From: Frank van der Linden <fllinden@amazon.com>
To: <stable@vger.kernel.org>
Cc: <bpf@vger.kernel.org>, <daniel@iogearbox.net>
Subject: [PATCH v2 4.14 13/17] selftests/bpf: make 'dubious pointer arithmetic' test useful
Date: Mon, 31 May 2021 18:25:52 +0000 [thread overview]
Message-ID: <20210531182556.25277-14-fllinden@amazon.com> (raw)
In-Reply-To: <20210531182556.25277-1-fllinden@amazon.com>
From: Alexei Starovoitov <ast@kernel.org>
commit 31e95b61e172144bb2b626a291db1bdc0769275b upstream.
mostly revert the previous workaround and make
'dubious pointer arithmetic' test useful again.
Use (ptr - ptr) << const instead of ptr << const to generate large scalar.
The rest stays as before commit 2b36047e7889.
Fixes: 2b36047e7889 ("selftests/bpf: fix test_align")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[fllinden@amazon.com: adjust for 4.14 (no liveness of regs in output)]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
---
tools/testing/selftests/bpf/test_align.c | 30 ++++++++++++++++++------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/tools/testing/selftests/bpf/test_align.c b/tools/testing/selftests/bpf/test_align.c
index 471bbbdb94db..5d530c90779e 100644
--- a/tools/testing/selftests/bpf/test_align.c
+++ b/tools/testing/selftests/bpf/test_align.c
@@ -446,11 +446,9 @@ static struct bpf_align_test tests[] = {
.insns = {
PREP_PKT_POINTERS,
BPF_MOV64_IMM(BPF_REG_0, 0),
- /* ptr & const => unknown & const */
- BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
- BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 0x40),
- /* ptr << const => unknown << const */
- BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
+ /* (ptr - ptr) << 2 */
+ BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_5, BPF_REG_2),
BPF_ALU64_IMM(BPF_LSH, BPF_REG_5, 2),
/* We have a (4n) value. Let's make a packet offset
* out of it. First add 14, to make it a (4n+2)
@@ -473,8 +471,26 @@ static struct bpf_align_test tests[] = {
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
.result = REJECT,
.matches = {
- {4, "R5=pkt(id=0,off=0,r=0,imm=0)"},
- /* R5 bitwise operator &= on pointer prohibited */
+ {4, "R5=pkt_end(id=0,off=0,imm=0)"},
+ /* (ptr - ptr) << 2 == unknown, (4n) */
+ {6, "R5=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
+ /* (4n) + 14 == (4n+2). We blow our bounds, because
+ * the add could overflow.
+ */
+ {7, "R5=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
+ /* Checked s>=0 */
+ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
+ /* packet pointer + nonnegative (4n+2) */
+ {11, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
+ {13, "R4=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
+ /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
+ * We checked the bounds, but it might have been able
+ * to overflow if the packet pointer started in the
+ * upper half of the address space.
+ * So we did not get a 'range' on R6, and the access
+ * attempt will fail.
+ */
+ {15, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
}
},
{
--
2.23.4
next prev parent reply other threads:[~2021-05-31 18:26 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-31 18:25 [PATCH v2 4.14 00/16] CVE fixes and selftests cleanup Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 01/17] bpf, selftests: Fix up some test_verifier cases for unprivileged Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 02/17] bpf: Move off_reg into sanitize_ptr_alu Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 03/17] bpf: Ensure off_reg has no mixed signed bounds for all types Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 04/17] bpf: Rework ptr_limit into alu_limit and add common error path Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 05/17] bpf: Improve verifier error messages for users Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 06/17] bpf: Refactor and streamline bounds check into helper Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 07/17] bpf: Move sanitize_val_alu out of op switch Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 08/17] bpf: Tighten speculative pointer arithmetic mask Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 09/17] bpf: Update selftests to reflect new error states Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 10/17] bpf: do not allow root to mangle valid pointers Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 11/17] bpf/verifier: disallow pointer subtraction Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 12/17] selftests/bpf: fix test_align Frank van der Linden
2021-05-31 18:25 ` Frank van der Linden [this message]
2021-05-31 18:25 ` [PATCH v2 4.14 14/17] bpf: Fix leakage of uninitialized bpf stack under speculation Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 15/17] bpf: Wrap aux data inside bpf_sanitize_info container Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 16/17] bpf: Fix mask direction swap upon off reg sign change Frank van der Linden
2021-05-31 18:25 ` [PATCH v2 4.14 17/17] bpf: No need to simulate speculative domain for immediates Frank van der Linden
2021-06-08 14:48 ` [PATCH v2 4.14 00/16] CVE fixes and selftests cleanup Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210531182556.25277-14-fllinden@amazon.com \
--to=fllinden@amazon.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).