| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Nov 2022 20:29:12 +0800
From: Hao Sun <sunhao.th@...il.com>
To: bpf@...r.kernel.org
Cc: ast@...nel.org, daniel@...earbox.net, john.fastabend@...il.com,
andrii@...nel.org, martin.lau@...ux.dev, song@...nel.org,
yhs@...com, kpsingh@...nel.org, sdf@...gle.com, haoluo@...gle.com,
jolsa@...nel.org, davem@...emloft.net,
linux-kernel@...r.kernel.org, Hao Sun <sunhao.th@...il.com>
Subject: [PATCH bpf-next v3 3/3] selftests/bpf: Add tests for LDX/STX/ST sanitize
Add tests for LDX/STX/ST instrumentation in each possible case.
Five cases for STX/ST, nice cases for LDX. All new/existing
selftests can pass.
A slab-out-of-bounds read report is also availble, which is
achieved by exploiting CVE-2022-23222 and can be reproduced
in Linux v5.10: https://pastebin.com/raw/Ee1Cw492
Signed-off-by: Hao Sun <sunhao.th@...il.com>
---
.../selftests/bpf/verifier/sanitize_st_ldx.c | 317 ++++++++++++++++++
1 file changed, 317 insertions(+)
create mode 100644 tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c
diff --git a/tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c b/tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c
new file mode 100644
index 000000000000..dfd53f97eb95
--- /dev/null
+++ b/tools/testing/selftests/bpf/verifier/sanitize_st_ldx.c
@@ -0,0 +1,317 @@
+#ifdef CONFIG_BPF_PROG_KASAN
+
+#define __BACKUP_REG(n) \
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_##n, INSN_OFF_MASK)
+#define BACKUP_SCRATCH_REGS \
+ __BACKUP_REG(1), __BACKUP_REG(2), __BACKUP_REG(3), __BACKUP_REG(4), \
+ __BACKUP_REG(5)
+
+#define __RESTORE_REG(n) \
+ BPF_LDX_MEM(BPF_DW, BPF_REG_##n, BPF_REG_10, INSN_OFF_MASK)
+#define RESTORE_SCRATCH_REGS \
+ __RESTORE_REG(1), __RESTORE_REG(2), __RESTORE_REG(3), \
+ __RESTORE_REG(4), __RESTORE_REG(5)
+
+{
+ "sanitize stx: dst is R1, off is zero",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 1),
+ },
+},
+{
+ "sanitize stx: dst is R1",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, -8, 1),
+ },
+},
+{
+ "sanitize stx: dst is other regs, off is zero",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 1),
+ },
+},
+{
+ "sanitize stx: dst is other regs",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 1),
+ },
+},
+{
+ "sanitize stx: dst is R10",
+ .insns = {
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .unexpected_insns = {
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ },
+},
+{
+ "sanitize ldx: src is R1, dst is R0, off is zero",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
+ },
+},
+{
+ "sanitize ldx: src is R1, dst is R0",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+ },
+},
+{
+ "sanitize ldx: src is R1, dst is others, off is zero",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
+ },
+},
+{
+ "sanitize ldx: src is R1, dst is others",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+ BPF_ST_MEM(BPF_DW, BPF_REG_1, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, -8),
+ },
+},
+{
+ "sanitize ldx: src is others, dst is R0, off is zero",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
+ },
+},
+{
+ "sanitize ldx: src is others, dst is R0",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
+ },
+},
+{
+ "sanitize ldx: src is others, dst is others, off is zero",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
+ },
+},
+{
+ "sanitize ldx: src is others, dst is others",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .expected_insns = {
+ BACKUP_SCRATCH_REGS,
+ BPF_MOV64_REG(MAX_BPF_REG, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ RESTORE_SCRATCH_REGS,
+ BPF_MOV64_REG(BPF_REG_0, MAX_BPF_REG),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -8),
+ },
+},
+{
+ "sanitize LDX: SRC is R10",
+ .insns = {
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 1),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 1),
+ BPF_MOV64_IMM(BPF_REG_0, 2),
+ BPF_EXIT_INSN(),
+ },
+ .result = ACCEPT,
+ .retval = 1,
+ .unexpected_insns = {
+ BPF_EMIT_CALL(INSN_IMM_MASK),
+ },
+},
+#endif /* CONFIG_BPF_PROG_KASAN */
--
2.38.1
Powered by blists - more mailing lists