bpf/selftests: Test bpf_d_path on rdonly_mem.

mainline inclusion from mainline-v5.17-rc1 commit 44bab87d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4WT90 CVE: CVE-2021-4204 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=44bab87d8ca6f0544a9f8fc97bdf33aa5b3c899e -------------------------------- The second parameter of bpf_d_path() can only accept writable memories. Rdonly_mem obtained from bpf_per_cpu_ptr() can not be passed into bpf_d_path for modification. This patch adds a selftest to verify this behavior. Signed-off-by: N Hao Luo <haoluo@google.com> Signed-off-by: N Andrii Nakryiko <andrii@kernel.org> Acked-by: N Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20220106205525.2116218-1-haoluo@google.comSigned-off-by: N Pu Lehui <pulehui@huawei.com> Reviewed-by: N Kuohai Xu <xukuohai@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

bpf/selftests: Test bpf_d_path on rdonly_mem.
mainline inclusion from mainline-v5.17-rc1 commit 44bab87d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I4WT90 CVE: CVE-2021-4204 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=44bab87d8ca6f0544a9f8fc97bdf33aa5b3c899e -------------------------------- The second parameter of bpf_d_path() can only accept writable memories. Rdonly_mem obtained from bpf_per_cpu_ptr() can not be passed into bpf_d_path for modification. This patch adds a selftest to verify this behavior. Signed-off-by: N Hao Luo <haoluo@google.com> Signed-off-by: N Andrii Nakryiko <andrii@kernel.org> Acked-by: N Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20220106205525.2116218-1-haoluo@google.comSigned-off-by: N Pu Lehui <pulehui@huawei.com> Reviewed-by: N Kuohai Xu <xukuohai@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
76f59b4d · Hao Luo · Zheng Zengkai · 017bd71f · 76f59b4d · 76f59b4d
2 changed file
--- a/tools/testing/selftests/bpf/prog_tests/d_path.c
+++ b/tools/testing/selftests/bpf/prog_tests/d_path.c
@@ -9,6 +9,7 @@
 #define MAX_FILES		7

 #include "test_d_path.skel.h"
+#include "test_d_path_check_rdonly_mem.skel.h"

 static int duration;

@@ -99,7 +100,7 @@ static int trigger_fstat_events(pid_t pid)
 	return ret;
 }

-void test_d_path(void)
+static void test_d_path_basic(void)
 {
 	struct test_d_path__bss *bss;
 	struct test_d_path *skel;
@@ -155,3 +156,22 @@ void test_d_path(void)
 cleanup:
 	test_d_path__destroy(skel);
 }
+
+static void test_d_path_check_rdonly_mem(void)
+{
+	struct test_d_path_check_rdonly_mem *skel;
+
+	skel = test_d_path_check_rdonly_mem__open_and_load();
+	CHECK(skel, "skel_open", "unexpected_load_overwriting_rdonly_mem");
+
+	test_d_path_check_rdonly_mem__destroy(skel);
+}
+
+void test_d_path(void)
+{
+	if (test__start_subtest("basic"))
+		test_d_path_basic();
+
+	if (test__start_subtest("check_rdonly_mem"))
+		test_d_path_check_rdonly_mem();
+}
--- a/tools/testing/selftests/bpf/progs/test_d_path_check_rdonly_mem.c
+++ b/tools/testing/selftests/bpf/progs/test_d_path_check_rdonly_mem.c
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2022 Google */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+extern const int bpf_prog_active __ksym;
+
+SEC("fentry/security_inode_getattr")
+int BPF_PROG(d_path_check_rdonly_mem, struct path *path, struct kstat *stat,
+	     __u32 request_mask, unsigned int query_flags)
+{
+	void *active;
+	__u32 cpu;
+
+	cpu = bpf_get_smp_processor_id();
+	active = (void *)bpf_per_cpu_ptr(&bpf_prog_active, cpu);
+	if (active) {
+		/* FAIL here! 'active' points to readonly memory. bpf helpers
+		 * that update its arguments can not write into it.
+		 */
+		bpf_d_path(path, active, sizeof(int));
+	}
+	return 0;
+}
+
+char _license[] SEC("license") = "GPL";