xref: /linux/tools/testing/selftests/bpf/progs/user_ringbuf_fail.c (revision 6e7fd890f1d6ac83805409e9c346240de2705584)
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7 
8 char _license[] SEC("license") = "GPL";
9 
10 struct sample {
11 	int pid;
12 	int seq;
13 	long value;
14 	char comm[16];
15 };
16 
17 struct {
18 	__uint(type, BPF_MAP_TYPE_USER_RINGBUF);
19 	__uint(max_entries, 4096);
20 } user_ringbuf SEC(".maps");
21 
22 struct {
23 	__uint(type, BPF_MAP_TYPE_RINGBUF);
24 	__uint(max_entries, 2);
25 } ringbuf SEC(".maps");
26 
27 static int map_value;
28 
29 static long
30 bad_access1(struct bpf_dynptr *dynptr, void *context)
31 {
32 	const struct sample *sample;
33 
34 	sample = bpf_dynptr_data(dynptr - 1, 0, sizeof(*sample));
35 	bpf_printk("Was able to pass bad pointer %lx\n", (__u64)dynptr - 1);
36 
37 	return 0;
38 }
39 
40 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
41  * not be able to read before the pointer.
42  */
43 SEC("?raw_tp")
44 __failure __msg("negative offset dynptr_ptr ptr")
45 int user_ringbuf_callback_bad_access1(void *ctx)
46 {
47 	bpf_user_ringbuf_drain(&user_ringbuf, bad_access1, NULL, 0);
48 
49 	return 0;
50 }
51 
52 static long
53 bad_access2(struct bpf_dynptr *dynptr, void *context)
54 {
55 	const struct sample *sample;
56 
57 	sample = bpf_dynptr_data(dynptr + 1, 0, sizeof(*sample));
58 	bpf_printk("Was able to pass bad pointer %lx\n", (__u64)dynptr + 1);
59 
60 	return 0;
61 }
62 
63 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
64  * not be able to read past the end of the pointer.
65  */
66 SEC("?raw_tp")
67 __failure __msg("dereference of modified dynptr_ptr ptr")
68 int user_ringbuf_callback_bad_access2(void *ctx)
69 {
70 	bpf_user_ringbuf_drain(&user_ringbuf, bad_access2, NULL, 0);
71 
72 	return 0;
73 }
74 
75 static long
76 write_forbidden(struct bpf_dynptr *dynptr, void *context)
77 {
78 	*((long *)dynptr) = 0;
79 
80 	return 0;
81 }
82 
83 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
84  * not be able to write to that pointer.
85  */
86 SEC("?raw_tp")
87 __failure __msg("invalid mem access 'dynptr_ptr'")
88 int user_ringbuf_callback_write_forbidden(void *ctx)
89 {
90 	bpf_user_ringbuf_drain(&user_ringbuf, write_forbidden, NULL, 0);
91 
92 	return 0;
93 }
94 
95 static long
96 null_context_write(struct bpf_dynptr *dynptr, void *context)
97 {
98 	*((__u64 *)context) = 0;
99 
100 	return 0;
101 }
102 
103 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
104  * not be able to write to that pointer.
105  */
106 SEC("?raw_tp")
107 __failure __msg("invalid mem access 'scalar'")
108 int user_ringbuf_callback_null_context_write(void *ctx)
109 {
110 	bpf_user_ringbuf_drain(&user_ringbuf, null_context_write, NULL, 0);
111 
112 	return 0;
113 }
114 
115 static long
116 null_context_read(struct bpf_dynptr *dynptr, void *context)
117 {
118 	__u64 id = *((__u64 *)context);
119 
120 	bpf_printk("Read id %lu\n", id);
121 
122 	return 0;
123 }
124 
125 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
126  * not be able to write to that pointer.
127  */
128 SEC("?raw_tp")
129 __failure __msg("invalid mem access 'scalar'")
130 int user_ringbuf_callback_null_context_read(void *ctx)
131 {
132 	bpf_user_ringbuf_drain(&user_ringbuf, null_context_read, NULL, 0);
133 
134 	return 0;
135 }
136 
137 static long
138 try_discard_dynptr(struct bpf_dynptr *dynptr, void *context)
139 {
140 	bpf_ringbuf_discard_dynptr(dynptr, 0);
141 
142 	return 0;
143 }
144 
145 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
146  * not be able to read past the end of the pointer.
147  */
148 SEC("?raw_tp")
149 __failure __msg("cannot release unowned const bpf_dynptr")
150 int user_ringbuf_callback_discard_dynptr(void *ctx)
151 {
152 	bpf_user_ringbuf_drain(&user_ringbuf, try_discard_dynptr, NULL, 0);
153 
154 	return 0;
155 }
156 
157 static long
158 try_submit_dynptr(struct bpf_dynptr *dynptr, void *context)
159 {
160 	bpf_ringbuf_submit_dynptr(dynptr, 0);
161 
162 	return 0;
163 }
164 
165 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
166  * not be able to read past the end of the pointer.
167  */
168 SEC("?raw_tp")
169 __failure __msg("cannot release unowned const bpf_dynptr")
170 int user_ringbuf_callback_submit_dynptr(void *ctx)
171 {
172 	bpf_user_ringbuf_drain(&user_ringbuf, try_submit_dynptr, NULL, 0);
173 
174 	return 0;
175 }
176 
177 static long
178 invalid_drain_callback_return(struct bpf_dynptr *dynptr, void *context)
179 {
180 	return 2;
181 }
182 
183 /* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
184  * not be able to write to that pointer.
185  */
186 SEC("?raw_tp")
187 __failure __msg("At callback return the register R0 has ")
188 int user_ringbuf_callback_invalid_return(void *ctx)
189 {
190 	bpf_user_ringbuf_drain(&user_ringbuf, invalid_drain_callback_return, NULL, 0);
191 
192 	return 0;
193 }
194 
195 static long
196 try_reinit_dynptr_mem(struct bpf_dynptr *dynptr, void *context)
197 {
198 	bpf_dynptr_from_mem(&map_value, 4, 0, dynptr);
199 	return 0;
200 }
201 
202 static long
203 try_reinit_dynptr_ringbuf(struct bpf_dynptr *dynptr, void *context)
204 {
205 	bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, dynptr);
206 	return 0;
207 }
208 
209 SEC("?raw_tp")
210 __failure __msg("Dynptr has to be an uninitialized dynptr")
211 int user_ringbuf_callback_reinit_dynptr_mem(void *ctx)
212 {
213 	bpf_user_ringbuf_drain(&user_ringbuf, try_reinit_dynptr_mem, NULL, 0);
214 	return 0;
215 }
216 
217 SEC("?raw_tp")
218 __failure __msg("Dynptr has to be an uninitialized dynptr")
219 int user_ringbuf_callback_reinit_dynptr_ringbuf(void *ctx)
220 {
221 	bpf_user_ringbuf_drain(&user_ringbuf, try_reinit_dynptr_ringbuf, NULL, 0);
222 	return 0;
223 }
224 
225 __noinline long global_call_bpf_dynptr_data(struct bpf_dynptr *dynptr)
226 {
227 	bpf_dynptr_data(dynptr, 0xA, 0xA);
228 	return 0;
229 }
230 
231 static long callback_adjust_bpf_dynptr_reg_off(struct bpf_dynptr *dynptr,
232 					       void *ctx)
233 {
234 	global_call_bpf_dynptr_data(dynptr += 1024);
235 	return 0;
236 }
237 
238 SEC("?raw_tp")
239 __failure __msg("dereference of modified dynptr_ptr ptr R1 off=16384 disallowed")
240 int user_ringbuf_callback_const_ptr_to_dynptr_reg_off(void *ctx)
241 {
242 	bpf_user_ringbuf_drain(&user_ringbuf,
243 			       callback_adjust_bpf_dynptr_reg_off, NULL, 0);
244 	return 0;
245 }
246