From: Anton Protopopov <a.s.protopopov@gmail.com>
To: Eduard Zingerman <eddyz87@gmail.com>
Cc: bpf@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Anton Protopopov <aspsk@isovalent.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Quentin Monnet <qmo@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>
Subject: Re: [PATCH v6 bpf-next 16/17] selftests/bpf: add new verifier_gotox test
Date: Fri, 24 Oct 2025 11:40:38 +0000 [thread overview]
Message-ID: <aPtltvv+WHPMEnNt@mail.gmail.com> (raw)
In-Reply-To: <b0e59e59fbe35090809ccbe0b01d923212c789ab.camel@gmail.com>
On 25/10/21 03:42PM, Eduard Zingerman wrote:
> On Sun, 2025-10-19 at 20:21 +0000, Anton Protopopov wrote:
> > Add a set of tests to validate core gotox functionality
> > without need to rely on compilers.
> >
> > Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
> > ---
>
> Thank you for adding these.
> Could you please also add a test cases that checks the following errors:
> - "jump table for insn %d points outside of the subprog [%u,%u]"
> - "the sum of R%u umin_value %llu and off %u is too big\n"
> - "register R%d doesn't point to any offset in map id=%d\n"
Yeah, sorry, these actually were on my list, but I've postponed them
for the next version. Will add. (I also need to add a few selftests
on the offset when loading from map.)
>
> Might be the case that some of these can't be triggered because of the
> check_mem_access() call.
>
> [...]
>
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_gotox.c b/tools/testing/selftests/bpf/progs/verifier_gotox.c
> > new file mode 100644
> > index 000000000000..1a92e4d321e8
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/progs/verifier_gotox.c
>
> [...]
>
> > +/*
> > + * Gotox is forbidden when there is no jump table loaded
> > + * which points to the sub-function where the gotox is used
> > + */
> > +SEC("socket")
> > +__failure __msg("no jump tables found for subprog starting at 0")
> ^^^^
> Nit: one day we need to figure out a way to
> report subprogram names, when reporting
> check_cfg() errors.
But those are not always present, right?
>
> > +__naked void jump_table_no_jump_table(void)
> > +{
> > + asm volatile (" \
> > + .8byte %[gotox_r0]; \
> > + r0 = 1; \
> > + exit; \
> > +" : \
> > + : __imm_insn(gotox_r0, BPF_RAW_INSN(BPF_JMP | BPF_JA | BPF_X, BPF_REG_0, 0, 0 , 0))
> > + : __clobber_all);
> > +}
> > +
> > +/*
> > + * Incorrect type of the target register, only PTR_TO_INSN allowed
> > + */
> > +SEC("socket")
> > +__failure __msg("R1 has type 1, expected PTR_TO_INSN")
> ^^^^^^
> log.c:reg_type_str() should help here.
Yes, thanks, this was changed to address your comment
in the other patch.
> > +__naked void jump_table_incorrect_dst_reg_type(void)
> > +{
> > + asm volatile (" \
> > + .pushsection .jumptables,\"\",@progbits; \
> > +jt0_%=: \
> > + .quad ret0_%=; \
> > + .quad ret1_%=; \
> > + .size jt0_%=, 16; \
> > + .global jt0_%=; \
> > + .popsection; \
> > + \
> > + r0 = jt0_%= ll; \
> > + r0 += 8; \
> > + r0 = *(u64 *)(r0 + 0); \
> > + r1 = 42; \
> > + .8byte %[gotox_r1]; \
> > + ret0_%=: \
> > + r0 = 0; \
> > + exit; \
> > + ret1_%=: \
> > + r0 = 1; \
> > + exit; \
> > +" : \
> > + : __imm_insn(gotox_r1, BPF_RAW_INSN(BPF_JMP | BPF_JA | BPF_X, BPF_REG_1, 0, 0 , 0))
> > + : __clobber_all);
> > +}
> > +
> > +#define DEFINE_INVALID_SIZE_PROG(READ_SIZE, OUTCOME) \
>
> Nit: this can be merged with DEFINE_SIMPLE_JUMP_TABLE_PROG.
Didn't want to overload the macro too much so the prog stays
readable. (Here are two different regs are used.) I will check
how it looks like if I merge them, and merge, if it looks ok-ish.
> > + \
> > + SEC("socket") \
> > + OUTCOME \
> > + __naked void jump_table_invalid_read_size_ ## READ_SIZE(void) \
> > + { \
> > + asm volatile (" \
> > + .pushsection .jumptables,\"\",@progbits; \
> > + jt0_%=: \
> > + .quad ret0_%=; \
> > + .quad ret1_%=; \
> > + .size jt0_%=, 16; \
> > + .global jt0_%=; \
> > + .popsection; \
> > + \
> > + r0 = jt0_%= ll; \
> > + r0 += 8; \
> > + r0 = *(" #READ_SIZE " *)(r0 + 0); \
> > + .8byte %[gotox_r0]; \
> > + ret0_%=: \
> > + r0 = 0; \
> > + exit; \
> > + ret1_%=: \
> > + r0 = 1; \
> > + exit; \
> > + " : \
> > + : __imm_insn(gotox_r0, BPF_RAW_INSN(BPF_JMP | BPF_JA | BPF_X, BPF_REG_0, 0, 0 , 0)) \
> > + : __clobber_all); \
> > + }
> > +
> > +DEFINE_INVALID_SIZE_PROG(u32, __failure __msg("Invalid read of 4 bytes from insn_array"))
> > +DEFINE_INVALID_SIZE_PROG(u16, __failure __msg("Invalid read of 2 bytes from insn_array"))
> > +DEFINE_INVALID_SIZE_PROG(u8, __failure __msg("Invalid read of 1 bytes from insn_array"))
>
> [...]
next prev parent reply other threads:[~2025-10-24 11:33 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-19 20:21 [PATCH v6 bpf-next 00/17] BPF indirect jumps Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 01/17] bpf: fix the return value of push_stack Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 02/17] bpf: save the start of functions in bpf_prog_aux Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 03/17] bpf: generalize and export map_get_next_key for arrays Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 04/17] bpf, x86: add new map type: instructions array Anton Protopopov
2025-10-21 17:49 ` Alexei Starovoitov
2025-10-21 18:32 ` Anton Protopopov
2025-10-21 23:26 ` Eduard Zingerman
2025-10-24 12:12 ` Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 05/17] selftests/bpf: add selftests for new insn_array map Anton Protopopov
2025-10-21 23:51 ` Eduard Zingerman
2025-10-22 13:44 ` Anton Protopopov
2025-10-22 13:55 ` Eduard Zingerman
2025-10-22 14:06 ` Anton Protopopov
2025-10-22 14:03 ` Eduard Zingerman
2025-10-22 14:13 ` Anton Protopopov
2025-10-22 17:00 ` Eduard Zingerman
2025-10-19 20:21 ` [PATCH v6 bpf-next 06/17] bpf: support instructions arrays with constants blinding Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 07/17] selftests/bpf: test instructions arrays with blinding Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 08/17] bpf, x86: allow indirect jumps to r8...r15 Anton Protopopov
2025-10-20 8:38 ` Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 09/17] bpf: make bpf_insn_successors to return a pointer Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 10/17] bpf, x86: add support for indirect jumps Anton Protopopov
2025-10-20 7:23 ` Anton Protopopov
2025-10-21 21:17 ` Eduard Zingerman
2025-10-22 6:51 ` Anton Protopopov
2025-10-22 6:53 ` Eduard Zingerman
2025-10-19 20:21 ` [PATCH v6 bpf-next 11/17] bpf: disasm: add support for BPF_JMP|BPF_JA|BPF_X Anton Protopopov
2025-10-21 21:19 ` Eduard Zingerman
2025-10-19 20:21 ` [PATCH v6 bpf-next 12/17] bpf, docs: do not state that indirect jumps are not supported Anton Protopopov
2025-10-21 19:15 ` Eduard Zingerman
2025-10-21 19:32 ` Anton Protopopov
2025-10-21 19:36 ` Eduard Zingerman
2025-10-21 19:50 ` Anton Protopopov
2025-10-21 20:17 ` Eduard Zingerman
2025-10-19 20:21 ` [PATCH v6 bpf-next 13/17] libbpf: fix formatting of bpf_object__append_subprog_code Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 14/17] libbpf: support llvm-generated indirect jumps Anton Protopopov
2025-10-21 22:18 ` Eduard Zingerman
2025-10-21 22:45 ` Eduard Zingerman
2025-10-24 12:52 ` Anton Protopopov
2025-10-25 17:39 ` Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 15/17] bpftool: Recognize insn_array map type Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 16/17] selftests/bpf: add new verifier_gotox test Anton Protopopov
2025-10-21 22:42 ` Eduard Zingerman
2025-10-24 11:40 ` Anton Protopopov [this message]
2025-10-26 12:34 ` Anton Protopopov
2025-10-27 23:11 ` Eduard Zingerman
2025-10-28 12:06 ` Anton Protopopov
2025-10-19 20:21 ` [PATCH v6 bpf-next 17/17] selftests/bpf: add C-level selftests for indirect jumps Anton Protopopov
2025-10-22 0:27 ` Eduard Zingerman
2025-10-22 13:34 ` Anton Protopopov
2025-10-25 17:41 ` Anton Protopopov
2025-10-21 18:30 ` [PATCH v6 bpf-next 00/17] BPF " patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPtltvv+WHPMEnNt@mail.gmail.com \
--to=a.s.protopopov@gmail.com \
--cc=andrii@kernel.org \
--cc=aspsk@isovalent.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=qmo@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.