On Sat, Feb 19, 2022 at 6:31 PM Kumar Kartikeya Dwivedi
<memxor@xxxxxxxxx> wrote:
>
> This test tries to pass a PTR_TO_BTF_ID_OR_NULL to the release function,
> which would trigger a out of bounds access without the fix in commit
> 45ce4b4f9009 ("bpf: Fix crash due to out of bounds access into reg2btf_ids.")
> but after the fix, it should only index using base_type(reg->type),
> which should be less than __BPF_REG_TYPE_MAX, and also not permit any
> type flags to be set for the reg->type.
>
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> ---
> tools/testing/selftests/bpf/verifier/calls.c | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c
> index 829be2b9e08e..0a8ea60c2a80 100644
> --- a/tools/testing/selftests/bpf/verifier/calls.c
> +++ b/tools/testing/selftests/bpf/verifier/calls.c
> @@ -96,6 +96,25 @@
> { "bpf_kfunc_call_test_mem_len_fail1", 2 },
> },
> },
> +{
> + "calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX",
> + .insns = {
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
> + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
> + BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_SCHED_CLS,
> + .result = REJECT,
> + .errstr = "arg#0 pointer type STRUCT prog_test_ref_kfunc must point",
Why do we stop errstr at "must point"?
> + .fixup_kfunc_btf_id = {
> + { "bpf_kfunc_call_test_acquire", 3 },
> + { "bpf_kfunc_call_test_release", 5 },
> + },
> +},
> {
> "calls: basic sanity",
> .insns = {
> --
> 2.35.1
>
