/*
 * Spill the context pointer to the stack, fill it back into another
 * register and return it.  A privileged load is expected to pass and
 * yield POINTER_VALUE.  An unprivileged load is expected to be refused
 * with "R0 leaks addr": the program would hand the filled pointer back
 * to its caller in R0.
 */
{
	"check valid spill/fill",
	.insns = {
		/* *(u64 *)(R10 - 8) = R1: spill R1 (ctx) to the stack */
		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
		/* R2 = *(u64 *)(R10 - 8): fill the same slot into R2 */
		BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
		/*
		 * The dereference R0 = *(R2 + 8) is left disabled:
		 *   BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8),
		 * so the filled pointer itself is the return value.
		 */
		BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
		BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = POINTER_VALUE,
	/* unprivileged: returning the pointer is an address leak */
	.result_unpriv = REJECT,
	.errstr_unpriv = "R0 leaks addr",
},
/*
 * A pointer that went through a full 8-byte spill and fill must still
 * be usable for a context access: here a 4-byte read of the mark field
 * of struct __sk_buff.  Expected to pass for privileged and
 * unprivileged loads alike.
 */
{
	"check valid spill/fill, skb mark",
	.insns = {
		/* R6 = R1: keep a copy of the incoming pointer */
		BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
		/* spill R6 to the stack slot at R10 - 8 */
		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
		/* fill the slot back, this time into R0 */
		BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
		/* R0 = *(u32 *)(R0 + offsetof(struct __sk_buff, mark)) */
		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
			    offsetof(struct __sk_buff, mark)),
		BPF_EXIT_INSN(),
	},
	.result_unpriv = ACCEPT,
	.result = ACCEPT,
},
/*
 * Spill/fill of a pointer to ringbuf memory: reserve 8 bytes, spill
 * the returned pointer, fill it into a different register, write
 * through the filled pointer and submit the record.  Expected to pass
 * for privileged and unprivileged loads alike.
 */
{
	"check valid spill/fill, ptr to mem",
	.insns = {
		/* zero the 8-byte stack slot at R10 - 8 */
		BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
		/* R0 = ringbuf_reserve(map, 8, 0) */
		BPF_LD_MAP_FD(BPF_REG_1, 0),
		BPF_MOV64_IMM(BPF_REG_2, 8),
		BPF_MOV64_IMM(BPF_REG_3, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
		/* R6 keeps the pointer to the reserved memory */
		BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
		/*
		 * A zero return means the reservation failed: jump over
		 * the next six instructions, straight to "R0 = 0".
		 */
		BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
		/* spill R6 (mem) to the stack */
		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
		/* fill the slot back into R7 */
		BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
		/* the store *(u64 *)(R7 + 0) = 0 has to be allowed */
		BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
		/* ringbuf_submit(R7, 0): hand the reserved memory back */
		BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.result_unpriv = ACCEPT,
	.result = ACCEPT,
	/*
	 * Index 1 is the BPF_LD_MAP_FD above; presumably the harness
	 * patches a ringbuf map fd in there -- confirm in the runner.
	 */
	.fixup_map_ringbuf = { 1 },
},
/*
 * Overwrite a single byte in the middle of a spilled pointer, then
 * fill the slot and dereference the result.  Expected to be refused
 * in both modes, with different messages: unprivileged with "attempt
 * to corrupt spilled", privileged with an invalid memory access
 * through R0.
 */
{
	"check corrupted spill/fill",
	.insns = {
		/* spill R1 (ctx) to the stack slot at R10 - 8 */
		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
		/* clobber one byte of the spilled pointer, at R10 - 7 */
		BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
		/*
		 * A privileged program may still fill the slot, but R0
		 * is a SCALAR_VALUE from here on, no longer a pointer.
		 */
		BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
		/* ... so this load through R0 has to be refused */
		BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
		BPF_EXIT_INSN(),
	},
	/*
	 * No .result_unpriv here; presumably the harness falls back to
	 * .result for the unprivileged run -- confirm in the runner.
	 */
	.result = REJECT,
	.errstr = "R0 invalid mem access 'inv",
	.errstr_unpriv = "attempt to corrupt spilled",
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
/*
 * Partial overwrite at the start of the slot: a 2-byte store at
 * R10 - 8 on top of a spilled pointer, followed by a fill into R0 and
 * exit.  A privileged load is expected to pass with POINTER_VALUE;
 * an unprivileged load is expected to be refused with "attempt to
 * corrupt spilled".
 */
{
	"check corrupted spill/fill, LSB",
	.insns = {
		/* spill R1 to the stack slot at R10 - 8 */
		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
		/* *(u16 *)(R10 - 8) = 0xcafe, over the spilled pointer */
		BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
		/* fill the full 8 bytes back into R0 and return them */
		BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
		BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = POINTER_VALUE,
	.result_unpriv = REJECT,
	.errstr_unpriv = "attempt to corrupt spilled",
},
/*
 * Partial overwrite of the upper half of the slot: a 4-byte store at
 * R10 - 4 on top of a pointer spilled at R10 - 8, followed by a fill
 * into R0 and exit.  A privileged load is expected to pass with
 * POINTER_VALUE; an unprivileged load is expected to be refused with
 * "attempt to corrupt spilled".
 */
{
	"check corrupted spill/fill, MSB",
	.insns = {
		/* spill R1 to the stack slot at R10 - 8 */
		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
		/* *(u32 *)(R10 - 4) = 0x12345678, over the spilled pointer */
		BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
		/* fill the full 8 bytes back into R0 and return them */
		BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
		BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = POINTER_VALUE,
	.result_unpriv = REJECT,
	.errstr_unpriv = "attempt to corrupt spilled",
},