// SPDX-License-Identifier: GPL-2.0 /* Converted from tools/testing/selftests/bpf/verifier/direct_packet_access.c */ #include #include #include "bpf_misc.h" SEC("tc") __description("pkt_end - pkt_start is allowed") __success __retval(TEST_DATA_LEN) __naked void end_pkt_start_is_allowed(void) { asm volatile (" \ r0 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r0 -= r2; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test1") __success __retval(0) __naked void direct_packet_access_test1(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 > r3 goto l0_%=; \ r0 = *(u8*)(r2 + 0); \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test2") __success __retval(0) __naked void direct_packet_access_test2(void) { asm volatile (" \ r0 = 1; \ r4 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r3 = *(u32*)(r1 + %[__sk_buff_data]); \ r5 = r3; \ r5 += 14; \ if r5 > r4 goto l0_%=; \ r0 = *(u8*)(r3 + 7); \ r4 = *(u8*)(r3 + 12); \ r4 *= 14; \ r3 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 += r4; \ r2 = *(u32*)(r1 + %[__sk_buff_len]); \ r2 <<= 49; \ r2 >>= 49; \ r3 += r2; \ r2 = r3; \ r2 += 8; \ r1 = *(u32*)(r1 + %[__sk_buff_data_end]); \ if r2 > r1 goto l1_%=; \ r1 = *(u8*)(r3 + 4); \ l1_%=: r0 = 0; \ l0_%=: exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) : __clobber_all); } SEC("socket") __description("direct packet access: test3") __failure __msg("invalid bpf_context access off=76") __failure_unpriv __naked void direct_packet_access_test3(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)) : __clobber_all); } SEC("tc") __description("direct packet access: test4 (write)") __success __retval(0) __naked void direct_packet_access_test4_write(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 > r3 goto l0_%=; \ *(u8*)(r2 + 0) = r2; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test5 (pkt_end >= reg, good access)") __success __retval(0) __naked void pkt_end_reg_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 >= r0 goto l0_%=; \ r0 = 1; \ exit; \ l0_%=: r0 = *(u8*)(r2 + 0); \ r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test6 (pkt_end >= reg, bad access)") __failure __msg("invalid access to packet") __naked void pkt_end_reg_bad_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 >= r0 goto l0_%=; \ r0 = *(u8*)(r2 + 0); \ r0 = 1; \ exit; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test7 (pkt_end >= reg, both accesses)") __failure __msg("invalid access to packet") __naked void pkt_end_reg_both_accesses(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 >= r0 goto l0_%=; \ r0 = *(u8*)(r2 + 0); \ r0 = 1; \ exit; \ l0_%=: r0 = *(u8*)(r2 + 0); \ r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test8 (double test, variant 1)") __success __retval(0) __naked void test8_double_test_variant_1(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 >= r0 goto l0_%=; \ if r0 > r3 goto l1_%=; \ r0 = *(u8*)(r2 + 0); \ l1_%=: r0 = 1; \ exit; \ l0_%=: r0 = *(u8*)(r2 + 0); \ r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test9 (double test, variant 2)") __success __retval(0) __naked void test9_double_test_variant_2(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 >= r0 goto l0_%=; \ r0 = 1; \ exit; \ l0_%=: if r0 > r3 goto l1_%=; \ r0 = *(u8*)(r2 + 0); \ l1_%=: r0 = *(u8*)(r2 + 0); \ r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test10 (write invalid)") __failure __msg("invalid access to packet") __naked void packet_access_test10_write_invalid(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 > r3 goto l0_%=; \ r0 = 0; \ exit; \ l0_%=: *(u8*)(r2 + 0) = r2; \ r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test11 (shift, good access)") __success __retval(1) __naked void access_test11_shift_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 22; \ if r0 > r3 goto l0_%=; \ r3 = 144; \ r5 = r3; \ r5 += 23; \ r5 >>= 3; \ r6 = r2; \ r6 += r5; \ r0 = 1; \ exit; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test12 (and, good access)") __success __retval(1) __naked void access_test12_and_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 22; \ if r0 > r3 goto l0_%=; \ r3 = 144; \ r5 = r3; \ r5 += 23; \ r5 &= 15; \ r6 = r2; \ r6 += r5; \ r0 = 1; \ exit; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test13 (branches, good access)") __success __retval(1) __naked void access_test13_branches_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 22; \ if r0 > r3 goto l0_%=; \ r3 = *(u32*)(r1 + %[__sk_buff_mark]); \ r4 = 1; \ if r3 > r4 goto l1_%=; \ r3 = 14; \ goto l2_%=; \ l1_%=: r3 = 24; \ l2_%=: r5 = r3; \ r5 += 23; \ r5 &= 15; \ r6 = r2; \ r6 += r5; \ r0 = 1; \ exit; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)) : __clobber_all); } SEC("tc") __description("direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)") __success __retval(1) __naked void _0_const_imm_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 22; \ if r0 > r3 goto l0_%=; \ r5 = 12; \ r5 >>= 4; \ r6 = r2; \ r6 += r5; \ r0 = *(u8*)(r6 + 0); \ r0 = 1; \ exit; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test15 (spill with xadd)") __failure __msg("R2 invalid mem access 'scalar'") __flag(BPF_F_ANY_ALIGNMENT) __naked void access_test15_spill_with_xadd(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 > r3 goto l0_%=; \ r5 = 4096; \ r4 = r10; \ r4 += -8; \ *(u64*)(r4 + 0) = r2; \ lock *(u64 *)(r4 + 0) += r5; \ r2 = *(u64*)(r4 + 0); \ *(u32*)(r2 + 0) = r5; \ r0 = 0; \ l0_%=: exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test16 (arith on data_end)") __failure __msg("R3 pointer arithmetic on pkt_end") __naked void test16_arith_on_data_end(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ r3 += 16; \ if r0 > r3 goto l0_%=; \ *(u8*)(r2 + 0) = r2; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test17 (pruning, alignment)") __failure __msg("misaligned packet access off 2+0+15+-4 size 4") __flag(BPF_F_STRICT_ALIGNMENT) __naked void packet_access_test17_pruning_alignment(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r7 = *(u32*)(r1 + %[__sk_buff_mark]); \ r0 = r2; \ r0 += 14; \ if r7 > 1 goto l0_%=; \ l2_%=: if r0 > r3 goto l1_%=; \ *(u32*)(r0 - 4) = r0; \ l1_%=: r0 = 0; \ exit; \ l0_%=: r0 += 1; \ goto l2_%=; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)) : __clobber_all); } SEC("tc") __description("direct packet access: test18 (imm += pkt_ptr, 1)") __success __retval(0) __naked void test18_imm_pkt_ptr_1(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = 8; \ r0 += r2; \ if r0 > r3 goto l0_%=; \ *(u8*)(r2 + 0) = r2; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test19 (imm += pkt_ptr, 2)") __success __retval(0) __naked void test19_imm_pkt_ptr_2(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 > r3 goto l0_%=; \ r4 = 4; \ r4 += r2; \ *(u8*)(r4 + 0) = r4; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test20 (x += pkt_ptr, 1)") __success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) __naked void test20_x_pkt_ptr_1(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = 0xffffffff; \ *(u64*)(r10 - 8) = r0; \ r0 = *(u64*)(r10 - 8); \ r0 &= 0x7fff; \ r4 = r0; \ r4 += r2; \ r5 = r4; \ r4 += %[__imm_0]; \ if r4 > r3 goto l0_%=; \ *(u64*)(r5 + 0) = r4; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__imm_0, 0x7fff - 1), __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test21 (x += pkt_ptr, 2)") __success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) __naked void test21_x_pkt_ptr_2(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 > r3 goto l0_%=; \ r4 = 0xffffffff; \ *(u64*)(r10 - 8) = r4; \ r4 = *(u64*)(r10 - 8); \ r4 &= 0x7fff; \ r4 += r2; \ r5 = r4; \ r4 += %[__imm_0]; \ if r4 > r3 goto l0_%=; \ *(u64*)(r5 + 0) = r4; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__imm_0, 0x7fff - 1), __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test22 (x += pkt_ptr, 3)") __success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) __naked void test22_x_pkt_ptr_3(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ *(u64*)(r10 - 8) = r2; \ *(u64*)(r10 - 16) = r3; \ r3 = *(u64*)(r10 - 16); \ if r0 > r3 goto l0_%=; \ r2 = *(u64*)(r10 - 8); \ r4 = 0xffffffff; \ lock *(u64 *)(r10 - 8) += r4; \ r4 = *(u64*)(r10 - 8); \ r4 >>= 49; \ r4 += r2; \ r0 = r4; \ r0 += 2; \ if r0 > r3 goto l0_%=; \ r2 = 1; \ *(u16*)(r4 + 0) = r2; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test23 (x += pkt_ptr, 4)") __failure __msg("invalid access to packet, off=0 size=8, R5(id=3,off=0,r=0)") __flag(BPF_F_ANY_ALIGNMENT) __naked void test23_x_pkt_ptr_4(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = *(u32*)(r1 + %[__sk_buff_mark]); \ *(u64*)(r10 - 8) = r0; \ r0 = *(u64*)(r10 - 8); \ r0 &= 0xffff; \ r4 = r0; \ r0 = 31; \ r0 += r4; \ r0 += r2; \ r5 = r0; \ r0 += %[__imm_0]; \ if r0 > r3 goto l0_%=; \ *(u64*)(r5 + 0) = r0; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__imm_0, 0xffff - 1), __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)) : __clobber_all); } SEC("tc") __description("direct packet access: test24 (x += pkt_ptr, 5)") __success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) __naked void test24_x_pkt_ptr_5(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = 0xffffffff; \ *(u64*)(r10 - 8) = r0; \ r0 = *(u64*)(r10 - 8); \ r0 &= 0xff; \ r4 = r0; \ r0 = 64; \ r0 += r4; \ r0 += r2; \ r5 = r0; \ r0 += %[__imm_0]; \ if r0 > r3 goto l0_%=; \ *(u64*)(r5 + 0) = r0; \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__imm_0, 0x7fff - 1), __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test25 (marking on <, good access)") __success __retval(0) __naked void test25_marking_on_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 < r3 goto l0_%=; \ l1_%=: r0 = 0; \ exit; \ l0_%=: r0 = *(u8*)(r2 + 0); \ goto l1_%=; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test26 (marking on <, bad access)") __failure __msg("invalid access to packet") __naked void test26_marking_on_bad_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r0 < r3 goto l0_%=; \ r0 = *(u8*)(r2 + 0); \ l1_%=: r0 = 0; \ exit; \ l0_%=: goto l1_%=; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test27 (marking on <=, good access)") __success __retval(1) __naked void test27_marking_on_good_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 <= r0 goto l0_%=; \ r0 = *(u8*)(r2 + 0); \ l0_%=: r0 = 1; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test28 (marking on <=, bad access)") __failure __msg("invalid access to packet") __naked void test28_marking_on_bad_access(void) { asm volatile (" \ r2 = *(u32*)(r1 + %[__sk_buff_data]); \ r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r0 = r2; \ r0 += 8; \ if r3 <= r0 goto l0_%=; \ l1_%=: r0 = 1; \ exit; \ l0_%=: r0 = *(u8*)(r2 + 0); \ goto l1_%=; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } SEC("tc") __description("direct packet access: test29 (reg > pkt_end in subprog)") __success __retval(0) __naked void reg_pkt_end_in_subprog(void) { asm volatile (" \ r6 = *(u32*)(r1 + %[__sk_buff_data]); \ r2 = *(u32*)(r1 + %[__sk_buff_data_end]); \ r3 = r6; \ r3 += 8; \ call reg_pkt_end_in_subprog__1; \ if r0 == 0 goto l0_%=; \ r0 = *(u8*)(r6 + 0); \ l0_%=: r0 = 0; \ exit; \ " : : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } static __naked __noinline __attribute__((used)) void reg_pkt_end_in_subprog__1(void) { asm volatile (" \ r0 = 0; \ if r3 > r2 goto l0_%=; \ r0 = 1; \ l0_%=: exit; \ " ::: __clobber_all); } SEC("tc") __description("direct packet access: test30 (check_id() in regsafe(), bad access)") __failure __msg("invalid access to packet, off=0 size=1, R2") __flag(BPF_F_TEST_STATE_FREQ) __naked void id_in_regsafe_bad_access(void) { asm volatile (" \ /* r9 = ctx */ \ r9 = r1; \ /* r7 = ktime_get_ns() */ \ call %[bpf_ktime_get_ns]; \ r7 = r0; \ /* r6 = ktime_get_ns() */ \ call %[bpf_ktime_get_ns]; \ r6 = r0; \ /* r2 = ctx->data \ * r3 = ctx->data \ * r4 = ctx->data_end \ */ \ r2 = *(u32*)(r9 + %[__sk_buff_data]); \ r3 = *(u32*)(r9 + %[__sk_buff_data]); \ r4 = *(u32*)(r9 + %[__sk_buff_data_end]); \ /* if r6 > 100 goto exit \ * if r7 > 100 goto exit \ */ \ if r6 > 100 goto l0_%=; \ if r7 > 100 goto l0_%=; \ /* r2 += r6 ; this forces assignment of ID to r2\ * r2 += 1 ; get some fixed off for r2\ * r3 += r7 ; this forces assignment of ID to r3\ * r3 += 1 ; get some fixed off for r3\ */ \ r2 += r6; \ r2 += 1; \ r3 += r7; \ r3 += 1; \ /* if r6 > r7 goto +1 ; no new information about the state is derived from\ * ; this check, thus produced verifier states differ\ * ; only in 'insn_idx' \ * r2 = r3 ; optionally share ID between r2 and r3\ */ \ if r6 != r7 goto l1_%=; \ r2 = r3; \ l1_%=: /* if r3 > ctx->data_end goto exit */ \ if r3 > r4 goto l0_%=; \ /* r5 = *(u8 *) (r2 - 1) ; access packet memory using r2,\ * ; this is not always safe\ */ \ r5 = *(u8*)(r2 - 1); \ l0_%=: /* exit(0) */ \ r0 = 0; \ exit; \ " : : __imm(bpf_ktime_get_ns), __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) : __clobber_all); } char _license[] SEC("license") = "GPL";