Re: [PATCH bpf-next] selftests/bpf: Add test for reg2btf_ids out of bounds access

On Tue, Feb 22, 2022 at 07:53:33AM IST, Song Liu wrote:
> On Sat, Feb 19, 2022 at 6:31 PM Kumar Kartikeya Dwivedi
> <memxor@xxxxxxxxx> wrote:
> >
> > This test tries to pass a PTR_TO_BTF_ID_OR_NULL to the release function,
> > which would trigger an out of bounds access without the fix in commit
> > 45ce4b4f9009 ("bpf: Fix crash due to out of bounds access into reg2btf_ids.")
> > but after the fix, it should only index using base_type(reg->type),
> > which should be less than __BPF_REG_TYPE_MAX, and also not permit any
> > type flags to be set for the reg->type.
> >
> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> > ---
> >  tools/testing/selftests/bpf/verifier/calls.c | 19 +++++++++++++++++++
> >  1 file changed, 19 insertions(+)
> >
> > diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c
> > index 829be2b9e08e..0a8ea60c2a80 100644
> > --- a/tools/testing/selftests/bpf/verifier/calls.c
> > +++ b/tools/testing/selftests/bpf/verifier/calls.c
> > @@ -96,6 +96,25 @@
> >                 { "bpf_kfunc_call_test_mem_len_fail1", 2 },
> >         },
> >  },
> > +{
> > +       "calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX",
> > +       .insns = {
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
> > +       BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> > +       BPF_EXIT_INSN(),
> > +       },
> > +       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
> > +       .result = REJECT,
> > +       .errstr = "arg#0 pointer type STRUCT prog_test_ref_kfunc must point",
>
> Why do we stop errstr at "must point"?
>

The complete string is too long, I think it matches using strncmp.

> > +       .fixup_kfunc_btf_id = {
> > +               { "bpf_kfunc_call_test_acquire", 3 },
> > +               { "bpf_kfunc_call_test_release", 5 },
> > +       },
> > +},
> >  {
> >         "calls: basic sanity",
> >         .insns = {
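Review bot: The test name ("reg->type > __BPF_REG_TYPE_MAX") and the shortened .errstr are not self-explanatory from the insns and would benefit from an inline comment. The program passes the return value of bpf_kfunc_call_test_acquire (a PTR_TO_BTF_ID_OR_NULL, i.e. a pointer type with a type flag set) straight to bpf_kfunc_call_test_release without a NULL check, which is what makes the raw reg->type unsuitable as an index into reg2btf_ids; a one-line comment above the second BPF_RAW_INSN stating that intent would help future readers. Likewise, a comment next to `.errstr = "arg#0 pointer type STRUCT prog_test_ref_kfunc must point",` noting that the string is a deliberately shortened match of the verifier message, as discussed in this thread, would prevent it being mistaken for an accidental truncation.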
> > --
> > 2.35.1
> >

--
Kartikeya
