| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Jan 2024 17:08:28 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Tiezhu Yang <yangtiezhu@...ngson.cn>
Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>, Eduard Zingerman <eddyz87@...il.com>,
John Fastabend <john.fastabend@...il.com>, Jiri Olsa <jolsa@...nel.org>,
Hou Tao <houtao@...weicloud.com>, Song Liu <song@...nel.org>, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf-next v6 3/3] selftests/bpf: Skip callback tests if jit
is disabled in test_verifier
On Sun, Jan 21, 2024 at 11:57 PM Tiezhu Yang <yangtiezhu@...ngson.cn> wrote:
>
> If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
> exist 6 failed tests.
>
> [root@...ux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
> [root@...ux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
> [root@...ux bpf]# ./test_verifier | grep FAIL
> #106/p inline simple bpf_loop call FAIL
> #107/p don't inline bpf_loop call, flags non-zero FAIL
> #108/p don't inline bpf_loop call, callback non-constant FAIL
> #109/p bpf_loop_inline and a dead func FAIL
> #110/p bpf_loop_inline stack locations for loop vars FAIL
> #111/p inline bpf_loop call in a big program FAIL
> Summary: 768 PASSED, 15 SKIPPED, 6 FAILED
>
> The test log shows that callbacks are not allowed in non-JITed programs,
> interpreter doesn't support them yet, thus these tests should be skipped
> if jit is disabled, just handle this case in do_test_single().
>
> With this patch:
>
> [root@...ux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
> [root@...ux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
> [root@...ux bpf]# ./test_verifier | grep FAIL
> Summary: 768 PASSED, 21 SKIPPED, 0 FAILED
>
> Signed-off-by: Tiezhu Yang <yangtiezhu@...ngson.cn>
> Acked-by: Hou Tao <houtao1@...wei.com>
> Acked-by: Song Liu <song@...nel.org>
> ---
> tools/testing/selftests/bpf/test_verifier.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
> index 1a09fc34d093..cf05448cfe13 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/selftests/bpf/test_verifier.c
> @@ -74,6 +74,7 @@
> 1ULL << CAP_BPF)
> #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
> static bool unpriv_disabled = false;
> +static bool jit_disabled;
> static int skips;
> static bool verbose = false;
> static int verif_log_level = 0;
> @@ -1622,6 +1623,16 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
> alignment_prevented_execution = 0;
>
> if (expected_ret == ACCEPT || expected_ret == VERBOSE_ACCEPT) {
> + if (fd_prog < 0 && saved_errno == EINVAL && jit_disabled) {
> + for (i = 0; i < prog_len; i++, prog++) {
> + if (!insn_is_pseudo_func(prog))
> + continue;
> + printf("SKIP (callbacks are not allowed in non-JITed programs)\n");
> + skips++;
> + goto close_fds;
> + }
> + }
Wouldn't it be better to add an explicit flag to those tests to mark
that they require JIT enabled, instead of trying to derive this from
analysing their BPF instructions?
> +
> if (fd_prog < 0) {
> printf("FAIL\nFailed to load prog '%s'!\n",
> strerror(saved_errno));
> @@ -1844,6 +1855,8 @@ int main(int argc, char **argv)
> return EXIT_FAILURE;
> }
>
> + jit_disabled = !is_jit_enabled();
> +
> /* Use libbpf 1.0 API mode */
> libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
>
> --
> 2.42.0
>
Powered by blists - more mailing lists