[PATCH bpf-next v5 7/7] selftests/bpf: Add tests for syscall ctx accesses beyond U16_MAX

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Emil Tsalapatis <emil@etsalapatis.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Martin KaFai Lau <martin.lau@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>, Tejun Heo <tj@kernel.org>,
	Dan Schatzberg <dschatzberg@meta.com>,
	kkd@meta.com, kernel-team@meta.com
Subject: [PATCH bpf-next v5 7/7] selftests/bpf: Add tests for syscall ctx accesses beyond U16_MAX
Date: Mon,  6 Apr 2026 21:44:01 +0200	[thread overview]
Message-ID: <20260406194403.1649608-8-memxor@gmail.com> (raw)
In-Reply-To: <20260406194403.1649608-1-memxor@gmail.com>

Ensure we reject programs that access beyond the maximum syscall ctx
size, i.e. U16_MAX either through direct accesses or helpers/kfuncs.

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
 .../selftests/bpf/progs/verifier_ctx.c        | 108 ++++++++++++++++++
 1 file changed, 108 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_ctx.c b/tools/testing/selftests/bpf/progs/verifier_ctx.c
index 887cd07ed885..7856dad3d1f3 100644
--- a/tools/testing/selftests/bpf/progs/verifier_ctx.c
+++ b/tools/testing/selftests/bpf/progs/verifier_ctx.c
@@ -406,6 +406,37 @@ int syscall_ctx_unaligned_var_off_write(void *ctx)
 	return 0;
 }
 
+SEC("?syscall")
+__description("syscall: reject ctx access past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_u16_max_fixed_off(void *ctx)
+{
+	char *p = ctx;
+	volatile __u32 val;
+
+	p += 65535;
+	val = *(__u32 *)p;
+	(void)val;
+	return 0;
+}
+
+SEC("?syscall")
+__description("syscall: reject ctx access past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_u16_max_var_off(void *ctx)
+{
+	__u64 off = bpf_get_prandom_u32();
+	char *p = ctx;
+	volatile __u32 val;
+
+	off &= 0xffff;
+	off += 1;
+	p += off;
+	val = *(__u32 *)p;
+	(void)val;
+	return 0;
+}
+
 SEC("?syscall")
 __description("syscall: reject negative variable offset ctx access")
 __failure __msg("min value is negative")
@@ -530,6 +561,56 @@ int syscall_ctx_helper_unaligned_var_off_write(void *ctx)
 	return bpf_probe_read_kernel(p, 4, 0);
 }
 
+SEC("?syscall")
+__description("syscall: reject helper read ctx past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_fixed_off_read(void *ctx)
+{
+	char *p = ctx;
+
+	p += 65535;
+	return bpf_strncmp(p, 4, ctx_strncmp_target);
+}
+
+SEC("?syscall")
+__description("syscall: reject helper write ctx past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_fixed_off_write(void *ctx)
+{
+	char *p = ctx;
+
+	p += 65535;
+	return bpf_probe_read_kernel(p, 4, 0);
+}
+
+SEC("?syscall")
+__description("syscall: reject helper read ctx past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_var_off_read(void *ctx)
+{
+	__u64 off = bpf_get_prandom_u32();
+	char *p = ctx;
+
+	off &= 0xffff;
+	off += 1;
+	p += off;
+	return bpf_strncmp(p, 4, ctx_strncmp_target);
+}
+
+SEC("?syscall")
+__description("syscall: reject helper write ctx past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_var_off_write(void *ctx)
+{
+	__u64 off = bpf_get_prandom_u32();
+	char *p = ctx;
+
+	off &= 0xffff;
+	off += 1;
+	p += off;
+	return bpf_probe_read_kernel(p, 4, 0);
+}
+
 SEC("?syscall")
 __description("syscall: helper read zero-sized ctx access")
 __success
@@ -599,6 +680,33 @@ int syscall_ctx_kfunc_unaligned_var_off(void *ctx)
 	return 0;
 }
 
+SEC("?syscall")
+__description("syscall: reject kfunc ctx access past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_kfunc_u16_max_fixed_off(void *ctx)
+{
+	char *p = ctx;
+
+	p += 65535;
+	bpf_kfunc_call_test_mem_len_pass1(p, 4);
+	return 0;
+}
+
+SEC("?syscall")
+__description("syscall: reject kfunc ctx access past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_kfunc_u16_max_var_off(void *ctx)
+{
+	__u64 off = bpf_get_prandom_u32();
+	char *p = ctx;
+
+	off &= 0xffff;
+	off += 1;
+	p += off;
+	bpf_kfunc_call_test_mem_len_pass1(p, 4);
+	return 0;
+}
+
 SEC("?syscall")
 __description("syscall: kfunc access zero-sized ctx")
 __success
-- 
2.52.0

next prev parent reply	other threads:[~2026-04-06 19:44 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-06 19:43 [PATCH bpf-next v5 0/7] Allow variable offsets for syscall PTR_TO_CTX Kumar Kartikeya Dwivedi
2026-04-06 19:43 ` [PATCH bpf-next v5 1/7] bpf: Support " Kumar Kartikeya Dwivedi
2026-04-06 19:43 ` [PATCH bpf-next v5 2/7] bpf: Enable unaligned accesses for syscall ctx Kumar Kartikeya Dwivedi
2026-04-06 19:43 ` [PATCH bpf-next v5 3/7] selftests/bpf: Convert ctx tests from ASM to C Kumar Kartikeya Dwivedi
2026-04-06 19:43 ` [PATCH bpf-next v5 4/7] selftests/bpf: Add syscall ctx variable offset tests Kumar Kartikeya Dwivedi
2026-04-06 19:43 ` [PATCH bpf-next v5 5/7] selftests/bpf: Test modified syscall ctx for ARG_PTR_TO_CTX Kumar Kartikeya Dwivedi
2026-04-06 19:44 ` [PATCH bpf-next v5 6/7] selftests/bpf: Add tests for unaligned syscall ctx accesses Kumar Kartikeya Dwivedi
2026-04-06 19:44 ` Kumar Kartikeya Dwivedi [this message]
2026-04-06 22:02   ` [PATCH bpf-next v5 7/7] selftests/bpf: Add tests for syscall ctx accesses beyond U16_MAX Alexei Starovoitov
2026-04-06 22:30 ` [PATCH bpf-next v5 0/7] Allow variable offsets for syscall PTR_TO_CTX patchwork-bot+netdevbpf

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:887cd07ed88 dfblob:7856dad3d1f )
 OR (
bs:"[PATCH bpf-next v5 7/7] selftests/bpf: Add tests for syscall ctx accesses beyond U16_MAX" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260406194403.1649608-8-memxor@gmail.com \
    --to=memxor@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=dschatzberg@meta.com \
    --cc=eddyz87@gmail.com \
    --cc=emil@etsalapatis.com \
    --cc=kernel-team@meta.com \
    --cc=kkd@meta.com \
    --cc=martin.lau@kernel.org \
    --cc=tj@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.