Message ID | 1486054838-5072-1-git-send-email-jbacik@fb.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Headers | show |
On 2/2/17 9:00 AM, Josef Bacik wrote: > These two tests are based on the work done for f23cc643f9ba. The first test is > just a basic one to make sure we don't allow AND'ing negative values, even if it > would result in a valid index for the array. The second is a cleaned up version > of the original testcase provided by Jann Horn that resulted in the commit. > > Signed-off-by: Josef Bacik <jbacik@fb.com> Thanks for the tests! Much appreciated. > diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c > index 853d7e4..44404f1 100644 > --- a/tools/testing/selftests/bpf/test_verifier.c > +++ b/tools/testing/selftests/bpf/test_verifier.c > @@ -2905,6 +2905,61 @@ static struct bpf_test tests[] = { > .result = REJECT, > .errstr = "invalid bpf_context access", > }, > + { > + "invalid and of negative number", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), > + BPF_MOV64_IMM(BPF_REG_1, 6), > + BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), > + BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), > + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), > + BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, > + offsetof(struct test_val, foo)), > + BPF_EXIT_INSN(), > + }, > + .fixup_map2 = { 3 }, > + .errstr_unpriv = "R0 pointer arithmetic prohibited", > + .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", the errstr doesn't have to compare the whole string. In case we find typos or adjust the hint message, we'd need to change the test as well, but I see it's being used as-is in other tests already, so we'll fix all of them at once when time comes. Acked-by: Alexei Starovoitov <ast@kernel.org>
On 02/02/2017 06:00 PM, Josef Bacik wrote: > These two tests are based on the work done for f23cc643f9ba. The first test is > just a basic one to make sure we don't allow AND'ing negative values, even if it > would result in a valid index for the array. The second is a cleaned up version > of the original testcase provided by Jann Horn that resulted in the commit. > > Signed-off-by: Josef Bacik <jbacik@fb.com> Thanks for following up! Acked-by: Daniel Borkmann <daniel@iogearbox.net>
From: Josef Bacik <jbacik@fb.com> Date: Thu, 2 Feb 2017 12:00:38 -0500 > These two tests are based on the work done for f23cc643f9ba. The first test is > just a basic one to make sure we don't allow AND'ing negative values, even if it > would result in a valid index for the array. The second is a cleaned up version > of the original testcase provided by Jann Horn that resulted in the commit. > > Signed-off-by: Josef Bacik <jbacik@fb.com> This doesn't apply cleanly to net-next, please respin.
On Fri, 2017-02-03 at 16:03 -0500, David Miller wrote: > From: Josef Bacik <jbacik@fb.com> > Date: Thu, 2 Feb 2017 12:00:38 -0500 > > > > > These two tests are based on the work done for f23cc643f9ba. The > > first test is > > just a basic one to make sure we don't allow AND'ing negative > > values, even if it > > would result in a valid index for the array. The second is a > > cleaned up version > > of the original testcase provided by Jann Horn that resulted in the > > commit. > > > > Signed-off-by: Josef Bacik <jbacik@fb.com> > This doesn't apply cleanly to net-next, please respin. Ugh sorry did it on the wrong branch, I'll send an updated one shortly. Thanks, Josef
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 853d7e4..44404f1 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -2905,6 +2905,61 @@ static struct bpf_test tests[] = { .result = REJECT, .errstr = "invalid bpf_context access", }, + { + "invalid and of negative number", + .insns = { + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), + BPF_MOV64_IMM(BPF_REG_1, 6), + BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), + BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), + BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, + offsetof(struct test_val, foo)), + BPF_EXIT_INSN(), + }, + .fixup_map2 = { 3 }, + .errstr_unpriv = "R0 pointer arithmetic prohibited", + .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", + .result = REJECT, + .result_unpriv = REJECT, + }, + { + "invalid range check", + .insns = { + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, + BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), + BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), + BPF_MOV64_IMM(BPF_REG_9, 1), + BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), + BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), + BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), + BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), + BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), + BPF_MOV32_IMM(BPF_REG_3, 1), + BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), + BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), + BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), + BPF_MOV64_REG(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map2 = { 3 }, + .errstr_unpriv = "R0 pointer arithmetic prohibited", + .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", + .result = REJECT, + .result_unpriv = REJECT, + } }; static int probe_filter_length(const struct bpf_insn *fp)
These two tests are based on the work done for f23cc643f9ba. The first test is just a basic one to make sure we don't allow AND'ing negative values, even if it would result in a valid index for the array. The second is a cleaned up version of the original testcase provided by Jann Horn that resulted in the commit. Signed-off-by: Josef Bacik <jbacik@fb.com> --- tools/testing/selftests/bpf/test_verifier.c | 55 +++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+)