linux-stable/tools
Daniel Borkmann 180486b430 bpf, selftests: Add test case for atomic fetch on spilled pointer
Test whether unprivileged would be able to leak the spilled pointer either
by exporting the returned value from the atomic{32,64} operation or by reading
and exporting the value from the stack after the atomic operation took place.

Note that for unprivileged, the below atomic cmpxchg test case named "Dest
pointer in r0 - succeed" is failing. The reason is that in the dst memory
location (r10 -8) there is the spilled register r10:

  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  0: (bf) r0 = r10
  1: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0
  1: (7b) *(u64 *)(r10 -8) = r0
  2: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0 fp-8_w=fp
  2: (b7) r1 = 0
  3: R0_w=fp0 R1_w=invP0 R10=fp0 fp-8_w=fp
  3: (db) r0 = atomic64_cmpxchg((u64 *)(r10 -8), r0, r1)
  4: R0_w=fp0 R1_w=invP0 R10=fp0 fp-8_w=mmmmmmmm
  4: (79) r1 = *(u64 *)(r0 -8)
  5: R0_w=fp0 R1_w=invP(id=0) R10=fp0 fp-8_w=mmmmmmmm
  5: (b7) r0 = 0
  6: R0_w=invP0 R1_w=invP(id=0) R10=fp0 fp-8_w=mmmmmmmm
  6: (95) exit

However, allowing this case for unprivileged is a bit useless given an
update with a new pointer will fail anyway:

  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  0: (bf) r0 = r10
  1: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0
  1: (7b) *(u64 *)(r10 -8) = r0
  2: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0 fp-8_w=fp
  2: (db) r0 = atomic64_cmpxchg((u64 *)(r10 -8), r0, r10)
  R10 leaks addr into mem

Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-14 19:33:06 -08:00
accounting
arch          tools headers UAPI: Sync x86's asm/kvm.h with the kernel sources  2021-11-18 10:08:07 -03:00
bootconfig    bootconfig: Cleanup dummy headers in tools/bootconfig  2021-10-10 22:16:02 -04:00
bpf           tools/resolve_btfids: Skip unresolved symbol warning for empty BTF sets  2021-12-02 13:39:46 -08:00
build         tools build: Remove needless libpython-version feature check that breaks test-all fast path  2021-12-06 21:57:53 -03:00
cgroup
counter       tools/counter: Create Counter tools  2021-10-17 10:54:16 +01:00
debugging
edid
firewire
firmware
gpio
hv
iio
include       tools/lib/lockdep: drop leftover liblockdep headers  2021-12-09 09:37:49 -08:00
io_uring
kvm/kvm_stat  KVM: kvm_stat: do not show halt_wait_ns  2021-10-18 14:07:18 -04:00
laptop
leds
lib           Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf  2021-11-16 16:53:48 -08:00
memory-model
objtool       objtool: Fix pv_ops noinstr validation  2021-12-03 09:11:42 +01:00
pci
pcmcia
perf          perf bpf_skel: Do not use typedef to avoid error on old clang  2021-12-06 21:57:53 -03:00
power
rcu           tools/rcu: Add an extract-stall script  2021-09-16 10:31:26 -07:00
scripts       tools, build: Add RISC-V to HOSTARCH parsing  2021-11-01 17:08:21 +01:00
spi
testing       bpf, selftests: Add test case for atomic fetch on spilled pointer  2021-12-14 19:33:06 -08:00
thermal/tmon
time
tracing       tools/latency-collector: Use correct size when writing queue_full_warning  2021-10-25 22:27:19 -04:00
usb           usb: testusb: Fix for showing the connection speed  2021-09-14 10:31:41 +02:00
virtio
vm            tools/vm/page-types.c: print file offset in hexadecimal  2021-11-06 13:30:40 -07:00
wmi
Makefile      tools/lib/lockdep: drop liblockdep  2021-11-12 11:07:17 -08:00