| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAP01T75fKAxU-EsJiaoqnymn2b_+=TAKMOvt0Tdd_+Wm5YaXHw@mail.gmail.com>
Date: Tue, 6 Sep 2022 05:03:07 +0200
From: Kumar Kartikeya Dwivedi <memxor@...il.com>
To: Roberto Sassu <roberto.sassu@...weicloud.com>
Cc: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
martin.lau@...ux.dev, song@...nel.org, yhs@...com,
john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
haoluo@...gle.com, jolsa@...nel.org, mykolal@...com,
dhowells@...hat.com, jarkko@...nel.org, rostedt@...dmis.org,
mingo@...hat.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, shuah@...nel.org, bpf@...r.kernel.org,
keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org,
deso@...teo.net, Roberto Sassu <roberto.sassu@...wei.com>
Subject: Re: [PATCH v16 09/12] selftests/bpf: Add verifier tests for
bpf_lookup_*_key() and bpf_key_put()
On Mon, 5 Sept 2022 at 16:36, Roberto Sassu
<roberto.sassu@...weicloud.com> wrote:
>
> From: Roberto Sassu <roberto.sassu@...wei.com>
>
> Add verifier tests for bpf_lookup_*_key() and bpf_key_put(), to ensure that
> acquired key references stored in the bpf_key structure are released, that
> a non-NULL bpf_key pointer is passed to bpf_key_put(), and that key
> references are not leaked.
>
> Also, slightly modify test_verifier.c, to find the BTF ID of the attach
> point for the LSM program type (currently, it is done only for TRACING).
>
> Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
> ---
Acked-by: Kumar Kartikeya Dwivedi <memxor@...il.com>
> tools/testing/selftests/bpf/config | 1 +
> tools/testing/selftests/bpf/test_verifier.c | 3 +-
> .../selftests/bpf/verifier/ref_tracking.c | 139 ++++++++++++++++++
> 3 files changed, 142 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
> index 0fdd11e6b742..add5a5a919b4 100644
> --- a/tools/testing/selftests/bpf/config
> +++ b/tools/testing/selftests/bpf/config
> @@ -30,6 +30,7 @@ CONFIG_IPV6_GRE=y
> CONFIG_IPV6_SEG6_BPF=y
> CONFIG_IPV6_SIT=y
> CONFIG_IPV6_TUNNEL=y
> +CONFIG_KEYS=y
> CONFIG_LIRC=y
> CONFIG_LWTUNNEL=y
> CONFIG_MPLS=y
> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
> index f9d553fbf68a..2dbcbf363c18 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/selftests/bpf/test_verifier.c
> @@ -1498,7 +1498,8 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
> opts.log_level = DEFAULT_LIBBPF_LOG_LEVEL;
> opts.prog_flags = pflags;
>
> - if (prog_type == BPF_PROG_TYPE_TRACING && test->kfunc) {
> + if ((prog_type == BPF_PROG_TYPE_TRACING ||
> + prog_type == BPF_PROG_TYPE_LSM) && test->kfunc) {
> int attach_btf_id;
>
> attach_btf_id = libbpf_find_vmlinux_btf_id(test->kfunc,
> diff --git a/tools/testing/selftests/bpf/verifier/ref_tracking.c b/tools/testing/selftests/bpf/verifier/ref_tracking.c
> index 57a83d763ec1..f18ce867271f 100644
> --- a/tools/testing/selftests/bpf/verifier/ref_tracking.c
> +++ b/tools/testing/selftests/bpf/verifier/ref_tracking.c
> @@ -84,6 +84,145 @@
> .errstr = "Unreleased reference",
> .result = REJECT,
> },
> +{
> + "reference tracking: acquire/release user key reference",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, -3),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_user_key", 2 },
> + { "bpf_key_put", 5 },
> + },
> + .result = ACCEPT,
> +},
> +{
> + "reference tracking: acquire/release system key reference",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_system_key", 1 },
> + { "bpf_key_put", 4 },
> + },
> + .result = ACCEPT,
> +},
> +{
> + "reference tracking: release user key reference without check",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, -3),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "arg#0 pointer type STRUCT bpf_key must point to scalar, or struct with scalar",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_user_key", 2 },
> + { "bpf_key_put", 4 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: release system key reference without check",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "arg#0 pointer type STRUCT bpf_key must point to scalar, or struct with scalar",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_system_key", 1 },
> + { "bpf_key_put", 3 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: release with NULL key pointer",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "arg#0 pointer type STRUCT bpf_key must point to scalar, or struct with scalar",
> + .fixup_kfunc_btf_id = {
> + { "bpf_key_put", 1 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: leak potential reference to user key",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, -3),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "Unreleased reference",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_user_key", 2 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: leak potential reference to system key",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "Unreleased reference",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_system_key", 1 },
> + },
> + .result = REJECT,
> +},
> {
> "reference tracking: release reference without check",
> .insns = {
> --
> 2.25.1
>
Powered by blists - more mailing lists