For gotox, CFG construction models the indirect-jump target set in
insn_aux_data->jt, but do_check() later follows targets from the runtime
PTR_TO_INSN register's own INSN_ARRAY map. If the same gotox can be
reached with PTR_TO_INSN values from different maps, do_check() can accept
a target that CFG did not model.

On x86, that can transfer control into another subprog without a matching
BPF call frame and crash when the program is run.

Fix this by rejecting gotox map targets that are absent from the CFG jump
table built for that instruction. Add a regression test covering the
two-map cross-subprog case.

Validation:

  unpatched bpf-next b9452b594fd3:
    F01_02_LOAD_FD=5 errno=0 (accepted)
    SELFTEST F01-02 gotox-cross-subprog: FAIL

  patched bpf-next b9452b594fd3 + this series:
    F01_02_LOAD_FD=-1 errno=22 (Invalid argument)
    gotox target 14 from map id=2 is not in the CFG jump table
    SELFTEST F01-02 gotox-cross-subprog: PASS

Signed-off-by: Nuoqi Gui <[email protected]>
---
Nuoqi Gui (2):
      bpf: Fix gotox target validation against CFG
      selftests/bpf: Add cross-subprog gotox target coverage

 kernel/bpf/verifier.c                              | 26 ++++++++
 tools/testing/selftests/bpf/prog_tests/bpf_gotox.c | 73 ++++++++++++++++++++++
 2 files changed, 99 insertions(+)
---
base-commit: b9452b594fd3aecbfd4aa0a6a1f741330a37dab7
change-id: 20260609-f01-02-gotox-bpf-next-272e6276085d

Best regards,
--  
Nuoqi Gui <[email protected]>
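
The mechanism the cover letter describes, as an added user-space model (not kernel code and not this series' patch): one jump table is built at CFG time from the map statically tied to a gotox, then a second map reaching the same gotox is checked against that table. The struct and function names (insn_array_map, jump_table, prog_layout, subprog_start, cfg_build_jump_table, unchecked_target_crosses_subprog, check_gotox_targets, run_scenario), the 16-instruction two-subprog layout, and the target indices and map ids are all constructed for this illustration; they are chosen so the rejected case mirrors the "target 14 from map id=2" log line above, not taken from the kernel.

```c
/* Added user-space model of the gotox-vs-CFG check. Names and data are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_TARGETS 8
#define GOTOX_IDX 5		/* constructed: the gotox sits at insn 5 in subprog 0 */

/* Stand-in for an INSN_ARRAY map: instruction indices a gotox may jump to. */
struct insn_array_map {
	int id;
	int ntargets;
	int targets[MAX_TARGETS];
};

/* Stand-in for insn_aux_data->jt: the target set CFG recorded for one gotox. */
struct jump_table {
	int ntargets;
	int targets[MAX_TARGETS];
};

/* Hypothetical layout: subprog i spans [subprog_start[i], subprog_start[i+1]). */
struct prog_layout {
	int ninsns;
	int nsubprogs;
	int subprog_start[4];
};

static int find_subprog(const struct prog_layout *p, int insn_idx)
{
	for (int i = p->nsubprogs - 1; i >= 0; i--)
		if (insn_idx >= p->subprog_start[i] && insn_idx < p->ninsns)
			return i;
	return -1;
}

/* CFG construction only sees the map statically tied to the gotox: copy its targets. */
static void cfg_build_jump_table(struct jump_table *jt, const struct insn_array_map *map)
{
	jt->ntargets = map->ntargets;
	for (int i = 0; i < map->ntargets; i++)
		jt->targets[i] = map->targets[i];
}

static bool jt_contains(const struct jump_table *jt, int target)
{
	for (int i = 0; i < jt->ntargets; i++)
		if (jt->targets[i] == target)
			return true;
	return false;
}

/* Unpatched behaviour modelled: do_check() follows the runtime map's own targets
 * without consulting the CFG table, so a target in another subprog goes unnoticed. */
static bool unchecked_target_crosses_subprog(const struct prog_layout *p, int gotox_idx,
					     const struct insn_array_map *map)
{
	int own = find_subprog(p, gotox_idx);

	for (int i = 0; i < map->ntargets; i++)
		if (find_subprog(p, map->targets[i]) != own)
			return true;
	return false;
}

/* The fix as modelled here: every target of the map reaching this gotox must be in
 * the CFG jump table built for that instruction, otherwise reject with -EINVAL. */
static int check_gotox_targets(const struct jump_table *jt, const struct insn_array_map *map,
			       int gotox_idx)
{
	for (int i = 0; i < map->ntargets; i++) {
		if (!jt_contains(jt, map->targets[i])) {
			fprintf(stderr, "gotox at %d: target %d from map id=%d is not in the CFG jump table\n",
				gotox_idx, map->targets[i], map->id);
			return -EINVAL;
		}
	}
	return 0;
}

/* Constructed scenario: two subprogs (insns 0-9 and 10-15), one gotox, two maps. */
static const struct prog_layout layout = { .ninsns = 16, .nsubprogs = 2, .subprog_start = { 0, 10 } };
static const struct insn_array_map map1 = { .id = 1, .ntargets = 2, .targets = { 6, 8 } };  /* seen by CFG */
static const struct insn_array_map map2 = { .id = 2, .ntargets = 2, .targets = { 6, 14 } }; /* 14 is in subprog 1 */

/* Build the CFG table from map1, then validate the given map against it. */
static int run_scenario(const struct insn_array_map *map)
{
	struct jump_table jt;

	cfg_build_jump_table(&jt, &map1);
	return check_gotox_targets(&jt, map, GOTOX_IDX);
}

int main(void)
{
	printf("map1 -> %d\n", run_scenario(&map1));
	printf("map2 crosses subprog if unchecked: %d\n", unchecked_target_crosses_subprog(&layout, GOTOX_IDX, &map2));
	printf("map2 -> %d\n", run_scenario(&map2));
	return 0;
}
```

The model deliberately keeps the CFG-time table and the runtime map as separate objects: the bug class only exists because the two are populated from different sources, and the check closes it by treating the CFG table as the authoritative superset rather than trusting whatever map happens to be in the PTR_TO_INSN register.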
