Re: [PATCH v2 bpf-next 2/2] selftests/bpf: Add selftests for load-acquire/store-release when register number is invalid

BPF List
 help / color / mirror / Atom feed

From: Eduard Zingerman <eddyz87@gmail.com>
To: Kohei Enju <enjuk@amazon.com>,
	bpf@vger.kernel.org,  linux-kernel@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	 John Fastabend <john.fastabend@gmail.com>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau	 <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>,
	Yonghong Song	 <yonghong.song@linux.dev>,
	KP Singh <kpsingh@kernel.org>,
	Stanislav Fomichev	 <sdf@fomichev.me>,
	Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
	 Peilin Ye <yepeilin@google.com>,
	Ilya Leoshkevich <iii@linux.ibm.com>,
	Kuniyuki Iwashima	 <kuniyu@amazon.com>,
	kohei.enju@gmail.com
Subject: Re: [PATCH v2 bpf-next 2/2] selftests/bpf: Add selftests for load-acquire/store-release when register number is invalid
Date: Fri, 21 Mar 2025 15:24:04 -0700	[thread overview]
Message-ID: <65ff9c62d0d2c355121468b04c0701081d3275fd.camel@gmail.com> (raw)
In-Reply-To: <20250321110010.95217-6-enjuk@amazon.com>

On Fri, 2025-03-21 at 19:59 +0900, Kohei Enju wrote:

Hi Kohei,

Thank you for adding these tests.

[...]

> +SEC("socket")
> +__description("load-acquire with invalid register R11")
> +__failure __failure_unpriv __msg("R11 is invalid")
> +__naked void load_acquire_with_invalid_reg(void)
> +{
> +	asm volatile (
> +	".8byte %[load_acquire_insn];" // r0 = load_acquire((u64 *)(r11 + 0));
> +	"exit;"
> +	:
> +	: __imm_insn(load_acquire_insn,
> +		     BPF_ATOMIC_OP(BPF_DW, BPF_LOAD_ACQ, BPF_REG_0, 11 /* invalid reg */, 0))
> +	: __clobber_all);
> +}
> +
>  #else /* CAN_USE_LOAD_ACQ_STORE_REL */
>  
>  SEC("socket")
> diff --git a/tools/testing/selftests/bpf/progs/verifier_store_release.c b/tools/testing/selftests/bpf/progs/verifier_store_release.c
> index cd6f1e5f378b..2dc1d713b4a6 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_store_release.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_store_release.c
> @@ -257,6 +257,20 @@ __naked void store_release_leak_pointer_to_map(void)
>  	: __clobber_all);
>  }
>  
> +SEC("socket")
> +__description("store-release with invalid register R11")
> +__failure __failure_unpriv __msg("R11 is invalid")
> +__naked void store_release_with_invalid_reg(void)
> +{
> +	asm volatile (
> +	".8byte %[store_release_insn];" // store_release((u64 *)(r11 + 0), r1);
> +	"exit;"
> +	:
> +	: __imm_insn(store_release_insn,
> +		     BPF_ATOMIC_OP(BPF_DW, BPF_STORE_REL, 11 /* invalid reg */, BPF_REG_1, 0))

On my machine / config, the value of 11 was too small to trigger the
KASAN warning. Value of 12 was sufficient.
Curious if it is my config, did you see KASAN warning locally when running this test
before applying the fix?
Maybe set the value to 15 here and above to maximize probability of KASAN warning?

> +	: __clobber_all);
> +}
> +
>  #else
>  
>  SEC("socket")

next prev parent reply	other threads:[~2025-03-21 22:24 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-21 10:59 [PATCH v2 bpf-next 0/2] bpf: Fix OOB read and add tests for load-acquire/store-release Kohei Enju
2025-03-21 10:59 ` [PATCH v2 bpf-next 1/2] bpf: Fix out-of-bounds read in check_atomic_load/store() Kohei Enju
2025-03-21 22:16   ` Eduard Zingerman
2025-03-21 10:59 ` [PATCH v2 bpf-next 2/2] selftests/bpf: Add selftests for load-acquire/store-release when register number is invalid Kohei Enju
2025-03-21 22:24   ` Eduard Zingerman [this message]
2025-03-22  2:48     ` Kohei Enju
2025-03-22  3:17       ` Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=65ff9c62d0d2c355121468b04c0701081d3275fd.camel@gmail.com \
    --to=eddyz87@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=enjuk@amazon.com \
    --cc=haoluo@google.com \
    --cc=iii@linux.ibm.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kohei.enju@gmail.com \
    --cc=kpsingh@kernel.org \
    --cc=kuniyu@amazon.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=sdf@fomichev.me \
    --cc=song@kernel.org \
    --cc=yepeilin@google.com \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox