APPLIED[J]: [SRU OEM-5.10/HWE-5.11/Impish/OEM-5.14/Jammy 3/3] bpf, selftests: Add verifier test for mem_or_null register with offset.
Andrea Righi
andrea.righi at canonical.com
Fri Jan 28 18:15:15 UTC 2022
On Fri, Jan 28, 2022 at 03:00:03PM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Daniel Borkmann <daniel at iogearbox.net>
>
> Add a new test case with mem_or_null typed register with off > 0 to ensure
> it gets rejected by the verifier:
>
> # ./test_verifier 1011
> #1009/u check with invalid reg offset 0 OK
> #1009/p check with invalid reg offset 0 OK
> Summary: 2 PASSED, 0 SKIPPED, 0 FAILED
>
> Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
> Signed-off-by: Alexei Starovoitov <ast at kernel.org>
> (cherry picked from commit ca796fe66f7fceff17679ee6cc5fe4b4023de44d)
> CVE-2022-23222
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
Applied to jammy/linux.
Thanks,
-Andrea
> ---
> .../selftests/bpf/verifier/spill_fill.c | 28 +++++++++++++++++++
> 1 file changed, 28 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/verifier/spill_fill.c b/tools/testing/selftests/bpf/verifier/spill_fill.c
> index 0b943897aaf6..7991d5215c0d 100644
> --- a/tools/testing/selftests/bpf/verifier/spill_fill.c
> +++ b/tools/testing/selftests/bpf/verifier/spill_fill.c
> @@ -58,6 +58,34 @@
> .result = ACCEPT,
> .result_unpriv = ACCEPT,
> },
> +{
> + "check with invalid reg offset 0",
> + .insns = {
> + /* reserve 8 byte ringbuf memory */
> + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> + BPF_LD_MAP_FD(BPF_REG_1, 0),
> + BPF_MOV64_IMM(BPF_REG_2, 8),
> + BPF_MOV64_IMM(BPF_REG_3, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
> + /* store a pointer to the reserved memory in R6 */
> + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
> + /* add invalid offset to memory or NULL */
> + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
> + /* check whether the reservation was successful */
> + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
> + /* should not be able to access *(R7) = 0 */
> + BPF_ST_MEM(BPF_W, BPF_REG_6, 0, 0),
> + /* submit the reserved ringbuf memory */
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .fixup_map_ringbuf = { 1 },
> + .result = REJECT,
> + .errstr = "R0 pointer arithmetic on mem_or_null prohibited",
> +},
> {
> "check corrupted spill/fill",
> .insns = {
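Review bot: The comment on the store in the new test reads "should not be able to access *(R7) = 0", but the instruction below it is BPF_ST_MEM(BPF_W, BPF_REG_6, 0, 0), and R7 is never used in this program. The register that matters is R6, the copy of R0 taken before the BPF_ADD of 1, so the comment should say *(R6) = 0. As written, a reader has to re-derive which register is expected to stay unusable after the NULL check on the offset R0. Separately, the test name ends in "offset 0" while the offset added to R0 is 1, and the "reserve 8 byte ringbuf memory" comment sits above the stack store to R10-8 rather than the ringbuf_reserve call; both are worth tidying in the same pass.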
> --
> 2.32.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team