1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (c) 2022 Facebook */ 3 4 #include <errno.h> 5 #include <string.h> 6 #include <stdbool.h> 7 #include <linux/bpf.h> 8 #include <bpf/bpf_helpers.h> 9 #include <linux/if_ether.h> 10 #include "bpf_misc.h" 11 #include "bpf_kfuncs.h" 12 13 char _license[] SEC("license") = "GPL"; 14 15 struct test_info { 16 int x; 17 struct bpf_dynptr ptr; 18 }; 19 20 struct { 21 __uint(type, BPF_MAP_TYPE_ARRAY); 22 __uint(max_entries, 1); 23 __type(key, __u32); 24 __type(value, struct bpf_dynptr); 25 } array_map1 SEC(".maps"); 26 27 struct { 28 __uint(type, BPF_MAP_TYPE_ARRAY); 29 __uint(max_entries, 1); 30 __type(key, __u32); 31 __type(value, struct test_info); 32 } array_map2 SEC(".maps"); 33 34 struct { 35 __uint(type, BPF_MAP_TYPE_ARRAY); 36 __uint(max_entries, 1); 37 __type(key, __u32); 38 __type(value, __u32); 39 } array_map3 SEC(".maps"); 40 41 struct { 42 __uint(type, BPF_MAP_TYPE_ARRAY); 43 __uint(max_entries, 1); 44 __type(key, __u32); 45 __type(value, __u64); 46 } array_map4 SEC(".maps"); 47 48 struct sample { 49 int pid; 50 long value; 51 char comm[16]; 52 }; 53 54 struct { 55 __uint(type, BPF_MAP_TYPE_RINGBUF); 56 __uint(max_entries, 4096); 57 } ringbuf SEC(".maps"); 58 59 int err, val; 60 61 static int get_map_val_dynptr(struct bpf_dynptr *ptr) 62 { 63 __u32 key = 0, *map_val; 64 65 bpf_map_update_elem(&array_map3, &key, &val, 0); 66 67 map_val = bpf_map_lookup_elem(&array_map3, &key); 68 if (!map_val) 69 return -ENOENT; 70 71 bpf_dynptr_from_mem(map_val, sizeof(*map_val), 0, ptr); 72 73 return 0; 74 } 75 76 /* Every bpf_ringbuf_reserve_dynptr call must have a corresponding 77 * bpf_ringbuf_submit/discard_dynptr call 78 */ 79 SEC("?raw_tp") 80 __failure __msg("Unreleased reference id=2") 81 int ringbuf_missing_release1(void *ctx) 82 { 83 struct bpf_dynptr ptr = {}; 84 85 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 86 87 /* missing a call to bpf_ringbuf_discard/submit_dynptr */ 88 89 return 0; 90 } 91 92 SEC("?raw_tp") 93 __failure __msg("Unreleased reference id=4") 94 int ringbuf_missing_release2(void *ctx) 95 { 96 struct bpf_dynptr ptr1, ptr2; 97 struct sample *sample; 98 99 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr1); 100 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr2); 101 102 sample = bpf_dynptr_data(&ptr1, 0, sizeof(*sample)); 103 if (!sample) { 104 bpf_ringbuf_discard_dynptr(&ptr1, 0); 105 bpf_ringbuf_discard_dynptr(&ptr2, 0); 106 return 0; 107 } 108 109 bpf_ringbuf_submit_dynptr(&ptr1, 0); 110 111 /* missing a call to bpf_ringbuf_discard/submit_dynptr on ptr2 */ 112 113 return 0; 114 } 115 116 static int missing_release_callback_fn(__u32 index, void *data) 117 { 118 struct bpf_dynptr ptr; 119 120 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 121 122 /* missing a call to bpf_ringbuf_discard/submit_dynptr */ 123 124 return 0; 125 } 126 127 /* Any dynptr initialized within a callback must have bpf_dynptr_put called */ 128 SEC("?raw_tp") 129 __failure __msg("Unreleased reference id") 130 int ringbuf_missing_release_callback(void *ctx) 131 { 132 bpf_loop(10, missing_release_callback_fn, NULL, 0); 133 return 0; 134 } 135 136 /* Can't call bpf_ringbuf_submit/discard_dynptr on a non-initialized dynptr */ 137 SEC("?raw_tp") 138 __failure __msg("arg 1 is an unacquired reference") 139 int ringbuf_release_uninit_dynptr(void *ctx) 140 { 141 struct bpf_dynptr ptr; 142 143 /* this should fail */ 144 bpf_ringbuf_submit_dynptr(&ptr, 0); 145 146 return 0; 147 } 148 149 /* A dynptr can't be used after it has been invalidated */ 150 SEC("?raw_tp") 151 __failure __msg("Expected an initialized dynptr as arg #3") 152 int use_after_invalid(void *ctx) 153 { 154 struct bpf_dynptr ptr; 155 char read_data[64]; 156 157 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(read_data), 0, &ptr); 158 159 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0); 160 161 bpf_ringbuf_submit_dynptr(&ptr, 0); 162 163 /* this should fail */ 164 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0); 165 166 return 0; 167 } 168 169 /* Can't call non-dynptr ringbuf APIs on a dynptr ringbuf sample */ 170 SEC("?raw_tp") 171 __failure __msg("type=mem expected=ringbuf_mem") 172 int ringbuf_invalid_api(void *ctx) 173 { 174 struct bpf_dynptr ptr; 175 struct sample *sample; 176 177 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr); 178 sample = bpf_dynptr_data(&ptr, 0, sizeof(*sample)); 179 if (!sample) 180 goto done; 181 182 sample->pid = 123; 183 184 /* invalid API use. need to use dynptr API to submit/discard */ 185 bpf_ringbuf_submit(sample, 0); 186 187 done: 188 bpf_ringbuf_discard_dynptr(&ptr, 0); 189 return 0; 190 } 191 192 /* Can't add a dynptr to a map */ 193 SEC("?raw_tp") 194 __failure __msg("invalid indirect read from stack") 195 int add_dynptr_to_map1(void *ctx) 196 { 197 struct bpf_dynptr ptr; 198 int key = 0; 199 200 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 201 202 /* this should fail */ 203 bpf_map_update_elem(&array_map1, &key, &ptr, 0); 204 205 bpf_ringbuf_submit_dynptr(&ptr, 0); 206 207 return 0; 208 } 209 210 /* Can't add a struct with an embedded dynptr to a map */ 211 SEC("?raw_tp") 212 __failure __msg("invalid indirect read from stack") 213 int add_dynptr_to_map2(void *ctx) 214 { 215 struct test_info x; 216 int key = 0; 217 218 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &x.ptr); 219 220 /* this should fail */ 221 bpf_map_update_elem(&array_map2, &key, &x, 0); 222 223 bpf_ringbuf_submit_dynptr(&x.ptr, 0); 224 225 return 0; 226 } 227 228 /* A data slice can't be accessed out of bounds */ 229 SEC("?raw_tp") 230 __failure __msg("value is outside of the allowed memory range") 231 int data_slice_out_of_bounds_ringbuf(void *ctx) 232 { 233 struct bpf_dynptr ptr; 234 void *data; 235 236 bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr); 237 238 data = bpf_dynptr_data(&ptr, 0, 8); 239 if (!data) 240 goto done; 241 242 /* can't index out of bounds of the data slice */ 243 val = *((char *)data + 8); 244 245 done: 246 bpf_ringbuf_submit_dynptr(&ptr, 0); 247 return 0; 248 } 249 250 /* A data slice can't be accessed out of bounds */ 251 SEC("?tc") 252 __failure __msg("value is outside of the allowed memory range") 253 int data_slice_out_of_bounds_skb(struct __sk_buff *skb) 254 { 255 struct bpf_dynptr ptr; 256 struct ethhdr *hdr; 257 char buffer[sizeof(*hdr)] = {}; 258 259 bpf_dynptr_from_skb(skb, 0, &ptr); 260 261 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 262 if (!hdr) 263 return SK_DROP; 264 265 /* this should fail */ 266 *(__u8*)(hdr + 1) = 1; 267 268 return SK_PASS; 269 } 270 271 SEC("?raw_tp") 272 __failure __msg("value is outside of the allowed memory range") 273 int data_slice_out_of_bounds_map_value(void *ctx) 274 { 275 __u32 map_val; 276 struct bpf_dynptr ptr; 277 void *data; 278 279 get_map_val_dynptr(&ptr); 280 281 data = bpf_dynptr_data(&ptr, 0, sizeof(map_val)); 282 if (!data) 283 return 0; 284 285 /* can't index out of bounds of the data slice */ 286 val = *((char *)data + (sizeof(map_val) + 1)); 287 288 return 0; 289 } 290 291 /* A data slice can't be used after it has been released */ 292 SEC("?raw_tp") 293 __failure __msg("invalid mem access 'scalar'") 294 int data_slice_use_after_release1(void *ctx) 295 { 296 struct bpf_dynptr ptr; 297 struct sample *sample; 298 299 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr); 300 sample = bpf_dynptr_data(&ptr, 0, sizeof(*sample)); 301 if (!sample) 302 goto done; 303 304 sample->pid = 123; 305 306 bpf_ringbuf_submit_dynptr(&ptr, 0); 307 308 /* this should fail */ 309 val = sample->pid; 310 311 return 0; 312 313 done: 314 bpf_ringbuf_discard_dynptr(&ptr, 0); 315 return 0; 316 } 317 318 /* A data slice can't be used after it has been released. 319 * 320 * This tests the case where the data slice tracks a dynptr (ptr2) 321 * that is at a non-zero offset from the frame pointer (ptr1 is at fp, 322 * ptr2 is at fp - 16). 323 */ 324 SEC("?raw_tp") 325 __failure __msg("invalid mem access 'scalar'") 326 int data_slice_use_after_release2(void *ctx) 327 { 328 struct bpf_dynptr ptr1, ptr2; 329 struct sample *sample; 330 331 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr1); 332 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr2); 333 334 sample = bpf_dynptr_data(&ptr2, 0, sizeof(*sample)); 335 if (!sample) 336 goto done; 337 338 sample->pid = 23; 339 340 bpf_ringbuf_submit_dynptr(&ptr2, 0); 341 342 /* this should fail */ 343 sample->pid = 23; 344 345 bpf_ringbuf_submit_dynptr(&ptr1, 0); 346 347 return 0; 348 349 done: 350 bpf_ringbuf_discard_dynptr(&ptr2, 0); 351 bpf_ringbuf_discard_dynptr(&ptr1, 0); 352 return 0; 353 } 354 355 /* A data slice must be first checked for NULL */ 356 SEC("?raw_tp") 357 __failure __msg("invalid mem access 'mem_or_null'") 358 int data_slice_missing_null_check1(void *ctx) 359 { 360 struct bpf_dynptr ptr; 361 void *data; 362 363 bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr); 364 365 data = bpf_dynptr_data(&ptr, 0, 8); 366 367 /* missing if (!data) check */ 368 369 /* this should fail */ 370 *(__u8 *)data = 3; 371 372 bpf_ringbuf_submit_dynptr(&ptr, 0); 373 return 0; 374 } 375 376 /* A data slice can't be dereferenced if it wasn't checked for null */ 377 SEC("?raw_tp") 378 __failure __msg("invalid mem access 'mem_or_null'") 379 int data_slice_missing_null_check2(void *ctx) 380 { 381 struct bpf_dynptr ptr; 382 __u64 *data1, *data2; 383 384 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr); 385 386 data1 = bpf_dynptr_data(&ptr, 0, 8); 387 data2 = bpf_dynptr_data(&ptr, 0, 8); 388 if (data1) 389 /* this should fail */ 390 *data2 = 3; 391 392 bpf_ringbuf_discard_dynptr(&ptr, 0); 393 return 0; 394 } 395 396 /* Can't pass in a dynptr as an arg to a helper function that doesn't take in a 397 * dynptr argument 398 */ 399 SEC("?raw_tp") 400 __failure __msg("invalid indirect read from stack") 401 int invalid_helper1(void *ctx) 402 { 403 struct bpf_dynptr ptr; 404 405 get_map_val_dynptr(&ptr); 406 407 /* this should fail */ 408 bpf_strncmp((const char *)&ptr, sizeof(ptr), "hello!"); 409 410 return 0; 411 } 412 413 /* A dynptr can't be passed into a helper function at a non-zero offset */ 414 SEC("?raw_tp") 415 __failure __msg("cannot pass in dynptr at an offset=-8") 416 int invalid_helper2(void *ctx) 417 { 418 struct bpf_dynptr ptr; 419 char read_data[64]; 420 421 get_map_val_dynptr(&ptr); 422 423 /* this should fail */ 424 bpf_dynptr_read(read_data, sizeof(read_data), (void *)&ptr + 8, 0, 0); 425 return 0; 426 } 427 428 /* A bpf_dynptr is invalidated if it's been written into */ 429 SEC("?raw_tp") 430 __failure __msg("Expected an initialized dynptr as arg #1") 431 int invalid_write1(void *ctx) 432 { 433 struct bpf_dynptr ptr; 434 void *data; 435 __u8 x = 0; 436 437 get_map_val_dynptr(&ptr); 438 439 memcpy(&ptr, &x, sizeof(x)); 440 441 /* this should fail */ 442 data = bpf_dynptr_data(&ptr, 0, 1); 443 __sink(data); 444 445 return 0; 446 } 447 448 /* 449 * A bpf_dynptr can't be used as a dynptr if it has been written into at a fixed 450 * offset 451 */ 452 SEC("?raw_tp") 453 __failure __msg("cannot overwrite referenced dynptr") 454 int invalid_write2(void *ctx) 455 { 456 struct bpf_dynptr ptr; 457 char read_data[64]; 458 __u8 x = 0; 459 460 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr); 461 462 memcpy((void *)&ptr + 8, &x, sizeof(x)); 463 464 /* this should fail */ 465 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0); 466 467 bpf_ringbuf_submit_dynptr(&ptr, 0); 468 469 return 0; 470 } 471 472 /* 473 * A bpf_dynptr can't be used as a dynptr if it has been written into at a 474 * non-const offset 475 */ 476 SEC("?raw_tp") 477 __failure __msg("cannot overwrite referenced dynptr") 478 int invalid_write3(void *ctx) 479 { 480 struct bpf_dynptr ptr; 481 char stack_buf[16]; 482 unsigned long len; 483 __u8 x = 0; 484 485 bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr); 486 487 memcpy(stack_buf, &val, sizeof(val)); 488 len = stack_buf[0] & 0xf; 489 490 memcpy((void *)&ptr + len, &x, sizeof(x)); 491 492 /* this should fail */ 493 bpf_ringbuf_submit_dynptr(&ptr, 0); 494 495 return 0; 496 } 497 498 static int invalid_write4_callback(__u32 index, void *data) 499 { 500 *(__u32 *)data = 123; 501 502 return 0; 503 } 504 505 /* If the dynptr is written into in a callback function, it should 506 * be invalidated as a dynptr 507 */ 508 SEC("?raw_tp") 509 __failure __msg("cannot overwrite referenced dynptr") 510 int invalid_write4(void *ctx) 511 { 512 struct bpf_dynptr ptr; 513 514 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr); 515 516 bpf_loop(10, invalid_write4_callback, &ptr, 0); 517 518 /* this should fail */ 519 bpf_ringbuf_submit_dynptr(&ptr, 0); 520 521 return 0; 522 } 523 524 /* A globally-defined bpf_dynptr can't be used (it must reside as a stack frame) */ 525 struct bpf_dynptr global_dynptr; 526 527 SEC("?raw_tp") 528 __failure __msg("type=map_value expected=fp") 529 int global(void *ctx) 530 { 531 /* this should fail */ 532 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &global_dynptr); 533 534 bpf_ringbuf_discard_dynptr(&global_dynptr, 0); 535 536 return 0; 537 } 538 539 /* A direct read should fail */ 540 SEC("?raw_tp") 541 __failure __msg("invalid read from stack") 542 int invalid_read1(void *ctx) 543 { 544 struct bpf_dynptr ptr; 545 546 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr); 547 548 /* this should fail */ 549 val = *(int *)&ptr; 550 551 bpf_ringbuf_discard_dynptr(&ptr, 0); 552 553 return 0; 554 } 555 556 /* A direct read at an offset should fail */ 557 SEC("?raw_tp") 558 __failure __msg("cannot pass in dynptr at an offset") 559 int invalid_read2(void *ctx) 560 { 561 struct bpf_dynptr ptr; 562 char read_data[64]; 563 564 get_map_val_dynptr(&ptr); 565 566 /* this should fail */ 567 bpf_dynptr_read(read_data, sizeof(read_data), (void *)&ptr + 1, 0, 0); 568 569 return 0; 570 } 571 572 /* A direct read at an offset into the lower stack slot should fail */ 573 SEC("?raw_tp") 574 __failure __msg("invalid read from stack") 575 int invalid_read3(void *ctx) 576 { 577 struct bpf_dynptr ptr1, ptr2; 578 579 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr1); 580 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr2); 581 582 /* this should fail */ 583 memcpy(&val, (void *)&ptr1 + 8, sizeof(val)); 584 585 bpf_ringbuf_discard_dynptr(&ptr1, 0); 586 bpf_ringbuf_discard_dynptr(&ptr2, 0); 587 588 return 0; 589 } 590 591 static int invalid_read4_callback(__u32 index, void *data) 592 { 593 /* this should fail */ 594 val = *(__u32 *)data; 595 596 return 0; 597 } 598 599 /* A direct read within a callback function should fail */ 600 SEC("?raw_tp") 601 __failure __msg("invalid read from stack") 602 int invalid_read4(void *ctx) 603 { 604 struct bpf_dynptr ptr; 605 606 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr); 607 608 bpf_loop(10, invalid_read4_callback, &ptr, 0); 609 610 bpf_ringbuf_submit_dynptr(&ptr, 0); 611 612 return 0; 613 } 614 615 /* Initializing a dynptr on an offset should fail */ 616 SEC("?raw_tp") 617 __failure __msg("cannot pass in dynptr at an offset=0") 618 int invalid_offset(void *ctx) 619 { 620 struct bpf_dynptr ptr; 621 622 /* this should fail */ 623 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr + 1); 624 625 bpf_ringbuf_discard_dynptr(&ptr, 0); 626 627 return 0; 628 } 629 630 /* Can't release a dynptr twice */ 631 SEC("?raw_tp") 632 __failure __msg("arg 1 is an unacquired reference") 633 int release_twice(void *ctx) 634 { 635 struct bpf_dynptr ptr; 636 637 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr); 638 639 bpf_ringbuf_discard_dynptr(&ptr, 0); 640 641 /* this second release should fail */ 642 bpf_ringbuf_discard_dynptr(&ptr, 0); 643 644 return 0; 645 } 646 647 static int release_twice_callback_fn(__u32 index, void *data) 648 { 649 /* this should fail */ 650 bpf_ringbuf_discard_dynptr(data, 0); 651 652 return 0; 653 } 654 655 /* Test that releasing a dynptr twice, where one of the releases happens 656 * within a callback function, fails 657 */ 658 SEC("?raw_tp") 659 __failure __msg("arg 1 is an unacquired reference") 660 int release_twice_callback(void *ctx) 661 { 662 struct bpf_dynptr ptr; 663 664 bpf_ringbuf_reserve_dynptr(&ringbuf, 32, 0, &ptr); 665 666 bpf_ringbuf_discard_dynptr(&ptr, 0); 667 668 bpf_loop(10, release_twice_callback_fn, &ptr, 0); 669 670 return 0; 671 } 672 673 /* Reject unsupported local mem types for dynptr_from_mem API */ 674 SEC("?raw_tp") 675 __failure __msg("Unsupported reg type fp for bpf_dynptr_from_mem data") 676 int dynptr_from_mem_invalid_api(void *ctx) 677 { 678 struct bpf_dynptr ptr; 679 int x = 0; 680 681 /* this should fail */ 682 bpf_dynptr_from_mem(&x, sizeof(x), 0, &ptr); 683 684 return 0; 685 } 686 687 SEC("?tc") 688 __failure __msg("cannot overwrite referenced dynptr") __log_level(2) 689 int dynptr_pruning_overwrite(struct __sk_buff *ctx) 690 { 691 asm volatile ( 692 "r9 = 0xeB9F; \ 693 r6 = %[ringbuf] ll; \ 694 r1 = r6; \ 695 r2 = 8; \ 696 r3 = 0; \ 697 r4 = r10; \ 698 r4 += -16; \ 699 call %[bpf_ringbuf_reserve_dynptr]; \ 700 if r0 == 0 goto pjmp1; \ 701 goto pjmp2; \ 702 pjmp1: \ 703 *(u64 *)(r10 - 16) = r9; \ 704 pjmp2: \ 705 r1 = r10; \ 706 r1 += -16; \ 707 r2 = 0; \ 708 call %[bpf_ringbuf_discard_dynptr]; " 709 : 710 : __imm(bpf_ringbuf_reserve_dynptr), 711 __imm(bpf_ringbuf_discard_dynptr), 712 __imm_addr(ringbuf) 713 : __clobber_all 714 ); 715 return 0; 716 } 717 718 SEC("?tc") 719 __success __msg("12: safe") __log_level(2) 720 int dynptr_pruning_stacksafe(struct __sk_buff *ctx) 721 { 722 asm volatile ( 723 "r9 = 0xeB9F; \ 724 r6 = %[ringbuf] ll; \ 725 r1 = r6; \ 726 r2 = 8; \ 727 r3 = 0; \ 728 r4 = r10; \ 729 r4 += -16; \ 730 call %[bpf_ringbuf_reserve_dynptr]; \ 731 if r0 == 0 goto stjmp1; \ 732 goto stjmp2; \ 733 stjmp1: \ 734 r9 = r9; \ 735 stjmp2: \ 736 r1 = r10; \ 737 r1 += -16; \ 738 r2 = 0; \ 739 call %[bpf_ringbuf_discard_dynptr]; " 740 : 741 : __imm(bpf_ringbuf_reserve_dynptr), 742 __imm(bpf_ringbuf_discard_dynptr), 743 __imm_addr(ringbuf) 744 : __clobber_all 745 ); 746 return 0; 747 } 748 749 SEC("?tc") 750 __failure __msg("cannot overwrite referenced dynptr") __log_level(2) 751 int dynptr_pruning_type_confusion(struct __sk_buff *ctx) 752 { 753 asm volatile ( 754 "r6 = %[array_map4] ll; \ 755 r7 = %[ringbuf] ll; \ 756 r1 = r6; \ 757 r2 = r10; \ 758 r2 += -8; \ 759 r9 = 0; \ 760 *(u64 *)(r2 + 0) = r9; \ 761 r3 = r10; \ 762 r3 += -24; \ 763 r9 = 0xeB9FeB9F; \ 764 *(u64 *)(r10 - 16) = r9; \ 765 *(u64 *)(r10 - 24) = r9; \ 766 r9 = 0; \ 767 r4 = 0; \ 768 r8 = r2; \ 769 call %[bpf_map_update_elem]; \ 770 r1 = r6; \ 771 r2 = r8; \ 772 call %[bpf_map_lookup_elem]; \ 773 if r0 != 0 goto tjmp1; \ 774 exit; \ 775 tjmp1: \ 776 r8 = r0; \ 777 r1 = r7; \ 778 r2 = 8; \ 779 r3 = 0; \ 780 r4 = r10; \ 781 r4 += -16; \ 782 r0 = *(u64 *)(r0 + 0); \ 783 call %[bpf_ringbuf_reserve_dynptr]; \ 784 if r0 == 0 goto tjmp2; \ 785 r8 = r8; \ 786 r8 = r8; \ 787 r8 = r8; \ 788 r8 = r8; \ 789 r8 = r8; \ 790 r8 = r8; \ 791 r8 = r8; \ 792 goto tjmp3; \ 793 tjmp2: \ 794 *(u64 *)(r10 - 8) = r9; \ 795 *(u64 *)(r10 - 16) = r9; \ 796 r1 = r8; \ 797 r1 += 8; \ 798 r2 = 0; \ 799 r3 = 0; \ 800 r4 = r10; \ 801 r4 += -16; \ 802 call %[bpf_dynptr_from_mem]; \ 803 tjmp3: \ 804 r1 = r10; \ 805 r1 += -16; \ 806 r2 = 0; \ 807 call %[bpf_ringbuf_discard_dynptr]; " 808 : 809 : __imm(bpf_map_update_elem), 810 __imm(bpf_map_lookup_elem), 811 __imm(bpf_ringbuf_reserve_dynptr), 812 __imm(bpf_dynptr_from_mem), 813 __imm(bpf_ringbuf_discard_dynptr), 814 __imm_addr(array_map4), 815 __imm_addr(ringbuf) 816 : __clobber_all 817 ); 818 return 0; 819 } 820 821 SEC("?tc") 822 __failure __msg("dynptr has to be at a constant offset") __log_level(2) 823 int dynptr_var_off_overwrite(struct __sk_buff *ctx) 824 { 825 asm volatile ( 826 "r9 = 16; \ 827 *(u32 *)(r10 - 4) = r9; \ 828 r8 = *(u32 *)(r10 - 4); \ 829 if r8 >= 0 goto vjmp1; \ 830 r0 = 1; \ 831 exit; \ 832 vjmp1: \ 833 if r8 <= 16 goto vjmp2; \ 834 r0 = 1; \ 835 exit; \ 836 vjmp2: \ 837 r8 &= 16; \ 838 r1 = %[ringbuf] ll; \ 839 r2 = 8; \ 840 r3 = 0; \ 841 r4 = r10; \ 842 r4 += -32; \ 843 r4 += r8; \ 844 call %[bpf_ringbuf_reserve_dynptr]; \ 845 r9 = 0xeB9F; \ 846 *(u64 *)(r10 - 16) = r9; \ 847 r1 = r10; \ 848 r1 += -32; \ 849 r1 += r8; \ 850 r2 = 0; \ 851 call %[bpf_ringbuf_discard_dynptr]; " 852 : 853 : __imm(bpf_ringbuf_reserve_dynptr), 854 __imm(bpf_ringbuf_discard_dynptr), 855 __imm_addr(ringbuf) 856 : __clobber_all 857 ); 858 return 0; 859 } 860 861 SEC("?tc") 862 __failure __msg("cannot overwrite referenced dynptr") __log_level(2) 863 int dynptr_partial_slot_invalidate(struct __sk_buff *ctx) 864 { 865 asm volatile ( 866 "r6 = %[ringbuf] ll; \ 867 r7 = %[array_map4] ll; \ 868 r1 = r7; \ 869 r2 = r10; \ 870 r2 += -8; \ 871 r9 = 0; \ 872 *(u64 *)(r2 + 0) = r9; \ 873 r3 = r2; \ 874 r4 = 0; \ 875 r8 = r2; \ 876 call %[bpf_map_update_elem]; \ 877 r1 = r7; \ 878 r2 = r8; \ 879 call %[bpf_map_lookup_elem]; \ 880 if r0 != 0 goto sjmp1; \ 881 exit; \ 882 sjmp1: \ 883 r7 = r0; \ 884 r1 = r6; \ 885 r2 = 8; \ 886 r3 = 0; \ 887 r4 = r10; \ 888 r4 += -24; \ 889 call %[bpf_ringbuf_reserve_dynptr]; \ 890 *(u64 *)(r10 - 16) = r9; \ 891 r1 = r7; \ 892 r2 = 8; \ 893 r3 = 0; \ 894 r4 = r10; \ 895 r4 += -16; \ 896 call %[bpf_dynptr_from_mem]; \ 897 r1 = r10; \ 898 r1 += -512; \ 899 r2 = 488; \ 900 r3 = r10; \ 901 r3 += -24; \ 902 r4 = 0; \ 903 r5 = 0; \ 904 call %[bpf_dynptr_read]; \ 905 r8 = 1; \ 906 if r0 != 0 goto sjmp2; \ 907 r8 = 0; \ 908 sjmp2: \ 909 r1 = r10; \ 910 r1 += -24; \ 911 r2 = 0; \ 912 call %[bpf_ringbuf_discard_dynptr]; " 913 : 914 : __imm(bpf_map_update_elem), 915 __imm(bpf_map_lookup_elem), 916 __imm(bpf_ringbuf_reserve_dynptr), 917 __imm(bpf_ringbuf_discard_dynptr), 918 __imm(bpf_dynptr_from_mem), 919 __imm(bpf_dynptr_read), 920 __imm_addr(ringbuf), 921 __imm_addr(array_map4) 922 : __clobber_all 923 ); 924 return 0; 925 } 926 927 /* Test that it is allowed to overwrite unreferenced dynptr. */ 928 SEC("?raw_tp") 929 __success 930 int dynptr_overwrite_unref(void *ctx) 931 { 932 struct bpf_dynptr ptr; 933 934 if (get_map_val_dynptr(&ptr)) 935 return 0; 936 if (get_map_val_dynptr(&ptr)) 937 return 0; 938 if (get_map_val_dynptr(&ptr)) 939 return 0; 940 941 return 0; 942 } 943 944 /* Test that slices are invalidated on reinitializing a dynptr. */ 945 SEC("?raw_tp") 946 __failure __msg("invalid mem access 'scalar'") 947 int dynptr_invalidate_slice_reinit(void *ctx) 948 { 949 struct bpf_dynptr ptr; 950 __u8 *p; 951 952 if (get_map_val_dynptr(&ptr)) 953 return 0; 954 p = bpf_dynptr_data(&ptr, 0, 1); 955 if (!p) 956 return 0; 957 if (get_map_val_dynptr(&ptr)) 958 return 0; 959 /* this should fail */ 960 return *p; 961 } 962 963 /* Invalidation of dynptr slices on destruction of dynptr should not miss 964 * mem_or_null pointers. 965 */ 966 SEC("?raw_tp") 967 __failure __regex("R[0-9]+ type=scalar expected=percpu_ptr_") 968 int dynptr_invalidate_slice_or_null(void *ctx) 969 { 970 struct bpf_dynptr ptr; 971 __u8 *p; 972 973 if (get_map_val_dynptr(&ptr)) 974 return 0; 975 976 p = bpf_dynptr_data(&ptr, 0, 1); 977 *(__u8 *)&ptr = 0; 978 /* this should fail */ 979 bpf_this_cpu_ptr(p); 980 return 0; 981 } 982 983 /* Destruction of dynptr should also any slices obtained from it */ 984 SEC("?raw_tp") 985 __failure __regex("R[0-9]+ invalid mem access 'scalar'") 986 int dynptr_invalidate_slice_failure(void *ctx) 987 { 988 struct bpf_dynptr ptr1; 989 struct bpf_dynptr ptr2; 990 __u8 *p1, *p2; 991 992 if (get_map_val_dynptr(&ptr1)) 993 return 0; 994 if (get_map_val_dynptr(&ptr2)) 995 return 0; 996 997 p1 = bpf_dynptr_data(&ptr1, 0, 1); 998 if (!p1) 999 return 0; 1000 p2 = bpf_dynptr_data(&ptr2, 0, 1); 1001 if (!p2) 1002 return 0; 1003 1004 *(__u8 *)&ptr1 = 0; 1005 /* this should fail */ 1006 return *p1; 1007 } 1008 1009 /* Invalidation of slices should be scoped and should not prevent dereferencing 1010 * slices of another dynptr after destroying unrelated dynptr 1011 */ 1012 SEC("?raw_tp") 1013 __success 1014 int dynptr_invalidate_slice_success(void *ctx) 1015 { 1016 struct bpf_dynptr ptr1; 1017 struct bpf_dynptr ptr2; 1018 __u8 *p1, *p2; 1019 1020 if (get_map_val_dynptr(&ptr1)) 1021 return 1; 1022 if (get_map_val_dynptr(&ptr2)) 1023 return 1; 1024 1025 p1 = bpf_dynptr_data(&ptr1, 0, 1); 1026 if (!p1) 1027 return 1; 1028 p2 = bpf_dynptr_data(&ptr2, 0, 1); 1029 if (!p2) 1030 return 1; 1031 1032 *(__u8 *)&ptr1 = 0; 1033 return *p2; 1034 } 1035 1036 /* Overwriting referenced dynptr should be rejected */ 1037 SEC("?raw_tp") 1038 __failure __msg("cannot overwrite referenced dynptr") 1039 int dynptr_overwrite_ref(void *ctx) 1040 { 1041 struct bpf_dynptr ptr; 1042 1043 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr); 1044 /* this should fail */ 1045 if (get_map_val_dynptr(&ptr)) 1046 bpf_ringbuf_discard_dynptr(&ptr, 0); 1047 return 0; 1048 } 1049 1050 /* Reject writes to dynptr slot from bpf_dynptr_read */ 1051 SEC("?raw_tp") 1052 __failure __msg("potential write to dynptr at off=-16") 1053 int dynptr_read_into_slot(void *ctx) 1054 { 1055 union { 1056 struct { 1057 char _pad[48]; 1058 struct bpf_dynptr ptr; 1059 }; 1060 char buf[64]; 1061 } data; 1062 1063 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &data.ptr); 1064 /* this should fail */ 1065 bpf_dynptr_read(data.buf, sizeof(data.buf), &data.ptr, 0, 0); 1066 1067 return 0; 1068 } 1069 1070 /* bpf_dynptr_slice()s are read-only and cannot be written to */ 1071 SEC("?tc") 1072 __failure __regex("R[0-9]+ cannot write into rdonly_mem") 1073 int skb_invalid_slice_write(struct __sk_buff *skb) 1074 { 1075 struct bpf_dynptr ptr; 1076 struct ethhdr *hdr; 1077 char buffer[sizeof(*hdr)] = {}; 1078 1079 bpf_dynptr_from_skb(skb, 0, &ptr); 1080 1081 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 1082 if (!hdr) 1083 return SK_DROP; 1084 1085 /* this should fail */ 1086 hdr->h_proto = 1; 1087 1088 return SK_PASS; 1089 } 1090 1091 /* The read-only data slice is invalidated whenever a helper changes packet data */ 1092 SEC("?tc") 1093 __failure __msg("invalid mem access 'scalar'") 1094 int skb_invalid_data_slice1(struct __sk_buff *skb) 1095 { 1096 struct bpf_dynptr ptr; 1097 struct ethhdr *hdr; 1098 char buffer[sizeof(*hdr)] = {}; 1099 1100 bpf_dynptr_from_skb(skb, 0, &ptr); 1101 1102 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 1103 if (!hdr) 1104 return SK_DROP; 1105 1106 val = hdr->h_proto; 1107 1108 if (bpf_skb_pull_data(skb, skb->len)) 1109 return SK_DROP; 1110 1111 /* this should fail */ 1112 val = hdr->h_proto; 1113 1114 return SK_PASS; 1115 } 1116 1117 /* The read-write data slice is invalidated whenever a helper changes packet data */ 1118 SEC("?tc") 1119 __failure __msg("invalid mem access 'scalar'") 1120 int skb_invalid_data_slice2(struct __sk_buff *skb) 1121 { 1122 struct bpf_dynptr ptr; 1123 struct ethhdr *hdr; 1124 char buffer[sizeof(*hdr)] = {}; 1125 1126 bpf_dynptr_from_skb(skb, 0, &ptr); 1127 1128 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 1129 if (!hdr) 1130 return SK_DROP; 1131 1132 hdr->h_proto = 123; 1133 1134 if (bpf_skb_pull_data(skb, skb->len)) 1135 return SK_DROP; 1136 1137 /* this should fail */ 1138 hdr->h_proto = 1; 1139 1140 return SK_PASS; 1141 } 1142 1143 /* The read-only data slice is invalidated whenever bpf_dynptr_write() is called */ 1144 SEC("?tc") 1145 __failure __msg("invalid mem access 'scalar'") 1146 int skb_invalid_data_slice3(struct __sk_buff *skb) 1147 { 1148 char write_data[64] = "hello there, world!!"; 1149 struct bpf_dynptr ptr; 1150 struct ethhdr *hdr; 1151 char buffer[sizeof(*hdr)] = {}; 1152 1153 bpf_dynptr_from_skb(skb, 0, &ptr); 1154 1155 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 1156 if (!hdr) 1157 return SK_DROP; 1158 1159 val = hdr->h_proto; 1160 1161 bpf_dynptr_write(&ptr, 0, write_data, sizeof(write_data), 0); 1162 1163 /* this should fail */ 1164 val = hdr->h_proto; 1165 1166 return SK_PASS; 1167 } 1168 1169 /* The read-write data slice is invalidated whenever bpf_dynptr_write() is called */ 1170 SEC("?tc") 1171 __failure __msg("invalid mem access 'scalar'") 1172 int skb_invalid_data_slice4(struct __sk_buff *skb) 1173 { 1174 char write_data[64] = "hello there, world!!"; 1175 struct bpf_dynptr ptr; 1176 struct ethhdr *hdr; 1177 char buffer[sizeof(*hdr)] = {}; 1178 1179 bpf_dynptr_from_skb(skb, 0, &ptr); 1180 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 1181 if (!hdr) 1182 return SK_DROP; 1183 1184 hdr->h_proto = 123; 1185 1186 bpf_dynptr_write(&ptr, 0, write_data, sizeof(write_data), 0); 1187 1188 /* this should fail */ 1189 hdr->h_proto = 1; 1190 1191 return SK_PASS; 1192 } 1193 1194 /* The read-only data slice is invalidated whenever a helper changes packet data */ 1195 SEC("?xdp") 1196 __failure __msg("invalid mem access 'scalar'") 1197 int xdp_invalid_data_slice1(struct xdp_md *xdp) 1198 { 1199 struct bpf_dynptr ptr; 1200 struct ethhdr *hdr; 1201 char buffer[sizeof(*hdr)] = {}; 1202 1203 bpf_dynptr_from_xdp(xdp, 0, &ptr); 1204 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 1205 if (!hdr) 1206 return SK_DROP; 1207 1208 val = hdr->h_proto; 1209 1210 if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr))) 1211 return XDP_DROP; 1212 1213 /* this should fail */ 1214 val = hdr->h_proto; 1215 1216 return XDP_PASS; 1217 } 1218 1219 /* The read-write data slice is invalidated whenever a helper changes packet data */ 1220 SEC("?xdp") 1221 __failure __msg("invalid mem access 'scalar'") 1222 int xdp_invalid_data_slice2(struct xdp_md *xdp) 1223 { 1224 struct bpf_dynptr ptr; 1225 struct ethhdr *hdr; 1226 char buffer[sizeof(*hdr)] = {}; 1227 1228 bpf_dynptr_from_xdp(xdp, 0, &ptr); 1229 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 1230 if (!hdr) 1231 return SK_DROP; 1232 1233 hdr->h_proto = 9; 1234 1235 if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr))) 1236 return XDP_DROP; 1237 1238 /* this should fail */ 1239 hdr->h_proto = 1; 1240 1241 return XDP_PASS; 1242 } 1243 1244 /* Only supported prog type can create skb-type dynptrs */ 1245 SEC("?raw_tp") 1246 __failure __msg("calling kernel function bpf_dynptr_from_skb is not allowed") 1247 int skb_invalid_ctx(void *ctx) 1248 { 1249 struct bpf_dynptr ptr; 1250 1251 /* this should fail */ 1252 bpf_dynptr_from_skb(ctx, 0, &ptr); 1253 1254 return 0; 1255 } 1256 1257 /* Reject writes to dynptr slot for uninit arg */ 1258 SEC("?raw_tp") 1259 __failure __msg("potential write to dynptr at off=-16") 1260 int uninit_write_into_slot(void *ctx) 1261 { 1262 struct { 1263 char buf[64]; 1264 struct bpf_dynptr ptr; 1265 } data; 1266 1267 bpf_ringbuf_reserve_dynptr(&ringbuf, 80, 0, &data.ptr); 1268 /* this should fail */ 1269 bpf_get_current_comm(data.buf, 80); 1270 1271 return 0; 1272 } 1273 1274 /* Only supported prog type can create xdp-type dynptrs */ 1275 SEC("?raw_tp") 1276 __failure __msg("calling kernel function bpf_dynptr_from_xdp is not allowed") 1277 int xdp_invalid_ctx(void *ctx) 1278 { 1279 struct bpf_dynptr ptr; 1280 1281 /* this should fail */ 1282 bpf_dynptr_from_xdp(ctx, 0, &ptr); 1283 1284 return 0; 1285 } 1286 1287 __u32 hdr_size = sizeof(struct ethhdr); 1288 /* Can't pass in variable-sized len to bpf_dynptr_slice */ 1289 SEC("?tc") 1290 __failure __msg("unbounded memory access") 1291 int dynptr_slice_var_len1(struct __sk_buff *skb) 1292 { 1293 struct bpf_dynptr ptr; 1294 struct ethhdr *hdr; 1295 char buffer[sizeof(*hdr)] = {}; 1296 1297 bpf_dynptr_from_skb(skb, 0, &ptr); 1298 1299 /* this should fail */ 1300 hdr = bpf_dynptr_slice(&ptr, 0, buffer, hdr_size); 1301 if (!hdr) 1302 return SK_DROP; 1303 1304 return SK_PASS; 1305 } 1306 1307 /* Can't pass in variable-sized len to bpf_dynptr_slice */ 1308 SEC("?tc") 1309 __failure __msg("must be a known constant") 1310 int dynptr_slice_var_len2(struct __sk_buff *skb) 1311 { 1312 char buffer[sizeof(struct ethhdr)] = {}; 1313 struct bpf_dynptr ptr; 1314 struct ethhdr *hdr; 1315 1316 bpf_dynptr_from_skb(skb, 0, &ptr); 1317 1318 if (hdr_size <= sizeof(buffer)) { 1319 /* this should fail */ 1320 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, hdr_size); 1321 if (!hdr) 1322 return SK_DROP; 1323 hdr->h_proto = 12; 1324 } 1325 1326 return SK_PASS; 1327 } 1328 1329 static int callback(__u32 index, void *data) 1330 { 1331 *(__u32 *)data = 123; 1332 1333 return 0; 1334 } 1335 1336 /* If the dynptr is written into in a callback function, its data 1337 * slices should be invalidated as well. 1338 */ 1339 SEC("?raw_tp") 1340 __failure __msg("invalid mem access 'scalar'") 1341 int invalid_data_slices(void *ctx) 1342 { 1343 struct bpf_dynptr ptr; 1344 __u32 *slice; 1345 1346 if (get_map_val_dynptr(&ptr)) 1347 return 0; 1348 1349 slice = bpf_dynptr_data(&ptr, 0, sizeof(__u32)); 1350 if (!slice) 1351 return 0; 1352 1353 bpf_loop(10, callback, &ptr, 0); 1354 1355 /* this should fail */ 1356 *slice = 1; 1357 1358 return 0; 1359 } 1360 1361 /* Program types that don't allow writes to packet data should fail if 1362 * bpf_dynptr_slice_rdwr is called 1363 */ 1364 SEC("cgroup_skb/ingress") 1365 __failure __msg("the prog does not allow writes to packet data") 1366 int invalid_slice_rdwr_rdonly(struct __sk_buff *skb) 1367 { 1368 char buffer[sizeof(struct ethhdr)] = {}; 1369 struct bpf_dynptr ptr; 1370 struct ethhdr *hdr; 1371 1372 bpf_dynptr_from_skb(skb, 0, &ptr); 1373 1374 /* this should fail since cgroup_skb doesn't allow 1375 * changing packet data 1376 */ 1377 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 1378 __sink(hdr); 1379 1380 return 0; 1381 } 1382 1383 /* bpf_dynptr_adjust can only be called on initialized dynptrs */ 1384 SEC("?raw_tp") 1385 __failure __msg("Expected an initialized dynptr as arg #1") 1386 int dynptr_adjust_invalid(void *ctx) 1387 { 1388 struct bpf_dynptr ptr = {}; 1389 1390 /* this should fail */ 1391 bpf_dynptr_adjust(&ptr, 1, 2); 1392 1393 return 0; 1394 } 1395 1396 /* bpf_dynptr_is_null can only be called on initialized dynptrs */ 1397 SEC("?raw_tp") 1398 __failure __msg("Expected an initialized dynptr as arg #1") 1399 int dynptr_is_null_invalid(void *ctx) 1400 { 1401 struct bpf_dynptr ptr = {}; 1402 1403 /* this should fail */ 1404 bpf_dynptr_is_null(&ptr); 1405 1406 return 0; 1407 } 1408 1409 /* bpf_dynptr_is_rdonly can only be called on initialized dynptrs */ 1410 SEC("?raw_tp") 1411 __failure __msg("Expected an initialized dynptr as arg #1") 1412 int dynptr_is_rdonly_invalid(void *ctx) 1413 { 1414 struct bpf_dynptr ptr = {}; 1415 1416 /* this should fail */ 1417 bpf_dynptr_is_rdonly(&ptr); 1418 1419 return 0; 1420 } 1421 1422 /* bpf_dynptr_size can only be called on initialized dynptrs */ 1423 SEC("?raw_tp") 1424 __failure __msg("Expected an initialized dynptr as arg #1") 1425 int dynptr_size_invalid(void *ctx) 1426 { 1427 struct bpf_dynptr ptr = {}; 1428 1429 /* this should fail */ 1430 bpf_dynptr_size(&ptr); 1431 1432 return 0; 1433 } 1434 1435 /* Only initialized dynptrs can be cloned */ 1436 SEC("?raw_tp") 1437 __failure __msg("Expected an initialized dynptr as arg #1") 1438 int clone_invalid1(void *ctx) 1439 { 1440 struct bpf_dynptr ptr1 = {}; 1441 struct bpf_dynptr ptr2; 1442 1443 /* this should fail */ 1444 bpf_dynptr_clone(&ptr1, &ptr2); 1445 1446 return 0; 1447 } 1448 1449 /* Can't overwrite an existing dynptr when cloning */ 1450 SEC("?xdp") 1451 __failure __msg("cannot overwrite referenced dynptr") 1452 int clone_invalid2(struct xdp_md *xdp) 1453 { 1454 struct bpf_dynptr ptr1; 1455 struct bpf_dynptr clone; 1456 1457 bpf_dynptr_from_xdp(xdp, 0, &ptr1); 1458 1459 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &clone); 1460 1461 /* this should fail */ 1462 bpf_dynptr_clone(&ptr1, &clone); 1463 1464 bpf_ringbuf_submit_dynptr(&clone, 0); 1465 1466 return 0; 1467 } 1468 1469 /* Invalidating a dynptr should invalidate its clones */ 1470 SEC("?raw_tp") 1471 __failure __msg("Expected an initialized dynptr as arg #3") 1472 int clone_invalidate1(void *ctx) 1473 { 1474 struct bpf_dynptr clone; 1475 struct bpf_dynptr ptr; 1476 char read_data[64]; 1477 1478 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 1479 1480 bpf_dynptr_clone(&ptr, &clone); 1481 1482 bpf_ringbuf_submit_dynptr(&ptr, 0); 1483 1484 /* this should fail */ 1485 bpf_dynptr_read(read_data, sizeof(read_data), &clone, 0, 0); 1486 1487 return 0; 1488 } 1489 1490 /* Invalidating a dynptr should invalidate its parent */ 1491 SEC("?raw_tp") 1492 __failure __msg("Expected an initialized dynptr as arg #3") 1493 int clone_invalidate2(void *ctx) 1494 { 1495 struct bpf_dynptr ptr; 1496 struct bpf_dynptr clone; 1497 char read_data[64]; 1498 1499 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 1500 1501 bpf_dynptr_clone(&ptr, &clone); 1502 1503 bpf_ringbuf_submit_dynptr(&clone, 0); 1504 1505 /* this should fail */ 1506 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0); 1507 1508 return 0; 1509 } 1510 1511 /* Invalidating a dynptr should invalidate its siblings */ 1512 SEC("?raw_tp") 1513 __failure __msg("Expected an initialized dynptr as arg #3") 1514 int clone_invalidate3(void *ctx) 1515 { 1516 struct bpf_dynptr ptr; 1517 struct bpf_dynptr clone1; 1518 struct bpf_dynptr clone2; 1519 char read_data[64]; 1520 1521 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 1522 1523 bpf_dynptr_clone(&ptr, &clone1); 1524 1525 bpf_dynptr_clone(&ptr, &clone2); 1526 1527 bpf_ringbuf_submit_dynptr(&clone2, 0); 1528 1529 /* this should fail */ 1530 bpf_dynptr_read(read_data, sizeof(read_data), &clone1, 0, 0); 1531 1532 return 0; 1533 } 1534 1535 /* Invalidating a dynptr should invalidate any data slices 1536 * of its clones 1537 */ 1538 SEC("?raw_tp") 1539 __failure __msg("invalid mem access 'scalar'") 1540 int clone_invalidate4(void *ctx) 1541 { 1542 struct bpf_dynptr ptr; 1543 struct bpf_dynptr clone; 1544 int *data; 1545 1546 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 1547 1548 bpf_dynptr_clone(&ptr, &clone); 1549 data = bpf_dynptr_data(&clone, 0, sizeof(val)); 1550 if (!data) 1551 return 0; 1552 1553 bpf_ringbuf_submit_dynptr(&ptr, 0); 1554 1555 /* this should fail */ 1556 *data = 123; 1557 1558 return 0; 1559 } 1560 1561 /* Invalidating a dynptr should invalidate any data slices 1562 * of its parent 1563 */ 1564 SEC("?raw_tp") 1565 __failure __msg("invalid mem access 'scalar'") 1566 int clone_invalidate5(void *ctx) 1567 { 1568 struct bpf_dynptr ptr; 1569 struct bpf_dynptr clone; 1570 int *data; 1571 1572 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 1573 data = bpf_dynptr_data(&ptr, 0, sizeof(val)); 1574 if (!data) 1575 return 0; 1576 1577 bpf_dynptr_clone(&ptr, &clone); 1578 1579 bpf_ringbuf_submit_dynptr(&clone, 0); 1580 1581 /* this should fail */ 1582 *data = 123; 1583 1584 return 0; 1585 } 1586 1587 /* Invalidating a dynptr should invalidate any data slices 1588 * of its sibling 1589 */ 1590 SEC("?raw_tp") 1591 __failure __msg("invalid mem access 'scalar'") 1592 int clone_invalidate6(void *ctx) 1593 { 1594 struct bpf_dynptr ptr; 1595 struct bpf_dynptr clone1; 1596 struct bpf_dynptr clone2; 1597 int *data; 1598 1599 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr); 1600 1601 bpf_dynptr_clone(&ptr, &clone1); 1602 1603 bpf_dynptr_clone(&ptr, &clone2); 1604 1605 data = bpf_dynptr_data(&clone1, 0, sizeof(val)); 1606 if (!data) 1607 return 0; 1608 1609 bpf_ringbuf_submit_dynptr(&clone2, 0); 1610 1611 /* this should fail */ 1612 *data = 123; 1613 1614 return 0; 1615 } 1616 1617 /* A skb clone's data slices should be invalid anytime packet data changes */ 1618 SEC("?tc") 1619 __failure __msg("invalid mem access 'scalar'") 1620 int clone_skb_packet_data(struct __sk_buff *skb) 1621 { 1622 char buffer[sizeof(__u32)] = {}; 1623 struct bpf_dynptr clone; 1624 struct bpf_dynptr ptr; 1625 __u32 *data; 1626 1627 bpf_dynptr_from_skb(skb, 0, &ptr); 1628 1629 bpf_dynptr_clone(&ptr, &clone); 1630 data = bpf_dynptr_slice_rdwr(&clone, 0, buffer, sizeof(buffer)); 1631 if (!data) 1632 return XDP_DROP; 1633 1634 if (bpf_skb_pull_data(skb, skb->len)) 1635 return SK_DROP; 1636 1637 /* this should fail */ 1638 *data = 123; 1639 1640 return 0; 1641 } 1642 1643 /* A xdp clone's data slices should be invalid anytime packet data changes */ 1644 SEC("?xdp") 1645 __failure __msg("invalid mem access 'scalar'") 1646 int clone_xdp_packet_data(struct xdp_md *xdp) 1647 { 1648 char buffer[sizeof(__u32)] = {}; 1649 struct bpf_dynptr clone; 1650 struct bpf_dynptr ptr; 1651 struct ethhdr *hdr; 1652 __u32 *data; 1653 1654 bpf_dynptr_from_xdp(xdp, 0, &ptr); 1655 1656 bpf_dynptr_clone(&ptr, &clone); 1657 data = bpf_dynptr_slice_rdwr(&clone, 0, buffer, sizeof(buffer)); 1658 if (!data) 1659 return XDP_DROP; 1660 1661 if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr))) 1662 return XDP_DROP; 1663 1664 /* this should fail */ 1665 *data = 123; 1666 1667 return 0; 1668 } 1669 1670 /* Buffers that are provided must be sufficiently long */ 1671 SEC("?cgroup_skb/egress") 1672 __failure __msg("memory, len pair leads to invalid memory access") 1673 int test_dynptr_skb_small_buff(struct __sk_buff *skb) 1674 { 1675 struct bpf_dynptr ptr; 1676 char buffer[8] = {}; 1677 __u64 *data; 1678 1679 if (bpf_dynptr_from_skb(skb, 0, &ptr)) { 1680 err = 1; 1681 return 1; 1682 } 1683 1684 /* This may return NULL. SKB may require a buffer */ 1685 data = bpf_dynptr_slice(&ptr, 0, buffer, 9); 1686 1687 return !!data; 1688 } 1689 1690 __noinline long global_call_bpf_dynptr(const struct bpf_dynptr *dynptr) 1691 { 1692 long ret = 0; 1693 /* Avoid leaving this global function empty to avoid having the compiler 1694 * optimize away the call to this global function. 1695 */ 1696 __sink(ret); 1697 return ret; 1698 } 1699 1700 SEC("?raw_tp") 1701 __failure __msg("arg#1 expected pointer to stack or const struct bpf_dynptr") 1702 int test_dynptr_reg_type(void *ctx) 1703 { 1704 struct task_struct *current = NULL; 1705 /* R1 should be holding a PTR_TO_BTF_ID, so this shouldn't be a 1706 * reg->type that can be passed to a function accepting a 1707 * ARG_PTR_TO_DYNPTR | MEM_RDONLY. process_dynptr_func() should catch 1708 * this. 1709 */ 1710 global_call_bpf_dynptr((const struct bpf_dynptr *)current); 1711 return 0; 1712 } 1713