On Fri, Mar 27, 2020 at 8:59 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>
> Add various tests to make sure the verifier keeps catching them:
>
> # ./test_verifier
> [...]
> #230/p pass ctx or null check, 1: ctx OK
> #231/p pass ctx or null check, 2: null OK
> #232/p pass ctx or null check, 3: 1 OK
> #233/p pass ctx or null check, 4: ctx - const OK
> #234/p pass ctx or null check, 5: null (connect) OK
> #235/p pass ctx or null check, 6: null (bind) OK
> #236/p pass ctx or null check, 7: ctx (bind) OK
> #237/p pass ctx or null check, 8: null (bind) OK
> [...]
> Summary: 1595 PASSED, 0 SKIPPED, 0 FAILED
>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> ---
> tools/testing/selftests/bpf/verifier/ctx.c | 105 +++++++++++++++++++++
> 1 file changed, 105 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/verifier/ctx.c b/tools/testing/selftests/bpf/verifier/ctx.c
> index 92762c08f5e3..93d6b1641481 100644
> --- a/tools/testing/selftests/bpf/verifier/ctx.c
> +++ b/tools/testing/selftests/bpf/verifier/ctx.c
> @@ -91,3 +91,108 @@
> .result = REJECT,
> .errstr = "variable ctx access var_off=(0x0; 0x4)",
> },
> +{
> + "pass ctx or null check, 1: ctx",
> + .insns = {
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> + BPF_FUNC_get_netns_cookie),
nit: seems like it deserves its own helper, e.g.,
BPF_CALL_HELPER(BPF_FUNC_get_netns_cookie)?
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
> + .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
> + .result = ACCEPT,
> +},
[...]
