From patchwork Wed Dec 4 04:47:53 2024
X-Patchwork-Submitter: Kumar Kartikeya Dwivedi
X-Patchwork-Id: 13893205
X-Patchwork-Delegate: bpf@iogearbox.net
From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Andrii Nakryiko, Tao Lyu, Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Mathias Payer, Meng Xu, Sanidhya Kashyap, kernel-team@fb.com
Subject: [PATCH bpf v4 1/5] bpf: Don't mark STACK_INVALID as STACK_MISC in mark_stack_slot_misc
Date: Tue, 3 Dec 2024 20:47:53 -0800
Message-ID: <20241204044757.1483141-2-memxor@gmail.com>
In-Reply-To: <20241204044757.1483141-1-memxor@gmail.com>

Inside mark_stack_slot_misc, we should not upgrade STACK_INVALID to STACK_MISC when allow_ptr_leaks is false, since invalid contents shouldn't be read unless the program has the relevant capabilities.
The relaxation only makes sense when env->allow_ptr_leaks is true.

However, such conversion in privileged mode becomes unnecessary, as invalid slots can be read without being upgraded to STACK_MISC.

Currently, the condition is inverted (i.e. checking for true instead of false), simply remove it to restore correct behavior.

Fixes: eaf18febd6eb ("bpf: preserve STACK_ZERO slots on partial reg spills")
Acked-by: Andrii Nakryiko
Reported-by: Tao Lyu
Signed-off-by: Kumar Kartikeya Dwivedi
---
 kernel/bpf/verifier.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2fd35465d650..f18aad339de8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -1202,14 +1202,17 @@ static bool is_spilled_scalar_reg64(const struct bpf_stack_state *stack) /* Mark stack slot as STACK_MISC, unless it is already STACK_INVALID, in which * case they are equivalent, or it's STACK_ZERO, in which case we preserve * more precise STACK_ZERO. - * Note, in uprivileged mode leaving STACK_INVALID is wrong, so we take - * env->allow_ptr_leaks into account and force STACK_MISC, if necessary. + * Regardless of allow_ptr_leaks setting (i.e., privileged or unprivileged + * mode), we won't promote STACK_INVALID to STACK_MISC. In privileged case it is + * unnecessary as both are considered equivalent when loading data and pruning, + * in case of unprivileged mode it will be incorrect to allow reads of invalid + * slots. */ static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype) { if (*stype == STACK_ZERO) return; - if (env->allow_ptr_leaks && *stype == STACK_INVALID) + if (*stype == STACK_INVALID) return; *stype = STACK_MISC; }
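Review bot: In the comment above mark_stack_slot_misc(), the unchanged opening sentence still says the slot is left alone when it is already STACK_INVALID because "they are equivalent", while the added lines say that equivalence holds only in the privileged case and that in unprivileged mode reads of invalid slots must stay rejected. Reword the opening so the two statements agree, for example by saying STACK_INVALID is always preserved and then giving the two reasons. With the allow_ptr_leaks test gone, the two early returns could also be folded into a single condition on STACK_ZERO or STACK_INVALID, and env is no longer used anywhere in the visible body, which deserves a word in the comment or a follow-up to drop the parameter.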
From patchwork Wed Dec 4 04:47:54 2024
X-Patchwork-Submitter: Kumar Kartikeya Dwivedi
X-Patchwork-Id: 13893206
X-Patchwork-Delegate: bpf@iogearbox.net
From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Eduard Zingerman, Andrii Nakryiko, Tao Lyu, Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Mathias Payer, Meng Xu, Sanidhya Kashyap, kernel-team@fb.com
Subject: [PATCH bpf v4 2/5] bpf: Fix narrow scalar spill onto 64-bit spilled scalar slots
Date: Tue, 3 Dec 2024 20:47:54 -0800
Message-ID: <20241204044757.1483141-3-memxor@gmail.com>
In-Reply-To: <20241204044757.1483141-1-memxor@gmail.com>
From: Tao Lyu

When CAP_PERFMON and CAP_SYS_ADMIN (allow_ptr_leaks) are disabled, the verifier aims to reject partial overwrite on an 8-byte stack slot that contains a spilled pointer.

However, in such a scenario, it rejects all partial stack overwrites as long as the targeted stack slot is a spilled register, because it does not check if the stack slot is a spilled pointer.

Incomplete checks will result in the rejection of valid programs, which spill narrower scalar values onto scalar slots, as shown below.

0: R1=ctx() R10=fp0
; asm volatile ( @ repro.bpf.c:679
0: (7a) *(u64 *)(r10 -8) = 1 ; R10=fp0 fp-8_w=1
1: (62) *(u32 *)(r10 -8) = 1
attempt to corrupt spilled pointer on stack
processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0.

Fix this by expanding the check to not consider spilled scalar registers when rejecting the write into the stack.

Previous discussion on this patch is at link [0].

[0]: https://lore.kernel.org/bpf/20240403202409.2615469-1-tao.lyu@epfl.ch

Fixes: ab125ed3ec1c ("bpf: fix check for attempt to corrupt spilled pointer")
Acked-by: Eduard Zingerman
Acked-by: Andrii Nakryiko
Signed-off-by: Tao Lyu
Signed-off-by: Kumar Kartikeya Dwivedi
---
 kernel/bpf/verifier.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f18aad339de8..01fbef9576e0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -4703,6 +4703,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, */ if (!env->allow_ptr_leaks && is_spilled_reg(&state->stack[spi]) && + !is_spilled_scalar_reg(&state->stack[spi]) && size != BPF_REG_SIZE) { verbose(env, "attempt to corrupt spilled pointer on stack\n"); return -EACCES;
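Review bot: The new !is_spilled_scalar_reg(&state->stack[spi]) term in check_stack_write_fixed_off() changes which writes are rejected, but the block comment that closes just above the condition is not part of the change; if it still describes rejecting every partial overwrite of a spilled register, update it to say that only spilled pointers are protected. The program from the commit message (a u32 store over a u64 scalar spill with allow_ptr_leaks off) is a natural regression test if the series does not already add one.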
From patchwork Wed Dec 4 04:47:55 2024
X-Patchwork-Submitter: Kumar Kartikeya Dwivedi
X-Patchwork-Id: 13893207
X-Patchwork-Delegate: bpf@iogearbox.net
From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Eduard Zingerman, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Tao Lyu, Mathias Payer, Meng Xu, Sanidhya Kashyap, kernel-team@fb.com
Subject: [PATCH bpf v4 3/5] selftests/bpf: Introduce __caps_unpriv annotation for tests
Date: Tue, 3 Dec 2024 20:47:55 -0800
Message-ID: <20241204044757.1483141-4-memxor@gmail.com>
In-Reply-To: <20241204044757.1483141-1-memxor@gmail.com>
From: Eduard Zingerman

Add a __caps_unpriv annotation so that tests requiring specific capabilities while dropping the rest can conveniently specify them during selftest declaration instead of munging with capabilities at runtime from the testing binary.

While at it, let us convert test_verifier_mtu to use this new support instead.

Since we do not want to include linux/capability.h, we only defined the four main capabilities BPF subsystem deals with in bpf_misc.h for use in tests. If the user passes a CAP_SYS_NICE or anything else that's not defined in the header, capability parsing code will return a warning.

Also reject strtol returning 0. CAP_CHOWN = 0 but we'll never need to use it, and strtol doesn't errno on failed conversion. Fail the test in such a case.

The original diff for this idea is available at link [0].

[0]: https://lore.kernel.org/bpf/a1e48f5d9ae133e19adc6adf27e19d585e06bab4.camel@gmail.com

Signed-off-by: Eduard Zingerman
[ Kartikeya: rebase on bpf-next, add warn to parse_caps, convert test_verifier_mtu ]
Signed-off-by: Kumar Kartikeya Dwivedi
---
 .../selftests/bpf/prog_tests/verifier.c | 19 +-------
 tools/testing/selftests/bpf/progs/bpf_misc.h | 12 +++++
 .../selftests/bpf/progs/verifier_mtu.c | 4 +-
 tools/testing/selftests/bpf/test_loader.c | 46 +++++++++++++++++++
 4 files changed, 62 insertions(+), 19 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/testing/selftests/bpf/prog_tests/verifier.c index d9f65adb456b..3ee40ee9413a 100644 --- a/tools/testing/selftests/bpf/prog_tests/verifier.c +++ b/tools/testing/selftests/bpf/prog_tests/verifier.c
@@ -225,24 +225,7 @@ void test_verifier_xdp(void) { RUN(verifier_xdp); } void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direct_packet_access); } void test_verifier_bits_iter(void) { RUN(verifier_bits_iter); } void test_verifier_lsm(void) { RUN(verifier_lsm); } - -void test_verifier_mtu(void) -{ - __u64 caps = 0; - int ret; - - /* In case CAP_BPF and CAP_PERFMON is not set */ - ret = cap_enable_effective(1ULL << CAP_BPF | 1ULL << CAP_NET_ADMIN, &caps); - if (!ASSERT_OK(ret, "set_cap_bpf_cap_net_admin")) - return; - ret = cap_disable_effective(1ULL << CAP_SYS_ADMIN | 1ULL << CAP_PERFMON, NULL); - if (!ASSERT_OK(ret, "disable_cap_sys_admin")) - goto restore_cap; - RUN(verifier_mtu); -restore_cap: - if (caps) - cap_enable_effective(caps, NULL); -} +void test_verifier_mtu(void) { RUN(verifier_mtu); } static int init_test_val_map(struct bpf_object *obj, char *map_name) { diff --git a/tools/testing/selftests/bpf/progs/bpf_misc.h b/tools/testing/selftests/bpf/progs/bpf_misc.h index eccaf955e394..f45f4352feeb 100644 --- a/tools/testing/selftests/bpf/progs/bpf_misc.h +++ b/tools/testing/selftests/bpf/progs/bpf_misc.h @@ -5,6 +5,10 @@ #define XSTR(s) STR(s) #define STR(s) #s +/* Expand a macro and then stringize the expansion */ +#define QUOTE(str) #str +#define EXPAND_QUOTE(str) QUOTE(str) + /* This set of attributes controls behavior of the * test_loader.c:test_loader__run_subtests(). * @@ -106,6 +110,7 @@ * __arch_* Specify on which architecture the test case should be tested. * Several __arch_* annotations could be specified at once. * When test case is not run on current arch it is marked as skipped. + * __caps_unpriv Specify the capabilities that should be set when running the test. */ #define __msg(msg) __attribute__((btf_decl_tag("comment:test_expect_msg=" XSTR(__COUNTER__) "=" msg))) #define __xlated(msg) __attribute__((btf_decl_tag("comment:test_expect_xlated=" XSTR(__COUNTER__) "=" msg))) 
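Review bot: In the bpf_misc.h hunk at -5,6 +5,10, the new QUOTE()/EXPAND_QUOTE() pair duplicates the STR()/XSTR() macros that appear as context directly above it; __caps_unpriv can use XSTR(caps) and the new pair can be dropped. The __caps_unpriv entry added to the annotation list at -106,6 +110,7 should also state the argument format: the argument is stringized after macro expansion and later split on '|', with each token taken as a capability number rather than a mask, so only '|'-separated names defined in this header work, and the annotation applies to the unprivileged run.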
@@ -129,6 +134,13 @@ #define __arch_x86_64 __arch("X86_64") #define __arch_arm64 __arch("ARM64") #define __arch_riscv64 __arch("RISCV64") +#define __caps_unpriv(caps) __attribute__((btf_decl_tag("comment:test_caps_unpriv=" EXPAND_QUOTE(caps)))) + +/* Define common capabilities tested using __caps_unpriv */ +#define CAP_NET_ADMIN 12 +#define CAP_SYS_ADMIN 21 +#define CAP_PERFMON 38 +#define CAP_BPF 39 /* Convenience macro for use with 'asm volatile' blocks */ #define __naked __attribute__((naked)) diff --git a/tools/testing/selftests/bpf/progs/verifier_mtu.c b/tools/testing/selftests/bpf/progs/verifier_mtu.c index 70c7600a26a0..4ccf1ebc42d1 100644 --- a/tools/testing/selftests/bpf/progs/verifier_mtu.c +++ b/tools/testing/selftests/bpf/progs/verifier_mtu.c @@ -6,7 +6,9 @@ SEC("tc/ingress") __description("uninit/mtu: write rejected") -__failure __msg("invalid indirect read from stack") +__success +__caps_unpriv(CAP_BPF|CAP_NET_ADMIN) +__failure_unpriv __msg_unpriv("invalid indirect read from stack") int tc_uninit_mtu(struct __sk_buff *ctx) { __u32 mtu; diff --git a/tools/testing/selftests/bpf/test_loader.c b/tools/testing/selftests/bpf/test_loader.c index 3e9b009580d4..53b06647cf57 100644 --- a/tools/testing/selftests/bpf/test_loader.c +++ b/tools/testing/selftests/bpf/test_loader.c @@ -36,6 +36,7 @@ #define TEST_TAG_ARCH "comment:test_arch=" #define TEST_TAG_JITED_PFX "comment:test_jited=" #define TEST_TAG_JITED_PFX_UNPRIV "comment:test_jited_unpriv=" +#define TEST_TAG_CAPS_UNPRIV "comment:test_caps_unpriv=" /* Warning: duplicated in bpf_misc.h */ #define POINTER_VALUE 0xcafe4all @@ -74,6 +75,7 @@ struct test_subspec { struct expected_msgs jited; int retval; bool execute; + __u64 caps; }; struct test_spec { 
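Review bot: In verifier_mtu.c, the test keeps __description("uninit/mtu: write rejected") although the privileged expectation is now __success, so the description matches only the unprivileged run; consider rewording it to cover both outcomes. In test_loader.c, the new __u64 caps field is added to struct test_subspec, while the only writer visible in this patch is spec->unpriv.caps; a short comment saying the field is meaningful only for the unprivileged subspec would help the next reader.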
@@ -276,6 +278,37 @@ static int parse_int(const char *str, int *val, const char *name) return 0; } +static int parse_caps(const char *str, __u64 *val, const char *name) +{ + int cap_flag = 0; + char *token = NULL, *saveptr = NULL; + + char *str_cpy = strdup(str); + if (str_cpy == NULL) { + PRINT_FAIL("Memory allocation failed\n"); + return -EINVAL; + } + + token = strtok_r(str_cpy, "|", &saveptr); + while (token != NULL) { + errno = 0; + if (!strncmp("CAP_", token, sizeof("CAP_") - 1)) { + PRINT_FAIL("define %s constant in bpf_misc.h, failed to parse caps\n", token); + return -EINVAL; + } + cap_flag = strtol(token, NULL, 10); + if (!cap_flag || errno) { + PRINT_FAIL("failed to parse caps %s\n", name); + return -EINVAL; + } + *val |= (1ULL << cap_flag); + token = strtok_r(NULL, "|", &saveptr); + } + + free(str_cpy); + return 0; +} + static int parse_retval(const char *str, int *val, const char *name) { struct { @@ -541,6 +574,12 @@ static int parse_test_spec(struct test_loader *tester, jit_on_next_line = true; } else if (str_has_pfx(s, TEST_BTF_PATH)) { spec->btf_custom_path = s + sizeof(TEST_BTF_PATH) - 1; + } else if (str_has_pfx(s, TEST_TAG_CAPS_UNPRIV)) { + val = s + sizeof(TEST_TAG_CAPS_UNPRIV) - 1; + err = parse_caps(val, &spec->unpriv.caps, "test caps"); + if (err) + goto cleanup; + spec->mode_mask |= UNPRIV; } } 
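Review bot: In parse_caps(), both early "return -EINVAL" paths inside the while loop skip free(str_cpy), so the strdup() copy leaks whenever a token fails to parse; route them through a common exit that frees the copy. The strtol() result is also used as a shift count without a range check: a negative value, or one of 64 or more, makes 1ULL << cap_flag undefined, so reject anything outside 1..63 (or the highest capability number the loader intends to support). Passing an end pointer to strtol() and checking that the whole token was consumed would catch a number followed by stray characters, and the strdup() failure reads more naturally as -ENOMEM than -EINVAL.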
@@ -917,6 +956,13 @@ void run_subtest(struct test_loader *tester, test__end_subtest(); return; } + if (subspec->caps) { + err = cap_enable_effective(subspec->caps, NULL); + if (err) { + PRINT_FAIL("failed to set capabilities: %i, %s\n", err, strerror(err)); + goto subtest_cleanup; + } + } } /* Implicitly reset to NULL if next test case doesn't specify */
From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Tao Lyu, Mathias Payer, Meng Xu, Sanidhya Kashyap, kernel-team@fb.com
Subject: [PATCH bpf v4 4/5] selftests/bpf: Add test for reading from STACK_INVALID slots
Date: Tue, 3 Dec 2024 20:47:56 -0800
Message-ID: <20241204044757.1483141-5-memxor@gmail.com>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20241204044757.1483141-1-memxor@gmail.com>
References: <20241204044757.1483141-1-memxor@gmail.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
MIME-Version: 1.0
X-Developer-Key: i=memxor@gmail.com; a=openpgp; fpr=4BBE2A7E06ECF9D5823C61114CE0C88648BF11CA
X-Patchwork-Delegate: bpf@iogearbox.net

Ensure that when CAP_PERFMON is dropped, and the verifier sees allow_ptr_leaks as false, we are not permitted to read from a STACK_INVALID slot.
Without the fix, the test will report unexpected success in loading. Signed-off-by: Kumar Kartikeya Dwivedi --- .../selftests/bpf/progs/verifier_spill_fill.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c index 671d9f415dbf..bab6d789ba00 100644 --- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c +++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c 
@@ -1244,4 +1244,22 @@ __naked void old_stack_misc_vs_cur_ctx_ptr(void) : __clobber_all); } +SEC("socket") +__description("stack_noperfmon: reject read of invalid slots") +__success +__caps_unpriv(CAP_BPF) +__failure_unpriv __msg_unpriv("invalid read from stack off -8+1 size 8") +__naked void stack_noperfmon_reject_invalid_read(void) +{ + asm volatile (" \ + r2 = 1; \ + r6 = r10; \ + r6 += -8; \ + *(u8 *)(r6 + 0) = r2; \ + r2 = *(u64 *)(r6 + 0); \ + r0 = 0; \ + exit; \ +" ::: __clobber_all); +} + char _license[] SEC("license") = "GPL"; From patchwork Wed Dec 4 04:47:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kumar Kartikeya Dwivedi X-Patchwork-Id: 13893209 X-Patchwork-Delegate: bpf@iogearbox.net
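Review bot: stack_noperfmon_reject_invalid_read has no comment explaining the expected message, and the offset in `__msg_unpriv("invalid read from stack off -8+1 size 8")` is easy to misread. The u8 store at r6 + 0 initializes only the first byte of the slot at r10 - 8, so the 8-byte load first hits an uninitialized byte at -8+1; a one-line comment above the asm block saying so would make the test self-explanatory. The description could also say that the rejection applies to the unprivileged run only, since the privileged run is marked __success.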
From: Kumar Kartikeya Dwivedi
To: bpf@vger.kernel.org
Cc: kkd@meta.com, Eduard Zingerman, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, Martin KaFai Lau, Tao Lyu, Mathias Payer, Meng Xu, Sanidhya Kashyap, kernel-team@fb.com
Subject: [PATCH bpf v4 5/5] selftests/bpf: Add test for narrow spill into 64-bit spilled scalar
Date: Tue, 3 Dec 2024 20:47:57 -0800
Message-ID: <20241204044757.1483141-6-memxor@gmail.com>
X-Mailer: git-send-email 2.43.5
In-Reply-To: <20241204044757.1483141-1-memxor@gmail.com>
References: <20241204044757.1483141-1-memxor@gmail.com>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
MIME-Version: 1.0
X-Developer-Key: i=memxor@gmail.com; a=openpgp; fpr=4BBE2A7E06ECF9D5823C61114CE0C88648BF11CA
X-Patchwork-Delegate: bpf@iogearbox.net

Add a test case to verify that without CAP_PERFMON, the test now succeeds instead of failing due to a verification error.

Acked-by: Eduard Zingerman
Signed-off-by: Kumar Kartikeya Dwivedi --- .../selftests/bpf/progs/verifier_spill_fill.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c index bab6d789ba00..1e5a511e8494 100644 --- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c +++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c @@ -1262,4 +1262,21 @@ __naked void stack_noperfmon_reject_invalid_read(void) " ::: __clobber_all); } +SEC("socket") +__description("stack_noperfmon: narrow spill onto 64-bit scalar spilled slots") +__success +__caps_unpriv(CAP_BPF) +__success_unpriv +__naked void stack_noperfmon_spill_32bit_onto_64bit_slot(void) +{ + asm volatile(" \ + r0 = 0; \ + *(u64 *)(r10 - 8) = r0; \ + *(u32 *)(r10 - 8) = r0; \ + exit; \ +" : + : + : __clobber_all); +} + char _license[] SEC("license") = "GPL";
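Review bot: stack_noperfmon_spill_32bit_onto_64bit_slot never reads the slot back after the `*(u32 *)(r10 - 8) = r0` store, so it only proves that the narrow spill itself is accepted without CAP_PERFMON. Consider adding a 64-bit fill from r10 - 8 before exit, with the expected outcome annotated, so the test also pins down how the four bytes not covered by the 32-bit store are tracked. Minor style point: the clobber list is split over three lines as `: : : __clobber_all` and `asm volatile(` has no space, while the test just above in the same file uses `asm volatile (` and `" ::: __clobber_all);`.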