tools/testing/selftests/bpf/prog_tests/bpf_mod_race.c - linux - Git at Google

 // SPDX-License-Identifier: GPL-2.0
 #include <unistd.h>
 #include <pthread.h>
 #include <sys/mman.h>
 #include <stdatomic.h>
 #include <test_progs.h>
 #include <sys/syscall.h>
 #include <linux/module.h>
 #include <linux/userfaultfd.h>

 #include "ksym_race.skel.h"
 #include "bpf_mod_race.skel.h"
 #include "kfunc_call_race.skel.h"
 #include "testing_helpers.h"

 /* This test crafts a race between btf_try_get_module and do_init_module, and
  * checks whether btf_try_get_module handles the invocation for a well-formed
  * but uninitialized module correctly. Unless the module has completed its
  * initcalls, the verifier should fail the program load and return ENXIO.
  *
  * userfaultfd is used to trigger a fault in an fmod_ret program, and make it
  * sleep, then the BPF program is loaded and the return value from verifier is
  * inspected. After this, the userfaultfd is closed so that the module loading
  * thread makes forward progress, and fmod_ret injects an error so that the
  * module load fails and it is freed.
  *
  * If the verifier succeeded in loading the supplied program, it will end up
  * taking reference to freed module, and trigger a crash when the program fd
  * is closed later. This is true for both kfuncs and ksyms. In both cases,
  * the crash is triggered inside bpf_prog_free_deferred, when module reference
  * is finally released.
  */

 struct test_config {
 	const char *str_open;
 	void *(*bpf_open_and_load)();
 	void (*bpf_destroy)(void *);
 };

 enum bpf_test_state {
 	_TS_INVALID,
 	TS_MODULE_LOAD,
 	TS_MODULE_LOAD_FAIL,
 };

 static _Atomic enum bpf_test_state state = _TS_INVALID;

 static void *load_module_thread(void *p)
 {

 	if (!ASSERT_NEQ(load_bpf_testmod(false), 0, "load_module_thread must fail"))
 		atomic_store(&state, TS_MODULE_LOAD);
 	else
 		atomic_store(&state, TS_MODULE_LOAD_FAIL);
 	return p;
 }

 static int sys_userfaultfd(int flags)
 {
 	return syscall(__NR_userfaultfd, flags);
 }

 static int test_setup_uffd(void *fault_addr)
 {
 	struct uffdio_register uffd_register = {};
 	struct uffdio_api uffd_api = {};
 	int uffd;

 	uffd = sys_userfaultfd(O_CLOEXEC);
 	if (uffd < 0)
 		return -errno;

 	uffd_api.api = UFFD_API;
 	uffd_api.features = 0;
 	if (ioctl(uffd, UFFDIO_API, &uffd_api)) {
 		close(uffd);
 		return -1;
 	}

 	uffd_register.range.start = (unsigned long)fault_addr;
 	uffd_register.range.len = 4096;
 	uffd_register.mode = UFFDIO_REGISTER_MODE_MISSING;
 	if (ioctl(uffd, UFFDIO_REGISTER, &uffd_register)) {
 		close(uffd);
 		return -1;
 	}
 	return uffd;
 }

 static void test_bpf_mod_race_config(const struct test_config *config)
 {
 	void *fault_addr, *skel_fail;
 	struct bpf_mod_race *skel;
 	struct uffd_msg uffd_msg;
 	pthread_t load_mod_thrd;
 	_Atomic int *blockingp;
 	int uffd, ret;

 	fault_addr = mmap(0, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
 	if (!ASSERT_NEQ(fault_addr, MAP_FAILED, "mmap for uffd registration"))
 		return;

 	if (!ASSERT_OK(unload_bpf_testmod(false), "unload bpf_testmod"))
 		goto end_mmap;

 	skel = bpf_mod_race__open();
 	if (!ASSERT_OK_PTR(skel, "bpf_mod_kfunc_race__open"))
 		goto end_module;

 	skel->rodata->bpf_mod_race_config.tgid = getpid();
 	skel->rodata->bpf_mod_race_config.inject_error = -4242;
 	skel->rodata->bpf_mod_race_config.fault_addr = fault_addr;
 	if (!ASSERT_OK(bpf_mod_race__load(skel), "bpf_mod___load"))
 		goto end_destroy;
 	blockingp = (_Atomic int *)&skel->bss->bpf_blocking;

 	if (!ASSERT_OK(bpf_mod_race__attach(skel), "bpf_mod_kfunc_race__attach"))
 		goto end_destroy;

 	uffd = test_setup_uffd(fault_addr);
 	if (!ASSERT_GE(uffd, 0, "userfaultfd open + register address"))
 		goto end_destroy;

 	if (!ASSERT_OK(pthread_create(&load_mod_thrd, NULL, load_module_thread, NULL),
 		       "load module thread"))
 		goto end_uffd;

 	/* Now, we either fail loading module, or block in bpf prog, spin to find out */
 	while (!atomic_load(&state) && !atomic_load(blockingp))
 		;
 	if (!ASSERT_EQ(state, _TS_INVALID, "module load should block"))
 		goto end_join;
 	if (!ASSERT_EQ(*blockingp, 1, "module load blocked")) {
 		pthread_kill(load_mod_thrd, SIGKILL);
 		goto end_uffd;
 	}

 	/* We might have set bpf_blocking to 1, but may have not blocked in
 	 * bpf_copy_from_user. Read userfaultfd descriptor to verify that.
 	 */
 	if (!ASSERT_EQ(read(uffd, &uffd_msg, sizeof(uffd_msg)), sizeof(uffd_msg),
 		       "read uffd block event"))
 		goto end_join;
 	if (!ASSERT_EQ(uffd_msg.event, UFFD_EVENT_PAGEFAULT, "read uffd event is pagefault"))
 		goto end_join;

 	/* We know that load_mod_thrd is blocked in the fmod_ret program, the
 	 * module state is still MODULE_STATE_COMING because mod->init hasn't
 	 * returned. This is the time we try to load a program calling kfunc and
 	 * check if we get ENXIO from verifier.
 	 */
 	skel_fail = config->bpf_open_and_load();
 	ret = errno;
 	if (!ASSERT_EQ(skel_fail, NULL, config->str_open)) {
 		/* Close uffd to unblock load_mod_thrd */
 		close(uffd);
 		uffd = -1;
 		while (atomic_load(blockingp) != 2)
 			;
 		ASSERT_OK(kern_sync_rcu(), "kern_sync_rcu");
 		config->bpf_destroy(skel_fail);
 		goto end_join;

 	}
 	ASSERT_EQ(ret, ENXIO, "verifier returns ENXIO");
 	ASSERT_EQ(skel->data->res_try_get_module, false, "btf_try_get_module == false");

 	close(uffd);
 	uffd = -1;
 end_join:
 	pthread_join(load_mod_thrd, NULL);
 	if (uffd < 0)
 		ASSERT_EQ(atomic_load(&state), TS_MODULE_LOAD_FAIL, "load_mod_thrd success");
 end_uffd:
 	if (uffd >= 0)
 		close(uffd);
 end_destroy:
 	bpf_mod_race__destroy(skel);
 	ASSERT_OK(kern_sync_rcu(), "kern_sync_rcu");
 end_module:
 	unload_bpf_testmod(false);
 	ASSERT_OK(load_bpf_testmod(false), "restore bpf_testmod");
 end_mmap:
 	munmap(fault_addr, 4096);
 	atomic_store(&state, _TS_INVALID);
 }

 static const struct test_config ksym_config = {
 	.str_open = "ksym_race__open_and_load",
 	.bpf_open_and_load = (void *)ksym_race__open_and_load,
 	.bpf_destroy = (void *)ksym_race__destroy,
 };

 static const struct test_config kfunc_config = {
 	.str_open = "kfunc_call_race__open_and_load",
 	.bpf_open_and_load = (void *)kfunc_call_race__open_and_load,
 	.bpf_destroy = (void *)kfunc_call_race__destroy,
 };

 void serial_test_bpf_mod_race(void)
 {
 	if (test__start_subtest("ksym (used_btfs UAF)"))
 		test_bpf_mod_race_config(&ksym_config);
 	if (test__start_subtest("kfunc (kfunc_btf_tab UAF)"))
 		test_bpf_mod_race_config(&kfunc_config);
 }
	// SPDX-License-Identifier: GPL-2.0
	#include <unistd.h>
	#include <pthread.h>
	#include <sys/mman.h>
	#include <stdatomic.h>
	#include <test_progs.h>
	#include <sys/syscall.h>
	#include <linux/module.h>
	#include <linux/userfaultfd.h>

	#include "ksym_race.skel.h"
	#include "bpf_mod_race.skel.h"
	#include "kfunc_call_race.skel.h"
	#include "testing_helpers.h"

	/* This test crafts a race between btf_try_get_module and do_init_module, and
	* checks whether btf_try_get_module handles the invocation for a well-formed
	* but uninitialized module correctly. Unless the module has completed its
	* initcalls, the verifier should fail the program load and return ENXIO.
	*
	* userfaultfd is used to trigger a fault in an fmod_ret program, and make it
	* sleep, then the BPF program is loaded and the return value from verifier is
	* inspected. After this, the userfaultfd is closed so that the module loading
	* thread makes forward progress, and fmod_ret injects an error so that the
	* module load fails and it is freed.
	*
	* If the verifier succeeded in loading the supplied program, it will end up
	* taking reference to freed module, and trigger a crash when the program fd
	* is closed later. This is true for both kfuncs and ksyms. In both cases,
	* the crash is triggered inside bpf_prog_free_deferred, when module reference
	* is finally released.
	*/

	struct test_config {
	const char *str_open;
	void (bpf_open_and_load)();
	void (bpf_destroy)(void );
	};

	enum bpf_test_state {
	_TS_INVALID,
	TS_MODULE_LOAD,
	TS_MODULE_LOAD_FAIL,
	};

	static _Atomic enum bpf_test_state state = _TS_INVALID;

	static void load_module_thread(void p)
	{

	if (!ASSERT_NEQ(load_bpf_testmod(false), 0, "load_module_thread must fail"))
	atomic_store(&state, TS_MODULE_LOAD);
	else
	atomic_store(&state, TS_MODULE_LOAD_FAIL);
	return p;
	}

	static int sys_userfaultfd(int flags)
	{
	return syscall(__NR_userfaultfd, flags);
	}

	static int test_setup_uffd(void *fault_addr)
	{
	struct uffdio_register uffd_register = {};
	struct uffdio_api uffd_api = {};
	int uffd;

	uffd = sys_userfaultfd(O_CLOEXEC);
	if (uffd < 0)
	return -errno;

	uffd_api.api = UFFD_API;
	uffd_api.features = 0;
	if (ioctl(uffd, UFFDIO_API, &uffd_api)) {
	close(uffd);
	return -1;
	}

	uffd_register.range.start = (unsigned long)fault_addr;
	uffd_register.range.len = 4096;
	uffd_register.mode = UFFDIO_REGISTER_MODE_MISSING;
	if (ioctl(uffd, UFFDIO_REGISTER, &uffd_register)) {
	close(uffd);
	return -1;
	}
	return uffd;
	}

	static void test_bpf_mod_race_config(const struct test_config *config)
	{
	void fault_addr, skel_fail;
	struct bpf_mod_race *skel;
	struct uffd_msg uffd_msg;
	pthread_t load_mod_thrd;
	_Atomic int *blockingp;
	int uffd, ret;

	fault_addr = mmap(0, 4096, PROT_READ, MAP_PRIVATE \| MAP_ANONYMOUS, -1, 0);
	if (!ASSERT_NEQ(fault_addr, MAP_FAILED, "mmap for uffd registration"))
	return;

	if (!ASSERT_OK(unload_bpf_testmod(false), "unload bpf_testmod"))
	goto end_mmap;

	skel = bpf_mod_race__open();
	if (!ASSERT_OK_PTR(skel, "bpf_mod_kfunc_race__open"))
	goto end_module;

	skel->rodata->bpf_mod_race_config.tgid = getpid();
	skel->rodata->bpf_mod_race_config.inject_error = -4242;
	skel->rodata->bpf_mod_race_config.fault_addr = fault_addr;
	if (!ASSERT_OK(bpf_mod_race__load(skel), "bpf_mod___load"))
	goto end_destroy;
	blockingp = (_Atomic int *)&skel->bss->bpf_blocking;

	if (!ASSERT_OK(bpf_mod_race__attach(skel), "bpf_mod_kfunc_race__attach"))
	goto end_destroy;

	uffd = test_setup_uffd(fault_addr);
	if (!ASSERT_GE(uffd, 0, "userfaultfd open + register address"))
	goto end_destroy;

	if (!ASSERT_OK(pthread_create(&load_mod_thrd, NULL, load_module_thread, NULL),
	"load module thread"))
	goto end_uffd;

	/* Now, we either fail loading module, or block in bpf prog, spin to find out */
	while (!atomic_load(&state) && !atomic_load(blockingp))
	;
	if (!ASSERT_EQ(state, _TS_INVALID, "module load should block"))
	goto end_join;
	if (!ASSERT_EQ(*blockingp, 1, "module load blocked")) {
	pthread_kill(load_mod_thrd, SIGKILL);
	goto end_uffd;
	}

	/* We might have set bpf_blocking to 1, but may have not blocked in
	* bpf_copy_from_user. Read userfaultfd descriptor to verify that.
	*/
	if (!ASSERT_EQ(read(uffd, &uffd_msg, sizeof(uffd_msg)), sizeof(uffd_msg),
	"read uffd block event"))
	goto end_join;
	if (!ASSERT_EQ(uffd_msg.event, UFFD_EVENT_PAGEFAULT, "read uffd event is pagefault"))
	goto end_join;

	/* We know that load_mod_thrd is blocked in the fmod_ret program, the
	* module state is still MODULE_STATE_COMING because mod->init hasn't
	* returned. This is the time we try to load a program calling kfunc and
	* check if we get ENXIO from verifier.
	*/
	skel_fail = config->bpf_open_and_load();
	ret = errno;
	if (!ASSERT_EQ(skel_fail, NULL, config->str_open)) {
	/* Close uffd to unblock load_mod_thrd */
	close(uffd);
	uffd = -1;
	while (atomic_load(blockingp) != 2)
	;
	ASSERT_OK(kern_sync_rcu(), "kern_sync_rcu");
	config->bpf_destroy(skel_fail);
	goto end_join;

	}
	ASSERT_EQ(ret, ENXIO, "verifier returns ENXIO");
	ASSERT_EQ(skel->data->res_try_get_module, false, "btf_try_get_module == false");

	close(uffd);
	uffd = -1;
	end_join:
	pthread_join(load_mod_thrd, NULL);
	if (uffd < 0)
	ASSERT_EQ(atomic_load(&state), TS_MODULE_LOAD_FAIL, "load_mod_thrd success");
	end_uffd:
	if (uffd >= 0)
	close(uffd);
	end_destroy:
	bpf_mod_race__destroy(skel);
	ASSERT_OK(kern_sync_rcu(), "kern_sync_rcu");
	end_module:
	unload_bpf_testmod(false);
	ASSERT_OK(load_bpf_testmod(false), "restore bpf_testmod");
	end_mmap:
	munmap(fault_addr, 4096);
	atomic_store(&state, _TS_INVALID);
	}

	static const struct test_config ksym_config = {
	.str_open = "ksym_race__open_and_load",
	.bpf_open_and_load = (void *)ksym_race__open_and_load,
	.bpf_destroy = (void *)ksym_race__destroy,
	};

	static const struct test_config kfunc_config = {
	.str_open = "kfunc_call_race__open_and_load",
	.bpf_open_and_load = (void *)kfunc_call_race__open_and_load,
	.bpf_destroy = (void *)kfunc_call_race__destroy,
	};

	void serial_test_bpf_mod_race(void)
	{
	if (test__start_subtest("ksym (used_btfs UAF)"))
	test_bpf_mod_race_config(&ksym_config);
	if (test__start_subtest("kfunc (kfunc_btf_tab UAF)"))
	test_bpf_mod_race_config(&kfunc_config);
	}