| From b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 Mon Sep 17 00:00:00 2001 |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| Date: Wed, 15 Dec 2021 23:48:54 +0000 |
| Subject: bpf, selftests: Add test case trying to taint map value pointer |
| |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| |
| commit b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 upstream. |
| |
| Add a test case which tries to taint map value pointer arithmetic into an |
| unknown scalar with subsequent export through the map. |
| |
| Before fix: |
| |
| # ./test_verifier 1186 |
| #1186/u map access: trying to leak tained dst reg FAIL |
| Unexpected success to load! |
| verification time 24 usec |
| stack depth 8 |
| processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1 |
| #1186/p map access: trying to leak tained dst reg FAIL |
| Unexpected success to load! |
| verification time 8 usec |
| stack depth 8 |
| processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1 |
| Summary: 0 PASSED, 0 SKIPPED, 2 FAILED |
| |
| After fix: |
| |
| # ./test_verifier 1186 |
| #1186/u map access: trying to leak tained dst reg OK |
| #1186/p map access: trying to leak tained dst reg OK |
| Summary: 2 PASSED, 0 SKIPPED, 0 FAILED |
| |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Reviewed-by: John Fastabend <john.fastabend@gmail.com> |
| Acked-by: Alexei Starovoitov <ast@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| tools/testing/selftests/bpf/verifier/value_ptr_arith.c | 23 +++++++++++++++++ |
| 1 file changed, 23 insertions(+) |
| |
| --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c |
| +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c |
| @@ -1078,6 +1078,29 @@ |
| .errstr_unpriv = "R0 pointer -= pointer prohibited", |
| }, |
| { |
| + "map access: trying to leak tained dst reg", |
| + .insns = { |
| + BPF_MOV64_IMM(BPF_REG_0, 0), |
| + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), |
| + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), |
| + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), |
| + BPF_LD_MAP_FD(BPF_REG_1, 0), |
| + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
| + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), |
| + BPF_EXIT_INSN(), |
| + BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), |
| + BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF), |
| + BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), |
| + BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1), |
| + BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), |
| + BPF_MOV64_IMM(BPF_REG_0, 0), |
| + BPF_EXIT_INSN(), |
| + }, |
| + .fixup_map_array_48b = { 4 }, |
| + .result = REJECT, |
| + .errstr = "math between map_value pointer and 4294967295 is not allowed", |
| +}, |
| +{ |
| "32bit pkt_ptr -= scalar", |
| .insns = { |
| BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, |
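Review bot: The new entry has no comment on the two instructions the case hinges on, `BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF)` followed by the self-move `BPF_MOV32_REG(BPF_REG_1, BPF_REG_1)`, so a reader cannot tell why the self-move is there or why `.errstr` expects the scalar 4294967295. I would add a comment above the self-move such as `/* R1 must remain the known scalar 0xFFFFFFFF after the 32-bit self-move, so the SUB on the map value pointer is rejected before the STX can store it into the map */`; that wording is inferred from the commit message and the expected error string, so it should be confirmed against the verifier fix this test accompanies. The test name also spells "tained", and since the name is what test_verifier prints and what people search for, `"map access: trying to leak tainted dst reg",` would be easier to find. The "32bit pkt_ptr -= scalar" entry that follows continues outside the hunk.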