEPT, .result = ACCEPT,
}, },
{
"calls: invalid kfunc call: must provide (attach_prog_fd, btf_id) pair when freplace",
.insns = {
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
BPF_EXIT_INSN(),
},
.prog_type = BPF_PROG_TYPE_EXT,
.result = REJECT,
.errstr = "Tracing programs must provide btf_id",
.fixup_kfunc_btf_id = {
{ "bpf_dynptr_from_skb", 0 },
},
},
{ {
"calls: basic sanity", "calls: basic sanity",
.insns = { .insns = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment