xref: /aosp_15_r20/external/ltp/testcases/kernel/syscalls/bpf/bpf_prog07.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2022 SUSE LLC <[email protected]>
4  */
5 
6 /*\
7  * [Description]
8  *
9  * The verifier did not properly restrict some *_OR_NULL pointer
10  * types. Including RET_PTR_TO_ALLOC_MEM_OR_NULL which is returned by
11  * ringbuf_reserve. Somehow this means they can be used to perform
12  * arbitrary pointer arithmetic.
13  *
14  * The test tries to do some pointer arithmetic on the return value of
15  * ringbuf_reserve. Possibly with a trick to make the verifier believe
16  * the pointer (in r1) is NULL. The test will pass if the eBPF is
17  * rejected and will fail otherwise.
18  *
19  * This test does not try to cause a crash. Howver it does run the
20  * eBPF if it can. This will result in an instant crash or memory
21  * corruption which may later cause a crash.
22  *
23  * This test is adapted from a full reproducer which can be found here:
24  * https://github.com/tr3ee/CVE-2022-23222
25  *
26  * It's recommended to disable unprivileged eBPF by setting
27  * /proc/sys/kernel/unprivileged_bpf_disabled. Also there is a
28  * specific fix for this issue:
29  *
30  * commit 64620e0a1e712a778095bd35cbb277dc2259281f
31  * Author: Daniel Borkmann <[email protected]>
32  * Date:   Tue Jan 11 14:43:41 2022 +0000
33  *
34  *  bpf: Fix out of bounds access for ringbuf helpers
35  */
36 
37 #include <stdint.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <inttypes.h>
41 
42 #include "config.h"
43 #include "tst_test.h"
44 #include "tst_taint.h"
45 #include "tst_capability.h"
46 #include "lapi/bpf.h"
47 #include "bpf_common.h"
48 
49 static const char MSG[] = "Ahoj!";
50 static char *msg;
51 
52 static int map_fd;
53 static uint32_t *key;
54 static uint64_t *val;
55 static char *log;
56 static union bpf_attr *attr;
57 
load_prog(void)58 static int load_prog(void)
59 {
60 	int ret;
61 	const struct bpf_insn prog_insn[] = {
62 		// r0 = bpf_ringbuf_reserve(ctx->ringbuf_fd, PAGE_SIZE, 0)
63 		BPF_LD_MAP_FD(BPF_REG_1, map_fd),
64 		BPF_MOV64_IMM(BPF_REG_2, getpagesize()),
65 		BPF_MOV64_IMM(BPF_REG_3, 0x00),
66 		BPF_EMIT_CALL(BPF_FUNC_ringbuf_reserve),
67 
68 		BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
69 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
70 
71 		// if (r0 != NULL) { ringbuf_discard(r0, 1); exit(2); }
72 		BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
73 		BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
74 		BPF_MOV64_IMM(BPF_REG_2, 1),
75 		BPF_EMIT_CALL(BPF_FUNC_ringbuf_discard),
76 		BPF_MOV64_IMM(BPF_REG_0, 2),
77 		BPF_EXIT_INSN(),
78 
79 		// *(sp + 4*r1) = INT32_MAX
80 		BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 8),
81 		BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
82 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
83 		BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
84 		BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, INT32_MAX),
85 
86 		/* exit(0) */
87 		BPF_MOV64_IMM(BPF_REG_0, 0),
88 		BPF_EXIT_INSN()
89 
90 	};
91 
92 	bpf_init_prog_attr(attr, prog_insn, sizeof(prog_insn), log, BUFSIZE);
93 
94 	ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
95 			     TST_RETVAL_GE0);
96 
97 	if (ret >= 0)
98 		return ret;
99 
100 	if (ret != -1)
101 		tst_brk(TBROK, "Invalid bpf() return value: %d", ret);
102 
103 	if (log[0] != 0)
104 		tst_printf("%s\n", log);
105 
106 	return ret;
107 }
108 
setup(void)109 static void setup(void)
110 {
111 	rlimit_bump_memlock();
112 	memcpy(msg, MSG, sizeof(MSG));
113 }
114 
run(void)115 static void run(void)
116 {
117 	int prog_fd;
118 
119 	map_fd = bpf_map_create(&(union bpf_attr){
120 			.map_type = BPF_MAP_TYPE_RINGBUF,
121 			.key_size = 0,
122 			.value_size = 0,
123 			.max_entries = getpagesize()
124 		});
125 
126 	tst_res(TINFO, "Trying to load eBPF with OOB write");
127 	prog_fd = load_prog();
128 	if (prog_fd == -1) {
129 		tst_res(TPASS, "Failed verification");
130 		return;
131 	}
132 
133 	tst_res(TFAIL, "Loaded program with OOB write");
134 	tst_res(TINFO, "Running eBPF with OOB");
135 	bpf_run_prog(prog_fd, msg, sizeof(MSG));
136 	tst_res(TINFO, "Ran eBPF");
137 
138 	SAFE_CLOSE(prog_fd);
139 }
140 
141 static struct tst_test test = {
142 	.setup = setup,
143 	.test_all = run,
144 	.min_kver = "5.8",
145 	.taint_check = TST_TAINT_W | TST_TAINT_D,
146 	.caps = (struct tst_cap []) {
147 		TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
148 		TST_CAP(TST_CAP_DROP, CAP_BPF),
149 		{}
150 	},
151 	.bufs = (struct tst_buffers []) {
152 		{&key, .size = sizeof(*key)},
153 		{&val, .size = sizeof(*val)},
154 		{&log, .size = BUFSIZE},
155 		{&attr, .size = sizeof(*attr)},
156 		{&msg, .size = sizeof(MSG)},
157 		{}
158 	},
159 	.tags = (const struct tst_tag[]) {
160 		{"linux-git", "64620e0a1e71"},
161 		{"CVE", "CVE-2022-23222"},
162 		{}
163 	}
164 };
165