When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,
the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the
destination register in the !fullsock / !locked_tcp_sock path, leading to
OOB read (GET_SK) and kernel pointer leak (GET_FIELD).
Patch 1: Fix both macros by adding BPF_MOV64_IMM(si->dst_reg, 0) in the
!fullsock landing pad.
Patch 2: Add selftests covering same-register and different-register cases
for both GET_SK and GET_FIELD.
[1] https://lore.kernel.org/bpf/6fe1243e-149b-4d3b-99c7-fcc9e2f75787@std.uestc.edu.cn/T/#u
Changes since v2:
https://lore.kernel.org/bpf/20260406031330.187630-1-jiayuan.chen@linux.dev/
- Addressed selftest review from Martin KaFai Lau: removed unused skel
parameter, renamed to test_ns_ for automatic netns, ASSERT_GE -> ASSERT_OK_FD
- Add reviewed-by tags.
Changes since v1:
https://lore.kernel.org/bpf/20260404141010.247536-1-jiayuan.chen@linux.dev/
- Fixed the same bug in SOCK_OPS_GET_FIELD() (pointed out by AI review)
- Added SOCK_OPS_GET_FIELD same-register and GET_SK different-register
subtests
Jiayuan Chen (2):
bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops
selftests/bpf: Add tests for sock_ops ctx access with same src/dst
register
net/core/filter.c | 6 +-
.../bpf/prog_tests/sock_ops_get_sk.c | 76 ++++++++++++
.../selftests/bpf/progs/sock_ops_get_sk.c | 117 ++++++++++++++++++
3 files changed, 197 insertions(+), 2 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/sock_ops_get_sk.c
create mode 100644 tools/testing/selftests/bpf/progs/sock_ops_get_sk.c
--
2.43.0