| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Dec 2022 14:01:58 -0800
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Hao Sun <sunhao.th@...il.com>
Cc: ast@...nel.org, daniel@...earbox.net, john.fastabend@...il.com,
andrii@...nel.org, song@...nel.org, yhs@...com, kpsingh@...nel.org,
sdf@...gle.com, haoluo@...gle.com, jolsa@...nel.org,
davem@...emloft.net, linux-kernel@...r.kernel.org,
bpf@...r.kernel.org
Subject: Re: [PATCH bpf-next v2 2/2] selftests/bpf: check null propagation
only neither reg is PTR_TO_BTF_ID
On 12/12/22 7:04 PM, Hao Sun wrote:
> Verify that nullness information is not porpagated in the branches
> of register to register JEQ and JNE operations if one of them is
> PTR_TO_BTF_ID.
Thanks for the fix and test.
>
> Signed-off-by: Hao Sun <sunhao.th@...il.com>
> Acked-by: Yonghong Song <yhs@...com>
> ---
> .../bpf/verifier/jeq_infer_not_null.c | 22 +++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/verifier/jeq_infer_not_null.c b/tools/testing/selftests/bpf/verifier/jeq_infer_not_null.c
> index 67a1c07ead34..b2b215227d97 100644
> --- a/tools/testing/selftests/bpf/verifier/jeq_infer_not_null.c
> +++ b/tools/testing/selftests/bpf/verifier/jeq_infer_not_null.c
> @@ -172,3 +172,25 @@
> .prog_type = BPF_PROG_TYPE_XDP,
> .result = ACCEPT,
> },
> +{
> + "jne/jeq infer not null, PTR_TO_MAP_OR_NULL unchanged with PTR_TO_BTF_ID reg",
> + .insns = {
> + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> + BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
> + BPF_LD_MAP_FD(BPF_REG_1, 0),
> + /* r6 = bpf_map->inner_map_meta; */
> + BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
This bpf_map->inner_map_meta requires CO-RE. It works now but could be fragile
in different platform and in the future bpf_map changes. Take a look at the
map_ptr_kern.c which uses "__attribute__((preserve_access_index))" at the
"struct bpf_map".
Please translate this verifer test into a proper bpf prog in C code such that it
can use the CO-RE in libbpf. It should run under test_progs instead of
test_verifier. The bpf prog can include the "vmlinux.h" to get the
"__attribute__((preserve_access_index))" for free. Take a look at
https://lore.kernel.org/all/20221207201648.2990661-2-andrii@kernel.org/ which
has example on how to check verifier message in test_progs.
> + /* r0 = map_lookup_elem(r1, r2); */
> + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
> + /* if (r0 == r6) read *r0; */
> + BPF_JMP_REG(BPF_JEQ, BPF_REG_6, BPF_REG_0, 1),
> + BPF_EXIT_INSN(),
> + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .fixup_map_hash_8b = { 3 },
> + .prog_type = BPF_PROG_TYPE_XDP,
> + .result = REJECT,
> + .errstr = "R0 invalid mem access 'map_value_or_null'",
> +},
Powered by blists - more mailing lists