From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@kernel.org>,
Joanne Koong <joannelkoong@gmail.com>,
David Vernet <void@manifault.com>
Subject: [PATCH bpf-next v1 13/13] selftests/bpf: Add dynptr helper tests
Date: Tue, 18 Oct 2022 19:29:20 +0530 [thread overview]
Message-ID: <20221018135920.726360-14-memxor@gmail.com> (raw)
In-Reply-To: <20221018135920.726360-1-memxor@gmail.com>
Test that MEM_UNINIT doesn't allow writing dynptr stack slots. Next,
also add a test triggering the memmove case for dynptr_read and
dynptr_write.
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
.../testing/selftests/bpf/prog_tests/dynptr.c | 3 ++
.../testing/selftests/bpf/progs/dynptr_fail.c | 35 +++++++++++++++++++
.../selftests/bpf/progs/dynptr_success.c | 20 +++++++++++
3 files changed, 58 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/dynptr.c b/tools/testing/selftests/bpf/prog_tests/dynptr.c
index 947126d217bd..20910598a0a6 100644
--- a/tools/testing/selftests/bpf/prog_tests/dynptr.c
+++ b/tools/testing/selftests/bpf/prog_tests/dynptr.c
@@ -42,11 +42,14 @@ static struct {
{"release_twice_callback", "arg 1 is an unacquired reference"},
{"dynptr_from_mem_invalid_api",
"Unsupported reg type fp for bpf_dynptr_from_mem data"},
+ {"dynptr_read_into_slot", "potential write to dynptr at off=-16"},
+ {"uninit_write_into_slot", "potential write to dynptr at off=-16"},
/* success cases */
{"test_read_write", NULL},
{"test_data_slice", NULL},
{"test_ringbuf", NULL},
+ {"test_overlap", NULL},
};
static void verify_fail(const char *prog_name, const char *expected_err_msg)
diff --git a/tools/testing/selftests/bpf/progs/dynptr_fail.c b/tools/testing/selftests/bpf/progs/dynptr_fail.c
index b0f08ff024fb..43a0ed3736a9 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_fail.c
@@ -622,3 +622,38 @@ int dynptr_from_mem_invalid_api(void *ctx)
return 0;
}
+
+/* Reject writes to dynptr slot from bpf_dynptr_read */
+SEC("?raw_tp")
+int dynptr_read_into_slot(void *ctx)
+{
+ union {
+ struct {
+ char _pad[48];
+ struct bpf_dynptr ptr;
+ };
+ char buf[64];
+ } data;
+
+ bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &data.ptr);
+ /* this should fail */
+ bpf_dynptr_read(data.buf, sizeof(data.buf), &data.ptr, 0, 0);
+
+ return 0;
+}
+
+/* Reject writes to dynptr slot for uninit arg */
+SEC("?raw_tp")
+int uninit_write_into_slot(void *ctx)
+{
+ struct {
+ char buf[64];
+ struct bpf_dynptr ptr;
+ } data;
+
+ bpf_ringbuf_reserve_dynptr(&ringbuf, 80, 0, &data.ptr);
+ /* this should fail */
+ bpf_get_current_comm(data.buf, 80);
+
+ return 0;
+}
diff --git a/tools/testing/selftests/bpf/progs/dynptr_success.c b/tools/testing/selftests/bpf/progs/dynptr_success.c
index a3a6103c8569..401e924b15a0 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_success.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_success.c
@@ -162,3 +162,23 @@ int test_ringbuf(void *ctx)
bpf_ringbuf_discard_dynptr(&ptr, 0);
return 0;
}
+
+SEC("tp/syscalls/sys_enter_nanosleep")
+int test_overlap(void *ctx)
+{
+ struct bpf_dynptr ptr;
+ void *p;
+
+ if (bpf_get_current_pid_tgid() >> 32 != pid)
+ return 0;
+ bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr);
+ p = bpf_dynptr_data(&ptr, 0, 16);
+ if (!p) {
+ err = 1;
+ goto done;
+ }
+ bpf_dynptr_read(p + 1, 8, &ptr, 0, 0);
+done:
+ bpf_ringbuf_discard_dynptr(&ptr, 0);
+ return 0;
+}
--
2.38.0
next prev parent reply other threads:[~2022-10-18 14:00 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-18 13:59 [PATCH bpf-next v1 00/13] Fixes for dynptr Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 01/13] bpf: Refactor ARG_PTR_TO_DYNPTR checks into process_dynptr_func Kumar Kartikeya Dwivedi
2022-10-18 19:45 ` David Vernet
2022-10-19 6:04 ` Kumar Kartikeya Dwivedi
2022-10-19 15:26 ` David Vernet
2022-10-19 22:59 ` Joanne Koong
2022-10-20 0:55 ` Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 02/13] bpf: Rework process_dynptr_func Kumar Kartikeya Dwivedi
2022-10-18 23:16 ` David Vernet
2022-10-19 6:18 ` Kumar Kartikeya Dwivedi
2022-10-19 16:05 ` David Vernet
2022-10-20 1:09 ` Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 03/13] bpf: Rename confusingly named RET_PTR_TO_ALLOC_MEM Kumar Kartikeya Dwivedi
2022-10-18 21:38 ` sdf
2022-10-19 6:19 ` Kumar Kartikeya Dwivedi
2022-11-07 22:35 ` Joanne Koong
2022-11-07 23:12 ` Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 04/13] bpf: Rework check_func_arg_reg_off Kumar Kartikeya Dwivedi
2022-10-18 21:55 ` sdf
2022-10-19 6:24 ` Kumar Kartikeya Dwivedi
2022-11-07 23:17 ` Joanne Koong
2022-11-08 18:22 ` Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 05/13] bpf: Fix state pruning for STACK_DYNPTR stack slots Kumar Kartikeya Dwivedi
2022-11-08 20:22 ` Joanne Koong
2022-11-09 18:39 ` Kumar Kartikeya Dwivedi
2022-11-10 0:41 ` Joanne Koong
2022-10-18 13:59 ` [PATCH bpf-next v1 06/13] bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR Kumar Kartikeya Dwivedi
2022-10-19 18:52 ` Alexei Starovoitov
2022-10-20 1:04 ` Kumar Kartikeya Dwivedi
2022-10-20 2:13 ` Alexei Starovoitov
2022-10-20 2:40 ` Kumar Kartikeya Dwivedi
2022-10-20 2:56 ` Alexei Starovoitov
2022-10-20 3:23 ` Kumar Kartikeya Dwivedi
2022-10-21 0:46 ` Alexei Starovoitov
2022-10-21 1:53 ` Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 07/13] bpf: Fix partial dynptr stack slot reads/writes Kumar Kartikeya Dwivedi
2022-10-21 22:50 ` Joanne Koong
2022-10-21 22:57 ` Joanne Koong
2022-10-22 4:08 ` Kumar Kartikeya Dwivedi
2022-11-03 14:07 ` Joanne Koong
2022-11-04 22:14 ` Andrii Nakryiko
2022-11-04 23:02 ` Kumar Kartikeya Dwivedi
2022-11-04 23:08 ` Andrii Nakryiko
2022-10-18 13:59 ` [PATCH bpf-next v1 08/13] bpf: Use memmove for bpf_dynptr_{read,write} Kumar Kartikeya Dwivedi
2022-10-21 18:12 ` Joanne Koong
2022-10-18 13:59 ` [PATCH bpf-next v1 09/13] selftests/bpf: Add test for dynptr reinit in user_ringbuf callback Kumar Kartikeya Dwivedi
2022-10-19 16:59 ` David Vernet
2022-10-18 13:59 ` [PATCH bpf-next v1 10/13] selftests/bpf: Add dynptr pruning tests Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 11/13] selftests/bpf: Add dynptr var_off tests Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` [PATCH bpf-next v1 12/13] selftests/bpf: Add dynptr partial slot overwrite tests Kumar Kartikeya Dwivedi
2022-10-18 13:59 ` Kumar Kartikeya Dwivedi [this message]
2023-10-31 7:05 ` CVE-2023-39191 - Dynptr fixes - reg Nandhini Rengaraj
2023-10-31 7:13 ` Greg KH
2023-10-31 7:57 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221018135920.726360-14-memxor@gmail.com \
--to=memxor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=joannelkoong@gmail.com \
--cc=martin.lau@kernel.org \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox