author | Salvatore Bonaccorso <carnil@debian.org> | 2021-03-18 19:28:02 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-03-19 06:39:44 +0100 |
commit | bd4536f9789ca002c88b6cdfb89e5ca830f579fe (patch) | |
tree | be637b8c864cf1bf7390811c3282d5399afa4c57 | |
parent | 69f505a2d79687a19cfbbdc2f7050d3d58f8e445 (diff) | |
bpf, selftests: Fix up some test_verifier cases for unprivileged
-rw-r--r-- | debian/changelog | 1 | ||||
-rw-r--r-- | debian/patches/bugfix/all/bpf-selftests-Fix-up-some-test_verifier-cases-for-un.patch | 229 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 231 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 22974a958..0df160b7e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -884,6 +884,7 @@ linux (5.10.24-1) UNRELEASED; urgency=medium (CVE-2020-27171) * bpf: Simplify alu_limit masking for pointer arithmetic * bpf: Add sanity check for upper ptr_limit + * bpf, selftests: Fix up some test_verifier cases for unprivileged -- Salvatore Bonaccorso <carnil@debian.org> Wed, 17 Mar 2021 21:21:06 +0100 diff --git a/debian/patches/bugfix/all/bpf-selftests-Fix-up-some-test_verifier-cases-for-un.patch b/debian/patches/bugfix/all/bpf-selftests-Fix-up-some-test_verifier-cases-for-un.patch new file mode 100644 index 000000000..a2085d7ca --- /dev/null +++ b/debian/patches/bugfix/all/bpf-selftests-Fix-up-some-test_verifier-cases-for-un.patch 
@@ -0,0 +1,229 @@
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 11:44:42 +0100
+Subject: bpf, selftests: Fix up some test_verifier cases for unprivileged
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit?id=0a13e3537ea67452d549a6a80da3776d6b7dedb3
+
+Fix up test_verifier error messages for the case where the original error
+message changed, or for the case where pointer alu errors differ between
+privileged and unprivileged tests. Also, add alternative tests for keeping
+coverage of the original verifier rejection error message (fp alu), and
+newly reject map_ptr += rX where rX == 0 given we now forbid alu on these
+types for unprivileged. All test_verifier cases pass after the change. The
+test case fixups were kept separate to ease backporting of core changes.
+
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+---
+ .../selftests/bpf/verifier/bounds_deduction.c | 27 +++++++++++++------
+ .../testing/selftests/bpf/verifier/map_ptr.c | 4 +++
+ tools/testing/selftests/bpf/verifier/unpriv.c | 15 ++++++++++-
+ .../selftests/bpf/verifier/value_ptr_arith.c | 23 +++++++++++++++-
+ 4 files changed, 59 insertions(+), 10 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/verifier/bounds_deduction.c b/tools/testing/selftests/bpf/verifier/bounds_deduction.c
+index 1fd07a4f27ac..c162498a64fc 100644
+--- a/tools/testing/selftests/bpf/verifier/bounds_deduction.c
++++ b/tools/testing/selftests/bpf/verifier/bounds_deduction.c
+@@ -6,8 +6,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 2",
+@@ -20,6 +21,8 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+ BPF_EXIT_INSN(),
+ },
++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
++ .result_unpriv = REJECT,
+ .result = ACCEPT,
+ .retval = 1,
+ },
+@@ -31,8 +34,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 4",
+@@ -45,6 +49,8 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+ BPF_EXIT_INSN(),
+ },
++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
++ .result_unpriv = REJECT,
+ .result = ACCEPT,
+ },
+ {
+@@ -55,8 +61,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 6",
+@@ -67,8 +74,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 7",
+@@ -80,8 +88,9 @@
+ offsetof(struct __sk_buff, mark)),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "dereference of modified ctx ptr",
++ .result = REJECT,
+ .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+ },
+ {
+@@ -94,8 +103,9 @@
+ offsetof(struct __sk_buff, mark)),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
+ .errstr = "dereference of modified ctx ptr",
++ .result = REJECT,
+ .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+ },
+ {
+@@ -106,8 +116,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 10",
+@@ -119,6 +130,6 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
+ .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
++ .result = REJECT,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/map_ptr.c b/tools/testing/selftests/bpf/verifier/map_ptr.c
+index b117bdd3806d..6f610cfddae5 100644
+--- a/tools/testing/selftests/bpf/verifier/map_ptr.c
++++ b/tools/testing/selftests/bpf/verifier/map_ptr.c
+@@ -75,6 +75,8 @@
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_hash_16b = { 4 },
++ .result_unpriv = REJECT,
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
+ .result = ACCEPT,
+ },
+ {
+@@ -91,5 +93,7 @@
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_hash_16b = { 4 },
++ .result_unpriv = REJECT,
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
+ .result = ACCEPT,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/unpriv.c b/tools/testing/selftests/bpf/verifier/unpriv.c
+index b018ad71e0a8..3e32400c4b44 100644
+--- a/tools/testing/selftests/bpf/verifier/unpriv.c
++++ b/tools/testing/selftests/bpf/verifier/unpriv.c
+@@ -497,7 +497,7 @@
+ .result = ACCEPT,
+ },
+ {
+- "unpriv: adding of fp",
++ "unpriv: adding of fp, reg",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_MOV64_IMM(BPF_REG_1, 0),
+@@ -505,6 +505,19 @@
+ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
+ BPF_EXIT_INSN(),
+ },
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
++ .result_unpriv = REJECT,
++ .result = ACCEPT,
++},
++{
++ "unpriv: adding of fp, imm",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
++ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
++ BPF_EXIT_INSN(),
++ },
+ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+ .result_unpriv = REJECT,
+ .result = ACCEPT,
+diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+index ed4e76b24649..feb91266db39 100644
+--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+@@ -169,7 +169,7 @@
+ .fixup_map_array_48b = { 1 },
+ .result = ACCEPT,
+ .result_unpriv = REJECT,
+- .errstr_unpriv = "R2 tried to add from different maps or paths",
++ .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types",
+ .retval = 0,
+ },
+ {
+@@ -516,6 +516,27 @@
+ .result = ACCEPT,
+ .retval = 0xabcdef12,
+ },
++{
++ "map access: value_ptr += N, value_ptr -= N known scalar",
++ .insns = {
++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
++ BPF_LD_MAP_FD(BPF_REG_1, 0),
++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
++ BPF_MOV32_IMM(BPF_REG_1, 0x12345678),
++ BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
++ BPF_MOV64_IMM(BPF_REG_1, 2),
++ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .fixup_map_array_48b = { 3 },
++ .result = ACCEPT,
++ .retval = 0x12345678,
++},
+ {
+ "map access: unknown scalar += value_ptr, 1",
+ .insns = {
+--
+2.31.0
+
diff --git a/debian/patches/series b/debian/patches/series
index ac574ddb6..97fdfef65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
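Review bot: The new entry "map access: value_ptr += N, value_ptr -= N known scalar" in value_ptr_arith.c sets only `.result = ACCEPT` and `.retval = 0x12345678`, so what it expects from an unprivileged load is left implicit, unlike the neighbouring entries that spell out `.result_unpriv`. As far as I can tell the harness falls back to `.result` when `.result_unpriv` is unset (the harness is not part of this patch, so confirm), which would make this the one added case asserting that unprivileged pointer arithmetic on a map value is still accepted and that the load after `+= 2` / `-= 2` reads offset 0 unchanged. I would state that intent with a comment such as `/* also accepted unprivileged: the add/sub pair returns to offset 0 */`, or with an explicit `.result_unpriv = ACCEPT,`. The patch description does not mention this case either. Since the file is carried from the commit named in Origin, raise it upstream rather than editing the Debian copy.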
@@ -111,6 +111,7 @@ bugfix/all/bpf-Prohibit-alu-ops-for-pointer-types-not-defining-.patch bugfix/all/bpf-Fix-off-by-one-for-area-size-in-creating-mask-to.patch bugfix/all/bpf-Simplify-alu_limit-masking-for-pointer-arithmeti.patch bugfix/all/bpf-Add-sanity-check-for-upper-ptr_limit.patch +bugfix/all/bpf-selftests-Fix-up-some-test_verifier-cases-for-un.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch |