lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEf4BzaKyARO0E+9N7myGoFbbQLMh14=6bnJ2x7ejSFpZQPMyA@mail.gmail.com>
Date: Mon, 18 Dec 2023 21:52:52 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Menglong Dong <menglong8.dong@...il.com>
Cc: andrii@...nel.org, eddyz87@...il.com, yonghong.song@...ux.dev, 
	alexei.starovoitov@...il.com, ast@...nel.org, daniel@...earbox.net, 
	john.fastabend@...il.com, martin.lau@...ux.dev, song@...nel.org, 
	kpsingh@...nel.org, sdf@...gle.com, haoluo@...gle.com, jolsa@...nel.org, 
	bpf@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf-next v4 3/3] selftests/bpf: add testcase to
 verifier_bounds.c for JMP_NE

On Mon, Dec 18, 2023 at 6:27 PM Menglong Dong <menglong8.dong@...il.com> wrote:
>
> On Tue, Dec 19, 2023 at 2:03 AM Andrii Nakryiko
> <andrii.nakryiko@...il.com> wrote:
> >
> > On Sun, Dec 17, 2023 at 5:18 AM Menglong Dong <menglong8.dong@...il.com> wrote:
> > >
> > > Add testcase for the logic that the verifier tracks the BPF_JNE for regs.
> > > The assembly function "reg_not_equal()" that we add is exactly converted
> > > from the following case:
> > >
> > >   u32 a = bpf_get_prandom_u32();
> > >   u64 b = 0;
> > >
> > >   a %= 8;
> > >   /* the "a > 0" here will be optimized to "a != 0" */
> > >   if (a > 0) {
> > >     /* now the range of a should be [1, 7] */
> > >     bpf_skb_store_bytes(skb, 0, &b, a, 0);
> > >   }
> > >
> > > Signed-off-by: Menglong Dong <menglong8.dong@...il.com>
> > > ---
> > >  .../selftests/bpf/progs/verifier_bounds.c     | 27 +++++++++++++++++++
> > >  1 file changed, 27 insertions(+)
> > >
> >
> > LGTM, but please add a comment that we rely on bpf_skb_store_byte's
> > 4th argument being defined as ARG_CONST_SIZE, so zero is not allowed.
> > And that r4 == 0 check is providing us this exclusion of zero from
> > initial [0, 7] range.
> >
>
> Okay, sounds great! BTW, should I add such a comment to the
> commit log or to the assembly function?
>

I'd leave it in the code, next to the function itself

> >
> > > diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > > index ec430b71730b..3fe2ce2b3f21 100644
> > > --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > > +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> > > @@ -1075,4 +1075,31 @@ l0_%=:   r0 = 0;                                         \
> > >         : __clobber_all);
> > >  }
> > >
> > > +SEC("tc")
> > > +__description("bounds check with JMP_NE for reg edge")
> > > +__success __retval(0)
> > > +__naked void reg_not_equal(void)
> >
> > technically, you are testing `r4 == 0` :) so maybe call the test
> > reg_equal_const or something. And then add similar test where you
> > actually have `r4 != 0`, called req_no_equal_const?
> >
>
> Yeah, that makes sense. I'll add such a test in the next version.
>
> Thanks!
> Menglong Dong
>
> > > +{
> > > +       asm volatile ("                                 \
> > > +       r6 = r1;                                        \
> > > +       r1 = 0;                                         \
> > > +       *(u64*)(r10 - 8) = r1;                          \
> > > +       call %[bpf_get_prandom_u32];                    \
> > > +       r4 = r0;                                        \
> > > +       r4 &= 7;                                        \
> > > +       if r4 == 0 goto l0_%=;                          \
> > > +       r1 = r6;                                        \
> > > +       r2 = 0;                                         \
> > > +       r3 = r10;                                       \
> > > +       r3 += -8;                                       \
> > > +       r5 = 0;                                         \
> > > +       call %[bpf_skb_store_bytes];                    \
> > > +l0_%=: r0 = 0;                                         \
> > > +       exit;                                           \
> > > +"      :
> > > +       : __imm(bpf_get_prandom_u32),
> > > +         __imm(bpf_skb_store_bytes)
> > > +       : __clobber_all);
> > > +}
> > > +
> > >  char _license[] SEC("license") = "GPL";
> > > --
> > > 2.39.2
> > >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ