mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

selftest/bpf: Test for use-after-free bug fix in inline_bpf_loop

Browse source 
This test verifies that bpf_loop() inlining works as expected when
address of `env->prog` is updated. This address is updated upon BPF
program reallocation.

Reallocation is handled by bpf_prog_realloc(), which reuses old memory
if page boundary is not crossed. The value of `len` in the test is
chosen to cross this boundary on bpf_loop() patching.

Verify that the use-after-free bug in inline_bpf_loop() reported by
Dan Carpenter is fixed.

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220624020613.548108-3-eddyz87@gmail.com
This commit is contained in:
Eduard Zingerman 2022-06-24 05:06:13 +03:00 committed by Daniel Borkmann
parent fb4e3b33e3
commit 41188e9e9d
2 changed files with 50 additions and 0 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

39
tools/testing/selftests/bpf/test_verifier.c
View file

@ -425,6 +425,45 @@ static void bpf_fill_torturous_jumps(struct bpf_test *self)
} }
} }
static void bpf_fill_big_prog_with_loop_1(struct bpf_test *self)
{
struct bpf_insn *insn = self->fill_insns;
/* This test was added to catch a specific use after free
* error, which happened upon BPF program reallocation.
* Reallocation is handled by core.c:bpf_prog_realloc, which
* reuses old memory if page boundary is not crossed. The
* value of `len` is chosen to cross this boundary on bpf_loop
* patching.
*/
const int len = getpagesize() - 25;
int callback_load_idx;
int callback_idx;
int i = 0;
insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_1, 1);
callback_load_idx = i;
insn[i++] = BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW,
BPF_REG_2, BPF_PSEUDO_FUNC, 0,
777 /* filled below */);
insn[i++] = BPF_RAW_INSN(0, 0, 0, 0, 0);
insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_3, 0);
insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_4, 0);
insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_loop);
while (i < len - 3)
insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0);
insn[i++] = BPF_EXIT_INSN();
callback_idx = i;
insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0);
insn[i++] = BPF_EXIT_INSN();
insn[callback_load_idx].imm = callback_idx - callback_load_idx - 1;
self->func_info[1].insn_off = callback_idx;
self->prog_len = i;
assert(i == len);
}
/* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */ /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
#define BPF_SK_LOOKUP(func) \ #define BPF_SK_LOOKUP(func) \
/* struct bpf_sock_tuple tuple = {} */ \ /* struct bpf_sock_tuple tuple = {} */ \

11
tools/testing/selftests/bpf/verifier/bpf_loop_inline.c
View file

@ -244,6 +244,17 @@
.func_info_cnt = 3, .func_info_cnt = 3,
BTF_TYPES BTF_TYPES
}, },
{
"inline bpf_loop call in a big program",
.insns = {},
.fill_helper = bpf_fill_big_prog_with_loop_1,
.expected_insns = { PSEUDO_CALL_INSN() },
.unexpected_insns = { HELPER_CALL_INSN() },
.result = ACCEPT,
.func_info = { { 0, MAIN_TYPE }, { 16, CALLBACK_TYPE } },
.func_info_cnt = 2,
BTF_TYPES
},
#undef HELPER_CALL_INSN #undef HELPER_CALL_INSN
#undef PSEUDO_CALL_INSN #undef PSEUDO_CALL_INSN