[PATCH bpf-next 2/2] selftests/bpf: Tests for uninitialized stack reads

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: Eduard Zingerman <eddyz87@gmail.com>
To: bpf@vger.kernel.org, ast@kernel.org
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
	kernel-team@fb.com, yhs@fb.com,
	Eduard Zingerman <eddyz87@gmail.com>
Subject: [PATCH bpf-next  2/2] selftests/bpf: Tests for uninitialized stack reads
Date: Thu, 16 Feb 2023 20:36:06 +0200	[thread overview]
Message-ID: <20230216183606.2483834-3-eddyz87@gmail.com> (raw)
In-Reply-To: <20230216183606.2483834-1-eddyz87@gmail.com>

Two testcases to make sure that stack reads from uninitialized
locations are accepted by verifier when executed in privileged mode:
- read from a fixed offset;
- read from a variable offset.

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
---
 .../selftests/bpf/prog_tests/uninit_stack.c   |  9 +++
 .../selftests/bpf/progs/uninit_stack.c        | 55 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/uninit_stack.c
 create mode 100644 tools/testing/selftests/bpf/progs/uninit_stack.c

diff --git a/tools/testing/selftests/bpf/prog_tests/uninit_stack.c b/tools/testing/selftests/bpf/prog_tests/uninit_stack.c
new file mode 100644
index 000000000000..e64c71948491
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/uninit_stack.c
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include "uninit_stack.skel.h"
+
+void test_uninit_stack(void)
+{
+	RUN_TESTS(uninit_stack);
+}
diff --git a/tools/testing/selftests/bpf/progs/uninit_stack.c b/tools/testing/selftests/bpf/progs/uninit_stack.c
new file mode 100644
index 000000000000..20ff6a22c906
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/uninit_stack.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+/* Read an uninitialized value from stack at a fixed offset */
+SEC("socket")
+__naked int read_uninit_stack_fixed_off(void *ctx)
+{
+	asm volatile ("				\
+		// force stack depth to be 128	\
+		*(u64*)(r10 - 128) = r1;	\
+		r1 = *(u8 *)(r10 - 8 );		\
+		r1 = *(u8 *)(r10 - 11);		\
+		r1 = *(u8 *)(r10 - 13);		\
+		r1 = *(u8 *)(r10 - 15);		\
+		r1 = *(u16*)(r10 - 16);		\
+		r1 = *(u32*)(r10 - 32);		\
+		r1 = *(u64*)(r10 - 64);		\
+		// read from a spill of a wrong size, it is a separate	\
+		// branch in check_stack_read_fixed_off()		\
+		*(u32*)(r10 - 72) = r1;		\
+		r1 = *(u64*)(r10 - 72);		\
+		r0 = 0;				\
+		exit;				\
+"
+		      ::: __clobber_all);
+}
+
+/* Read an uninitialized value from stack at a variable offset */
+SEC("socket")
+__naked int read_uninit_stack_var_off(void *ctx)
+{
+	asm volatile ("				\
+		call %[bpf_get_prandom_u32];	\
+		// force stack depth to be 64	\
+		*(u64*)(r10 - 64) = r0;		\
+		r0 = -r0;			\
+		// give r0 a range [-31, -1]	\
+		if r0 s<= -32 goto exit_%=;	\
+		if r0 s>= 0 goto exit_%=;	\
+		// access stack using r0	\
+		r1 = r10;			\
+		r1 += r0;			\
+		r2 = *(u8*)(r1 + 0);		\
+exit_%=:	r0 = 0;				\
+		exit;				\
+"
+		      :
+		      : __imm(bpf_get_prandom_u32)
+		      : __clobber_all);
+}
+
+char _license[] SEC("license") = "GPL";
-- 
2.39.1

next prev parent reply	other threads:[~2023-02-16 18:36 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-16 18:36 [PATCH bpf-next 0/2] Allow reads from uninit stack Eduard Zingerman
2023-02-16 18:36 ` [PATCH bpf-next 1/2] bpf: " Eduard Zingerman
2023-02-17  0:36   ` Andrii Nakryiko
2023-02-17 13:13     ` Eduard Zingerman
2023-02-17 21:58       ` Andrii Nakryiko
2023-02-16 18:36 ` Eduard Zingerman [this message]
2023-02-17  0:55   ` [PATCH bpf-next 2/2] selftests/bpf: Tests for uninitialized stack reads Andrii Nakryiko
2023-02-17 13:25     ` Eduard Zingerman
2023-02-17 22:00       ` Andrii Nakryiko
2023-02-17 22:06         ` Eduard Zingerman
2023-02-17 20:37 ` [PATCH bpf-next 0/2] Allow reads from uninit stack Daniel Borkmann
2023-02-17 20:46   ` Eduard Zingerman

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e64c7194849 dfblob:20ff6a22c90 )
 OR (
bs:"[PATCH bpf-next  2/2] selftests/bpf: Tests for uninitialized stack reads" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230216183606.2483834-3-eddyz87@gmail.com \
    --to=eddyz87@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kernel-team@fb.com \
    --cc=martin.lau@linux.dev \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox