selftests/bpf: Add tests for syscall ctx accesses beyond U16_MAX

Ensure we reject programs that access beyond the maximum syscall ctx
size, i.e. U16_MAX either through direct accesses or helpers/kfuncs.

Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260406194403.1649608-8-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/tools/testing/selftests/bpf/progs/verifier_ctx.c b/tools/testing/selftests/bpf/progs/verifier_ctx.c
index 887cd07ed8855216e1146434cd2511f4c65dd11a..7856dad3d1f3815fdabe5ac77784a109cb4a9087 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_ctx.c
+++ b/tools/testing/selftests/bpf/progs/verifier_ctx.c
@@ -406,6 +406,37 @@ int syscall_ctx_unaligned_var_off_write(void *ctx)
        return 0;
 }
 
+SEC("?syscall")
+__description("syscall: reject ctx access past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_u16_max_fixed_off(void *ctx)
+{
+       char *p = ctx;
+       volatile __u32 val;
+
+       p += 65535;
+       val = *(__u32 *)p;
+       (void)val;
+       return 0;
+}
+
+SEC("?syscall")
+__description("syscall: reject ctx access past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_u16_max_var_off(void *ctx)
+{
+       __u64 off = bpf_get_prandom_u32();
+       char *p = ctx;
+       volatile __u32 val;
+
+       off &= 0xffff;
+       off += 1;
+       p += off;
+       val = *(__u32 *)p;
+       (void)val;
+       return 0;
+}
+
 SEC("?syscall")
 __description("syscall: reject negative variable offset ctx access")
 __failure __msg("min value is negative")
@@ -530,6 +561,56 @@ int syscall_ctx_helper_unaligned_var_off_write(void *ctx)
        return bpf_probe_read_kernel(p, 4, 0);
 }
 
+SEC("?syscall")
+__description("syscall: reject helper read ctx past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_fixed_off_read(void *ctx)
+{
+       char *p = ctx;
+
+       p += 65535;
+       return bpf_strncmp(p, 4, ctx_strncmp_target);
+}
+
+SEC("?syscall")
+__description("syscall: reject helper write ctx past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_fixed_off_write(void *ctx)
+{
+       char *p = ctx;
+
+       p += 65535;
+       return bpf_probe_read_kernel(p, 4, 0);
+}
+
+SEC("?syscall")
+__description("syscall: reject helper read ctx past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_var_off_read(void *ctx)
+{
+       __u64 off = bpf_get_prandom_u32();
+       char *p = ctx;
+
+       off &= 0xffff;
+       off += 1;
+       p += off;
+       return bpf_strncmp(p, 4, ctx_strncmp_target);
+}
+
+SEC("?syscall")
+__description("syscall: reject helper write ctx past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_helper_u16_max_var_off_write(void *ctx)
+{
+       __u64 off = bpf_get_prandom_u32();
+       char *p = ctx;
+
+       off &= 0xffff;
+       off += 1;
+       p += off;
+       return bpf_probe_read_kernel(p, 4, 0);
+}
+
 SEC("?syscall")
 __description("syscall: helper read zero-sized ctx access")
 __success
@@ -599,6 +680,33 @@ int syscall_ctx_kfunc_unaligned_var_off(void *ctx)
        return 0;
 }
 
+SEC("?syscall")
+__description("syscall: reject kfunc ctx access past U16_MAX with fixed offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_kfunc_u16_max_fixed_off(void *ctx)
+{
+       char *p = ctx;
+
+       p += 65535;
+       bpf_kfunc_call_test_mem_len_pass1(p, 4);
+       return 0;
+}
+
+SEC("?syscall")
+__description("syscall: reject kfunc ctx access past U16_MAX with variable offset")
+__failure __msg("outside of the allowed memory range")
+int syscall_ctx_kfunc_u16_max_var_off(void *ctx)
+{
+       __u64 off = bpf_get_prandom_u32();
+       char *p = ctx;
+
+       off &= 0xffff;
+       off += 1;
+       p += off;
+       bpf_kfunc_call_test_mem_len_pass1(p, 4);
+       return 0;
+}
+
 SEC("?syscall")
 __description("syscall: kfunc access zero-sized ctx")
 __success