1 // SPDX-License-Identifier: GPL-2.0 2 /* Converted from tools/testing/selftests/bpf/verifier/map_ptr.c */ 3 4 #include <linux/bpf.h> 5 #include <bpf/bpf_helpers.h> 6 #include "bpf_misc.h" 7 8 #define MAX_ENTRIES 11 9 10 struct test_val { 11 unsigned int index; 12 int foo[MAX_ENTRIES]; 13 }; 14 15 struct { 16 __uint(type, BPF_MAP_TYPE_ARRAY); 17 __uint(max_entries, 1); 18 __type(key, int); 19 __type(value, struct test_val); 20 } map_array_48b SEC(".maps"); 21 22 struct other_val { 23 long long foo; 24 long long bar; 25 }; 26 27 struct { 28 __uint(type, BPF_MAP_TYPE_HASH); 29 __uint(max_entries, 1); 30 __type(key, long long); 31 __type(value, struct other_val); 32 } map_hash_16b SEC(".maps"); 33 34 SEC("socket") 35 __description("bpf_map_ptr: read with negative offset rejected") 36 __failure __msg("R1 is bpf_array invalid negative access: off=-8") 37 __failure_unpriv 38 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 39 __naked void read_with_negative_offset_rejected(void) 40 { 41 asm volatile (" \ 42 r1 = r10; \ 43 r1 = %[map_array_48b] ll; \ 44 r6 = *(u64*)(r1 - 8); \ 45 r0 = 1; \ 46 exit; \ 47 " : 48 : __imm_addr(map_array_48b) 49 : __clobber_all); 50 } 51 52 SEC("socket") 53 __description("bpf_map_ptr: write rejected") 54 __failure __msg("only read from bpf_array is supported") 55 __failure_unpriv 56 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 57 __naked void bpf_map_ptr_write_rejected(void) 58 { 59 asm volatile (" \ 60 r0 = 0; \ 61 *(u64*)(r10 - 8) = r0; \ 62 r2 = r10; \ 63 r2 += -8; \ 64 r1 = %[map_array_48b] ll; \ 65 *(u64*)(r1 + 0) = r2; \ 66 r0 = 1; \ 67 exit; \ 68 " : 69 : __imm_addr(map_array_48b) 70 : __clobber_all); 71 } 72 73 /* The first element of struct bpf_map is a SHA256 hash of 32 bytes, accessing 74 * into this array is valid. The opts field is now at offset 33. 75 */ 76 SEC("socket") 77 __description("bpf_map_ptr: read non-existent field rejected") 78 __failure 79 __msg("cannot access ptr member ops with moff 32 in struct bpf_map with off 33 size 4") 80 __failure_unpriv 81 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 82 __flag(BPF_F_ANY_ALIGNMENT) 83 __naked void read_non_existent_field_rejected(void) 84 { 85 asm volatile (" \ 86 r6 = 0; \ 87 r1 = %[map_array_48b] ll; \ 88 r6 = *(u32*)(r1 + 33); \ 89 r0 = 1; \ 90 exit; \ 91 " : 92 : __imm_addr(map_array_48b) 93 : __clobber_all); 94 } 95 96 SEC("socket") 97 __description("bpf_map_ptr: read ops field accepted") 98 __success __failure_unpriv 99 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 100 __retval(1) 101 __naked void ptr_read_ops_field_accepted(void) 102 { 103 asm volatile (" \ 104 r6 = 0; \ 105 r1 = %[map_array_48b] ll; \ 106 r6 = *(u64*)(r1 + 0); \ 107 r0 = 1; \ 108 exit; \ 109 " : 110 : __imm_addr(map_array_48b) 111 : __clobber_all); 112 } 113 114 SEC("socket") 115 __description("bpf_map_ptr: r = 0, map_ptr = map_ptr + r") 116 __success __failure_unpriv 117 __msg_unpriv("R1 has pointer with unsupported alu operation") 118 __retval(0) 119 __naked void map_ptr_map_ptr_r(void) 120 { 121 asm volatile (" \ 122 r0 = 0; \ 123 *(u64*)(r10 - 8) = r0; \ 124 r2 = r10; \ 125 r2 += -8; \ 126 r0 = 0; \ 127 r1 = %[map_hash_16b] ll; \ 128 r1 += r0; \ 129 call %[bpf_map_lookup_elem]; \ 130 r0 = 0; \ 131 exit; \ 132 " : 133 : __imm(bpf_map_lookup_elem), 134 __imm_addr(map_hash_16b) 135 : __clobber_all); 136 } 137 138 SEC("socket") 139 __description("bpf_map_ptr: r = 0, r = r + map_ptr") 140 __success __failure_unpriv 141 __msg_unpriv("R0 has pointer with unsupported alu operation") 142 __retval(0) 143 __naked void _0_r_r_map_ptr(void) 144 { 145 asm volatile (" \ 146 r0 = 0; \ 147 *(u64*)(r10 - 8) = r0; \ 148 r2 = r10; \ 149 r2 += -8; \ 150 r1 = 0; \ 151 r0 = %[map_hash_16b] ll; \ 152 r1 += r0; \ 153 call %[bpf_map_lookup_elem]; \ 154 r0 = 0; \ 155 exit; \ 156 " : 157 : __imm(bpf_map_lookup_elem), 158 __imm_addr(map_hash_16b) 159 : __clobber_all); 160 } 161 162 char _license[] SEC("license") = "GPL"; 163