Skip to content

Commit 06be086

Browse files
borkmannAlexei Starovoitov
borkmann
authored and
Alexei Starovoitov
committed
bpf: test case for map pointer poison with calls/branches
Add several test cases where the same or different map pointers originate from different paths in the program and execute a map lookup or tail call at a common location. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Song Liu <songliubraving@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
1 parent 25c1013 commit 06be086

File tree

3 files changed

+178
-27
lines changed

3 files changed

+178
-27
lines changed

include/linux/filter.h

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -289,6 +289,16 @@ struct xdp_buff;
289289
.off = OFF, \
290290
.imm = 0 })
291291

292+
/* Relative call */
293+
294+
#define BPF_CALL_REL(TGT) \
295+
((struct bpf_insn) { \
296+
.code = BPF_JMP | BPF_CALL, \
297+
.dst_reg = 0, \
298+
.src_reg = BPF_PSEUDO_CALL, \
299+
.off = 0, \
300+
.imm = TGT })
301+
292302
/* Function call */
293303

294304
#define BPF_EMIT_CALL(FUNC) \

tools/include/linux/filter.h

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -263,6 +263,16 @@
263263
#define BPF_LD_MAP_FD(DST, MAP_FD) \
264264
BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
265265

266+
/* Relative call */
267+
268+
#define BPF_CALL_REL(TGT) \
269+
((struct bpf_insn) { \
270+
.code = BPF_JMP | BPF_CALL, \
271+
.dst_reg = 0, \
272+
.src_reg = BPF_PSEUDO_CALL, \
273+
.off = 0, \
274+
.imm = TGT })
275+
266276
/* Program exit */
267277

268278
#define BPF_EXIT_INSN() \

tools/testing/selftests/bpf/test_verifier.c

Lines changed: 158 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -50,7 +50,7 @@
5050

5151
#define MAX_INSNS BPF_MAXINSNS
5252
#define MAX_FIXUPS 8
53-
#define MAX_NR_MAPS 4
53+
#define MAX_NR_MAPS 7
5454
#define POINTER_VALUE 0xcafe4all
5555
#define TEST_DATA_LEN 64
5656

@@ -66,7 +66,9 @@ struct bpf_test {
6666
int fixup_map1[MAX_FIXUPS];
6767
int fixup_map2[MAX_FIXUPS];
6868
int fixup_map3[MAX_FIXUPS];
69-
int fixup_prog[MAX_FIXUPS];
69+
int fixup_map4[MAX_FIXUPS];
70+
int fixup_prog1[MAX_FIXUPS];
71+
int fixup_prog2[MAX_FIXUPS];
7072
int fixup_map_in_map[MAX_FIXUPS];
7173
const char *errstr;
7274
const char *errstr_unpriv;
@@ -2769,7 +2771,7 @@ static struct bpf_test tests[] = {
27692771
BPF_MOV64_IMM(BPF_REG_0, 0),
27702772
BPF_EXIT_INSN(),
27712773
},
2772-
.fixup_prog = { 1 },
2774+
.fixup_prog1 = { 1 },
27732775
.errstr_unpriv = "R3 leaks addr into helper",
27742776
.result_unpriv = REJECT,
27752777
.result = ACCEPT,
@@ -2856,7 +2858,7 @@ static struct bpf_test tests[] = {
28562858
BPF_MOV64_IMM(BPF_REG_0, 1),
28572859
BPF_EXIT_INSN(),
28582860
},
2859-
.fixup_prog = { 1 },
2861+
.fixup_prog1 = { 1 },
28602862
.result = ACCEPT,
28612863
.retval = 42,
28622864
},
@@ -2870,7 +2872,7 @@ static struct bpf_test tests[] = {
28702872
BPF_MOV64_IMM(BPF_REG_0, 1),
28712873
BPF_EXIT_INSN(),
28722874
},
2873-
.fixup_prog = { 1 },
2875+
.fixup_prog1 = { 1 },
28742876
.result = ACCEPT,
28752877
.retval = 41,
28762878
},
@@ -2884,7 +2886,7 @@ static struct bpf_test tests[] = {
28842886
BPF_MOV64_IMM(BPF_REG_0, 1),
28852887
BPF_EXIT_INSN(),
28862888
},
2887-
.fixup_prog = { 1 },
2889+
.fixup_prog1 = { 1 },
28882890
.result = ACCEPT,
28892891
.retval = 1,
28902892
},
@@ -2898,7 +2900,7 @@ static struct bpf_test tests[] = {
28982900
BPF_MOV64_IMM(BPF_REG_0, 2),
28992901
BPF_EXIT_INSN(),
29002902
},
2901-
.fixup_prog = { 1 },
2903+
.fixup_prog1 = { 1 },
29022904
.result = ACCEPT,
29032905
.retval = 2,
29042906
},
@@ -2912,7 +2914,7 @@ static struct bpf_test tests[] = {
29122914
BPF_MOV64_IMM(BPF_REG_0, 2),
29132915
BPF_EXIT_INSN(),
29142916
},
2915-
.fixup_prog = { 1 },
2917+
.fixup_prog1 = { 1 },
29162918
.result = ACCEPT,
29172919
.retval = 2,
29182920
},
@@ -2926,7 +2928,7 @@ static struct bpf_test tests[] = {
29262928
BPF_MOV64_IMM(BPF_REG_0, 2),
29272929
BPF_EXIT_INSN(),
29282930
},
2929-
.fixup_prog = { 2 },
2931+
.fixup_prog1 = { 2 },
29302932
.result = ACCEPT,
29312933
.retval = 42,
29322934
},
@@ -11681,6 +11683,112 @@ static struct bpf_test tests[] = {
1168111683
.result = REJECT,
1168211684
.prog_type = BPF_PROG_TYPE_XDP,
1168311685
},
11686+
{
11687+
"calls: two calls returning different map pointers for lookup (hash, array)",
11688+
.insns = {
11689+
/* main prog */
11690+
BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11691+
BPF_CALL_REL(11),
11692+
BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11693+
BPF_CALL_REL(12),
11694+
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11695+
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11696+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11697+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11698+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11699+
BPF_FUNC_map_lookup_elem),
11700+
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11701+
BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11702+
offsetof(struct test_val, foo)),
11703+
BPF_MOV64_IMM(BPF_REG_0, 1),
11704+
BPF_EXIT_INSN(),
11705+
/* subprog 1 */
11706+
BPF_LD_MAP_FD(BPF_REG_0, 0),
11707+
BPF_EXIT_INSN(),
11708+
/* subprog 2 */
11709+
BPF_LD_MAP_FD(BPF_REG_0, 0),
11710+
BPF_EXIT_INSN(),
11711+
},
11712+
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11713+
.fixup_map2 = { 13 },
11714+
.fixup_map4 = { 16 },
11715+
.result = ACCEPT,
11716+
.retval = 1,
11717+
},
11718+
{
11719+
"calls: two calls returning different map pointers for lookup (hash, map in map)",
11720+
.insns = {
11721+
/* main prog */
11722+
BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11723+
BPF_CALL_REL(11),
11724+
BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11725+
BPF_CALL_REL(12),
11726+
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11727+
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11728+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11729+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11730+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11731+
BPF_FUNC_map_lookup_elem),
11732+
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11733+
BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11734+
offsetof(struct test_val, foo)),
11735+
BPF_MOV64_IMM(BPF_REG_0, 1),
11736+
BPF_EXIT_INSN(),
11737+
/* subprog 1 */
11738+
BPF_LD_MAP_FD(BPF_REG_0, 0),
11739+
BPF_EXIT_INSN(),
11740+
/* subprog 2 */
11741+
BPF_LD_MAP_FD(BPF_REG_0, 0),
11742+
BPF_EXIT_INSN(),
11743+
},
11744+
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11745+
.fixup_map_in_map = { 16 },
11746+
.fixup_map4 = { 13 },
11747+
.result = REJECT,
11748+
.errstr = "R0 invalid mem access 'map_ptr'",
11749+
},
11750+
{
11751+
"cond: two branches returning different map pointers for lookup (tail, tail)",
11752+
.insns = {
11753+
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11754+
offsetof(struct __sk_buff, mark)),
11755+
BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11756+
BPF_LD_MAP_FD(BPF_REG_2, 0),
11757+
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11758+
BPF_LD_MAP_FD(BPF_REG_2, 0),
11759+
BPF_MOV64_IMM(BPF_REG_3, 7),
11760+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11761+
BPF_FUNC_tail_call),
11762+
BPF_MOV64_IMM(BPF_REG_0, 1),
11763+
BPF_EXIT_INSN(),
11764+
},
11765+
.fixup_prog1 = { 5 },
11766+
.fixup_prog2 = { 2 },
11767+
.result_unpriv = REJECT,
11768+
.errstr_unpriv = "tail_call abusing map_ptr",
11769+
.result = ACCEPT,
11770+
.retval = 42,
11771+
},
11772+
{
11773+
"cond: two branches returning same map pointers for lookup (tail, tail)",
11774+
.insns = {
11775+
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11776+
offsetof(struct __sk_buff, mark)),
11777+
BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11778+
BPF_LD_MAP_FD(BPF_REG_2, 0),
11779+
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11780+
BPF_LD_MAP_FD(BPF_REG_2, 0),
11781+
BPF_MOV64_IMM(BPF_REG_3, 7),
11782+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11783+
BPF_FUNC_tail_call),
11784+
BPF_MOV64_IMM(BPF_REG_0, 1),
11785+
BPF_EXIT_INSN(),
11786+
},
11787+
.fixup_prog2 = { 2, 5 },
11788+
.result_unpriv = ACCEPT,
11789+
.result = ACCEPT,
11790+
.retval = 42,
11791+
},
1168411792
{
1168511793
"search pruning: all branches should be verified (nop operation)",
1168611794
.insns = {
@@ -12162,12 +12270,13 @@ static int probe_filter_length(const struct bpf_insn *fp)
1216212270
return len + 1;
1216312271
}
1216412272

12165-
static int create_map(uint32_t size_value, uint32_t max_elem)
12273+
static int create_map(uint32_t type, uint32_t size_key,
12274+
uint32_t size_value, uint32_t max_elem)
1216612275
{
1216712276
int fd;
1216812277

12169-
fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12170-
size_value, max_elem, BPF_F_NO_PREALLOC);
12278+
fd = bpf_create_map(type, size_key, size_value, max_elem,
12279+
type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
1217112280
if (fd < 0)
1217212281
printf("Failed to create hash map '%s'!\n", strerror(errno));
1217312282

@@ -12200,13 +12309,13 @@ static int create_prog_dummy2(int mfd, int idx)
1220012309
ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
1220112310
}
1220212311

12203-
static int create_prog_array(void)
12312+
static int create_prog_array(uint32_t max_elem, int p1key)
1220412313
{
12205-
int p1key = 0, p2key = 1;
12314+
int p2key = 1;
1220612315
int mfd, p1fd, p2fd;
1220712316

1220812317
mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12209-
sizeof(int), 4, 0);
12318+
sizeof(int), max_elem, 0);
1221012319
if (mfd < 0) {
1221112320
printf("Failed to create prog array '%s'!\n", strerror(errno));
1221212321
return -1;
@@ -12261,7 +12370,9 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
1226112370
int *fixup_map1 = test->fixup_map1;
1226212371
int *fixup_map2 = test->fixup_map2;
1226312372
int *fixup_map3 = test->fixup_map3;
12264-
int *fixup_prog = test->fixup_prog;
12373+
int *fixup_map4 = test->fixup_map4;
12374+
int *fixup_prog1 = test->fixup_prog1;
12375+
int *fixup_prog2 = test->fixup_prog2;
1226512376
int *fixup_map_in_map = test->fixup_map_in_map;
1226612377

1226712378
if (test->fill_helper)
@@ -12272,41 +12383,61 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
1227212383
* that really matters is value size in this case.
1227312384
*/
1227412385
if (*fixup_map1) {
12275-
map_fds[0] = create_map(sizeof(long long), 1);
12386+
map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12387+
sizeof(long long), 1);
1227612388
do {
1227712389
prog[*fixup_map1].imm = map_fds[0];
1227812390
fixup_map1++;
1227912391
} while (*fixup_map1);
1228012392
}
1228112393

1228212394
if (*fixup_map2) {
12283-
map_fds[1] = create_map(sizeof(struct test_val), 1);
12395+
map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12396+
sizeof(struct test_val), 1);
1228412397
do {
1228512398
prog[*fixup_map2].imm = map_fds[1];
1228612399
fixup_map2++;
1228712400
} while (*fixup_map2);
1228812401
}
1228912402

1229012403
if (*fixup_map3) {
12291-
map_fds[1] = create_map(sizeof(struct other_val), 1);
12404+
map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12405+
sizeof(struct other_val), 1);
1229212406
do {
12293-
prog[*fixup_map3].imm = map_fds[1];
12407+
prog[*fixup_map3].imm = map_fds[2];
1229412408
fixup_map3++;
1229512409
} while (*fixup_map3);
1229612410
}
1229712411

12298-
if (*fixup_prog) {
12299-
map_fds[2] = create_prog_array();
12412+
if (*fixup_map4) {
12413+
map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12414+
sizeof(struct test_val), 1);
12415+
do {
12416+
prog[*fixup_map4].imm = map_fds[3];
12417+
fixup_map4++;
12418+
} while (*fixup_map4);
12419+
}
12420+
12421+
if (*fixup_prog1) {
12422+
map_fds[4] = create_prog_array(4, 0);
12423+
do {
12424+
prog[*fixup_prog1].imm = map_fds[4];
12425+
fixup_prog1++;
12426+
} while (*fixup_prog1);
12427+
}
12428+
12429+
if (*fixup_prog2) {
12430+
map_fds[5] = create_prog_array(8, 7);
1230012431
do {
12301-
prog[*fixup_prog].imm = map_fds[2];
12302-
fixup_prog++;
12303-
} while (*fixup_prog);
12432+
prog[*fixup_prog2].imm = map_fds[5];
12433+
fixup_prog2++;
12434+
} while (*fixup_prog2);
1230412435
}
1230512436

1230612437
if (*fixup_map_in_map) {
12307-
map_fds[3] = create_map_in_map();
12438+
map_fds[6] = create_map_in_map();
1230812439
do {
12309-
prog[*fixup_map_in_map].imm = map_fds[3];
12440+
prog[*fixup_map_in_map].imm = map_fds[6];
1231012441
fixup_map_in_map++;
1231112442
} while (*fixup_map_in_map);
1231212443
}

0 commit comments

Comments
 (0)