Re: [PATCH bpf-next] bpf: add test cases for non-pointer sanitiation logic

Daniel Borkmann <daniel@xxxxxxxxxxxxx> · Sat, 2 Mar 2019 00:27:15 +0100

On 03/02/2019 12:22 AM, Song Liu wrote:
> On Fri, Mar 1, 2019 at 1:10 PM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>>
>> Add two additional tests for further asserting the
>> BPF_ALU_NON_POINTER logic with cases that were missed
>> previously.
>>
>> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
>> Cc: Marek Majkowski <marek@xxxxxxxxxxxxxx>
>> Cc: Arthur Fabre <afabre@xxxxxxxxxxxxxx>
>> ---
>>  .../selftests/bpf/verifier/value_ptr_arith.c  | 44 ++++++++++++++++++-
>>  1 file changed, 43 insertions(+), 1 deletion(-)
>>
>> diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
>> index 4b721a77bebb..c3de1a2c9dc5 100644
>> --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
>> +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
>> @@ -173,7 +173,7 @@
>>         .retval = 0,
>>  },
>>  {
>> -       "sanitation: alu with different scalars",
>> +       "sanitation: alu with different scalars 1",
>>         .insns = {
>>         BPF_MOV64_IMM(BPF_REG_0, 1),
>>         BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
>> @@ -198,6 +198,48 @@
>>         .result = ACCEPT,
>>         .retval = 0x100000,
>>  },
>> +{
>> +       "sanitation: alu with different scalars 2",
>> +       .insns = {
>> +       BPF_MOV64_IMM(BPF_REG_0, 1),
>> +       BPF_LD_MAP_FD(BPF_REG_1, 0),
>> +       BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
>> +       BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
>> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
>> +       BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
>> +       BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
>> +       BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
>> +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
>> +       BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
>> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
>> +       BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
>> +       BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
>> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
>> +       BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
>> +       BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
>> +       BPF_EXIT_INSN(),
>> +       },
>> +       .fixup_map_array_48b = { 1 },
>> +       .result = ACCEPT,
>> +       .retval = -EINVAL * 2,
> 
> Why "-EINVAL * 2" here?

This is array map so deletion will return -EINVAL, basically I
wanted to get a test case under socket filters where helper
returns a stable value which is then unknown scalar to do some
alu64 op with where sanitation logic triggers. So map_delete_elem()
came in handy for that test.

Thanks,
Daniel