Loading...
1// SPDX-License-Identifier: GPL-2.0
2/* Converted from tools/testing/selftests/bpf/verifier/ctx.c */
3
4#include <linux/bpf.h>
5#include <bpf/bpf_helpers.h>
6#include "bpf_misc.h"
7
8SEC("tc")
9__description("context stores via BPF_ATOMIC")
10__failure __msg("BPF_ATOMIC stores into R1 ctx is not allowed")
11__naked void context_stores_via_bpf_atomic(void)
12{
13 asm volatile (" \
14 r0 = 0; \
15 lock *(u32 *)(r1 + %[__sk_buff_mark]) += w0; \
16 exit; \
17" :
18 : __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
19 : __clobber_all);
20}
21
22SEC("tc")
23__description("arithmetic ops make PTR_TO_CTX unusable")
24__failure __msg("dereference of modified ctx ptr")
25__naked void make_ptr_to_ctx_unusable(void)
26{
27 asm volatile (" \
28 r1 += %[__imm_0]; \
29 r0 = *(u32*)(r1 + %[__sk_buff_mark]); \
30 exit; \
31" :
32 : __imm_const(__imm_0,
33 offsetof(struct __sk_buff, data) - offsetof(struct __sk_buff, mark)),
34 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
35 : __clobber_all);
36}
37
38SEC("tc")
39__description("pass unmodified ctx pointer to helper")
40__success __retval(0)
41__naked void unmodified_ctx_pointer_to_helper(void)
42{
43 asm volatile (" \
44 r2 = 0; \
45 call %[bpf_csum_update]; \
46 r0 = 0; \
47 exit; \
48" :
49 : __imm(bpf_csum_update)
50 : __clobber_all);
51}
52
53SEC("tc")
54__description("pass modified ctx pointer to helper, 1")
55__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
56__naked void ctx_pointer_to_helper_1(void)
57{
58 asm volatile (" \
59 r1 += -612; \
60 r2 = 0; \
61 call %[bpf_csum_update]; \
62 r0 = 0; \
63 exit; \
64" :
65 : __imm(bpf_csum_update)
66 : __clobber_all);
67}
68
69SEC("socket")
70__description("pass modified ctx pointer to helper, 2")
71__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
72__failure_unpriv __msg_unpriv("negative offset ctx ptr R1 off=-612 disallowed")
73__naked void ctx_pointer_to_helper_2(void)
74{
75 asm volatile (" \
76 r1 += -612; \
77 call %[bpf_get_socket_cookie]; \
78 r0 = 0; \
79 exit; \
80" :
81 : __imm(bpf_get_socket_cookie)
82 : __clobber_all);
83}
84
85SEC("tc")
86__description("pass modified ctx pointer to helper, 3")
87__failure __msg("variable ctx access var_off=(0x0; 0x4)")
88__naked void ctx_pointer_to_helper_3(void)
89{
90 asm volatile (" \
91 r3 = *(u32*)(r1 + 0); \
92 r3 &= 4; \
93 r1 += r3; \
94 r2 = 0; \
95 call %[bpf_csum_update]; \
96 r0 = 0; \
97 exit; \
98" :
99 : __imm(bpf_csum_update)
100 : __clobber_all);
101}
102
103SEC("cgroup/sendmsg6")
104__description("pass ctx or null check, 1: ctx")
105__success
106__naked void or_null_check_1_ctx(void)
107{
108 asm volatile (" \
109 call %[bpf_get_netns_cookie]; \
110 r0 = 0; \
111 exit; \
112" :
113 : __imm(bpf_get_netns_cookie)
114 : __clobber_all);
115}
116
117SEC("cgroup/sendmsg6")
118__description("pass ctx or null check, 2: null")
119__success
120__naked void or_null_check_2_null(void)
121{
122 asm volatile (" \
123 r1 = 0; \
124 call %[bpf_get_netns_cookie]; \
125 r0 = 0; \
126 exit; \
127" :
128 : __imm(bpf_get_netns_cookie)
129 : __clobber_all);
130}
131
132SEC("cgroup/sendmsg6")
133__description("pass ctx or null check, 3: 1")
134__failure __msg("R1 type=scalar expected=ctx")
135__naked void or_null_check_3_1(void)
136{
137 asm volatile (" \
138 r1 = 1; \
139 call %[bpf_get_netns_cookie]; \
140 r0 = 0; \
141 exit; \
142" :
143 : __imm(bpf_get_netns_cookie)
144 : __clobber_all);
145}
146
147SEC("cgroup/sendmsg6")
148__description("pass ctx or null check, 4: ctx - const")
149__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
150__naked void null_check_4_ctx_const(void)
151{
152 asm volatile (" \
153 r1 += -612; \
154 call %[bpf_get_netns_cookie]; \
155 r0 = 0; \
156 exit; \
157" :
158 : __imm(bpf_get_netns_cookie)
159 : __clobber_all);
160}
161
162SEC("cgroup/connect4")
163__description("pass ctx or null check, 5: null (connect)")
164__success
165__naked void null_check_5_null_connect(void)
166{
167 asm volatile (" \
168 r1 = 0; \
169 call %[bpf_get_netns_cookie]; \
170 r0 = 0; \
171 exit; \
172" :
173 : __imm(bpf_get_netns_cookie)
174 : __clobber_all);
175}
176
177SEC("cgroup/post_bind4")
178__description("pass ctx or null check, 6: null (bind)")
179__success
180__naked void null_check_6_null_bind(void)
181{
182 asm volatile (" \
183 r1 = 0; \
184 call %[bpf_get_netns_cookie]; \
185 r0 = 0; \
186 exit; \
187" :
188 : __imm(bpf_get_netns_cookie)
189 : __clobber_all);
190}
191
192SEC("cgroup/post_bind4")
193__description("pass ctx or null check, 7: ctx (bind)")
194__success
195__naked void null_check_7_ctx_bind(void)
196{
197 asm volatile (" \
198 call %[bpf_get_socket_cookie]; \
199 r0 = 0; \
200 exit; \
201" :
202 : __imm(bpf_get_socket_cookie)
203 : __clobber_all);
204}
205
206SEC("cgroup/post_bind4")
207__description("pass ctx or null check, 8: null (bind)")
208__failure __msg("R1 type=scalar expected=ctx")
209__naked void null_check_8_null_bind(void)
210{
211 asm volatile (" \
212 r1 = 0; \
213 call %[bpf_get_socket_cookie]; \
214 r0 = 0; \
215 exit; \
216" :
217 : __imm(bpf_get_socket_cookie)
218 : __clobber_all);
219}
220
221char _license[] SEC("license") = "GPL";
1// SPDX-License-Identifier: GPL-2.0
2/* Converted from tools/testing/selftests/bpf/verifier/ctx.c */
3
4#include <linux/bpf.h>
5#include <bpf/bpf_helpers.h>
6#include "bpf_misc.h"
7
8SEC("tc")
9__description("context stores via BPF_ATOMIC")
10__failure __msg("BPF_ATOMIC stores into R1 ctx is not allowed")
11__naked void context_stores_via_bpf_atomic(void)
12{
13 asm volatile (" \
14 r0 = 0; \
15 lock *(u32 *)(r1 + %[__sk_buff_mark]) += w0; \
16 exit; \
17" :
18 : __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
19 : __clobber_all);
20}
21
22SEC("tc")
23__description("arithmetic ops make PTR_TO_CTX unusable")
24__failure __msg("dereference of modified ctx ptr")
25__naked void make_ptr_to_ctx_unusable(void)
26{
27 asm volatile (" \
28 r1 += %[__imm_0]; \
29 r0 = *(u32*)(r1 + %[__sk_buff_mark]); \
30 exit; \
31" :
32 : __imm_const(__imm_0,
33 offsetof(struct __sk_buff, data) - offsetof(struct __sk_buff, mark)),
34 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
35 : __clobber_all);
36}
37
38SEC("tc")
39__description("pass unmodified ctx pointer to helper")
40__success __retval(0)
41__naked void unmodified_ctx_pointer_to_helper(void)
42{
43 asm volatile (" \
44 r2 = 0; \
45 call %[bpf_csum_update]; \
46 r0 = 0; \
47 exit; \
48" :
49 : __imm(bpf_csum_update)
50 : __clobber_all);
51}
52
53SEC("tc")
54__description("pass modified ctx pointer to helper, 1")
55__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
56__naked void ctx_pointer_to_helper_1(void)
57{
58 asm volatile (" \
59 r1 += -612; \
60 r2 = 0; \
61 call %[bpf_csum_update]; \
62 r0 = 0; \
63 exit; \
64" :
65 : __imm(bpf_csum_update)
66 : __clobber_all);
67}
68
69SEC("socket")
70__description("pass modified ctx pointer to helper, 2")
71__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
72__failure_unpriv __msg_unpriv("negative offset ctx ptr R1 off=-612 disallowed")
73__naked void ctx_pointer_to_helper_2(void)
74{
75 asm volatile (" \
76 r1 += -612; \
77 call %[bpf_get_socket_cookie]; \
78 r0 = 0; \
79 exit; \
80" :
81 : __imm(bpf_get_socket_cookie)
82 : __clobber_all);
83}
84
85SEC("tc")
86__description("pass modified ctx pointer to helper, 3")
87__failure __msg("variable ctx access var_off=(0x0; 0x4)")
88__naked void ctx_pointer_to_helper_3(void)
89{
90 asm volatile (" \
91 r3 = *(u32*)(r1 + 0); \
92 r3 &= 4; \
93 r1 += r3; \
94 r2 = 0; \
95 call %[bpf_csum_update]; \
96 r0 = 0; \
97 exit; \
98" :
99 : __imm(bpf_csum_update)
100 : __clobber_all);
101}
102
103SEC("cgroup/sendmsg6")
104__description("pass ctx or null check, 1: ctx")
105__success
106__naked void or_null_check_1_ctx(void)
107{
108 asm volatile (" \
109 call %[bpf_get_netns_cookie]; \
110 r0 = 0; \
111 exit; \
112" :
113 : __imm(bpf_get_netns_cookie)
114 : __clobber_all);
115}
116
117SEC("cgroup/sendmsg6")
118__description("pass ctx or null check, 2: null")
119__success
120__naked void or_null_check_2_null(void)
121{
122 asm volatile (" \
123 r1 = 0; \
124 call %[bpf_get_netns_cookie]; \
125 r0 = 0; \
126 exit; \
127" :
128 : __imm(bpf_get_netns_cookie)
129 : __clobber_all);
130}
131
132SEC("cgroup/sendmsg6")
133__description("pass ctx or null check, 3: 1")
134__failure __msg("R1 type=scalar expected=ctx")
135__naked void or_null_check_3_1(void)
136{
137 asm volatile (" \
138 r1 = 1; \
139 call %[bpf_get_netns_cookie]; \
140 r0 = 0; \
141 exit; \
142" :
143 : __imm(bpf_get_netns_cookie)
144 : __clobber_all);
145}
146
147SEC("cgroup/sendmsg6")
148__description("pass ctx or null check, 4: ctx - const")
149__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
150__naked void null_check_4_ctx_const(void)
151{
152 asm volatile (" \
153 r1 += -612; \
154 call %[bpf_get_netns_cookie]; \
155 r0 = 0; \
156 exit; \
157" :
158 : __imm(bpf_get_netns_cookie)
159 : __clobber_all);
160}
161
162SEC("cgroup/connect4")
163__description("pass ctx or null check, 5: null (connect)")
164__success
165__naked void null_check_5_null_connect(void)
166{
167 asm volatile (" \
168 r1 = 0; \
169 call %[bpf_get_netns_cookie]; \
170 r0 = 0; \
171 exit; \
172" :
173 : __imm(bpf_get_netns_cookie)
174 : __clobber_all);
175}
176
177SEC("cgroup/post_bind4")
178__description("pass ctx or null check, 6: null (bind)")
179__success
180__naked void null_check_6_null_bind(void)
181{
182 asm volatile (" \
183 r1 = 0; \
184 call %[bpf_get_netns_cookie]; \
185 r0 = 0; \
186 exit; \
187" :
188 : __imm(bpf_get_netns_cookie)
189 : __clobber_all);
190}
191
192SEC("cgroup/post_bind4")
193__description("pass ctx or null check, 7: ctx (bind)")
194__success
195__naked void null_check_7_ctx_bind(void)
196{
197 asm volatile (" \
198 call %[bpf_get_socket_cookie]; \
199 r0 = 0; \
200 exit; \
201" :
202 : __imm(bpf_get_socket_cookie)
203 : __clobber_all);
204}
205
206SEC("cgroup/post_bind4")
207__description("pass ctx or null check, 8: null (bind)")
208__failure __msg("R1 type=scalar expected=ctx")
209__naked void null_check_8_null_bind(void)
210{
211 asm volatile (" \
212 r1 = 0; \
213 call %[bpf_get_socket_cookie]; \
214 r0 = 0; \
215 exit; \
216" :
217 : __imm(bpf_get_socket_cookie)
218 : __clobber_all);
219}
220
221char _license[] SEC("license") = "GPL";