git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Xingwang Xiang <v3rdant.xiang@gmail.com>
	Sun, 17 May 2026 14:56:27 +0000 (23:56 +0900)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 21 May 2026 00:23:56 +0000 (17:23 -0700)
commit	33644bd38aec24fe043e78ce5dca38e7156f8328
tree	4cd53be437895e52c8767edb947d578e53fba14a	tree \| snapshot
parent	ddf8029623a1af20e984c040e89ff918158397ab	commit \| diff

selftests/bpf: add regression test for ktls+sockmap verdict UAF

Test the scenario where a socket is inserted into a sockmap with a
BPF_SK_SKB_VERDICT program before TLS RX is configured. Previously
sk_psock_verdict_data_ready() would call tcp_read_skb() and drain the
receive queue without advancing copied_seq, causing tls_decrypt_sg()
to walk a dangling frag_list pointer (use-after-free).

The test drives the full vulnerable sequence and verifies that after
the fix recv() returns the correct decrypted data.

Signed-off-by: Xingwang Xiang <v3rdant.xiang@gmail.com>
Link: https://patch.msgid.link/20260517145630.20521-3-v3rdant.xiang@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c		diff \| blob \| blame \| history
tools/testing/selftests/bpf/progs/test_sockmap_ktls.c		diff \| blob \| blame \| history