Commit 6079ae63 authored by Andrii Nakryiko's avatar Andrii Nakryiko
Browse files

Merge branch 'bpf-add-check-for-negative-uprobe-multi-offset' 

Jiri Olsa says:

====================
bpf: Add check for negative uprobe multi offset

hi,
adding the check for negative offset for uprobe multi link.

v2 changes:
- add more failure checks [Alan]
- move the offset retrieval/check up in the loop to be done earlier [Song]

thanks,
jirka
---
====================

Link: https://lore.kernel.org/r/20231217215538.3361991-1-jolsa@kernel.org


Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
parents e58aac1a f17d1a18

kernel/trace/bpf_trace.c

+6 −2
Original line number Diff line number Diff line
@@ -3391,15 +3391,19 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr 
		goto error_free;



	for (i = 0; i < cnt; i++) {

		if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {

		if (__get_user(uprobes[i].offset, uoffsets + i)) {

			err = -EFAULT;

			goto error_free;

		}

		if (uprobes[i].offset < 0) {

			err = -EINVAL;

			goto error_free;

		}

		if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {

			err = -EFAULT;

			goto error_free;

		}

		if (__get_user(uprobes[i].offset, uoffsets + i)) {

		if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {

			err = -EFAULT;

			goto error_free;

		}

tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c

+146 −3
Original line number Diff line number Diff line
@@ -239,23 +239,166 @@ static void test_attach_api_fails(void) 
	LIBBPF_OPTS(bpf_link_create_opts, opts);

	const char *path = "/proc/self/exe";

	struct uprobe_multi *skel = NULL;

	int prog_fd, link_fd = -1;

	unsigned long offset = 0;

	int link_fd = -1;



	skel = uprobe_multi__open_and_load();

	if (!ASSERT_OK_PTR(skel, "uprobe_multi__open_and_load"))

		goto cleanup;



	prog_fd = bpf_program__fd(skel->progs.uprobe_extra);



	/* abnormal cnt */

	opts.uprobe_multi.path = path;

	opts.uprobe_multi.offsets = &offset;

	opts.uprobe_multi.cnt = INT_MAX;

	link_fd = bpf_link_create(bpf_program__fd(skel->progs.uprobe), 0,

				  BPF_TRACE_UPROBE_MULTI, &opts);

	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -E2BIG, "big cnt"))

		goto cleanup;



	/* cnt is 0 */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = path,

		.uprobe_multi.offsets = (unsigned long *) &offset,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EINVAL, "cnt_is_zero"))

		goto cleanup;



	/* negative offset */

	offset = -1;

	opts.uprobe_multi.path = path;

	opts.uprobe_multi.offsets = (unsigned long *) &offset;

	opts.uprobe_multi.cnt = 1;



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EINVAL, "offset_is_negative"))

		goto cleanup;



	/* offsets is NULL */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = path,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EINVAL, "offsets_is_null"))

		goto cleanup;



	/* wrong offsets pointer */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = path,

		.uprobe_multi.offsets = (unsigned long *) 1,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EFAULT, "offsets_is_wrong"))

		goto cleanup;



	/* path is NULL */

	offset = 1;

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.offsets = (unsigned long *) &offset,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EINVAL, "path_is_null"))

		goto cleanup;



	/* wrong path pointer  */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = (const char *) 1,

		.uprobe_multi.offsets = (unsigned long *) &offset,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EFAULT, "path_is_wrong"))

		goto cleanup;



	/* wrong path type */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = "/",

		.uprobe_multi.offsets = (unsigned long *) &offset,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EBADF, "path_is_wrong_type"))

		goto cleanup;



	/* wrong cookies pointer */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = path,

		.uprobe_multi.offsets = (unsigned long *) &offset,

		.uprobe_multi.cookies = (__u64 *) 1ULL,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EFAULT, "cookies_is_wrong"))

		goto cleanup;



	/* wrong ref_ctr_offsets pointer */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = path,

		.uprobe_multi.offsets = (unsigned long *) &offset,

		.uprobe_multi.cookies = (__u64 *) &offset,

		.uprobe_multi.ref_ctr_offsets = (unsigned long *) 1,

		.uprobe_multi.cnt = 1,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EFAULT, "ref_ctr_offsets_is_wrong"))

		goto cleanup;



	/* wrong flags */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.flags = 1 << 31,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	if (!ASSERT_EQ(link_fd, -EINVAL, "wrong_flags"))

		goto cleanup;



	/* wrong pid */

	LIBBPF_OPTS_RESET(opts,

		.uprobe_multi.path = path,

		.uprobe_multi.offsets = (unsigned long *) &offset,

		.uprobe_multi.cnt = 1,

		.uprobe_multi.pid = -2,

	);



	link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);

	if (!ASSERT_ERR(link_fd, "link_fd"))

		goto cleanup;

	ASSERT_EQ(link_fd, -ESRCH, "pid_is_wrong");



cleanup:

	if (link_fd >= 0)

		close(link_fd);