xref: /linux/tools/testing/selftests/bpf/progs/verifier_unpriv.c (revision 1ac731c529cd4d6adbce134754b51ff7d822b145) 
1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/unpriv.c */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "../../../include/linux/filter.h"
7 #include "bpf_misc.h"
8 
9 #define BPF_SK_LOOKUP(func) \
10 	/* struct bpf_sock_tuple tuple = {} */ \
11 	"r2 = 0;"			\
12 	"*(u32*)(r10 - 8) = r2;"	\
13 	"*(u64*)(r10 - 16) = r2;"	\
14 	"*(u64*)(r10 - 24) = r2;"	\
15 	"*(u64*)(r10 - 32) = r2;"	\
16 	"*(u64*)(r10 - 40) = r2;"	\
17 	"*(u64*)(r10 - 48) = r2;"	\
18 	/* sk = func(ctx, &tuple, sizeof tuple, 0, 0) */ \
19 	"r2 = r10;"			\
20 	"r2 += -48;"			\
21 	"r3 = %[sizeof_bpf_sock_tuple];"\
22 	"r4 = 0;"			\
23 	"r5 = 0;"			\
24 	"call %[" #func "];"
25 
26 struct {
27 	__uint(type, BPF_MAP_TYPE_HASH);
28 	__uint(max_entries, 1);
29 	__type(key, long long);
30 	__type(value, long long);
31 } map_hash_8b SEC(".maps");
32 
33 void dummy_prog_42_socket(void);
34 void dummy_prog_24_socket(void);
35 void dummy_prog_loop1_socket(void);
36 
37 struct {
38 	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
39 	__uint(max_entries, 4);
40 	__uint(key_size, sizeof(int));
41 	__array(values, void (void));
42 } map_prog1_socket SEC(".maps") = {
43 	.values = {
44 		[0] = (void *)&dummy_prog_42_socket,
45 		[1] = (void *)&dummy_prog_loop1_socket,
46 		[2] = (void *)&dummy_prog_24_socket,
47 	},
48 };
49 
50 SEC("socket")
51 __auxiliary __auxiliary_unpriv
dummy_prog_42_socket(void)52 __naked void dummy_prog_42_socket(void)
53 {
54 	asm volatile ("r0 = 42; exit;");
55 }
56 
57 SEC("socket")
58 __auxiliary __auxiliary_unpriv
dummy_prog_24_socket(void)59 __naked void dummy_prog_24_socket(void)
60 {
61 	asm volatile ("r0 = 24; exit;");
62 }
63 
64 SEC("socket")
65 __auxiliary __auxiliary_unpriv
dummy_prog_loop1_socket(void)66 __naked void dummy_prog_loop1_socket(void)
67 {
68 	asm volatile ("			\
69 	r3 = 1;				\
70 	r2 = %[map_prog1_socket] ll;	\
71 	call %[bpf_tail_call];		\
72 	r0 = 41;			\
73 	exit;				\
74 "	:
75 	: __imm(bpf_tail_call),
76 	  __imm_addr(map_prog1_socket)
77 	: __clobber_all);
78 }
79 
80 SEC("socket")
81 __description("unpriv: return pointer")
82 __success __failure_unpriv __msg_unpriv("R0 leaks addr")
__retval(POINTER_VALUE)83 __retval(POINTER_VALUE)
84 __naked void unpriv_return_pointer(void)
85 {
86 	asm volatile ("					\
87 	r0 = r10;					\
88 	exit;						\
89 "	::: __clobber_all);
90 }
91 
92 SEC("socket")
93 __description("unpriv: add const to pointer")
94 __success __success_unpriv __retval(0)
unpriv_add_const_to_pointer(void)95 __naked void unpriv_add_const_to_pointer(void)
96 {
97 	asm volatile ("					\
98 	r1 += 8;					\
99 	r0 = 0;						\
100 	exit;						\
101 "	::: __clobber_all);
102 }
103 
104 SEC("socket")
105 __description("unpriv: add pointer to pointer")
106 __failure __msg("R1 pointer += pointer")
107 __failure_unpriv
unpriv_add_pointer_to_pointer(void)108 __naked void unpriv_add_pointer_to_pointer(void)
109 {
110 	asm volatile ("					\
111 	r1 += r10;					\
112 	r0 = 0;						\
113 	exit;						\
114 "	::: __clobber_all);
115 }
116 
117 SEC("socket")
118 __description("unpriv: neg pointer")
119 __success __failure_unpriv __msg_unpriv("R1 pointer arithmetic")
120 __retval(0)
unpriv_neg_pointer(void)121 __naked void unpriv_neg_pointer(void)
122 {
123 	asm volatile ("					\
124 	r1 = -r1;					\
125 	r0 = 0;						\
126 	exit;						\
127 "	::: __clobber_all);
128 }
129 
130 SEC("socket")
131 __description("unpriv: cmp pointer with const")
132 __success __failure_unpriv __msg_unpriv("R1 pointer comparison")
133 __retval(0)
unpriv_cmp_pointer_with_const(void)134 __naked void unpriv_cmp_pointer_with_const(void)
135 {
136 	asm volatile ("					\
137 	if r1 == 0 goto l0_%=;				\
138 l0_%=:	r0 = 0;						\
139 	exit;						\
140 "	::: __clobber_all);
141 }
142 
143 SEC("socket")
144 __description("unpriv: cmp pointer with pointer")
145 __success __failure_unpriv __msg_unpriv("R10 pointer comparison")
146 __retval(0)
unpriv_cmp_pointer_with_pointer(void)147 __naked void unpriv_cmp_pointer_with_pointer(void)
148 {
149 	asm volatile ("					\
150 	if r1 == r10 goto l0_%=;			\
151 l0_%=:	r0 = 0;						\
152 	exit;						\
153 "	::: __clobber_all);
154 }
155 
156 SEC("tracepoint")
157 __description("unpriv: check that printk is disallowed")
158 __success
check_that_printk_is_disallowed(void)159 __naked void check_that_printk_is_disallowed(void)
160 {
161 	asm volatile ("					\
162 	r1 = 0;						\
163 	*(u64*)(r10 - 8) = r1;				\
164 	r1 = r10;					\
165 	r1 += -8;					\
166 	r2 = 8;						\
167 	r3 = r1;					\
168 	call %[bpf_trace_printk];			\
169 	r0 = 0;						\
170 	exit;						\
171 "	:
172 	: __imm(bpf_trace_printk)
173 	: __clobber_all);
174 }
175 
176 SEC("socket")
177 __description("unpriv: pass pointer to helper function")
178 __success __failure_unpriv __msg_unpriv("R4 leaks addr")
179 __retval(0)
pass_pointer_to_helper_function(void)180 __naked void pass_pointer_to_helper_function(void)
181 {
182 	asm volatile ("					\
183 	r1 = 0;						\
184 	*(u64*)(r10 - 8) = r1;				\
185 	r2 = r10;					\
186 	r2 += -8;					\
187 	r1 = %[map_hash_8b] ll;				\
188 	r3 = r2;					\
189 	r4 = r2;					\
190 	call %[bpf_map_update_elem];			\
191 	r0 = 0;						\
192 	exit;						\
193 "	:
194 	: __imm(bpf_map_update_elem),
195 	  __imm_addr(map_hash_8b)
196 	: __clobber_all);
197 }
198 
199 SEC("socket")
200 __description("unpriv: indirectly pass pointer on stack to helper function")
201 __success __failure_unpriv
202 __msg_unpriv("invalid indirect read from stack R2 off -8+0 size 8")
203 __retval(0)
on_stack_to_helper_function(void)204 __naked void on_stack_to_helper_function(void)
205 {
206 	asm volatile ("					\
207 	*(u64*)(r10 - 8) = r10;				\
208 	r2 = r10;					\
209 	r2 += -8;					\
210 	r1 = %[map_hash_8b] ll;				\
211 	call %[bpf_map_lookup_elem];			\
212 	r0 = 0;						\
213 	exit;						\
214 "	:
215 	: __imm(bpf_map_lookup_elem),
216 	  __imm_addr(map_hash_8b)
217 	: __clobber_all);
218 }
219 
220 SEC("socket")
221 __description("unpriv: mangle pointer on stack 1")
222 __success __failure_unpriv __msg_unpriv("attempt to corrupt spilled")
223 __retval(0)
mangle_pointer_on_stack_1(void)224 __naked void mangle_pointer_on_stack_1(void)
225 {
226 	asm volatile ("					\
227 	*(u64*)(r10 - 8) = r10;				\
228 	r0 = 0;						\
229 	*(u32*)(r10 - 8) = r0;				\
230 	r0 = 0;						\
231 	exit;						\
232 "	::: __clobber_all);
233 }
234 
235 SEC("socket")
236 __description("unpriv: mangle pointer on stack 2")
237 __success __failure_unpriv __msg_unpriv("attempt to corrupt spilled")
238 __retval(0)
mangle_pointer_on_stack_2(void)239 __naked void mangle_pointer_on_stack_2(void)
240 {
241 	asm volatile ("					\
242 	*(u64*)(r10 - 8) = r10;				\
243 	r0 = 0;						\
244 	*(u8*)(r10 - 1) = r0;				\
245 	r0 = 0;						\
246 	exit;						\
247 "	::: __clobber_all);
248 }
249 
250 SEC("socket")
251 __description("unpriv: read pointer from stack in small chunks")
252 __failure __msg("invalid size")
253 __failure_unpriv
from_stack_in_small_chunks(void)254 __naked void from_stack_in_small_chunks(void)
255 {
256 	asm volatile ("					\
257 	*(u64*)(r10 - 8) = r10;				\
258 	r0 = *(u32*)(r10 - 8);				\
259 	r0 = 0;						\
260 	exit;						\
261 "	::: __clobber_all);
262 }
263 
264 SEC("socket")
265 __description("unpriv: write pointer into ctx")
266 __failure __msg("invalid bpf_context access")
267 __failure_unpriv __msg_unpriv("R1 leaks addr")
unpriv_write_pointer_into_ctx(void)268 __naked void unpriv_write_pointer_into_ctx(void)
269 {
270 	asm volatile ("					\
271 	*(u64*)(r1 + 0) = r1;				\
272 	r0 = 0;						\
273 	exit;						\
274 "	::: __clobber_all);
275 }
276 
277 SEC("socket")
278 __description("unpriv: spill/fill of ctx")
279 __success __success_unpriv __retval(0)
unpriv_spill_fill_of_ctx(void)280 __naked void unpriv_spill_fill_of_ctx(void)
281 {
282 	asm volatile ("					\
283 	r6 = r10;					\
284 	r6 += -8;					\
285 	*(u64*)(r6 + 0) = r1;				\
286 	r1 = *(u64*)(r6 + 0);				\
287 	r0 = 0;						\
288 	exit;						\
289 "	::: __clobber_all);
290 }
291 
292 SEC("tc")
293 __description("unpriv: spill/fill of ctx 2")
294 __success __retval(0)
spill_fill_of_ctx_2(void)295 __naked void spill_fill_of_ctx_2(void)
296 {
297 	asm volatile ("					\
298 	r6 = r10;					\
299 	r6 += -8;					\
300 	*(u64*)(r6 + 0) = r1;				\
301 	r1 = *(u64*)(r6 + 0);				\
302 	call %[bpf_get_hash_recalc];			\
303 	r0 = 0;						\
304 	exit;						\
305 "	:
306 	: __imm(bpf_get_hash_recalc)
307 	: __clobber_all);
308 }
309 
310 SEC("tc")
311 __description("unpriv: spill/fill of ctx 3")
312 __failure __msg("R1 type=fp expected=ctx")
spill_fill_of_ctx_3(void)313 __naked void spill_fill_of_ctx_3(void)
314 {
315 	asm volatile ("					\
316 	r6 = r10;					\
317 	r6 += -8;					\
318 	*(u64*)(r6 + 0) = r1;				\
319 	*(u64*)(r6 + 0) = r10;				\
320 	r1 = *(u64*)(r6 + 0);				\
321 	call %[bpf_get_hash_recalc];			\
322 	exit;						\
323 "	:
324 	: __imm(bpf_get_hash_recalc)
325 	: __clobber_all);
326 }
327 
328 SEC("tc")
329 __description("unpriv: spill/fill of ctx 4")
330 __failure __msg("R1 type=scalar expected=ctx")
spill_fill_of_ctx_4(void)331 __naked void spill_fill_of_ctx_4(void)
332 {
333 	asm volatile ("					\
334 	r6 = r10;					\
335 	r6 += -8;					\
336 	*(u64*)(r6 + 0) = r1;				\
337 	r0 = 1;						\
338 	lock *(u64 *)(r10 - 8) += r0;			\
339 	r1 = *(u64*)(r6 + 0);				\
340 	call %[bpf_get_hash_recalc];			\
341 	exit;						\
342 "	:
343 	: __imm(bpf_get_hash_recalc)
344 	: __clobber_all);
345 }
346 
347 SEC("tc")
348 __description("unpriv: spill/fill of different pointers stx")
349 __failure __msg("same insn cannot be used with different pointers")
fill_of_different_pointers_stx(void)350 __naked void fill_of_different_pointers_stx(void)
351 {
352 	asm volatile ("					\
353 	r3 = 42;					\
354 	r6 = r10;					\
355 	r6 += -8;					\
356 	if r1 == 0 goto l0_%=;				\
357 	r2 = r10;					\
358 	r2 += -16;					\
359 	*(u64*)(r6 + 0) = r2;				\
360 l0_%=:	if r1 != 0 goto l1_%=;				\
361 	*(u64*)(r6 + 0) = r1;				\
362 l1_%=:	r1 = *(u64*)(r6 + 0);				\
363 	*(u32*)(r1 + %[__sk_buff_mark]) = r3;		\
364 	r0 = 0;						\
365 	exit;						\
366 "	:
367 	: __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
368 	: __clobber_all);
369 }
370 
371 /* Same as above, but use BPF_ST_MEM to save 42
372  * instead of BPF_STX_MEM.
373  */
374 SEC("tc")
375 __description("unpriv: spill/fill of different pointers st")
376 __failure __msg("same insn cannot be used with different pointers")
fill_of_different_pointers_st(void)377 __naked void fill_of_different_pointers_st(void)
378 {
379 	asm volatile ("					\
380 	r6 = r10;					\
381 	r6 += -8;					\
382 	if r1 == 0 goto l0_%=;				\
383 	r2 = r10;					\
384 	r2 += -16;					\
385 	*(u64*)(r6 + 0) = r2;				\
386 l0_%=:	if r1 != 0 goto l1_%=;				\
387 	*(u64*)(r6 + 0) = r1;				\
388 l1_%=:	r1 = *(u64*)(r6 + 0);				\
389 	.8byte %[st_mem];				\
390 	r0 = 0;						\
391 	exit;						\
392 "	:
393 	: __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
394 	  __imm_insn(st_mem,
395 		     BPF_ST_MEM(BPF_W, BPF_REG_1, offsetof(struct __sk_buff, mark), 42))
396 	: __clobber_all);
397 }
398 
399 SEC("tc")
400 __description("unpriv: spill/fill of different pointers stx - ctx and sock")
401 __failure __msg("type=ctx expected=sock")
pointers_stx_ctx_and_sock(void)402 __naked void pointers_stx_ctx_and_sock(void)
403 {
404 	asm volatile ("					\
405 	r8 = r1;					\
406 	/* struct bpf_sock *sock = bpf_sock_lookup(...); */\
407 "	BPF_SK_LOOKUP(bpf_sk_lookup_tcp)
408 "	r2 = r0;					\
409 	/* u64 foo; */					\
410 	/* void *target = &foo; */			\
411 	r6 = r10;					\
412 	r6 += -8;					\
413 	r1 = r8;					\
414 	/* if (skb == NULL) *target = sock; */		\
415 	if r1 == 0 goto l0_%=;				\
416 	*(u64*)(r6 + 0) = r2;				\
417 l0_%=:	/* else *target = skb; */			\
418 	if r1 != 0 goto l1_%=;				\
419 	*(u64*)(r6 + 0) = r1;				\
420 l1_%=:	/* struct __sk_buff *skb = *target; */		\
421 	r1 = *(u64*)(r6 + 0);				\
422 	/* skb->mark = 42; */				\
423 	r3 = 42;					\
424 	*(u32*)(r1 + %[__sk_buff_mark]) = r3;		\
425 	/* if (sk) bpf_sk_release(sk) */		\
426 	if r1 == 0 goto l2_%=;				\
427 	call %[bpf_sk_release];				\
428 l2_%=:	r0 = 0;						\
429 	exit;						\
430 "	:
431 	: __imm(bpf_sk_lookup_tcp),
432 	  __imm(bpf_sk_release),
433 	  __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
434 	  __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple))
435 	: __clobber_all);
436 }
437 
438 SEC("tc")
439 __description("unpriv: spill/fill of different pointers stx - leak sock")
440 __failure
441 //.errstr = "same insn cannot be used with different pointers",
442 __msg("Unreleased reference")
different_pointers_stx_leak_sock(void)443 __naked void different_pointers_stx_leak_sock(void)
444 {
445 	asm volatile ("					\
446 	r8 = r1;					\
447 	/* struct bpf_sock *sock = bpf_sock_lookup(...); */\
448 "	BPF_SK_LOOKUP(bpf_sk_lookup_tcp)
449 "	r2 = r0;					\
450 	/* u64 foo; */					\
451 	/* void *target = &foo; */			\
452 	r6 = r10;					\
453 	r6 += -8;					\
454 	r1 = r8;					\
455 	/* if (skb == NULL) *target = sock; */		\
456 	if r1 == 0 goto l0_%=;				\
457 	*(u64*)(r6 + 0) = r2;				\
458 l0_%=:	/* else *target = skb; */			\
459 	if r1 != 0 goto l1_%=;				\
460 	*(u64*)(r6 + 0) = r1;				\
461 l1_%=:	/* struct __sk_buff *skb = *target; */		\
462 	r1 = *(u64*)(r6 + 0);				\
463 	/* skb->mark = 42; */				\
464 	r3 = 42;					\
465 	*(u32*)(r1 + %[__sk_buff_mark]) = r3;		\
466 	exit;						\
467 "	:
468 	: __imm(bpf_sk_lookup_tcp),
469 	  __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
470 	  __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple))
471 	: __clobber_all);
472 }
473 
474 SEC("tc")
475 __description("unpriv: spill/fill of different pointers stx - sock and ctx (read)")
476 __failure __msg("same insn cannot be used with different pointers")
stx_sock_and_ctx_read(void)477 __naked void stx_sock_and_ctx_read(void)
478 {
479 	asm volatile ("					\
480 	r8 = r1;					\
481 	/* struct bpf_sock *sock = bpf_sock_lookup(...); */\
482 "	BPF_SK_LOOKUP(bpf_sk_lookup_tcp)
483 "	r2 = r0;					\
484 	/* u64 foo; */					\
485 	/* void *target = &foo; */			\
486 	r6 = r10;					\
487 	r6 += -8;					\
488 	r1 = r8;					\
489 	/* if (skb) *target = skb */			\
490 	if r1 == 0 goto l0_%=;				\
491 	*(u64*)(r6 + 0) = r1;				\
492 l0_%=:	/* else *target = sock */			\
493 	if r1 != 0 goto l1_%=;				\
494 	*(u64*)(r6 + 0) = r2;				\
495 l1_%=:	/* struct bpf_sock *sk = *target; */		\
496 	r1 = *(u64*)(r6 + 0);				\
497 	/* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */\
498 	if r1 == 0 goto l2_%=;				\
499 	r3 = *(u32*)(r1 + %[bpf_sock_mark]);		\
500 	call %[bpf_sk_release];				\
501 l2_%=:	r0 = 0;						\
502 	exit;						\
503 "	:
504 	: __imm(bpf_sk_lookup_tcp),
505 	  __imm(bpf_sk_release),
506 	  __imm_const(bpf_sock_mark, offsetof(struct bpf_sock, mark)),
507 	  __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple))
508 	: __clobber_all);
509 }
510 
511 SEC("tc")
512 __description("unpriv: spill/fill of different pointers stx - sock and ctx (write)")
513 __failure
514 //.errstr = "same insn cannot be used with different pointers",
515 __msg("cannot write into sock")
stx_sock_and_ctx_write(void)516 __naked void stx_sock_and_ctx_write(void)
517 {
518 	asm volatile ("					\
519 	r8 = r1;					\
520 	/* struct bpf_sock *sock = bpf_sock_lookup(...); */\
521 "	BPF_SK_LOOKUP(bpf_sk_lookup_tcp)
522 "	r2 = r0;					\
523 	/* u64 foo; */					\
524 	/* void *target = &foo; */			\
525 	r6 = r10;					\
526 	r6 += -8;					\
527 	r1 = r8;					\
528 	/* if (skb) *target = skb */			\
529 	if r1 == 0 goto l0_%=;				\
530 	*(u64*)(r6 + 0) = r1;				\
531 l0_%=:	/* else *target = sock */			\
532 	if r1 != 0 goto l1_%=;				\
533 	*(u64*)(r6 + 0) = r2;				\
534 l1_%=:	/* struct bpf_sock *sk = *target; */		\
535 	r1 = *(u64*)(r6 + 0);				\
536 	/* if (sk) sk->mark = 42; bpf_sk_release(sk); */\
537 	if r1 == 0 goto l2_%=;				\
538 	r3 = 42;					\
539 	*(u32*)(r1 + %[bpf_sock_mark]) = r3;		\
540 	call %[bpf_sk_release];				\
541 l2_%=:	r0 = 0;						\
542 	exit;						\
543 "	:
544 	: __imm(bpf_sk_lookup_tcp),
545 	  __imm(bpf_sk_release),
546 	  __imm_const(bpf_sock_mark, offsetof(struct bpf_sock, mark)),
547 	  __imm_const(sizeof_bpf_sock_tuple, sizeof(struct bpf_sock_tuple))
548 	: __clobber_all);
549 }
550 
551 SEC("socket")
552 __description("unpriv: write pointer into map elem value")
553 __success __failure_unpriv __msg_unpriv("R0 leaks addr")
554 __retval(0)
pointer_into_map_elem_value(void)555 __naked void pointer_into_map_elem_value(void)
556 {
557 	asm volatile ("					\
558 	r1 = 0;						\
559 	*(u64*)(r10 - 8) = r1;				\
560 	r2 = r10;					\
561 	r2 += -8;					\
562 	r1 = %[map_hash_8b] ll;				\
563 	call %[bpf_map_lookup_elem];			\
564 	if r0 == 0 goto l0_%=;				\
565 	*(u64*)(r0 + 0) = r0;				\
566 l0_%=:	exit;						\
567 "	:
568 	: __imm(bpf_map_lookup_elem),
569 	  __imm_addr(map_hash_8b)
570 	: __clobber_all);
571 }
572 
573 SEC("socket")
574 __description("alu32: mov u32 const")
575 __success __failure_unpriv __msg_unpriv("R7 invalid mem access 'scalar'")
576 __retval(0)
alu32_mov_u32_const(void)577 __naked void alu32_mov_u32_const(void)
578 {
579 	asm volatile ("					\
580 	w7 = 0;						\
581 	w7 &= 1;					\
582 	w0 = w7;					\
583 	if r0 == 0 goto l0_%=;				\
584 	r0 = *(u64*)(r7 + 0);				\
585 l0_%=:	exit;						\
586 "	::: __clobber_all);
587 }
588 
589 SEC("socket")
590 __description("unpriv: partial copy of pointer")
591 __success __failure_unpriv __msg_unpriv("R10 partial copy")
592 __retval(0)
unpriv_partial_copy_of_pointer(void)593 __naked void unpriv_partial_copy_of_pointer(void)
594 {
595 	asm volatile ("					\
596 	w1 = w10;					\
597 	r0 = 0;						\
598 	exit;						\
599 "	::: __clobber_all);
600 }
601 
602 SEC("socket")
603 __description("unpriv: pass pointer to tail_call")
604 __success __failure_unpriv __msg_unpriv("R3 leaks addr into helper")
605 __retval(0)
pass_pointer_to_tail_call(void)606 __naked void pass_pointer_to_tail_call(void)
607 {
608 	asm volatile ("					\
609 	r3 = r1;					\
610 	r2 = %[map_prog1_socket] ll;			\
611 	call %[bpf_tail_call];				\
612 	r0 = 0;						\
613 	exit;						\
614 "	:
615 	: __imm(bpf_tail_call),
616 	  __imm_addr(map_prog1_socket)
617 	: __clobber_all);
618 }
619 
620 SEC("socket")
621 __description("unpriv: cmp map pointer with zero")
622 __success __failure_unpriv __msg_unpriv("R1 pointer comparison")
623 __retval(0)
cmp_map_pointer_with_zero(void)624 __naked void cmp_map_pointer_with_zero(void)
625 {
626 	asm volatile ("					\
627 	r1 = 0;						\
628 	r1 = %[map_hash_8b] ll;				\
629 	if r1 == 0 goto l0_%=;				\
630 l0_%=:	r0 = 0;						\
631 	exit;						\
632 "	:
633 	: __imm_addr(map_hash_8b)
634 	: __clobber_all);
635 }
636 
637 SEC("socket")
638 __description("unpriv: write into frame pointer")
639 __failure __msg("frame pointer is read only")
640 __failure_unpriv
unpriv_write_into_frame_pointer(void)641 __naked void unpriv_write_into_frame_pointer(void)
642 {
643 	asm volatile ("					\
644 	r10 = r1;					\
645 	r0 = 0;						\
646 	exit;						\
647 "	::: __clobber_all);
648 }
649 
650 SEC("socket")
651 __description("unpriv: spill/fill frame pointer")
652 __failure __msg("frame pointer is read only")
653 __failure_unpriv
unpriv_spill_fill_frame_pointer(void)654 __naked void unpriv_spill_fill_frame_pointer(void)
655 {
656 	asm volatile ("					\
657 	r6 = r10;					\
658 	r6 += -8;					\
659 	*(u64*)(r6 + 0) = r10;				\
660 	r10 = *(u64*)(r6 + 0);				\
661 	r0 = 0;						\
662 	exit;						\
663 "	::: __clobber_all);
664 }
665 
666 SEC("socket")
667 __description("unpriv: cmp of frame pointer")
668 __success __failure_unpriv __msg_unpriv("R10 pointer comparison")
669 __retval(0)
unpriv_cmp_of_frame_pointer(void)670 __naked void unpriv_cmp_of_frame_pointer(void)
671 {
672 	asm volatile ("					\
673 	if r10 == 0 goto l0_%=;				\
674 l0_%=:	r0 = 0;						\
675 	exit;						\
676 "	::: __clobber_all);
677 }
678 
679 SEC("socket")
680 __description("unpriv: adding of fp, reg")
681 __success __failure_unpriv
682 __msg_unpriv("R1 stack pointer arithmetic goes out of range")
683 __retval(0)
unpriv_adding_of_fp_reg(void)684 __naked void unpriv_adding_of_fp_reg(void)
685 {
686 	asm volatile ("					\
687 	r0 = 0;						\
688 	r1 = 0;						\
689 	r1 += r10;					\
690 	*(u64*)(r1 - 8) = r0;				\
691 	exit;						\
692 "	::: __clobber_all);
693 }
694 
695 SEC("socket")
696 __description("unpriv: adding of fp, imm")
697 __success __failure_unpriv
698 __msg_unpriv("R1 stack pointer arithmetic goes out of range")
699 __retval(0)
unpriv_adding_of_fp_imm(void)700 __naked void unpriv_adding_of_fp_imm(void)
701 {
702 	asm volatile ("					\
703 	r0 = 0;						\
704 	r1 = r10;					\
705 	r1 += 0;					\
706 	*(u64*)(r1 - 8) = r0;				\
707 	exit;						\
708 "	::: __clobber_all);
709 }
710 
711 SEC("socket")
712 __description("unpriv: cmp of stack pointer")
713 __success __failure_unpriv __msg_unpriv("R2 pointer comparison")
714 __retval(0)
unpriv_cmp_of_stack_pointer(void)715 __naked void unpriv_cmp_of_stack_pointer(void)
716 {
717 	asm volatile ("					\
718 	r2 = r10;					\
719 	r2 += -8;					\
720 	if r2 == 0 goto l0_%=;				\
721 l0_%=:	r0 = 0;						\
722 	exit;						\
723 "	::: __clobber_all);
724 }
725 
726 char _license[] SEC("license") = "GPL";
727