[PATCH 3/3] selftests/bpf: Add test case for defence against SSB exploitation

From: Ben Hutchings
Date: Fri Nov 23 2018 - 13:35:19 EST


Test that the defence added by commit af86ca4e3088 "bpf: Prevent
memory disambiguation attack" is actually being applied.

Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
---
tools/testing/selftests/bpf/test_verifier.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index e71b7f2e5f17..ca21a63541b0 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -13927,6 +13927,21 @@ static struct bpf_test tests[] = {
.result = ACCEPT,
},
{
+ "reference tracking: defend against SSB exploitation",
+ .insns = {
+ BPF_MOV32_IMM(BPF_REG_2, 1),
+ /* stack[-1] = (integer) 1 */
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
+ /* stack[-1] = (pointer) context */
+ BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
+ BPF_MOV32_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .infostr_unpriv = "patching in sanitization against SSB at 2",
+ .result_unpriv = ACCEPT,
+ .result = ACCEPT,
+ },
+ {
"calls: ctx read at start of subprog",
.insns = {
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
--
Ben Hutchings, Software Developer Codethink Ltd
https://www.codethink.co.uk/ Dale House, 35 Dale Street
Manchester, M1 2HF, United Kingdom