Context |
Check |
Description |
bpf/vmtest-bpf-next-PR |
success
|
PR summary
|
netdev/series_format |
success
|
Single patches do not need cover letters
|
netdev/tree_selection |
success
|
Clearly marked for bpf-next
|
netdev/ynl |
success
|
SINGLE THREAD;
Generated files up to date;
no warnings/errors;
no diff in generated;
|
netdev/fixes_present |
success
|
Fixes tag not required for -next series
|
netdev/header_inline |
success
|
No static functions without inline keyword in header files
|
netdev/build_32bit |
success
|
Errors and warnings before: 8 this patch: 8
|
netdev/cc_maintainers |
success
|
CCed 0 of 0 maintainers
|
netdev/build_clang |
success
|
Errors and warnings before: 8 this patch: 8
|
netdev/verify_signedoff |
success
|
Signed-off-by tag matches author and committer
|
netdev/deprecated_api |
success
|
None detected
|
netdev/check_selftest |
success
|
No net selftest shell script
|
netdev/verify_fixes |
success
|
No Fixes tag
|
netdev/build_allmodconfig_warn |
success
|
Errors and warnings before: 8 this patch: 8
|
netdev/checkpatch |
fail
|
ERROR: "(foo*)" should be "(foo *)"
ERROR: "(foo**)" should be "(foo **)"
WARNING: Avoid line continuations in quoted strings
WARNING: Avoid unnecessary line continuations
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
|
netdev/build_clang_rust |
success
|
No Rust files in patch. Skipping build
|
netdev/kdoc |
success
|
Errors and warnings before: 0 this patch: 0
|
netdev/source_inline |
success
|
Was 0 now: 0
|
bpf/vmtest-bpf-next-VM_Test-16 |
success
|
Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
|
bpf/vmtest-bpf-next-VM_Test-4 |
success
|
Logs for aarch64-gcc / build / build for aarch64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-12 |
success
|
Logs for s390x-gcc / build-release
|
bpf/vmtest-bpf-next-VM_Test-13 |
success
|
Logs for set-matrix
|
bpf/vmtest-bpf-next-VM_Test-15 |
success
|
Logs for x86_64-gcc / build-release
|
bpf/vmtest-bpf-next-VM_Test-9 |
success
|
Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-6 |
success
|
Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-14 |
success
|
Logs for x86_64-gcc / build / build for x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-11 |
success
|
Logs for s390x-gcc / build / build for s390x with gcc
|
bpf/vmtest-bpf-next-VM_Test-17 |
success
|
Logs for s390x-gcc / veristat
|
bpf/vmtest-bpf-next-VM_Test-18 |
success
|
Logs for set-matrix
|
bpf/vmtest-bpf-next-VM_Test-20 |
success
|
Logs for x86_64-gcc / build-release
|
bpf/vmtest-bpf-next-VM_Test-19 |
success
|
Logs for x86_64-gcc / build / build for x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-34 |
success
|
Logs for x86_64-llvm-17 / veristat
|
bpf/vmtest-bpf-next-VM_Test-28 |
success
|
Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
|
bpf/vmtest-bpf-next-VM_Test-35 |
success
|
Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
|
bpf/vmtest-bpf-next-VM_Test-36 |
success
|
Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18 and -O2 optimization
|
bpf/vmtest-bpf-next-VM_Test-42 |
success
|
Logs for x86_64-llvm-18 / veristat
|
bpf/vmtest-bpf-next-VM_Test-29 |
success
|
Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17 and -O2 optimization
|
bpf/vmtest-bpf-next-VM_Test-22 |
success
|
Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-21 |
success
|
Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-24 |
success
|
Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-23 |
success
|
Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-26 |
success
|
Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-25 |
success
|
Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-30 |
success
|
Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
|
bpf/vmtest-bpf-next-VM_Test-27 |
success
|
Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
|
bpf/vmtest-bpf-next-VM_Test-32 |
success
|
Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
|
bpf/vmtest-bpf-next-VM_Test-31 |
success
|
Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
|
bpf/vmtest-bpf-next-VM_Test-33 |
success
|
Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
|
bpf/vmtest-bpf-next-VM_Test-39 |
success
|
Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
|
bpf/vmtest-bpf-next-VM_Test-38 |
success
|
Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
|
bpf/vmtest-bpf-next-VM_Test-37 |
success
|
Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
|
bpf/vmtest-bpf-next-VM_Test-41 |
success
|
Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
|
bpf/vmtest-bpf-next-VM_Test-40 |
success
|
Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18
|
bpf/vmtest-bpf-next-VM_Test-0 |
success
|
Logs for Lint
|
bpf/vmtest-bpf-next-VM_Test-1 |
success
|
Logs for ShellCheck
|
bpf/vmtest-bpf-next-VM_Test-2 |
success
|
Logs for Unittests
|
bpf/vmtest-bpf-next-VM_Test-3 |
success
|
Logs for Validate matrix.py
|
bpf/vmtest-bpf-next-VM_Test-5 |
success
|
Logs for aarch64-gcc / build-release
|
bpf/vmtest-bpf-next-VM_Test-8 |
success
|
Logs for set-matrix
|
bpf/vmtest-bpf-next-VM_Test-10 |
success
|
Logs for x86_64-gcc / build-release
|
bpf/vmtest-bpf-next-VM_Test-7 |
success
|
Logs for s390x-gcc / build-release
|
new file mode 100644
@@ -0,0 +1,167 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Google LLC. */
+#include <test_progs.h>
+#include "array_elem_test.skel.h"
+
+#include <sys/mman.h>
+
+#define NR_MAP_ELEMS 100
+
+static size_t map_mmap_sz(struct bpf_map *map)
+{
+ size_t mmap_sz;
+
+ mmap_sz = (size_t)roundup(bpf_map__value_size(map), 8) *
+ bpf_map__max_entries(map);
+ mmap_sz = roundup(mmap_sz, sysconf(_SC_PAGE_SIZE));
+
+ return mmap_sz;
+}
+
+static void *map_mmap(struct bpf_map *map)
+{
+ return mmap(NULL, map_mmap_sz(map), PROT_READ | PROT_WRITE, MAP_SHARED,
+ bpf_map__fd(map), 0);
+}
+
+static void map_munmap(struct bpf_map *map, void *addr)
+{
+ munmap(addr, map_mmap_sz(map));
+}
+
+struct arr_elem_fixture {
+ struct array_elem_test *skel;
+ int *map_elems;
+};
+
+static void setup_fixture(struct arr_elem_fixture *tf, size_t prog_off)
+{
+ struct array_elem_test *skel;
+ struct bpf_program *prog;
+ int err;
+
+ skel = array_elem_test__open();
+ if (!ASSERT_OK_PTR(skel, "array_elem_test open"))
+ return;
+
+ /*
+ * Our caller doesn't know the addr of the program until the skeleton is
+ * opened. But the offset to the pointer is statically known.
+ */
+ prog = *(struct bpf_program**)((__u8*)skel + prog_off);
+ bpf_program__set_autoload(prog, true);
+
+ err = array_elem_test__load(skel);
+ if (!ASSERT_EQ(err, 0, "array_elem_test load")) {
+ array_elem_test__destroy(skel);
+ return;
+ }
+
+ err = array_elem_test__attach(skel);
+ if (!ASSERT_EQ(err, 0, "array_elem_test attach")) {
+ array_elem_test__destroy(skel);
+ return;
+ }
+
+ for (int i = 0; i < NR_MAP_ELEMS; i++) {
+ skel->bss->lookup_indexes[i] = i;
+ err = bpf_map_update_elem(bpf_map__fd(skel->maps.lookup_again),
+ &i, &i, BPF_ANY);
+ ASSERT_EQ(err, 0, "array_elem_test set lookup_again");
+ }
+
+ tf->map_elems = map_mmap(skel->maps.arraymap);
+ ASSERT_OK_PTR(tf->map_elems, "mmap");
+
+ tf->skel = skel;
+}
+
+static void run_test(struct arr_elem_fixture *tf)
+{
+ tf->skel->bss->target_pid = getpid();
+ usleep(1);
+}
+
+static void destroy_fixture(struct arr_elem_fixture *tf)
+{
+ map_munmap(tf->skel->maps.arraymap, tf->map_elems);
+ array_elem_test__destroy(tf->skel);
+}
+
+static void test_access_single(void)
+{
+ struct arr_elem_fixture tf[1];
+
+ setup_fixture(tf, offsetof(struct array_elem_test,
+ progs.access_single));
+ run_test(tf);
+
+ ASSERT_EQ(tf->map_elems[0], 1337, "array_elem map value not written");
+
+ destroy_fixture(tf);
+}
+
+static void test_access_all(void)
+{
+ struct arr_elem_fixture tf[1];
+
+ setup_fixture(tf, offsetof(struct array_elem_test,
+ progs.access_all));
+ run_test(tf);
+
+ for (int i = 0; i < NR_MAP_ELEMS; i++)
+ ASSERT_EQ(tf->map_elems[i], i,
+ "array_elem map value not written");
+
+ destroy_fixture(tf);
+}
+
+static void test_oob_access(void)
+{
+ struct arr_elem_fixture tf[1];
+
+ setup_fixture(tf, offsetof(struct array_elem_test,
+ progs.oob_access));
+ run_test(tf);
+
+ for (int i = 0; i < NR_MAP_ELEMS; i++)
+ ASSERT_EQ(tf->map_elems[i], 0,
+ "array_elem map value was written");
+
+ destroy_fixture(tf);
+}
+
+static void test_infer_size(void)
+{
+ struct arr_elem_fixture tf[1];
+
+ setup_fixture(tf, offsetof(struct array_elem_test,
+ progs.infer_size));
+ run_test(tf);
+
+ for (int i = 0; i < NR_MAP_ELEMS; i++)
+ ASSERT_EQ(tf->map_elems[i], i,
+ "array_elem map value not written");
+
+ destroy_fixture(tf);
+}
+
+void test_test_array_elem(void)
+{
+ if (test__start_subtest("real_access_single"))
+ test_access_single();
+ if (test__start_subtest("real_access_all"))
+ test_access_all();
+ if (test__start_subtest("real_oob_access"))
+ test_oob_access();
+ if (test__start_subtest("real_infer_size"))
+ test_infer_size();
+
+ /*
+ * RUN_TESTS() will load the *bad* tests, marked with
+ * __failure, and ensure they fail to load. It will also load the
+ * *good* tests, which we already tested, so you'll see some tests twice
+ * in the output.
+ */
+ RUN_TESTS(array_elem_test);
+}
new file mode 100644
@@ -0,0 +1,256 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Google LLC. */
+
+#include <vmlinux.h>
+#include <stdbool.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include "bpf_misc.h"
+#include "bpf_experimental.h"
+
+char _license[] SEC("license") = "GPL";
+
+int target_pid = 0;
+
+#define NR_MAP_ELEMS 100
+
+/*
+ * We want to test valid accesses into an array, but we also need to fool the
+ * verifier. If we just do for (i = 0; i < 100; i++), the verifier knows the
+ * value of i and can tell we're inside the array.
+ *
+ * This "lookup" array is just the values 0, 1, 2..., such that
+ * lookup_indexes[i] == i. (set by userspace). But the verifier doesn't know
+ * that.
+ */
+unsigned int lookup_indexes[NR_MAP_ELEMS];
+
+/*
+ * This second lookup array also has the values 0, 1, 2. The extra layer of
+ * lookups seems to make the compiler work a little harder, and more likely to
+ * spill to the stack.
+ */
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __uint(max_entries, NR_MAP_ELEMS);
+ __type(key, u32);
+ __type(value, u32);
+ __uint(map_flags, BPF_F_MMAPABLE);
+} lookup_again SEC(".maps");
+
+struct map_array {
+ int elems[NR_MAP_ELEMS];
+};
+
+/*
+ * This is an ARRAY_MAP of a single struct, and that struct is an array of
+ * elements. Userspace can mmap the map as if it was just a basic array of
+ * elements. Though if you make an ARRAY_MAP where the *values* are ints, don't
+ * forget that bpf map elements are rounded up to 8 bytes.
+ *
+ * Once you get the pointer to the base of the inner array, you can access all
+ * of the elements without another bpf_map_lookup_elem(), which is useful if you
+ * are operating on multiple elements while holding a spinlock.
+ */
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __uint(max_entries, 1);
+ __type(key, u32);
+ __type(value, struct map_array);
+ __uint(map_flags, BPF_F_MMAPABLE);
+} arraymap SEC(".maps");
+
+static struct map_array *get_map_array(void)
+{
+ int zero = 0;
+
+ return bpf_map_lookup_elem(&arraymap, &zero);
+}
+
+static int *get_map_elems(void)
+{
+ struct map_array *arr = get_map_array();
+
+ if (!arr)
+ return NULL;
+ return arr->elems;
+}
+
+/*
+ * This is convoluted enough that the compiler may spill a register (r1) before
+ * bounds checking it.
+ */
+static void bad_set_elem(unsigned int which, int val)
+{
+ u32 idx_1;
+ u32 *idx_2p;
+ int *map_elems;
+
+ if (which >= NR_MAP_ELEMS)
+ return;
+
+ idx_1 = lookup_indexes[which];
+ idx_2p = bpf_map_lookup_elem(&lookup_again, &idx_1);
+ if (!idx_2p)
+ return;
+
+ /*
+ * reuse idx_1, which is often r1. if you use a new variable, e.g.
+ * idx_3 = *idx_2p, the compiler will pick a non-caller save register
+ * (e.g. r6), and won't spill it to the stack.
+ */
+ idx_1 = *idx_2p;
+
+ /*
+ * Whether we use bpf_cmp or a normal comparison, r1 might get spilled
+ * to the stack, *then* checked against NR_MAP_ELEMS. The verifier will
+ * know r1's bounds, but since the check happened after the spill, it
+ * doesn't know about the stack variable's bounds.
+ */
+ if (bpf_cmp_unlikely(idx_1, >=, NR_MAP_ELEMS))
+ return;
+
+ /*
+ * This does a bpf_map_lookup_elem(), which is a function call, which
+ * necessitates spilling r1.
+ */
+ map_elems = get_map_elems();
+ if (map_elems)
+ map_elems[idx_1] = val;
+}
+
+SEC("?tp/syscalls/sys_enter_nanosleep")
+__failure
+__msg("R0 unbounded memory access, make sure to bounds check any such access")
+int bad_access_single(void *ctx)
+{
+ bad_set_elem(0, 1337);
+ return 0;
+}
+
+SEC("?tp/syscalls/sys_enter_nanosleep")
+__failure
+__msg("R0 unbounded memory access, make sure to bounds check any such access")
+int bad_access_all(void *ctx)
+{
+ for (int i = 0; i < NR_MAP_ELEMS; i++)
+ bad_set_elem(i, i);
+ return 0;
+}
+
+/*
+ * Both lookup_indexes and lookup_again are identity maps, i.e. f(x) = x (within
+ * bounds), so ultimately we're setting map_elems[which] = val.
+ */
+static void good_set_elem(unsigned int which, int val)
+{
+ u32 idx_1;
+ u32 *idx_2p;
+ int *map_elems, *x;
+
+ if (which >= NR_MAP_ELEMS)
+ return;
+ idx_1 = lookup_indexes[which];
+ idx_2p = bpf_map_lookup_elem(&lookup_again, &idx_1);
+
+ if (!idx_2p)
+ return;
+
+ idx_1 = *idx_2p;
+
+ map_elems = get_map_elems();
+ x = bpf_array_elem(map_elems, NR_MAP_ELEMS, idx_1);
+ if (x)
+ *x = val;
+}
+
+/*
+ * Test accessing a single element in the array with a convoluted lookup.
+ */
+SEC("?tp/syscalls/sys_enter_nanosleep")
+int access_single(void *ctx)
+{
+ if ((bpf_get_current_pid_tgid() >> 32) != target_pid)
+ return 0;
+
+ good_set_elem(0, 1337);
+
+ return 0;
+}
+
+/*
+ * Test that we can access all elements, and that we are accessing the element
+ * we think we are accessing.
+ */
+SEC("?tp/syscalls/sys_enter_nanosleep")
+int access_all(void *ctx)
+{
+ if ((bpf_get_current_pid_tgid() >> 32) != target_pid)
+ return 0;
+
+ for (int i = 0; i < NR_MAP_ELEMS; i++)
+ good_set_elem(i, i);
+
+ return 0;
+}
+
+/*
+ * Helper for various OOB tests. An out-of-bound access should be handled like
+ * a lookup failure. Specifically, the verifier should ensure we do not access
+ * outside the array. Userspace will check that we didn't access somewhere
+ * inside the array.
+ */
+static void set_elem_to_1(long idx)
+{
+ int *map_elems = get_map_elems();
+ int *x;
+
+ x = bpf_array_elem(map_elems, NR_MAP_ELEMS, idx);
+ if (x)
+ *x = 1;
+}
+
+/*
+ * Test various out-of-bounds accesses.
+ */
+SEC("?tp/syscalls/sys_enter_nanosleep")
+int oob_access(void *ctx)
+{
+ if ((bpf_get_current_pid_tgid() >> 32) != target_pid)
+ return 0;
+
+ set_elem_to_1(NR_MAP_ELEMS + 5);
+ set_elem_to_1(NR_MAP_ELEMS);
+ set_elem_to_1(-1);
+ set_elem_to_1(~0UL);
+
+ return 0;
+}
+
+/*
+ * Test that we can use the ARRAY_SIZE-style helper with an array in a map.
+ *
+ * Note that you cannot infer the size of the array from just a pointer; you
+ * have to use the actual elems[100]. i.e. this will fail and should fail to
+ * compile (-Wsizeof-pointer-div):
+ *
+ * int *map_elems = get_map_elems();
+ * x = bpf_array_sz_elem(map_elems, lookup_indexes[i]);
+ */
+SEC("?tp/syscalls/sys_enter_nanosleep")
+int infer_size(void *ctx)
+{
+ struct map_array *arr = get_map_array();
+ int *x;
+
+ if ((bpf_get_current_pid_tgid() >> 32) != target_pid)
+ return 0;
+
+ for (int i = 0; i < NR_MAP_ELEMS; i++) {
+ x = bpf_array_sz_elem(arr->elems, lookup_indexes[i]);
+ if (x)
+ *x = i;
+ }
+
+ return 0;
+}
@@ -135,4 +135,47 @@
/* make it look to compiler like value is read and written */
#define __sink(expr) asm volatile("" : "+g"(expr))
+/*
+ * Access an array element within a bound, such that the verifier knows the
+ * access is safe.
+ *
+ * This macro asm is the equivalent of:
+ *
+ * if (!arr)
+ * return NULL;
+ * if (idx >= arr_sz)
+ * return NULL;
+ * return &arr[idx];
+ *
+ * The index (___idx below) needs to be a u64, at least for certain versions of
+ * the BPF ISA, since there aren't u32 conditional jumps.
+ */
+#define bpf_array_elem(arr, arr_sz, idx) ({ \
+ typeof(&(arr)[0]) ___arr = arr; \
+ __u64 ___idx = idx; \
+ if (___arr) { \
+ asm volatile("if %[__idx] >= %[__bound] goto 1f; \
+ %[__idx] *= %[__size]; \
+ %[__arr] += %[__idx]; \
+ goto 2f; \
+ 1:; \
+ %[__arr] = 0; \
+ 2: \
+ " \
+ : [__arr]"+r"(___arr), [__idx]"+r"(___idx) \
+ : [__bound]"r"((arr_sz)), \
+ [__size]"i"(sizeof(typeof((arr)[0]))) \
+ : "cc"); \
+ } \
+ ___arr; \
+})
+
+/*
+ * Convenience wrapper for bpf_array_elem(), where we compute the size of the
+ * array. Be sure to use an actual array, and not a pointer, just like with the
+ * ARRAY_SIZE macro.
+ */
+#define bpf_array_sz_elem(arr, idx) \
+ bpf_array_elem(arr, sizeof(arr) / sizeof((arr)[0]), idx)
+
#endif
When accessing an array, even if you insert your own bounds check, sometimes the compiler will remove the check. bpf_cmp() will force the compiler to do the check. However, the compiler is free to make a copy of a register, check the copy, and use the original to access the array. The verifier knows the *copy* is within bounds, but not the original register! Although I couldn't recreate the "bounds check a copy of a register", the test below managed to get the compiler to spill a register to the stack, then bounds-check the register, and later reread the register - sans bounds check. By performing the bounds check and the indexing in assembly, we ensure the register used to index the array was bounds checked. Signed-off-by: Barret Rhoden <brho@google.com> --- v2: https://lore.kernel.org/bpf/20240103185403.610641-1-brho@google.com Changes since v2: - added a test prog that should load, but fails to verify for me (Debian clang version 16.0.6 (16)). these tests might be brittle and start successfully verifying for other compiler versions. - removed the mmap-an-arraymap patch - removed macros and added some "test fixture" code - used RUN_TESTS for the __failure cases .../bpf/prog_tests/test_array_elem.c | 167 ++++++++++++ .../selftests/bpf/progs/array_elem_test.c | 256 ++++++++++++++++++ tools/testing/selftests/bpf/progs/bpf_misc.h | 43 +++ 3 files changed, 466 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/test_array_elem.c create mode 100644 tools/testing/selftests/bpf/progs/array_elem_test.c