From: "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
To: "Amery Hung" <ameryhung@gmail.com>,
"Kumar Kartikeya Dwivedi" <memxor@gmail.com>
Cc: <bpf@vger.kernel.org>, "Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Emil Tsalapatis" <emil@etsalapatis.com>, <kkd@meta.com>,
<kernel-team@meta.com>
Subject: Re: [PATCH bpf-next v1 2/2] selftests/bpf: Add untrusted BTF write regression
Date: Wed, 08 Jul 2026 00:36:01 +0200 [thread overview]
Message-ID: <DJSP514TVE91.2KYRSI48YO2P3@gmail.com> (raw)
In-Reply-To: <CAMB2axMvA6n-x4SReDCzCPuu2n1i-oxsgeQtk6p5LF1Ce8Ez_A@mail.gmail.com>
On Wed Jul 8, 2026 at 12:31 AM CEST, Amery Hung wrote:
> On Tue, Jul 7, 2026 at 12:02 PM Kumar Kartikeya Dwivedi
> <memxor@gmail.com> wrote:
>>
>> Add a TCP congestion-control struct_ops load test for a write through a
>> BTF pointer produced by bpf_rdonly_cast().
>>
>> The test expects the verifier to reject the program before the TCP CA
>> btf_struct_access callback can whitelist the tcp_sock field write.
>>
>> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
>> ---
>> .../selftests/bpf/prog_tests/bpf_tcp_ca.c | 12 +++++++++
>> .../bpf/progs/tcp_ca_untrusted_btf_write.c | 26 +++++++++++++++++++
>> 2 files changed, 38 insertions(+)
>> create mode 100644 tools/testing/selftests/bpf/progs/tcp_ca_untrusted_btf_write.c
>>
>> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_tcp_ca.c b/tools/testing/selftests/bpf/prog_tests/bpf_tcp_ca.c
>> index fe30181e6336..eb05fc82f81b 100644
>> --- a/tools/testing/selftests/bpf/prog_tests/bpf_tcp_ca.c
>> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_tcp_ca.c
>> @@ -14,6 +14,7 @@
>> #include "tcp_ca_incompl_cong_ops.skel.h"
>> #include "tcp_ca_unsupp_cong_op.skel.h"
>> #include "tcp_ca_kfunc.skel.h"
>> +#include "tcp_ca_untrusted_btf_write.skel.h"
>> #include "bpf_cc_cubic.skel.h"
>>
>> static const unsigned int total_bytes = 10 * 1024 * 1024;
>> @@ -579,6 +580,15 @@ static void test_tcp_ca_kfunc(void)
>> tcp_ca_kfunc__destroy(skel);
>> }
>>
>> +static void test_untrusted_btf_write(void)
>> +{
>> + struct tcp_ca_untrusted_btf_write *skel;
>> +
>> + skel = tcp_ca_untrusted_btf_write__open_and_load();
>> + ASSERT_ERR_PTR(skel, "tcp_ca_untrusted_btf_write__open_and_load");
>> + tcp_ca_untrusted_btf_write__destroy(skel);
>> +}
>> +
>> static void test_cc_cubic(void)
>> {
>> struct cb_opts cb_opts = {
>> @@ -637,6 +647,8 @@ void test_bpf_tcp_ca(void)
>> test_link_replace();
>> if (test__start_subtest("tcp_ca_kfunc"))
>> test_tcp_ca_kfunc();
>> + if (test__start_subtest("untrusted_btf_write"))
>> + test_untrusted_btf_write();
>> if (test__start_subtest("cc_cubic"))
>> test_cc_cubic();
>> if (test__start_subtest("dctcp_autoattach_map"))
>> diff --git a/tools/testing/selftests/bpf/progs/tcp_ca_untrusted_btf_write.c b/tools/testing/selftests/bpf/progs/tcp_ca_untrusted_btf_write.c
>> new file mode 100644
>> index 000000000000..eda4697aac80
>> --- /dev/null
>> +++ b/tools/testing/selftests/bpf/progs/tcp_ca_untrusted_btf_write.c
>> @@ -0,0 +1,26 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +
>> +#include "bpf_tracing_net.h"
>> +#include <bpf/bpf_core_read.h>
>> +#include <bpf/bpf_helpers.h>
>> +#include <bpf/bpf_tracing.h>
>> +
>> +char _license[] SEC("license") = "GPL";
>> +
>> +SEC("struct_ops")
>> +void BPF_PROG(untrusted_btf_write_init, struct sock *sk)
>> +{
>> + struct tcp_sock *tp;
>> + int v = 1;
>> + void *p;
>> +
>> + p = bpf_rdonly_cast(&v, 0);
>> + tp = bpf_rdonly_cast(p, bpf_core_type_id_kernel(struct tcp_sock));
>
> Do we need two bpf_rdonly_cast()? I tested the following and it also works:
>
Yeah, single case works too, I mostly kept these two because of the original
report.
> tp = bpf_rdonly_cast(&v, bpf_core_type_id_kernel(struct tcp_sock));
>
>> + tp->snd_cwnd = 1;
>> +}
>> +
>> +SEC(".struct_ops")
>> +struct tcp_congestion_ops untrusted_btf_write = {
>> + .init = (void *)untrusted_btf_write_init,
>> + .name = "bpf_ro_btf",
>> +};
>> --
>> 2.53.0
>>
>>
next prev parent reply other threads:[~2026-07-07 22:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 19:02 [PATCH bpf-next v1 0/2] Fix for untrusted BTF pointer writes Kumar Kartikeya Dwivedi
2026-07-07 19:02 ` [PATCH bpf-next v1 1/2] bpf: Reject writes through untrusted BTF pointers Kumar Kartikeya Dwivedi
2026-07-07 19:48 ` bot+bpf-ci
2026-07-07 22:10 ` Amery Hung
2026-07-07 19:02 ` [PATCH bpf-next v1 2/2] selftests/bpf: Add untrusted BTF write regression Kumar Kartikeya Dwivedi
2026-07-07 22:31 ` Amery Hung
2026-07-07 22:36 ` Kumar Kartikeya Dwivedi [this message]
2026-07-07 22:58 ` Amery Hung
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJSP514TVE91.2KYRSI48YO2P3@gmail.com \
--to=memxor@gmail.com \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=emil@etsalapatis.com \
--cc=kernel-team@meta.com \
--cc=kkd@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox