1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2021 SUSE LLC <rpalethorpe@suse.com>
4 */
5
6 /*\
7 * [Description]
8 *
9 * Compare the effects of 32-bit div/mod by zero with the "expected"
10 * behaviour.
11 *
12 * The commit "bpf: fix subprog verifier bypass by div/mod by 0
13 * exception", changed div/mod by zero from exiting the current
14 * program to setting the destination register to zero (div) or
15 * leaving it untouched (mod).
16 *
17 * This solved one verfier bug which allowed dodgy pointer values, but
18 * it turned out that the source register was being 32-bit truncated
19 * when it should not be. Also the destination register for mod was
20 * not being truncated when it should be.
21 *
22 * So then we have the following two fixes:
23 * "bpf: Fix 32 bit src register truncation on div/mod"
24 * "bpf: Fix truncation handling for mod32 dst reg wrt zero"
25 *
26 * Testing for all of these issues is a problem. Not least because
27 * division by zero is undefined, so in theory any result is
28 * acceptable so long as the verifier and runtime behaviour
29 * match.
30 *
31 * However to keep things simple we just check if the source and
32 * destination register runtime values match the current upstream
33 * behaviour at the time of writing.
34 *
35 * If the test fails you may have one or more of the above patches
36 * missing. In this case it is possible that you are not vulnerable
37 * depending on what other backports and fixes have been applied. If
38 * upstream changes the behaviour of division by zero, then the test
39 * will need updating.
40 *
41 * Note that we use r6 as the src register and r7 as the dst. w6 and
42 * w7 are the same registers treated as 32bit.
43 */
44
45 #include <stdio.h>
46 #include <string.h>
47 #include <inttypes.h>
48
49 #include "config.h"
50 #include "tst_test.h"
51 #include "tst_taint.h"
52 #include "tst_capability.h"
53 #include "bpf_common.h"
54
55 #define BUFSIZE 8192
56
57 static const char MSG[] = "Ahoj!";
58 static char *msg;
59
60 static int map_fd;
61 static uint32_t *key;
62 static uint64_t *val;
63 static char *log;
64 static union bpf_attr *attr;
65
ensure_ptr_arithmetic(void)66 static void ensure_ptr_arithmetic(void)
67 {
68 const struct bpf_insn prog_insn[] = {
69 /* r2 = r10
70 * r3 = -1
71 * r2 += r3
72 * *(char *)r2 = 0
73 */
74 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
75 BPF_MOV64_IMM(BPF_REG_3, -1),
76 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
77 BPF_ST_MEM(BPF_B, BPF_REG_2, 0, 0),
78
79 /* exit(0) */
80 BPF_MOV64_IMM(BPF_REG_0, 0),
81 BPF_EXIT_INSN()
82 };
83 int ret;
84
85 bpf_init_prog_attr(attr, prog_insn, sizeof(prog_insn), log, BUFSIZE);
86
87 ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
88 TST_RETVAL_GE0);
89
90 if (ret >= 0) {
91 tst_res(TINFO, "Have pointer arithmetic");
92 SAFE_CLOSE(ret);
93 return;
94 }
95
96 if (ret != -1)
97 tst_brk(TBROK, "Invalid bpf() return value: %d", ret);
98
99 if (log[0] != 0)
100 tst_brk(TCONF | TERRNO, "No pointer arithmetic:\n %s", log);
101
102 tst_brk(TBROK | TERRNO, "Failed to load program");
103 }
104
load_prog(void)105 static int load_prog(void)
106 {
107 const struct bpf_insn prog_insn[] = {
108 /* r6 = 1 << 32
109 * r7 = -1
110 */
111 BPF_LD_IMM64(BPF_REG_6, 1ULL << 32),
112 BPF_MOV64_IMM(BPF_REG_7, -1LL),
113
114 /* w7 /= w6 */
115 BPF_ALU32_REG(BPF_DIV, BPF_REG_7, BPF_REG_6),
116
117 /* map[1] = r6
118 * map[2] = r7
119 */
120 BPF_MAP_ARRAY_STX(map_fd, 0, BPF_REG_6),
121 BPF_MAP_ARRAY_STX(map_fd, 1, BPF_REG_7),
122
123 /* r6 = 1 << 32
124 * r7 = -1
125 */
126 BPF_LD_IMM64(BPF_REG_6, 1ULL << 32),
127 BPF_MOV64_IMM(BPF_REG_7, -1LL),
128
129 /* w7 %= w6 */
130 BPF_ALU32_REG(BPF_MOD, BPF_REG_7, BPF_REG_6),
131
132 /* map[3] = r6
133 * map[4] = r7
134 */
135 BPF_MAP_ARRAY_STX(map_fd, 2, BPF_REG_6),
136 BPF_MAP_ARRAY_STX(map_fd, 3, BPF_REG_7),
137
138 /* exit(0) */
139 BPF_MOV64_IMM(BPF_REG_0, 0),
140 BPF_EXIT_INSN()
141 };
142
143 bpf_init_prog_attr(attr, prog_insn, sizeof(prog_insn), log, BUFSIZE);
144
145 return bpf_load_prog(attr, log);
146 }
147
expect_reg_val(const char * const reg_name,const uint64_t expected_val)148 static void expect_reg_val(const char *const reg_name,
149 const uint64_t expected_val)
150 {
151 bpf_map_array_get(map_fd, key, val);
152
153 (*key)++;
154
155 if (*val != expected_val) {
156 tst_res(TFAIL,
157 "%s = %"PRIu64", but should be %"PRIu64,
158 reg_name, *val, expected_val);
159 } else {
160 tst_res(TPASS, "%s = %"PRIu64, reg_name, *val);
161 }
162 }
163
setup(void)164 static void setup(void)
165 {
166 rlimit_bump_memlock();
167 memcpy(msg, MSG, sizeof(MSG));
168 }
169
run(void)170 static void run(void)
171 {
172 int prog_fd;
173
174 map_fd = bpf_map_array_create(8);
175
176 ensure_ptr_arithmetic();
177 prog_fd = load_prog();
178 bpf_run_prog(prog_fd, msg, sizeof(MSG));
179 SAFE_CLOSE(prog_fd);
180
181 *key = 0;
182
183 tst_res(TINFO, "Check w7(-1) /= w6(0) [r7 = -1, r6 = 1 << 32]");
184 expect_reg_val("src(r6)", 1ULL << 32);
185 expect_reg_val("dst(r7)", 0);
186
187 tst_res(TINFO, "Check w7(-1) %%= w6(0) [r7 = -1, r6 = 1 << 32]");
188 expect_reg_val("src(r6)", 1ULL << 32);
189 expect_reg_val("dst(r7)", (uint32_t)-1);
190
191 SAFE_CLOSE(map_fd);
192 }
193
194 static struct tst_test test = {
195 .setup = setup,
196 .test_all = run,
197 .min_kver = "3.18",
198 .taint_check = TST_TAINT_W | TST_TAINT_D,
199 .caps = (struct tst_cap []) {
200 TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
201 TST_CAP(TST_CAP_DROP, CAP_BPF),
202 {}
203 },
204 .bufs = (struct tst_buffers []) {
205 {&key, .size = sizeof(*key)},
206 {&val, .size = sizeof(*val)},
207 {&log, .size = BUFSIZE},
208 {&attr, .size = sizeof(*attr)},
209 {&msg, .size = sizeof(MSG)},
210 {}
211 },
212 .tags = (const struct tst_tag[]) {
213 {"linux-git", "f6b1b3bf0d5f"},
214 {"linux-git", "468f6eafa6c4"},
215 {"linux-git", "e88b2c6e5a4d"},
216 {"linux-git", "9b00f1b78809"},
217 {"CVE", "CVE-2021-3444"},
218 {}
219 }
220 };
221