Behavior of BPF helper functions like bpf_skb_load_bytes (and presumably other kfuncs) that have out parameters?

long bpf_skb_load_bytes(const void *skb, u32 offset, void *to, u32 len)

What is the behavior of bpf_skb_load_bytes on failure, specifically with respect to the memory pointed to by the "to" parameter? Does it always zero initialize the output? Is this a documented requirement of helper functions and kfuncs? This somewhat meaningless program seems to suggest that the verifier assumes that the "out" parameters are always initialized, and I was wondering if this behavior is documented somewhere or if it should be?

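#include <stdint.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

/* Single-slot array map that receives whatever ends up in "value". */
__attribute__((section(".maps"), used))
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __type(key, uint32_t);
    __type(value, uint64_t);
    __uint(max_entries, 1);
} test_map;


SEC("socket_filter")
int UninitilizedRead(struct __sk_buff* ctx) {
    uint64_t value;   /* deliberately left uninitialized */
    int key = 0;
    /* Offset -1 (0xffffffff as u32) is out of range, so the load is expected to fail. */
    if (bpf_skb_load_bytes(ctx, -1, &value, sizeof(value)) < 0) {
        /* Failure path: store "value" although the helper reported an error. */
        bpf_map_update_elem(&test_map, &key, &value, 0);
    }
    return 0;
}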

If bpf_skb_load_bytes doesn't zero initialize value, then it will leak uninitialized stack memory. The verifier appears to accept this, so it presumably assumes that value was zero initialized on failure?

Regards,
Alan Jowett
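
The two possible failure behaviours the question distinguishes, as an added user-space model (not part of the original message and not kernel code). The names model_pkt, load_no_clear, load_clear and stored_on_failure are hypothetical, the packet bytes are constructed, and a fixed "stale" value stands in for uninitialized stack contents.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for packet data; hypothetical, not a kernel skb. */
struct model_pkt { const uint8_t *data; uint32_t len; };

typedef long (*load_fn)(const struct model_pkt *, uint32_t, void *, uint32_t);

static int in_range(const struct model_pkt *p, uint32_t off, uint32_t len)
{
    return off <= p->len && len <= p->len - off;   /* overflow-safe bounds check */
}

/* Behaviour A: on failure the out buffer is left exactly as the caller had it. */
static long load_no_clear(const struct model_pkt *p, uint32_t off, void *to, uint32_t len)
{
    if (!in_range(p, off, len))
        return -EFAULT;
    memcpy(to, p->data + off, len);
    return 0;
}

/* Behaviour B: on failure the out buffer is zeroed before returning. */
static long load_clear(const struct model_pkt *p, uint32_t off, void *to, uint32_t len)
{
    if (!in_range(p, off, len)) {
        memset(to, 0, len);
        return -EFAULT;
    }
    memcpy(to, p->data + off, len);
    return 0;
}

/* Mirrors the program in the post: store `value` only when the load fails.
 * `stale` models whatever the stack slot held before the call. */
static uint64_t stored_on_failure(load_fn load, uint64_t stale)
{
    static const uint8_t bytes[16] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed packet */
    struct model_pkt pkt = { bytes, sizeof(bytes) };
    uint64_t value = stale, map_slot = 0;

    if (load(&pkt, (uint32_t)-1, &value, sizeof(value)) < 0)
        map_slot = value;                 /* what the map would end up holding */
    return map_slot;
}

int main(void)
{
    printf("no clear: %#llx\n", (unsigned long long)stored_on_failure(load_no_clear, 0x1122334455667788ULL));
    printf("clear:    %#llx\n", (unsigned long long)stored_on_failure(load_clear, 0x1122334455667788ULL));
    return 0;
}
```

With behaviour A the stale value reaches the map unchanged; with behaviour B the map only ever sees zero on the failure path.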



