Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Add a possibly-zero-sized read test

This patch adds a test for the condition that the previous patch mucked
with - illegal zero-sized helper memory access. Unlike the existing
tests, this new one uses a size whose lower bound is zero, rather than
a size that is known to be zero.

Signed-off-by: Andrei Matei <andreimatei1@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20231221232225.568730-3-andreimatei1@gmail.com

authored by

Andrei Matei and committed by
Andrii Nakryiko
72187506 8a021e7f

+38 -1
+38 -1
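--- a/tools/testing/selftests/bpf/progs/verifier_helper_value_access.c
+++ b/tools/testing/selftests/bpf/progs/verifier_helper_value_access.c
@@ -89,9 +89,14 @@
 : __clobber_all);
 }
 
+/* Call a function taking a pointer and a size which doesn't allow the size to
+ * be zero (i.e. bpf_trace_printk() declares the second argument to be
+ * ARG_CONST_SIZE, not ARG_CONST_SIZE_OR_ZERO). We attempt to pass zero for the
+ * size and expect to fail.
+ */
 SEC("tracepoint")
 __description("helper access to map: empty range")
-__failure __msg("R2 invalid zero-sized read")
+__failure __msg("R2 invalid zero-sized read: u64=[0,0]")
 __naked void access_to_map_empty_range(void)
 {
 asm volatile (" \
@@ -106,6 +111,38 @@
 r2 = 0; \
 call %[bpf_trace_printk]; \
 l0_%=: exit; \
+" :
+: __imm(bpf_map_lookup_elem),
+__imm(bpf_trace_printk),
+__imm_addr(map_hash_48b)
+: __clobber_all);
+}
+
+/* Like the test above, but this time the size register is not known to be zero;
+ * its lower-bound is zero though, which is still unacceptable.
+ */
+SEC("tracepoint")
+__description("helper access to map: possibly-empty ange")
+__failure __msg("R2 invalid zero-sized read: u64=[0,4]")
+__naked void access_to_map_possibly_empty_range(void)
+{
+asm volatile (" \
+r2 = r10; \
+r2 += -8; \
+r1 = 0; \
+*(u64*)(r2 + 0) = r1; \
+r1 = %[map_hash_48b] ll; \
+call %[bpf_map_lookup_elem]; \
+if r0 == 0 goto l0_%=; \
+r1 = r0; \
+/* Read an unknown value */ \
+r7 = *(u64*)(r0 + 0); \
+/* Make it small and positive, to avoid other errors */ \
+r7 &= 4; \
+r2 = 0; \
+r2 += r7; \
+call %[bpf_trace_printk]; \
+l0_%=: exit; \
 " :
 : __imm(bpf_map_lookup_elem),
 __imm(bpf_trace_printk),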
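Review bot: The `__description` string of the new test access_to_map_possibly_empty_range has a typo, "possibly-empty ange"; it should read `__description("helper access to map: possibly-empty range")`, so that anyone searching test output for "range" finds this case too. The inline comment above `r7 &= 4` says "small and positive", but the mask leaves either 0 or 4, and the zero case is exactly what the verifier must reject here; `/* Bound it to [0,4]: the lower bound stays zero, the upper bound stays in the map value */` would state the intent more precisely. The expected message `u64=[0,4]` depends directly on that mask constant, so the block comment above the test would benefit from a sentence tying the two together, otherwise a later change to the mask will fail the test for a reason unrelated to the zero-size check.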