| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230314001512.GC202344@maniforge>
Date: Mon, 13 Mar 2023 19:15:12 -0500
From: David Vernet <void@...ifault.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: davem@...emloft.net, daniel@...earbox.net, andrii@...nel.org,
martin.lau@...nel.org, davemarchevsky@...a.com, tj@...nel.org,
memxor@...il.com, netdev@...r.kernel.org, bpf@...r.kernel.org,
kernel-team@...com
Subject: Re: [PATCH bpf-next 3/3] selftests/bpf: Add various tests to check
helper access into ptr_to_btf_id.
On Mon, Mar 13, 2023 at 04:58:45PM -0700, Alexei Starovoitov wrote:
> From: Alexei Starovoitov <ast@...nel.org>
>
> Add various tests to check helper access into ptr_to_btf_id.
>
> Signed-off-by: Alexei Starovoitov <ast@...nel.org>
Thanks a lot for the quick turnaround on this.
LGTM, just left one small nit below.
Acked-by: David Vernet <void@...ifault.com>
> ---
> .../selftests/bpf/progs/task_kfunc_failure.c | 36 +++++++++++++++++++
> .../selftests/bpf/progs/task_kfunc_success.c | 4 +++
> 2 files changed, 40 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/task_kfunc_failure.c b/tools/testing/selftests/bpf/progs/task_kfunc_failure.c
> index 002c7f69e47f..27994d6b2914 100644
> --- a/tools/testing/selftests/bpf/progs/task_kfunc_failure.c
> +++ b/tools/testing/selftests/bpf/progs/task_kfunc_failure.c
> @@ -301,3 +301,39 @@ int BPF_PROG(task_kfunc_from_lsm_task_free, struct task_struct *task)
> bpf_task_release(acquired);
> return 0;
> }
> +
> +SEC("tp_btf/task_newtask")
> +__failure __msg("access beyond the end of member comm")
> +int BPF_PROG(task_access_comm1, struct task_struct *task, u64 clone_flags)
> +{
> + bpf_strncmp(task->comm, 17, "foo");
Instead of 17, can you do either TASK_COMM_LEN + 1, or
sizeof(task->comm) + 1, to make the test a bit less brittle? Applies to
the other testcases as well.
> + return 0;
> +}
> +
> +SEC("tp_btf/task_newtask")
> +__failure __msg("access beyond the end of member comm")
> +int BPF_PROG(task_access_comm2, struct task_struct *task, u64 clone_flags)
> +{
> + bpf_strncmp(task->comm + 1, 16, "foo");
> + return 0;
> +}
> +
> +SEC("tp_btf/task_newtask")
> +__failure __msg("write into memory")
> +int BPF_PROG(task_access_comm3, struct task_struct *task, u64 clone_flags)
> +{
> + bpf_probe_read_kernel(task->comm, 16, task->comm);
> + return 0;
> +}
> +
> +SEC("fentry/__set_task_comm")
> +__failure __msg("R1 type=ptr_ expected")
> +int BPF_PROG(task_access_comm4, struct task_struct *task, const char *buf, bool exec)
> +{
> + /*
> + * task->comm is a legacy ptr_to_btf_id. The verifier cannot guarantee
> + * its safety. Hence it cannot be accessed with normal load insns.
> + */
> + bpf_strncmp(task->comm, 16, "foo");
> + return 0;
> +}
> diff --git a/tools/testing/selftests/bpf/progs/task_kfunc_success.c b/tools/testing/selftests/bpf/progs/task_kfunc_success.c
> index aebc4bb14e7d..4f61596b0242 100644
> --- a/tools/testing/selftests/bpf/progs/task_kfunc_success.c
> +++ b/tools/testing/selftests/bpf/progs/task_kfunc_success.c
> @@ -207,6 +207,10 @@ int BPF_PROG(test_task_from_pid_invalid, struct task_struct *task, u64 clone_fla
> if (!is_test_kfunc_task())
> return 0;
>
> + bpf_strncmp(task->comm, 12, "foo");
> + bpf_strncmp(task->comm, 16, "foo");
> + bpf_strncmp(&task->comm[8], 4, "foo");
> +
> if (is_pid_lookup_valid(-1)) {
> err = 1;
> return 0;
> --
> 2.34.1
>
Powered by blists - more mailing lists