This test verifies that resolve_prog_type() works as expected when
attach_prog_fd is not passed in.
prog->aux->dst_prog in resolve_prog_type() is aligned by attach_prog_fd,
and would be null if attach_prog_fd is not given. Loading EXT prog with
bpf_dynptr_from_skb kfunc call in this way will meet null-pointer-deref.
Verify that the null-pointer-deref bug in resolve_prog_type() is fixed.
Signed-off-by: Tengda Wu <wutengda@xxxxxxxxxxxxxxx>
---
tools/testing/selftests/bpf/verifier/calls.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c
index ab25a81fd3a1..786201434d06 100644
--- a/tools/testing/selftests/bpf/verifier/calls.c
+++ b/tools/testing/selftests/bpf/verifier/calls.c
@@ -275,6 +275,19 @@
.result_unpriv = REJECT,
.result = ACCEPT,
},
+{
+ "calls: invalid kfunc call: attach_prog_fd must be non-empty when freplace",
+ .insns = {
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .prog_type = BPF_PROG_TYPE_EXT,
+ .result = REJECT,
+ .errstr = "",
+ .fixup_kfunc_btf_id = {
+ { "bpf_dynptr_from_skb", 0 },
+ },
+},
{
"calls: basic sanity",
.insns = {
--
2.34.1
