lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 22 Apr 2019 19:27:02 +0000
From:   Matt Mullins <mmullins@...com>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        Yonghong Song <yhs@...com>, Andrew Hall <hall@...com>,
        "bpf@...r.kernel.org" <bpf@...r.kernel.org>,
        "ast@...nel.org" <ast@...nel.org>
CC:     Song Liu <songliubraving@...com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "daniel@...earbox.net" <daniel@...earbox.net>,
        "rostedt@...dmis.org" <rostedt@...dmis.org>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "shuah@...nel.org" <shuah@...nel.org>, Martin Lau <kafai@...com>,
        "linux-kselftest@...r.kernel.org" <linux-kselftest@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>
Subject: Re: [PATCH bpf-next v3 5/5] selftests: bpf: test writable buffers in
 raw tps

On Mon, 2019-04-22 at 18:32 +0000, Yonghong Song wrote:
> 
> On 4/19/19 2:04 PM, Matt Mullins wrote:
> > This tests that:
> >    * a BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE cannot be attached if it
> >      uses either:
> >      * a variable offset to the tracepoint buffer, or
> >      * an offset beyond the size of the tracepoint buffer
> >    * a tracer can modify the buffer provided when attached to a writable
> >      tracepoint in bpf_prog_test_run
> > 
> > Signed-off-by: Matt Mullins <mmullins@...com>
> > ---
> >   include/trace/events/bpf_test_run.h           | 50 ++++++++++++
> >   net/bpf/test_run.c                            |  4 +
> >   .../raw_tp_writable_reject_nbd_invalid.c      | 40 ++++++++++
> >   .../bpf/prog_tests/raw_tp_writable_test_run.c | 80 +++++++++++++++++++
> >   .../selftests/bpf/verifier/raw_tp_writable.c  | 34 ++++++++
> >   5 files changed, 208 insertions(+)
> >   create mode 100644 include/trace/events/bpf_test_run.h
> >   create mode 100644 tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c
> >   create mode 100644 tools/testing/selftests/bpf/prog_tests/raw_tp_writable_test_run.c
> >   create mode 100644 tools/testing/selftests/bpf/verifier/raw_tp_writable.c
> > 
> > diff --git a/include/trace/events/bpf_test_run.h b/include/trace/events/bpf_test_run.h
> > new file mode 100644
> > index 000000000000..abf466839ea4
> > --- /dev/null
> > +++ b/include/trace/events/bpf_test_run.h
> > @@ -0,0 +1,50 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +#undef TRACE_SYSTEM
> > +#define TRACE_SYSTEM bpf_test_run
> > +
> > +#if !defined(_TRACE_NBD_H) || defined(TRACE_HEADER_MULTI_READ)
> > +#define _TRACE_BPF_TEST_RUN_H
> > +
> > +#include <linux/tracepoint.h>
> > +
> > +DECLARE_EVENT_CLASS(bpf_test_finish,
> > +
> > +	TP_PROTO(int *err),
> > +
> > +	TP_ARGS(err),
> > +
> > +	TP_STRUCT__entry(
> > +		__field(int, err)
> > +	),
> > +
> > +	TP_fast_assign(
> > +		__entry->err = *err;
> > +	),
> > +
> > +	TP_printk("bpf_test_finish with err=%d", __entry->err)
> > +);
> > +
> > +#ifdef DEFINE_EVENT_WRITABLE
> > +#undef BPF_TEST_RUN_DEFINE_EVENT
> > +#define BPF_TEST_RUN_DEFINE_EVENT(template, call, proto, args, size)	\
> > +	DEFINE_EVENT_WRITABLE(template, call, PARAMS(proto),		\
> > +			      PARAMS(args), size)
> > +#else
> > +#undef BPF_TEST_RUN_DEFINE_EVENT
> > +#define BPF_TEST_RUN_DEFINE_EVENT(template, call, proto, args, size)	\
> > +	DEFINE_EVENT(template, call, PARAMS(proto), PARAMS(args))
> > +#endif
> > +
> > +BPF_TEST_RUN_DEFINE_EVENT(bpf_test_finish, bpf_test_finish,
> > +
> > +	TP_PROTO(int *err),
> > +
> > +	TP_ARGS(err),
> > +
> > +	sizeof(int)
> > +);
> > +
> > +#endif
> > +
> > +/* This part must be outside protection */
> > +#include <trace/define_trace.h>
> > diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> > index fab142b796ef..25e757102595 100644
> > --- a/net/bpf/test_run.c
> > +++ b/net/bpf/test_run.c
> > @@ -13,6 +13,9 @@
> >   #include <net/sock.h>
> >   #include <net/tcp.h>
> >   
> > +#define CREATE_TRACE_POINTS
> > +#include <trace/events/bpf_test_run.h>
> > +
> >   static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat,
> >   			u32 *retval, u32 *time)
> >   {
> > @@ -100,6 +103,7 @@ static int bpf_test_finish(const union bpf_attr *kattr,
> >   	if (err != -ENOSPC)
> >   		err = 0;
> >   out:
> > +	trace_bpf_test_finish(&err);
> >   	return err;
> >   }
> >   
> > diff --git a/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c b/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c
> > new file mode 100644
> > index 000000000000..328d5c4b084b
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_reject_nbd_invalid.c
> > @@ -0,0 +1,40 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +
> > +#include <test_progs.h>
> > +#include <linux/nbd.h>
> > +
> > +void test_raw_tp_writable_reject_nbd_invalid(void)
> > +{
> > +	__u32 duration = 0;
> > +	char error[4096];
> > +	int bpf_fd = -1, tp_fd = -1;
> > +
> > +	const struct bpf_insn program[] = {
> > +		/* r6 is our tp buffer */
> > +		BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
> > +		BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 128),
> 
> The number "128" is a little cryptic. Maybe you can use something like
> sizeof(struct nbd_request)?

That was explicitly chosen to be (far) larger than an nbd_request, as
this program should be rejected by the verifier.  If you really want, I
can do `sizeof(struct nbd_request) + some constant` and add a comment. 
But the size of an nbd request should never change, as that's a network
protocol.

> 
> > +		BPF_EXIT_INSN(),
> > +	};
> > +
> > +	struct bpf_load_program_attr load_attr = {
> > +		.prog_type = BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE,
> > +		.license = "GPL v2",
> > +		.insns = program,
> > +		.insns_cnt = sizeof(program) / sizeof(struct bpf_insn),
> > +		.log_level = 2,
> > +	};
> > +
> > +	bpf_fd = bpf_load_program_xattr(&load_attr, error, sizeof(error));
> > +	if (CHECK(bpf_fd < 0, "bpf_raw_tracepoint_writable loaded",
> > +		  "failed: %d errno %d\n", bpf_fd, errno))
> > +		return;
> > +
> > +	tp_fd = bpf_raw_tracepoint_open("nbd_send_request", bpf_fd);
> > +	if (CHECK(tp_fd >= 0, "bpf_raw_tracepoint_writable opened",
> > +		  "erroneously succeeded\n"))
> > +		goto out_bpffd;
> > +
> > +	close(tp_fd);
> > +out_bpffd:
> > +	close(bpf_fd);
> > +}
> > diff --git a/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_test_run.c b/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_test_run.c
> > new file mode 100644
> > index 000000000000..4145925f9cab
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/prog_tests/raw_tp_writable_test_run.c
> > @@ -0,0 +1,80 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +
> > +#include <test_progs.h>
> > +#include <linux/nbd.h>
> > +
> > +void test_raw_tp_writable_test_run(void)
> > +{
> > +	__u32 duration = 0;
> > +	char error[4096];
> > +
> > +	const struct bpf_insn trace_program[] = {
> > +		BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
> > +		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, 0),
> > +		BPF_LD_IMM64(BPF_REG_0, 42),
> 
> You can use BPF_MOV64_IMM(BPF_REG_0, 42) instead of BPF_LD_IMM64.
> BPF_LD_IMM64 is fine, but probably BPF_MOV64_IMM is better.
> The same for a few below instances.

Ah, right.  I don't need the second opcode if the value can be zero-
extended.

> 
> > +		BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_0, 0),
> > +		BPF_EXIT_INSN(),
> > +	};
> > +
> > +	struct bpf_load_program_attr load_attr = {
> > +		.prog_type = BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE,
> > +		.license = "GPL v2",
> > +		.insns = trace_program,
> > +		.insns_cnt = sizeof(trace_program) / sizeof(struct bpf_insn),
> > +		.log_level = 2,
> > +	};
> > +
> > +	int bpf_fd = bpf_load_program_xattr(&load_attr, error, sizeof(error));
> > +	if (CHECK(bpf_fd < 0, "bpf_raw_tracepoint_writable loaded",
> > +		  "failed: %d errno %d\n", bpf_fd, errno))
> > +		return;
> > +
> > +	const struct bpf_insn skb_program[] = {
> > +		BPF_LD_IMM64(BPF_REG_0, 0),
> > +		BPF_EXIT_INSN(),
> > +	};
> > +
> > +	struct bpf_load_program_attr skb_load_attr = {
> > +		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
> > +		.license = "GPL v2",
> > +		.insns = skb_program,
> > +		.insns_cnt = sizeof(skb_program) / sizeof(struct bpf_insn),
> > +	};
> > +
> > +	int filter_fd =
> > +		bpf_load_program_xattr(&skb_load_attr, error, sizeof(error));
> > +	if (CHECK(filter_fd < 0, "test_program_loaded", "failed: %d errno %d\n",
> > +		  filter_fd, errno))
> > +		goto out_bpffd;
> > +
> > +	int tp_fd = bpf_raw_tracepoint_open("bpf_test_finish", bpf_fd);
> > +	if (CHECK(tp_fd < 0, "bpf_raw_tracepoint_writable opened",
> > +		  "failed: %d errno %d\n", tp_fd, errno))
> > +		goto out_filterfd;
> > +
> > +	char test_skb[128] = {
> > +		0,
> > +	};
> > +
> > +	__u32 prog_ret;
> > +	int err = bpf_prog_test_run(filter_fd, 1, test_skb, sizeof(test_skb), 0,
> > +				    0, &prog_ret, 0);
> > +	CHECK(err != 42, "test_run",
> > +	      "tracepoint did not modify return value\n");
> > +	CHECK(prog_ret != 0, "test_run_ret",
> > +	      "socket_filter did not return 0\n");
> > +
> > +	close(tp_fd);
> > +
> > +	err = bpf_prog_test_run(filter_fd, 1, test_skb, sizeof(test_skb), 0, 0,
> > +				&prog_ret, 0);
> > +	CHECK(err != 0, "test_run_notrace",
> > +	      "test_run failed with %d errno %d\n", err, errno);
> > +	CHECK(prog_ret != 0, "test_run_ret_notrace",
> > +	      "socket_filter did not return 0\n");
> > +
> > +out_filterfd:
> > +	close(filter_fd);
> > +out_bpffd:
> > +	close(bpf_fd);
> > +}
> > diff --git a/tools/testing/selftests/bpf/verifier/raw_tp_writable.c b/tools/testing/selftests/bpf/verifier/raw_tp_writable.c
> > new file mode 100644
> > index 000000000000..95b5d70a1dc1
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/verifier/raw_tp_writable.c
> > @@ -0,0 +1,34 @@
> > +{
> > +	"raw_tracepoint_writable: reject variable offset",
> > +	.insns = {
> > +		/* r6 is our tp buffer */
> > +		BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
> > +
> > +		BPF_LD_MAP_FD(BPF_REG_1, 0),
> > +		/* move the key (== 0) to r10-8 */
> > +		BPF_MOV32_IMM(BPF_REG_0, 0),
> > +		BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> > +		BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> > +		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
> > +		/* lookup in the map */
> > +		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> > +			     BPF_FUNC_map_lookup_elem),
> > +
> > +		/* exit clean if null */
> > +		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
> > +		BPF_EXIT_INSN(),
> > +
> > +		/* shift the buffer pointer to a variable location */
> > +		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
> > +		BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_0),
> > +		/* clobber whatever's there */
> > +		BPF_MOV64_IMM(BPF_REG_7, 4242),
> > +		BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_7, 0),
> > +
> > +		BPF_MOV64_IMM(BPF_REG_0, 0),
> > +		BPF_EXIT_INSN(),
> > +	},
> > +	.fixup_map_hash_8b = { 1, },
> > +	.prog_type = BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE,
> > +	.errstr = "R6 invalid variable buffer offset: off=0, var_off=(0x0; 0xffffffff)",
> > +},
> > 

Powered by blists - more mailing lists