forked from Minki/linux
6b80ad2992
This checks that it is not possible to bypass the total stack size check in
update_stack_depth() by calling a function that uses a large amount of
stack memory *before* using a large amount of stack memory in the caller.

Currently, the first added testcase causes a rejection as expected, but
the second testcase is (AFAICS incorrectly) accepted:

[...]
#483/p calls: stack overflow using two frames (post-call access) FAIL
Unexpected success to load!
0: (85) call pc+2
caller:
 R10=fp0,call_-1
callee:
 frame1: R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
3: (72) *(u8 *)(r10 -300) = 0
4: (b7) r0 = 0
5: (95) exit
returning from callee:
 frame1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
to caller at 1:
 R0_w=inv0 R10=fp0,call_-1
from 5 to 1: R0=inv0 R10=fp0,call_-1
1: (72) *(u8 *)(r10 -300) = 0
2: (95) exit
processed 6 insns, stack depth 300+300
[...]
Summary: 704 PASSED, 1 FAILED

AFAICS the JIT-generated code for the second testcase shows that this
really causes the stack pointer to be decremented by 300+300:

first function:
00000000  55                push rbp
00000001  4889E5            mov rbp,rsp
00000004  4881EC58010000    sub rsp,0x158
0000000B  4883ED28          sub rbp,byte +0x28
[...]
00000025  E89AB3AFE5        call 0xffffffffe5afb3c4
0000002A  C685D4FEFFFF00    mov byte [rbp-0x12c],0x0
[...]
00000041  4883C528          add rbp,byte +0x28
00000045  C9                leave
00000046  C3                ret

second function:
00000000  55                push rbp
00000001  4889E5            mov rbp,rsp
00000004  4881EC58010000    sub rsp,0x158
0000000B  4883ED28          sub rbp,byte +0x28
[...]
00000025  C685D4FEFFFF00    mov byte [rbp-0x12c],0x0
[...]
0000003E  4883C528          add rbp,byte +0x28
00000042  C9                leave
00000043  C3                ret

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
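The ordering problem the verifier log above demonstrates, modeled in C as an added example (this is not code from the commit, the selftest, or the kernel). The model walks a two-subprogram program and applies the stack-depth check in two ways: eagerly at each stack access, summing only the frames currently on the call chain (which is what the log shows, and why a callee that has already returned no longer counts against the caller's later access), and as a separate pass over the call graph once every subprogram's depth is final (the direction the kernel's later fix took with check_max_stack_depth()). The toy instruction set, the names walk, verify_eager, verify_postpass and two_frame_prog, and the bounds MAX_SUBPROGS and MAX_INSNS are assumptions of this example; MAX_BPF_STACK = 512 is the kernel's limit. The example also goes beyond the commit's 300+300 case by taking the access offset as a parameter, so the 256+256 boundary can be checked too.

```c
/* Added model of the BPF verifier's total-stack-depth check across
 * bpf-to-bpf calls; not kernel code. Assumes straight-line subprograms
 * (no branches) and no recursion. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_BPF_STACK 512   /* kernel's per-program stack limit */
#define MAX_SUBPROGS  4     /* toy bounds, not the kernel's */
#define MAX_INSNS     4

enum op { OP_STACK_ACCESS, OP_CALL, OP_EXIT };

struct insn {
    enum op op;
    int arg;  /* OP_STACK_ACCESS: negative r10 offset; OP_CALL: callee index */
};
struct subprog { struct insn insns[MAX_INSNS]; int len; };
struct prog    { struct subprog sub[MAX_SUBPROGS]; int nsub; };

struct analysis {
    int  depth[MAX_SUBPROGS];                /* max stack bytes per subprog */
    bool calls[MAX_SUBPROGS][MAX_SUBPROGS];  /* calls[i][j]: i calls j */
};

/* Abstractly execute the single path through the program, recording each
 * subprog's depth and the call edges. With eager set, apply the check the
 * log above shows: whenever an access grows a subprog's depth, sum the
 * depths of the frames *currently* on the call chain and reject if that
 * exceeds MAX_BPF_STACK. Returns false on reject or malformed program. */
static bool walk(const struct prog *p, bool eager, struct analysis *a)
{
    int chain[MAX_SUBPROGS], pc[MAX_SUBPROGS], frame = 0;

    *a = (struct analysis){0};
    chain[0] = 0;
    pc[0] = 0;
    for (;;) {
        int cur = chain[frame];
        const struct subprog *s = &p->sub[cur];
        const struct insn *in;

        if (pc[frame] >= s->len)
            return false;                 /* ran off the end: malformed */
        in = &s->insns[pc[frame]++];
        switch (in->op) {
        case OP_STACK_ACCESS:
            if (-in->arg > a->depth[cur]) {
                a->depth[cur] = -in->arg;
                if (eager) {
                    int total = 0;
                    for (int i = 0; i <= frame; i++)
                        total += a->depth[chain[i]];
                    if (total > MAX_BPF_STACK)
                        return false;
                }
            }
            break;
        case OP_CALL:
            if (frame + 1 >= MAX_SUBPROGS || in->arg >= p->nsub)
                return false;
            a->calls[cur][in->arg] = true;
            frame++;
            chain[frame] = in->arg;
            pc[frame] = 0;
            break;
        case OP_EXIT:
            if (frame == 0)
                return true;              /* main program finished */
            frame--;
            break;
        }
    }
}

/* Largest stack total along any call chain rooted at sub, evaluated after
 * all depths are final. hops bounds recursion so a cycle reads as over-limit. */
static int max_chain_depth(const struct analysis *a, int sub, int hops)
{
    int best = a->depth[sub];

    if (hops > MAX_SUBPROGS)
        return MAX_BPF_STACK + 1;
    for (int j = 0; j < MAX_SUBPROGS; j++) {
        if (!a->calls[sub][j])
            continue;
        int d = a->depth[sub] + max_chain_depth(a, j, hops + 1);
        if (d > best)
            best = d;
    }
    return best;
}

bool verify_eager(const struct prog *p)      /* behaviour the log shows */
{
    struct analysis a;
    return walk(p, true, &a);
}

bool verify_postpass(const struct prog *p)   /* walk, then check every chain */
{
    struct analysis a;
    if (!walk(p, false, &a))
        return false;
    return max_chain_depth(&a, 0, 0) <= MAX_BPF_STACK;
}

/* Constructed program shaped like the commit's testcases: a callee that
 * writes at r10+off, and a main program that writes at r10+off either
 * before or after calling it. */
struct prog two_frame_prog(int off, bool access_after_call)
{
    struct prog p = { .nsub = 2 };
    struct subprog *m = &p.sub[0], *c = &p.sub[1];

    c->insns[0] = (struct insn){ OP_STACK_ACCESS, off };  /* *(u8 *)(r10 off) = 0 */
    c->insns[1] = (struct insn){ OP_EXIT, 0 };
    c->len = 2;
    if (access_after_call) {
        m->insns[0] = (struct insn){ OP_CALL, 1 };
        m->insns[1] = (struct insn){ OP_STACK_ACCESS, off };
    } else {
        m->insns[0] = (struct insn){ OP_STACK_ACCESS, off };
        m->insns[1] = (struct insn){ OP_CALL, 1 };
    }
    m->insns[2] = (struct insn){ OP_EXIT, 0 };
    m->len = 3;
    return p;
}

int main(void)
{
    struct prog pre = two_frame_prog(-300, false), post = two_frame_prog(-300, true);

    printf("pre-call access : eager %s, post-pass %s\n",
           verify_eager(&pre) ? "accept" : "reject",
           verify_postpass(&pre) ? "accept" : "reject");
    printf("post-call access: eager %s, post-pass %s\n",
           verify_eager(&post) ? "accept" : "reject",
           verify_postpass(&post) ? "accept" : "reject");
    return 0;
}
```

The eager variant rejects the pre-call case (the callee's access is checked while the caller's 300 bytes are already on the chain) but accepts the post-call case, because by the time the caller touches r10-300 the callee's frame has been popped and only 300 bytes are summed; the post-pass variant rejects both, since it sums along the main-to-callee edge regardless of when each access was seen.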