[...]
Issue Regarding BPF_PROG_TYPE_EXT Programs Bypassing Validation Logic:
__attribute__ ((noinline)) int B()
{
return 0; /* Valid return value */
}
SEC("fmod_ret/security_task_alloc")
int A()
{
return B();
}
SEC("freplace/B")
int replace()
{
return 1; /* Invalid return value */
}
This method can verify whether the return value of freplace is legitimate
by using env->prog->aux->dst_prog->aux->attach_btf_id.
However, this approach will reject legitimate programs if the return value of
the original program does not come from the replaced function (as shown below).
__attribute__ ((noinline)) int B()
{
return 0;
}
SEC("fmod_ret/security_task_alloc")
int A()
{
B();
return 0;
}
SEC("freplace/B")
int replace()
{
return 1;
}
I have not found a proper solution to this issue.
target.bpf.c:
__attribute__ ((noinline)) int B()
{
bpf_printk("--\n");
return -2;
}
SEC("fmod_ret/security_task_alloc")
int A()
{
int i = B();
bpf_printk("return: %d\n", i);
return i;
}
freplace.bpf.c:
SEC("freplace/B")
int replace()
{
bpf_printk("freplace\n");
return -1;
}
In addition, the log output from testing the above program is as follows:
cat /sys/kernel/debug/tracing/trace_pipe
attack-5370 [002] ...11 4379.086626: bpf_trace_printk: freplace
attack-5370 [002] ...11 4379.086656: bpf_trace_printk: return: -2
Strangely, the replacement program is executed, but the return value still
originates from the original program.
