On Thu, Apr 20, 2023 at 02:44:55PM +0200, Florian Westphal wrote:
> + > +SEC("netfilter") > +__description("netfilter valid context access") > +__success __failure_unpriv > +__retval(1) > +__naked void with_invalid_ctx_access_test5(void) > +{ > + asm volatile (" \ > + r2 = *(u64*)(r1 + %[__bpf_nf_ctx_state]); \ > + r1 = *(u64*)(r1 + %[__bpf_nf_ctx_skb]); \ > + r0 = 1; \ > + exit; \ > +" : > + : __imm_const(__bpf_nf_ctx_state, offsetof(struct bpf_nf_ctx, state)), > + __imm_const(__bpf_nf_ctx_skb, offsetof(struct bpf_nf_ctx, skb)) > + : __clobber_all);

Could you write this one in C instead?

Also check that skb and state are dereferenceable after that.
Since they should be seen as trusted ptr_to_btf_id skb->len and state->sk should work.
You cannot craft this test case in asm, since it needs CO-RE.

Also see that BPF CI is not happy:
https://github.com/kernel-patches/bpf/actions/runs/4757642030/jobs/8455500277

Error: #112 libbpf_probe_prog_types
Error: #112/32 libbpf_probe_prog_types/BPF_PROG_TYPE_NETFILTER
Error: #113 libbpf_str
Error: #113/4 libbpf_str/bpf_prog_type_str
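Review bot: the function name with_invalid_ctx_access_test5 in the quoted hunk contradicts its own annotations, __description("netfilter valid context access") and __success, so a failure of this case in the selftest log would read as a negative test; rename it to match, for example with_valid_ctx_access_test5. The asm body also only loads the state and skb fields from the context into r2 and r1 and then exits with r0 = 1, so the test shows that the two offsets are readable but never uses the loaded pointers; a positive test for this context should also exercise a read through each of them.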