tools/testing/selftests/bpf/progs/verifier_int_ptr.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 /* Converted from tools/testing/selftests/bpf/verifier/int_ptr.c */
   3
   4 #include <linux/bpf.h>
   5 #include <bpf/bpf_helpers.h>
   6 #include "bpf_misc.h"
   7
   8 SEC("socket")
   9 __description("ARG_PTR_TO_LONG uninitialized")
  10 __success
  11 __failure_unpriv __msg_unpriv("invalid indirect read from stack R4 off -16+0 size 8")
  12 __naked void arg_ptr_to_long_uninitialized(void)
  13 {
  14         asm volatile ("                                 \
  15         /* bpf_strtoul arg1 (buf) */                    \
  16         r7 = r10;                                       \
  17         r7 += -8;                                       \
  18         r0 = 0x00303036;                                \
  19         *(u64*)(r7 + 0) = r0;                           \
  20         r1 = r7;                                        \
  21         /* bpf_strtoul arg2 (buf_len) */                \
  22         r2 = 4;                                         \
  23         /* bpf_strtoul arg3 (flags) */                  \
  24         r3 = 0;                                         \
  25         /* bpf_strtoul arg4 (res) */                    \
  26         r7 += -8;                                       \
  27         r4 = r7;                                        \
  28         /* bpf_strtoul() */                             \
  29         call %[bpf_strtoul];                            \
  30         r0 = 1;                                         \
  31         exit;                                           \
  32 "       :
  33         : __imm(bpf_strtoul)
  34         : __clobber_all);
  35 }
  36
  37 SEC("socket")
  38 __description("ARG_PTR_TO_LONG half-uninitialized")
  39 /* in privileged mode reads from uninitialized stack locations are permitted */
  40 __success __failure_unpriv
  41 __msg_unpriv("invalid indirect read from stack R4 off -16+4 size 8")
  42 __retval(0)
  43 __naked void ptr_to_long_half_uninitialized(void)
  44 {
  45         asm volatile ("                                 \
  46         /* bpf_strtoul arg1 (buf) */                    \
  47         r7 = r10;                                       \
  48         r7 += -8;                                       \
  49         r0 = 0x00303036;                                \
  50         *(u64*)(r7 + 0) = r0;                           \
  51         r1 = r7;                                        \
  52         /* bpf_strtoul arg2 (buf_len) */                \
  53         r2 = 4;                                         \
  54         /* bpf_strtoul arg3 (flags) */                  \
  55         r3 = 0;                                         \
  56         /* bpf_strtoul arg4 (res) */                    \
  57         r7 += -8;                                       \
  58         *(u32*)(r7 + 0) = r0;                           \
  59         r4 = r7;                                        \
  60         /* bpf_strtoul() */                             \
  61         call %[bpf_strtoul];                            \
  62         r0 = 0;                                         \
  63         exit;                                           \
  64 "       :
  65         : __imm(bpf_strtoul)
  66         : __clobber_all);
  67 }
  68
  69 SEC("cgroup/sysctl")
  70 __description("ARG_PTR_TO_LONG misaligned")
  71 __failure __msg("misaligned stack access off (0x0; 0x0)+-20+0 size 8")
  72 __naked void arg_ptr_to_long_misaligned(void)
  73 {
  74         asm volatile ("                                 \
  75         /* bpf_strtoul arg1 (buf) */                    \
  76         r7 = r10;                                       \
  77         r7 += -8;                                       \
  78         r0 = 0x00303036;                                \
  79         *(u64*)(r7 + 0) = r0;                           \
  80         r1 = r7;                                        \
  81         /* bpf_strtoul arg2 (buf_len) */                \
  82         r2 = 4;                                         \
  83         /* bpf_strtoul arg3 (flags) */                  \
  84         r3 = 0;                                         \
  85         /* bpf_strtoul arg4 (res) */                    \
  86         r7 += -12;                                      \
  87         r0 = 0;                                         \
  88         *(u32*)(r7 + 0) = r0;                           \
  89         *(u64*)(r7 + 4) = r0;                           \
  90         r4 = r7;                                        \
  91         /* bpf_strtoul() */                             \
  92         call %[bpf_strtoul];                            \
  93         r0 = 1;                                         \
  94         exit;                                           \
  95 "       :
  96         : __imm(bpf_strtoul)
  97         : __clobber_all);
  98 }
  99
 100 SEC("cgroup/sysctl")
 101 __description("ARG_PTR_TO_LONG size < sizeof(long)")
 102 __failure __msg("invalid indirect access to stack R4 off=-4 size=8")
 103 __naked void to_long_size_sizeof_long(void)
 104 {
 105         asm volatile ("                                 \
 106         /* bpf_strtoul arg1 (buf) */                    \
 107         r7 = r10;                                       \
 108         r7 += -16;                                      \
 109         r0 = 0x00303036;                                \
 110         *(u64*)(r7 + 0) = r0;                           \
 111         r1 = r7;                                        \
 112         /* bpf_strtoul arg2 (buf_len) */                \
 113         r2 = 4;                                         \
 114         /* bpf_strtoul arg3 (flags) */                  \
 115         r3 = 0;                                         \
 116         /* bpf_strtoul arg4 (res) */                    \
 117         r7 += 12;                                       \
 118         *(u32*)(r7 + 0) = r0;                           \
 119         r4 = r7;                                        \
 120         /* bpf_strtoul() */                             \
 121         call %[bpf_strtoul];                            \
 122         r0 = 1;                                         \
 123         exit;                                           \
 124 "       :
 125         : __imm(bpf_strtoul)
 126         : __clobber_all);
 127 }
 128
 129 SEC("cgroup/sysctl")
 130 __description("ARG_PTR_TO_LONG initialized")
 131 __success
 132 __naked void arg_ptr_to_long_initialized(void)
 133 {
 134         asm volatile ("                                 \
 135         /* bpf_strtoul arg1 (buf) */                    \
 136         r7 = r10;                                       \
 137         r7 += -8;                                       \
 138         r0 = 0x00303036;                                \
 139         *(u64*)(r7 + 0) = r0;                           \
 140         r1 = r7;                                        \
 141         /* bpf_strtoul arg2 (buf_len) */                \
 142         r2 = 4;                                         \
 143         /* bpf_strtoul arg3 (flags) */                  \
 144         r3 = 0;                                         \
 145         /* bpf_strtoul arg4 (res) */                    \
 146         r7 += -8;                                       \
 147         *(u64*)(r7 + 0) = r0;                           \
 148         r4 = r7;                                        \
 149         /* bpf_strtoul() */                             \
 150         call %[bpf_strtoul];                            \
 151         r0 = 1;                                         \
 152         exit;                                           \
 153 "       :
 154         : __imm(bpf_strtoul)
 155         : __clobber_all);
 156 }
 157
 158 char _license[] SEC("license") = "GPL";