Skip to content

feat: Added bounds check for SkBuff::load_bytes and relevant integration test. #1539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
benaryorg wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: Added bounds check for SkBuff::load_bytes and relevant integration test. #1539

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
77f7030
test: Add integration test for SkBuffContext::load_bytes
RyanAlameddine Mar 15, 2025
561633a
fix(aya-ebpf): Add bounds check to SkBuff::load_bytes
RyanAlameddine Mar 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion ebpf/aya-ebpf/src/programs/sk_buff.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ use aya_ebpf_bindings::helpers::{
};
use aya_ebpf_cty::c_long;

use crate::{EbpfContext, bindings::__sk_buff};
use crate::{EbpfContext, bindings::__sk_buff, check_bounds_signed};

pub struct SkBuff {
pub skb: *mut __sk_buff,
Expand Down Expand Up @@ -85,8 +85,12 @@ impl SkBuff {
#[inline(always)]
pub fn load_bytes(&self, offset: usize, dst: &mut [u8]) -> Result<usize, c_long> {
let len = usize::try_from(self.len()).map_err(|core::num::TryFromIntError { .. }| -1)?;
// 0 byte reads will trip the verifier. We need to ensure that the valid range of values for len is at least 1.
let len = len.checked_sub(offset).ok_or(-1)?;
let len = len.min(dst.len());
if !check_bounds_signed(len as i64, 1, dst.len() as i64) {
return Err(-1);
}
let len_u32 = u32::try_from(len).map_err(|core::num::TryFromIntError { .. }| -1)?;
let ret = unsafe {
bpf_skb_load_bytes(
Expand Down
4 changes: 4 additions & 0 deletions test/integration-ebpf/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,3 +135,7 @@ path = "src/printk_test.rs"
[[bin]]
name = "prog_array"
path = "src/prog_array.rs"

[[bin]]
name = "socket_filter"
path = "src/socket_filter.rs"
17 changes: 17 additions & 0 deletions test/integration-ebpf/src/socket_filter.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
#![no_std]
#![no_main]
#![expect(unused_crate_dependencies, reason = "used in other bins")]

use aya_ebpf::{macros::socket_filter, programs::SkBuffContext};

#[cfg(not(test))]
extern crate ebpf_panic;

#[socket_filter]
fn read_one(ctx: SkBuffContext) -> i64 {
// Read 1 byte
let mut dst = [0; 2];
let _result: Result<_, _> = ctx.load_bytes(0, &mut dst);

0
}
1 change: 1 addition & 0 deletions test/integration-test/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ bpf_file!(
UPROBE_COOKIE => "uprobe_cookie",
PRINTK_TEST => "printk_test",
PROG_ARRAY => "prog_array",
SOCKET_FILTER => "socket_filter",
);

#[cfg(test)]
Expand Down
1 change: 1 addition & 0 deletions test/integration-test/src/tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ mod relocations;
mod ring_buf;
mod sk_storage;
mod smoke;
mod socket_filter;
mod strncmp;
mod tcx;
mod uprobe_cookie;
Expand Down
8 changes: 8 additions & 0 deletions test/integration-test/src/tests/socket_filter.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
use aya::{Ebpf, programs::SocketFilter};

#[test]
fn socket_filter_load() {
let mut bpf = Ebpf::load(crate::SOCKET_FILTER).unwrap();
let prog: &mut SocketFilter = bpf.program_mut("read_one").unwrap().try_into().unwrap();
prog.load().unwrap();
}