bpf: add various test cases for alu op on mixed dst register types

Add couple of test_verifier tests to check sanitation of alu op insn with pointer and scalar type coming from different paths. This also includes BPF insns of the test reproducer provided by Jann Horn. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
author: Daniel Borkmann <daniel@iogearbox.net> 2019-01-05 18:54:38 -0500
committer: Alexei Starovoitov <ast@kernel.org> 2019-01-06 00:32:38 -0500
commit: 1cbbcfbbd56efd994d643428c69467fe3c8ab672 (patch)
tree: 576851fb11b2246f784da4ef3716fd441037ceaf
parent: d3bd7413e0ca40b60cf60d4003246d067cafdeda (diff)
1 files changed, 120 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 10d44446e801..2fd90d456892 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6934,6 +6934,126 @@ static struct bpf_test tests[] = {
                .retval = 1,
        },
        {
+                "map access: mixing value pointer and scalar, 1",
+                .insns = {
+                        // load map value pointer into r0 and r2
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        // load some number from the map into r1
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
+                        // branch A
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_JMP_A(2),
+                        // branch B
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100000),
+                        // common instruction
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
+                        // branch A
+                        BPF_JMP_A(4),
+                        // branch B
+                        BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
+                        // verifier follows fall-through
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        // fake-dead code; targeted from branch A to
+                        // prevent dead code sanitization
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 1 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R2 tried to add from different pointers or scalars",
+                .retval = 0,
+        },
+        {
+                "map access: mixing value pointer and scalar, 2",
+                .insns = {
+                        // load map value pointer into r0 and r2
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        // load some number from the map into r1
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
+                        // branch A
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100000),
+                        BPF_JMP_A(2),
+                        // branch B
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        // common instruction
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
+                        // branch A
+                        BPF_JMP_A(4),
+                        // branch B
+                        BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
+                        // verifier follows fall-through
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        // fake-dead code; targeted from branch A to
+                        // prevent dead code sanitization
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 1 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R2 tried to add from different maps or paths",
+                .retval = 0,
+        },
+        {
+                "sanitation: alu with different scalars",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100000),
+                        BPF_JMP_A(2),
+                        BPF_MOV64_IMM(BPF_REG_2, 42),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100001),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 1 },
+                .result = ACCEPT,
+                .retval = 0x100000,
+        },
+        {
                "map access: value_ptr += known scalar, upper oob arith, test 1",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
author	Daniel Borkmann <daniel@iogearbox.net>	2019-01-05 18:54:38 -0500
committer	Alexei Starovoitov <ast@kernel.org>	2019-01-06 00:32:38 -0500
commit	1cbbcfbbd56efd994d643428c69467fe3c8ab672 (patch)
tree	576851fb11b2246f784da4ef3716fd441037ceaf
parent	d3bd7413e0ca40b60cf60d4003246d067cafdeda (diff)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 10d44446e801..2fd90d456892 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6934,6 +6934,126 @@ static struct bpf_test tests[] = {
6934	.retval = 1,	6934	.retval = 1,
6935	},	6935	},
6936	{	6936	{
		6937	"map access: mixing value pointer and scalar, 1",
		6938	.insns = {
		6939	// load map value pointer into r0 and r2
		6940	BPF_MOV64_IMM(BPF_REG_0, 1),
		6941	BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
		6942	BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
		6943	BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
		6944	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
		6945	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
		6946	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		6947	BPF_EXIT_INSN(),
		6948	// load some number from the map into r1
		6949	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
		6950	// depending on r1, branch:
		6951	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
		6952	// branch A
		6953	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
		6954	BPF_MOV64_IMM(BPF_REG_3, 0),
		6955	BPF_JMP_A(2),
		6956	// branch B
		6957	BPF_MOV64_IMM(BPF_REG_2, 0),
		6958	BPF_MOV64_IMM(BPF_REG_3, 0x100000),
		6959	// common instruction
		6960	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
		6961	// depending on r1, branch:
		6962	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
		6963	// branch A
		6964	BPF_JMP_A(4),
		6965	// branch B
		6966	BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
		6967	// verifier follows fall-through
		6968	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
		6969	BPF_MOV64_IMM(BPF_REG_0, 0),
		6970	BPF_EXIT_INSN(),
		6971	// fake-dead code; targeted from branch A to
		6972	// prevent dead code sanitization
		6973	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
		6974	BPF_MOV64_IMM(BPF_REG_0, 0),
		6975	BPF_EXIT_INSN(),
		6976	},
		6977	.fixup_map_array_48b = { 1 },
		6978	.result = ACCEPT,
		6979	.result_unpriv = REJECT,
		6980	.errstr_unpriv = "R2 tried to add from different pointers or scalars",
		6981	.retval = 0,
		6982	},
		6983	{
		6984	"map access: mixing value pointer and scalar, 2",
		6985	.insns = {
		6986	// load map value pointer into r0 and r2
		6987	BPF_MOV64_IMM(BPF_REG_0, 1),
		6988	BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
		6989	BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
		6990	BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
		6991	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
		6992	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
		6993	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		6994	BPF_EXIT_INSN(),
		6995	// load some number from the map into r1
		6996	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
		6997	// depending on r1, branch:
		6998	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
		6999	// branch A
		7000	BPF_MOV64_IMM(BPF_REG_2, 0),
		7001	BPF_MOV64_IMM(BPF_REG_3, 0x100000),
		7002	BPF_JMP_A(2),
		7003	// branch B
		7004	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
		7005	BPF_MOV64_IMM(BPF_REG_3, 0),
		7006	// common instruction
		7007	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
		7008	// depending on r1, branch:
		7009	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
		7010	// branch A
		7011	BPF_JMP_A(4),
		7012	// branch B
		7013	BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
		7014	// verifier follows fall-through
		7015	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
		7016	BPF_MOV64_IMM(BPF_REG_0, 0),
		7017	BPF_EXIT_INSN(),
		7018	// fake-dead code; targeted from branch A to
		7019	// prevent dead code sanitization
		7020	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
		7021	BPF_MOV64_IMM(BPF_REG_0, 0),
		7022	BPF_EXIT_INSN(),
		7023	},
		7024	.fixup_map_array_48b = { 1 },
		7025	.result = ACCEPT,
		7026	.result_unpriv = REJECT,
		7027	.errstr_unpriv = "R2 tried to add from different maps or paths",
		7028	.retval = 0,
		7029	},
		7030	{
		7031	"sanitation: alu with different scalars",
		7032	.insns = {
		7033	BPF_MOV64_IMM(BPF_REG_0, 1),
		7034	BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
		7035	BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
		7036	BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
		7037	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
		7038	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
		7039	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		7040	BPF_EXIT_INSN(),
		7041	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
		7042	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
		7043	BPF_MOV64_IMM(BPF_REG_2, 0),
		7044	BPF_MOV64_IMM(BPF_REG_3, 0x100000),
		7045	BPF_JMP_A(2),
		7046	BPF_MOV64_IMM(BPF_REG_2, 42),
		7047	BPF_MOV64_IMM(BPF_REG_3, 0x100001),
		7048	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
		7049	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
		7050	BPF_EXIT_INSN(),
		7051	},
		7052	.fixup_map_array_48b = { 1 },
		7053	.result = ACCEPT,
		7054	.retval = 0x100000,
		7055	},
		7056	{
6937	"map access: value_ptr += known scalar, upper oob arith, test 1",	7057	"map access: value_ptr += known scalar, upper oob arith, test 1",
6938	.insns = {	7058	.insns = {
6939	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),	7059	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),