Re: [PATCH bpf-next 2/3] bpf/selftests: add bpf_get_task_stack retval bounds verifier test

> On Apr 15, 2021, at 7:55 PM, Dave Marchevsky <davemarchevsky@xxxxxx> wrote:
> 
> Add a bpf_iter test which feeds bpf_get_task_stack's return value into
> seq_write after confirming it's positive. No attempt to bound the value
> from above is made.
> 
> Load will fail if verifier does not refine retval range based on
> buf sz input to bpf_get_task_stack.
> 
> Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx>

Acked-by: Song Liu <songliubraving@xxxxxx>

> ---
> .../selftests/bpf/verifier/bpf_get_stack.c    | 43 +++++++++++++++++++
> 1 file changed, 43 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/verifier/bpf_get_stack.c b/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
> index 69b048cf46d9..0e8299c043d4 100644
> --- a/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
> +++ b/tools/testing/selftests/bpf/verifier/bpf_get_stack.c
> @@ -42,3 +42,46 @@
> 	.result = ACCEPT,
> 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
> },
> +{
> +	"bpf_get_task_stack return R0 range is refined",
> +	.insns = {
> +	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
> +	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_6, 0), // ctx->meta->seq
> +	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_1, 8), // ctx->task
> +	BPF_LD_MAP_FD(BPF_REG_1, 0), // fixup_map_array_48b
> +	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
> +	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
> +	BPF_MOV64_IMM(BPF_REG_0, 0),
> +	BPF_EXIT_INSN(),
> +	BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0, 2),
> +	BPF_MOV64_IMM(BPF_REG_0, 0),
> +	BPF_EXIT_INSN(),
> +
> +	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
> +	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
> +	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), // keep buf for seq_write
> +	BPF_MOV64_IMM(BPF_REG_3, 48),
> +	BPF_MOV64_IMM(BPF_REG_4, 0),
> +	BPF_EMIT_CALL(BPF_FUNC_get_task_stack),
> +	BPF_JMP_IMM(BPF_JSGT, BPF_REG_0, 0, 2),
> +	BPF_MOV64_IMM(BPF_REG_0, 0),
> +	BPF_EXIT_INSN(),
> +
> +	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> +	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
> +	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
> +	BPF_EMIT_CALL(BPF_FUNC_seq_write),
> +
> +	BPF_MOV64_IMM(BPF_REG_0, 0),
> +	BPF_EXIT_INSN(),
> +	},
> +	.result = ACCEPT,
> +	.prog_type = BPF_PROG_TYPE_TRACING,
> +	.expected_attach_type = BPF_TRACE_ITER,
> +	.kfunc = "task",
> +	.runs = -1, // Don't run, just load
> +	.fixup_map_array_48b = { 3 },
> +},
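
Review bot: the size passed in `BPF_MOV64_IMM(BPF_REG_3, 48)` before the `BPF_FUNC_get_task_stack` call is a bare constant that has to agree with the value size of `fixup_map_array_48b`, and nothing in the test says so. Since the `BPF_JSGT` check only establishes R0 > 0, the upper bound on R3 for `BPF_FUNC_seq_write` is expected to come entirely from that argument; a short comment on the `48` line tying it to the map value size would make the intent of the test readable without the commit message. The trailing comments also use `//`; `/* */` is the usual kernel form.
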
> -- 
> 2.30.2
> 




