xref: /linux/tools/testing/selftests/bpf/progs/verifier_search_pruning.c (revision 6a9a092eb25851e16ecacc04ca2b155635d4e52f)
1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/search_pruning.c */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7 
8 #define MAX_ENTRIES 11
9 
10 struct test_val {
11 	unsigned int index;
12 	int foo[MAX_ENTRIES];
13 };
14 
15 struct {
16 	__uint(type, BPF_MAP_TYPE_HASH);
17 	__uint(max_entries, 1);
18 	__type(key, long long);
19 	__type(value, struct test_val);
20 } map_hash_48b SEC(".maps");
21 
22 struct {
23 	__uint(type, BPF_MAP_TYPE_HASH);
24 	__uint(max_entries, 1);
25 	__type(key, long long);
26 	__type(value, long long);
27 } map_hash_8b SEC(".maps");
28 
29 SEC("socket")
30 __description("pointer/scalar confusion in state equality check (way 1)")
31 __success __failure_unpriv __msg_unpriv("R0 leaks addr as return value")
32 __retval(POINTER_VALUE)
33 __naked void state_equality_check_way_1(void)
34 {
35 	asm volatile ("					\
36 	r1 = 0;						\
37 	*(u64*)(r10 - 8) = r1;				\
38 	r2 = r10;					\
39 	r2 += -8;					\
40 	r1 = %[map_hash_8b] ll;				\
41 	call %[bpf_map_lookup_elem];			\
42 	if r0 == 0 goto l0_%=;				\
43 	r0 = *(u64*)(r0 + 0);				\
44 	goto l1_%=;					\
45 l0_%=:	r0 = r10;					\
46 l1_%=:	goto l2_%=;					\
47 l2_%=:	exit;						\
48 "	:
49 	: __imm(bpf_map_lookup_elem),
50 	  __imm_addr(map_hash_8b)
51 	: __clobber_all);
52 }
53 
54 SEC("socket")
55 __description("pointer/scalar confusion in state equality check (way 2)")
56 __success __failure_unpriv __msg_unpriv("R0 leaks addr as return value")
57 __retval(POINTER_VALUE)
58 __naked void state_equality_check_way_2(void)
59 {
60 	asm volatile ("					\
61 	r1 = 0;						\
62 	*(u64*)(r10 - 8) = r1;				\
63 	r2 = r10;					\
64 	r2 += -8;					\
65 	r1 = %[map_hash_8b] ll;				\
66 	call %[bpf_map_lookup_elem];			\
67 	if r0 != 0 goto l0_%=;				\
68 	r0 = r10;					\
69 	goto l1_%=;					\
70 l0_%=:	r0 = *(u64*)(r0 + 0);				\
71 l1_%=:	exit;						\
72 "	:
73 	: __imm(bpf_map_lookup_elem),
74 	  __imm_addr(map_hash_8b)
75 	: __clobber_all);
76 }
77 
78 SEC("lwt_in")
79 __description("liveness pruning and write screening")
80 __failure __msg("R0 !read_ok")
81 __naked void liveness_pruning_and_write_screening(void)
82 {
83 	asm volatile ("					\
84 	/* Get an unknown value */			\
85 	r2 = *(u32*)(r1 + 0);				\
86 	/* branch conditions teach us nothing about R2 */\
87 	if r2 >= 0 goto l0_%=;				\
88 	r0 = 0;						\
89 l0_%=:	if r2 >= 0 goto l1_%=;				\
90 	r0 = 0;						\
91 l1_%=:	exit;						\
92 "	::: __clobber_all);
93 }
94 
95 SEC("socket")
96 __description("varlen_map_value_access pruning")
97 __failure __msg("R0 unbounded memory access")
98 __failure_unpriv __msg_unpriv("R0 leaks addr")
99 __flag(BPF_F_ANY_ALIGNMENT)
100 __naked void varlen_map_value_access_pruning(void)
101 {
102 	asm volatile ("					\
103 	r1 = 0;						\
104 	*(u64*)(r10 - 8) = r1;				\
105 	r2 = r10;					\
106 	r2 += -8;					\
107 	r1 = %[map_hash_48b] ll;			\
108 	call %[bpf_map_lookup_elem];			\
109 	if r0 == 0 goto l0_%=;				\
110 	r1 = *(u64*)(r0 + 0);				\
111 	w2 = %[max_entries];				\
112 	if r2 s> r1 goto l1_%=;				\
113 	w1 = 0;						\
114 l1_%=:	w1 <<= 2;					\
115 	r0 += r1;					\
116 	goto l2_%=;					\
117 l2_%=:	r1 = %[test_val_foo];				\
118 	*(u64*)(r0 + 0) = r1;				\
119 l0_%=:	exit;						\
120 "	:
121 	: __imm(bpf_map_lookup_elem),
122 	  __imm_addr(map_hash_48b),
123 	  __imm_const(max_entries, MAX_ENTRIES),
124 	  __imm_const(test_val_foo, offsetof(struct test_val, foo))
125 	: __clobber_all);
126 }
127 
128 SEC("tracepoint")
129 __description("search pruning: all branches should be verified (nop operation)")
130 __failure __msg("R6 invalid mem access 'scalar'")
131 __naked void should_be_verified_nop_operation(void)
132 {
133 	asm volatile ("					\
134 	r2 = r10;					\
135 	r2 += -8;					\
136 	r1 = 0;						\
137 	*(u64*)(r2 + 0) = r1;				\
138 	r1 = %[map_hash_8b] ll;				\
139 	call %[bpf_map_lookup_elem];			\
140 	if r0 == 0 goto l0_%=;				\
141 	r3 = *(u64*)(r0 + 0);				\
142 	if r3 == 0xbeef goto l1_%=;			\
143 	r4 = 0;						\
144 	goto l2_%=;					\
145 l1_%=:	r4 = 1;						\
146 l2_%=:	*(u64*)(r10 - 16) = r4;				\
147 	call %[bpf_ktime_get_ns];			\
148 	r5 = *(u64*)(r10 - 16);				\
149 	if r5 == 0 goto l0_%=;				\
150 	r6 = 0;						\
151 	r1 = 0xdead;					\
152 	*(u64*)(r6 + 0) = r1;				\
153 l0_%=:	exit;						\
154 "	:
155 	: __imm(bpf_ktime_get_ns),
156 	  __imm(bpf_map_lookup_elem),
157 	  __imm_addr(map_hash_8b)
158 	: __clobber_all);
159 }
160 
161 SEC("socket")
162 __description("search pruning: all branches should be verified (invalid stack access)")
163 /* in privileged mode reads from uninitialized stack locations are permitted */
164 __success __failure_unpriv
165 __msg_unpriv("invalid read from stack off -16+0 size 8")
166 __retval(0)
167 __naked void be_verified_invalid_stack_access(void)
168 {
169 	asm volatile ("					\
170 	r2 = r10;					\
171 	r2 += -8;					\
172 	r1 = 0;						\
173 	*(u64*)(r2 + 0) = r1;				\
174 	r1 = %[map_hash_8b] ll;				\
175 	call %[bpf_map_lookup_elem];			\
176 	if r0 == 0 goto l0_%=;				\
177 	r3 = *(u64*)(r0 + 0);				\
178 	r4 = 0;						\
179 	if r3 == 0xbeef goto l1_%=;			\
180 	*(u64*)(r10 - 16) = r4;				\
181 	goto l2_%=;					\
182 l1_%=:	*(u64*)(r10 - 24) = r4;				\
183 l2_%=:	call %[bpf_ktime_get_ns];			\
184 	r5 = *(u64*)(r10 - 16);				\
185 l0_%=:	exit;						\
186 "	:
187 	: __imm(bpf_ktime_get_ns),
188 	  __imm(bpf_map_lookup_elem),
189 	  __imm_addr(map_hash_8b)
190 	: __clobber_all);
191 }
192 
193 SEC("tracepoint")
194 __description("precision tracking for u32 spill/fill")
195 __failure __msg("R0 min value is outside of the allowed memory range")
196 __naked void tracking_for_u32_spill_fill(void)
197 {
198 	asm volatile ("					\
199 	r7 = r1;					\
200 	call %[bpf_get_prandom_u32];			\
201 	w6 = 32;					\
202 	if r0 == 0 goto l0_%=;				\
203 	w6 = 4;						\
204 l0_%=:	/* Additional insns to introduce a pruning point. */\
205 	call %[bpf_get_prandom_u32];			\
206 	r3 = 0;						\
207 	r3 = 0;						\
208 	if r0 == 0 goto l1_%=;				\
209 	r3 = 0;						\
210 l1_%=:	/* u32 spill/fill */				\
211 	*(u32*)(r10 - 8) = r6;				\
212 	r8 = *(u32*)(r10 - 8);				\
213 	/* out-of-bound map value access for r6=32 */	\
214 	r1 = 0;						\
215 	*(u64*)(r10 - 16) = r1;				\
216 	r2 = r10;					\
217 	r2 += -16;					\
218 	r1 = %[map_hash_8b] ll;				\
219 	call %[bpf_map_lookup_elem];			\
220 	if r0 == 0 goto l2_%=;				\
221 	r0 += r8;					\
222 	r1 = *(u32*)(r0 + 0);				\
223 l2_%=:	r0 = 0;						\
224 	exit;						\
225 "	:
226 	: __imm(bpf_get_prandom_u32),
227 	  __imm(bpf_map_lookup_elem),
228 	  __imm_addr(map_hash_8b)
229 	: __clobber_all);
230 }
231 
232 SEC("tracepoint")
233 __description("precision tracking for u32 spills, u64 fill")
234 __failure __msg("div by zero")
235 __naked void for_u32_spills_u64_fill(void)
236 {
237 	asm volatile ("					\
238 	call %[bpf_get_prandom_u32];			\
239 	r6 = r0;					\
240 	w7 = 0xffffffff;				\
241 	/* Additional insns to introduce a pruning point. */\
242 	r3 = 1;						\
243 	r3 = 1;						\
244 	r3 = 1;						\
245 	r3 = 1;						\
246 	call %[bpf_get_prandom_u32];			\
247 	if r0 == 0 goto l0_%=;				\
248 	r3 = 1;						\
249 l0_%=:	w3 /= 0;					\
250 	/* u32 spills, u64 fill */			\
251 	*(u32*)(r10 - 4) = r6;				\
252 	*(u32*)(r10 - 8) = r7;				\
253 	r8 = *(u64*)(r10 - 8);				\
254 	/* if r8 != X goto pc+1  r8 known in fallthrough branch */\
255 	if r8 != 0xffffffff goto l1_%=;			\
256 	r3 = 1;						\
257 l1_%=:	/* if r8 == X goto pc+1  condition always true on first\
258 	 * traversal, so starts backtracking to mark r8 as requiring\
259 	 * precision. r7 marked as needing precision. r6 not marked\
260 	 * since it's not tracked.			\
261 	 */						\
262 	if r8 == 0xffffffff goto l2_%=;			\
263 	/* fails if r8 correctly marked unknown after fill. */\
264 	w3 /= 0;					\
265 l2_%=:	r0 = 0;						\
266 	exit;						\
267 "	:
268 	: __imm(bpf_get_prandom_u32)
269 	: __clobber_all);
270 }
271 
272 SEC("socket")
273 __description("allocated_stack")
274 __success __msg("processed 15 insns")
275 __success_unpriv __msg_unpriv("") __log_level(1) __retval(0)
276 __naked void allocated_stack(void)
277 {
278 	asm volatile ("					\
279 	r6 = r1;					\
280 	call %[bpf_get_prandom_u32];			\
281 	r7 = r0;					\
282 	if r0 == 0 goto l0_%=;				\
283 	r0 = 0;						\
284 	*(u64*)(r10 - 8) = r6;				\
285 	r6 = *(u64*)(r10 - 8);				\
286 	*(u8*)(r10 - 9) = r7;				\
287 	r7 = *(u8*)(r10 - 9);				\
288 l0_%=:	if r0 != 0 goto l1_%=;				\
289 l1_%=:	if r0 != 0 goto l2_%=;				\
290 l2_%=:	if r0 != 0 goto l3_%=;				\
291 l3_%=:	if r0 != 0 goto l4_%=;				\
292 l4_%=:	exit;						\
293 "	:
294 	: __imm(bpf_get_prandom_u32)
295 	: __clobber_all);
296 }
297 
298 /* The test performs a conditional 64-bit write to a stack location
299  * fp[-8], this is followed by an unconditional 8-bit write to fp[-8],
300  * then data is read from fp[-8]. This sequence is unsafe.
301  *
302  * The test would be mistakenly marked as safe w/o dst register parent
303  * preservation in verifier.c:copy_register_state() function.
304  *
305  * Note the usage of BPF_F_TEST_STATE_FREQ to force creation of the
306  * checkpoint state after conditional 64-bit assignment.
307  */
308 
309 SEC("socket")
310 __description("write tracking and register parent chain bug")
311 /* in privileged mode reads from uninitialized stack locations are permitted */
312 __success __failure_unpriv
313 __msg_unpriv("invalid read from stack off -8+1 size 8")
314 __retval(0) __flag(BPF_F_TEST_STATE_FREQ)
315 __naked void and_register_parent_chain_bug(void)
316 {
317 	asm volatile ("					\
318 	/* r6 = ktime_get_ns() */			\
319 	call %[bpf_ktime_get_ns];			\
320 	r6 = r0;					\
321 	/* r0 = ktime_get_ns() */			\
322 	call %[bpf_ktime_get_ns];			\
323 	/* if r0 > r6 goto +1 */			\
324 	if r0 > r6 goto l0_%=;				\
325 	/* *(u64 *)(r10 - 8) = 0xdeadbeef */		\
326 	r0 = 0xdeadbeef;				\
327 	*(u64*)(r10 - 8) = r0;				\
328 l0_%=:	r1 = 42;					\
329 	*(u8*)(r10 - 8) = r1;				\
330 	r2 = *(u64*)(r10 - 8);				\
331 	/* exit(0) */					\
332 	r0 = 0;						\
333 	exit;						\
334 "	:
335 	: __imm(bpf_ktime_get_ns)
336 	: __clobber_all);
337 }
338 
339 char _license[] SEC("license") = "GPL";
340