BPF List
From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrei Matei <andreimatei1@gmail.com>,
	bpf@vger.kernel.org,  andrii.nakryiko@gmail.com,
	sunhao.th@gmail.com
Subject: Re: [PATCH bpf-next v4 1/2] bpf: fix verification of indirect var-off stack access
Date: Wed, 06 Dec 2023 19:12:31 +0200
Message-ID: <aa7421147262d1b8be628cb7d98c4c43199bc20e.camel@gmail.com>
In-Reply-To: <20231206165802.380626-2-andreimatei1@gmail.com>

On Wed, 2023-12-06 at 11:58 -0500, Andrei Matei wrote:
[...]
> diff --git a/tools/testing/selftests/bpf/progs/verifier_var_off.c b/tools/testing/selftests/bpf/progs/verifier_var_off.c

You would probably be asked to split this patch in two.
Usually selftests are submitted as separate patches with a
'selftests/bpf:' tag. Tests are updated in 'bpf:' patches only if
changes to the verifier make some tests invalid (so that it is possible
to do bisects over commit ranges).

Otherwise, lgtm. Thank you for adding the test, and please add my ack
for the test if a v5 is submitted.

> index 83a90afba785..9fb32b292017 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_var_off.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_var_off.c
> @@ -224,6 +224,35 @@ __naked void access_max_out_of_bound(void)
>  	: __clobber_all);
>  }
>  
> +/* Similar to the test above, but this time check the special case of a
> + * zero-sized stack access. We used to have a bug causing crashes for zero-sized
> + * out-of-bounds accesses.
> + */
> +SEC("socket")
> +__description("indirect variable-offset stack access, zero-sized, max out of bound")
> +__failure __msg("invalid variable-offset indirect access to stack R1")
> +__naked void zero_sized_access_max_out_of_bound(void)
> +{
> +	asm volatile ("                     \
> +	r0 = 0;                             \
> +	/* Fill some stack */               \
> +	*(u64*)(r10 - 16) = r0;             \
> +	*(u64*)(r10 - 8) = r0;              \
> +	/* Get an unknown value */          \
> +	r1 = *(u32*)(r1 + 0);               \
> +	r1 &= 64;                           \
> +	r1 += -16;                          \
> +	/* r1 is now anywhere in [-16,48)*/ \
> +	r1 += r10;                          \
> +	r2 = 0;                             \
> +	r3 = 0;                             \
> +	call %[bpf_probe_read_kernel];      \
> +	exit;                               \
> +"	:
> +	: __imm(bpf_probe_read_kernel)
> +	: __clobber_all);
> +}
> +
>  SEC("lwt_in")
>  __description("indirect variable-offset stack access, min out of bound")
>  __failure __msg("invalid variable-offset indirect access to stack R2")
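Review bot: The range comment `/* r1 is now anywhere in [-16,48)*/` is off by one: `r1 &= 64` bounds r1 to [0, 64] and `r1 += -16` shifts that to [-16, 48], so 48 is reachable (64 - 16) and the interval should read `[-16,48]` (with a space before `*/`, as in the other comments in this file). The test's intent is unaffected: after `r1 += r10`, r1 can point up to r10 + 48, above the top of the frame, and with `r2 = 0` the bpf_probe_read_kernel call is the zero-sized access the description names, so the rejection with "invalid variable-offset indirect access to stack R1" is the right expectation.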




Thread overview: 7+ messages
2023-12-06 16:58 [PATCH bpf-next v4 0/2] bpf: fix verification of indirect var-off stack access Andrei Matei
2023-12-06 16:58 ` [PATCH bpf-next v4 1/2] " Andrei Matei
2023-12-06 17:12   ` Eduard Zingerman [this message]
2023-12-06 18:56   ` Andrii Nakryiko
2023-12-07  3:30     ` Andrei Matei
2023-12-06 16:58 ` [PATCH bpf-next v4 2/2] bpf: guard stack limits against 32bit overflow Andrei Matei
2023-12-06 19:04   ` Andrii Nakryiko
