1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/raw_stack.c */
3
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7
8 SEC("socket")
9 __description("raw_stack: no skb_load_bytes")
10 __success
11 __failure_unpriv __msg_unpriv("invalid read from stack R6 off=-8 size=8")
stack_no_skb_load_bytes(void)12 __naked void stack_no_skb_load_bytes(void)
13 {
14 asm volatile (" \
15 r2 = 4; \
16 r6 = r10; \
17 r6 += -8; \
18 r3 = r6; \
19 r4 = 8; \
20 /* Call to skb_load_bytes() omitted. */ \
21 r0 = *(u64*)(r6 + 0); \
22 exit; \
23 " ::: __clobber_all);
24 }
25
26 SEC("tc")
27 __description("raw_stack: skb_load_bytes, negative len")
28 __failure __msg("R4 min value is negative")
skb_load_bytes_negative_len(void)29 __naked void skb_load_bytes_negative_len(void)
30 {
31 asm volatile (" \
32 r2 = 4; \
33 r6 = r10; \
34 r6 += -8; \
35 r3 = r6; \
36 r4 = -8; \
37 call %[bpf_skb_load_bytes]; \
38 r0 = *(u64*)(r6 + 0); \
39 exit; \
40 " :
41 : __imm(bpf_skb_load_bytes)
42 : __clobber_all);
43 }
44
45 SEC("tc")
46 __description("raw_stack: skb_load_bytes, negative len 2")
47 __failure __msg("R4 min value is negative")
load_bytes_negative_len_2(void)48 __naked void load_bytes_negative_len_2(void)
49 {
50 asm volatile (" \
51 r2 = 4; \
52 r6 = r10; \
53 r6 += -8; \
54 r3 = r6; \
55 r4 = %[__imm_0]; \
56 call %[bpf_skb_load_bytes]; \
57 r0 = *(u64*)(r6 + 0); \
58 exit; \
59 " :
60 : __imm(bpf_skb_load_bytes),
61 __imm_const(__imm_0, ~0)
62 : __clobber_all);
63 }
64
65 SEC("tc")
66 __description("raw_stack: skb_load_bytes, zero len")
67 __failure __msg("R4 invalid zero-sized read: u64=[0,0]")
skb_load_bytes_zero_len(void)68 __naked void skb_load_bytes_zero_len(void)
69 {
70 asm volatile (" \
71 r2 = 4; \
72 r6 = r10; \
73 r6 += -8; \
74 r3 = r6; \
75 r4 = 0; \
76 call %[bpf_skb_load_bytes]; \
77 r0 = *(u64*)(r6 + 0); \
78 exit; \
79 " :
80 : __imm(bpf_skb_load_bytes)
81 : __clobber_all);
82 }
83
84 SEC("tc")
85 __description("raw_stack: skb_load_bytes, no init")
86 __success __retval(0)
skb_load_bytes_no_init(void)87 __naked void skb_load_bytes_no_init(void)
88 {
89 asm volatile (" \
90 r2 = 4; \
91 r6 = r10; \
92 r6 += -8; \
93 r3 = r6; \
94 r4 = 8; \
95 call %[bpf_skb_load_bytes]; \
96 r0 = *(u64*)(r6 + 0); \
97 exit; \
98 " :
99 : __imm(bpf_skb_load_bytes)
100 : __clobber_all);
101 }
102
103 SEC("tc")
104 __description("raw_stack: skb_load_bytes, init")
105 __success __retval(0)
stack_skb_load_bytes_init(void)106 __naked void stack_skb_load_bytes_init(void)
107 {
108 asm volatile (" \
109 r2 = 4; \
110 r6 = r10; \
111 r6 += -8; \
112 r3 = 0xcafe; \
113 *(u64*)(r6 + 0) = r3; \
114 r3 = r6; \
115 r4 = 8; \
116 call %[bpf_skb_load_bytes]; \
117 r0 = *(u64*)(r6 + 0); \
118 exit; \
119 " :
120 : __imm(bpf_skb_load_bytes)
121 : __clobber_all);
122 }
123
124 SEC("tc")
125 __description("raw_stack: skb_load_bytes, spilled regs around bounds")
126 __success __retval(0)
bytes_spilled_regs_around_bounds(void)127 __naked void bytes_spilled_regs_around_bounds(void)
128 {
129 asm volatile (" \
130 r2 = 4; \
131 r6 = r10; \
132 r6 += -16; \
133 *(u64*)(r6 - 8) = r1; \
134 *(u64*)(r6 + 8) = r1; \
135 r3 = r6; \
136 r4 = 8; \
137 call %[bpf_skb_load_bytes]; \
138 r0 = *(u64*)(r6 - 8); \
139 r2 = *(u64*)(r6 + 8); \
140 r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
141 r2 = *(u32*)(r2 + %[__sk_buff_priority]); \
142 r0 += r2; \
143 exit; \
144 " :
145 : __imm(bpf_skb_load_bytes),
146 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
147 __imm_const(__sk_buff_priority, offsetof(struct __sk_buff, priority))
148 : __clobber_all);
149 }
150
151 SEC("tc")
152 __description("raw_stack: skb_load_bytes, spilled regs corruption")
153 __failure __msg("R0 invalid mem access 'scalar'")
__flag(BPF_F_ANY_ALIGNMENT)154 __flag(BPF_F_ANY_ALIGNMENT)
155 __naked void load_bytes_spilled_regs_corruption(void)
156 {
157 asm volatile (" \
158 r2 = 4; \
159 r6 = r10; \
160 r6 += -8; \
161 *(u64*)(r6 + 0) = r1; \
162 r3 = r6; \
163 r4 = 8; \
164 call %[bpf_skb_load_bytes]; \
165 r0 = *(u64*)(r6 + 0); \
166 r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
167 exit; \
168 " :
169 : __imm(bpf_skb_load_bytes),
170 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
171 : __clobber_all);
172 }
173
174 SEC("tc")
175 __description("raw_stack: skb_load_bytes, spilled regs corruption 2")
176 __failure __msg("R3 invalid mem access 'scalar'")
__flag(BPF_F_ANY_ALIGNMENT)177 __flag(BPF_F_ANY_ALIGNMENT)
178 __naked void bytes_spilled_regs_corruption_2(void)
179 {
180 asm volatile (" \
181 r2 = 4; \
182 r6 = r10; \
183 r6 += -16; \
184 *(u64*)(r6 - 8) = r1; \
185 *(u64*)(r6 + 0) = r1; \
186 *(u64*)(r6 + 8) = r1; \
187 r3 = r6; \
188 r4 = 8; \
189 call %[bpf_skb_load_bytes]; \
190 r0 = *(u64*)(r6 - 8); \
191 r2 = *(u64*)(r6 + 8); \
192 r3 = *(u64*)(r6 + 0); \
193 r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
194 r2 = *(u32*)(r2 + %[__sk_buff_priority]); \
195 r0 += r2; \
196 r3 = *(u32*)(r3 + %[__sk_buff_pkt_type]); \
197 r0 += r3; \
198 exit; \
199 " :
200 : __imm(bpf_skb_load_bytes),
201 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
202 __imm_const(__sk_buff_pkt_type, offsetof(struct __sk_buff, pkt_type)),
203 __imm_const(__sk_buff_priority, offsetof(struct __sk_buff, priority))
204 : __clobber_all);
205 }
206
207 SEC("tc")
208 __description("raw_stack: skb_load_bytes, spilled regs + data")
209 __success __retval(0)
load_bytes_spilled_regs_data(void)210 __naked void load_bytes_spilled_regs_data(void)
211 {
212 asm volatile (" \
213 r2 = 4; \
214 r6 = r10; \
215 r6 += -16; \
216 *(u64*)(r6 - 8) = r1; \
217 *(u64*)(r6 + 0) = r1; \
218 *(u64*)(r6 + 8) = r1; \
219 r3 = r6; \
220 r4 = 8; \
221 call %[bpf_skb_load_bytes]; \
222 r0 = *(u64*)(r6 - 8); \
223 r2 = *(u64*)(r6 + 8); \
224 r3 = *(u64*)(r6 + 0); \
225 r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
226 r2 = *(u32*)(r2 + %[__sk_buff_priority]); \
227 r0 += r2; \
228 r0 += r3; \
229 exit; \
230 " :
231 : __imm(bpf_skb_load_bytes),
232 __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
233 __imm_const(__sk_buff_priority, offsetof(struct __sk_buff, priority))
234 : __clobber_all);
235 }
236
237 SEC("tc")
238 __description("raw_stack: skb_load_bytes, invalid access 1")
239 __failure __msg("invalid indirect access to stack R3 off=-513 size=8")
load_bytes_invalid_access_1(void)240 __naked void load_bytes_invalid_access_1(void)
241 {
242 asm volatile (" \
243 r2 = 4; \
244 r6 = r10; \
245 r6 += -513; \
246 r3 = r6; \
247 r4 = 8; \
248 call %[bpf_skb_load_bytes]; \
249 r0 = *(u64*)(r6 + 0); \
250 exit; \
251 " :
252 : __imm(bpf_skb_load_bytes)
253 : __clobber_all);
254 }
255
256 SEC("tc")
257 __description("raw_stack: skb_load_bytes, invalid access 2")
258 __failure __msg("invalid indirect access to stack R3 off=-1 size=8")
load_bytes_invalid_access_2(void)259 __naked void load_bytes_invalid_access_2(void)
260 {
261 asm volatile (" \
262 r2 = 4; \
263 r6 = r10; \
264 r6 += -1; \
265 r3 = r6; \
266 r4 = 8; \
267 call %[bpf_skb_load_bytes]; \
268 r0 = *(u64*)(r6 + 0); \
269 exit; \
270 " :
271 : __imm(bpf_skb_load_bytes)
272 : __clobber_all);
273 }
274
275 SEC("tc")
276 __description("raw_stack: skb_load_bytes, invalid access 3")
277 __failure __msg("R4 min value is negative")
load_bytes_invalid_access_3(void)278 __naked void load_bytes_invalid_access_3(void)
279 {
280 asm volatile (" \
281 r2 = 4; \
282 r6 = r10; \
283 r6 += 0xffffffff; \
284 r3 = r6; \
285 r4 = 0xffffffff; \
286 call %[bpf_skb_load_bytes]; \
287 r0 = *(u64*)(r6 + 0); \
288 exit; \
289 " :
290 : __imm(bpf_skb_load_bytes)
291 : __clobber_all);
292 }
293
294 SEC("tc")
295 __description("raw_stack: skb_load_bytes, invalid access 4")
296 __failure
297 __msg("R4 unbounded memory access, use 'var &= const' or 'if (var < const)'")
load_bytes_invalid_access_4(void)298 __naked void load_bytes_invalid_access_4(void)
299 {
300 asm volatile (" \
301 r2 = 4; \
302 r6 = r10; \
303 r6 += -1; \
304 r3 = r6; \
305 r4 = 0x7fffffff; \
306 call %[bpf_skb_load_bytes]; \
307 r0 = *(u64*)(r6 + 0); \
308 exit; \
309 " :
310 : __imm(bpf_skb_load_bytes)
311 : __clobber_all);
312 }
313
314 SEC("tc")
315 __description("raw_stack: skb_load_bytes, invalid access 5")
316 __failure
317 __msg("R4 unbounded memory access, use 'var &= const' or 'if (var < const)'")
load_bytes_invalid_access_5(void)318 __naked void load_bytes_invalid_access_5(void)
319 {
320 asm volatile (" \
321 r2 = 4; \
322 r6 = r10; \
323 r6 += -512; \
324 r3 = r6; \
325 r4 = 0x7fffffff; \
326 call %[bpf_skb_load_bytes]; \
327 r0 = *(u64*)(r6 + 0); \
328 exit; \
329 " :
330 : __imm(bpf_skb_load_bytes)
331 : __clobber_all);
332 }
333
334 SEC("tc")
335 __description("raw_stack: skb_load_bytes, invalid access 6")
336 __failure __msg("invalid zero-sized read")
load_bytes_invalid_access_6(void)337 __naked void load_bytes_invalid_access_6(void)
338 {
339 asm volatile (" \
340 r2 = 4; \
341 r6 = r10; \
342 r6 += -512; \
343 r3 = r6; \
344 r4 = 0; \
345 call %[bpf_skb_load_bytes]; \
346 r0 = *(u64*)(r6 + 0); \
347 exit; \
348 " :
349 : __imm(bpf_skb_load_bytes)
350 : __clobber_all);
351 }
352
353 SEC("tc")
354 __description("raw_stack: skb_load_bytes, large access")
355 __success __retval(0)
skb_load_bytes_large_access(void)356 __naked void skb_load_bytes_large_access(void)
357 {
358 asm volatile (" \
359 r2 = 4; \
360 r6 = r10; \
361 r6 += -512; \
362 r3 = r6; \
363 r4 = 512; \
364 call %[bpf_skb_load_bytes]; \
365 r0 = *(u64*)(r6 + 0); \
366 exit; \
367 " :
368 : __imm(bpf_skb_load_bytes)
369 : __clobber_all);
370 }
371
372 char _license[] SEC("license") = "GPL";
373