tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / tools / testing / selftests / bpf / verifier / array_access.c
at v5.1 219 lines 7.6 kB view raw
1{ 2 "valid map access into an array with a constant", 3 .insns = { 4 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7 BPF_LD_MAP_FD(BPF_REG_1, 0), 8 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 10 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 11 BPF_EXIT_INSN(), 12 }, 13 .fixup_map_hash_48b = { 3 }, 14 .errstr_unpriv = "R0 leaks addr", 15 .result_unpriv = REJECT, 16 .result = ACCEPT, 17}, 18{ 19 "valid map access into an array with a register", 20 .insns = { 21 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 22 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 23 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 24 BPF_LD_MAP_FD(BPF_REG_1, 0), 25 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 26 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 27 BPF_MOV64_IMM(BPF_REG_1, 4), 28 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 29 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 30 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 31 BPF_EXIT_INSN(), 32 }, 33 .fixup_map_hash_48b = { 3 }, 34 .errstr_unpriv = "R0 leaks addr", 35 .result_unpriv = REJECT, 36 .result = ACCEPT, 37 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 38}, 39{ 40 "valid map access into an array with a variable", 41 .insns = { 42 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 43 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 44 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 45 BPF_LD_MAP_FD(BPF_REG_1, 0), 46 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 48 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 49 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 50 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 51 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 52 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 53 BPF_EXIT_INSN(), 54 }, 55 .fixup_map_hash_48b = { 3 }, 56 .errstr_unpriv = "R0 leaks addr", 57 .result_unpriv = REJECT, 58 .result = ACCEPT, 59 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 60}, 61{ 62 "valid map access into an array with a signed variable", 63 .insns = { 64 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 65 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 67 BPF_LD_MAP_FD(BPF_REG_1, 0), 68 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 69 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 70 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 71 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 72 BPF_MOV32_IMM(BPF_REG_1, 0), 73 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 74 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 75 BPF_MOV32_IMM(BPF_REG_1, 0), 76 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 77 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 78 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 79 BPF_EXIT_INSN(), 80 }, 81 .fixup_map_hash_48b = { 3 }, 82 .errstr_unpriv = "R0 leaks addr", 83 .result_unpriv = REJECT, 84 .result = ACCEPT, 85 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 86}, 87{ 88 "invalid map access into an array with a constant", 89 .insns = { 90 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 91 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 92 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 93 BPF_LD_MAP_FD(BPF_REG_1, 0), 94 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 95 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 96 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 97 offsetof(struct test_val, foo)), 98 BPF_EXIT_INSN(), 99 }, 100 .fixup_map_hash_48b = { 3 }, 101 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 102 .result = REJECT, 103}, 104{ 105 "invalid map access into an array with a register", 106 .insns = { 107 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 110 BPF_LD_MAP_FD(BPF_REG_1, 0), 111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 113 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 114 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 115 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 116 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 117 BPF_EXIT_INSN(), 118 }, 119 .fixup_map_hash_48b = { 3 }, 120 .errstr = "R0 min value is outside of the array range", 121 .result = REJECT, 122 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 123}, 124{ 125 "invalid map access into an array with a variable", 126 .insns = { 127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 130 BPF_LD_MAP_FD(BPF_REG_1, 0), 131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 133 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 134 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 135 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 136 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 137 BPF_EXIT_INSN(), 138 }, 139 .fixup_map_hash_48b = { 3 }, 140 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 141 .result = REJECT, 142 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 143}, 144{ 145 "invalid map access into an array with no floor check", 146 .insns = { 147 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 150 BPF_LD_MAP_FD(BPF_REG_1, 0), 151 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 153 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 154 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 155 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 156 BPF_MOV32_IMM(BPF_REG_1, 0), 157 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 158 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 159 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 160 BPF_EXIT_INSN(), 161 }, 162 .fixup_map_hash_48b = { 3 }, 163 .errstr_unpriv = "R0 leaks addr", 164 .errstr = "R0 unbounded memory access", 165 .result_unpriv = REJECT, 166 .result = REJECT, 167 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 168}, 169{ 170 "invalid map access into an array with a invalid max check", 171 .insns = { 172 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 173 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 175 BPF_LD_MAP_FD(BPF_REG_1, 0), 176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 178 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 179 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 180 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 181 BPF_MOV32_IMM(BPF_REG_1, 0), 182 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 183 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 184 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 185 BPF_EXIT_INSN(), 186 }, 187 .fixup_map_hash_48b = { 3 }, 188 .errstr_unpriv = "R0 leaks addr", 189 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 190 .result_unpriv = REJECT, 191 .result = REJECT, 192 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 193}, 194{ 195 "invalid map access into an array with a invalid max check", 196 .insns = { 197 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 198 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 200 BPF_LD_MAP_FD(BPF_REG_1, 0), 201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 203 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 207 BPF_LD_MAP_FD(BPF_REG_1, 0), 208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 210 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 211 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 212 offsetof(struct test_val, foo)), 213 BPF_EXIT_INSN(), 214 }, 215 .fixup_map_hash_48b = { 3, 11 }, 216 .errstr = "R0 pointer += pointer", 217 .result = REJECT, 218 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 219},