vbpf / ebpf-verifier

eBPF verifier based on abstract interpretation
MIT License
376 stars, 39 forks

Mismatched context should fail verification #192

Open dthaler opened 3 years ago

dthaler commented 3 years ago

Currently it seems that all helper functions are allowed by the verifier for all program types, and helper prototypes are unaware of the required context size.

The net effect is that the verifier will happily pass programs like:

#include <stdint.h>

// "map" is a sockmap defined elsewhere in the program (not shown in this issue).

__attribute__((section("xdp"), used))
int func(void* ctx)
{
    uint32_t key = 1;

    // The following should fail because the ctx doesn't match, and in particular
    // the memory pointed to by ctx might be smaller than the memory read by the helper.
    int result = bpf_sock_map_update(ctx, &map, &key, 0);
    return result;
}

In the example above, the program is passed an XDP context, and then tries to use it as if it were a socket context. This can result in bad memory accesses, e.g., if the hook's context struct is smaller than the helper's expected context struct.
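The check this issue asks for, modelled as an added C++ example that is not the project's own code: a helper prototype records which hook's context each argument requires and how many bytes it reads through it, and a call is rejected when the program type or the context size does not match. ProgType, HelperProto, the argument kinds and the byte sizes are constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Illustrative model only: names and byte sizes are constructed, not the verifier's types or kernel ABI.
enum class ProgType { Xdp, SockOps };
enum class ArgKind { Ctx, Map, PtrToMem, Scalar };

// Bytes the hook guarantees are readable through ctx, per program type (constructed values).
const std::map<ProgType, std::size_t> kCtxSize = {{ProgType::Xdp, 24}, {ProgType::SockOps, 112}};

struct ArgSpec {
    ArgKind kind;
    ProgType ctx_type;     // hook whose context this argument requires (Ctx only)
    std::size_t read_size; // bytes the helper reads through the pointer (Ctx only)
};
struct HelperProto { std::string name; std::vector<ArgSpec> args; };
struct Verdict { bool ok; std::string reason; };

// Reject the call if a context argument is typed for a different hook, or if the
// helper would read more bytes than the calling program's context provides.
Verdict check_helper_call(ProgType prog, const HelperProto& h) {
    for (std::size_t i = 0; i < h.args.size(); ++i) {
        const ArgSpec& a = h.args[i];
        if (a.kind != ArgKind::Ctx) continue;
        if (a.ctx_type != prog)
            return {false, h.name + ": arg " + std::to_string(i) + " needs a different context type"};
        if (a.read_size > kCtxSize.at(prog))
            return {false, h.name + ": arg " + std::to_string(i) + " reads past the end of ctx"};
    }
    return {true, "ok"};
}

// Prototype shaped like the issue's example: the first argument is a sock_ops context.
HelperProto sock_map_update_proto() {
    return {"bpf_sock_map_update", {{ArgKind::Ctx, ProgType::SockOps, 112},
                                    {ArgKind::Map, ProgType::SockOps, 0},
                                    {ArgKind::PtrToMem, ProgType::SockOps, 0},
                                    {ArgKind::Scalar, ProgType::SockOps, 0}}};
}
// The issue's program: an XDP hook passing its own ctx to a sock_ops helper.
Verdict verify_issue_example() { return check_helper_call(ProgType::Xdp, sock_map_update_proto()); }
// Same helper called from a sock_ops program: context type and size both match.
Verdict verify_matching_example() { return check_helper_call(ProgType::SockOps, sock_map_update_proto()); }

int main() {
    std::cout << verify_issue_example().reason << "\n";    // rejected: different context type
    std::cout << verify_matching_example().reason << "\n"; // ok
}
```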

dthaler commented 3 years ago

PR #212 fixed most of the issues. The following helpers still remain unchecked after that PR:

Helpers are documented at