ebpf-verifier Verifier should check if program is writing within bounds of buffer returned by bpf_ringbuf

Verifier should check if program is writing within bounds of buffer returned by bpf_ringbuf_reserve helper

Open shankarseal opened this issue 3 years ago • 1 comments

void *bpf_ringbuf_reserve(void *ringbuf, u64 size, u64 flags)
Description
         Reserve size bytes of payload in a ring buffer
         ringbuf.
Return Valid pointer with size bytes of memory available;
         NULL, otherwise.

The return type of this helper function should be EBPF_RETURN_TYPE_PTR_TO_MAP_VALUE_OR_NULL. But ringbuf map may have variable length value. The size of the buffer to be reserved is passed in the helper function parameter. Verifier needs to ensure that a program that invokes the API does not write beyond size bytes on the returned buffer.

Please close this issue if this is already the case.

Jan 20 '22 00:01 shankarseal

I believe #298 needs to be completed first.

Jan 22 '22 23:01 elazarg

@elazarg Since #298 was merged, is this issue closable now? bpf_ringbuf_reserve is marked as .return_type = EBPF_RETURN_TYPE_PTR_TO_ALLOC_MEM_OR_NULL,

Jan 04 '24 23:01 dthaler

ebpf-verifier ebpf-verifier copied to clipboard

Verifier should check if program is writing within bounds of buffer returned by bpf_ringbuf_reserve helper

ebpf-verifier
ebpf-verifier copied to clipboard