This patchset fixes a null-pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT.
`prog->aux->dst_prog` in resolve_prog_type() is assigned by `attach_prog_fd`, and would be NULL if `attach_prog_fd` is not provided. Loading an EXT prog with a bpf_dynptr_from_skb() kfunc call in this way will lead to a null-pointer dereference.
In the last version we fixed it by forcing `attach_prog_fd` to be non-empty at load time, which broke the libbpf_probe_prog_types() API. Currently, we fix it by just adding a NULL check for EXT progs in resolve_prog_type(), as the old way did.
For the sake of safety, we compared the full selftest logs before and after applying these changes, and the results show that the two test logs were consistent.

Tengda Wu (2):
  bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
  selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type()

 include/linux/bpf_verifier.h                 |  2 +-
 tools/testing/selftests/bpf/verifier/calls.c | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)