| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPhsuW7dmvG-Uz2WJujerw3b7on6j8CJt9zfuojU9m2AAsiK_A@mail.gmail.com>
Date: Fri, 1 Mar 2019 16:04:28 -0800
From: Song Liu <liu.song.a23@...il.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Alexei Starovoitov <ast@...com>, afabre@...udflare.com,
Marek Majkowski <marek@...udflare.com>,
bpf <bpf@...r.kernel.org>, Networking <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next] bpf: add test cases for non-pointer sanitiation logic
On Fri, Mar 1, 2019 at 3:27 PM Daniel Borkmann <daniel@...earbox.net> wrote:
>
> On 03/02/2019 12:22 AM, Song Liu wrote:
> > On Fri, Mar 1, 2019 at 1:10 PM Daniel Borkmann <daniel@...earbox.net> wrote:
> >>
> >> Add two additional tests for further asserting the
> >> BPF_ALU_NON_POINTER logic with cases that were missed
> >> previously.
> >>
> >> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> >> Cc: Marek Majkowski <marek@...udflare.com>
> >> Cc: Arthur Fabre <afabre@...udflare.com>
> >> ---
> >> .../selftests/bpf/verifier/value_ptr_arith.c | 44 ++++++++++++++++++-
> >> 1 file changed, 43 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
> >> index 4b721a77bebb..c3de1a2c9dc5 100644
> >> --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
> >> +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
> >> @@ -173,7 +173,7 @@
> >> .retval = 0,
> >> },
> >> {
> >> - "sanitation: alu with different scalars",
> >> + "sanitation: alu with different scalars 1",
> >> .insns = {
> >> BPF_MOV64_IMM(BPF_REG_0, 1),
> >> BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
> >> @@ -198,6 +198,48 @@
> >> .result = ACCEPT,
> >> .retval = 0x100000,
> >> },
> >> +{
> >> + "sanitation: alu with different scalars 2",
> >> + .insns = {
> >> + BPF_MOV64_IMM(BPF_REG_0, 1),
> >> + BPF_LD_MAP_FD(BPF_REG_1, 0),
> >> + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
> >> + BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
> >> + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
> >> + BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
> >> + BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
> >> + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
> >> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> >> + BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
> >> + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
> >> + BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
> >> + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
> >> + BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
> >> + BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
> >> + BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
> >> + BPF_EXIT_INSN(),
> >> + },
> >> + .fixup_map_array_48b = { 1 },
> >> + .result = ACCEPT,
> >> + .retval = -EINVAL * 2,
> >
> > Why "-EINVAL * 2" here?
>
> This is array map so deletion will return -EINVAL, basically I
> wanted to get a test case under socket filters where helper
> returns a stable value which is then unknown scalar to do some
> alu64 op with where sanitation logic triggers. So map_delete_elem()
> came in handy for that test.
I see, so the *2 comes from
BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7)
Thanks for the explanation.
Acked-by: Song Liu <songliubraving@...com>
Powered by blists - more mailing lists