Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753546AbdGUO3c (ORCPT ); Fri, 21 Jul 2017 10:29:32 -0400 Received: from www62.your-server.de ([213.133.104.62]:44697 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750762AbdGUO3b (ORCPT ); Fri, 21 Jul 2017 10:29:31 -0400 Message-ID: <59720FC2.9070301@iogearbox.net> Date: Fri, 21 Jul 2017 16:29:22 +0200 From: Daniel Borkmann User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: Edward Cree , davem@davemloft.net, Alexei Starovoitov , Alexei Starovoitov CC: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, iovisor-dev , josef@toxicpanda.com Subject: Re: [PATCH net 1/2] selftests/bpf: subtraction bounds test References: <2ebcb201-2f18-7276-f4f9-f2bbaffae179@solarflare.com> In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2209 Lines: 55 On 07/21/2017 03:36 PM, Edward Cree wrote: > There is a bug in the verifier's handling of BPF_SUB: [a,b] - [c,d] yields > was [a-c, b-d] rather than the correct [a-d, b-c]. So here is a test > which, with the bogus handling, will produce ranges of [0,0] and thus > allowed accesses; whereas the correct handling will give a range of > [-255, 255] (and hence the right-shift will give a range of [0, 255]) and > the accesses will be rejected. > > Signed-off-by: Edward Cree Acked-by: Daniel Borkmann > tools/testing/selftests/bpf/test_verifier.c | 28 ++++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > > diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c > index af7d173..addea82 100644 > --- a/tools/testing/selftests/bpf/test_verifier.c > +++ b/tools/testing/selftests/bpf/test_verifier.c > @@ -5980,6 +5980,34 @@ static struct bpf_test tests[] = { > .result = REJECT, > .result_unpriv = REJECT, > }, > + { > + "subtraction bounds (map value)", > + .insns = { > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, > + BPF_FUNC_map_lookup_elem), > + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), > + BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), > + BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), > + BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), > + BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), > + BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), > + BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), > + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), > + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), > + BPF_EXIT_INSN(), > + BPF_MOV64_IMM(BPF_REG_0, 0), > + BPF_EXIT_INSN(), > + }, > + .fixup_map1 = { 3 }, > + .errstr_unpriv = "R0 pointer arithmetic prohibited", > + .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", > + .result = REJECT, > + .result_unpriv = REJECT, > + }, > }; > > static int probe_filter_length(const struct bpf_insn *fp) >