selftests/bpf: Add test for writes to .rodata

borkmann · borkmann · commit 85a3fa6db47b · 2024-10-21T14:40:07.000Z
Add a small test to write a (verification-time) fixed vs unknown but bounded-sized buffer into .rodata BPF map and assert that both get rejected. # ./vmtest.sh -- ./test_progs -t verifier_const [...] ./test_progs -t verifier_const [ 1.418717] tsc: Refined TSC clocksource calibration: 3407.994 MHz [ 1.419113] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcde90a1, max_idle_ns: 440795222066 ns [ 1.419972] clocksource: Switched to clocksource tsc [ 1.449596] bpf_testmod: loading out-of-tree module taints kernel. [ 1.449958] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel torvalds#475/1 verifier_const/rodata/strtol: write rejected:OK torvalds#475/2 verifier_const/bss/strtol: write accepted:OK torvalds#475/3 verifier_const/data/strtol: write accepted:OK torvalds#475/4 verifier_const/rodata/mtu: write rejected:OK torvalds#475/5 verifier_const/bss/mtu: write accepted:OK torvalds#475/6 verifier_const/data/mtu: write accepted:OK torvalds#475/7 verifier_const/rodata/mark: write with unknown reg rejected:OK torvalds#475/8 verifier_const/rodata/mark: write with unknown reg rejected:OK torvalds#475 verifier_const:OK torvalds#476/1 verifier_const_or/constant register |= constant should keep constant type:OK torvalds#476/2 verifier_const_or/constant register |= constant should not bypass stack boundary checks:OK torvalds#476/3 verifier_const_or/constant register |= constant register should keep constant type:OK torvalds#476/4 verifier_const_or/constant register |= constant register should not bypass stack boundary checks:OK torvalds#476 verifier_const_or:OK Summary: 2/12 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
diff --git a/tools/testing/selftests/bpf/progs/verifier_const.c b/tools/testing/selftests/bpf/progs/verifier_const.c
@@ -1,8 +1,9 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Copyright (c) 2024 Isovalent */
 
-#include <linux/bpf.h>
+#include "vmlinux.h"
 #include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
 #include "bpf_misc.h"
 
 const volatile long foo = 42;
@@ -66,4 +67,32 @@ int tcx6(struct __sk_buff *skb)
 	return TCX_PASS;
 }
 
+static inline void write_fixed(volatile void *p, __u32 val)
+{
+	*(volatile __u32 *)p = val;
+}
+
+static inline void write_dyn(void *p, void *val, int len)
+{
+	bpf_copy_from_user(p, len, val);
+}
+
+SEC("tc/ingress")
+__description("rodata/mark: write with unknown reg rejected")
+__failure __msg("write into map forbidden")
+int tcx7(struct __sk_buff *skb)
+{
+	write_fixed((void *)&foo, skb->mark);
+	return TCX_PASS;
+}
+
+SEC("lsm.s/bprm_committed_creds")
+__description("rodata/mark: write with unknown reg rejected")
+__failure __msg("write into map forbidden")
+int BPF_PROG(bprm, struct linux_binprm *bprm)
+{
+	write_dyn((void *)&foo, &bart, bpf_get_prandom_u32() & 3);
+	return 0;
+}
+
 char LICENSE[] SEC("license") = "GPL";
