lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Oct 2018 18:51:45 -0700 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp> Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Jakub Kicinski <jakub.kicinski@...ronome.com>, "David S . Miller" <davem@...emloft.net>, Quentin Monnet <quentin.monnet@...ronome.com>, netdev@...r.kernel.org Subject: Re: [RFC v2 bpf-next 5/5] selftests/bpf: verifier, check bpf_map_lookup_elem access in bpf prog On Tue, Oct 02, 2018 at 02:35:19PM +0900, Prashant Bhole wrote: > map_lookup_elem isn't supported by certain map types like: > - BPF_MAP_TYPE_PROG_ARRAY > - BPF_MAP_TYPE_STACK_TRACE > - BPF_MAP_TYPE_XSKMAP > - BPF_MAP_TYPE_SOCKMAP/BPF_MAP_TYPE_SOCKHASH > Let's add verfier tests to check whether verifier prevents > bpf_map_lookup_elem call on above programs from bpf program. > > Signed-off-by: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp> > --- > tools/testing/selftests/bpf/test_verifier.c | 121 +++++++++++++++++++- > 1 file changed, 120 insertions(+), 1 deletion(-) > > diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c > index c7d25f23baf9..afa7e67f66e4 100644 > --- a/tools/testing/selftests/bpf/test_verifier.c > +++ b/tools/testing/selftests/bpf/test_verifier.c > @@ -47,7 +47,7 @@ > > #define MAX_INSNS BPF_MAXINSNS > #define MAX_FIXUPS 8 > -#define MAX_NR_MAPS 8 > +#define MAX_NR_MAPS 13 > #define POINTER_VALUE 0xcafe4all > #define TEST_DATA_LEN 64 > > @@ -64,6 +64,10 @@ struct bpf_test { > int fixup_map2[MAX_FIXUPS]; > int fixup_map3[MAX_FIXUPS]; > int fixup_map4[MAX_FIXUPS]; > + int fixup_map5[MAX_FIXUPS]; > + int fixup_map6[MAX_FIXUPS]; > + int fixup_map7[MAX_FIXUPS]; > + int fixup_map8[MAX_FIXUPS]; > int fixup_prog1[MAX_FIXUPS]; > int fixup_prog2[MAX_FIXUPS]; > int fixup_map_in_map[MAX_FIXUPS]; > @@ -4391,6 +4395,85 @@ static struct bpf_test tests[] = { > .errstr = "invalid access to packet", > .prog_type = BPF_PROG_TYPE_SCHED_CLS, > }, > + { > + "prevent map lookup in sockmap", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_EXIT_INSN(), > + }, > + .fixup_map5 = { 3 }, > + .result = REJECT, > + .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem", > + .prog_type = BPF_PROG_TYPE_SOCK_OPS, > + }, > + { > + "prevent map lookup in sockhash", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_EXIT_INSN(), > + }, > + .fixup_map6 = { 3 }, > + .result = REJECT, > + .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem", > + .prog_type = BPF_PROG_TYPE_SOCK_OPS, > + }, > + { > + "prevent map lookup in xskmap", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_EXIT_INSN(), > + }, > + .fixup_map7 = { 3 }, > + .result = REJECT, > + .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem", > + .prog_type = BPF_PROG_TYPE_XDP, > + }, > + { > + "prevent map lookup in stack trace", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_EXIT_INSN(), > + }, > + .fixup_map8 = { 3 }, > + .result = REJECT, > + .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem", > + .prog_type = BPF_PROG_TYPE_PERF_EVENT, > + }, > + { > + "prevent map lookup in prog array", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_EXIT_INSN(), > + }, > + .fixup_prog2 = { 3 }, > + .result = REJECT, > + .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem", excellent tests. exactly what I was hoping to see. > + }, > { > "valid map access into an array with a constant", > .insns = { > @@ -12755,6 +12838,10 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, > int *fixup_map2 = test->fixup_map2; > int *fixup_map3 = test->fixup_map3; > int *fixup_map4 = test->fixup_map4; > + int *fixup_map5 = test->fixup_map5; > + int *fixup_map6 = test->fixup_map6; > + int *fixup_map7 = test->fixup_map7; > + int *fixup_map8 = test->fixup_map8; > int *fixup_prog1 = test->fixup_prog1; > int *fixup_prog2 = test->fixup_prog2; > int *fixup_map_in_map = test->fixup_map_in_map; > @@ -12843,6 +12930,38 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, > fixup_percpu_cgroup_storage++; > } while (*fixup_percpu_cgroup_storage); > } > + if (*fixup_map5) { > + map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int), > + sizeof(int), 1); > + do { > + prog[*fixup_map5].imm = map_fds[9]; > + fixup_map5++; > + } while (*fixup_map5); > + } > + if (*fixup_map6) { > + map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int), > + sizeof(int), 1); > + do { > + prog[*fixup_map6].imm = map_fds[10]; > + fixup_map6++; > + } while (*fixup_map6); > + } > + if (*fixup_map7) { > + map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int), > + sizeof(int), 1); > + do { > + prog[*fixup_map7].imm = map_fds[11]; > + fixup_map7++; > + } while (*fixup_map7); > + } > + if (*fixup_map8) { > + map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32), > + sizeof(u64), 1); > + do { > + prog[*fixup_map8].imm = map_fds[12]; > + fixup_map8++; > + } while (fixup_map8); I understand that you're following the existing naming convention with fixup_mapN, but it was ugly before and these 4 additions make it completely unreadable. Could you please refactor the old names: fixup_map1 -> fixup_map_hash_8b fixup_map2 -> fixup_map_hash_48b (pls double check my math) fixup_map3 -> fixup_map_hash_16b fixup_map4 -> fixup_map_array_48b then your new diff will use fixup_map5 -> fixup_map_sockmap fixup_map6 -> fixup_map_sockhash ... and please drop rfc tag from the next respin. Thanks!
Powered by blists - more mailing lists