On 4/23/21 11:28 AM, Alexei Starovoitov wrote:
On Fri, Apr 23, 2021 at 11:16 AM Yonghong Song <yhs@xxxxxx> wrote:+ +static bool syscall_prog_is_valid_access(int off, int size, + enum bpf_access_type type, + const struct bpf_prog *prog, + struct bpf_insn_access_aux *info) +{ + if (off < 0 || off >= U16_MAX) + return false;Is this enough? If I understand correctly, the new program type allows any arbitrary context data from user as long as its size meets the following constraints: if (ctx_size_in < prog->aux->max_ctx_offset || ctx_size_in > U16_MAX) return -EINVAL; So if user provides a ctx with size say 40 and inside the program looks it is still able to read/write to say offset 400. Should we be a little more restrictive on this?At the load time the program can have a read/write at offset 400, but it will be rejected at prog_test_run time. That's similar to tp and raw_tp test_run-s and attach-es. That's why test_run has that check you've quoted. It's a two step verification. The verifier rejects <0 || > u16_max right away and keeps the track of max_ctx_offset. Then at attach/test_run the final check is done with an actual ctx_size_in.
Thanks! That is indeed the case. Somehow although I copy-pasted it, I missed the code "ctx_size_in < prog->aux->max_ctx_offset"...
