
vbpf / prevail / build 26711020454

Coverage: 86%
Default branch: main
Ran 31 May 2026 11:23AM UTC; 2 jobs, 79 files, run time 1min

31 May 2026 11:12AM UTC coverage: 86.37% (+0.007%) from 86.363%
Build 26711020454 (push, github, elazarg)
Reject writes to read-only context pointer fields

A write through a `T_CTX`-typed base register was accepted while the abstract
transformer modeled it as a silent no-op (`do_mem_store` handles only `T_STACK`
stores) and the checker's `T_CTX` arm never inspected `access_type`. A load of
the data/data_end/meta context fields synthesizes a typed packet pointer
(`do_load_ctx`), so a program could overwrite e.g. `ctx->data`, reload it as a
packet pointer, and dereference an attacker-controlled address — and the
verifier reported PASS.

The context descriptor carries no per-field writability information and the
data/data_end/meta slots must stay read-only, but real programs legitimately
write *scalar* context fields (e.g. `__sk_buff` fields used by Cilium). Rejecting
all context writes would break those, so the checker's `T_CTX` arm now rejects
only writes whose byte range may overlap a data/data_end/meta pointer slot, and
allows writes to other fields (whose loads are havoced to numbers, making the
untracked store sound). The pointer-slot width is end - data (the data/data_end
adjacency do_load_ctx also relies on); a descriptor that ever violated it falls
back to rejecting the write outright.

Also closes the same class of hole on the atomic path: an atomic is a
read-modify-write but its `ValidAccess` used the default `compare` access type,
so an atomic RMW could corrupt a context pointer field unchecked. Atomics now
assert a `write` access.

Adds test-data/ctx.yaml covering rejection of stores/atomics that overlap a
pointer slot (including the full overwrite-reload-deref case) and acceptance
of scalar context writes. The existing uninit.yaml context stores/atomics, which
targeted offset 0, are moved to a scalar offset so they keep exercising the
value-type check they were written for.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Elazar Gershuni <elazarg@gmail.com>
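The policy the commit message describes, written out as a stand-alone C++ example. This is added illustration, not prevail's code: `CtxDescriptor`, `check_ctx_access`, `pointer_slot_width` and the verdict names are hypothetical, and the bounds check is included only so the example runs on its own (a real verifier does that elsewhere). The `XDP_MD` and `SK_BUFF` descriptors are constructed from the Linux UAPI layouts of `struct xdp_md` and `struct __sk_buff` (data/data_end/data_meta at 0/4/8 and 76/80/140); verify them against your kernel headers. The interesting cases are the ones the message calls out: a 4-byte store to `ctx->data`, an 8-byte store that only straddles into a pointer slot, an atomic treated as a write, a store whose offset is only known as an interval, a descriptor with no pointer slots at all, and a descriptor that violates the data/data_end adjacency.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <optional>

// Hypothetical stand-in for a context descriptor: byte offsets of the
// data / data_end / data_meta pointer slots, or -1 when the field is absent.
struct CtxDescriptor {
    int size;  // context size in bytes, used only for the bounds check below
    int data;
    int end;   // data_end
    int meta;  // data_meta
};

// Constructed from the Linux UAPI layouts; check against your kernel headers.
constexpr CtxDescriptor XDP_MD        = {24, 0, 4, 8};
constexpr CtxDescriptor SK_BUFF       = {192, 76, 80, 140};
constexpr CtxDescriptor NO_PTR_CTX    = {16, -1, -1, -1};  // no packet pointers at all
constexpr CtxDescriptor MALFORMED_CTX = {24, 4, 0, 8};     // data_end before data

enum class Access { Load, Store, Atomic };
enum class Verdict { Allow, RejectOverlap, RejectMalformedDescriptor, RejectOutOfBounds };

// Pointer-slot width inferred from data/data_end adjacency (end - data).
// nullopt with malformed=false: the descriptor has no pointer slots.
// nullopt with malformed=true: data/data_end are not adjacent in order.
std::optional<int> pointer_slot_width(const CtxDescriptor& d, bool& malformed) {
    malformed = false;
    if (d.data < 0 && d.end < 0 && d.meta < 0) return std::nullopt;
    if (d.data < 0 || d.end <= d.data) { malformed = true; return std::nullopt; }
    return d.end - d.data;
}

// Half-open interval overlap: [a_lo, a_hi) meets [b_lo, b_hi).
static bool overlaps(int64_t a_lo, int64_t a_hi, int64_t b_lo, int64_t b_hi) {
    return a_lo < b_hi && b_lo < a_hi;
}

// The access offset is an abstract interval [off_lo, off_hi]; width is the
// access width in bytes. Loads are allowed (the load path types pointer-slot
// reads itself); stores and atomics (read-modify-write) are rejected only if
// their byte range may touch a pointer slot.
Verdict check_ctx_access(const CtxDescriptor& d, Access kind,
                         int64_t off_lo, int64_t off_hi, int width) {
    if (off_lo < 0 || off_hi + width > d.size) return Verdict::RejectOutOfBounds;
    if (kind == Access::Load) return Verdict::Allow;

    bool malformed = false;
    std::optional<int> slot = pointer_slot_width(d, malformed);
    if (malformed) return Verdict::RejectMalformedDescriptor;  // fall back to rejecting outright
    if (!slot) return Verdict::Allow;                           // nothing to protect

    const int64_t w_lo = off_lo, w_hi = off_hi + width;
    for (int s : {d.data, d.end, d.meta}) {
        if (s >= 0 && overlaps(w_lo, w_hi, s, s + *slot)) return Verdict::RejectOverlap;
    }
    return Verdict::Allow;
}

static const char* describe(Verdict v) {
    switch (v) {
        case Verdict::Allow:                     return "allow";
        case Verdict::RejectOverlap:             return "reject: may overlap a pointer slot";
        case Verdict::RejectMalformedDescriptor: return "reject: malformed descriptor";
        case Verdict::RejectOutOfBounds:         return "reject: out of bounds";
    }
    return "?";
}

int main() {
    // The overwrite-reload-deref case: a 4-byte store to xdp_md.data.
    std::cout << "xdp store @0 w4:        " << describe(check_ctx_access(XDP_MD, Access::Store, 0, 0, 4)) << "\n";
    // Scalar field writes stay allowed (e.g. __sk_buff.mark at offset 8).
    std::cout << "skb store @8 w4:        " << describe(check_ctx_access(SK_BUFF, Access::Store, 8, 8, 4)) << "\n";
    // An 8-byte store at tc_classid (72) straddles into data (76).
    std::cout << "skb store @72 w8:       " << describe(check_ctx_access(SK_BUFF, Access::Store, 72, 72, 8)) << "\n";
    // Atomics are writes too.
    std::cout << "skb atomic @80 w4:      " << describe(check_ctx_access(SK_BUFF, Access::Atomic, 80, 80, 4)) << "\n";
    // Offset known only as an interval that may reach a slot.
    std::cout << "xdp store @[0,20] w4:   " << describe(check_ctx_access(XDP_MD, Access::Store, 0, 20, 4)) << "\n";
    std::cout << "malformed store @12 w4: " << describe(check_ctx_access(MALFORMED_CTX, Access::Store, 12, 12, 4)) << "\n";
    return 0;
}
```

Note that the protected range is four bytes per slot even though the field holds a pointer: in the UAPI both `xdp_md` and `__sk_buff` expose `data`/`data_end`/`data_meta` as `__u32` and the kernel rewrites the access, which is why the width has to come from the descriptor (end - data) rather than from `sizeof(void*)`.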

14 of 15 new or added lines in 2 files covered. (93.33%)

8992 of 10411 relevant lines covered (86.37%)

6416275.49 hits per line

Uncovered Changes

Lines   Coverage   ∆        File
1       89.75%     0.12%    src/crab/ebpf_checker.cpp

Jobs

ID   Job          Job ID           Ran                        Files   Coverage
1    run-Debug    26711020454.1    31 May 2026 01:29PM UTC    79      84.62%   (GitHub Action run)
2    run-Release  26711020454.2    31 May 2026 11:23AM UTC    79      85.49%   (GitHub Action run)
Commit de65234f on github. Previous build on main: #26571272986; next build on main: #26711049670.

© 2026 Coveralls, Inc