From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Martin KaFai Lau <martin.lau@kernel.org>,
Joanne Koong <joannelkoong@gmail.com>,
David Vernet <void@manifault.com>,
Eduard Zingerman <eddyz87@gmail.com>
Subject: [PATCH bpf-next v1 5/8] selftests/bpf: Add dynptr pruning tests
Date: Sun, 1 Jan 2023 14:03:59 +0530 [thread overview]
Message-ID: <20230101083403.332783-6-memxor@gmail.com> (raw)
In-Reply-To: <20230101083403.332783-1-memxor@gmail.com>
Add verifier tests that verify the new pruning behavior for STACK_DYNPTR
slots, and ensure that state equivalence takes into account changes to
the old and current verifier state correctly.
Without the prior fixes, both of these bugs trigger with unprivileged
BPF mode.
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
tools/testing/selftests/bpf/verifier/dynptr.c | 90 +++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 tools/testing/selftests/bpf/verifier/dynptr.c
diff --git a/tools/testing/selftests/bpf/verifier/dynptr.c b/tools/testing/selftests/bpf/verifier/dynptr.c
new file mode 100644
index 000000000000..798f4f7e0c57
--- /dev/null
+++ b/tools/testing/selftests/bpf/verifier/dynptr.c
@@ -0,0 +1,90 @@
+{
+ "dynptr: rewrite dynptr slot",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_LD_MAP_FD(BPF_REG_6, 0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+ BPF_MOV64_IMM(BPF_REG_2, 8),
+ BPF_MOV64_IMM(BPF_REG_3, 0),
+ BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
+ BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9F),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_ringbuf = { 1 },
+ .result_unpriv = REJECT,
+ .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
+ .result = REJECT,
+ .errstr = "arg 1 is an unacquired reference",
+},
+{
+ "dynptr: type confusion",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_LD_MAP_FD(BPF_REG_6, 0),
+ BPF_LD_MAP_FD(BPF_REG_7, 0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+ BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -24),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9FeB9F),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0xeB9FeB9F),
+ BPF_MOV64_IMM(BPF_REG_4, 0),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_2),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+ BPF_MOV64_IMM(BPF_REG_2, 8),
+ BPF_MOV64_IMM(BPF_REG_3, 0),
+ BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+ /* pad with insns to trigger add_new_state heuristic for straight line path */
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+ BPF_JMP_IMM(BPF_JA, 0, 0, 9),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+ BPF_MOV64_IMM(BPF_REG_2, 0),
+ BPF_MOV64_IMM(BPF_REG_3, 0),
+ BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_dynptr_from_mem),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
+ BPF_MOV64_IMM(BPF_REG_2, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_hash_16b = { 1 },
+ .fixup_map_ringbuf = { 3 },
+ .result_unpriv = REJECT,
+ .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
+ .result = REJECT,
+ .errstr = "arg 1 is an unacquired reference",
+},
--
2.39.0
next prev parent reply other threads:[~2023-01-01 8:34 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-01 8:33 [PATCH bpf-next v1 0/8] Dynptr fixes Kumar Kartikeya Dwivedi
2023-01-01 8:33 ` [PATCH bpf-next v1 1/8] bpf: Fix state pruning for STACK_DYNPTR stack slots Kumar Kartikeya Dwivedi
2023-01-02 19:28 ` Eduard Zingerman
2023-01-09 10:59 ` Kumar Kartikeya Dwivedi
2023-01-04 22:24 ` Andrii Nakryiko
2023-01-09 11:05 ` Kumar Kartikeya Dwivedi
2023-01-12 0:47 ` Andrii Nakryiko
2023-01-06 0:18 ` Joanne Koong
2023-01-09 11:17 ` Kumar Kartikeya Dwivedi
2023-01-01 8:33 ` [PATCH bpf-next v1 2/8] bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR Kumar Kartikeya Dwivedi
2023-01-04 22:32 ` Andrii Nakryiko
2023-01-09 11:18 ` Kumar Kartikeya Dwivedi
2023-01-06 0:57 ` Joanne Koong
2023-01-06 17:56 ` Joanne Koong
2023-01-09 11:21 ` Kumar Kartikeya Dwivedi
2023-01-01 8:33 ` [PATCH bpf-next v1 3/8] bpf: Fix partial dynptr stack slot reads/writes Kumar Kartikeya Dwivedi
2023-01-04 22:42 ` Andrii Nakryiko
2023-01-09 11:26 ` Kumar Kartikeya Dwivedi
2023-01-05 3:06 ` Alexei Starovoitov
2023-01-09 11:52 ` Kumar Kartikeya Dwivedi
2023-01-10 2:19 ` Alexei Starovoitov
2023-01-06 19:16 ` Joanne Koong
2023-01-06 19:31 ` Joanne Koong
2023-01-09 11:30 ` Kumar Kartikeya Dwivedi
2023-01-12 18:51 ` Joanne Koong
2023-01-01 8:33 ` [PATCH bpf-next v1 4/8] bpf: Allow reinitializing unreferenced dynptr stack slots Kumar Kartikeya Dwivedi
2023-01-04 22:44 ` Andrii Nakryiko
2023-01-06 19:33 ` Joanne Koong
2023-01-09 11:40 ` Kumar Kartikeya Dwivedi
2023-01-01 8:33 ` Kumar Kartikeya Dwivedi [this message]
2023-01-04 22:49 ` [PATCH bpf-next v1 5/8] selftests/bpf: Add dynptr pruning tests Andrii Nakryiko
2023-01-09 11:44 ` Kumar Kartikeya Dwivedi
2023-01-01 8:34 ` [PATCH bpf-next v1 6/8] selftests/bpf: Add dynptr var_off tests Kumar Kartikeya Dwivedi
2023-01-01 8:34 ` [PATCH bpf-next v1 7/8] selftests/bpf: Add dynptr partial slot overwrite tests Kumar Kartikeya Dwivedi
2023-01-01 8:34 ` [PATCH bpf-next v1 8/8] selftests/bpf: Add dynptr helper tests Kumar Kartikeya Dwivedi
2023-01-04 22:51 ` [PATCH bpf-next v1 0/8] Dynptr fixes Andrii Nakryiko
2023-01-12 1:08 ` Kumar Kartikeya Dwivedi
2023-01-13 22:31 ` Andrii Nakryiko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230101083403.332783-6-memxor@gmail.com \
--to=memxor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=joannelkoong@gmail.com \
--cc=martin.lau@kernel.org \
--cc=void@manifault.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox