Linux Audio

Check our new training course

Open Menu / tools / testing / selftests / bpf / progs / verifier_and.c
Loading...
v6.13.7
  1// SPDX-License-Identifier: GPL-2.0
  2/* Converted from tools/testing/selftests/bpf/verifier/and.c */
  3
  4#include <linux/bpf.h>
  5#include <bpf/bpf_helpers.h>
  6#include "bpf_misc.h"
  7
  8#define MAX_ENTRIES 11
  9
 10struct test_val {
 11	unsigned int index;
 12	int foo[MAX_ENTRIES];
 13};
 14
 15struct {
 16	__uint(type, BPF_MAP_TYPE_HASH);
 17	__uint(max_entries, 1);
 18	__type(key, long long);
 19	__type(value, struct test_val);
 20} map_hash_48b SEC(".maps");
 21
 22SEC("socket")
 23__description("invalid and of negative number")
 24__failure __msg("R0 max value is outside of the allowed memory range")
 25__failure_unpriv
 26__flag(BPF_F_ANY_ALIGNMENT)
 27__naked void invalid_and_of_negative_number(void)
 28{
 29	asm volatile ("					\
 30	r1 = 0;						\
 31	*(u64*)(r10 - 8) = r1;				\
 32	r2 = r10;					\
 33	r2 += -8;					\
 34	r1 = %[map_hash_48b] ll;			\
 35	call %[bpf_map_lookup_elem];			\
 36	if r0 == 0 goto l0_%=;				\
 37	r1 = *(u8*)(r0 + 0);				\
 38	r1 &= -4;					\
 39	r1 <<= 2;					\
 40	r0 += r1;					\
 41l0_%=:	r1 = %[test_val_foo];				\
 42	*(u64*)(r0 + 0) = r1;				\
 43	exit;						\
 44"	:
 45	: __imm(bpf_map_lookup_elem),
 46	  __imm_addr(map_hash_48b),
 47	  __imm_const(test_val_foo, offsetof(struct test_val, foo))
 48	: __clobber_all);
 49}
 50
 51SEC("socket")
 52__description("invalid range check")
 53__failure __msg("R0 max value is outside of the allowed memory range")
 54__failure_unpriv
 55__flag(BPF_F_ANY_ALIGNMENT)
 56__naked void invalid_range_check(void)
 57{
 58	asm volatile ("					\
 59	r1 = 0;						\
 60	*(u64*)(r10 - 8) = r1;				\
 61	r2 = r10;					\
 62	r2 += -8;					\
 63	r1 = %[map_hash_48b] ll;			\
 64	call %[bpf_map_lookup_elem];			\
 65	if r0 == 0 goto l0_%=;				\
 66	r1 = *(u32*)(r0 + 0);				\
 67	r9 = 1;						\
 68	w1 %%= 2;					\
 69	w1 += 1;					\
 70	w9 &= w1;					\
 71	w9 += 1;					\
 72	w9 >>= 1;					\
 73	w3 = 1;						\
 74	w3 -= w9;					\
 75	w3 *= 0x10000000;				\
 76	r0 += r3;					\
 77	*(u32*)(r0 + 0) = r3;				\
 78l0_%=:	r0 = r0;					\
 79	exit;						\
 80"	:
 81	: __imm(bpf_map_lookup_elem),
 82	  __imm_addr(map_hash_48b)
 83	: __clobber_all);
 84}
 85
 86SEC("socket")
 87__description("check known subreg with unknown reg")
 88__success __failure_unpriv __msg_unpriv("R1 !read_ok")
 89__retval(0)
 90__naked void known_subreg_with_unknown_reg(void)
 91{
 92	asm volatile ("					\
 93	call %[bpf_get_prandom_u32];			\
 94	r0 <<= 32;					\
 95	r0 += 1;					\
 96	r0 &= 0xFFFF1234;				\
 97	/* Upper bits are unknown but AND above masks out 1 zero'ing lower bits */\
 98	if w0 < 1 goto l0_%=;				\
 99	r1 = *(u32*)(r1 + 512);				\
100l0_%=:	r0 = 0;						\
101	exit;						\
102"	:
103	: __imm(bpf_get_prandom_u32)
104	: __clobber_all);
105}
106
107char _license[] SEC("license") = "GPL";
v6.8
  1// SPDX-License-Identifier: GPL-2.0
  2/* Converted from tools/testing/selftests/bpf/verifier/and.c */
  3
  4#include <linux/bpf.h>
  5#include <bpf/bpf_helpers.h>
  6#include "bpf_misc.h"
  7
  8#define MAX_ENTRIES 11
  9
 10struct test_val {
 11	unsigned int index;
 12	int foo[MAX_ENTRIES];
 13};
 14
 15struct {
 16	__uint(type, BPF_MAP_TYPE_HASH);
 17	__uint(max_entries, 1);
 18	__type(key, long long);
 19	__type(value, struct test_val);
 20} map_hash_48b SEC(".maps");
 21
 22SEC("socket")
 23__description("invalid and of negative number")
 24__failure __msg("R0 max value is outside of the allowed memory range")
 25__failure_unpriv
 26__flag(BPF_F_ANY_ALIGNMENT)
 27__naked void invalid_and_of_negative_number(void)
 28{
 29	asm volatile ("					\
 30	r1 = 0;						\
 31	*(u64*)(r10 - 8) = r1;				\
 32	r2 = r10;					\
 33	r2 += -8;					\
 34	r1 = %[map_hash_48b] ll;			\
 35	call %[bpf_map_lookup_elem];			\
 36	if r0 == 0 goto l0_%=;				\
 37	r1 = *(u8*)(r0 + 0);				\
 38	r1 &= -4;					\
 39	r1 <<= 2;					\
 40	r0 += r1;					\
 41l0_%=:	r1 = %[test_val_foo];				\
 42	*(u64*)(r0 + 0) = r1;				\
 43	exit;						\
 44"	:
 45	: __imm(bpf_map_lookup_elem),
 46	  __imm_addr(map_hash_48b),
 47	  __imm_const(test_val_foo, offsetof(struct test_val, foo))
 48	: __clobber_all);
 49}
 50
 51SEC("socket")
 52__description("invalid range check")
 53__failure __msg("R0 max value is outside of the allowed memory range")
 54__failure_unpriv
 55__flag(BPF_F_ANY_ALIGNMENT)
 56__naked void invalid_range_check(void)
 57{
 58	asm volatile ("					\
 59	r1 = 0;						\
 60	*(u64*)(r10 - 8) = r1;				\
 61	r2 = r10;					\
 62	r2 += -8;					\
 63	r1 = %[map_hash_48b] ll;			\
 64	call %[bpf_map_lookup_elem];			\
 65	if r0 == 0 goto l0_%=;				\
 66	r1 = *(u32*)(r0 + 0);				\
 67	r9 = 1;						\
 68	w1 %%= 2;					\
 69	w1 += 1;					\
 70	w9 &= w1;					\
 71	w9 += 1;					\
 72	w9 >>= 1;					\
 73	w3 = 1;						\
 74	w3 -= w9;					\
 75	w3 *= 0x10000000;				\
 76	r0 += r3;					\
 77	*(u32*)(r0 + 0) = r3;				\
 78l0_%=:	r0 = r0;					\
 79	exit;						\
 80"	:
 81	: __imm(bpf_map_lookup_elem),
 82	  __imm_addr(map_hash_48b)
 83	: __clobber_all);
 84}
 85
 86SEC("socket")
 87__description("check known subreg with unknown reg")
 88__success __failure_unpriv __msg_unpriv("R1 !read_ok")
 89__retval(0)
 90__naked void known_subreg_with_unknown_reg(void)
 91{
 92	asm volatile ("					\
 93	call %[bpf_get_prandom_u32];			\
 94	r0 <<= 32;					\
 95	r0 += 1;					\
 96	r0 &= 0xFFFF1234;				\
 97	/* Upper bits are unknown but AND above masks out 1 zero'ing lower bits */\
 98	if w0 < 1 goto l0_%=;				\
 99	r1 = *(u32*)(r1 + 512);				\
100l0_%=:	r0 = 0;						\
101	exit;						\
102"	:
103	: __imm(bpf_get_prandom_u32)
104	: __clobber_all);
105}
106
107char _license[] SEC("license") = "GPL";