1 // SPDX-License-Identifier: GPL-2.0 2 /* Converted from tools/testing/selftests/bpf/verifier/map_ptr.c */ 3 4 #include <linux/bpf.h> 5 #include <bpf/bpf_helpers.h> 6 #include "bpf_misc.h" 7 8 #define MAX_ENTRIES 11 9 10 struct test_val { 11 unsigned int index; 12 int foo[MAX_ENTRIES]; 13 }; 14 15 struct { 16 __uint(type, BPF_MAP_TYPE_ARRAY); 17 __uint(max_entries, 1); 18 __type(key, int); 19 __type(value, struct test_val); 20 } map_array_48b SEC(".maps"); 21 22 struct other_val { 23 long long foo; 24 long long bar; 25 }; 26 27 struct { 28 __uint(type, BPF_MAP_TYPE_HASH); 29 __uint(max_entries, 1); 30 __type(key, long long); 31 __type(value, struct other_val); 32 } map_hash_16b SEC(".maps"); 33 34 SEC("socket") 35 __description("bpf_map_ptr: read with negative offset rejected") 36 __failure __msg("R1 is bpf_array invalid negative access: off=-8") 37 __failure_unpriv 38 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 39 __naked void read_with_negative_offset_rejected(void) 40 { 41 asm volatile (" \ 42 r1 = r10; \ 43 r1 = %[map_array_48b] ll; \ 44 r6 = *(u64*)(r1 - 8); \ 45 r0 = 1; \ 46 exit; \ 47 " : 48 : __imm_addr(map_array_48b) 49 : __clobber_all); 50 } 51 52 SEC("socket") 53 __description("bpf_map_ptr: write rejected") 54 __failure __msg("only read from bpf_array is supported") 55 __failure_unpriv 56 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 57 __naked void bpf_map_ptr_write_rejected(void) 58 { 59 asm volatile (" \ 60 r0 = 0; \ 61 *(u64*)(r10 - 8) = r0; \ 62 r2 = r10; \ 63 r2 += -8; \ 64 r1 = %[map_array_48b] ll; \ 65 *(u64*)(r1 + 0) = r2; \ 66 r0 = 1; \ 67 exit; \ 68 " : 69 : __imm_addr(map_array_48b) 70 : __clobber_all); 71 } 72 73 /* 74 * struct bpf_map starts with the SHA256 hash sha[32] at offset 0 (a readable 75 * byte array), followed by the u32 excl field at offset 32. Reading a u32 at 76 * offset 33 runs past the end of excl and is rejected. 77 */ 78 SEC("socket") 79 __description("bpf_map_ptr: read non-existent field rejected") 80 __failure 81 __msg("access beyond the end of member excl (mend:36) in struct bpf_map with off 33 size 4") 82 __failure_unpriv 83 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 84 __flag(BPF_F_ANY_ALIGNMENT) 85 __naked void read_non_existent_field_rejected(void) 86 { 87 asm volatile (" \ 88 r6 = 0; \ 89 r1 = %[map_array_48b] ll; \ 90 r6 = *(u32*)(r1 + 33); \ 91 r0 = 1; \ 92 exit; \ 93 " : 94 : __imm_addr(map_array_48b) 95 : __clobber_all); 96 } 97 98 SEC("socket") 99 __description("bpf_map_ptr: read ops field accepted") 100 __success __failure_unpriv 101 __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN") 102 __retval(1) 103 __naked void ptr_read_ops_field_accepted(void) 104 { 105 asm volatile (" \ 106 r6 = 0; \ 107 r1 = %[map_array_48b] ll; \ 108 r6 = *(u64*)(r1 + 0); \ 109 r0 = 1; \ 110 exit; \ 111 " : 112 : __imm_addr(map_array_48b) 113 : __clobber_all); 114 } 115 116 SEC("socket") 117 __description("bpf_map_ptr: r = 0, map_ptr = map_ptr + r") 118 __success __failure_unpriv 119 __msg_unpriv("R1 has pointer with unsupported alu operation") 120 __retval(0) 121 __naked void map_ptr_map_ptr_r(void) 122 { 123 asm volatile (" \ 124 r0 = 0; \ 125 *(u64*)(r10 - 8) = r0; \ 126 r2 = r10; \ 127 r2 += -8; \ 128 r0 = 0; \ 129 r1 = %[map_hash_16b] ll; \ 130 r1 += r0; \ 131 call %[bpf_map_lookup_elem]; \ 132 r0 = 0; \ 133 exit; \ 134 " : 135 : __imm(bpf_map_lookup_elem), 136 __imm_addr(map_hash_16b) 137 : __clobber_all); 138 } 139 140 SEC("socket") 141 __description("bpf_map_ptr: r = 0, r = r + map_ptr") 142 __success __failure_unpriv 143 __msg_unpriv("R0 has pointer with unsupported alu operation") 144 __retval(0) 145 __naked void _0_r_r_map_ptr(void) 146 { 147 asm volatile (" \ 148 r0 = 0; \ 149 *(u64*)(r10 - 8) = r0; \ 150 r2 = r10; \ 151 r2 += -8; \ 152 r1 = 0; \ 153 r0 = %[map_hash_16b] ll; \ 154 r1 += r0; \ 155 call %[bpf_map_lookup_elem]; \ 156 r0 = 0; \ 157 exit; \ 158 " : 159 : __imm(bpf_map_lookup_elem), 160 __imm_addr(map_hash_16b) 161 : __clobber_all); 162 } 163 164 char _license[] SEC("license") = "GPL"; 165