On Tue, Jul 28, 2020 at 3:18 PM Yonghong Song <yhs@xxxxxx> wrote:
>
> Commit afbf21dce668 ("bpf: Support readonly/readwrite buffers
> in verifier") added readonly/readwrite buffer support which
> is currently used by bpf_iter tracing programs. It has
> a bug with incorrect parameter ordering which later fixed
> by Commit f6dfbe31e8fa ("bpf: Fix swapped arguments in calls
> to check_buffer_access").
>
> This patch added a test case with a negative offset access
> which will trigger the error path.
>
> Without Commit f6dfbe31e8fa, running the test case in the patch,
> the error message looks like:
> R1_w=rdwr_buf(id=0,off=0,imm=0) R10=fp0
> ; value_sum += *(__u32 *)(value - 4);
> 2: (61) r1 = *(u32 *)(r1 -4)
> R1 invalid (null) buffer access: off=-4, size=4
>
> With the above commit, the error message looks like:
> R1_w=rdwr_buf(id=0,off=0,imm=0) R10=fp0
> ; value_sum += *(__u32 *)(value - 4);
> 2: (61) r1 = *(u32 *)(r1 -4)
> R1 invalid rdwr buffer access: off=-4, size=4
>
> Signed-off-by: Yonghong Song <yhs@xxxxxx>
Acked-by: Song Liu <songliubraving@xxxxxx>
> ---
> .../selftests/bpf/prog_tests/bpf_iter.c | 13 ++++++++++++
> .../selftests/bpf/progs/bpf_iter_test_kern6.c | 21 +++++++++++++++++++
> 2 files changed, 34 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/progs/bpf_iter_test_kern6.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c
> index d95de80b1851..4ffefdc1130f 100644
> --- a/tools/testing/selftests/bpf/prog_tests/bpf_iter.c
> +++ b/tools/testing/selftests/bpf/prog_tests/bpf_iter.c
> @@ -21,6 +21,7 @@
> #include "bpf_iter_bpf_percpu_array_map.skel.h"
> #include "bpf_iter_bpf_sk_storage_map.skel.h"
> #include "bpf_iter_test_kern5.skel.h"
> +#include "bpf_iter_test_kern6.skel.h"
>
> static int duration;
>
> @@ -885,6 +886,16 @@ static void test_rdonly_buf_out_of_bound(void)
> bpf_iter_test_kern5__destroy(skel);
> }
>
> +static void test_buf_neg_offset(void)
> +{
> + struct bpf_iter_test_kern6 *skel;
> +
> + skel = bpf_iter_test_kern6__open_and_load();
> + if (CHECK(skel, "bpf_iter_test_kern6__open_and_load",
> + "skeleton open_and_load unexpected success\n"))
> + bpf_iter_test_kern6__destroy(skel);
> +}
> +
> void test_bpf_iter(void)
> {
> if (test__start_subtest("btf_id_or_null"))
> @@ -933,4 +944,6 @@ void test_bpf_iter(void)
> test_bpf_sk_storage_map();
> if (test__start_subtest("rdonly-buf-out-of-bound"))
> test_rdonly_buf_out_of_bound();
> + if (test__start_subtest("buf-neg-offset"))
> + test_buf_neg_offset();
> }
> diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_test_kern6.c b/tools/testing/selftests/bpf/progs/bpf_iter_test_kern6.c
> new file mode 100644
> index 000000000000..1c7304f56b1e
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/bpf_iter_test_kern6.c
> @@ -0,0 +1,21 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2020 Facebook */
> +#include "bpf_iter.h"
> +#include <bpf/bpf_helpers.h>
> +
> +char _license[] SEC("license") = "GPL";
> +
> +__u32 value_sum = 0;
> +
> +SEC("iter/bpf_map_elem")
> +int dump_bpf_hash_map(struct bpf_iter__bpf_map_elem *ctx)
> +{
> + void *value = ctx->value;
> +
> + if (value == (void *)0)
> + return 0;
> +
> + /* negative offset, verifier failure. */
> + value_sum += *(__u32 *)(value - 4);
> + return 0;
> +}
> --
> 2.24.1
>
