| From e523102cb719cbad1673b6aa2a4d5c1fa6f13799 Mon Sep 17 00:00:00 2001 |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| Date: Mon, 13 Dec 2021 22:25:23 +0000 |
| Subject: bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer |
| |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| |
| commit e523102cb719cbad1673b6aa2a4d5c1fa6f13799 upstream. |
| |
| Fix up unprivileged test case results for 'Dest pointer in r0' verifier tests |
| given they now need to reject R0 containing a pointer value, and add a couple |
| of new related ones with 32bit cmpxchg as well. |
| |
| root@foo:~/bpf/tools/testing/selftests/bpf# ./test_verifier |
| #0/u invalid and of negative number OK |
| #0/p invalid and of negative number OK |
| [...] |
| #1268/p XDP pkt read, pkt_meta' <= pkt_data, bad access 1 OK |
| #1269/p XDP pkt read, pkt_meta' <= pkt_data, bad access 2 OK |
| #1270/p XDP pkt read, pkt_data <= pkt_meta', good access OK |
| #1271/p XDP pkt read, pkt_data <= pkt_meta', bad access 1 OK |
| #1272/p XDP pkt read, pkt_data <= pkt_meta', bad access 2 OK |
| Summary: 1900 PASSED, 0 SKIPPED, 0 FAILED |
| |
| Acked-by: Brendan Jackman <jackmanb@google.com> |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c | 67 +++++++++++++++++- |
| 1 file changed, 65 insertions(+), 2 deletions(-) |
| |
| --- a/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c |
| +++ b/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c |
| @@ -71,6 +71,8 @@ |
| BPF_EXIT_INSN(), |
| }, |
| .result = ACCEPT, |
| + .result_unpriv = REJECT, |
| + .errstr_unpriv = "R0 leaks addr into mem", |
| }, |
| { |
| "Can't use cmpxchg on uninit src reg", |
| @@ -119,7 +121,7 @@ |
| }, |
| .result = ACCEPT, |
| .result_unpriv = REJECT, |
| - .errstr_unpriv = "leaking pointer from stack off -8", |
| + .errstr_unpriv = "R0 leaks addr into mem", |
| }, |
| { |
| "Dest pointer in r0 - succeed, check 2", |
| @@ -140,5 +142,66 @@ |
| }, |
| .result = ACCEPT, |
| .result_unpriv = REJECT, |
| - .errstr_unpriv = "R5 leaks addr into mem", |
| + .errstr_unpriv = "R0 leaks addr into mem", |
| +}, |
| +{ |
| + "Dest pointer in r0 - succeed, check 3", |
| + .insns = { |
| + /* r0 = &val */ |
| + BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), |
| + /* val = r0; */ |
| + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), |
| + /* r5 = &val */ |
| + BPF_MOV64_REG(BPF_REG_5, BPF_REG_10), |
| + /* r0 = atomic_cmpxchg(&val, r0, r5); */ |
| + BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8), |
| + /* exit(0); */ |
| + BPF_MOV64_IMM(BPF_REG_0, 0), |
| + BPF_EXIT_INSN(), |
| + }, |
| + .result = REJECT, |
| + .errstr = "invalid size of register fill", |
| + .errstr_unpriv = "R0 leaks addr into mem", |
| +}, |
| +{ |
| + "Dest pointer in r0 - succeed, check 4", |
| + .insns = { |
| + /* r0 = &val */ |
| + BPF_MOV32_REG(BPF_REG_0, BPF_REG_10), |
| + /* val = r0; */ |
| + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8), |
| + /* r5 = &val */ |
| + BPF_MOV32_REG(BPF_REG_5, BPF_REG_10), |
| + /* r0 = atomic_cmpxchg(&val, r0, r5); */ |
| + BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8), |
| + /* r1 = *r10 */ |
| + BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -8), |
| + /* exit(0); */ |
| + BPF_MOV64_IMM(BPF_REG_0, 0), |
| + BPF_EXIT_INSN(), |
| + }, |
| + .result = ACCEPT, |
| + .result_unpriv = REJECT, |
| + .errstr_unpriv = "R10 partial copy of pointer", |
| +}, |
| +{ |
| + "Dest pointer in r0 - succeed, check 5", |
| + .insns = { |
| + /* r0 = &val */ |
| + BPF_MOV32_REG(BPF_REG_0, BPF_REG_10), |
| + /* val = r0; */ |
| + BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8), |
| + /* r5 = &val */ |
| + BPF_MOV32_REG(BPF_REG_5, BPF_REG_10), |
| + /* r0 = atomic_cmpxchg(&val, r0, r5); */ |
| + BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8), |
| + /* r1 = *r0 */ |
| + BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -8), |
| + /* exit(0); */ |
| + BPF_MOV64_IMM(BPF_REG_0, 0), |
| + BPF_EXIT_INSN(), |
| + }, |
| + .result = REJECT, |
| + .errstr = "R0 invalid mem access", |
| + .errstr_unpriv = "R10 partial copy of pointer", |
| }, |