tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

selftests/bpf: Test that lookup on SOCKMAP/SOCKHASH is allowed

Now that bpf_map_lookup_elem() is white-listed for SOCKMAP/SOCKHASH,
replace the tests which check that verifier prevents lookup on these map
types with ones that ensure that lookup operation is permitted, but only
with a release of acquired socket reference.

Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20200429181154.479310-3-jakub@cloudflare.com

authored by

Jakub Sitnicki and committed by
Daniel Borkmann 34a2cc6e 64d85290

+70 -30
-30
tools/testing/selftests/bpf/verifier/prevent_map_lookup.c
··· 1 1 { 2 - "prevent map lookup in sockmap", 3 - .insns = { 4 - BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5 - BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6 - BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7 - BPF_LD_MAP_FD(BPF_REG_1, 0), 8 - BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 9 - BPF_EXIT_INSN(), 10 - }, 11 - .fixup_map_sockmap = { 3 }, 12 - .result = REJECT, 13 - .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem", 14 - .prog_type = BPF_PROG_TYPE_SOCK_OPS, 15 - }, 16 - { 17 - "prevent map lookup in sockhash", 18 - .insns = { 19 - BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 20 - BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 21 - BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 22 - BPF_LD_MAP_FD(BPF_REG_1, 0), 23 - BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 24 - BPF_EXIT_INSN(), 25 - }, 26 - .fixup_map_sockhash = { 3 }, 27 - .result = REJECT, 28 - .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem", 29 - .prog_type = BPF_PROG_TYPE_SOCK_OPS, 30 - }, 31 - { 32 2 "prevent map lookup in stack trace", 33 3 .insns = { 34 4 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+70
tools/testing/selftests/bpf/verifier/sock.c
··· 516 516 .prog_type = BPF_PROG_TYPE_XDP, 517 517 .result = ACCEPT, 518 518 }, 519 + { 520 + "bpf_map_lookup_elem(sockmap, &key)", 521 + .insns = { 522 + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 523 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 524 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 525 + BPF_LD_MAP_FD(BPF_REG_1, 0), 526 + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 527 + BPF_MOV64_IMM(BPF_REG_0, 0), 528 + BPF_EXIT_INSN(), 529 + }, 530 + .fixup_map_sockmap = { 3 }, 531 + .prog_type = BPF_PROG_TYPE_SK_SKB, 532 + .result = REJECT, 533 + .errstr = "Unreleased reference id=2 alloc_insn=5", 534 + }, 535 + { 536 + "bpf_map_lookup_elem(sockhash, &key)", 537 + .insns = { 538 + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 539 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 540 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 541 + BPF_LD_MAP_FD(BPF_REG_1, 0), 542 + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 543 + BPF_MOV64_IMM(BPF_REG_0, 0), 544 + BPF_EXIT_INSN(), 545 + }, 546 + .fixup_map_sockhash = { 3 }, 547 + .prog_type = BPF_PROG_TYPE_SK_SKB, 548 + .result = REJECT, 549 + .errstr = "Unreleased reference id=2 alloc_insn=5", 550 + }, 551 + { 552 + "bpf_map_lookup_elem(sockmap, &key); sk->type [fullsock field]; bpf_sk_release(sk)", 553 + .insns = { 554 + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 555 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 556 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 557 + BPF_LD_MAP_FD(BPF_REG_1, 0), 558 + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 559 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 560 + BPF_EXIT_INSN(), 561 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 562 + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 563 + BPF_EMIT_CALL(BPF_FUNC_sk_release), 564 + BPF_EXIT_INSN(), 565 + }, 566 + .fixup_map_sockmap = { 3 }, 567 + .prog_type = BPF_PROG_TYPE_SK_SKB, 568 + .result = ACCEPT, 569 + }, 570 + { 571 + "bpf_map_lookup_elem(sockhash, &key); sk->type [fullsock field]; bpf_sk_release(sk)", 572 + .insns = { 573 + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 574 + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 575 + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 576 + BPF_LD_MAP_FD(BPF_REG_1, 0), 577 + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 578 + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 579 + BPF_EXIT_INSN(), 580 + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 581 + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 582 + BPF_EMIT_CALL(BPF_FUNC_sk_release), 583 + BPF_EXIT_INSN(), 584 + }, 585 + .fixup_map_sockhash = { 3 }, 586 + .prog_type = BPF_PROG_TYPE_SK_SKB, 587 + .result = ACCEPT, 588 + },