@@ -43,6 +43,7 @@ bpf_prog02 bpf_prog02
bpf_prog03 bpf_prog03
bpf_prog04 bpf_prog04
bpf_prog05 bpf_prog05
+bpf_prog06 bpf_prog06
brk01 brk01
brk02 brk02
@@ -4,3 +4,4 @@ bpf_prog02
bpf_prog03
bpf_prog04
bpf_prog05
+bpf_prog06
new file mode 100644
@@ -0,0 +1,158 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (c) 2022 SUSE LLC <rpalethorpe@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * ringbuf_submit takes a pointer to a ringbuf record, but not the
+ * size of this record. The verifier only validates offset ptrs[1] passed
+ * to functions if the function has a size parameter. So we can
+ * perform a wide range of ptr arithmetic on this record ptr.
+ *
+ * ringbuf_submit updates some data (i.e. the length) in the
+ * ringbuf header which is calculated from the record ptr. So this can
+ * be used to corrupt memory.
+ *
+ * This test does not try to cause a crash. Howver it does run the
+ * eBPF if it can. This will result in an instant crash or memory
+ * corruption which may later cause a crash.
+ *
+ * This test is adapted from a full reproducer which can be found here:
+ * https://github.com/tr3ee/CVE-2021-4204
+ *
+ * It's recommended to disable unprivileged eBPF by setting
+ * /proc/sys/kernel/unprivileged_bpf_disabled. Also there is a
+ * specific fix for this issue:
+ *
+ * commit 64620e0a1e712a778095bd35cbb277dc2259281f
+ * Author: Daniel Borkmann <daniel@iogearbox.net>
+ * Date: Tue Jan 11 14:43:41 2022 +0000
+ *
+ * bpf: Fix out of bounds access for ringbuf helpers
+ *
+ * [1]: Depending on the ptr/reg type
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <inttypes.h>
+
+#include "config.h"
+#include "tst_test.h"
+#include "tst_taint.h"
+#include "tst_capability.h"
+#include "lapi/bpf.h"
+#include "bpf_common.h"
+
+#define BUFSIZE 8192
+
+static const char MSG[] = "Ahoj!";
+static char *msg;
+
+static int map_fd;
+static uint32_t *key;
+static uint64_t *val;
+static char *log;
+static union bpf_attr *attr;
+
+static int load_prog(void)
+{
+ int ret;
+ const struct bpf_insn prog_insn[] = {
+ // r0 = bpf_ringbuf_reserve(ctx->ringbuf_fd, 0xff0, 0)
+ BPF_LD_MAP_FD(BPF_REG_1, map_fd),
+ BPF_MOV64_IMM(BPF_REG_2, 0xff0),
+ BPF_MOV64_IMM(BPF_REG_3, 0x00),
+ BPF_EMIT_CALL(BPF_FUNC_ringbuf_reserve),
+
+ // if (r0 == NULL) exit(2)
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+
+ // r0 = BPF_FUNC_ringbuf_submit(r0-(0x3008-0x38), BPF_RB_NO_WAKEUP)
+ BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, (0x3008-0x38)),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+ BPF_MOV64_IMM(BPF_REG_2, 1),
+ BPF_EMIT_CALL(BPF_FUNC_ringbuf_submit),
+
+ /* exit(0) */
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN()
+ };
+
+ bpf_init_prog_attr(attr, prog_insn, sizeof(prog_insn), log, BUFSIZE);
+
+ ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
+ TST_RETVAL_GE0);
+
+ if (ret >= 0)
+ return ret;
+
+ if (ret != -1)
+ tst_brk(TBROK, "Invalid bpf() return value: %d", ret);
+
+ if (log[0] != 0)
+ tst_printf("%s\n", log);
+
+ return ret;
+}
+
+static void setup(void)
+{
+ rlimit_bump_memlock();
+ memcpy(msg, MSG, sizeof(MSG));
+}
+
+static void run(void)
+{
+ int prog_fd;
+
+ map_fd = bpf_map_create(&(union bpf_attr){
+ .map_type = BPF_MAP_TYPE_RINGBUF,
+ .key_size = 0,
+ .value_size = 0,
+ .max_entries = getpagesize()
+ });
+
+ tst_res(TINFO, "Trying to load eBPF with OOB write");
+ prog_fd = load_prog();
+ if (prog_fd == -1) {
+ tst_res(TPASS, "Failed verification");
+ return;
+ }
+
+ tst_res(TFAIL, "Loaded program with OOB write");
+ tst_res(TINFO, "Running eBPF with OOB");
+ bpf_run_prog(prog_fd, msg, sizeof(MSG));
+ tst_res(TINFO, "Ran eBPF");
+
+ SAFE_CLOSE(prog_fd);
+}
+
+static struct tst_test test = {
+ .setup = setup,
+ .test_all = run,
+ .min_kver = "5.8",
+ .taint_check = TST_TAINT_W | TST_TAINT_D,
+ .caps = (struct tst_cap []) {
+ TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
+ TST_CAP(TST_CAP_DROP, CAP_BPF),
+ {}
+ },
+ .bufs = (struct tst_buffers []) {
+ {&key, .size = sizeof(*key)},
+ {&val, .size = sizeof(*val)},
+ {&log, .size = BUFSIZE},
+ {&attr, .size = sizeof(*attr)},
+ {&msg, .size = sizeof(MSG)},
+ {}
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "64620e0a1e71"},
+ {"CVE", "CVE-2021-4204"},
+ {}
+ }
+};
Fixes: #944 Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com> --- runtest/syscalls | 1 + testcases/kernel/syscalls/bpf/.gitignore | 1 + testcases/kernel/syscalls/bpf/bpf_prog06.c | 158 +++++++++++++++++++++ 3 files changed, 160 insertions(+) create mode 100644 testcases/kernel/syscalls/bpf/bpf_prog06.c