xref: /linux/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c (revision 4b911a9690d72641879ea6d13cce1de31d346d79)
1 // SPDX-License-Identifier: GPL-2.0
2 #include "bpf_misc.h"
3 #include "bpf_experimental.h"
4 
5 struct {
6 	__uint(type, BPF_MAP_TYPE_ARRAY);
7 	__uint(max_entries, 8);
8 	__type(key, __u32);
9 	__type(value, __u64);
10 } map SEC(".maps");
11 
12 struct {
13 	__uint(type, BPF_MAP_TYPE_USER_RINGBUF);
14 	__uint(max_entries, 8);
15 } ringbuf SEC(".maps");
16 
17 struct vm_area_struct;
18 struct bpf_map;
19 
20 struct buf_context {
21 	char *buf;
22 };
23 
24 struct num_context {
25 	__u64 i;
26 	__u64 j;
27 };
28 
29 __u8 choice_arr[2] = { 0, 1 };
30 
31 static int unsafe_on_2nd_iter_cb(__u32 idx, struct buf_context *ctx)
32 {
33 	if (idx == 0) {
34 		ctx->buf = (char *)(0xDEAD);
35 		return 0;
36 	}
37 
38 	if (bpf_probe_read_user(ctx->buf, 8, (void *)(0xBADC0FFEE)))
39 		return 1;
40 
41 	return 0;
42 }
43 
44 SEC("?raw_tp")
45 __failure __msg("R1 type=scalar expected=fp")
46 int unsafe_on_2nd_iter(void *unused)
47 {
48 	char buf[4];
49 	struct buf_context loop_ctx = { .buf = buf };
50 
51 	bpf_loop(100, unsafe_on_2nd_iter_cb, &loop_ctx, 0);
52 	return 0;
53 }
54 
55 static int unsafe_on_zero_iter_cb(__u32 idx, struct num_context *ctx)
56 {
57 	ctx->i = 0;
58 	return 0;
59 }
60 
61 SEC("?raw_tp")
62 __failure __msg("invalid access to map value, value_size=2 off=32 size=1")
63 int unsafe_on_zero_iter(void *unused)
64 {
65 	struct num_context loop_ctx = { .i = 32 };
66 
67 	bpf_loop(100, unsafe_on_zero_iter_cb, &loop_ctx, 0);
68 	return choice_arr[loop_ctx.i];
69 }
70 
71 static int widening_cb(__u32 idx, struct num_context *ctx)
72 {
73 	++ctx->i;
74 	return 0;
75 }
76 
77 SEC("?raw_tp")
78 __success
79 int widening(void *unused)
80 {
81 	struct num_context loop_ctx = { .i = 0, .j = 1 };
82 
83 	bpf_loop(100, widening_cb, &loop_ctx, 0);
84 	/* loop_ctx.j is not changed during callback iteration,
85 	 * verifier should not apply widening to it.
86 	 */
87 	return choice_arr[loop_ctx.j];
88 }
89 
90 static int loop_detection_cb(__u32 idx, struct num_context *ctx)
91 {
92 	for (;;) {}
93 	return 0;
94 }
95 
96 SEC("?raw_tp")
97 __failure __msg("infinite loop detected")
98 int loop_detection(void *unused)
99 {
100 	struct num_context loop_ctx = { .i = 0 };
101 
102 	bpf_loop(100, loop_detection_cb, &loop_ctx, 0);
103 	return 0;
104 }
105 
106 static __always_inline __u64 oob_state_machine(struct num_context *ctx)
107 {
108 	switch (ctx->i) {
109 	case 0:
110 		ctx->i = 1;
111 		break;
112 	case 1:
113 		ctx->i = 32;
114 		break;
115 	}
116 	return 0;
117 }
118 
119 static __u64 for_each_map_elem_cb(struct bpf_map *map, __u32 *key, __u64 *val, void *data)
120 {
121 	return oob_state_machine(data);
122 }
123 
124 SEC("?raw_tp")
125 __failure __msg("invalid access to map value, value_size=2 off=32 size=1")
126 int unsafe_for_each_map_elem(void *unused)
127 {
128 	struct num_context loop_ctx = { .i = 0 };
129 
130 	bpf_for_each_map_elem(&map, for_each_map_elem_cb, &loop_ctx, 0);
131 	return choice_arr[loop_ctx.i];
132 }
133 
134 static __u64 ringbuf_drain_cb(struct bpf_dynptr *dynptr, void *data)
135 {
136 	return oob_state_machine(data);
137 }
138 
139 SEC("?raw_tp")
140 __failure __msg("invalid access to map value, value_size=2 off=32 size=1")
141 int unsafe_ringbuf_drain(void *unused)
142 {
143 	struct num_context loop_ctx = { .i = 0 };
144 
145 	bpf_user_ringbuf_drain(&ringbuf, ringbuf_drain_cb, &loop_ctx, 0);
146 	return choice_arr[loop_ctx.i];
147 }
148 
149 static __u64 find_vma_cb(struct task_struct *task, struct vm_area_struct *vma, void *data)
150 {
151 	return oob_state_machine(data);
152 }
153 
154 SEC("?raw_tp")
155 __failure __msg("invalid access to map value, value_size=2 off=32 size=1")
156 int unsafe_find_vma(void *unused)
157 {
158 	struct task_struct *task = bpf_get_current_task_btf();
159 	struct num_context loop_ctx = { .i = 0 };
160 
161 	bpf_find_vma(task, 0, find_vma_cb, &loop_ctx, 0);
162 	return choice_arr[loop_ctx.i];
163 }
164 
165 static int iter_limit_cb(__u32 idx, struct num_context *ctx)
166 {
167 	ctx->i++;
168 	return 0;
169 }
170 
171 SEC("?raw_tp")
172 __success
173 int bpf_loop_iter_limit_ok(void *unused)
174 {
175 	struct num_context ctx = { .i = 0 };
176 
177 	bpf_loop(1, iter_limit_cb, &ctx, 0);
178 	return choice_arr[ctx.i];
179 }
180 
181 SEC("?raw_tp")
182 __failure __msg("invalid access to map value, value_size=2 off=2 size=1")
183 int bpf_loop_iter_limit_overflow(void *unused)
184 {
185 	struct num_context ctx = { .i = 0 };
186 
187 	bpf_loop(2, iter_limit_cb, &ctx, 0);
188 	return choice_arr[ctx.i];
189 }
190 
191 static int iter_limit_level2a_cb(__u32 idx, struct num_context *ctx)
192 {
193 	ctx->i += 100;
194 	return 0;
195 }
196 
197 static int iter_limit_level2b_cb(__u32 idx, struct num_context *ctx)
198 {
199 	ctx->i += 10;
200 	return 0;
201 }
202 
203 static int iter_limit_level1_cb(__u32 idx, struct num_context *ctx)
204 {
205 	ctx->i += 1;
206 	bpf_loop(1, iter_limit_level2a_cb, ctx, 0);
207 	bpf_loop(1, iter_limit_level2b_cb, ctx, 0);
208 	return 0;
209 }
210 
211 /* Check that path visiting every callback function once had been
212  * reached by verifier. Variables 'ctx{1,2}i' below serve as flags,
213  * with each decimal digit corresponding to a callback visit marker.
214  */
215 SEC("socket")
216 __success __retval(111111)
217 int bpf_loop_iter_limit_nested(void *unused)
218 {
219 	struct num_context ctx1 = { .i = 0 };
220 	struct num_context ctx2 = { .i = 0 };
221 	__u64 a, b, c;
222 
223 	bpf_loop(1, iter_limit_level1_cb, &ctx1, 0);
224 	bpf_loop(1, iter_limit_level1_cb, &ctx2, 0);
225 	a = ctx1.i;
226 	b = ctx2.i;
227 	/* Force 'ctx1.i' and 'ctx2.i' precise. */
228 	c = choice_arr[(a + b) % 2];
229 	/* This makes 'c' zero, but neither clang nor verifier know it. */
230 	c /= 10;
231 	/* Make sure that verifier does not visit 'impossible' states:
232 	 * enumerate all possible callback visit masks.
233 	 */
234 	if (a != 0 && a != 1 && a != 11 && a != 101 && a != 111 &&
235 	    b != 0 && b != 1 && b != 11 && b != 101 && b != 111)
236 		asm volatile ("r0 /= 0;" ::: "r0");
237 	return 1000 * a + b + c;
238 }
239 
240 struct iter_limit_bug_ctx {
241 	__u64 a;
242 	__u64 b;
243 	__u64 c;
244 };
245 
246 static __naked void iter_limit_bug_cb(void)
247 {
248 	/* This is the same as C code below, but written
249 	 * in assembly to control which branches are fall-through.
250 	 *
251 	 *   switch (bpf_get_prandom_u32()) {
252 	 *   case 1:  ctx->a = 42; break;
253 	 *   case 2:  ctx->b = 42; break;
254 	 *   default: ctx->c = 42; break;
255 	 *   }
256 	 */
257 	asm volatile (
258 	"r9 = r2;"
259 	"call %[bpf_get_prandom_u32];"
260 	"r1 = r0;"
261 	"r2 = 42;"
262 	"r0 = 0;"
263 	"if r1 == 0x1 goto 1f;"
264 	"if r1 == 0x2 goto 2f;"
265 	"*(u64 *)(r9 + 16) = r2;"
266 	"exit;"
267 	"1: *(u64 *)(r9 + 0) = r2;"
268 	"exit;"
269 	"2: *(u64 *)(r9 + 8) = r2;"
270 	"exit;"
271 	:
272 	: __imm(bpf_get_prandom_u32)
273 	: __clobber_all
274 	);
275 }
276 
277 SEC("tc")
278 __failure
279 __flag(BPF_F_TEST_STATE_FREQ)
280 int iter_limit_bug(struct __sk_buff *skb)
281 {
282 	struct iter_limit_bug_ctx ctx = { 7, 7, 7 };
283 
284 	bpf_loop(2, iter_limit_bug_cb, &ctx, 0);
285 
286 	/* This is the same as C code below,
287 	 * written in assembly to guarantee checks order.
288 	 *
289 	 *   if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7)
290 	 *     asm volatile("r1 /= 0;":::"r1");
291 	 */
292 	asm volatile (
293 	"r1 = *(u64 *)%[ctx_a];"
294 	"if r1 != 42 goto 1f;"
295 	"r1 = *(u64 *)%[ctx_b];"
296 	"if r1 != 42 goto 1f;"
297 	"r1 = *(u64 *)%[ctx_c];"
298 	"if r1 != 7 goto 1f;"
299 	"r1 /= 0;"
300 	"1:"
301 	:
302 	: [ctx_a]"m"(ctx.a),
303 	  [ctx_b]"m"(ctx.b),
304 	  [ctx_c]"m"(ctx.c)
305 	: "r1"
306 	);
307 	return 0;
308 }
309 
310 #define ARR_SZ 1000000
311 int zero;
312 char arr[ARR_SZ];
313 
314 SEC("socket")
315 __success __retval(0xd495cdc0)
316 int cond_break1(const void *ctx)
317 {
318 	unsigned long i;
319 	unsigned int sum = 0;
320 
321 	for (i = zero; i < ARR_SZ; cond_break, i++)
322 		sum += i;
323 	for (i = zero; i < ARR_SZ; i++) {
324 		barrier_var(i);
325 		sum += i + arr[i];
326 		cond_break;
327 	}
328 
329 	return sum;
330 }
331 
332 SEC("socket")
333 __success __retval(999000000)
334 int cond_break2(const void *ctx)
335 {
336 	int i, j;
337 	int sum = 0;
338 
339 	for (i = zero; i < 1000; cond_break, i++)
340 		for (j = zero; j < 1000; j++) {
341 			sum += i + j;
342 			cond_break;
343 		}
344 
345 	return sum;
346 }
347 
348 static __noinline int loop(void)
349 {
350 	int i, sum = 0;
351 
352 	for (i = zero; i <= 1000000; i++, cond_break)
353 		sum += i;
354 
355 	return sum;
356 }
357 
358 SEC("socket")
359 __success __retval(0x6a5a2920)
360 int cond_break3(const void *ctx)
361 {
362 	return loop();
363 }
364 
365 SEC("socket")
366 __success __retval(1)
367 int cond_break4(const void *ctx)
368 {
369 	int cnt = zero;
370 
371 	for (;;) {
372 		/* should eventually break out of the loop */
373 		cond_break;
374 		cnt++;
375 	}
376 	/* if we looped a bit, it's a success */
377 	return cnt > 1 ? 1 : 0;
378 }
379 
380 static __noinline int static_subprog(void)
381 {
382 	int cnt = zero;
383 
384 	for (;;) {
385 		cond_break;
386 		cnt++;
387 	}
388 
389 	return cnt;
390 }
391 
392 SEC("socket")
393 __success __retval(1)
394 int cond_break5(const void *ctx)
395 {
396 	int cnt1 = zero, cnt2;
397 
398 	for (;;) {
399 		cond_break;
400 		cnt1++;
401 	}
402 
403 	cnt2 = static_subprog();
404 
405 	/* main and subprog have to loop a bit */
406 	return cnt1 > 1 && cnt2 > 1 ? 1 : 0;
407 }
408 
409 char _license[] SEC("license") = "GPL";
410