Message-ID: <c42914fc-503f-abb9-b7e9-8f7360c9587a@iogearbox.net>
Date:   Mon, 4 Feb 2019 21:57:46 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Breno Leitao <leitao@...ian.org>, netdev@...r.kernel.org
Cc:     ast@...nel.org
Subject: Re: [PATCH] bpf: test_maps: Avoid possible out of bound access

On 02/04/2019 05:27 PM, Breno Leitao wrote:
> When compiling test_maps selftest with GCC-8, it warns that an array might
> be indexed with a negative value, which could cause a negative out of bound
> access, depending on parameters of the function. This is the GCC-8 warning:
> 
> 	gcc -Wall -O2 -I../../../include/uapi -I../../../lib -I../../../lib/bpf -I../../../../include/generated -DHAVE_GENHDR -I../../../include    test_maps.c /home/breno/Devel/linux/tools/testing/selftests/bpf/libbpf.a -lcap -lelf -lrt -lpthread -o /home/breno/Devel/linux/tools/testing/selftests/bpf/test_maps
> 	In file included from test_maps.c:16:
> 	test_maps.c: In function ‘run_all_tests’:
> 	test_maps.c:1079:10: warning: array subscript -1 is below array bounds of ‘pid_t[<Ube20> + 1]’ [-Warray-bounds]
> 	   assert(waitpid(pid[i], &status, 0) == pid[i]);
> 		  ^~~~~~~~~~~~~~~~~~~~~~~~~~~
> 	test_maps.c:1059:6: warning: array subscript -1 is below array bounds of ‘pid_t[<Ube20> + 1]’ [-Warray-bounds]
> 	   pid[i] = fork();
> 	   ~~~^~~
> 
> This patch simply guarantees that the tasks variable is unsigned, thus, it
> could never be a negative number, hence avoiding an out of bound access
> warning.
> 
> Signed-off-by: Breno Leitao <leitao@...ian.org>

Thanks for the patch, small comment below:

>  tools/testing/selftests/bpf/test_maps.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
> index e2b9eee37187..1714e26f4a72 100644
> --- a/tools/testing/selftests/bpf/test_maps.c
> +++ b/tools/testing/selftests/bpf/test_maps.c
> @@ -641,7 +641,7 @@ static void test_stackmap(int task, void *data)
>  #define SOCKMAP_PARSE_PROG "./sockmap_parse_prog.o"
>  #define SOCKMAP_VERDICT_PROG "./sockmap_verdict_prog.o"
>  #define SOCKMAP_TCP_MSG_PROG "./sockmap_tcp_msg_prog.o"
> -static void test_sockmap(int tasks, void *data)
> +static void test_sockmap(unsigned int tasks, void *data)

There are couple more test_*() functions that need to be converted if we do
the change to unsigned:

tools/testing/selftests/bpf/test_maps.c:48:static void test_hashmap(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:138:static void test_hashmap_sizes(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:158:static void test_hashmap_percpu(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:285:static void test_hashmap_walk(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:356:static void test_arraymap(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:411:static void test_arraymap_percpu(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:507:static void test_devmap(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:522:static void test_queuemap(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:580:static void test_stackmap(int task, void *data)
tools/testing/selftests/bpf/test_maps.c:645:static void test_sockmap(int tasks, void *data)

>  {
>  	struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_msg, *bpf_map_break;
>  	int map_fd_msg = 0, map_fd_rx = 0, map_fd_tx = 0, map_fd_break;
> @@ -1261,7 +1261,7 @@ static void test_map_large(void)
>  	printf("Fork %d tasks to '" #FN "'\n", N); \
>  	__run_parallel(N, FN, DATA)
>  
> -static void __run_parallel(int tasks, void (*fn)(int task, void *data),
> +static void __run_parallel(unsigned int tasks, void (*fn)(int task, void *data),

This would also need conversion to unsigned for the func arg above so that
we don't type mismatch.

Thanks,
Daniel

Powered by blists - more mailing lists