1// SPDX-License-Identifier: GPL-2.0 2/* Converted from tools/testing/selftests/bpf/verifier/ref_tracking.c */ 3 4#include <linux/bpf.h> 5#include <bpf/bpf_helpers.h> 6#include "../../../include/linux/filter.h" 7#include "bpf_misc.h" 8 9#define BPF_SK_LOOKUP(func) \ 10 /* struct bpf_sock_tuple tuple = {} */ \ 11 "r2 = 0;" \ 12 "*(u32*)(r10 - 8) = r2;" \ 13 "*(u64*)(r10 - 16) = r2;" \ 14 "*(u64*)(r10 - 24) = r2;" \ 15 "*(u64*)(r10 - 32) = r2;" \ 16 "*(u64*)(r10 - 40) = r2;" \ 17 "*(u64*)(r10 - 48) = r2;" \ 18 /* sk = func(ctx, &tuple, sizeof tuple, 0, 0) */ \ 19 "r2 = r10;" \ 20 "r2 += -48;" \ 21 "r3 = %[sizeof_bpf_sock_tuple];"\ 22 "r4 = 0;" \ 23 "r5 = 0;" \ 24 "call %[" #func "];" 25 26struct bpf_key {} __attribute__((preserve_access_index)); 27 28extern void bpf_key_put(struct bpf_key *key) __ksym; 29extern struct bpf_key *bpf_lookup_system_key(__u64 id) __ksym; 30extern struct bpf_key *bpf_lookup_user_key(__u32 serial, __u64 flags) __ksym; 31 32/* BTF FUNC records are not generated for kfuncs referenced 33 * from inline assembly. These records are necessary for 34 * libbpf to link the program. The function below is a hack 35 * to ensure that BTF FUNC records are generated. 36 */ 37void __kfunc_btf_root(void) 38{ 39 bpf_key_put(0); 40 bpf_lookup_system_key(0); 41 bpf_lookup_user_key(0, 0); 42} 43 44#define MAX_ENTRIES 11 45 46struct test_val { 47 unsigned int index; 48 int foo[MAX_ENTRIES]; 49}; 50 51struct { 52 __uint(type, BPF_MAP_TYPE_ARRAY); 53 __uint(max_entries, 1); 54 __type(key, int); 55 __type(value, struct test_val); 56} map_array_48b SEC(".maps"); 57 58struct { 59 __uint(type, BPF_MAP_TYPE_RINGBUF); 60 __uint(max_entries, 4096); 61} map_ringbuf SEC(".maps"); 62 63void dummy_prog_42_tc(void); 64void dummy_prog_24_tc(void); 65void dummy_prog_loop1_tc(void); 66 67struct { 68 __uint(type, BPF_MAP_TYPE_PROG_ARRAY); 69 __uint(max_entries, 4); 70 __uint(key_size, sizeof(int)); 71 __array(values, void (void)); 72} map_prog1_tc SEC(".maps") = { 73 .values = { 74 [0] = (void *)&dummy_prog_42_tc, 75 [1] = (void *)&dummy_prog_loop1_tc, 76 [2] = (void *)&dummy_prog_24_tc, 77 }, 78}; 79 80SEC("tc") 81__auxiliary 82__naked void dummy_prog_42_tc(void) 83{ 84 asm volatile ("r0 = 42; exit;"); 85} 86 87SEC("tc") 88__auxiliary 89__naked void dummy_prog_24_tc(void) 90{ 91 asm volatile ("r0 = 24; exit;"); 92} 93 94SEC("tc") 95__auxiliary 96__naked void dummy_prog_loop1_tc(void) 97{ 98 asm volatile (" \ 99 r3 = 1; \ 100 r2 = %[map_prog1_tc] ll; \ 101 call %[bpf_tail_call]; \ 102 r0 = 41; \ 103 exit; \ 104" : 105 : __imm(bpf_tail_call), 106 __imm_addr(map_prog1_tc) 107 : __clobber_all); 108} 109 110SEC("tc") 111__description("reference tracking: leak potential reference") 112__failure __msg("Unreleased reference") 113__naked void reference_tracking_leak_potential_reference(void) 114{ 115 asm volatile ( 116 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 117" r6 = r0; /* leak reference */ \ 118 exit; \ 119" : 120 : __imm(bpf_sk_lookup_tcp), 121 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 122 : __clobber_all); 123} 124 125SEC("tc") 126__description("reference tracking: leak potential reference to sock_common") 127__failure __msg("Unreleased reference") 128__naked void potential_reference_to_sock_common_1(void) 129{ 130 asm volatile ( 131 BPF_SK_LOOKUP(bpf_skc_lookup_tcp) 132" r6 = r0; /* leak reference */ \ 133 exit; \ 134" : 135 : __imm(bpf_skc_lookup_tcp), 136 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 137 : __clobber_all); 138} 139 140SEC("tc") 141__description("reference tracking: leak potential reference on stack") 142__failure __msg("Unreleased reference") 143__naked void leak_potential_reference_on_stack(void) 144{ 145 asm volatile ( 146 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 147" r4 = r10; \ 148 r4 += -8; \ 149 *(u64*)(r4 + 0) = r0; \ 150 r0 = 0; \ 151 exit; \ 152" : 153 : __imm(bpf_sk_lookup_tcp), 154 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 155 : __clobber_all); 156} 157 158SEC("tc") 159__description("reference tracking: leak potential reference on stack 2") 160__failure __msg("Unreleased reference") 161__naked void potential_reference_on_stack_2(void) 162{ 163 asm volatile ( 164 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 165" r4 = r10; \ 166 r4 += -8; \ 167 *(u64*)(r4 + 0) = r0; \ 168 r0 = 0; \ 169 r1 = 0; \ 170 *(u64*)(r4 + 0) = r1; \ 171 exit; \ 172" : 173 : __imm(bpf_sk_lookup_tcp), 174 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 175 : __clobber_all); 176} 177 178SEC("tc") 179__description("reference tracking: zero potential reference") 180__failure __msg("Unreleased reference") 181__naked void reference_tracking_zero_potential_reference(void) 182{ 183 asm volatile ( 184 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 185" r0 = 0; /* leak reference */ \ 186 exit; \ 187" : 188 : __imm(bpf_sk_lookup_tcp), 189 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 190 : __clobber_all); 191} 192 193SEC("tc") 194__description("reference tracking: zero potential reference to sock_common") 195__failure __msg("Unreleased reference") 196__naked void potential_reference_to_sock_common_2(void) 197{ 198 asm volatile ( 199 BPF_SK_LOOKUP(bpf_skc_lookup_tcp) 200" r0 = 0; /* leak reference */ \ 201 exit; \ 202" : 203 : __imm(bpf_skc_lookup_tcp), 204 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 205 : __clobber_all); 206} 207 208SEC("tc") 209__description("reference tracking: copy and zero potential references") 210__failure __msg("Unreleased reference") 211__naked void copy_and_zero_potential_references(void) 212{ 213 asm volatile ( 214 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 215" r7 = r0; \ 216 r0 = 0; \ 217 r7 = 0; /* leak reference */ \ 218 exit; \ 219" : 220 : __imm(bpf_sk_lookup_tcp), 221 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 222 : __clobber_all); 223} 224 225SEC("lsm.s/bpf") 226__description("reference tracking: acquire/release user key reference") 227__success 228__naked void acquire_release_user_key_reference(void) 229{ 230 asm volatile (" \ 231 r1 = -3; \ 232 r2 = 0; \ 233 call %[bpf_lookup_user_key]; \ 234 if r0 == 0 goto l0_%=; \ 235 r1 = r0; \ 236 call %[bpf_key_put]; \ 237l0_%=: r0 = 0; \ 238 exit; \ 239" : 240 : __imm(bpf_key_put), 241 __imm(bpf_lookup_user_key) 242 : __clobber_all); 243} 244 245SEC("lsm.s/bpf") 246__description("reference tracking: acquire/release system key reference") 247__success 248__naked void acquire_release_system_key_reference(void) 249{ 250 asm volatile (" \ 251 r1 = 1; \ 252 call %[bpf_lookup_system_key]; \ 253 if r0 == 0 goto l0_%=; \ 254 r1 = r0; \ 255 call %[bpf_key_put]; \ 256l0_%=: r0 = 0; \ 257 exit; \ 258" : 259 : __imm(bpf_key_put), 260 __imm(bpf_lookup_system_key) 261 : __clobber_all); 262} 263 264SEC("lsm.s/bpf") 265__description("reference tracking: release user key reference without check") 266__failure __msg("Possibly NULL pointer passed to trusted arg0") 267__naked void user_key_reference_without_check(void) 268{ 269 asm volatile (" \ 270 r1 = -3; \ 271 r2 = 0; \ 272 call %[bpf_lookup_user_key]; \ 273 r1 = r0; \ 274 call %[bpf_key_put]; \ 275 r0 = 0; \ 276 exit; \ 277" : 278 : __imm(bpf_key_put), 279 __imm(bpf_lookup_user_key) 280 : __clobber_all); 281} 282 283SEC("lsm.s/bpf") 284__description("reference tracking: release system key reference without check") 285__failure __msg("Possibly NULL pointer passed to trusted arg0") 286__naked void system_key_reference_without_check(void) 287{ 288 asm volatile (" \ 289 r1 = 1; \ 290 call %[bpf_lookup_system_key]; \ 291 r1 = r0; \ 292 call %[bpf_key_put]; \ 293 r0 = 0; \ 294 exit; \ 295" : 296 : __imm(bpf_key_put), 297 __imm(bpf_lookup_system_key) 298 : __clobber_all); 299} 300 301SEC("lsm.s/bpf") 302__description("reference tracking: release with NULL key pointer") 303__failure __msg("Possibly NULL pointer passed to trusted arg0") 304__naked void release_with_null_key_pointer(void) 305{ 306 asm volatile (" \ 307 r1 = 0; \ 308 call %[bpf_key_put]; \ 309 r0 = 0; \ 310 exit; \ 311" : 312 : __imm(bpf_key_put) 313 : __clobber_all); 314} 315 316SEC("lsm.s/bpf") 317__description("reference tracking: leak potential reference to user key") 318__failure __msg("Unreleased reference") 319__naked void potential_reference_to_user_key(void) 320{ 321 asm volatile (" \ 322 r1 = -3; \ 323 r2 = 0; \ 324 call %[bpf_lookup_user_key]; \ 325 exit; \ 326" : 327 : __imm(bpf_lookup_user_key) 328 : __clobber_all); 329} 330 331SEC("lsm.s/bpf") 332__description("reference tracking: leak potential reference to system key") 333__failure __msg("Unreleased reference") 334__naked void potential_reference_to_system_key(void) 335{ 336 asm volatile (" \ 337 r1 = 1; \ 338 call %[bpf_lookup_system_key]; \ 339 exit; \ 340" : 341 : __imm(bpf_lookup_system_key) 342 : __clobber_all); 343} 344 345SEC("tc") 346__description("reference tracking: release reference without check") 347__failure __msg("type=sock_or_null expected=sock") 348__naked void tracking_release_reference_without_check(void) 349{ 350 asm volatile ( 351 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 352" /* reference in r0 may be NULL */ \ 353 r1 = r0; \ 354 r2 = 0; \ 355 call %[bpf_sk_release]; \ 356 exit; \ 357" : 358 : __imm(bpf_sk_lookup_tcp), 359 __imm(bpf_sk_release), 360 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 361 : __clobber_all); 362} 363 364SEC("tc") 365__description("reference tracking: release reference to sock_common without check") 366__failure __msg("type=sock_common_or_null expected=sock") 367__naked void to_sock_common_without_check(void) 368{ 369 asm volatile ( 370 BPF_SK_LOOKUP(bpf_skc_lookup_tcp) 371" /* reference in r0 may be NULL */ \ 372 r1 = r0; \ 373 r2 = 0; \ 374 call %[bpf_sk_release]; \ 375 exit; \ 376" : 377 : __imm(bpf_sk_release), 378 __imm(bpf_skc_lookup_tcp), 379 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 380 : __clobber_all); 381} 382 383SEC("tc") 384__description("reference tracking: release reference") 385__success __retval(0) 386__naked void reference_tracking_release_reference(void) 387{ 388 asm volatile ( 389 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 390" r1 = r0; \ 391 if r0 == 0 goto l0_%=; \ 392 call %[bpf_sk_release]; \ 393l0_%=: exit; \ 394" : 395 : __imm(bpf_sk_lookup_tcp), 396 __imm(bpf_sk_release), 397 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 398 : __clobber_all); 399} 400 401SEC("tc") 402__description("reference tracking: release reference to sock_common") 403__success __retval(0) 404__naked void release_reference_to_sock_common(void) 405{ 406 asm volatile ( 407 BPF_SK_LOOKUP(bpf_skc_lookup_tcp) 408" r1 = r0; \ 409 if r0 == 0 goto l0_%=; \ 410 call %[bpf_sk_release]; \ 411l0_%=: exit; \ 412" : 413 : __imm(bpf_sk_release), 414 __imm(bpf_skc_lookup_tcp), 415 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 416 : __clobber_all); 417} 418 419SEC("tc") 420__description("reference tracking: release reference 2") 421__success __retval(0) 422__naked void reference_tracking_release_reference_2(void) 423{ 424 asm volatile ( 425 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 426" r1 = r0; \ 427 if r0 != 0 goto l0_%=; \ 428 exit; \ 429l0_%=: call %[bpf_sk_release]; \ 430 exit; \ 431" : 432 : __imm(bpf_sk_lookup_tcp), 433 __imm(bpf_sk_release), 434 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 435 : __clobber_all); 436} 437 438SEC("tc") 439__description("reference tracking: release reference twice") 440__failure __msg("type=scalar expected=sock") 441__naked void reference_tracking_release_reference_twice(void) 442{ 443 asm volatile ( 444 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 445" r1 = r0; \ 446 r6 = r0; \ 447 if r0 == 0 goto l0_%=; \ 448 call %[bpf_sk_release]; \ 449l0_%=: r1 = r6; \ 450 call %[bpf_sk_release]; \ 451 exit; \ 452" : 453 : __imm(bpf_sk_lookup_tcp), 454 __imm(bpf_sk_release), 455 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 456 : __clobber_all); 457} 458 459SEC("tc") 460__description("reference tracking: release reference twice inside branch") 461__failure __msg("type=scalar expected=sock") 462__naked void release_reference_twice_inside_branch(void) 463{ 464 asm volatile ( 465 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 466" r1 = r0; \ 467 r6 = r0; \ 468 if r0 == 0 goto l0_%=; /* goto end */ \ 469 call %[bpf_sk_release]; \ 470 r1 = r6; \ 471 call %[bpf_sk_release]; \ 472l0_%=: exit; \ 473" : 474 : __imm(bpf_sk_lookup_tcp), 475 __imm(bpf_sk_release), 476 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 477 : __clobber_all); 478} 479 480SEC("tc") 481__description("reference tracking: alloc, check, free in one subbranch") 482__failure __msg("Unreleased reference") 483__flag(BPF_F_ANY_ALIGNMENT) 484__naked void check_free_in_one_subbranch(void) 485{ 486 asm volatile (" \ 487 r2 = *(u32*)(r1 + %[__sk_buff_data]); \ 488 r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ 489 r0 = r2; \ 490 r0 += 16; \ 491 /* if (offsetof(skb, mark) > data_len) exit; */ \ 492 if r0 <= r3 goto l0_%=; \ 493 exit; \ 494l0_%=: r6 = *(u32*)(r2 + %[__sk_buff_mark]); \ 495" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 496" if r6 == 0 goto l1_%=; /* mark == 0? */\ 497 /* Leak reference in R0 */ \ 498 exit; \ 499l1_%=: if r0 == 0 goto l2_%=; /* sk NULL? */ \ 500 r1 = r0; \ 501 call %[bpf_sk_release]; \ 502l2_%=: exit; \ 503" : 504 : __imm(bpf_sk_lookup_tcp), 505 __imm(bpf_sk_release), 506 __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), 507 __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), 508 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)), 509 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 510 : __clobber_all); 511} 512 513SEC("tc") 514__description("reference tracking: alloc, check, free in both subbranches") 515__success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) 516__naked void check_free_in_both_subbranches(void) 517{ 518 asm volatile (" \ 519 r2 = *(u32*)(r1 + %[__sk_buff_data]); \ 520 r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ 521 r0 = r2; \ 522 r0 += 16; \ 523 /* if (offsetof(skb, mark) > data_len) exit; */ \ 524 if r0 <= r3 goto l0_%=; \ 525 exit; \ 526l0_%=: r6 = *(u32*)(r2 + %[__sk_buff_mark]); \ 527" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 528" if r6 == 0 goto l1_%=; /* mark == 0? */\ 529 if r0 == 0 goto l2_%=; /* sk NULL? */ \ 530 r1 = r0; \ 531 call %[bpf_sk_release]; \ 532l2_%=: exit; \ 533l1_%=: if r0 == 0 goto l3_%=; /* sk NULL? */ \ 534 r1 = r0; \ 535 call %[bpf_sk_release]; \ 536l3_%=: exit; \ 537" : 538 : __imm(bpf_sk_lookup_tcp), 539 __imm(bpf_sk_release), 540 __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), 541 __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), 542 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)), 543 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 544 : __clobber_all); 545} 546 547SEC("tc") 548__description("reference tracking in call: free reference in subprog") 549__success __retval(0) 550__naked void call_free_reference_in_subprog(void) 551{ 552 asm volatile ( 553 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 554" r1 = r0; /* unchecked reference */ \ 555 call call_free_reference_in_subprog__1; \ 556 r0 = 0; \ 557 exit; \ 558" : 559 : __imm(bpf_sk_lookup_tcp), 560 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 561 : __clobber_all); 562} 563 564static __naked __noinline __attribute__((used)) 565void call_free_reference_in_subprog__1(void) 566{ 567 asm volatile (" \ 568 /* subprog 1 */ \ 569 r2 = r1; \ 570 if r2 == 0 goto l0_%=; \ 571 call %[bpf_sk_release]; \ 572l0_%=: exit; \ 573" : 574 : __imm(bpf_sk_release) 575 : __clobber_all); 576} 577 578SEC("tc") 579__description("reference tracking in call: free reference in subprog and outside") 580__failure __msg("type=scalar expected=sock") 581__naked void reference_in_subprog_and_outside(void) 582{ 583 asm volatile ( 584 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 585" r1 = r0; /* unchecked reference */ \ 586 r6 = r0; \ 587 call reference_in_subprog_and_outside__1; \ 588 r1 = r6; \ 589 call %[bpf_sk_release]; \ 590 exit; \ 591" : 592 : __imm(bpf_sk_lookup_tcp), 593 __imm(bpf_sk_release), 594 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 595 : __clobber_all); 596} 597 598static __naked __noinline __attribute__((used)) 599void reference_in_subprog_and_outside__1(void) 600{ 601 asm volatile (" \ 602 /* subprog 1 */ \ 603 r2 = r1; \ 604 if r2 == 0 goto l0_%=; \ 605 call %[bpf_sk_release]; \ 606l0_%=: exit; \ 607" : 608 : __imm(bpf_sk_release) 609 : __clobber_all); 610} 611 612SEC("tc") 613__description("reference tracking in call: alloc & leak reference in subprog") 614__failure __msg("Unreleased reference") 615__naked void alloc_leak_reference_in_subprog(void) 616{ 617 asm volatile (" \ 618 r4 = r10; \ 619 r4 += -8; \ 620 call alloc_leak_reference_in_subprog__1; \ 621 r1 = r0; \ 622 r0 = 0; \ 623 exit; \ 624" ::: __clobber_all); 625} 626 627static __naked __noinline __attribute__((used)) 628void alloc_leak_reference_in_subprog__1(void) 629{ 630 asm volatile (" \ 631 /* subprog 1 */ \ 632 r6 = r4; \ 633" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 634" /* spill unchecked sk_ptr into stack of caller */\ 635 *(u64*)(r6 + 0) = r0; \ 636 r1 = r0; \ 637 exit; \ 638" : 639 : __imm(bpf_sk_lookup_tcp), 640 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 641 : __clobber_all); 642} 643 644SEC("tc") 645__description("reference tracking in call: alloc in subprog, release outside") 646__success __retval(POINTER_VALUE) 647__naked void alloc_in_subprog_release_outside(void) 648{ 649 asm volatile (" \ 650 r4 = r10; \ 651 call alloc_in_subprog_release_outside__1; \ 652 r1 = r0; \ 653 if r0 == 0 goto l0_%=; \ 654 call %[bpf_sk_release]; \ 655l0_%=: exit; \ 656" : 657 : __imm(bpf_sk_release) 658 : __clobber_all); 659} 660 661static __naked __noinline __attribute__((used)) 662void alloc_in_subprog_release_outside__1(void) 663{ 664 asm volatile (" \ 665 /* subprog 1 */ \ 666" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 667" exit; /* return sk */ \ 668" : 669 : __imm(bpf_sk_lookup_tcp), 670 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 671 : __clobber_all); 672} 673 674SEC("tc") 675__description("reference tracking in call: sk_ptr leak into caller stack") 676__failure __msg("Unreleased reference") 677__naked void ptr_leak_into_caller_stack(void) 678{ 679 asm volatile (" \ 680 r4 = r10; \ 681 r4 += -8; \ 682 call ptr_leak_into_caller_stack__1; \ 683 r0 = 0; \ 684 exit; \ 685" ::: __clobber_all); 686} 687 688static __naked __noinline __attribute__((used)) 689void ptr_leak_into_caller_stack__1(void) 690{ 691 asm volatile (" \ 692 /* subprog 1 */ \ 693 r5 = r10; \ 694 r5 += -8; \ 695 *(u64*)(r5 + 0) = r4; \ 696 call ptr_leak_into_caller_stack__2; \ 697 /* spill unchecked sk_ptr into stack of caller */\ 698 r5 = r10; \ 699 r5 += -8; \ 700 r4 = *(u64*)(r5 + 0); \ 701 *(u64*)(r4 + 0) = r0; \ 702 exit; \ 703" ::: __clobber_all); 704} 705 706static __naked __noinline __attribute__((used)) 707void ptr_leak_into_caller_stack__2(void) 708{ 709 asm volatile (" \ 710 /* subprog 2 */ \ 711" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 712" exit; \ 713" : 714 : __imm(bpf_sk_lookup_tcp), 715 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 716 : __clobber_all); 717} 718 719SEC("tc") 720__description("reference tracking in call: sk_ptr spill into caller stack") 721__success __retval(0) 722__naked void ptr_spill_into_caller_stack(void) 723{ 724 asm volatile (" \ 725 r4 = r10; \ 726 r4 += -8; \ 727 call ptr_spill_into_caller_stack__1; \ 728 r0 = 0; \ 729 exit; \ 730" ::: __clobber_all); 731} 732 733static __naked __noinline __attribute__((used)) 734void ptr_spill_into_caller_stack__1(void) 735{ 736 asm volatile (" \ 737 /* subprog 1 */ \ 738 r5 = r10; \ 739 r5 += -8; \ 740 *(u64*)(r5 + 0) = r4; \ 741 call ptr_spill_into_caller_stack__2; \ 742 /* spill unchecked sk_ptr into stack of caller */\ 743 r5 = r10; \ 744 r5 += -8; \ 745 r4 = *(u64*)(r5 + 0); \ 746 *(u64*)(r4 + 0) = r0; \ 747 if r0 == 0 goto l0_%=; \ 748 /* now the sk_ptr is verified, free the reference */\ 749 r1 = *(u64*)(r4 + 0); \ 750 call %[bpf_sk_release]; \ 751l0_%=: exit; \ 752" : 753 : __imm(bpf_sk_release) 754 : __clobber_all); 755} 756 757static __naked __noinline __attribute__((used)) 758void ptr_spill_into_caller_stack__2(void) 759{ 760 asm volatile (" \ 761 /* subprog 2 */ \ 762" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 763" exit; \ 764" : 765 : __imm(bpf_sk_lookup_tcp), 766 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 767 : __clobber_all); 768} 769 770SEC("tc") 771__description("reference tracking: allow LD_ABS") 772__success __retval(0) 773__naked void reference_tracking_allow_ld_abs(void) 774{ 775 asm volatile (" \ 776 r6 = r1; \ 777" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 778" r1 = r0; \ 779 if r0 == 0 goto l0_%=; \ 780 call %[bpf_sk_release]; \ 781l0_%=: r0 = *(u8*)skb[0]; \ 782 r0 = *(u16*)skb[0]; \ 783 r0 = *(u32*)skb[0]; \ 784 exit; \ 785" : 786 : __imm(bpf_sk_lookup_tcp), 787 __imm(bpf_sk_release), 788 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 789 : __clobber_all); 790} 791 792SEC("tc") 793__description("reference tracking: forbid LD_ABS while holding reference") 794__failure __msg("BPF_LD_[ABS|IND] cannot be mixed with socket references") 795__naked void ld_abs_while_holding_reference(void) 796{ 797 asm volatile (" \ 798 r6 = r1; \ 799" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 800" r0 = *(u8*)skb[0]; \ 801 r0 = *(u16*)skb[0]; \ 802 r0 = *(u32*)skb[0]; \ 803 r1 = r0; \ 804 if r0 == 0 goto l0_%=; \ 805 call %[bpf_sk_release]; \ 806l0_%=: exit; \ 807" : 808 : __imm(bpf_sk_lookup_tcp), 809 __imm(bpf_sk_release), 810 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 811 : __clobber_all); 812} 813 814SEC("tc") 815__description("reference tracking: allow LD_IND") 816__success __retval(1) 817__naked void reference_tracking_allow_ld_ind(void) 818{ 819 asm volatile (" \ 820 r6 = r1; \ 821" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 822" r1 = r0; \ 823 if r0 == 0 goto l0_%=; \ 824 call %[bpf_sk_release]; \ 825l0_%=: r7 = 1; \ 826 .8byte %[ld_ind]; \ 827 r0 = r7; \ 828 exit; \ 829" : 830 : __imm(bpf_sk_lookup_tcp), 831 __imm(bpf_sk_release), 832 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)), 833 __imm_insn(ld_ind, BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000)) 834 : __clobber_all); 835} 836 837SEC("tc") 838__description("reference tracking: forbid LD_IND while holding reference") 839__failure __msg("BPF_LD_[ABS|IND] cannot be mixed with socket references") 840__naked void ld_ind_while_holding_reference(void) 841{ 842 asm volatile (" \ 843 r6 = r1; \ 844" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 845" r4 = r0; \ 846 r7 = 1; \ 847 .8byte %[ld_ind]; \ 848 r0 = r7; \ 849 r1 = r4; \ 850 if r1 == 0 goto l0_%=; \ 851 call %[bpf_sk_release]; \ 852l0_%=: exit; \ 853" : 854 : __imm(bpf_sk_lookup_tcp), 855 __imm(bpf_sk_release), 856 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)), 857 __imm_insn(ld_ind, BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000)) 858 : __clobber_all); 859} 860 861SEC("tc") 862__description("reference tracking: check reference or tail call") 863__success __retval(0) 864__naked void check_reference_or_tail_call(void) 865{ 866 asm volatile (" \ 867 r7 = r1; \ 868" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 869" /* if (sk) bpf_sk_release() */ \ 870 r1 = r0; \ 871 if r1 != 0 goto l0_%=; \ 872 /* bpf_tail_call() */ \ 873 r3 = 3; \ 874 r2 = %[map_prog1_tc] ll; \ 875 r1 = r7; \ 876 call %[bpf_tail_call]; \ 877 r0 = 0; \ 878 exit; \ 879l0_%=: call %[bpf_sk_release]; \ 880 exit; \ 881" : 882 : __imm(bpf_sk_lookup_tcp), 883 __imm(bpf_sk_release), 884 __imm(bpf_tail_call), 885 __imm_addr(map_prog1_tc), 886 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 887 : __clobber_all); 888} 889 890SEC("tc") 891__description("reference tracking: release reference then tail call") 892__success __retval(0) 893__naked void release_reference_then_tail_call(void) 894{ 895 asm volatile (" \ 896 r7 = r1; \ 897" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 898" /* if (sk) bpf_sk_release() */ \ 899 r1 = r0; \ 900 if r1 == 0 goto l0_%=; \ 901 call %[bpf_sk_release]; \ 902l0_%=: /* bpf_tail_call() */ \ 903 r3 = 3; \ 904 r2 = %[map_prog1_tc] ll; \ 905 r1 = r7; \ 906 call %[bpf_tail_call]; \ 907 r0 = 0; \ 908 exit; \ 909" : 910 : __imm(bpf_sk_lookup_tcp), 911 __imm(bpf_sk_release), 912 __imm(bpf_tail_call), 913 __imm_addr(map_prog1_tc), 914 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 915 : __clobber_all); 916} 917 918SEC("tc") 919__description("reference tracking: leak possible reference over tail call") 920__failure __msg("tail_call would lead to reference leak") 921__naked void possible_reference_over_tail_call(void) 922{ 923 asm volatile (" \ 924 r7 = r1; \ 925 /* Look up socket and store in REG_6 */ \ 926" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 927" /* bpf_tail_call() */ \ 928 r6 = r0; \ 929 r3 = 3; \ 930 r2 = %[map_prog1_tc] ll; \ 931 r1 = r7; \ 932 call %[bpf_tail_call]; \ 933 r0 = 0; \ 934 /* if (sk) bpf_sk_release() */ \ 935 r1 = r6; \ 936 if r1 == 0 goto l0_%=; \ 937 call %[bpf_sk_release]; \ 938l0_%=: exit; \ 939" : 940 : __imm(bpf_sk_lookup_tcp), 941 __imm(bpf_sk_release), 942 __imm(bpf_tail_call), 943 __imm_addr(map_prog1_tc), 944 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 945 : __clobber_all); 946} 947 948SEC("tc") 949__description("reference tracking: leak checked reference over tail call") 950__failure __msg("tail_call would lead to reference leak") 951__naked void checked_reference_over_tail_call(void) 952{ 953 asm volatile (" \ 954 r7 = r1; \ 955 /* Look up socket and store in REG_6 */ \ 956" BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 957" r6 = r0; \ 958 /* if (!sk) goto end */ \ 959 if r0 == 0 goto l0_%=; \ 960 /* bpf_tail_call() */ \ 961 r3 = 0; \ 962 r2 = %[map_prog1_tc] ll; \ 963 r1 = r7; \ 964 call %[bpf_tail_call]; \ 965 r0 = 0; \ 966 r1 = r6; \ 967l0_%=: call %[bpf_sk_release]; \ 968 exit; \ 969" : 970 : __imm(bpf_sk_lookup_tcp), 971 __imm(bpf_sk_release), 972 __imm(bpf_tail_call), 973 __imm_addr(map_prog1_tc), 974 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 975 : __clobber_all); 976} 977 978SEC("tc") 979__description("reference tracking: mangle and release sock_or_null") 980__failure __msg("R1 pointer arithmetic on sock_or_null prohibited") 981__naked void and_release_sock_or_null(void) 982{ 983 asm volatile ( 984 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 985" r1 = r0; \ 986 r1 += 5; \ 987 if r0 == 0 goto l0_%=; \ 988 call %[bpf_sk_release]; \ 989l0_%=: exit; \ 990" : 991 : __imm(bpf_sk_lookup_tcp), 992 __imm(bpf_sk_release), 993 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 994 : __clobber_all); 995} 996 997SEC("tc") 998__description("reference tracking: mangle and release sock") 999__failure __msg("R1 pointer arithmetic on sock prohibited") 1000__naked void tracking_mangle_and_release_sock(void) 1001{ 1002 asm volatile ( 1003 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1004" r1 = r0; \ 1005 if r0 == 0 goto l0_%=; \ 1006 r1 += 5; \ 1007 call %[bpf_sk_release]; \ 1008l0_%=: exit; \ 1009" : 1010 : __imm(bpf_sk_lookup_tcp), 1011 __imm(bpf_sk_release), 1012 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1013 : __clobber_all); 1014} 1015 1016SEC("tc") 1017__description("reference tracking: access member") 1018__success __retval(0) 1019__naked void reference_tracking_access_member(void) 1020{ 1021 asm volatile ( 1022 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1023" r6 = r0; \ 1024 if r0 == 0 goto l0_%=; \ 1025 r2 = *(u32*)(r0 + 4); \ 1026 r1 = r6; \ 1027 call %[bpf_sk_release]; \ 1028l0_%=: exit; \ 1029" : 1030 : __imm(bpf_sk_lookup_tcp), 1031 __imm(bpf_sk_release), 1032 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1033 : __clobber_all); 1034} 1035 1036SEC("tc") 1037__description("reference tracking: write to member") 1038__failure __msg("cannot write into sock") 1039__naked void reference_tracking_write_to_member(void) 1040{ 1041 asm volatile ( 1042 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1043" r6 = r0; \ 1044 if r0 == 0 goto l0_%=; \ 1045 r1 = r6; \ 1046 r2 = 42 ll; \ 1047 *(u32*)(r1 + %[bpf_sock_mark]) = r2; \ 1048 r1 = r6; \ 1049l0_%=: call %[bpf_sk_release]; \ 1050 r0 = 0 ll; \ 1051 exit; \ 1052" : 1053 : __imm(bpf_sk_lookup_tcp), 1054 __imm(bpf_sk_release), 1055 __imm_const(bpf_sock_mark, offsetof(struct bpf_sock, mark)), 1056 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1057 : __clobber_all); 1058} 1059 1060SEC("tc") 1061__description("reference tracking: invalid 64-bit access of member") 1062__failure __msg("invalid sock access off=0 size=8") 1063__naked void _64_bit_access_of_member(void) 1064{ 1065 asm volatile ( 1066 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1067" r6 = r0; \ 1068 if r0 == 0 goto l0_%=; \ 1069 r2 = *(u64*)(r0 + 0); \ 1070 r1 = r6; \ 1071 call %[bpf_sk_release]; \ 1072l0_%=: exit; \ 1073" : 1074 : __imm(bpf_sk_lookup_tcp), 1075 __imm(bpf_sk_release), 1076 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1077 : __clobber_all); 1078} 1079 1080SEC("tc") 1081__description("reference tracking: access after release") 1082__failure __msg("!read_ok") 1083__naked void reference_tracking_access_after_release(void) 1084{ 1085 asm volatile ( 1086 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1087" r1 = r0; \ 1088 if r0 == 0 goto l0_%=; \ 1089 call %[bpf_sk_release]; \ 1090 r2 = *(u32*)(r1 + 0); \ 1091l0_%=: exit; \ 1092" : 1093 : __imm(bpf_sk_lookup_tcp), 1094 __imm(bpf_sk_release), 1095 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1096 : __clobber_all); 1097} 1098 1099SEC("tc") 1100__description("reference tracking: direct access for lookup") 1101__success __retval(0) 1102__naked void tracking_direct_access_for_lookup(void) 1103{ 1104 asm volatile (" \ 1105 /* Check that the packet is at least 64B long */\ 1106 r2 = *(u32*)(r1 + %[__sk_buff_data]); \ 1107 r3 = *(u32*)(r1 + %[__sk_buff_data_end]); \ 1108 r0 = r2; \ 1109 r0 += 64; \ 1110 if r0 > r3 goto l0_%=; \ 1111 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */ \ 1112 r3 = %[sizeof_bpf_sock_tuple]; \ 1113 r4 = 0; \ 1114 r5 = 0; \ 1115 call %[bpf_sk_lookup_tcp]; \ 1116 r6 = r0; \ 1117 if r0 == 0 goto l0_%=; \ 1118 r2 = *(u32*)(r0 + 4); \ 1119 r1 = r6; \ 1120 call %[bpf_sk_release]; \ 1121l0_%=: exit; \ 1122" : 1123 : __imm(bpf_sk_lookup_tcp), 1124 __imm(bpf_sk_release), 1125 __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), 1126 __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)), 1127 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1128 : __clobber_all); 1129} 1130 1131SEC("tc") 1132__description("reference tracking: use ptr from bpf_tcp_sock() after release") 1133__failure __msg("invalid mem access") 1134__flag(BPF_F_ANY_ALIGNMENT) 1135__naked void bpf_tcp_sock_after_release(void) 1136{ 1137 asm volatile ( 1138 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1139" if r0 != 0 goto l0_%=; \ 1140 exit; \ 1141l0_%=: r6 = r0; \ 1142 r1 = r0; \ 1143 call %[bpf_tcp_sock]; \ 1144 if r0 != 0 goto l1_%=; \ 1145 r1 = r6; \ 1146 call %[bpf_sk_release]; \ 1147 exit; \ 1148l1_%=: r7 = r0; \ 1149 r1 = r6; \ 1150 call %[bpf_sk_release]; \ 1151 r0 = *(u32*)(r7 + %[bpf_tcp_sock_snd_cwnd]); \ 1152 exit; \ 1153" : 1154 : __imm(bpf_sk_lookup_tcp), 1155 __imm(bpf_sk_release), 1156 __imm(bpf_tcp_sock), 1157 __imm_const(bpf_tcp_sock_snd_cwnd, offsetof(struct bpf_tcp_sock, snd_cwnd)), 1158 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1159 : __clobber_all); 1160} 1161 1162SEC("tc") 1163__description("reference tracking: use ptr from bpf_sk_fullsock() after release") 1164__failure __msg("invalid mem access") 1165__flag(BPF_F_ANY_ALIGNMENT) 1166__naked void bpf_sk_fullsock_after_release(void) 1167{ 1168 asm volatile ( 1169 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1170" if r0 != 0 goto l0_%=; \ 1171 exit; \ 1172l0_%=: r6 = r0; \ 1173 r1 = r0; \ 1174 call %[bpf_sk_fullsock]; \ 1175 if r0 != 0 goto l1_%=; \ 1176 r1 = r6; \ 1177 call %[bpf_sk_release]; \ 1178 exit; \ 1179l1_%=: r7 = r0; \ 1180 r1 = r6; \ 1181 call %[bpf_sk_release]; \ 1182 r0 = *(u32*)(r7 + %[bpf_sock_type]); \ 1183 exit; \ 1184" : 1185 : __imm(bpf_sk_fullsock), 1186 __imm(bpf_sk_lookup_tcp), 1187 __imm(bpf_sk_release), 1188 __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type)), 1189 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1190 : __clobber_all); 1191} 1192 1193SEC("tc") 1194__description("reference tracking: use ptr from bpf_sk_fullsock(tp) after release") 1195__failure __msg("invalid mem access") 1196__flag(BPF_F_ANY_ALIGNMENT) 1197__naked void sk_fullsock_tp_after_release(void) 1198{ 1199 asm volatile ( 1200 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1201" if r0 != 0 goto l0_%=; \ 1202 exit; \ 1203l0_%=: r6 = r0; \ 1204 r1 = r0; \ 1205 call %[bpf_tcp_sock]; \ 1206 if r0 != 0 goto l1_%=; \ 1207 r1 = r6; \ 1208 call %[bpf_sk_release]; \ 1209 exit; \ 1210l1_%=: r1 = r0; \ 1211 call %[bpf_sk_fullsock]; \ 1212 r1 = r6; \ 1213 r6 = r0; \ 1214 call %[bpf_sk_release]; \ 1215 if r6 != 0 goto l2_%=; \ 1216 exit; \ 1217l2_%=: r0 = *(u32*)(r6 + %[bpf_sock_type]); \ 1218 exit; \ 1219" : 1220 : __imm(bpf_sk_fullsock), 1221 __imm(bpf_sk_lookup_tcp), 1222 __imm(bpf_sk_release), 1223 __imm(bpf_tcp_sock), 1224 __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type)), 1225 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1226 : __clobber_all); 1227} 1228 1229SEC("tc") 1230__description("reference tracking: use sk after bpf_sk_release(tp)") 1231__failure __msg("invalid mem access") 1232__flag(BPF_F_ANY_ALIGNMENT) 1233__naked void after_bpf_sk_release_tp(void) 1234{ 1235 asm volatile ( 1236 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1237" if r0 != 0 goto l0_%=; \ 1238 exit; \ 1239l0_%=: r6 = r0; \ 1240 r1 = r0; \ 1241 call %[bpf_tcp_sock]; \ 1242 if r0 != 0 goto l1_%=; \ 1243 r1 = r6; \ 1244 call %[bpf_sk_release]; \ 1245 exit; \ 1246l1_%=: r1 = r0; \ 1247 call %[bpf_sk_release]; \ 1248 r0 = *(u32*)(r6 + %[bpf_sock_type]); \ 1249 exit; \ 1250" : 1251 : __imm(bpf_sk_lookup_tcp), 1252 __imm(bpf_sk_release), 1253 __imm(bpf_tcp_sock), 1254 __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type)), 1255 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1256 : __clobber_all); 1257} 1258 1259SEC("tc") 1260__description("reference tracking: use ptr from bpf_get_listener_sock() after bpf_sk_release(sk)") 1261__success __retval(0) 1262__naked void after_bpf_sk_release_sk(void) 1263{ 1264 asm volatile ( 1265 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1266" if r0 != 0 goto l0_%=; \ 1267 exit; \ 1268l0_%=: r6 = r0; \ 1269 r1 = r0; \ 1270 call %[bpf_get_listener_sock]; \ 1271 if r0 != 0 goto l1_%=; \ 1272 r1 = r6; \ 1273 call %[bpf_sk_release]; \ 1274 exit; \ 1275l1_%=: r1 = r6; \ 1276 r6 = r0; \ 1277 call %[bpf_sk_release]; \ 1278 r0 = *(u32*)(r6 + %[bpf_sock_src_port]); \ 1279 exit; \ 1280" : 1281 : __imm(bpf_get_listener_sock), 1282 __imm(bpf_sk_lookup_tcp), 1283 __imm(bpf_sk_release), 1284 __imm_const(bpf_sock_src_port, offsetof(struct bpf_sock, src_port)), 1285 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1286 : __clobber_all); 1287} 1288 1289SEC("tc") 1290__description("reference tracking: bpf_sk_release(listen_sk)") 1291__failure __msg("R1 must be referenced when passed to release function") 1292__naked void bpf_sk_release_listen_sk(void) 1293{ 1294 asm volatile ( 1295 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1296" if r0 != 0 goto l0_%=; \ 1297 exit; \ 1298l0_%=: r6 = r0; \ 1299 r1 = r0; \ 1300 call %[bpf_get_listener_sock]; \ 1301 if r0 != 0 goto l1_%=; \ 1302 r1 = r6; \ 1303 call %[bpf_sk_release]; \ 1304 exit; \ 1305l1_%=: r1 = r0; \ 1306 call %[bpf_sk_release]; \ 1307 r0 = *(u32*)(r6 + %[bpf_sock_type]); \ 1308 r1 = r6; \ 1309 call %[bpf_sk_release]; \ 1310 exit; \ 1311" : 1312 : __imm(bpf_get_listener_sock), 1313 __imm(bpf_sk_lookup_tcp), 1314 __imm(bpf_sk_release), 1315 __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type)), 1316 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1317 : __clobber_all); 1318} 1319 1320/* !bpf_sk_fullsock(sk) is checked but !bpf_tcp_sock(sk) is not checked */ 1321SEC("tc") 1322__description("reference tracking: tp->snd_cwnd after bpf_sk_fullsock(sk) and bpf_tcp_sock(sk)") 1323__failure __msg("invalid mem access") 1324__naked void and_bpf_tcp_sock_sk(void) 1325{ 1326 asm volatile ( 1327 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1328" if r0 != 0 goto l0_%=; \ 1329 exit; \ 1330l0_%=: r6 = r0; \ 1331 r1 = r0; \ 1332 call %[bpf_sk_fullsock]; \ 1333 r7 = r0; \ 1334 r1 = r6; \ 1335 call %[bpf_tcp_sock]; \ 1336 r8 = r0; \ 1337 if r7 != 0 goto l1_%=; \ 1338 r1 = r6; \ 1339 call %[bpf_sk_release]; \ 1340 exit; \ 1341l1_%=: r0 = *(u32*)(r8 + %[bpf_tcp_sock_snd_cwnd]); \ 1342 r1 = r6; \ 1343 call %[bpf_sk_release]; \ 1344 exit; \ 1345" : 1346 : __imm(bpf_sk_fullsock), 1347 __imm(bpf_sk_lookup_tcp), 1348 __imm(bpf_sk_release), 1349 __imm(bpf_tcp_sock), 1350 __imm_const(bpf_tcp_sock_snd_cwnd, offsetof(struct bpf_tcp_sock, snd_cwnd)), 1351 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1352 : __clobber_all); 1353} 1354 1355SEC("tc") 1356__description("reference tracking: branch tracking valid pointer null comparison") 1357__success __retval(0) 1358__naked void tracking_valid_pointer_null_comparison(void) 1359{ 1360 asm volatile ( 1361 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1362" r6 = r0; \ 1363 r3 = 1; \ 1364 if r6 != 0 goto l0_%=; \ 1365 r3 = 0; \ 1366l0_%=: if r6 == 0 goto l1_%=; \ 1367 r1 = r6; \ 1368 call %[bpf_sk_release]; \ 1369l1_%=: exit; \ 1370" : 1371 : __imm(bpf_sk_lookup_tcp), 1372 __imm(bpf_sk_release), 1373 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1374 : __clobber_all); 1375} 1376 1377SEC("tc") 1378__description("reference tracking: branch tracking valid pointer value comparison") 1379__failure __msg("Unreleased reference") 1380__naked void tracking_valid_pointer_value_comparison(void) 1381{ 1382 asm volatile ( 1383 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1384" r6 = r0; \ 1385 r3 = 1; \ 1386 if r6 == 0 goto l0_%=; \ 1387 r3 = 0; \ 1388 if r6 == 1234 goto l0_%=; \ 1389 r1 = r6; \ 1390 call %[bpf_sk_release]; \ 1391l0_%=: exit; \ 1392" : 1393 : __imm(bpf_sk_lookup_tcp), 1394 __imm(bpf_sk_release), 1395 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1396 : __clobber_all); 1397} 1398 1399SEC("tc") 1400__description("reference tracking: bpf_sk_release(btf_tcp_sock)") 1401__success 1402__retval(0) 1403__naked void sk_release_btf_tcp_sock(void) 1404{ 1405 asm volatile ( 1406 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1407" if r0 != 0 goto l0_%=; \ 1408 exit; \ 1409l0_%=: r6 = r0; \ 1410 r1 = r0; \ 1411 call %[bpf_skc_to_tcp_sock]; \ 1412 if r0 != 0 goto l1_%=; \ 1413 r1 = r6; \ 1414 call %[bpf_sk_release]; \ 1415 exit; \ 1416l1_%=: r1 = r0; \ 1417 call %[bpf_sk_release]; \ 1418 exit; \ 1419" : 1420 : __imm(bpf_sk_lookup_tcp), 1421 __imm(bpf_sk_release), 1422 __imm(bpf_skc_to_tcp_sock), 1423 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1424 : __clobber_all); 1425} 1426 1427SEC("tc") 1428__description("reference tracking: use ptr from bpf_skc_to_tcp_sock() after release") 1429__failure __msg("invalid mem access") 1430__naked void to_tcp_sock_after_release(void) 1431{ 1432 asm volatile ( 1433 BPF_SK_LOOKUP(bpf_sk_lookup_tcp) 1434" if r0 != 0 goto l0_%=; \ 1435 exit; \ 1436l0_%=: r6 = r0; \ 1437 r1 = r0; \ 1438 call %[bpf_skc_to_tcp_sock]; \ 1439 if r0 != 0 goto l1_%=; \ 1440 r1 = r6; \ 1441 call %[bpf_sk_release]; \ 1442 exit; \ 1443l1_%=: r7 = r0; \ 1444 r1 = r6; \ 1445 call %[bpf_sk_release]; \ 1446 r0 = *(u8*)(r7 + 0); \ 1447 exit; \ 1448" : 1449 : __imm(bpf_sk_lookup_tcp), 1450 __imm(bpf_sk_release), 1451 __imm(bpf_skc_to_tcp_sock), 1452 __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple)) 1453 : __clobber_all); 1454} 1455 1456SEC("socket") 1457__description("reference tracking: try to leak released ptr reg") 1458__success __failure_unpriv __msg_unpriv("R8 !read_ok") 1459__retval(0) 1460__naked void to_leak_released_ptr_reg(void) 1461{ 1462 asm volatile (" \ 1463 r0 = 0; \ 1464 *(u32*)(r10 - 4) = r0; \ 1465 r2 = r10; \ 1466 r2 += -4; \ 1467 r1 = %[map_array_48b] ll; \ 1468 call %[bpf_map_lookup_elem]; \ 1469 if r0 != 0 goto l0_%=; \ 1470 exit; \ 1471l0_%=: r9 = r0; \ 1472 r0 = 0; \ 1473 r1 = %[map_ringbuf] ll; \ 1474 r2 = 8; \ 1475 r3 = 0; \ 1476 call %[bpf_ringbuf_reserve]; \ 1477 if r0 != 0 goto l1_%=; \ 1478 exit; \ 1479l1_%=: r8 = r0; \ 1480 r1 = r8; \ 1481 r2 = 0; \ 1482 call %[bpf_ringbuf_discard]; \ 1483 r0 = 0; \ 1484 *(u64*)(r9 + 0) = r8; \ 1485 exit; \ 1486" : 1487 : __imm(bpf_map_lookup_elem), 1488 __imm(bpf_ringbuf_discard), 1489 __imm(bpf_ringbuf_reserve), 1490 __imm_addr(map_array_48b), 1491 __imm_addr(map_ringbuf) 1492 : __clobber_all); 1493} 1494 1495char _license[] SEC("license") = "GPL"; 1496