Currently it seems that all helper functions are allowed by the verifier for all program types, and helper prototypes are unaware of the required context size.
The net effect is that the verifier will happily pass programs like:
```c
#include <stdint.h>
// `map` and the bpf_sock_map_update prototype are taken from the project's
// helper headers and are not shown in this report.

__attribute__((section("xdp"), used))
int func(void* ctx)
{
    uint32_t key = 1;
    // The following should fail because the ctx doesn't match, and in particular
    // the memory pointed to by ctx might be smaller than the memory read by the helper.
    int result = bpf_sock_map_update(ctx, &map, &key, 0);
    return result;
}
```
In the example above, the program is passed an XDP context, and then tries to use it as if it were a socket context. This can result in bad memory accesses, e.g., if the hook's context struct is smaller than the helper's expected context struct.
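To make the missing check concrete, here is a constructed model (added for this write-up, not the verifier's own code) of what a helper prototype would need to carry and how a per-call check would use it. The context structs, helper table and the `check_helper_call` function are all assumptions; the point is that an "xdp" program calling `bpf_sock_map_update` with its own ctx is rejected either by the allowed-program-type list or by the context-size comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the per-hook context structs; only their sizes matter here. */
struct xdp_ctx_model  { void *data; void *data_end; uint32_t ifindex; };
struct sock_ctx_model { uint32_t family, local_ip4, remote_ip4, local_port, remote_port, state, reply[8]; };

enum prog_type { PROG_XDP = 1u << 0, PROG_SOCK_OPS = 1u << 1 };

static size_t ctx_size_for(enum prog_type t) {
    return t == PROG_XDP ? sizeof(struct xdp_ctx_model) : sizeof(struct sock_ctx_model);
}

/* Helper prototype extended with the two facts the report says are missing:
 * which program types may call it, and how many ctx bytes it dereferences (0 = no ctx). */
struct helper_proto {
    const char *name;
    unsigned    allowed_progs;   /* bitmask of enum prog_type */
    size_t      ctx_bytes_read;
};

enum helper_id { HELPER_MAP_LOOKUP, HELPER_SOCK_MAP_UPDATE, HELPER_SOCK_PEEK_MODEL, HELPER_COUNT };

static const struct helper_proto helpers[HELPER_COUNT] = {
    [HELPER_MAP_LOOKUP]      = { "bpf_map_lookup_elem", PROG_XDP | PROG_SOCK_OPS, 0 },
    [HELPER_SOCK_MAP_UPDATE] = { "bpf_sock_map_update", PROG_SOCK_OPS, sizeof(struct sock_ctx_model) },
    /* Constructed: an over-broad allow list; only the size check catches the XDP misuse. */
    [HELPER_SOCK_PEEK_MODEL] = { "sock_peek_model", PROG_XDP | PROG_SOCK_OPS, sizeof(struct sock_ctx_model) },
};

enum verdict { VERDICT_OK, VERDICT_HELPER_NOT_ALLOWED, VERDICT_CTX_TOO_SMALL };

/* The check a verifier would run at each helper call: the program type must be permitted,
 * and the hook's context must be at least as large as the region the helper reads. */
enum verdict check_helper_call(enum prog_type prog, enum helper_id id) {
    const struct helper_proto *h = &helpers[id];
    if ((h->allowed_progs & (unsigned)prog) == 0)
        return VERDICT_HELPER_NOT_ALLOWED;
    if (h->ctx_bytes_read > ctx_size_for(prog))
        return VERDICT_CTX_TOO_SMALL;
    return VERDICT_OK;
}

int main(void) {
    /* The program from the report: an "xdp" program passing its ctx to bpf_sock_map_update. */
    enum verdict v = check_helper_call(PROG_XDP, HELPER_SOCK_MAP_UPDATE);
    printf("xdp -> %s: %s\n", helpers[HELPER_SOCK_MAP_UPDATE].name,
           v == VERDICT_OK ? "accepted" : "rejected");
    return v == VERDICT_OK;
}
```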