lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20250613-deny_trampoline_structs_on_stack-v1-7-5be9211768c3@bootlin.com>
Date: Fri, 13 Jun 2025 09:37:16 +0200
From: Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
To: Alexei Starovoitov <ast@...nel.org>, 
 Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, 
 Martin KaFai Lau <martin.lau@...ux.dev>, 
 Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, 
 Yonghong Song <yonghong.song@...ux.dev>, 
 John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, 
 Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, 
 Jiri Olsa <jolsa@...nel.org>, "David S. Miller" <davem@...emloft.net>, 
 David Ahern <dsahern@...nel.org>, Thomas Gleixner <tglx@...utronix.de>, 
 Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, 
 Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org, 
 "H. Peter Anvin" <hpa@...or.com>, Menglong Dong <imagedong@...cent.com>, 
 Björn Töpel <bjorn@...nel.org>, 
 Pu Lehui <pulehui@...wei.com>, Puranjay Mohan <puranjay@...nel.org>, 
 Paul Walmsley <paul.walmsley@...ive.com>, 
 Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>, 
 Alexandre Ghiti <alex@...ti.fr>, Ilya Leoshkevich <iii@...ux.ibm.com>, 
 Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>, 
 Alexander Gordeev <agordeev@...ux.ibm.com>, 
 Christian Borntraeger <borntraeger@...ux.ibm.com>, 
 Sven Schnelle <svens@...ux.ibm.com>, Hari Bathini <hbathini@...ux.ibm.com>, 
 Christophe Leroy <christophe.leroy@...roup.eu>, 
 Naveen N Rao <naveen@...nel.org>, Madhavan Srinivasan <maddy@...ux.ibm.com>, 
 Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, 
 Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>, 
 Maxime Coquelin <mcoquelin.stm32@...il.com>, 
 Alexandre Torgue <alexandre.torgue@...s.st.com>
Cc: ebpf@...uxfoundation.org, 
 Thomas Petazzoni <thomas.petazzoni@...tlin.com>, 
 Bastien Curutchet <bastien.curutchet@...tlin.com>, netdev@...r.kernel.org, 
 bpf@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Björn Töpel <bjorn@...osinc.com>, 
 linux-riscv@...ts.infradead.org, linux-s390@...r.kernel.org, 
 linuxppc-dev@...ts.ozlabs.org, linux-kselftest@...r.kernel.org, 
 linux-stm32@...md-mailman.stormreply.com, 
 linux-arm-kernel@...ts.infradead.org, 
 Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
Subject: [PATCH bpf 7/7] selftests/bpf: ensure that functions passing
 structs on stack can not be hooked

When attaching ebpf programs to functions through fentry/fexit, the
generated trampolines can not really make sure about the arguments exact
location on the stack if those are structures: those structures can be
altered with attributes such as packed or aligned(x), but this
information is not encoded in BTF.

Update tracing_struct_many_args test to check that programs can not be
attached on those specific functions. Not all architectures can use the
same number of registers to pass arguments, so define a testing function
that makes all currently supported architectures start passing arguments
on stack (-> more than 8 args)

Signed-off-by: Alexis Lothoré (eBPF Foundation) <alexis.lothore@...tlin.com>
---
 .../selftests/bpf/prog_tests/tracing_struct.c      | 37 +-----------
 .../selftests/bpf/progs/tracing_struct_many_args.c | 70 ----------------------
 .../testing/selftests/bpf/test_kmods/bpf_testmod.c | 43 ++-----------
 3 files changed, 6 insertions(+), 144 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/tracing_struct.c b/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
index 19e68d4b353278bf8e2917e62f62c89d14d7fe80..a084f6e5eca4e97b463950feba2142a628e9ec72 100644
--- a/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
+++ b/tools/testing/selftests/bpf/prog_tests/tracing_struct.c
@@ -70,44 +70,9 @@ static void test_struct_many_args(void)
 		return;
 
 	err = tracing_struct_many_args__attach(skel);
-	if (!ASSERT_OK(err, "tracing_struct_many_args__attach"))
+	if (!ASSERT_EQ(err, -ENOTSUPP, "tracing_struct_many_args__attach"))
 		goto destroy_skel;
 
-	ASSERT_OK(trigger_module_test_read(256), "trigger_read");
-
-	ASSERT_EQ(skel->bss->t7_a, 16, "t7:a");
-	ASSERT_EQ(skel->bss->t7_b, 17, "t7:b");
-	ASSERT_EQ(skel->bss->t7_c, 18, "t7:c");
-	ASSERT_EQ(skel->bss->t7_d, 19, "t7:d");
-	ASSERT_EQ(skel->bss->t7_e, 20, "t7:e");
-	ASSERT_EQ(skel->bss->t7_f_a, 21, "t7:f.a");
-	ASSERT_EQ(skel->bss->t7_f_b, 22, "t7:f.b");
-	ASSERT_EQ(skel->bss->t7_ret, 133, "t7 ret");
-
-	ASSERT_EQ(skel->bss->t8_a, 16, "t8:a");
-	ASSERT_EQ(skel->bss->t8_b, 17, "t8:b");
-	ASSERT_EQ(skel->bss->t8_c, 18, "t8:c");
-	ASSERT_EQ(skel->bss->t8_d, 19, "t8:d");
-	ASSERT_EQ(skel->bss->t8_e, 20, "t8:e");
-	ASSERT_EQ(skel->bss->t8_f_a, 21, "t8:f.a");
-	ASSERT_EQ(skel->bss->t8_f_b, 22, "t8:f.b");
-	ASSERT_EQ(skel->bss->t8_g, 23, "t8:g");
-	ASSERT_EQ(skel->bss->t8_ret, 156, "t8 ret");
-
-	ASSERT_EQ(skel->bss->t9_a, 16, "t9:a");
-	ASSERT_EQ(skel->bss->t9_b, 17, "t9:b");
-	ASSERT_EQ(skel->bss->t9_c, 18, "t9:c");
-	ASSERT_EQ(skel->bss->t9_d, 19, "t9:d");
-	ASSERT_EQ(skel->bss->t9_e, 20, "t9:e");
-	ASSERT_EQ(skel->bss->t9_f, 21, "t9:f");
-	ASSERT_EQ(skel->bss->t9_g, 22, "t9:f");
-	ASSERT_EQ(skel->bss->t9_h_a, 23, "t9:h.a");
-	ASSERT_EQ(skel->bss->t9_h_b, 24, "t9:h.b");
-	ASSERT_EQ(skel->bss->t9_h_c, 25, "t9:h.c");
-	ASSERT_EQ(skel->bss->t9_h_d, 26, "t9:h.d");
-	ASSERT_EQ(skel->bss->t9_i, 27, "t9:i");
-	ASSERT_EQ(skel->bss->t9_ret, 258, "t9 ret");
-
 destroy_skel:
 	tracing_struct_many_args__destroy(skel);
 }
diff --git a/tools/testing/selftests/bpf/progs/tracing_struct_many_args.c b/tools/testing/selftests/bpf/progs/tracing_struct_many_args.c
index 4742012ace06af949d7f15a21131aaef7ab006e4..1cbedcdc1c42e1fe2f118fdbd1a4ab7fe48b52fb 100644
--- a/tools/testing/selftests/bpf/progs/tracing_struct_many_args.c
+++ b/tools/testing/selftests/bpf/progs/tracing_struct_many_args.c
@@ -8,28 +8,11 @@ struct bpf_testmod_struct_arg_4 {
 	int b;
 };
 
-struct bpf_testmod_struct_arg_5 {
-	char a;
-	short b;
-	int c;
-	long d;
-};
-
-long t7_a, t7_b, t7_c, t7_d, t7_e, t7_f_a, t7_f_b, t7_ret;
-long t8_a, t8_b, t8_c, t8_d, t8_e, t8_f_a, t8_f_b, t8_g, t8_ret;
-long t9_a, t9_b, t9_c, t9_d, t9_e, t9_f, t9_g, t9_h_a, t9_h_b, t9_h_c, t9_h_d, t9_i, t9_ret;
 
 SEC("fentry/bpf_testmod_test_struct_arg_7")
 int BPF_PROG2(test_struct_many_args_1, __u64, a, void *, b, short, c, int, d,
 	      void *, e, struct bpf_testmod_struct_arg_4, f)
 {
-	t7_a = a;
-	t7_b = (long)b;
-	t7_c = c;
-	t7_d = d;
-	t7_e = (long)e;
-	t7_f_a = f.a;
-	t7_f_b = f.b;
 	return 0;
 }
 
@@ -37,59 +20,6 @@ SEC("fexit/bpf_testmod_test_struct_arg_7")
 int BPF_PROG2(test_struct_many_args_2, __u64, a, void *, b, short, c, int, d,
 	      void *, e, struct bpf_testmod_struct_arg_4, f, int, ret)
 {
-	t7_ret = ret;
-	return 0;
-}
-
-SEC("fentry/bpf_testmod_test_struct_arg_8")
-int BPF_PROG2(test_struct_many_args_3, __u64, a, void *, b, short, c, int, d,
-	      void *, e, struct bpf_testmod_struct_arg_4, f, int, g)
-{
-	t8_a = a;
-	t8_b = (long)b;
-	t8_c = c;
-	t8_d = d;
-	t8_e = (long)e;
-	t8_f_a = f.a;
-	t8_f_b = f.b;
-	t8_g = g;
-	return 0;
-}
-
-SEC("fexit/bpf_testmod_test_struct_arg_8")
-int BPF_PROG2(test_struct_many_args_4, __u64, a, void *, b, short, c, int, d,
-	      void *, e, struct bpf_testmod_struct_arg_4, f, int, g,
-	      int, ret)
-{
-	t8_ret = ret;
 	return 0;
 }
-
-SEC("fentry/bpf_testmod_test_struct_arg_9")
-int BPF_PROG2(test_struct_many_args_5, __u64, a, void *, b, short, c, int, d, void *, e,
-	      char, f, short, g, struct bpf_testmod_struct_arg_5, h, long, i)
-{
-	t9_a = a;
-	t9_b = (long)b;
-	t9_c = c;
-	t9_d = d;
-	t9_e = (long)e;
-	t9_f = f;
-	t9_g = g;
-	t9_h_a = h.a;
-	t9_h_b = h.b;
-	t9_h_c = h.c;
-	t9_h_d = h.d;
-	t9_i = i;
-	return 0;
-}
-
-SEC("fexit/bpf_testmod_test_struct_arg_9")
-int BPF_PROG2(test_struct_many_args_6, __u64, a, void *, b, short, c, int, d, void *, e,
-	      char, f, short, g, struct bpf_testmod_struct_arg_5, h, long, i, int, ret)
-{
-	t9_ret = ret;
-	return 0;
-}
-
 char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
index e9e918cdf31ff2b15bf41302ad429e8683b834d6..ff6a4a0fb73679c6c4831ae0662bce2080e53c23 100644
--- a/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
+++ b/tools/testing/selftests/bpf/test_kmods/bpf_testmod.c
@@ -55,13 +55,6 @@ struct bpf_testmod_struct_arg_4 {
 	int b;
 };
 
-struct bpf_testmod_struct_arg_5 {
-	char a;
-	short b;
-	int c;
-	long d;
-};
-
 __bpf_hook_start();
 
 noinline int
@@ -101,30 +94,10 @@ bpf_testmod_test_struct_arg_6(struct bpf_testmod_struct_arg_3 *a) {
 	return bpf_testmod_test_struct_arg_result;
 }
 
-noinline int
-bpf_testmod_test_struct_arg_7(u64 a, void *b, short c, int d, void *e,
-			      struct bpf_testmod_struct_arg_4 f)
-{
-	bpf_testmod_test_struct_arg_result = a + (long)b + c + d +
-		(long)e + f.a + f.b;
-	return bpf_testmod_test_struct_arg_result;
-}
-
-noinline int
-bpf_testmod_test_struct_arg_8(u64 a, void *b, short c, int d, void *e,
-			      struct bpf_testmod_struct_arg_4 f, int g)
+noinline int bpf_testmod_test_struct_arg_7(u64 a, void *b, short c, int d,
+					   void *e, u64 f, u64 g, u64 h,
+					   struct bpf_testmod_struct_arg_4 i)
 {
-	bpf_testmod_test_struct_arg_result = a + (long)b + c + d +
-		(long)e + f.a + f.b + g;
-	return bpf_testmod_test_struct_arg_result;
-}
-
-noinline int
-bpf_testmod_test_struct_arg_9(u64 a, void *b, short c, int d, void *e, char f,
-			      short g, struct bpf_testmod_struct_arg_5 h, long i)
-{
-	bpf_testmod_test_struct_arg_result = a + (long)b + c + d + (long)e +
-		f + g + h.a + h.b + h.c + h.d + i;
 	return bpf_testmod_test_struct_arg_result;
 }
 
@@ -397,7 +370,6 @@ bpf_testmod_test_read(struct file *file, struct kobject *kobj,
 	struct bpf_testmod_struct_arg_2 struct_arg2 = {2, 3};
 	struct bpf_testmod_struct_arg_3 *struct_arg3;
 	struct bpf_testmod_struct_arg_4 struct_arg4 = {21, 22};
-	struct bpf_testmod_struct_arg_5 struct_arg5 = {23, 24, 25, 26};
 	int i = 1;
 
 	while (bpf_testmod_return_ptr(i))
@@ -408,13 +380,8 @@ bpf_testmod_test_read(struct file *file, struct kobject *kobj,
 	(void)bpf_testmod_test_struct_arg_3(1, 4, struct_arg2);
 	(void)bpf_testmod_test_struct_arg_4(struct_arg1, 1, 2, 3, struct_arg2);
 	(void)bpf_testmod_test_struct_arg_5();
-	(void)bpf_testmod_test_struct_arg_7(16, (void *)17, 18, 19,
-					    (void *)20, struct_arg4);
-	(void)bpf_testmod_test_struct_arg_8(16, (void *)17, 18, 19,
-					    (void *)20, struct_arg4, 23);
-	(void)bpf_testmod_test_struct_arg_9(16, (void *)17, 18, 19, (void *)20,
-					    21, 22, struct_arg5, 27);
-
+	(void)bpf_testmod_test_struct_arg_7(16, (void *)17, 18, 19, (void *)20,
+					    21, 22, 23, struct_arg4);
 	(void)bpf_testmod_test_arg_ptr_to_struct(&struct_arg1_2);
 
 	(void)trace_bpf_testmod_test_raw_tp_null_tp(NULL);

-- 
2.49.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ