1// SPDX-License-Identifier: GPL-2.0 2#include "bpf_misc.h" 3#include "bpf_experimental.h" 4 5struct { 6 __uint(type, BPF_MAP_TYPE_ARRAY); 7 __uint(max_entries, 8); 8 __type(key, __u32); 9 __type(value, __u64); 10} map SEC(".maps"); 11 12struct { 13 __uint(type, BPF_MAP_TYPE_USER_RINGBUF); 14 __uint(max_entries, 8); 15} ringbuf SEC(".maps"); 16 17struct vm_area_struct; 18struct bpf_map; 19 20struct buf_context { 21 char *buf; 22}; 23 24struct num_context { 25 __u64 i; 26 __u64 j; 27}; 28 29__u8 choice_arr[2] = { 0, 1 }; 30 31static int unsafe_on_2nd_iter_cb(__u32 idx, struct buf_context *ctx) 32{ 33 if (idx == 0) { 34 ctx->buf = (char *)(0xDEAD); 35 return 0; 36 } 37 38 if (bpf_probe_read_user(ctx->buf, 8, (void *)(0xBADC0FFEE))) 39 return 1; 40 41 return 0; 42} 43 44SEC("?raw_tp") 45__failure __msg("R1 type=scalar expected=fp") 46int unsafe_on_2nd_iter(void *unused) 47{ 48 char buf[4]; 49 struct buf_context loop_ctx = { .buf = buf }; 50 51 bpf_loop(100, unsafe_on_2nd_iter_cb, &loop_ctx, 0); 52 return 0; 53} 54 55static int unsafe_on_zero_iter_cb(__u32 idx, struct num_context *ctx) 56{ 57 ctx->i = 0; 58 return 0; 59} 60 61SEC("?raw_tp") 62__failure __msg("invalid access to map value, value_size=2 off=32 size=1") 63int unsafe_on_zero_iter(void *unused) 64{ 65 struct num_context loop_ctx = { .i = 32 }; 66 67 bpf_loop(100, unsafe_on_zero_iter_cb, &loop_ctx, 0); 68 return choice_arr[loop_ctx.i]; 69} 70 71static int widening_cb(__u32 idx, struct num_context *ctx) 72{ 73 ++ctx->i; 74 return 0; 75} 76 77SEC("?raw_tp") 78__success 79int widening(void *unused) 80{ 81 struct num_context loop_ctx = { .i = 0, .j = 1 }; 82 83 bpf_loop(100, widening_cb, &loop_ctx, 0); 84 /* loop_ctx.j is not changed during callback iteration, 85 * verifier should not apply widening to it. 86 */ 87 return choice_arr[loop_ctx.j]; 88} 89 90static int loop_detection_cb(__u32 idx, struct num_context *ctx) 91{ 92 for (;;) {} 93 return 0; 94} 95 96SEC("?raw_tp") 97__failure __msg("infinite loop detected") 98int loop_detection(void *unused) 99{ 100 struct num_context loop_ctx = { .i = 0 }; 101 102 bpf_loop(100, loop_detection_cb, &loop_ctx, 0); 103 return 0; 104} 105 106static __always_inline __u64 oob_state_machine(struct num_context *ctx) 107{ 108 switch (ctx->i) { 109 case 0: 110 ctx->i = 1; 111 break; 112 case 1: 113 ctx->i = 32; 114 break; 115 } 116 return 0; 117} 118 119static __u64 for_each_map_elem_cb(struct bpf_map *map, __u32 *key, __u64 *val, void *data) 120{ 121 return oob_state_machine(data); 122} 123 124SEC("?raw_tp") 125__failure __msg("invalid access to map value, value_size=2 off=32 size=1") 126int unsafe_for_each_map_elem(void *unused) 127{ 128 struct num_context loop_ctx = { .i = 0 }; 129 130 bpf_for_each_map_elem(&map, for_each_map_elem_cb, &loop_ctx, 0); 131 return choice_arr[loop_ctx.i]; 132} 133 134static __u64 ringbuf_drain_cb(struct bpf_dynptr *dynptr, void *data) 135{ 136 return oob_state_machine(data); 137} 138 139SEC("?raw_tp") 140__failure __msg("invalid access to map value, value_size=2 off=32 size=1") 141int unsafe_ringbuf_drain(void *unused) 142{ 143 struct num_context loop_ctx = { .i = 0 }; 144 145 bpf_user_ringbuf_drain(&ringbuf, ringbuf_drain_cb, &loop_ctx, 0); 146 return choice_arr[loop_ctx.i]; 147} 148 149static __u64 find_vma_cb(struct task_struct *task, struct vm_area_struct *vma, void *data) 150{ 151 return oob_state_machine(data); 152} 153 154SEC("?raw_tp") 155__failure __msg("invalid access to map value, value_size=2 off=32 size=1") 156int unsafe_find_vma(void *unused) 157{ 158 struct task_struct *task = bpf_get_current_task_btf(); 159 struct num_context loop_ctx = { .i = 0 }; 160 161 bpf_find_vma(task, 0, find_vma_cb, &loop_ctx, 0); 162 return choice_arr[loop_ctx.i]; 163} 164 165static int iter_limit_cb(__u32 idx, struct num_context *ctx) 166{ 167 ctx->i++; 168 return 0; 169} 170 171SEC("?raw_tp") 172__success 173int bpf_loop_iter_limit_ok(void *unused) 174{ 175 struct num_context ctx = { .i = 0 }; 176 177 bpf_loop(1, iter_limit_cb, &ctx, 0); 178 return choice_arr[ctx.i]; 179} 180 181SEC("?raw_tp") 182__failure __msg("invalid access to map value, value_size=2 off=2 size=1") 183int bpf_loop_iter_limit_overflow(void *unused) 184{ 185 struct num_context ctx = { .i = 0 }; 186 187 bpf_loop(2, iter_limit_cb, &ctx, 0); 188 return choice_arr[ctx.i]; 189} 190 191static int iter_limit_level2a_cb(__u32 idx, struct num_context *ctx) 192{ 193 ctx->i += 100; 194 return 0; 195} 196 197static int iter_limit_level2b_cb(__u32 idx, struct num_context *ctx) 198{ 199 ctx->i += 10; 200 return 0; 201} 202 203static int iter_limit_level1_cb(__u32 idx, struct num_context *ctx) 204{ 205 ctx->i += 1; 206 bpf_loop(1, iter_limit_level2a_cb, ctx, 0); 207 bpf_loop(1, iter_limit_level2b_cb, ctx, 0); 208 return 0; 209} 210 211/* Check that path visiting every callback function once had been 212 * reached by verifier. Variables 'ctx{1,2}i' below serve as flags, 213 * with each decimal digit corresponding to a callback visit marker. 214 */ 215SEC("socket") 216__success __retval(111111) 217int bpf_loop_iter_limit_nested(void *unused) 218{ 219 struct num_context ctx1 = { .i = 0 }; 220 struct num_context ctx2 = { .i = 0 }; 221 __u64 a, b, c; 222 223 bpf_loop(1, iter_limit_level1_cb, &ctx1, 0); 224 bpf_loop(1, iter_limit_level1_cb, &ctx2, 0); 225 a = ctx1.i; 226 b = ctx2.i; 227 /* Force 'ctx1.i' and 'ctx2.i' precise. */ 228 c = choice_arr[(a + b) % 2]; 229 /* This makes 'c' zero, but neither clang nor verifier know it. */ 230 c /= 10; 231 /* Make sure that verifier does not visit 'impossible' states: 232 * enumerate all possible callback visit masks. 233 */ 234 if (a != 0 && a != 1 && a != 11 && a != 101 && a != 111 && 235 b != 0 && b != 1 && b != 11 && b != 101 && b != 111) 236 asm volatile ("r0 /= 0;" ::: "r0"); 237 return 1000 * a + b + c; 238} 239 240struct iter_limit_bug_ctx { 241 __u64 a; 242 __u64 b; 243 __u64 c; 244}; 245 246static __naked void iter_limit_bug_cb(void) 247{ 248 /* This is the same as C code below, but written 249 * in assembly to control which branches are fall-through. 250 * 251 * switch (bpf_get_prandom_u32()) { 252 * case 1: ctx->a = 42; break; 253 * case 2: ctx->b = 42; break; 254 * default: ctx->c = 42; break; 255 * } 256 */ 257 asm volatile ( 258 "r9 = r2;" 259 "call %[bpf_get_prandom_u32];" 260 "r1 = r0;" 261 "r2 = 42;" 262 "r0 = 0;" 263 "if r1 == 0x1 goto 1f;" 264 "if r1 == 0x2 goto 2f;" 265 "*(u64 *)(r9 + 16) = r2;" 266 "exit;" 267 "1: *(u64 *)(r9 + 0) = r2;" 268 "exit;" 269 "2: *(u64 *)(r9 + 8) = r2;" 270 "exit;" 271 : 272 : __imm(bpf_get_prandom_u32) 273 : __clobber_all 274 ); 275} 276 277SEC("tc") 278__failure 279__flag(BPF_F_TEST_STATE_FREQ) 280int iter_limit_bug(struct __sk_buff *skb) 281{ 282 struct iter_limit_bug_ctx ctx = { 7, 7, 7 }; 283 284 bpf_loop(2, iter_limit_bug_cb, &ctx, 0); 285 286 /* This is the same as C code below, 287 * written in assembly to guarantee checks order. 288 * 289 * if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7) 290 * asm volatile("r1 /= 0;":::"r1"); 291 */ 292 asm volatile ( 293 "r1 = *(u64 *)%[ctx_a];" 294 "if r1 != 42 goto 1f;" 295 "r1 = *(u64 *)%[ctx_b];" 296 "if r1 != 42 goto 1f;" 297 "r1 = *(u64 *)%[ctx_c];" 298 "if r1 != 7 goto 1f;" 299 "r1 /= 0;" 300 "1:" 301 : 302 : [ctx_a]"m"(ctx.a), 303 [ctx_b]"m"(ctx.b), 304 [ctx_c]"m"(ctx.c) 305 : "r1" 306 ); 307 return 0; 308} 309 310#define ARR_SZ 1000000 311int zero; 312char arr[ARR_SZ]; 313 314SEC("socket") 315__success __retval(0xd495cdc0) 316int cond_break1(const void *ctx) 317{ 318 unsigned long i; 319 unsigned int sum = 0; 320 321 for (i = zero; i < ARR_SZ; cond_break, i++) 322 sum += i; 323 for (i = zero; i < ARR_SZ; i++) { 324 barrier_var(i); 325 sum += i + arr[i]; 326 cond_break; 327 } 328 329 return sum; 330} 331 332SEC("socket") 333__success __retval(999000000) 334int cond_break2(const void *ctx) 335{ 336 int i, j; 337 int sum = 0; 338 339 for (i = zero; i < 1000; cond_break, i++) 340 for (j = zero; j < 1000; j++) { 341 sum += i + j; 342 cond_break; 343 } 344 345 return sum; 346} 347 348static __noinline int loop(void) 349{ 350 int i, sum = 0; 351 352 for (i = zero; i <= 1000000; i++, cond_break) 353 sum += i; 354 355 return sum; 356} 357 358SEC("socket") 359__success __retval(0x6a5a2920) 360int cond_break3(const void *ctx) 361{ 362 return loop(); 363} 364 365SEC("socket") 366__success __retval(1) 367int cond_break4(const void *ctx) 368{ 369 int cnt = zero; 370 371 for (;;) { 372 /* should eventually break out of the loop */ 373 cond_break; 374 cnt++; 375 } 376 /* if we looped a bit, it's a success */ 377 return cnt > 1 ? 1 : 0; 378} 379 380static __noinline int static_subprog(void) 381{ 382 int cnt = zero; 383 384 for (;;) { 385 cond_break; 386 cnt++; 387 } 388 389 return cnt; 390} 391 392SEC("socket") 393__success __retval(1) 394int cond_break5(const void *ctx) 395{ 396 int cnt1 = zero, cnt2; 397 398 for (;;) { 399 cond_break; 400 cnt1++; 401 } 402 403 cnt2 = static_subprog(); 404 405 /* main and subprog have to loop a bit */ 406 return cnt1 > 1 && cnt2 > 1 ? 1 : 0; 407} 408 409char _license[] SEC("license") = "GPL"; 410