From patchwork Thu Nov 10 08:56:13 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alban Crequy <albancrequy@linux.microsoft.com>
X-Patchwork-Id: 624342
Return-Path: <linux-kselftest-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id BC550C4332F
 for <linux-kselftest@archiver.kernel.org>;
 Thu, 10 Nov 2022 08:56:47 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229447AbiKJI4q (ORCPT
 <rfc822;linux-kselftest@archiver.kernel.org>);
 Thu, 10 Nov 2022 03:56:46 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33418 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229667AbiKJI4n (ORCPT
 <rfc822;linux-kselftest@vger.kernel.org>);
 Thu, 10 Nov 2022 03:56:43 -0500
Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
 by lindbergh.monkeyblade.net (Postfix) with ESMTP id EEA5A40912;
 Thu, 10 Nov 2022 00:56:42 -0800 (PST)
Received: from neptune.. (ip5f592f1a.dynamic.kabel-deutschland.de
 [95.89.47.26])
 by linux.microsoft.com (Postfix) with ESMTPSA id 5F1F520E67BB;
 Thu, 10 Nov 2022 00:56:38 -0800 (PST)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 5F1F520E67BB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
 s=default; t=1668070602;
 bh=GmmcWRHXej2dQfvPtFxEWyzjKiiDadj2sFvtiycrCxE=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=ReyQjGm7vcTT5+EjufyZiuYxT3zEfu/hTGvQWVZ92UX8yY08quVAEEli7XHPUthHf
 oApL7sM0Xh/X4wP2quDfqW+lqR5FS6mamP608xvZ2/8K6VR2A289QbxueA23eoZPjZ
 RvasQusIguP7/J6k4RoRicSk4O9IuZAGqMhnBRqA=
From: Alban Crequy <albancrequy@linux.microsoft.com>
To: bpf@vger.kernel.org
Cc: stable@vger.kernel.org, albancrequy@linux.microsoft.com,
 flaniel@linux.microsoft.com, akpm@linux-foundation.org,
 andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net,
 haoluo@google.com, john.fastabend@gmail.com, jolsa@kernel.org,
 kpsingh@kernel.org, linux-kernel@vger.kernel.org,
 linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
 martin.lau@linux.dev, mykolal@fb.com, sdf@google.com,
 shuah@kernel.org, song@kernel.org, yhs@fb.com
Subject: [PATCH bpf v2 1/2] maccess: fix writing offset in case of fault in
 strncpy_from_kernel_nofault()
Date: Thu, 10 Nov 2022 09:56:13 +0100
Message-Id: <20221110085614.111213-2-albancrequy@linux.microsoft.com>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20221110085614.111213-1-albancrequy@linux.microsoft.com>
References: <20221110085614.111213-1-albancrequy@linux.microsoft.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-kselftest.vger.kernel.org>
X-Mailing-List: linux-kselftest@vger.kernel.org

If a page fault occurs while copying the first byte, this function resets one
byte before dst.
As a consequence, an address could be modified and leaded to kernel crashes if
case the modified address was accessed later.

Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly")
Cc: <stable@vger.kernel.org> [5.8]
Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
Tested-by: Francis Laniel <flaniel@linux.microsoft.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
---

Changes v1 to v2:
- add 'cc:stable', 'Fixes:' and review tag
- fix my email
- rebase on bpf tree and tag for bpf tree
---
 mm/maccess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/maccess.c b/mm/maccess.c
index 5f4d240f67ec..074f6b086671 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
 	return src - unsafe_addr;
 Efault:
 	pagefault_enable();
-	dst[-1] = '\0';
+	dst[0] = '\0';
 	return -EFAULT;
 }
 

From patchwork Thu Nov 10 08:56:14 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alban Crequy <albancrequy@linux.microsoft.com>
X-Patchwork-Id: 623489
Return-Path: <linux-kselftest-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 83132C4332F
 for <linux-kselftest@archiver.kernel.org>;
 Thu, 10 Nov 2022 08:56:54 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S229657AbiKJI4v (ORCPT
 <rfc822;linux-kselftest@archiver.kernel.org>);
 Thu, 10 Nov 2022 03:56:51 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33418 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S229595AbiKJI4t (ORCPT
 <rfc822;linux-kselftest@vger.kernel.org>);
 Thu, 10 Nov 2022 03:56:49 -0500
Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182])
 by lindbergh.monkeyblade.net (Postfix) with ESMTP id BC76A43875;
 Thu, 10 Nov 2022 00:56:48 -0800 (PST)
Received: from neptune.. (ip5f592f1a.dynamic.kabel-deutschland.de
 [95.89.47.26])
 by linux.microsoft.com (Postfix) with ESMTPSA id 2A82320B9F82;
 Thu, 10 Nov 2022 00:56:43 -0800 (PST)
DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2A82320B9F82
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com;
 s=default; t=1668070608;
 bh=szRQl4NOiVgJGz/y76Fur+iBXK/NfJEkjgmsWKFSiWU=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
 b=nrXGpymqs4ouMJ0nRcC5r7dkMpIZK+4Vz2xiNtVc4FvCc7uU66XPckJEsAR2L2gbT
 yOKfI4o9Xz79KBhBz/hvhHlC9uWmr0uTEOYmUBnaCJeYif1Z/aH4DsEWIcHdsQxH5Y
 tqaUGVL0KodUOZn1Q4EI5XbphCHbF/q61DfvyENo=
From: Alban Crequy <albancrequy@linux.microsoft.com>
To: bpf@vger.kernel.org
Cc: stable@vger.kernel.org, albancrequy@linux.microsoft.com,
 flaniel@linux.microsoft.com, akpm@linux-foundation.org,
 andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net,
 haoluo@google.com, john.fastabend@gmail.com, jolsa@kernel.org,
 kpsingh@kernel.org, linux-kernel@vger.kernel.org,
 linux-kselftest@vger.kernel.org, linux-mm@kvack.org,
 martin.lau@linux.dev, mykolal@fb.com, sdf@google.com,
 shuah@kernel.org, song@kernel.org, yhs@fb.com
Subject: [PATCH bpf v2 2/2] selftests: bpf: add a test when
 bpf_probe_read_kernel_str() returns EFAULT
Date: Thu, 10 Nov 2022 09:56:14 +0100
Message-Id: <20221110085614.111213-3-albancrequy@linux.microsoft.com>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20221110085614.111213-1-albancrequy@linux.microsoft.com>
References: <20221110085614.111213-1-albancrequy@linux.microsoft.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <linux-kselftest.vger.kernel.org>
X-Mailing-List: linux-kselftest@vger.kernel.org

This commit tests previous fix of bpf_probe_read_kernel_str().

The BPF helper bpf_probe_read_kernel_str should return -EFAULT when
given a bad source pointer and the target buffer should only be modified
to make the string NULL terminated.

bpf_probe_read_kernel_str() was previously inserting a NULL before the
beginning of the dst buffer. This test should ensure that the
implementation stays correct for now on.

Without the fix, this test will fail as follows:
  $ cd tools/testing/selftests/bpf
  $ make
  $ sudo ./test_progs --name=varlen
  ...
  test_varlen:FAIL:check got 0 != exp 66

Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
Acked-by: Yonghong Song <yhs@fb.com>

Changes v1 to v2:
- add ack tag
- fix my email
- rebase on bpf tree and tag for bpf tree
---
 tools/testing/selftests/bpf/prog_tests/varlen.c | 7 +++++++
 tools/testing/selftests/bpf/progs/test_varlen.c | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/varlen.c b/tools/testing/selftests/bpf/prog_tests/varlen.c
index dd324b4933db..4d7056f8f177 100644
--- a/tools/testing/selftests/bpf/prog_tests/varlen.c
+++ b/tools/testing/selftests/bpf/prog_tests/varlen.c
@@ -63,6 +63,13 @@ void test_varlen(void)
 	CHECK_VAL(data->total4, size1 + size2);
 	CHECK(memcmp(data->payload4, exp_str, size1 + size2), "content_check",
 	      "doesn't match!\n");
+
+	CHECK_VAL(bss->ret_bad_read, -EFAULT);
+	CHECK_VAL(data->payload_bad[0], 0x42);
+	CHECK_VAL(data->payload_bad[1], 0x42);
+	CHECK_VAL(data->payload_bad[2], 0);
+	CHECK_VAL(data->payload_bad[3], 0x42);
+	CHECK_VAL(data->payload_bad[4], 0x42);
 cleanup:
 	test_varlen__destroy(skel);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_varlen.c b/tools/testing/selftests/bpf/progs/test_varlen.c
index 3987ff174f1f..20eb7d422c41 100644
--- a/tools/testing/selftests/bpf/progs/test_varlen.c
+++ b/tools/testing/selftests/bpf/progs/test_varlen.c
@@ -19,6 +19,7 @@ __u64 payload1_len1 = 0;
 __u64 payload1_len2 = 0;
 __u64 total1 = 0;
 char payload1[MAX_LEN + MAX_LEN] = {};
+__u64 ret_bad_read = 0;
 
 /* .data */
 int payload2_len1 = -1;
@@ -36,6 +37,8 @@ int payload4_len2 = -1;
 int total4= -1;
 char payload4[MAX_LEN + MAX_LEN] = { 1 };
 
+char payload_bad[5] = { 0x42, 0x42, 0x42, 0x42, 0x42 };
+
 SEC("raw_tp/sys_enter")
 int handler64_unsigned(void *regs)
 {
@@ -61,6 +64,8 @@ int handler64_unsigned(void *regs)
 
 	total1 = payload - (void *)payload1;
 
+	ret_bad_read = bpf_probe_read_kernel_str(payload_bad + 2, 1, (void *) -1);
+
 	return 0;
 }