releases/5.15.11/bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 Mon Sep 17 00:00:00 2001
 From: Daniel Borkmann <daniel@iogearbox.net>
 Date: Wed, 15 Dec 2021 23:48:54 +0000
 Subject: bpf, selftests: Add test case trying to taint map value pointer

 From: Daniel Borkmann <daniel@iogearbox.net>

 commit b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 upstream.

 Add a test case which tries to taint map value pointer arithmetic into a
 unknown scalar with subsequent export through the map.

 Before fix:

   # ./test_verifier 1186
   #1186/u map access: trying to leak tained dst reg FAIL
   Unexpected success to load!
   verification time 24 usec
   stack depth 8
   processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
   #1186/p map access: trying to leak tained dst reg FAIL
   Unexpected success to load!
   verification time 8 usec
   stack depth 8
   processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
   Summary: 0 PASSED, 0 SKIPPED, 2 FAILED

 After fix:

   # ./test_verifier 1186
   #1186/u map access: trying to leak tained dst reg OK
   #1186/p map access: trying to leak tained dst reg OK
   Summary: 2 PASSED, 0 SKIPPED, 0 FAILED

 Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
 Reviewed-by: John Fastabend <john.fastabend@gmail.com>
 Acked-by: Alexei Starovoitov <ast@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  tools/testing/selftests/bpf/verifier/value_ptr_arith.c |   23 +++++++++++++++++
  1 file changed, 23 insertions(+)

 --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
 +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
 @@ -1078,6 +1078,29 @@
  	.errstr_unpriv = "R0 pointer -= pointer prohibited",
  },
  {
 +	"map access: trying to leak tained dst reg",
 +	.insns = {
 +	BPF_MOV64_IMM(BPF_REG_0, 0),
 +	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
 +	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
 +	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
 +	BPF_LD_MAP_FD(BPF_REG_1, 0),
 +	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
 +	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 +	BPF_EXIT_INSN(),
 +	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
 +	BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
 +	BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
 +	BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
 +	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
 +	BPF_MOV64_IMM(BPF_REG_0, 0),
 +	BPF_EXIT_INSN(),
 +	},
 +	.fixup_map_array_48b = { 4 },
 +	.result = REJECT,
 +	.errstr = "math between map_value pointer and 4294967295 is not allowed",
 +},
 +{
  	"32bit pkt_ptr -= scalar",
  	.insns = {
  	BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
	From b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 Mon Sep 17 00:00:00 2001
	From: Daniel Borkmann <daniel@iogearbox.net>
	Date: Wed, 15 Dec 2021 23:48:54 +0000
	Subject: bpf, selftests: Add test case trying to taint map value pointer

	From: Daniel Borkmann <daniel@iogearbox.net>

	commit b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 upstream.

	Add a test case which tries to taint map value pointer arithmetic into a
	unknown scalar with subsequent export through the map.

	Before fix:

	# ./test_verifier 1186
	#1186/u map access: trying to leak tained dst reg FAIL
	Unexpected success to load!
	verification time 24 usec
	stack depth 8
	processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
	#1186/p map access: trying to leak tained dst reg FAIL
	Unexpected success to load!
	verification time 8 usec
	stack depth 8
	processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
	Summary: 0 PASSED, 0 SKIPPED, 2 FAILED

	After fix:

	# ./test_verifier 1186
	#1186/u map access: trying to leak tained dst reg OK
	#1186/p map access: trying to leak tained dst reg OK
	Summary: 2 PASSED, 0 SKIPPED, 0 FAILED

	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	Reviewed-by: John Fastabend <john.fastabend@gmail.com>
	Acked-by: Alexei Starovoitov <ast@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	tools/testing/selftests/bpf/verifier/value_ptr_arith.c \| 23 +++++++++++++++++
	1 file changed, 23 insertions(+)

	--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
	+++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
	@@ -1078,6 +1078,29 @@
	.errstr_unpriv = "R0 pointer -= pointer prohibited",
	},
	{
	+ "map access: trying to leak tained dst reg",
	+ .insns = {
	+ BPF_MOV64_IMM(BPF_REG_0, 0),
	+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	+ BPF_LD_MAP_FD(BPF_REG_1, 0),
	+ BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	+ BPF_EXIT_INSN(),
	+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
	+ BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
	+ BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
	+ BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
	+ BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
	+ BPF_MOV64_IMM(BPF_REG_0, 0),
	+ BPF_EXIT_INSN(),
	+ },
	+ .fixup_map_array_48b = { 4 },
	+ .result = REJECT,
	+ .errstr = "math between map_value pointer and 4294967295 is not allowed",
	+},
	+{
	"32bit pkt_ptr -= scalar",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,