1// SPDX-License-Identifier: GPL-2.0 2/* Converted from tools/testing/selftests/bpf/verifier/value_ptr_arith.c */ 3 4#include <linux/bpf.h> 5#include <bpf/bpf_helpers.h> 6#include <errno.h> 7#include "bpf_misc.h" 8 9#define MAX_ENTRIES 11 10 11struct test_val { 12 unsigned int index; 13 int foo[MAX_ENTRIES]; 14}; 15 16struct { 17 __uint(type, BPF_MAP_TYPE_ARRAY); 18 __uint(max_entries, 1); 19 __type(key, int); 20 __type(value, struct test_val); 21} map_array_48b SEC(".maps"); 22 23struct other_val { 24 long long foo; 25 long long bar; 26}; 27 28struct { 29 __uint(type, BPF_MAP_TYPE_HASH); 30 __uint(max_entries, 1); 31 __type(key, long long); 32 __type(value, struct other_val); 33} map_hash_16b SEC(".maps"); 34 35struct { 36 __uint(type, BPF_MAP_TYPE_HASH); 37 __uint(max_entries, 1); 38 __type(key, long long); 39 __type(value, struct test_val); 40} map_hash_48b SEC(".maps"); 41 42SEC("socket") 43__description("map access: known scalar += value_ptr unknown vs const") 44__success __failure_unpriv 45__msg_unpriv("R1 tried to add from different maps, paths or scalars") 46__retval(1) 47__naked void value_ptr_unknown_vs_const(void) 48{ 49 asm volatile (" \ 50 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 51 r1 = 0; \ 52 *(u64*)(r10 - 8) = r1; \ 53 r2 = r10; \ 54 r2 += -8; \ 55 if r0 == 1 goto l0_%=; \ 56 r1 = %[map_hash_16b] ll; \ 57 if r0 != 1 goto l1_%=; \ 58l0_%=: r1 = %[map_array_48b] ll; \ 59l1_%=: call %[bpf_map_lookup_elem]; \ 60 if r0 == 0 goto l2_%=; \ 61 r4 = *(u8*)(r0 + 0); \ 62 if r4 == 1 goto l3_%=; \ 63 r1 = 6; \ 64 r1 = -r1; \ 65 r1 &= 0x7; \ 66 goto l4_%=; \ 67l3_%=: r1 = 3; \ 68l4_%=: r1 += r0; \ 69 r0 = *(u8*)(r1 + 0); \ 70l2_%=: r0 = 1; \ 71 exit; \ 72" : 73 : __imm(bpf_map_lookup_elem), 74 __imm_addr(map_array_48b), 75 __imm_addr(map_hash_16b), 76 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 77 : __clobber_all); 78} 79 80SEC("socket") 81__description("map access: known scalar += value_ptr const vs unknown") 82__success __failure_unpriv 83__msg_unpriv("R1 tried to add from different maps, paths or scalars") 84__retval(1) 85__naked void value_ptr_const_vs_unknown(void) 86{ 87 asm volatile (" \ 88 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 89 r1 = 0; \ 90 *(u64*)(r10 - 8) = r1; \ 91 r2 = r10; \ 92 r2 += -8; \ 93 if r0 == 1 goto l0_%=; \ 94 r1 = %[map_hash_16b] ll; \ 95 if r0 != 1 goto l1_%=; \ 96l0_%=: r1 = %[map_array_48b] ll; \ 97l1_%=: call %[bpf_map_lookup_elem]; \ 98 if r0 == 0 goto l2_%=; \ 99 r4 = *(u8*)(r0 + 0); \ 100 if r4 == 1 goto l3_%=; \ 101 r1 = 3; \ 102 goto l4_%=; \ 103l3_%=: r1 = 6; \ 104 r1 = -r1; \ 105 r1 &= 0x7; \ 106l4_%=: r1 += r0; \ 107 r0 = *(u8*)(r1 + 0); \ 108l2_%=: r0 = 1; \ 109 exit; \ 110" : 111 : __imm(bpf_map_lookup_elem), 112 __imm_addr(map_array_48b), 113 __imm_addr(map_hash_16b), 114 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 115 : __clobber_all); 116} 117 118SEC("socket") 119__description("map access: known scalar += value_ptr const vs const (ne)") 120__success __failure_unpriv 121__msg_unpriv("R1 tried to add from different maps, paths or scalars") 122__retval(1) 123__naked void ptr_const_vs_const_ne(void) 124{ 125 asm volatile (" \ 126 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 127 r1 = 0; \ 128 *(u64*)(r10 - 8) = r1; \ 129 r2 = r10; \ 130 r2 += -8; \ 131 if r0 == 1 goto l0_%=; \ 132 r1 = %[map_hash_16b] ll; \ 133 if r0 != 1 goto l1_%=; \ 134l0_%=: r1 = %[map_array_48b] ll; \ 135l1_%=: call %[bpf_map_lookup_elem]; \ 136 if r0 == 0 goto l2_%=; \ 137 r4 = *(u8*)(r0 + 0); \ 138 if r4 == 1 goto l3_%=; \ 139 r1 = 3; \ 140 goto l4_%=; \ 141l3_%=: r1 = 5; \ 142l4_%=: r1 += r0; \ 143 r0 = *(u8*)(r1 + 0); \ 144l2_%=: r0 = 1; \ 145 exit; \ 146" : 147 : __imm(bpf_map_lookup_elem), 148 __imm_addr(map_array_48b), 149 __imm_addr(map_hash_16b), 150 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 151 : __clobber_all); 152} 153 154SEC("socket") 155__description("map access: known scalar += value_ptr const vs const (eq)") 156__success __success_unpriv __retval(1) 157__naked void ptr_const_vs_const_eq(void) 158{ 159 asm volatile (" \ 160 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 161 r1 = 0; \ 162 *(u64*)(r10 - 8) = r1; \ 163 r2 = r10; \ 164 r2 += -8; \ 165 if r0 == 1 goto l0_%=; \ 166 r1 = %[map_hash_16b] ll; \ 167 if r0 != 1 goto l1_%=; \ 168l0_%=: r1 = %[map_array_48b] ll; \ 169l1_%=: call %[bpf_map_lookup_elem]; \ 170 if r0 == 0 goto l2_%=; \ 171 r4 = *(u8*)(r0 + 0); \ 172 if r4 == 1 goto l3_%=; \ 173 r1 = 5; \ 174 goto l4_%=; \ 175l3_%=: r1 = 5; \ 176l4_%=: r1 += r0; \ 177 r0 = *(u8*)(r1 + 0); \ 178l2_%=: r0 = 1; \ 179 exit; \ 180" : 181 : __imm(bpf_map_lookup_elem), 182 __imm_addr(map_array_48b), 183 __imm_addr(map_hash_16b), 184 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 185 : __clobber_all); 186} 187 188SEC("socket") 189__description("map access: known scalar += value_ptr unknown vs unknown (eq)") 190__success __success_unpriv __retval(1) 191__naked void ptr_unknown_vs_unknown_eq(void) 192{ 193 asm volatile (" \ 194 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 195 r1 = 0; \ 196 *(u64*)(r10 - 8) = r1; \ 197 r2 = r10; \ 198 r2 += -8; \ 199 if r0 == 1 goto l0_%=; \ 200 r1 = %[map_hash_16b] ll; \ 201 if r0 != 1 goto l1_%=; \ 202l0_%=: r1 = %[map_array_48b] ll; \ 203l1_%=: call %[bpf_map_lookup_elem]; \ 204 if r0 == 0 goto l2_%=; \ 205 r4 = *(u8*)(r0 + 0); \ 206 if r4 == 1 goto l3_%=; \ 207 r1 = 6; \ 208 r1 = -r1; \ 209 r1 &= 0x7; \ 210 goto l4_%=; \ 211l3_%=: r1 = 6; \ 212 r1 = -r1; \ 213 r1 &= 0x7; \ 214l4_%=: r1 += r0; \ 215 r0 = *(u8*)(r1 + 0); \ 216l2_%=: r0 = 1; \ 217 exit; \ 218" : 219 : __imm(bpf_map_lookup_elem), 220 __imm_addr(map_array_48b), 221 __imm_addr(map_hash_16b), 222 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 223 : __clobber_all); 224} 225 226SEC("socket") 227__description("map access: known scalar += value_ptr unknown vs unknown (lt)") 228__success __failure_unpriv 229__msg_unpriv("R1 tried to add from different maps, paths or scalars") 230__retval(1) 231__naked void ptr_unknown_vs_unknown_lt(void) 232{ 233 asm volatile (" \ 234 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 235 r1 = 0; \ 236 *(u64*)(r10 - 8) = r1; \ 237 r2 = r10; \ 238 r2 += -8; \ 239 if r0 == 1 goto l0_%=; \ 240 r1 = %[map_hash_16b] ll; \ 241 if r0 != 1 goto l1_%=; \ 242l0_%=: r1 = %[map_array_48b] ll; \ 243l1_%=: call %[bpf_map_lookup_elem]; \ 244 if r0 == 0 goto l2_%=; \ 245 r4 = *(u8*)(r0 + 0); \ 246 if r4 == 1 goto l3_%=; \ 247 r1 = 6; \ 248 r1 = -r1; \ 249 r1 &= 0x3; \ 250 goto l4_%=; \ 251l3_%=: r1 = 6; \ 252 r1 = -r1; \ 253 r1 &= 0x7; \ 254l4_%=: r1 += r0; \ 255 r0 = *(u8*)(r1 + 0); \ 256l2_%=: r0 = 1; \ 257 exit; \ 258" : 259 : __imm(bpf_map_lookup_elem), 260 __imm_addr(map_array_48b), 261 __imm_addr(map_hash_16b), 262 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 263 : __clobber_all); 264} 265 266SEC("socket") 267__description("map access: known scalar += value_ptr unknown vs unknown (gt)") 268__success __failure_unpriv 269__msg_unpriv("R1 tried to add from different maps, paths or scalars") 270__retval(1) 271__naked void ptr_unknown_vs_unknown_gt(void) 272{ 273 asm volatile (" \ 274 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 275 r1 = 0; \ 276 *(u64*)(r10 - 8) = r1; \ 277 r2 = r10; \ 278 r2 += -8; \ 279 if r0 == 1 goto l0_%=; \ 280 r1 = %[map_hash_16b] ll; \ 281 if r0 != 1 goto l1_%=; \ 282l0_%=: r1 = %[map_array_48b] ll; \ 283l1_%=: call %[bpf_map_lookup_elem]; \ 284 if r0 == 0 goto l2_%=; \ 285 r4 = *(u8*)(r0 + 0); \ 286 if r4 == 1 goto l3_%=; \ 287 r1 = 6; \ 288 r1 = -r1; \ 289 r1 &= 0x7; \ 290 goto l4_%=; \ 291l3_%=: r1 = 6; \ 292 r1 = -r1; \ 293 r1 &= 0x3; \ 294l4_%=: r1 += r0; \ 295 r0 = *(u8*)(r1 + 0); \ 296l2_%=: r0 = 1; \ 297 exit; \ 298" : 299 : __imm(bpf_map_lookup_elem), 300 __imm_addr(map_array_48b), 301 __imm_addr(map_hash_16b), 302 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 303 : __clobber_all); 304} 305 306SEC("socket") 307__description("map access: known scalar += value_ptr from different maps") 308__success __success_unpriv __retval(1) 309__naked void value_ptr_from_different_maps(void) 310{ 311 asm volatile (" \ 312 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 313 r1 = 0; \ 314 *(u64*)(r10 - 8) = r1; \ 315 r2 = r10; \ 316 r2 += -8; \ 317 if r0 == 1 goto l0_%=; \ 318 r1 = %[map_hash_16b] ll; \ 319 if r0 != 1 goto l1_%=; \ 320l0_%=: r1 = %[map_array_48b] ll; \ 321l1_%=: call %[bpf_map_lookup_elem]; \ 322 if r0 == 0 goto l2_%=; \ 323 r1 = 4; \ 324 r1 += r0; \ 325 r0 = *(u8*)(r1 + 0); \ 326l2_%=: r0 = 1; \ 327 exit; \ 328" : 329 : __imm(bpf_map_lookup_elem), 330 __imm_addr(map_array_48b), 331 __imm_addr(map_hash_16b), 332 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 333 : __clobber_all); 334} 335 336SEC("socket") 337__description("map access: value_ptr -= known scalar from different maps") 338__success __failure_unpriv 339__msg_unpriv("R0 min value is outside of the allowed memory range") 340__retval(1) 341__naked void known_scalar_from_different_maps(void) 342{ 343 asm volatile (" \ 344 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 345 r1 = 0; \ 346 *(u64*)(r10 - 8) = r1; \ 347 r2 = r10; \ 348 r2 += -8; \ 349 if r0 == 1 goto l0_%=; \ 350 r1 = %[map_hash_16b] ll; \ 351 if r0 != 1 goto l1_%=; \ 352l0_%=: r1 = %[map_array_48b] ll; \ 353l1_%=: call %[bpf_map_lookup_elem]; \ 354 if r0 == 0 goto l2_%=; \ 355 r1 = 4; \ 356 r0 -= r1; \ 357 r0 += r1; \ 358 r0 = *(u8*)(r0 + 0); \ 359l2_%=: r0 = 1; \ 360 exit; \ 361" : 362 : __imm(bpf_map_lookup_elem), 363 __imm_addr(map_array_48b), 364 __imm_addr(map_hash_16b), 365 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 366 : __clobber_all); 367} 368 369SEC("socket") 370__description("map access: known scalar += value_ptr from different maps, but same value properties") 371__success __success_unpriv __retval(1) 372__naked void maps_but_same_value_properties(void) 373{ 374 asm volatile (" \ 375 r0 = *(u32*)(r1 + %[__sk_buff_len]); \ 376 r1 = 0; \ 377 *(u64*)(r10 - 8) = r1; \ 378 r2 = r10; \ 379 r2 += -8; \ 380 if r0 == 1 goto l0_%=; \ 381 r1 = %[map_hash_48b] ll; \ 382 if r0 != 1 goto l1_%=; \ 383l0_%=: r1 = %[map_array_48b] ll; \ 384l1_%=: call %[bpf_map_lookup_elem]; \ 385 if r0 == 0 goto l2_%=; \ 386 r1 = 4; \ 387 r1 += r0; \ 388 r0 = *(u8*)(r1 + 0); \ 389l2_%=: r0 = 1; \ 390 exit; \ 391" : 392 : __imm(bpf_map_lookup_elem), 393 __imm_addr(map_array_48b), 394 __imm_addr(map_hash_48b), 395 __imm_const(__sk_buff_len, offsetof(struct __sk_buff, len)) 396 : __clobber_all); 397} 398 399SEC("socket") 400__description("map access: mixing value pointer and scalar, 1") 401__success __failure_unpriv __msg_unpriv("R2 pointer comparison prohibited") 402__retval(0) 403__naked void value_pointer_and_scalar_1(void) 404{ 405 asm volatile (" \ 406 /* load map value pointer into r0 and r2 */ \ 407 r0 = 1; \ 408 r1 = %[map_array_48b] ll; \ 409 r2 = r10; \ 410 r2 += -16; \ 411 r6 = 0; \ 412 *(u64*)(r10 - 16) = r6; \ 413 call %[bpf_map_lookup_elem]; \ 414 if r0 != 0 goto l0_%=; \ 415 exit; \ 416l0_%=: /* load some number from the map into r1 */ \ 417 r1 = *(u8*)(r0 + 0); \ 418 /* depending on r1, branch: */ \ 419 if r1 != 0 goto l1_%=; \ 420 /* branch A */ \ 421 r2 = r0; \ 422 r3 = 0; \ 423 goto l2_%=; \ 424l1_%=: /* branch B */ \ 425 r2 = 0; \ 426 r3 = 0x100000; \ 427l2_%=: /* common instruction */ \ 428 r2 += r3; \ 429 /* depending on r1, branch: */ \ 430 if r1 != 0 goto l3_%=; \ 431 /* branch A */ \ 432 goto l4_%=; \ 433l3_%=: /* branch B */ \ 434 r0 = 0x13371337; \ 435 /* verifier follows fall-through */ \ 436 if r2 != 0x100000 goto l4_%=; \ 437 r0 = 0; \ 438 exit; \ 439l4_%=: /* fake-dead code; targeted from branch A to \ 440 * prevent dead code sanitization \ 441 */ \ 442 r0 = *(u8*)(r0 + 0); \ 443 r0 = 0; \ 444 exit; \ 445" : 446 : __imm(bpf_map_lookup_elem), 447 __imm_addr(map_array_48b) 448 : __clobber_all); 449} 450 451SEC("socket") 452__description("map access: mixing value pointer and scalar, 2") 453__success __failure_unpriv __msg_unpriv("R0 invalid mem access 'scalar'") 454__retval(0) 455__naked void value_pointer_and_scalar_2(void) 456{ 457 asm volatile (" \ 458 /* load map value pointer into r0 and r2 */ \ 459 r0 = 1; \ 460 r1 = %[map_array_48b] ll; \ 461 r2 = r10; \ 462 r2 += -16; \ 463 r6 = 0; \ 464 *(u64*)(r10 - 16) = r6; \ 465 call %[bpf_map_lookup_elem]; \ 466 if r0 != 0 goto l0_%=; \ 467 exit; \ 468l0_%=: /* load some number from the map into r1 */ \ 469 r1 = *(u8*)(r0 + 0); \ 470 /* depending on r1, branch: */ \ 471 if r1 == 0 goto l1_%=; \ 472 /* branch A */ \ 473 r2 = 0; \ 474 r3 = 0x100000; \ 475 goto l2_%=; \ 476l1_%=: /* branch B */ \ 477 r2 = r0; \ 478 r3 = 0; \ 479l2_%=: /* common instruction */ \ 480 r2 += r3; \ 481 /* depending on r1, branch: */ \ 482 if r1 != 0 goto l3_%=; \ 483 /* branch A */ \ 484 goto l4_%=; \ 485l3_%=: /* branch B */ \ 486 r0 = 0x13371337; \ 487 /* verifier follows fall-through */ \ 488 if r2 != 0x100000 goto l4_%=; \ 489 r0 = 0; \ 490 exit; \ 491l4_%=: /* fake-dead code; targeted from branch A to \ 492 * prevent dead code sanitization, rejected \ 493 * via branch B however \ 494 */ \ 495 r0 = *(u8*)(r0 + 0); \ 496 r0 = 0; \ 497 exit; \ 498" : 499 : __imm(bpf_map_lookup_elem), 500 __imm_addr(map_array_48b) 501 : __clobber_all); 502} 503 504SEC("socket") 505__description("sanitation: alu with different scalars 1") 506__success __success_unpriv __retval(0x100000) 507__naked void alu_with_different_scalars_1(void) 508{ 509 asm volatile (" \ 510 r0 = 1; \ 511 r1 = %[map_array_48b] ll; \ 512 r2 = r10; \ 513 r2 += -16; \ 514 r6 = 0; \ 515 *(u64*)(r10 - 16) = r6; \ 516 call %[bpf_map_lookup_elem]; \ 517 if r0 != 0 goto l0_%=; \ 518 exit; \ 519l0_%=: r1 = *(u32*)(r0 + 0); \ 520 if r1 == 0 goto l1_%=; \ 521 r2 = 0; \ 522 r3 = 0x100000; \ 523 goto l2_%=; \ 524l1_%=: r2 = 42; \ 525 r3 = 0x100001; \ 526l2_%=: r2 += r3; \ 527 r0 = r2; \ 528 exit; \ 529" : 530 : __imm(bpf_map_lookup_elem), 531 __imm_addr(map_array_48b) 532 : __clobber_all); 533} 534 535SEC("socket") 536__description("sanitation: alu with different scalars 2") 537__success __success_unpriv __retval(0) 538__naked void alu_with_different_scalars_2(void) 539{ 540 asm volatile (" \ 541 r0 = 1; \ 542 r1 = %[map_array_48b] ll; \ 543 r6 = r1; \ 544 r2 = r10; \ 545 r2 += -16; \ 546 r7 = 0; \ 547 *(u64*)(r10 - 16) = r7; \ 548 call %[bpf_map_delete_elem]; \ 549 r7 = r0; \ 550 r1 = r6; \ 551 r2 = r10; \ 552 r2 += -16; \ 553 call %[bpf_map_delete_elem]; \ 554 r6 = r0; \ 555 r8 = r6; \ 556 r8 += r7; \ 557 r0 = r8; \ 558 r0 += %[einval]; \ 559 r0 += %[einval]; \ 560 exit; \ 561" : 562 : __imm(bpf_map_delete_elem), 563 __imm_addr(map_array_48b), 564 __imm_const(einval, EINVAL) 565 : __clobber_all); 566} 567 568SEC("socket") 569__description("sanitation: alu with different scalars 3") 570__success __success_unpriv __retval(0) 571__naked void alu_with_different_scalars_3(void) 572{ 573 asm volatile (" \ 574 r0 = %[einval]; \ 575 r0 *= -1; \ 576 r7 = r0; \ 577 r0 = %[einval]; \ 578 r0 *= -1; \ 579 r6 = r0; \ 580 r8 = r6; \ 581 r8 += r7; \ 582 r0 = r8; \ 583 r0 += %[einval]; \ 584 r0 += %[einval]; \ 585 exit; \ 586" : 587 : __imm_const(einval, EINVAL) 588 : __clobber_all); 589} 590 591SEC("socket") 592__description("map access: value_ptr += known scalar, upper oob arith, test 1") 593__success __failure_unpriv 594__msg_unpriv("R0 pointer arithmetic of map value goes out of range") 595__retval(1) 596__naked void upper_oob_arith_test_1(void) 597{ 598 asm volatile (" \ 599 r1 = 0; \ 600 *(u64*)(r10 - 8) = r1; \ 601 r2 = r10; \ 602 r2 += -8; \ 603 r1 = %[map_array_48b] ll; \ 604 call %[bpf_map_lookup_elem]; \ 605 if r0 == 0 goto l0_%=; \ 606 r1 = 48; \ 607 r0 += r1; \ 608 r0 -= r1; \ 609 r0 = *(u8*)(r0 + 0); \ 610l0_%=: r0 = 1; \ 611 exit; \ 612" : 613 : __imm(bpf_map_lookup_elem), 614 __imm_addr(map_array_48b) 615 : __clobber_all); 616} 617 618SEC("socket") 619__description("map access: value_ptr += known scalar, upper oob arith, test 2") 620__success __failure_unpriv 621__msg_unpriv("R0 pointer arithmetic of map value goes out of range") 622__retval(1) 623__naked void upper_oob_arith_test_2(void) 624{ 625 asm volatile (" \ 626 r1 = 0; \ 627 *(u64*)(r10 - 8) = r1; \ 628 r2 = r10; \ 629 r2 += -8; \ 630 r1 = %[map_array_48b] ll; \ 631 call %[bpf_map_lookup_elem]; \ 632 if r0 == 0 goto l0_%=; \ 633 r1 = 49; \ 634 r0 += r1; \ 635 r0 -= r1; \ 636 r0 = *(u8*)(r0 + 0); \ 637l0_%=: r0 = 1; \ 638 exit; \ 639" : 640 : __imm(bpf_map_lookup_elem), 641 __imm_addr(map_array_48b) 642 : __clobber_all); 643} 644 645SEC("socket") 646__description("map access: value_ptr += known scalar, upper oob arith, test 3") 647__success __success_unpriv __retval(1) 648__naked void upper_oob_arith_test_3(void) 649{ 650 asm volatile (" \ 651 r1 = 0; \ 652 *(u64*)(r10 - 8) = r1; \ 653 r2 = r10; \ 654 r2 += -8; \ 655 r1 = %[map_array_48b] ll; \ 656 call %[bpf_map_lookup_elem]; \ 657 if r0 == 0 goto l0_%=; \ 658 r1 = 47; \ 659 r0 += r1; \ 660 r0 -= r1; \ 661 r0 = *(u8*)(r0 + 0); \ 662l0_%=: r0 = 1; \ 663 exit; \ 664" : 665 : __imm(bpf_map_lookup_elem), 666 __imm_addr(map_array_48b) 667 : __clobber_all); 668} 669 670SEC("socket") 671__description("map access: value_ptr -= known scalar, lower oob arith, test 1") 672__failure __msg("R0 min value is outside of the allowed memory range") 673__failure_unpriv 674__msg_unpriv("R0 pointer arithmetic of map value goes out of range") 675__naked void lower_oob_arith_test_1(void) 676{ 677 asm volatile (" \ 678 r1 = 0; \ 679 *(u64*)(r10 - 8) = r1; \ 680 r2 = r10; \ 681 r2 += -8; \ 682 r1 = %[map_array_48b] ll; \ 683 call %[bpf_map_lookup_elem]; \ 684 if r0 == 0 goto l0_%=; \ 685 r1 = 47; \ 686 r0 += r1; \ 687 r1 = 48; \ 688 r0 -= r1; \ 689 r0 = *(u8*)(r0 + 0); \ 690l0_%=: r0 = 1; \ 691 exit; \ 692" : 693 : __imm(bpf_map_lookup_elem), 694 __imm_addr(map_array_48b) 695 : __clobber_all); 696} 697 698SEC("socket") 699__description("map access: value_ptr -= known scalar, lower oob arith, test 2") 700__success __failure_unpriv 701__msg_unpriv("R0 pointer arithmetic of map value goes out of range") 702__retval(1) 703__naked void lower_oob_arith_test_2(void) 704{ 705 asm volatile (" \ 706 r1 = 0; \ 707 *(u64*)(r10 - 8) = r1; \ 708 r2 = r10; \ 709 r2 += -8; \ 710 r1 = %[map_array_48b] ll; \ 711 call %[bpf_map_lookup_elem]; \ 712 if r0 == 0 goto l0_%=; \ 713 r1 = 47; \ 714 r0 += r1; \ 715 r1 = 48; \ 716 r0 -= r1; \ 717 r1 = 1; \ 718 r0 += r1; \ 719 r0 = *(u8*)(r0 + 0); \ 720l0_%=: r0 = 1; \ 721 exit; \ 722" : 723 : __imm(bpf_map_lookup_elem), 724 __imm_addr(map_array_48b) 725 : __clobber_all); 726} 727 728SEC("socket") 729__description("map access: value_ptr -= known scalar, lower oob arith, test 3") 730__success __success_unpriv __retval(1) 731__naked void lower_oob_arith_test_3(void) 732{ 733 asm volatile (" \ 734 r1 = 0; \ 735 *(u64*)(r10 - 8) = r1; \ 736 r2 = r10; \ 737 r2 += -8; \ 738 r1 = %[map_array_48b] ll; \ 739 call %[bpf_map_lookup_elem]; \ 740 if r0 == 0 goto l0_%=; \ 741 r1 = 47; \ 742 r0 += r1; \ 743 r1 = 47; \ 744 r0 -= r1; \ 745 r0 = *(u8*)(r0 + 0); \ 746l0_%=: r0 = 1; \ 747 exit; \ 748" : 749 : __imm(bpf_map_lookup_elem), 750 __imm_addr(map_array_48b) 751 : __clobber_all); 752} 753 754SEC("socket") 755__description("map access: known scalar += value_ptr") 756__success __success_unpriv __retval(1) 757__naked void access_known_scalar_value_ptr_1(void) 758{ 759 asm volatile (" \ 760 r1 = 0; \ 761 *(u64*)(r10 - 8) = r1; \ 762 r2 = r10; \ 763 r2 += -8; \ 764 r1 = %[map_array_48b] ll; \ 765 call %[bpf_map_lookup_elem]; \ 766 if r0 == 0 goto l0_%=; \ 767 r1 = 4; \ 768 r1 += r0; \ 769 r0 = *(u8*)(r1 + 0); \ 770l0_%=: r0 = 1; \ 771 exit; \ 772" : 773 : __imm(bpf_map_lookup_elem), 774 __imm_addr(map_array_48b) 775 : __clobber_all); 776} 777 778SEC("socket") 779__description("map access: value_ptr += known scalar, 1") 780__success __success_unpriv __retval(1) 781__naked void value_ptr_known_scalar_1(void) 782{ 783 asm volatile (" \ 784 r1 = 0; \ 785 *(u64*)(r10 - 8) = r1; \ 786 r2 = r10; \ 787 r2 += -8; \ 788 r1 = %[map_array_48b] ll; \ 789 call %[bpf_map_lookup_elem]; \ 790 if r0 == 0 goto l0_%=; \ 791 r1 = 4; \ 792 r0 += r1; \ 793 r1 = *(u8*)(r0 + 0); \ 794l0_%=: r0 = 1; \ 795 exit; \ 796" : 797 : __imm(bpf_map_lookup_elem), 798 __imm_addr(map_array_48b) 799 : __clobber_all); 800} 801 802SEC("socket") 803__description("map access: value_ptr += known scalar, 2") 804__failure __msg("invalid access to map value") 805__failure_unpriv 806__naked void value_ptr_known_scalar_2_1(void) 807{ 808 asm volatile (" \ 809 r1 = 0; \ 810 *(u64*)(r10 - 8) = r1; \ 811 r2 = r10; \ 812 r2 += -8; \ 813 r1 = %[map_array_48b] ll; \ 814 call %[bpf_map_lookup_elem]; \ 815 if r0 == 0 goto l0_%=; \ 816 r1 = 49; \ 817 r0 += r1; \ 818 r1 = *(u8*)(r0 + 0); \ 819l0_%=: r0 = 1; \ 820 exit; \ 821" : 822 : __imm(bpf_map_lookup_elem), 823 __imm_addr(map_array_48b) 824 : __clobber_all); 825} 826 827SEC("socket") 828__description("map access: value_ptr += known scalar, 3") 829__failure __msg("invalid access to map value") 830__failure_unpriv 831__naked void value_ptr_known_scalar_3(void) 832{ 833 asm volatile (" \ 834 r1 = 0; \ 835 *(u64*)(r10 - 8) = r1; \ 836 r2 = r10; \ 837 r2 += -8; \ 838 r1 = %[map_array_48b] ll; \ 839 call %[bpf_map_lookup_elem]; \ 840 if r0 == 0 goto l0_%=; \ 841 r1 = -1; \ 842 r0 += r1; \ 843 r1 = *(u8*)(r0 + 0); \ 844l0_%=: r0 = 1; \ 845 exit; \ 846" : 847 : __imm(bpf_map_lookup_elem), 848 __imm_addr(map_array_48b) 849 : __clobber_all); 850} 851 852SEC("socket") 853__description("map access: value_ptr += known scalar, 4") 854__success __success_unpriv __retval(1) 855__naked void value_ptr_known_scalar_4(void) 856{ 857 asm volatile (" \ 858 r1 = 0; \ 859 *(u64*)(r10 - 8) = r1; \ 860 r2 = r10; \ 861 r2 += -8; \ 862 r1 = %[map_array_48b] ll; \ 863 call %[bpf_map_lookup_elem]; \ 864 if r0 == 0 goto l0_%=; \ 865 r1 = 5; \ 866 r0 += r1; \ 867 r1 = -2; \ 868 r0 += r1; \ 869 r1 = -1; \ 870 r0 += r1; \ 871 r1 = *(u8*)(r0 + 0); \ 872l0_%=: r0 = 1; \ 873 exit; \ 874" : 875 : __imm(bpf_map_lookup_elem), 876 __imm_addr(map_array_48b) 877 : __clobber_all); 878} 879 880SEC("socket") 881__description("map access: value_ptr += known scalar, 5") 882__success __success_unpriv __retval(0xabcdef12) 883__naked void value_ptr_known_scalar_5(void) 884{ 885 asm volatile (" \ 886 r1 = 0; \ 887 *(u64*)(r10 - 8) = r1; \ 888 r2 = r10; \ 889 r2 += -8; \ 890 r1 = %[map_array_48b] ll; \ 891 call %[bpf_map_lookup_elem]; \ 892 if r0 == 0 goto l0_%=; \ 893 r1 = %[__imm_0]; \ 894 r1 += r0; \ 895 r0 = *(u32*)(r1 + 0); \ 896l0_%=: exit; \ 897" : 898 : __imm(bpf_map_lookup_elem), 899 __imm_addr(map_array_48b), 900 __imm_const(__imm_0, (6 + 1) * sizeof(int)) 901 : __clobber_all); 902} 903 904SEC("socket") 905__description("map access: value_ptr += known scalar, 6") 906__success __success_unpriv __retval(0xabcdef12) 907__naked void value_ptr_known_scalar_6(void) 908{ 909 asm volatile (" \ 910 r1 = 0; \ 911 *(u64*)(r10 - 8) = r1; \ 912 r2 = r10; \ 913 r2 += -8; \ 914 r1 = %[map_array_48b] ll; \ 915 call %[bpf_map_lookup_elem]; \ 916 if r0 == 0 goto l0_%=; \ 917 r1 = %[__imm_0]; \ 918 r0 += r1; \ 919 r1 = %[__imm_1]; \ 920 r0 += r1; \ 921 r0 = *(u32*)(r0 + 0); \ 922l0_%=: exit; \ 923" : 924 : __imm(bpf_map_lookup_elem), 925 __imm_addr(map_array_48b), 926 __imm_const(__imm_0, (3 + 1) * sizeof(int)), 927 __imm_const(__imm_1, 3 * sizeof(int)) 928 : __clobber_all); 929} 930 931SEC("socket") 932__description("map access: value_ptr += N, value_ptr -= N known scalar") 933__success __success_unpriv __retval(0x12345678) 934__naked void value_ptr_n_known_scalar(void) 935{ 936 asm volatile (" \ 937 r1 = 0; \ 938 *(u64*)(r10 - 8) = r1; \ 939 r2 = r10; \ 940 r2 += -8; \ 941 r1 = %[map_array_48b] ll; \ 942 call %[bpf_map_lookup_elem]; \ 943 if r0 == 0 goto l0_%=; \ 944 w1 = 0x12345678; \ 945 *(u32*)(r0 + 0) = r1; \ 946 r0 += 2; \ 947 r1 = 2; \ 948 r0 -= r1; \ 949 r0 = *(u32*)(r0 + 0); \ 950l0_%=: exit; \ 951" : 952 : __imm(bpf_map_lookup_elem), 953 __imm_addr(map_array_48b) 954 : __clobber_all); 955} 956 957SEC("socket") 958__description("map access: unknown scalar += value_ptr, 1") 959__success __success_unpriv __retval(1) 960__naked void unknown_scalar_value_ptr_1(void) 961{ 962 asm volatile (" \ 963 r1 = 0; \ 964 *(u64*)(r10 - 8) = r1; \ 965 r2 = r10; \ 966 r2 += -8; \ 967 r1 = %[map_array_48b] ll; \ 968 call %[bpf_map_lookup_elem]; \ 969 if r0 == 0 goto l0_%=; \ 970 r1 = *(u8*)(r0 + 0); \ 971 r1 &= 0xf; \ 972 r1 += r0; \ 973 r0 = *(u8*)(r1 + 0); \ 974l0_%=: r0 = 1; \ 975 exit; \ 976" : 977 : __imm(bpf_map_lookup_elem), 978 __imm_addr(map_array_48b) 979 : __clobber_all); 980} 981 982SEC("socket") 983__description("map access: unknown scalar += value_ptr, 2") 984__success __success_unpriv __retval(0xabcdef12) __flag(BPF_F_ANY_ALIGNMENT) 985__naked void unknown_scalar_value_ptr_2(void) 986{ 987 asm volatile (" \ 988 r1 = 0; \ 989 *(u64*)(r10 - 8) = r1; \ 990 r2 = r10; \ 991 r2 += -8; \ 992 r1 = %[map_array_48b] ll; \ 993 call %[bpf_map_lookup_elem]; \ 994 if r0 == 0 goto l0_%=; \ 995 r1 = *(u32*)(r0 + 0); \ 996 r1 &= 31; \ 997 r1 += r0; \ 998 r0 = *(u32*)(r1 + 0); \ 999l0_%=: exit; \ 1000" : 1001 : __imm(bpf_map_lookup_elem), 1002 __imm_addr(map_array_48b) 1003 : __clobber_all); 1004} 1005 1006SEC("socket") 1007__description("map access: unknown scalar += value_ptr, 3") 1008__success __failure_unpriv 1009__msg_unpriv("R0 pointer arithmetic of map value goes out of range") 1010__retval(0xabcdef12) __flag(BPF_F_ANY_ALIGNMENT) 1011__naked void unknown_scalar_value_ptr_3(void) 1012{ 1013 asm volatile (" \ 1014 r1 = 0; \ 1015 *(u64*)(r10 - 8) = r1; \ 1016 r2 = r10; \ 1017 r2 += -8; \ 1018 r1 = %[map_array_48b] ll; \ 1019 call %[bpf_map_lookup_elem]; \ 1020 if r0 == 0 goto l0_%=; \ 1021 r1 = -1; \ 1022 r0 += r1; \ 1023 r1 = 1; \ 1024 r0 += r1; \ 1025 r1 = *(u32*)(r0 + 0); \ 1026 r1 &= 31; \ 1027 r1 += r0; \ 1028 r0 = *(u32*)(r1 + 0); \ 1029l0_%=: exit; \ 1030" : 1031 : __imm(bpf_map_lookup_elem), 1032 __imm_addr(map_array_48b) 1033 : __clobber_all); 1034} 1035 1036SEC("socket") 1037__description("map access: unknown scalar += value_ptr, 4") 1038__failure __msg("R1 max value is outside of the allowed memory range") 1039__msg_unpriv("R1 pointer arithmetic of map value goes out of range") 1040__flag(BPF_F_ANY_ALIGNMENT) 1041__naked void unknown_scalar_value_ptr_4(void) 1042{ 1043 asm volatile (" \ 1044 r1 = 0; \ 1045 *(u64*)(r10 - 8) = r1; \ 1046 r2 = r10; \ 1047 r2 += -8; \ 1048 r1 = %[map_array_48b] ll; \ 1049 call %[bpf_map_lookup_elem]; \ 1050 if r0 == 0 goto l0_%=; \ 1051 r1 = 19; \ 1052 r0 += r1; \ 1053 r1 = *(u32*)(r0 + 0); \ 1054 r1 &= 31; \ 1055 r1 += r0; \ 1056 r0 = *(u32*)(r1 + 0); \ 1057l0_%=: exit; \ 1058" : 1059 : __imm(bpf_map_lookup_elem), 1060 __imm_addr(map_array_48b) 1061 : __clobber_all); 1062} 1063 1064SEC("socket") 1065__description("map access: value_ptr += unknown scalar, 1") 1066__success __success_unpriv __retval(1) 1067__naked void value_ptr_unknown_scalar_1(void) 1068{ 1069 asm volatile (" \ 1070 r1 = 0; \ 1071 *(u64*)(r10 - 8) = r1; \ 1072 r2 = r10; \ 1073 r2 += -8; \ 1074 r1 = %[map_array_48b] ll; \ 1075 call %[bpf_map_lookup_elem]; \ 1076 if r0 == 0 goto l0_%=; \ 1077 r1 = *(u8*)(r0 + 0); \ 1078 r1 &= 0xf; \ 1079 r0 += r1; \ 1080 r1 = *(u8*)(r0 + 0); \ 1081l0_%=: r0 = 1; \ 1082 exit; \ 1083" : 1084 : __imm(bpf_map_lookup_elem), 1085 __imm_addr(map_array_48b) 1086 : __clobber_all); 1087} 1088 1089SEC("socket") 1090__description("map access: value_ptr += unknown scalar, 2") 1091__success __success_unpriv __retval(0xabcdef12) __flag(BPF_F_ANY_ALIGNMENT) 1092__naked void value_ptr_unknown_scalar_2_1(void) 1093{ 1094 asm volatile (" \ 1095 r1 = 0; \ 1096 *(u64*)(r10 - 8) = r1; \ 1097 r2 = r10; \ 1098 r2 += -8; \ 1099 r1 = %[map_array_48b] ll; \ 1100 call %[bpf_map_lookup_elem]; \ 1101 if r0 == 0 goto l0_%=; \ 1102 r1 = *(u32*)(r0 + 0); \ 1103 r1 &= 31; \ 1104 r0 += r1; \ 1105 r0 = *(u32*)(r0 + 0); \ 1106l0_%=: exit; \ 1107" : 1108 : __imm(bpf_map_lookup_elem), 1109 __imm_addr(map_array_48b) 1110 : __clobber_all); 1111} 1112 1113SEC("socket") 1114__description("map access: value_ptr += unknown scalar, 3") 1115__success __success_unpriv __retval(1) 1116__naked void value_ptr_unknown_scalar_3(void) 1117{ 1118 asm volatile (" \ 1119 r1 = 0; \ 1120 *(u64*)(r10 - 8) = r1; \ 1121 r2 = r10; \ 1122 r2 += -8; \ 1123 r1 = %[map_array_48b] ll; \ 1124 call %[bpf_map_lookup_elem]; \ 1125 if r0 == 0 goto l0_%=; \ 1126 r1 = *(u64*)(r0 + 0); \ 1127 r2 = *(u64*)(r0 + 8); \ 1128 r3 = *(u64*)(r0 + 16); \ 1129 r1 &= 0xf; \ 1130 r3 &= 1; \ 1131 r3 |= 1; \ 1132 if r2 > r3 goto l0_%=; \ 1133 r0 += r3; \ 1134 r0 = *(u8*)(r0 + 0); \ 1135 r0 = 1; \ 1136l1_%=: exit; \ 1137l0_%=: r0 = 2; \ 1138 goto l1_%=; \ 1139" : 1140 : __imm(bpf_map_lookup_elem), 1141 __imm_addr(map_array_48b) 1142 : __clobber_all); 1143} 1144 1145SEC("socket") 1146__description("map access: value_ptr += value_ptr") 1147__failure __msg("R0 pointer += pointer prohibited") 1148__failure_unpriv 1149__naked void access_value_ptr_value_ptr_1(void) 1150{ 1151 asm volatile (" \ 1152 r1 = 0; \ 1153 *(u64*)(r10 - 8) = r1; \ 1154 r2 = r10; \ 1155 r2 += -8; \ 1156 r1 = %[map_array_48b] ll; \ 1157 call %[bpf_map_lookup_elem]; \ 1158 if r0 == 0 goto l0_%=; \ 1159 r0 += r0; \ 1160 r1 = *(u8*)(r0 + 0); \ 1161l0_%=: r0 = 1; \ 1162 exit; \ 1163" : 1164 : __imm(bpf_map_lookup_elem), 1165 __imm_addr(map_array_48b) 1166 : __clobber_all); 1167} 1168 1169SEC("socket") 1170__description("map access: known scalar -= value_ptr") 1171__failure __msg("R1 tried to subtract pointer from scalar") 1172__failure_unpriv 1173__naked void access_known_scalar_value_ptr_2(void) 1174{ 1175 asm volatile (" \ 1176 r1 = 0; \ 1177 *(u64*)(r10 - 8) = r1; \ 1178 r2 = r10; \ 1179 r2 += -8; \ 1180 r1 = %[map_array_48b] ll; \ 1181 call %[bpf_map_lookup_elem]; \ 1182 if r0 == 0 goto l0_%=; \ 1183 r1 = 4; \ 1184 r1 -= r0; \ 1185 r0 = *(u8*)(r1 + 0); \ 1186l0_%=: r0 = 1; \ 1187 exit; \ 1188" : 1189 : __imm(bpf_map_lookup_elem), 1190 __imm_addr(map_array_48b) 1191 : __clobber_all); 1192} 1193 1194SEC("socket") 1195__description("map access: value_ptr -= known scalar") 1196__failure __msg("R0 min value is outside of the allowed memory range") 1197__failure_unpriv 1198__naked void access_value_ptr_known_scalar(void) 1199{ 1200 asm volatile (" \ 1201 r1 = 0; \ 1202 *(u64*)(r10 - 8) = r1; \ 1203 r2 = r10; \ 1204 r2 += -8; \ 1205 r1 = %[map_array_48b] ll; \ 1206 call %[bpf_map_lookup_elem]; \ 1207 if r0 == 0 goto l0_%=; \ 1208 r1 = 4; \ 1209 r0 -= r1; \ 1210 r1 = *(u8*)(r0 + 0); \ 1211l0_%=: r0 = 1; \ 1212 exit; \ 1213" : 1214 : __imm(bpf_map_lookup_elem), 1215 __imm_addr(map_array_48b) 1216 : __clobber_all); 1217} 1218 1219SEC("socket") 1220__description("map access: value_ptr -= known scalar, 2") 1221__success __success_unpriv __retval(1) 1222__naked void value_ptr_known_scalar_2_2(void) 1223{ 1224 asm volatile (" \ 1225 r1 = 0; \ 1226 *(u64*)(r10 - 8) = r1; \ 1227 r2 = r10; \ 1228 r2 += -8; \ 1229 r1 = %[map_array_48b] ll; \ 1230 call %[bpf_map_lookup_elem]; \ 1231 if r0 == 0 goto l0_%=; \ 1232 r1 = 6; \ 1233 r2 = 4; \ 1234 r0 += r1; \ 1235 r0 -= r2; \ 1236 r1 = *(u8*)(r0 + 0); \ 1237l0_%=: r0 = 1; \ 1238 exit; \ 1239" : 1240 : __imm(bpf_map_lookup_elem), 1241 __imm_addr(map_array_48b) 1242 : __clobber_all); 1243} 1244 1245SEC("socket") 1246__description("map access: unknown scalar -= value_ptr") 1247__failure __msg("R1 tried to subtract pointer from scalar") 1248__failure_unpriv 1249__naked void access_unknown_scalar_value_ptr(void) 1250{ 1251 asm volatile (" \ 1252 r1 = 0; \ 1253 *(u64*)(r10 - 8) = r1; \ 1254 r2 = r10; \ 1255 r2 += -8; \ 1256 r1 = %[map_array_48b] ll; \ 1257 call %[bpf_map_lookup_elem]; \ 1258 if r0 == 0 goto l0_%=; \ 1259 r1 = *(u8*)(r0 + 0); \ 1260 r1 &= 0xf; \ 1261 r1 -= r0; \ 1262 r0 = *(u8*)(r1 + 0); \ 1263l0_%=: r0 = 1; \ 1264 exit; \ 1265" : 1266 : __imm(bpf_map_lookup_elem), 1267 __imm_addr(map_array_48b) 1268 : __clobber_all); 1269} 1270 1271SEC("socket") 1272__description("map access: value_ptr -= unknown scalar") 1273__failure __msg("R0 min value is negative") 1274__failure_unpriv 1275__naked void access_value_ptr_unknown_scalar(void) 1276{ 1277 asm volatile (" \ 1278 r1 = 0; \ 1279 *(u64*)(r10 - 8) = r1; \ 1280 r2 = r10; \ 1281 r2 += -8; \ 1282 r1 = %[map_array_48b] ll; \ 1283 call %[bpf_map_lookup_elem]; \ 1284 if r0 == 0 goto l0_%=; \ 1285 r1 = *(u8*)(r0 + 0); \ 1286 r1 &= 0xf; \ 1287 r0 -= r1; \ 1288 r1 = *(u8*)(r0 + 0); \ 1289l0_%=: r0 = 1; \ 1290 exit; \ 1291" : 1292 : __imm(bpf_map_lookup_elem), 1293 __imm_addr(map_array_48b) 1294 : __clobber_all); 1295} 1296 1297SEC("socket") 1298__description("map access: value_ptr -= unknown scalar, 2") 1299__success __failure_unpriv 1300__msg_unpriv("R0 pointer arithmetic of map value goes out of range") 1301__retval(1) 1302__naked void value_ptr_unknown_scalar_2_2(void) 1303{ 1304 asm volatile (" \ 1305 r1 = 0; \ 1306 *(u64*)(r10 - 8) = r1; \ 1307 r2 = r10; \ 1308 r2 += -8; \ 1309 r1 = %[map_array_48b] ll; \ 1310 call %[bpf_map_lookup_elem]; \ 1311 if r0 == 0 goto l0_%=; \ 1312 r1 = *(u8*)(r0 + 0); \ 1313 r1 &= 0xf; \ 1314 r1 |= 0x7; \ 1315 r0 += r1; \ 1316 r1 = *(u8*)(r0 + 0); \ 1317 r1 &= 0x7; \ 1318 r0 -= r1; \ 1319 r1 = *(u8*)(r0 + 0); \ 1320l0_%=: r0 = 1; \ 1321 exit; \ 1322" : 1323 : __imm(bpf_map_lookup_elem), 1324 __imm_addr(map_array_48b) 1325 : __clobber_all); 1326} 1327 1328SEC("socket") 1329__description("map access: value_ptr -= value_ptr") 1330__failure __msg("R0 invalid mem access 'scalar'") 1331__msg_unpriv("R0 pointer -= pointer prohibited") 1332__naked void access_value_ptr_value_ptr_2(void) 1333{ 1334 asm volatile (" \ 1335 r1 = 0; \ 1336 *(u64*)(r10 - 8) = r1; \ 1337 r2 = r10; \ 1338 r2 += -8; \ 1339 r1 = %[map_array_48b] ll; \ 1340 call %[bpf_map_lookup_elem]; \ 1341 if r0 == 0 goto l0_%=; \ 1342 r0 -= r0; \ 1343 r1 = *(u8*)(r0 + 0); \ 1344l0_%=: r0 = 1; \ 1345 exit; \ 1346" : 1347 : __imm(bpf_map_lookup_elem), 1348 __imm_addr(map_array_48b) 1349 : __clobber_all); 1350} 1351 1352SEC("socket") 1353__description("map access: trying to leak tainted dst reg") 1354__failure __msg("math between map_value pointer and 4294967295 is not allowed") 1355__failure_unpriv 1356__naked void to_leak_tainted_dst_reg(void) 1357{ 1358 asm volatile (" \ 1359 r0 = 0; \ 1360 r1 = 0; \ 1361 *(u64*)(r10 - 8) = r1; \ 1362 r2 = r10; \ 1363 r2 += -8; \ 1364 r1 = %[map_array_48b] ll; \ 1365 call %[bpf_map_lookup_elem]; \ 1366 if r0 != 0 goto l0_%=; \ 1367 exit; \ 1368l0_%=: r2 = r0; \ 1369 w1 = 0xFFFFFFFF; \ 1370 w1 = w1; \ 1371 r2 -= r1; \ 1372 *(u64*)(r0 + 0) = r2; \ 1373 r0 = 0; \ 1374 exit; \ 1375" : 1376 : __imm(bpf_map_lookup_elem), 1377 __imm_addr(map_array_48b) 1378 : __clobber_all); 1379} 1380 1381SEC("tc") 1382__description("32bit pkt_ptr -= scalar") 1383__success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) 1384__naked void _32bit_pkt_ptr_scalar(void) 1385{ 1386 asm volatile (" \ 1387 r8 = *(u32*)(r1 + %[__sk_buff_data_end]); \ 1388 r7 = *(u32*)(r1 + %[__sk_buff_data]); \ 1389 r6 = r7; \ 1390 r6 += 40; \ 1391 if r6 > r8 goto l0_%=; \ 1392 w4 = w7; \ 1393 w6 -= w4; \ 1394l0_%=: r0 = 0; \ 1395 exit; \ 1396" : 1397 : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), 1398 __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) 1399 : __clobber_all); 1400} 1401 1402SEC("tc") 1403__description("32bit scalar -= pkt_ptr") 1404__success __retval(0) __flag(BPF_F_ANY_ALIGNMENT) 1405__naked void _32bit_scalar_pkt_ptr(void) 1406{ 1407 asm volatile (" \ 1408 r8 = *(u32*)(r1 + %[__sk_buff_data_end]); \ 1409 r7 = *(u32*)(r1 + %[__sk_buff_data]); \ 1410 r6 = r7; \ 1411 r6 += 40; \ 1412 if r6 > r8 goto l0_%=; \ 1413 w4 = w6; \ 1414 w4 -= w7; \ 1415l0_%=: r0 = 0; \ 1416 exit; \ 1417" : 1418 : __imm_const(__sk_buff_data, offsetof(struct __sk_buff, data)), 1419 __imm_const(__sk_buff_data_end, offsetof(struct __sk_buff, data_end)) 1420 : __clobber_all); 1421} 1422 1423char _license[] SEC("license") = "GPL"; 1424