forked from Minki/linux
selftests/bpf: Test bpf_iter buffer access with negative offset
Commitafbf21dce6
("bpf: Support readonly/readwrite buffers in verifier") added readonly/readwrite buffer support which is currently used by bpf_iter tracing programs. It has a bug with incorrect parameter ordering which later fixed by Commitf6dfbe31e8
("bpf: Fix swapped arguments in calls to check_buffer_access"). This patch added a test case with a negative offset access which will trigger the error path. Without Commitf6dfbe31e8
, running the test case in the patch, the error message looks like: R1_w=rdwr_buf(id=0,off=0,imm=0) R10=fp0 ; value_sum += *(__u32 *)(value - 4); 2: (61) r1 = *(u32 *)(r1 -4) R1 invalid (null) buffer access: off=-4, size=4 With the above commit, the error message looks like: R1_w=rdwr_buf(id=0,off=0,imm=0) R10=fp0 ; value_sum += *(__u32 *)(value - 4); 2: (61) r1 = *(u32 *)(r1 -4) R1 invalid rdwr buffer access: off=-4, size=4 Signed-off-by: Yonghong Song <yhs@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Song Liu <songliubraving@fb.com> Link: https://lore.kernel.org/bpf/20200728221801.1090406-1-yhs@fb.com
This commit is contained in:
parent
4fc00b79b8
commit
12e6196fb1
@ -21,6 +21,7 @@
|
||||
#include "bpf_iter_bpf_percpu_array_map.skel.h"
|
||||
#include "bpf_iter_bpf_sk_storage_map.skel.h"
|
||||
#include "bpf_iter_test_kern5.skel.h"
|
||||
#include "bpf_iter_test_kern6.skel.h"
|
||||
|
||||
static int duration;
|
||||
|
||||
@ -885,6 +886,16 @@ static void test_rdonly_buf_out_of_bound(void)
|
||||
bpf_iter_test_kern5__destroy(skel);
|
||||
}
|
||||
|
||||
static void test_buf_neg_offset(void)
|
||||
{
|
||||
struct bpf_iter_test_kern6 *skel;
|
||||
|
||||
skel = bpf_iter_test_kern6__open_and_load();
|
||||
if (CHECK(skel, "bpf_iter_test_kern6__open_and_load",
|
||||
"skeleton open_and_load unexpected success\n"))
|
||||
bpf_iter_test_kern6__destroy(skel);
|
||||
}
|
||||
|
||||
void test_bpf_iter(void)
|
||||
{
|
||||
if (test__start_subtest("btf_id_or_null"))
|
||||
@ -933,4 +944,6 @@ void test_bpf_iter(void)
|
||||
test_bpf_sk_storage_map();
|
||||
if (test__start_subtest("rdonly-buf-out-of-bound"))
|
||||
test_rdonly_buf_out_of_bound();
|
||||
if (test__start_subtest("buf-neg-offset"))
|
||||
test_buf_neg_offset();
|
||||
}
|
||||
|
21
tools/testing/selftests/bpf/progs/bpf_iter_test_kern6.c
Normal file
21
tools/testing/selftests/bpf/progs/bpf_iter_test_kern6.c
Normal file
@ -0,0 +1,21 @@
|
||||
// SPDX-License-Identifier: GPL-2.0
|
||||
/* Copyright (c) 2020 Facebook */
|
||||
#include "bpf_iter.h"
|
||||
#include <bpf/bpf_helpers.h>
|
||||
|
||||
char _license[] SEC("license") = "GPL";
|
||||
|
||||
__u32 value_sum = 0;
|
||||
|
||||
SEC("iter/bpf_map_elem")
|
||||
int dump_bpf_hash_map(struct bpf_iter__bpf_map_elem *ctx)
|
||||
{
|
||||
void *value = ctx->value;
|
||||
|
||||
if (value == (void *)0)
|
||||
return 0;
|
||||
|
||||
/* negative offset, verifier failure. */
|
||||
value_sum += *(__u32 *)(value - 4);
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue
Block a user