From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: Tao Lyu, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Mathias Payer, Meng Xu, Sanidhya Kashyap
Subject: [PATCH bpf-next v2 1/4] bpf: Don't relax STACK_INVALID to STACK_MISC when not allow_ptr_leaks
Date: Wed, 27 Nov 2024 13:20:23 -0800
Message-ID: <20241127212026.3580542-2-memxor@gmail.com>
In-Reply-To: <20241127212026.3580542-1-memxor@gmail.com>
References: <20241127212026.3580542-1-memxor@gmail.com>

Inside mark_stack_slot_misc, we should not upgrade STACK_INVALID to STACK_MISC when allow_ptr_leaks is false, since invalid contents shouldn't be read unless the program has the relevant capabilities.
The relaxation only makes sense when env->allow_ptr_leaks is true. Currently, the condition is inverted (i.e. checking for true instead of false), simply invert it to restore correct behavior. Update error strings of selftests relying on current behavior's verifier output. Fixes: eaf18febd6eb ("bpf: preserve STACK_ZERO slots on partial reg spills") Reported-by: Tao Lyu Signed-off-by: Kumar Kartikeya Dwivedi --- kernel/bpf/verifier.c | 2 +- .../selftests/bpf/progs/verifier_spill_fill.c | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 1c4ebb326785..f9791a001e25 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1209,7 +1209,7 @@ static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype) { if (*stype == STACK_ZERO) return; - if (env->allow_ptr_leaks && *stype == STACK_INVALID) + if (!env->allow_ptr_leaks && *stype == STACK_INVALID) return; *stype = STACK_MISC; } diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c index 671d9f415dbf..f52f10dbc91d 100644 --- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c +++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c @@ -464,9 +464,9 @@ l0_%=: r1 >>= 16; \ SEC("raw_tp") __log_level(2) __success -__msg("fp-8=0m??scalar()") -__msg("fp-16=00mm??scalar()") -__msg("fp-24=00mm???scalar()") +__msg("fp-8=0mmmscalar()") +__msg("fp-16=00mmmmscalar()") +__msg("fp-24=00mmmmmscalar()") __naked void spill_subregs_preserve_stack_zero(void) { asm volatile ( 
@@ -717,16 +717,16 @@ SEC("raw_tp") __log_level(2) __flag(BPF_F_TEST_STATE_FREQ) __success /* make sure fp-8 is 32-bit FAKE subregister spill */ -__msg("3: (62) *(u32 *)(r10 -8) = 1 ; R10=fp0 fp-8=????1") +__msg("3: (62) *(u32 *)(r10 -8) = 1 ; R10=fp0 fp-8=mmmm1") /* but fp-16 is spilled IMPRECISE zero const reg */ -__msg("5: (63) *(u32 *)(r10 -16) = r0 ; R0_w=1 R10=fp0 fp-16=????1") +__msg("5: (63) *(u32 *)(r10 -16) = r0 ; R0_w=1 R10=fp0 fp-16=mmmm1") /* validate load from fp-8, which was initialized using BPF_ST_MEM */ -__msg("8: (61) r2 = *(u32 *)(r10 -8) ; R2_w=1 R10=fp0 fp-8=????1") +__msg("8: (61) r2 = *(u32 *)(r10 -8) ; R2_w=1 R10=fp0 fp-8=mmmm1") __msg("9: (0f) r1 += r2") __msg("mark_precise: frame0: last_idx 9 first_idx 7 subseq_idx -1") __msg("mark_precise: frame0: regs=r2 stack= before 8: (61) r2 = *(u32 *)(r10 -8)") __msg("mark_precise: frame0: regs= stack=-8 before 7: (bf) r1 = r6") -__msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=1 R1=ctx() R6_r=map_value(map=.data.two_byte_,ks=4,vs=2) R10=fp0 fp-8_r=????P1 fp-16=????1") +__msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=1 R1=ctx() R6_r=map_value(map=.data.two_byte_,ks=4,vs=2) R10=fp0 fp-8_r=mmmmP1 fp-16=mmmm1") __msg("mark_precise: frame0: last_idx 6 first_idx 3 subseq_idx 7") __msg("mark_precise: frame0: regs= stack=-8 before 6: (05) goto pc+0") __msg("mark_precise: frame0: regs= stack=-8 before 5: (63) *(u32 *)(r10 -16) = r0") 
@@ -734,7 +734,7 @@ __msg("mark_precise: frame0: regs= stack=-8 before 4: (b7) r0 = 1") __msg("mark_precise: frame0: regs= stack=-8 before 3: (62) *(u32 *)(r10 -8) = 1") __msg("10: R1_w=map_value(map=.data.two_byte_,ks=4,vs=2,off=1) R2_w=1") /* validate load from fp-16, which was initialized using BPF_STX_MEM */ -__msg("12: (61) r2 = *(u32 *)(r10 -16) ; R2_w=1 R10=fp0 fp-16=????1") +__msg("12: (61) r2 = *(u32 *)(r10 -16) ; R2_w=1 R10=fp0 fp-16=mmmm1") __msg("13: (0f) r1 += r2") __msg("mark_precise: frame0: last_idx 13 first_idx 7 subseq_idx -1") __msg("mark_precise: frame0: regs=r2 stack= before 12: (61) r2 = *(u32 *)(r10 -16)") 
@@ -743,7 +743,7 @@ __msg("mark_precise: frame0: regs= stack=-16 before 10: (73) *(u8 *)(r1 +0) = r2 __msg("mark_precise: frame0: regs= stack=-16 before 9: (0f) r1 += r2") __msg("mark_precise: frame0: regs= stack=-16 before 8: (61) r2 = *(u32 *)(r10 -8)") __msg("mark_precise: frame0: regs= stack=-16 before 7: (bf) r1 = r6") -__msg("mark_precise: frame0: parent state regs= stack=-16: R0_w=1 R1=ctx() R6_r=map_value(map=.data.two_byte_,ks=4,vs=2) R10=fp0 fp-8_r=????P1 fp-16_r=????P1") +__msg("mark_precise: frame0: parent state regs= stack=-16: R0_w=1 R1=ctx() R6_r=map_value(map=.data.two_byte_,ks=4,vs=2) R10=fp0 fp-8_r=mmmmP1 fp-16_r=mmmmP1") __msg("mark_precise: frame0: last_idx 6 first_idx 3 subseq_idx 7") __msg("mark_precise: frame0: regs= stack=-16 before 6: (05) goto pc+0") __msg("mark_precise: frame0: regs= stack=-16 before 5: (63) *(u32 *)(r10 -16) = r0")
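
Review bot: The corrected condition in mark_stack_slot_misc() (kernel/bpf/verifier.c, patch 1/4) carries no comment, and the commit message says the bug being fixed is an inversion of this very test. Add a short comment above `if (!env->allow_ptr_leaks && *stype == STACK_INVALID)` stating that STACK_INVALID must be preserved when allow_ptr_leaks is false so the slot stays unreadable, and that promotion to STACK_MISC is allowed only with allow_ptr_leaks, so a later reader can check the polarity against the stated intent.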
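
Review bot: The updated __msg() strings in verifier_spill_fill.c (patch 1/4) only cover loads that succeed and now show `m` where they showed `?`, for example `fp-16=00mm??scalar()` becoming `fp-16=00mmmmscalar()`; nothing in this patch exercises the !allow_ptr_leaks path that the fix is about. That test arrives in 3/4, so either reference it in this commit message or fold it in here so the fix and its regression test land together. The commit message would also be clearer if it said that these slots now being reported as STACK_MISC is the intended outcome, not only an error-string update.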

From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: Tao Lyu, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Mathias Payer, Meng Xu, Sanidhya Kashyap
Subject: [PATCH bpf-next v2 2/4] bpf: Fix narrow scalar spill onto 64-bit spilled scalar slots
Date: Wed, 27 Nov 2024 13:20:24 -0800
Message-ID: <20241127212026.3580542-3-memxor@gmail.com>
In-Reply-To: <20241127212026.3580542-1-memxor@gmail.com>
References: <20241127212026.3580542-1-memxor@gmail.com>

From: Tao Lyu

When CAP_PERFMON and CAP_SYS_ADMIN (allow_ptr_leaks) are disabled, the verifier aims to reject partial overwrite on an 8-byte stack slot that contains a spilled pointer.

However, in such a scenario, it rejects all partial stack overwrites as long as the targeted stack slot is a spilled register, because it does not check if the stack slot is a spilled pointer.

Incomplete checks will result in the rejection of valid programs, which spill narrower scalar values onto scalar slots, as shown below.

0: R1=ctx() R10=fp0
; asm volatile ( @ repro.bpf.c:679
0: (7a) *(u64 *)(r10 -8) = 1 ; R10=fp0 fp-8_w=1
1: (62) *(u32 *)(r10 -8) = 1
attempt to corrupt spilled pointer on stack
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0.

Fix this by expanding the check to not consider spilled scalar registers when rejecting the write into the stack.

Previous discussion on this patch is at link [0].

[0]: https://lore.kernel.org/bpf/20240403202409.2615469-1-tao.lyu@epfl.ch

Fixes: ab125ed3ec1c ("bpf: fix check for attempt to corrupt spilled pointer")
Signed-off-by: Tao Lyu
Signed-off-by: Kumar Kartikeya Dwivedi
Acked-by: Eduard Zingerman
--- kernel/bpf/verifier.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f9791a001e25..7fb3aa6561f5 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -4700,6 +4700,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, */ if (!env->allow_ptr_leaks && is_spilled_reg(&state->stack[spi]) && + !is_spilled_scalar_reg(&state->stack[spi]) && size != BPF_REG_SIZE) { verbose(env, "attempt to corrupt spilled pointer on stack\n"); return -EACCES;
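
Review bot: The comment that closes just above this condition in check_stack_write_fixed_off() (patch 2/4) is left untouched while the new `!is_spilled_scalar_reg(&state->stack[spi])` term narrows the rejection to non-scalar spills. If that comment still describes rejecting any partial overwrite of a spilled register, update it in this patch to say that only spilled pointers are protected and that narrow writes over spilled scalars are allowed when allow_ptr_leaks is false, so the comment and the `attempt to corrupt spilled pointer on stack` message describe the same rule.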

From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Tao Lyu, Mathias Payer, Meng Xu, Sanidhya Kashyap
Subject: [PATCH bpf-next v2 3/4] selftests/bpf: Add test for reading from STACK_INVALID slots
Date: Wed, 27 Nov 2024 13:20:25 -0800
Message-ID: <20241127212026.3580542-4-memxor@gmail.com>
In-Reply-To: <20241127212026.3580542-1-memxor@gmail.com>
References: <20241127212026.3580542-1-memxor@gmail.com>

Ensure that when CAP_PERFMON is dropped, and the verifier sees allow_ptr_leaks as false, we are not permitted to read from a STACK_INVALID slot. Without the fix, the test will report unexpected success in loading.
Since we need to control the capabilities when loading this test to only retain CAP_BPF, refactor support added to do the same for test_verifier_mtu and reuse it for this selftest to avoid copy-paste. Signed-off-by: Kumar Kartikeya Dwivedi --- .../selftests/bpf/prog_tests/verifier.c | 41 ++++++++++++++++--- .../bpf/progs/verifier_stack_noperfmon.c | 21 ++++++++++ 2 files changed, 56 insertions(+), 6 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/testing/selftests/bpf/prog_tests/verifier.c index d9f65adb456b..aaf4324e8ef0 100644 --- a/tools/testing/selftests/bpf/prog_tests/verifier.c +++ b/tools/testing/selftests/bpf/prog_tests/verifier.c @@ -63,6 +63,7 @@ #include "verifier_prevent_map_lookup.skel.h" #include "verifier_private_stack.skel.h" #include "verifier_raw_stack.skel.h" +#include "verifier_stack_noperfmon.skel.h" #include "verifier_raw_tp_writable.skel.h" #include "verifier_reg_equal.skel.h" #include "verifier_ref_tracking.skel.h" 
@@ -226,22 +227,50 @@ void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_pack void test_verifier_bits_iter(void) { RUN(verifier_bits_iter); } void test_verifier_lsm(void) { RUN(verifier_lsm); } -void test_verifier_mtu(void) +static int test_verifier_disable_caps(__u64 *caps) { - __u64 caps = 0; int ret; /* In case CAP_BPF and CAP_PERFMON is not set */ - ret = cap_enable_effective(1ULL << CAP_BPF | 1ULL << CAP_NET_ADMIN, &caps); + ret = cap_enable_effective(1ULL << CAP_BPF | 1ULL << CAP_NET_ADMIN, caps); if (!ASSERT_OK(ret, "set_cap_bpf_cap_net_admin")) - return; + return -EINVAL; ret = cap_disable_effective(1ULL << CAP_SYS_ADMIN | 1ULL << CAP_PERFMON, NULL); if (!ASSERT_OK(ret, "disable_cap_sys_admin")) + return -EINVAL; + return 0; +} + +static void test_verifier_enable_caps(__u64 caps) +{ + if (caps) + cap_enable_effective(caps, NULL); +} + +void test_verifier_mtu(void) +{ + __u64 caps = 0; + int ret; + + ret = test_verifier_disable_caps(&caps); + if (ret) goto restore_cap; RUN(verifier_mtu); restore_cap: - if (caps) - cap_enable_effective(caps, NULL); + test_verifier_enable_caps(caps); +} + +void test_verifier_stack_noperfmon(void) +{ + __u64 caps = 0; + int ret; + + ret = test_verifier_disable_caps(&caps); + if (ret) + goto restore_cap; + RUN(verifier_stack_noperfmon); +restore_cap: + test_verifier_enable_caps(caps); } static int init_test_val_map(struct bpf_object *obj, char *map_name) diff --git a/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c b/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c new file mode 100644 index 000000000000..52da836d47a6 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c 
@@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include "bpf_misc.h" + +SEC("tc") +__description("stack_noperfmon: reject read of invalid slots") +__failure __msg("invalid read from stack off -8+1 size 8") +__naked void stack_noperfmon_rejecte_invalid_read(void) +{ + asm volatile (" \ + r2 = 1; \ + r6 = r10; \ + r6 += -8; \ + *(u8 *)(r6 + 0) = r2; \ + r2 = *(u64 *)(r6 + 0); \ + r0 = 0; \ + exit; \ +" ::: __clobber_all); +}
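
Review bot: test_verifier_enable_caps() in prog_tests/verifier.c (patch 3/4) calls `cap_enable_effective(caps, NULL)` and drops the return value, while the disable path checks both of its calls with ASSERT_OK. With two tests now sharing the helper, a failed restore would leave CAP_SYS_ADMIN and CAP_PERFMON disabled after the test returns without any failure being reported; wrap the restore in ASSERT_OK as well. The retained comment `/* In case CAP_BPF and CAP_PERFMON is not set */` also does not match the call beneath it, which enables CAP_BPF and CAP_NET_ADMIN.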
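
Review bot: The function name `stack_noperfmon_rejecte_invalid_read` in the new progs/verifier_stack_noperfmon.c (patch 3/4) has a typo (`rejecte`); rename it to `stack_noperfmon_reject_invalid_read`. The test stores one byte with `*(u8 *)(r6 + 0) = r2` and then loads eight, so the expected message `invalid read from stack off -8+1 size 8` points at the first byte that was never written; a one-line comment saying that the remaining bytes of the slot are the STACK_INVALID ones under test would make the `-8+1` self-explanatory.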

From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Tao Lyu, Mathias Payer, Meng Xu, Sanidhya Kashyap
Subject: [PATCH bpf-next v2 4/4] selftests/bpf: Add test for narrow spill into 64-bit spilled scalar
Date: Wed, 27 Nov 2024 13:20:26 -0800
Message-ID: <20241127212026.3580542-5-memxor@gmail.com>
In-Reply-To: <20241127212026.3580542-1-memxor@gmail.com>
References: <20241127212026.3580542-1-memxor@gmail.com>

Add a test case to verify that without CAP_PERFMON, the test now succeeds instead of failing due to a verification error.
Signed-off-by: Kumar Kartikeya Dwivedi Acked-by: Eduard Zingerman --- .../bpf/progs/verifier_stack_noperfmon.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c b/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c index 52da836d47a6..787e01ef477a 100644 --- a/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c +++ b/tools/testing/selftests/bpf/progs/verifier_stack_noperfmon.c @@ -19,3 +19,18 @@ __naked void stack_noperfmon_rejecte_invalid_read(void) exit; \ " ::: __clobber_all); } + +SEC("socket") +__description("stack_noperfmon: narrow spill onto 64-bit scalar spilled slots") +__success +__naked void stack_noperfmon_spill_32bit_onto_64bit_slot(void) +{ + asm volatile(" \ + r0 = 0; \ + *(u64 *)(r10 - 8) = r0; \ + *(u32 *)(r10 - 8) = r0; \ + exit; \ +" : + : + : __clobber_all); +}
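
Review bot: The new case stack_noperfmon_spill_32bit_onto_64bit_slot (patch 4/4) only shows that a narrow write over a spilled scalar is now accepted; this series adds no test that a narrow write over a spilled pointer is still rejected without CAP_PERFMON. Since 2/4 relaxes that check with `!is_spilled_scalar_reg(...)`, add a companion `__failure __msg("attempt to corrupt spilled pointer on stack")` case in the same file that spills a pointer register to fp-8 and then stores a u32 over it, so the relaxation is shown not to reach pointer slots. The asm operand list here is also spread over three lines (`: : : __clobber_all`) where the test added in 3/4 writes `::: __clobber_all`; use one form within the file.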