When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,
the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the
destination register in the !fullsock / !locked_tcp_sock path, leading
to an OOB read (GET_SK) and a kernel pointer leak (GET_FIELD).

Patch 1: Fix both macros by adding BPF_MOV64_IMM(si->dst_reg, 0) in the
!fullsock landing pad.
Patch 2: Add selftests covering same-register and different-register
cases for both GET_SK and GET_FIELD.

[1] https://lore.kernel.org/bpf/[email protected]/T/#u

Changes since v2: https://lore.kernel.org/bpf/[email protected]/
- Addressed selftest review from Martin KaFai Lau: removed unused skel
  parameter, renamed to test_ns_ for automatic netns, ASSERT_GE -> ASSERT_OK_FD
- Add reviewed-by tags.

Changes since v1: https://lore.kernel.org/bpf/[email protected]/
- Fixed the same bug in SOCK_OPS_GET_FIELD() (pointed out by AI review)
- Added SOCK_OPS_GET_FIELD same-register and GET_SK different-register subtests

Jiayuan Chen (2):
  bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops
  selftests/bpf: Add tests for sock_ops ctx access with same src/dst register

 net/core/filter.c                                  |   6 +-
 .../bpf/prog_tests/sock_ops_get_sk.c               |  76 ++++++++++++
 .../selftests/bpf/progs/sock_ops_get_sk.c          | 117 ++++++++++++++++++
 3 files changed, 197 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/sock_ops_get_sk.c
 create mode 100644 tools/testing/selftests/bpf/progs/sock_ops_get_sk.c

-- 
2.43.0

