diff options
author | Eduard Zingerman <eddyz87@gmail.com> | 2022-06-24 05:06:13 +0300 |
---|---|---|
committer | Daniel Borkmann <daniel@iogearbox.net> | 2022-06-24 16:51:00 +0200 |
commit | 41188e9e9defa1678abbf860ad7f6dd1ba48ad1c (patch) | |
tree | 5dce891137cb76dba82aeaae93a6d3d990e6f75a /tools/testing/selftests/bpf/verifier/bpf_loop_inline.c | |
parent | fb4e3b33e3e7f13befdf9ee232e34818c6cc5fb9 (diff) | |
download | linux-41188e9e9defa1678abbf860ad7f6dd1ba48ad1c.tar.gz linux-41188e9e9defa1678abbf860ad7f6dd1ba48ad1c.tar.bz2 linux-41188e9e9defa1678abbf860ad7f6dd1ba48ad1c.zip |
selftest/bpf: Test for use-after-free bug fix in inline_bpf_loop
This test verifies that bpf_loop() inlining works as expected when
address of `env->prog` is updated. This address is updated upon BPF
program reallocation.
Reallocation is handled by bpf_prog_realloc(), which reuses old memory
if page boundary is not crossed. The value of `len` in the test is
chosen to cross this boundary on bpf_loop() patching.
Verify that the use-after-free bug in inline_bpf_loop() reported by
Dan Carpenter is fixed.
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220624020613.548108-3-eddyz87@gmail.com
Diffstat (limited to 'tools/testing/selftests/bpf/verifier/bpf_loop_inline.c')
-rw-r--r-- | tools/testing/selftests/bpf/verifier/bpf_loop_inline.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/verifier/bpf_loop_inline.c b/tools/testing/selftests/bpf/verifier/bpf_loop_inline.c index 232da07c93b5..2d0023659d88 100644 --- a/tools/testing/selftests/bpf/verifier/bpf_loop_inline.c +++ b/tools/testing/selftests/bpf/verifier/bpf_loop_inline.c @@ -244,6 +244,17 @@ .func_info_cnt = 3, BTF_TYPES }, +{ + "inline bpf_loop call in a big program", + .insns = {}, + .fill_helper = bpf_fill_big_prog_with_loop_1, + .expected_insns = { PSEUDO_CALL_INSN() }, + .unexpected_insns = { HELPER_CALL_INSN() }, + .result = ACCEPT, + .func_info = { { 0, MAIN_TYPE }, { 16, CALLBACK_TYPE } }, + .func_info_cnt = 2, + BTF_TYPES +}, #undef HELPER_CALL_INSN #undef PSEUDO_CALL_INSN |