Author | Tokens | Token Proportion | Commits | Commit Proportion |
---|---|---|---|---|
David Vernet | 648 | 77.23% | 1 | 20.00% |
Joanne Koong | 103 | 12.28% | 1 | 20.00% |
Kumar Kartikeya Dwivedi | 59 | 7.03% | 1 | 20.00% |
Matt Bobrowski | 28 | 3.34% | 1 | 20.00% |
Andrii Nakryiko | 1 | 0.12% | 1 | 20.00% |
Total | 839 | 5 |
// SPDX-License-Identifier: GPL-2.0 /* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */ #include <linux/bpf.h> #include <bpf/bpf_helpers.h> #include "bpf_misc.h" char _license[] SEC("license") = "GPL"; struct sample { int pid; int seq; long value; char comm[16]; }; struct { __uint(type, BPF_MAP_TYPE_USER_RINGBUF); __uint(max_entries, 4096); } user_ringbuf SEC(".maps"); struct { __uint(type, BPF_MAP_TYPE_RINGBUF); __uint(max_entries, 2); } ringbuf SEC(".maps"); static int map_value; static long bad_access1(struct bpf_dynptr *dynptr, void *context) { const struct sample *sample; sample = bpf_dynptr_data(dynptr - 1, 0, sizeof(*sample)); bpf_printk("Was able to pass bad pointer %lx\n", (__u64)dynptr - 1); return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to read before the pointer. */ SEC("?raw_tp") __failure __msg("negative offset dynptr_ptr ptr") int user_ringbuf_callback_bad_access1(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, bad_access1, NULL, 0); return 0; } static long bad_access2(struct bpf_dynptr *dynptr, void *context) { const struct sample *sample; sample = bpf_dynptr_data(dynptr + 1, 0, sizeof(*sample)); bpf_printk("Was able to pass bad pointer %lx\n", (__u64)dynptr + 1); return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to read past the end of the pointer. */ SEC("?raw_tp") __failure __msg("dereference of modified dynptr_ptr ptr") int user_ringbuf_callback_bad_access2(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, bad_access2, NULL, 0); return 0; } static long write_forbidden(struct bpf_dynptr *dynptr, void *context) { *((long *)dynptr) = 0; return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to write to that pointer. */ SEC("?raw_tp") __failure __msg("invalid mem access 'dynptr_ptr'") int user_ringbuf_callback_write_forbidden(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, write_forbidden, NULL, 0); return 0; } static long null_context_write(struct bpf_dynptr *dynptr, void *context) { *((__u64 *)context) = 0; return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to write to that pointer. */ SEC("?raw_tp") __failure __msg("invalid mem access 'scalar'") int user_ringbuf_callback_null_context_write(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, null_context_write, NULL, 0); return 0; } static long null_context_read(struct bpf_dynptr *dynptr, void *context) { __u64 id = *((__u64 *)context); bpf_printk("Read id %lu\n", id); return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to write to that pointer. */ SEC("?raw_tp") __failure __msg("invalid mem access 'scalar'") int user_ringbuf_callback_null_context_read(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, null_context_read, NULL, 0); return 0; } static long try_discard_dynptr(struct bpf_dynptr *dynptr, void *context) { bpf_ringbuf_discard_dynptr(dynptr, 0); return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to read past the end of the pointer. */ SEC("?raw_tp") __failure __msg("cannot release unowned const bpf_dynptr") int user_ringbuf_callback_discard_dynptr(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, try_discard_dynptr, NULL, 0); return 0; } static long try_submit_dynptr(struct bpf_dynptr *dynptr, void *context) { bpf_ringbuf_submit_dynptr(dynptr, 0); return 0; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to read past the end of the pointer. */ SEC("?raw_tp") __failure __msg("cannot release unowned const bpf_dynptr") int user_ringbuf_callback_submit_dynptr(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, try_submit_dynptr, NULL, 0); return 0; } static long invalid_drain_callback_return(struct bpf_dynptr *dynptr, void *context) { return 2; } /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should * not be able to write to that pointer. */ SEC("?raw_tp") __failure __msg("At callback return the register R0 has ") int user_ringbuf_callback_invalid_return(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, invalid_drain_callback_return, NULL, 0); return 0; } static long try_reinit_dynptr_mem(struct bpf_dynptr *dynptr, void *context) { bpf_dynptr_from_mem(&map_value, 4, 0, dynptr); return 0; } static long try_reinit_dynptr_ringbuf(struct bpf_dynptr *dynptr, void *context) { bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, dynptr); return 0; } SEC("?raw_tp") __failure __msg("Dynptr has to be an uninitialized dynptr") int user_ringbuf_callback_reinit_dynptr_mem(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, try_reinit_dynptr_mem, NULL, 0); return 0; } SEC("?raw_tp") __failure __msg("Dynptr has to be an uninitialized dynptr") int user_ringbuf_callback_reinit_dynptr_ringbuf(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, try_reinit_dynptr_ringbuf, NULL, 0); return 0; } __noinline long global_call_bpf_dynptr_data(struct bpf_dynptr *dynptr) { bpf_dynptr_data(dynptr, 0xA, 0xA); return 0; } static long callback_adjust_bpf_dynptr_reg_off(struct bpf_dynptr *dynptr, void *ctx) { global_call_bpf_dynptr_data(dynptr += 1024); return 0; } SEC("?raw_tp") __failure __msg("dereference of modified dynptr_ptr ptr R1 off=16384 disallowed") int user_ringbuf_callback_const_ptr_to_dynptr_reg_off(void *ctx) { bpf_user_ringbuf_drain(&user_ringbuf, callback_adjust_bpf_dynptr_reg_off, NULL, 0); return 0; }
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
Created with Cregit http://github.com/cregit/cregit
Version 2.0-RC1