Message ID | 20190301194921.2856705-1-kafai@fb.com |
---|---|
State | Changes Requested |
Delegated to: | BPF Maintainers |
Series | Fix bpf_tcp_sock and bpf_sk_fullsock issue related to bpf_sk_release |
> On Mar 1, 2019, at 11:49 AM, Martin KaFai Lau <kafai@fb.com> wrote:
>
> Adding verifier tests to ensure the ptr returned from
> bpf_tcp_sock() and bpf_sk_fullsock() cannot be accessed
> after bpf_sk_release() is called. It is derived from a
> reproducer test from Lorenz Bauer.
>
> Cc: Lorenz Bauer <lmb@cloudflare.com>
> Signed-off-by: Martin KaFai Lau <kafai@fb.com>

Acked-by: Song Liu <songliubraving@fb.com>

> --- > .../selftests/bpf/verifier/ref_tracking.c | 73 +++++++++++++++++++ > 1 file changed, 73 insertions(+) > > diff --git a/tools/testing/selftests/bpf/verifier/ref_tracking.c b/tools/testing/selftests/bpf/verifier/ref_tracking.c > index 3ed3593bd8b6..9695f8e9b58b 100644 > --- a/tools/testing/selftests/bpf/verifier/ref_tracking.c > +++ b/tools/testing/selftests/bpf/verifier/ref_tracking.c 
> @@ -605,3 +605,76 @@ > .prog_type = BPF_PROG_TYPE_SCHED_CLS, > .result = ACCEPT, > }, > +{ > + "reference tracking: use ptr from bpf_tcp_sock() after release", > + .insns = { > + BPF_SK_LOOKUP, > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), > + BPF_EMIT_CALL(BPF_FUNC_tcp_sock), > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), > + BPF_EMIT_CALL(BPF_FUNC_sk_release), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), > + BPF_EMIT_CALL(BPF_FUNC_sk_release), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_tcp_sock, snd_cwnd)), > + BPF_EXIT_INSN(), > + }, > + .prog_type = BPF_PROG_TYPE_SCHED_CLS, > + .result = REJECT, > + .errstr = "invalid mem access", > +}, > +{ > + "reference tracking: use ptr from bpf_sk_fullsock() after release", > + .insns = { > + BPF_SK_LOOKUP, > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), > + BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), > + BPF_EMIT_CALL(BPF_FUNC_sk_release), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), > + BPF_EMIT_CALL(BPF_FUNC_sk_release), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_sock, type)), > + BPF_EXIT_INSN(), > + }, > + .prog_type = BPF_PROG_TYPE_SCHED_CLS, > + .result = REJECT, > + .errstr = "invalid mem access", > +}, > +{ > + "reference tracking: use ptr from bpf_sk_fullsock(tp) after release", > + .insns = { > + BPF_SK_LOOKUP, > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), > + BPF_EMIT_CALL(BPF_FUNC_tcp_sock), > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), > + 
BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), > + BPF_EMIT_CALL(BPF_FUNC_sk_release), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), > + BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), > + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), > + BPF_EMIT_CALL(BPF_FUNC_sk_release), > + BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1), > + BPF_EXIT_INSN(), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)), > + BPF_EXIT_INSN(), > + }, > + .prog_type = BPF_PROG_TYPE_SCHED_CLS, > + .result = REJECT, > + .errstr = "invalid mem access", > +}, > -- > 2.17.1 >
diff --git a/tools/testing/selftests/bpf/verifier/ref_tracking.c b/tools/testing/selftests/bpf/verifier/ref_tracking.c index 3ed3593bd8b6..9695f8e9b58b 100644 --- a/tools/testing/selftests/bpf/verifier/ref_tracking.c +++ b/tools/testing/selftests/bpf/verifier/ref_tracking.c 
@@ -605,3 +605,76 @@ .prog_type = BPF_PROG_TYPE_SCHED_CLS, .result = ACCEPT, }, +{ + "reference tracking: use ptr from bpf_tcp_sock() after release", + .insns = { + BPF_SK_LOOKUP, + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), + BPF_EMIT_CALL(BPF_FUNC_tcp_sock), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_EMIT_CALL(BPF_FUNC_sk_release), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_EMIT_CALL(BPF_FUNC_sk_release), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_tcp_sock, snd_cwnd)), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, + .result = REJECT, + .errstr = "invalid mem access", +}, +{ + "reference tracking: use ptr from bpf_sk_fullsock() after release", + .insns = { + BPF_SK_LOOKUP, + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), + BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_EMIT_CALL(BPF_FUNC_sk_release), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_EMIT_CALL(BPF_FUNC_sk_release), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_sock, type)), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, + .result = REJECT, + .errstr = "invalid mem access", +}, +{ + "reference tracking: use ptr from bpf_sk_fullsock(tp) after release", + .insns = { + BPF_SK_LOOKUP, + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), + BPF_EMIT_CALL(BPF_FUNC_tcp_sock), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_EMIT_CALL(BPF_FUNC_sk_release), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_1, 
BPF_REG_0), + BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + BPF_EMIT_CALL(BPF_FUNC_sk_release), + BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1), + BPF_EXIT_INSN(), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, + .result = REJECT, + .errstr = "invalid mem access", +},
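Review bot: in the third entry ("use ptr from bpf_sk_fullsock(tp) after release") BPF_REG_6 first holds the sk from BPF_SK_LOOKUP and is then overwritten with the bpf_sk_fullsock() result right before the bpf_sk_release() call, and nothing in the entry says so. A one-line comment at `BPF_MOV64_REG(BPF_REG_6, BPF_REG_0)` would make it clear that the final BPF_LDX_MEM reads through the derived pointer and not through the released sk. Separately, all three entries match only on `.errstr = "invalid mem access"`, which does not tie the rejection to the load that follows the release; if the verifier message names the register, matching on it as well (BPF_REG_7 in the first two entries, BPF_REG_6 in the third) would keep a test from passing on an unrelated rejection earlier in the program. The hunk adds only REJECT cases, so a companion entry that performs the same load before bpf_sk_release() and expects ACCEPT would also guard against the pointer being invalidated too early.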
Adding verifier tests to ensure the ptr returned from bpf_tcp_sock() and bpf_sk_fullsock() cannot be accessed after bpf_sk_release() is called. It is derived from a reproducer test from Lorenz Bauer.

Cc: Lorenz Bauer <lmb@cloudflare.com>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>

---
 .../selftests/bpf/verifier/ref_tracking.c | 73 +++++++++++++++++++
 1 file changed, 73 insertions(+)