From patchwork Fri Dec 22 18:12:35 2017
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 852497
X-Patchwork-Delegate: bpf@iogearbox.net
Date: Fri, 22 Dec 2017 19:12:35 +0100
Message-Id: <20171222181235.158636-1-jannh@google.com>
Subject: [PATCH] bpf: selftest for late caller stack size increase
From: Jann Horn
To: Alexei Starovoitov, Daniel Borkmann
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org

This checks that it is not possible to bypass the total stack size check in
update_stack_depth() by calling a function that uses a large amount of stack
memory *before* using a large amount of stack memory in the caller.

Currently, the first added testcase causes a rejection as expected, but the
second testcase is (AFAICS incorrectly) accepted:

[...]
#483/p calls: stack overflow using two frames (post-call access) FAIL
Unexpected success to load!
0: (85) call pc+2
caller:
 R10=fp0,call_-1
callee:
 frame1: R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
3: (72) *(u8 *)(r10 -300) = 0
4: (b7) r0 = 0
5: (95) exit
returning from callee:
 frame1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0,call_0
to caller at 1:
 R0_w=inv0 R10=fp0,call_-1
from 5 to 1: R0=inv0 R10=fp0,call_-1
1: (72) *(u8 *)(r10 -300) = 0
2: (95) exit
processed 6 insns, stack depth 300+300
[...]
Summary: 704 PASSED, 1 FAILED

AFAICS the JIT-generated code for the second testcase shows that this really
causes the stack pointer to be decremented by 300+300:

first function:
00000000 55 push rbp
00000001 4889E5 mov rbp,rsp
00000004 4881EC58010000 sub rsp,0x158
0000000B 4883ED28 sub rbp,byte +0x28
[...]
00000025 E89AB3AFE5 call 0xffffffffe5afb3c4
0000002A C685D4FEFFFF00 mov byte [rbp-0x12c],0x0
[...]
00000041 4883C528 add rbp,byte +0x28
00000045 C9 leave
00000046 C3 ret

second function:
00000000 55 push rbp
00000001 4889E5 mov rbp,rsp
00000004 4881EC58010000 sub rsp,0x158
0000000B 4883ED28 sub rbp,byte +0x28
[...]
00000025 C685D4FEFFFF00 mov byte [rbp-0x12c],0x0
[...]
0000003E 4883C528 add rbp,byte +0x28
00000042 C9 leave
00000043 C3 ret

Signed-off-by: Jann Horn
---
 tools/testing/selftests/bpf/test_verifier.c | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 3bacff0d6f91..71fb0be81b78 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -8729,6 +8729,40 @@ static struct bpf_test tests[] = { .prog_type = BPF_PROG_TYPE_XDP, .result = ACCEPT, }, + { + "calls: stack overflow using two frames (pre-call access)", + .insns = { + /* prog 1 */ + BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), + BPF_EXIT_INSN(), + + /* prog 2 */ + BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_XDP, + .errstr = "combined stack size", + .result = REJECT, + }, + { + "calls: stack overflow using two frames (post-call access)", + .insns = { + /* prog 1 */ + BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2), + BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), + BPF_EXIT_INSN(), + + /* prog 2 */ + BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .prog_type = BPF_PROG_TYPE_XDP, + .errstr = "combined stack size", + .result = REJECT, + }, { "calls: spill into caller stack frame", .insns = {
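Review bot: the second case, "calls: stack overflow using two frames (post-call access)", is declared with `.result = REJECT` and `.errstr = "combined stack size"`, but the cover text says the current verifier loads it ("Unexpected success to load!", "processed 6 insns, stack depth 300+300"), so applied on its own this hunk leaves test_verifier with one failing case; it should be merged together with, or sequenced after, the verifier change that makes a late caller stack increase count against the combined limit, or the commit message should state that the test is expected to fail until then. The instruction layout itself is consistent: in the first case the call at index 1 with offset 1 lands on index 3 (prog 2), and in the second case the call at index 0 with offset 2 also lands on index 3, matching the "call pc+2" in the quoted log, and both frames write at r10-300 so each frame needs 300 bytes. Consider adding a companion ACCEPT case with the same call-then-access shape but two frames that fit within the limit, so that whatever fix lands is checked for being exact rather than merely stricter.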
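The following is an added example, not part of the patch and not kernel code: a small model of the verifier's combined stack-size check that reproduces both selftests above. It contrasts the per-access "sum the depths known so far for the frames on the live call chain" accounting described in the cover text (which lets a caller that grows its stack only after the callee has returned slip through) with a post-verification walk over the call graph once every subprogram's depth is final. The instruction encoding, the names walk/max_chain_depth/run_case and the three sample programs are this example's own constructions; the 512-byte limit is the kernel's MAX_BPF_STACK and the 300-byte accesses come from the patch.

```c
/* Toy model of the BPF verifier's combined stack-size check (added example,
 * not kernel code). Encoding, names and sample programs are constructed here;
 * MAX_STACK mirrors MAX_BPF_STACK, MAX_FRAMES mirrors MAX_CALL_FRAMES. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_STACK  512
#define MAX_INSNS  32
#define MAX_FRAMES 8

enum op { OP_STACK, OP_CALL, OP_EXIT };
enum verdict { ACCEPT = 0, REJECT = 1 };

/* OP_STACK arg: offset from r10 (negative); OP_CALL arg: target insn index */
struct insn { enum op op; int arg; };

struct prog {
    struct insn insns[MAX_INSNS];
    int n;
    int depth[MAX_INSNS];   /* max stack use per subprog, indexed by entry insn */
};

/* Straight-line simulation of one subprogram (the toy has no branches).
 * chain[] holds the entry index of every live frame, like cur->frame[i].
 * With running_check set, the pre-fix style check is applied at each stack
 * access: sum the depths known *so far* for the frames on the live chain. */
static bool walk(struct prog *p, int start, int *chain, int nframes,
                 bool running_check)
{
    if (nframes >= MAX_FRAMES)
        return false;
    chain[nframes++] = start;

    for (int pc = start; pc < p->n; pc++) {
        const struct insn *in = &p->insns[pc];
        switch (in->op) {
        case OP_STACK: {
            int need = -in->arg;
            if (need > p->depth[start])
                p->depth[start] = need;
            if (running_check) {
                int total = 0;
                for (int i = 0; i < nframes; i++)
                    total += p->depth[chain[i]];
                /* A caller that only grows its stack after the callee has
                 * returned is never summed with that callee: call-then-grow
                 * passes here with total == 300 at every access. */
                if (total > MAX_STACK)
                    return false;
            }
            break;
        }
        case OP_CALL:
            if (!walk(p, in->arg, chain, nframes, running_check))
                return false;
            break;
        case OP_EXIT:
            return true;
        }
    }
    return true;
}

/* Post-verification call-graph walk: every subprog's depth is final now, so
 * the largest sum along any call chain is what the program can really use.
 * (The kernel additionally rounds each frame up to 32-byte granularity.) */
static int max_chain_depth(const struct prog *p, int start, int nframes)
{
    int here = p->depth[start], worst = here;
    if (nframes > MAX_FRAMES)
        return MAX_STACK + 1;
    for (int pc = start; pc < p->n && p->insns[pc].op != OP_EXIT; pc++) {
        if (p->insns[pc].op != OP_CALL)
            continue;
        int sub = here + max_chain_depth(p, p->insns[pc].arg, nframes + 1);
        if (sub > worst)
            worst = sub;
    }
    return worst;
}

/* fixed == false: per-access running check only; fixed == true: running
 * depths are collected, then the call graph is checked once at the end. */
enum verdict run_case(const struct insn *src, int n, bool fixed)
{
    struct prog p;
    int chain[MAX_FRAMES];

    memset(&p, 0, sizeof p);
    memcpy(p.insns, src, n * sizeof *src);
    p.n = n;

    if (!walk(&p, 0, chain, 0, !fixed))
        return REJECT;
    if (fixed && max_chain_depth(&p, 0, 1) > MAX_STACK)
        return REJECT;
    return ACCEPT;
}

#define N(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* The two programs from the patch, in the toy encoding (constructed). */
static const struct insn PRE_CALL[] = {
    {OP_STACK, -300}, {OP_CALL, 3}, {OP_EXIT, 0},   /* prog 1 */
    {OP_STACK, -300}, {OP_EXIT, 0},                 /* prog 2 */
};
static const struct insn POST_CALL[] = {
    {OP_CALL, 3}, {OP_STACK, -300}, {OP_EXIT, 0},   /* prog 1 */
    {OP_STACK, -300}, {OP_EXIT, 0},                 /* prog 2 */
};
/* 200 + 200 = 400 bytes: a call-then-grow program that must stay accepted. */
static const struct insn SMALL[] = {
    {OP_CALL, 3}, {OP_STACK, -200}, {OP_EXIT, 0},
    {OP_STACK, -200}, {OP_EXIT, 0},
};

static const char *name(enum verdict v) { return v == REJECT ? "REJECT" : "ACCEPT"; }

int main(void)
{
    printf("pre-call : running=%s  graph=%s\n",
           name(run_case(PRE_CALL, N(PRE_CALL), false)),
           name(run_case(PRE_CALL, N(PRE_CALL), true)));
    printf("post-call: running=%s  graph=%s\n",
           name(run_case(POST_CALL, N(POST_CALL), false)),
           name(run_case(POST_CALL, N(POST_CALL), true)));
    printf("small    : running=%s  graph=%s\n",
           name(run_case(SMALL, N(SMALL), false)),
           name(run_case(SMALL, N(SMALL), true)));
    return 0;
}
```

The running check rejects the pre-call program (at the callee's access the chain already carries 300 for the caller) but accepts the post-call one, exactly the split the cover text reports; the call-graph walk rejects both at 600 bytes and still accepts the 400-byte program, which is the property a fix has to preserve.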