
Commit 6079ae6

committed
Merge branch 'bpf-add-check-for-negative-uprobe-multi-offset'
Jiri Olsa says: ==================== bpf: Add check for negative uprobe multi offset hi, adding the check for negative offset for uprobe multi link. v2 changes: - add more failure checks [Alan] - move the offset retrieval/check up in the loop to be done earlier [Song] thanks, jirka --- ==================== Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Andrii Nakryiko <[email protected]>
2 parents e58aac1 + f17d1a1 commit 6079ae6


2 files changed

+152
-5
lines changed


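--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -3391,15 +3391,19 @@ int bpf_uprobe_multi_link_attach(const union bpf_attr *attr, struct bpf_prog *pr
 goto error_free;
 
 for (i = 0; i < cnt; i++) {
-if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
+if (__get_user(uprobes[i].offset, uoffsets + i)) {
 err = -EFAULT;
 goto error_free;
 }
+if (uprobes[i].offset < 0) {
+err = -EINVAL;
+goto error_free;
+}
 if (uref_ctr_offsets && __get_user(uprobes[i].ref_ctr_offset, uref_ctr_offsets + i)) {
 err = -EFAULT;
 goto error_free;
 }
-if (__get_user(uprobes[i].offset, uoffsets + i)) {
+if (ucookies && __get_user(uprobes[i].cookie, ucookies + i)) {
 err = -EFAULT;
 goto error_free;
 }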
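Review bot: The three user reads in the reordered loop still go through `__get_user()`, which does no address-range check of its own, and no `access_ok()` on `uoffsets`, `uref_ctr_offsets` or `ucookies` is visible in this hunk. bpf_uprobe_multi_link_attach starts and ends outside the hunk, so the ranges may be validated earlier; if they are not, the checked accessor is the safer form, e.g. `if (get_user(uprobes[i].offset, uoffsets + i)) {` and likewise for the other two reads. The new `< 0` test would also benefit from a one-line comment such as `/* offsets come from user space as unsigned long; reject values that read as negative once stored */`, because the signedness of the `offset` field is not visible here and the check only makes sense if that field is signed.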

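--- a/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
+++ b/tools/testing/selftests/bpf/prog_tests/uprobe_multi_test.c
@@ -239,23 +239,166 @@ static void test_attach_api_fails(void)
 LIBBPF_OPTS(bpf_link_create_opts, opts);
 const char *path = "/proc/self/exe";
 struct uprobe_multi *skel = NULL;
+int prog_fd, link_fd = -1;
 unsigned long offset = 0;
-int link_fd = -1;
 
 skel = uprobe_multi__open_and_load();
 if (!ASSERT_OK_PTR(skel, "uprobe_multi__open_and_load"))
 goto cleanup;
 
+prog_fd = bpf_program__fd(skel->progs.uprobe_extra);
+
 /* abnormal cnt */
 opts.uprobe_multi.path = path;
 opts.uprobe_multi.offsets = &offset;
 opts.uprobe_multi.cnt = INT_MAX;
-link_fd = bpf_link_create(bpf_program__fd(skel->progs.uprobe), 0,
-BPF_TRACE_UPROBE_MULTI, &opts);
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
 if (!ASSERT_ERR(link_fd, "link_fd"))
 goto cleanup;
 if (!ASSERT_EQ(link_fd, -E2BIG, "big cnt"))
 goto cleanup;
+
+/* cnt is 0 */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = path,
+.uprobe_multi.offsets = (unsigned long *) &offset,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EINVAL, "cnt_is_zero"))
+goto cleanup;
+
+/* negative offset */
+offset = -1;
+opts.uprobe_multi.path = path;
+opts.uprobe_multi.offsets = (unsigned long *) &offset;
+opts.uprobe_multi.cnt = 1;
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EINVAL, "offset_is_negative"))
+goto cleanup;
+
+/* offsets is NULL */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = path,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EINVAL, "offsets_is_null"))
+goto cleanup;
+
+/* wrong offsets pointer */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = path,
+.uprobe_multi.offsets = (unsigned long *) 1,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EFAULT, "offsets_is_wrong"))
+goto cleanup;
+
+/* path is NULL */
+offset = 1;
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.offsets = (unsigned long *) &offset,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EINVAL, "path_is_null"))
+goto cleanup;
+
+/* wrong path pointer */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = (const char *) 1,
+.uprobe_multi.offsets = (unsigned long *) &offset,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EFAULT, "path_is_wrong"))
+goto cleanup;
+
+/* wrong path type */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = "/",
+.uprobe_multi.offsets = (unsigned long *) &offset,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EBADF, "path_is_wrong_type"))
+goto cleanup;
+
+/* wrong cookies pointer */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = path,
+.uprobe_multi.offsets = (unsigned long *) &offset,
+.uprobe_multi.cookies = (__u64 *) 1ULL,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EFAULT, "cookies_is_wrong"))
+goto cleanup;
+
+/* wrong ref_ctr_offsets pointer */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = path,
+.uprobe_multi.offsets = (unsigned long *) &offset,
+.uprobe_multi.cookies = (__u64 *) &offset,
+.uprobe_multi.ref_ctr_offsets = (unsigned long *) 1,
+.uprobe_multi.cnt = 1,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EFAULT, "ref_ctr_offsets_is_wrong"))
+goto cleanup;
+
+/* wrong flags */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.flags = 1 << 31,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+if (!ASSERT_EQ(link_fd, -EINVAL, "wrong_flags"))
+goto cleanup;
+
+/* wrong pid */
+LIBBPF_OPTS_RESET(opts,
+.uprobe_multi.path = path,
+.uprobe_multi.offsets = (unsigned long *) &offset,
+.uprobe_multi.cnt = 1,
+.uprobe_multi.pid = -2,
+);
+
+link_fd = bpf_link_create(prog_fd, 0, BPF_TRACE_UPROBE_MULTI, &opts);
+if (!ASSERT_ERR(link_fd, "link_fd"))
+goto cleanup;
+ASSERT_EQ(link_fd, -ESRCH, "pid_is_wrong");
+
 cleanup:
 if (link_fd >= 0)
 close(link_fd);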
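Review bot: In the "wrong flags" case, `.uprobe_multi.flags = 1 << 31,` shifts a signed int into its sign bit, which is undefined behaviour in C; `.uprobe_multi.flags = 1U << 31,` gives the same bit pattern without it. The "negative offset" case only covers `cnt = 1` with `offset = -1`, so rejection of a bad entry at a later index, after earlier entries were accepted, is not exercised; a second case with a two-element array whose second offset is negative would cover that. That case also assigns the `opts` fields directly instead of using `LIBBPF_OPTS_RESET` like its neighbours, so it inherits whatever the previous case left set. test_attach_api_fails begins before and continues after this hunk.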
