• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2021 SUSE LLC <rpalethorpe@suse.com>
4  */
5 
6 /*\
7  * [Description]
8  *
9  * Compare the effects of 32-bit div/mod by zero with the "expected"
10  * behaviour.
11  *
12  * The commit "bpf: fix subprog verifier bypass by div/mod by 0
13  * exception", changed div/mod by zero from exiting the current
14  * program to setting the destination register to zero (div) or
15  * leaving it untouched (mod).
16  *
17  * This solved one verfier bug which allowed dodgy pointer values, but
18  * it turned out that the source register was being 32-bit truncated
19  * when it should not be. Also the destination register for mod was
20  * not being truncated when it should be.
21  *
22  * So then we have the following two fixes:
23  * "bpf: Fix 32 bit src register truncation on div/mod"
24  * "bpf: Fix truncation handling for mod32 dst reg wrt zero"
25  *
26  * Testing for all of these issues is a problem. Not least because
27  * division by zero is undefined, so in theory any result is
28  * acceptable so long as the verifier and runtime behaviour
29  * match.
30  *
31  * However to keep things simple we just check if the source and
32  * destination register runtime values match the current upstream
33  * behaviour at the time of writing.
34  *
35  * If the test fails you may have one or more of the above patches
36  * missing. In this case it is possible that you are not vulnerable
37  * depending on what other backports and fixes have been applied. If
38  * upstream changes the behaviour of division by zero, then the test
39  * will need updating.
40  *
41  * Note that we use r6 as the src register and r7 as the dst. w6 and
42  * w7 are the same registers treated as 32bit.
43  */
44 
45 #include <stdio.h>
46 #include <string.h>
47 #include <inttypes.h>
48 
49 #include "config.h"
50 #include "tst_test.h"
51 #include "tst_taint.h"
52 #include "tst_capability.h"
53 #include "bpf_common.h"
54 
55 #define BUFSIZE 8192
56 
57 static const char MSG[] = "Ahoj!";
58 static char *msg;
59 
60 static int map_fd;
61 static uint32_t *key;
62 static uint64_t *val;
63 static char *log;
64 static union bpf_attr *attr;
65 
load_prog(void)66 static int load_prog(void)
67 {
68 	const struct bpf_insn prog_insn[] = {
69 		/* r6 = 1 << 32
70 		 * r7 = -1
71 		 */
72 		BPF_LD_IMM64(BPF_REG_6, 1ULL << 32),
73 		BPF_MOV64_IMM(BPF_REG_7, -1LL),
74 
75 		/* w7 /= w6 */
76 		BPF_ALU32_REG(BPF_DIV, BPF_REG_7, BPF_REG_6),
77 
78 		/* map[1] = r6
79 		 * map[2] = r7
80 		 */
81 		BPF_MAP_ARRAY_STX(map_fd, 0, BPF_REG_6),
82 		BPF_MAP_ARRAY_STX(map_fd, 1, BPF_REG_7),
83 
84 		/* r6 = 1 << 32
85 		 * r7 = -1
86 		 */
87 		BPF_LD_IMM64(BPF_REG_6, 1ULL << 32),
88 		BPF_MOV64_IMM(BPF_REG_7, -1LL),
89 
90 		/* w7 %= w6 */
91 		BPF_ALU32_REG(BPF_MOD, BPF_REG_7, BPF_REG_6),
92 
93 		/* map[3] = r6
94 		 * map[4] = r7
95 		 */
96 		BPF_MAP_ARRAY_STX(map_fd, 2, BPF_REG_6),
97 		BPF_MAP_ARRAY_STX(map_fd, 3, BPF_REG_7),
98 
99 		/* exit(0) */
100 		BPF_MOV64_IMM(BPF_REG_0, 0),
101 		BPF_EXIT_INSN()
102 	};
103 
104 	bpf_init_prog_attr(attr, prog_insn, sizeof(prog_insn), log, BUFSIZE);
105 
106 	return bpf_load_prog(attr, log);
107 }
108 
expect_reg_val(const char * const reg_name,const uint64_t expected_val)109 static void expect_reg_val(const char *const reg_name,
110 			   const uint64_t expected_val)
111 {
112 	bpf_map_array_get(map_fd, key, val);
113 
114 	(*key)++;
115 
116 	if (*val != expected_val) {
117 		tst_res(TFAIL,
118 			"%s = %"PRIu64", but should be %"PRIu64,
119 			reg_name, *val, expected_val);
120 	} else {
121 		tst_res(TPASS, "%s = %"PRIu64, reg_name, *val);
122 	}
123 }
124 
setup(void)125 static void setup(void)
126 {
127 	rlimit_bump_memlock();
128 	memcpy(msg, MSG, sizeof(MSG));
129 }
130 
run(void)131 static void run(void)
132 {
133 	int prog_fd;
134 
135 	map_fd = bpf_map_array_create(4);
136 	prog_fd = load_prog();
137 	bpf_run_prog(prog_fd, msg, sizeof(MSG));
138 	SAFE_CLOSE(prog_fd);
139 
140 	*key = 0;
141 
142 	tst_res(TINFO, "Check w7(-1) /= w6(0) [r7 = -1, r6 = 1 << 32]");
143 	expect_reg_val("src(r6)", 1ULL << 32);
144 	expect_reg_val("dst(r7)", 0);
145 
146 	tst_res(TINFO, "Check w7(-1) %%= w6(0) [r7 = -1, r6 = 1 << 32]");
147 	expect_reg_val("src(r6)", 1ULL << 32);
148 	expect_reg_val("dst(r7)", (uint32_t)-1);
149 
150 	SAFE_CLOSE(map_fd);
151 }
152 
153 static struct tst_test test = {
154 	.setup = setup,
155 	.test_all = run,
156 	.min_kver = "3.18",
157 	.taint_check = TST_TAINT_W | TST_TAINT_D,
158 	.caps = (struct tst_cap []) {
159 		TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
160 		{}
161 	},
162 	.bufs = (struct tst_buffers []) {
163 		{&key, .size = sizeof(*key)},
164 		{&val, .size = sizeof(*val)},
165 		{&log, .size = BUFSIZE},
166 		{&attr, .size = sizeof(*attr)},
167 		{&msg, .size = sizeof(MSG)},
168 		{}
169 	},
170 	.tags = (const struct tst_tag[]) {
171 		{"linux-git", "f6b1b3bf0d5f"},
172 		{"linux-git", "468f6eafa6c4"},
173 		{"linux-git", "e88b2c6e5a4d"},
174 		{"linux-git", "9b00f1b78809"},
175 		{"CVE", "CVE-2021-3444"},
176 		{}
177 	}
178 };
179