Commit bdc4e369 authored by Dave Marchevsky's avatar Dave Marchevsky Committed by Alexei Starovoitov
Browse files

bpf/selftests: Add bpf_get_task_stack retval bounds verifier test 



Add a bpf_iter test which feeds bpf_get_task_stack's return value into
seq_write after confirming it's positive. No attempt to bound the value
from above is made.

Load will fail if verifier does not refine retval range based on
buf sz input to bpf_get_task_stack.

Signed-off-by: default avatarDave Marchevsky <davemarchevsky@fb.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Acked-by: default avatarSong Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20210416204704.2816874-3-davemarchevsky@fb.com
parent fd0b88f7

tools/testing/selftests/bpf/verifier/bpf_get_stack.c

+43 −0
Original line number Diff line number Diff line
@@ -42,3 +42,46 @@ 
	.result = ACCEPT,

	.prog_type = BPF_PROG_TYPE_TRACEPOINT,

},

{

	"bpf_get_task_stack return R0 range is refined",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),

	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_6, 0), // ctx->meta->seq

	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_1, 8), // ctx->task

	BPF_LD_MAP_FD(BPF_REG_1, 0), // fixup_map_array_48b

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),



	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),

	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), // keep buf for seq_write

	BPF_MOV64_IMM(BPF_REG_3, 48),

	BPF_MOV64_IMM(BPF_REG_4, 0),

	BPF_EMIT_CALL(BPF_FUNC_get_task_stack),

	BPF_JMP_IMM(BPF_JSGT, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),



	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),

	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),

	BPF_EMIT_CALL(BPF_FUNC_seq_write),



	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.result = ACCEPT,

	.prog_type = BPF_PROG_TYPE_TRACING,

	.expected_attach_type = BPF_TRACE_ITER,

	.kfunc = "task",

	.runs = -1, // Don't run, just load

	.fixup_map_array_48b = { 3 },

},