check_mem_reg() verifies both read and write access when a caller passes
memory into a global subprogram. For PTR_TO_BTF_ID callers,
check_helper_mem_access() currently always checks the access as BPF_READ.
That lets a tracing program pass a task_struct field pointer to a global
subprogram argument typed as writable memory. The direct field store is rejected
with "only read is supported", but the callee is validated with a generic
writable PTR_TO_MEM argument and can store through it.

Forward the requested access type into the PTR_TO_BTF_ID helper-access path and
add verifier coverage for the global-subprogram argument case.

Validation (tested on bpf-next 8496d9020ff3):

Without this series:
  direct BTF field store rejected with "only read is supported";
  global-subprogram candidate loaded, attached, and runtime-confirmed.

With this series applied:
  direct BTF field store rejected with "only read is supported";
  global-subprogram candidate rejected with "only read is supported".

Signed-off-by: Nuoqi Gui <[email protected]>
---
Nuoqi Gui (2):
bpf: Enforce write checks for BTF pointer helper access
selftests/bpf: Cover writable BTF field global subprog args
kernel/bpf/verifier.c | 2 +-
.../selftests/bpf/progs/verifier_global_ptr_args.c | 19 +++++++++++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
---
base-commit: b9452b594fd3aecbfd4aa0a6a1f741330a37dab7
change-id: 20260609-f01-04-btf-writable-arg-6abdbd68dec8
Best regards,
--
Nuoqi Gui <[email protected]>
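
Added example (not part of this series and not kernel source): a simplified C model of the check flow the cover letter describes, showing why a caller-side check that asks for both read and write still passes when the BTF-pointer path drops the requested access type. All function and enum names and the forward_type switch are hypothetical; only the read/write asymmetry is taken from the text above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model. Names are hypothetical, not the verifier's own. */
enum access_type { ACC_READ, ACC_WRITE };
enum reg_type { REG_PTR_TO_MEM, REG_PTR_TO_BTF_ID };

/* Policy for BTF pointers in this model: loads only.
 * A write corresponds to the "only read is supported" rejection. */
static bool btf_access_ok(enum access_type t)
{
    return t == ACC_READ;
}

/* Helper-access path. forward_type == false models the behaviour the
 * cover letter calls current: the BTF-pointer case is always checked
 * as a read, whatever the caller asked for. */
static bool helper_mem_access_ok(enum reg_type r, enum access_type t,
                                 bool forward_type)
{
    if (r == REG_PTR_TO_BTF_ID)
        return btf_access_ok(forward_type ? t : ACC_READ);
    return true; /* plain memory is readable and writable in this model */
}

/* Caller-side check for memory passed to a global subprogram:
 * both a read and a write must be allowed. */
static bool mem_reg_ok(enum reg_type r, bool forward_type)
{
    return helper_mem_access_ok(r, ACC_READ, forward_type) &&
           helper_mem_access_ok(r, ACC_WRITE, forward_type);
}

int main(void)
{
    /* Access type dropped: the write check silently becomes a read check. */
    printf("BTF pointer, type dropped:   %s\n",
           mem_reg_ok(REG_PTR_TO_BTF_ID, false) ? "accepted" : "rejected");
    /* Access type forwarded: the write check reaches the BTF policy. */
    printf("BTF pointer, type forwarded: %s\n",
           mem_reg_ok(REG_PTR_TO_BTF_ID, true) ? "accepted" : "rejected");
    /* Ordinary writable memory is unaffected by the change. */
    printf("plain memory, type forwarded: %s\n",
           mem_reg_ok(REG_PTR_TO_MEM, true) ? "accepted" : "rejected");
    return 0;
}
```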