selftests/bpf: test cases for regsafe() bug skipping check_id()

Under certain conditions it was possible for verifier.c:regsafe() to
skip check_id() call. This commit adds negative test cases previously
errorneously accepted as safe.

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20221209135733.28851-3-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/tools/testing/selftests/bpf/verifier/direct_packet_access.c b/tools/testing/selftests/bpf/verifier/direct_packet_access.c
index 11acd1855acf6bdefffa6b6838ff7c910a222d6a..dce2e28aeb431bf27abc08f9688501322693031e 100644 (file)
--- a/tools/testing/selftests/bpf/verifier/direct_packet_access.c
+++ b/tools/testing/selftests/bpf/verifier/direct_packet_access.c
@@ -654,3 +654,57 @@
        .result = ACCEPT,
        .prog_type = BPF_PROG_TYPE_SCHED_CLS,
 },
+{
+       "direct packet access: test30 (check_id() in regsafe(), bad access)",
+       .insns = {
+       /* r9 = ctx */
+       BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
+       /* r7 = ktime_get_ns() */
+       BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
+       BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
+       /* r6 = ktime_get_ns() */
+       BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
+       BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
+       /* r2 = ctx->data
+        * r3 = ctx->data
+        * r4 = ctx->data_end
+        */
+       BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_9, offsetof(struct __sk_buff, data)),
+       BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_9, offsetof(struct __sk_buff, data)),
+       BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_9, offsetof(struct __sk_buff, data_end)),
+       /* if r6 > 100 goto exit
+        * if r7 > 100 goto exit
+        */
+       BPF_JMP_IMM(BPF_JGT, BPF_REG_6, 100, 9),
+       BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 100, 8),
+       /* r2 += r6              ; this forces assignment of ID to r2
+        * r2 += 1               ; get some fixed off for r2
+        * r3 += r7              ; this forces assignment of ID to r3
+        * r3 += 1               ; get some fixed off for r3
+        */
+       BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_6),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
+       BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_7),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 1),
+       /* if r6 > r7 goto +1    ; no new information about the state is derived from
+        *                       ; this check, thus produced verifier states differ
+        *                       ; only in 'insn_idx'
+        * r2 = r3               ; optionally share ID between r2 and r3
+        */
+       BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_7, 1),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
+       /* if r3 > ctx->data_end goto exit */
+       BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 1),
+       /* r5 = *(u8 *) (r2 - 1) ; access packet memory using r2,
+        *                       ; this is not always safe
+        */
+       BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, -1),
+       /* exit(0) */
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .flags = BPF_F_TEST_STATE_FREQ,
+       .result = REJECT,
+       .errstr = "invalid access to packet, off=0 size=1, R2",
+       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+},

diff --git a/tools/testing/selftests/bpf/verifier/value_or_null.c b/tools/testing/selftests/bpf/verifier/value_or_null.c
index 3ecb70a3d93970425413dee6cd402bdcdf6c4ed9..52a8bca14f03f99b2a619bce2dae8f8271e0bee1 100644 (file)
--- a/tools/testing/selftests/bpf/verifier/value_or_null.c
+++ b/tools/testing/selftests/bpf/verifier/value_or_null.c
@@ -169,3 +169,52 @@
        .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        .result = ACCEPT,
 },
+{
+       "MAP_VALUE_OR_NULL check_ids() in regsafe()",
+       .insns = {
+       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+       /* r9 = map_lookup_elem(...) */
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+       BPF_LD_MAP_FD(BPF_REG_1,
+                     0),
+       BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+       BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
+       /* r8 = map_lookup_elem(...) */
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+       BPF_LD_MAP_FD(BPF_REG_1,
+                     0),
+       BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+       /* r7 = ktime_get_ns() */
+       BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
+       BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
+       /* r6 = ktime_get_ns() */
+       BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
+       BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
+       /* if r6 > r7 goto +1    ; no new information about the state is derived from
+        *                       ; this check, thus produced verifier states differ
+        *                       ; only in 'insn_idx'
+        * r9 = r8               ; optionally share ID between r9 and r8
+        */
+       BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
+       BPF_MOV64_REG(BPF_REG_9, BPF_REG_8),
+       /* if r9 == 0 goto <exit> */
+       BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 0, 1),
+       /* read map value via r8, this is not always
+        * safe because r8 might be not equal to r9.
+        */
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
+       /* exit 0 */
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .flags = BPF_F_TEST_STATE_FREQ,
+       .fixup_map_hash_8b = { 3, 9 },
+       .result = REJECT,
+       .errstr = "R8 invalid mem access 'map_value_or_null'",
+       .result_unpriv = REJECT,
+       .errstr_unpriv = "",
+       .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
+},