authorAndrii Nakryiko <andrii@kernel.org>2023-12-07 10:57:36 -0800
committerAndrii Nakryiko <andrii@kernel.org>2023-12-07 13:58:14 -0800
commit483af466e4ee3326d150877ea0626e95c67a395e (patch)
treeceead968fb8ab47e59d6c55e3bc087a68736c8a8 /tools/testing/selftests/bpf/progs/verifier_var_off.c
parent2146f7fe6e028a3905f0658a1a0d8ef7c115d6c1 (diff)
parent1d38a9ee81570c4bd61f557832dead4d6f816760 (diff)
Merge branch 'bpf-fix-verification-of-indirect-var-off-stack-access'
Andrei Matei says: ==================== bpf: fix verification of indirect var-off stack access V4 to V5: - split the test into a separate patch V3 to V4: - include a test per Eduard's request - target bpf-next per Alexei's request (patches didn't change) V2 to V3: - simplify checks for max_off (don't call check_stack_slot_within_bounds for it) - append a commit to protect against overflow in the addition of the register and the offset V1 to V2: - fix max_off calculation for access size = 0 ==================== Link: https://lore.kernel.org/r/20231207041150.229139-1-andreimatei1@gmail.com Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Diffstat (limited to 'tools/testing/selftests/bpf/progs/verifier_var_off.c')
-rw-r--r--tools/testing/selftests/bpf/progs/verifier_var_off.c29
1 files changed, 29 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/progs/verifier_var_off.c b/tools/testing/selftests/bpf/progs/verifier_var_off.c
index 83a90afba785..b7bdd7db3a35 100644
--- a/tools/testing/selftests/bpf/progs/verifier_var_off.c
+++ b/tools/testing/selftests/bpf/progs/verifier_var_off.c
@@ -224,6 +224,35 @@ __naked void access_max_out_of_bound(void)
: __clobber_all);
}
+/* Similar to the test above, but this time check the special case of a
+ * zero-sized stack access. We used to have a bug causing crashes for zero-sized
+ * out-of-bounds accesses.
+ */
+SEC("socket")
+__description("indirect variable-offset stack access, zero-sized, max out of bound")
+__failure __msg("invalid variable-offset indirect access to stack R1")
+__naked void zero_sized_access_max_out_of_bound(void)
+{
+ asm volatile (" \
+ r0 = 0; \
+ /* Fill some stack */ \
+ *(u64*)(r10 - 16) = r0; \
+ *(u64*)(r10 - 8) = r0; \
+ /* Get an unknown value */ \
+ r1 = *(u32*)(r1 + 0); \
+ r1 &= 63; \
+ r1 += -16; \
+ /* r1 is now anywhere in [-16,48) */ \
+ r1 += r10; \
+ r2 = 0; \
+ r3 = 0; \
+ call %[bpf_probe_read_kernel]; \
+ exit; \
+" :
+ : __imm(bpf_probe_read_kernel)
+ : __clobber_all);
+}
+
SEC("lwt_in")
__description("indirect variable-offset stack access, min out of bound")
__failure __msg("invalid variable-offset indirect access to stack R2")
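Review bot: The new zero_sized_access_max_out_of_bound case exercises the zero-sized access only well past the top of the stack: `r1 &= 63; r1 += -16` leaves r1 in [-16,48), so the largest offset sits 47 bytes above the frame pointer rather than at the edge. The cover letter on this page lists "fix max_off calculation for access size = 0" among the changes, and an off-by-one in that calculation would most likely show at the boundary. A companion case whose range ends exactly at the frame pointer (for example `r1 &= 15; r1 += -15`, giving [-15,0]) would pin it more tightly; the expected verdict for that case needs confirming against the verifier. Separately, nothing in the asm says which argument makes the access zero-sized, so a comment such as `/* size 0: the zero-sized access under test */` above `r2 = 0;` would help the next reader.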