[PATCH v16 09/12] selftests/bpf: Add verifier tests for bpf_lookup_*_key() and bpf_key_put()
Kumar Kartikeya Dwivedi
memxor at gmail.com
Tue Sep 6 03:03:07 UTC 2022
On Mon, 5 Sept 2022 at 16:36, Roberto Sassu
<roberto.sassu at huaweicloud.com> wrote:
>
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> Add verifier tests for bpf_lookup_*_key() and bpf_key_put(), to ensure that
> acquired key references stored in the bpf_key structure are released, that
> a non-NULL bpf_key pointer is passed to bpf_key_put(), and that key
> references are not leaked.
>
> Also, slightly modify test_verifier.c, to find the BTF ID of the attach
> point for the LSM program type (currently, it is done only for TRACING).
>
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
> ---
Acked-by: Kumar Kartikeya Dwivedi <memxor at gmail.com>
> tools/testing/selftests/bpf/config | 1 +
> tools/testing/selftests/bpf/test_verifier.c | 3 +-
> .../selftests/bpf/verifier/ref_tracking.c | 139 ++++++++++++++++++
> 3 files changed, 142 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/bpf/config
> index 0fdd11e6b742..add5a5a919b4 100644
> --- a/tools/testing/selftests/bpf/config
> +++ b/tools/testing/selftests/bpf/config
> @@ -30,6 +30,7 @@ CONFIG_IPV6_GRE=y
> CONFIG_IPV6_SEG6_BPF=y
> CONFIG_IPV6_SIT=y
> CONFIG_IPV6_TUNNEL=y
> +CONFIG_KEYS=y
> CONFIG_LIRC=y
> CONFIG_LWTUNNEL=y
> CONFIG_MPLS=y
> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
> index f9d553fbf68a..2dbcbf363c18 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/selftests/bpf/test_verifier.c
> @@ -1498,7 +1498,8 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
> opts.log_level = DEFAULT_LIBBPF_LOG_LEVEL;
> opts.prog_flags = pflags;
>
> - if (prog_type == BPF_PROG_TYPE_TRACING && test->kfunc) {
> + if ((prog_type == BPF_PROG_TYPE_TRACING ||
> + prog_type == BPF_PROG_TYPE_LSM) && test->kfunc) {
> int attach_btf_id;
>
> attach_btf_id = libbpf_find_vmlinux_btf_id(test->kfunc,
> diff --git a/tools/testing/selftests/bpf/verifier/ref_tracking.c b/tools/testing/selftests/bpf/verifier/ref_tracking.c
> index 57a83d763ec1..f18ce867271f 100644
> --- a/tools/testing/selftests/bpf/verifier/ref_tracking.c
> +++ b/tools/testing/selftests/bpf/verifier/ref_tracking.c
> @@ -84,6 +84,145 @@
> .errstr = "Unreleased reference",
> .result = REJECT,
> },
> +{
> + "reference tracking: acquire/release user key reference",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, -3),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_user_key", 2 },
> + { "bpf_key_put", 5 },
> + },
> + .result = ACCEPT,
> +},
> +{
> + "reference tracking: acquire/release system key reference",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_system_key", 1 },
> + { "bpf_key_put", 4 },
> + },
> + .result = ACCEPT,
> +},
> +{
> + "reference tracking: release user key reference without check",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, -3),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "arg#0 pointer type STRUCT bpf_key must point to scalar, or struct with scalar",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_user_key", 2 },
> + { "bpf_key_put", 4 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: release system key reference without check",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "arg#0 pointer type STRUCT bpf_key must point to scalar, or struct with scalar",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_system_key", 1 },
> + { "bpf_key_put", 3 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: release with NULL key pointer",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "arg#0 pointer type STRUCT bpf_key must point to scalar, or struct with scalar",
> + .fixup_kfunc_btf_id = {
> + { "bpf_key_put", 1 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: leak potential reference to user key",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, -3),
> + BPF_MOV64_IMM(BPF_REG_2, 0),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "Unreleased reference",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_user_key", 2 },
> + },
> + .result = REJECT,
> +},
> +{
> + "reference tracking: leak potential reference to system key",
> + .insns = {
> + BPF_MOV64_IMM(BPF_REG_1, 1),
> + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
> + BPF_EXIT_INSN(),
> + },
> + .prog_type = BPF_PROG_TYPE_LSM,
> + .kfunc = "bpf",
> + .expected_attach_type = BPF_LSM_MAC,
> + .flags = BPF_F_SLEEPABLE,
> + .errstr = "Unreleased reference",
> + .fixup_kfunc_btf_id = {
> + { "bpf_lookup_system_key", 1 },
> + },
> + .result = REJECT,
> +},
> {
> "reference tracking: release reference without check",
> .insns = {
> --
> 2.25.1
>
More information about the Linux-security-module-archive
mailing list