Commit 0a13e353 authored by Piotr Krysiuk's avatar Piotr Krysiuk Committed by Daniel Borkmann

bpf, selftests: Fix up some test_verifier cases for unprivileged

Fix up test_verifier error messages for the case where the original error
message changed, or for the case where pointer alu errors differ between
privileged and unprivileged tests. Also, add alternative tests for keeping
coverage of the original verifier rejection error message (fp alu), and
newly reject map_ptr += rX where rX == 0 given we now forbid alu on these
types for unprivileged. All test_verifier cases pass after the change. The
test case fixups were kept separate to ease backporting of core changes.
Signed-off-by: default avatarPiotr Krysiuk <piotras@gmail.com>
Co-developed-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 1b1597e6
...@@ -6,8 +6,9 @@ ...@@ -6,8 +6,9 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
.errstr = "R0 tried to subtract pointer from scalar", .errstr = "R0 tried to subtract pointer from scalar",
.result = REJECT,
}, },
{ {
"check deducing bounds from const, 2", "check deducing bounds from const, 2",
...@@ -20,6 +21,8 @@ ...@@ -20,6 +21,8 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
.result_unpriv = REJECT,
.result = ACCEPT, .result = ACCEPT,
.retval = 1, .retval = 1,
}, },
...@@ -31,8 +34,9 @@ ...@@ -31,8 +34,9 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
.errstr = "R0 tried to subtract pointer from scalar", .errstr = "R0 tried to subtract pointer from scalar",
.result = REJECT,
}, },
{ {
"check deducing bounds from const, 4", "check deducing bounds from const, 4",
...@@ -45,6 +49,8 @@ ...@@ -45,6 +49,8 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
.result_unpriv = REJECT,
.result = ACCEPT, .result = ACCEPT,
}, },
{ {
...@@ -55,8 +61,9 @@ ...@@ -55,8 +61,9 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
.errstr = "R0 tried to subtract pointer from scalar", .errstr = "R0 tried to subtract pointer from scalar",
.result = REJECT,
}, },
{ {
"check deducing bounds from const, 6", "check deducing bounds from const, 6",
...@@ -67,8 +74,9 @@ ...@@ -67,8 +74,9 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
.errstr = "R0 tried to subtract pointer from scalar", .errstr = "R0 tried to subtract pointer from scalar",
.result = REJECT,
}, },
{ {
"check deducing bounds from const, 7", "check deducing bounds from const, 7",
...@@ -80,8 +88,9 @@ ...@@ -80,8 +88,9 @@
offsetof(struct __sk_buff, mark)), offsetof(struct __sk_buff, mark)),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
.errstr = "dereference of modified ctx ptr", .errstr = "dereference of modified ctx ptr",
.result = REJECT,
.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
}, },
{ {
...@@ -94,8 +103,9 @@ ...@@ -94,8 +103,9 @@
offsetof(struct __sk_buff, mark)), offsetof(struct __sk_buff, mark)),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
.errstr = "dereference of modified ctx ptr", .errstr = "dereference of modified ctx ptr",
.result = REJECT,
.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
}, },
{ {
...@@ -106,8 +116,9 @@ ...@@ -106,8 +116,9 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT, .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
.errstr = "R0 tried to subtract pointer from scalar", .errstr = "R0 tried to subtract pointer from scalar",
.result = REJECT,
}, },
{ {
"check deducing bounds from const, 10", "check deducing bounds from const, 10",
...@@ -119,6 +130,6 @@ ...@@ -119,6 +130,6 @@
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.result = REJECT,
.errstr = "math between ctx pointer and register with unbounded min value is not allowed", .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
.result = REJECT,
}, },
...@@ -75,6 +75,8 @@ ...@@ -75,6 +75,8 @@
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.fixup_map_hash_16b = { 4 }, .fixup_map_hash_16b = { 4 },
.result_unpriv = REJECT,
.errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
.result = ACCEPT, .result = ACCEPT,
}, },
{ {
...@@ -91,5 +93,7 @@ ...@@ -91,5 +93,7 @@
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.fixup_map_hash_16b = { 4 }, .fixup_map_hash_16b = { 4 },
.result_unpriv = REJECT,
.errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
.result = ACCEPT, .result = ACCEPT,
}, },
...@@ -497,7 +497,7 @@ ...@@ -497,7 +497,7 @@
.result = ACCEPT, .result = ACCEPT,
}, },
{ {
"unpriv: adding of fp", "unpriv: adding of fp, reg",
.insns = { .insns = {
BPF_MOV64_IMM(BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_MOV64_IMM(BPF_REG_1, 0), BPF_MOV64_IMM(BPF_REG_1, 0),
...@@ -505,6 +505,19 @@ ...@@ -505,6 +505,19 @@
BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
.result_unpriv = REJECT,
.result = ACCEPT,
},
{
"unpriv: adding of fp, imm",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
BPF_EXIT_INSN(),
},
.errstr_unpriv = "R1 stack pointer arithmetic goes out of range", .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
.result_unpriv = REJECT, .result_unpriv = REJECT,
.result = ACCEPT, .result = ACCEPT,
......
...@@ -169,7 +169,7 @@ ...@@ -169,7 +169,7 @@
.fixup_map_array_48b = { 1 }, .fixup_map_array_48b = { 1 },
.result = ACCEPT, .result = ACCEPT,
.result_unpriv = REJECT, .result_unpriv = REJECT,
.errstr_unpriv = "R2 tried to add from different maps or paths", .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types",
.retval = 0, .retval = 0,
}, },
{ {
...@@ -516,6 +516,27 @@ ...@@ -516,6 +516,27 @@
.result = ACCEPT, .result = ACCEPT,
.retval = 0xabcdef12, .retval = 0xabcdef12,
}, },
{
"map access: value_ptr += N, value_ptr -= N known scalar",
.insns = {
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
BPF_LD_MAP_FD(BPF_REG_1, 0),
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
BPF_MOV32_IMM(BPF_REG_1, 0x12345678),
BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
BPF_MOV64_IMM(BPF_REG_1, 2),
BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.fixup_map_array_48b = { 3 },
.result = ACCEPT,
.retval = 0x12345678,
},
{ {
"map access: unknown scalar += value_ptr, 1", "map access: unknown scalar += value_ptr, 1",
.insns = { .insns = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment