xref: /linux/tools/testing/selftests/bpf/verifier/precise.c (revision 0f7e753fc3851aac8aeea6b551cbbcf6ca9093dd)
1 {
2 	"precise: test 1",
3 	.insns = {
4 	BPF_MOV64_IMM(BPF_REG_0, 1),
5 	BPF_LD_MAP_FD(BPF_REG_6, 0),
6 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
8 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9 	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
10 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12 	BPF_EXIT_INSN(),
13 
14 	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
15 
16 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
17 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
18 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
19 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
20 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
21 	BPF_EXIT_INSN(),
22 
23 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
24 
25 	BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
26 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
27 	BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
28 	BPF_EXIT_INSN(),
29 
30 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=scalar(umin=1, umax=8) */
31 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
32 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
33 	BPF_MOV64_IMM(BPF_REG_3, 0),
34 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
35 	BPF_EXIT_INSN(),
36 	},
37 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
38 	.fixup_map_array_48b = { 1 },
39 	.result = VERBOSE_ACCEPT,
40 	.errstr =
41 	"mark_precise: frame0: last_idx 26 first_idx 20\
42 	mark_precise: frame0: regs=r2 stack= before 25\
43 	mark_precise: frame0: regs=r2 stack= before 24\
44 	mark_precise: frame0: regs=r2 stack= before 23\
45 	mark_precise: frame0: regs=r2 stack= before 22\
46 	mark_precise: frame0: regs=r2 stack= before 20\
47 	mark_precise: frame0: parent state regs=r2 stack=:\
48 	mark_precise: frame0: last_idx 19 first_idx 10\
49 	mark_precise: frame0: regs=r2,r9 stack= before 19\
50 	mark_precise: frame0: regs=r9 stack= before 18\
51 	mark_precise: frame0: regs=r8,r9 stack= before 17\
52 	mark_precise: frame0: regs=r0,r9 stack= before 15\
53 	mark_precise: frame0: regs=r0,r9 stack= before 14\
54 	mark_precise: frame0: regs=r9 stack= before 13\
55 	mark_precise: frame0: regs=r9 stack= before 12\
56 	mark_precise: frame0: regs=r9 stack= before 11\
57 	mark_precise: frame0: regs=r9 stack= before 10\
58 	mark_precise: frame0: parent state regs= stack=:",
59 },
60 {
61 	"precise: test 2",
62 	.insns = {
63 	BPF_MOV64_IMM(BPF_REG_0, 1),
64 	BPF_LD_MAP_FD(BPF_REG_6, 0),
65 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
66 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
67 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
68 	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
69 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
70 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
71 	BPF_EXIT_INSN(),
72 
73 	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
74 
75 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
76 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
77 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
78 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
79 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
80 	BPF_EXIT_INSN(),
81 
82 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
83 
84 	BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
85 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
86 	BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
87 	BPF_EXIT_INSN(),
88 
89 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=scalar(umin=1, umax=8) */
90 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
91 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
92 	BPF_MOV64_IMM(BPF_REG_3, 0),
93 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
94 	BPF_EXIT_INSN(),
95 	},
96 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
97 	.fixup_map_array_48b = { 1 },
98 	.result = VERBOSE_ACCEPT,
99 	.flags = BPF_F_TEST_STATE_FREQ,
100 	.errstr =
101 	"26: (85) call bpf_probe_read_kernel#113\
102 	mark_precise: frame0: last_idx 26 first_idx 22\
103 	mark_precise: frame0: regs=r2 stack= before 25\
104 	mark_precise: frame0: regs=r2 stack= before 24\
105 	mark_precise: frame0: regs=r2 stack= before 23\
106 	mark_precise: frame0: regs=r2 stack= before 22\
107 	mark_precise: frame0: parent state regs=r2 stack=:\
108 	mark_precise: frame0: last_idx 20 first_idx 20\
109 	mark_precise: frame0: regs=r2,r9 stack= before 20\
110 	mark_precise: frame0: parent state regs=r2,r9 stack=:\
111 	mark_precise: frame0: last_idx 19 first_idx 17\
112 	mark_precise: frame0: regs=r2,r9 stack= before 19\
113 	mark_precise: frame0: regs=r9 stack= before 18\
114 	mark_precise: frame0: regs=r8,r9 stack= before 17\
115 	mark_precise: frame0: parent state regs= stack=:",
116 },
117 {
118 	"precise: cross frame pruning",
119 	.insns = {
120 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
121 	BPF_MOV64_IMM(BPF_REG_8, 0),
122 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
123 	BPF_MOV64_IMM(BPF_REG_8, 1),
124 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
125 	BPF_MOV64_IMM(BPF_REG_9, 0),
126 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
127 	BPF_MOV64_IMM(BPF_REG_9, 1),
128 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
130 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
131 	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
132 	BPF_MOV64_IMM(BPF_REG_0, 0),
133 	BPF_EXIT_INSN(),
134 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
135 	BPF_EXIT_INSN(),
136 	},
137 	.prog_type = BPF_PROG_TYPE_XDP,
138 	.flags = BPF_F_TEST_STATE_FREQ,
139 	.errstr = "!read_ok",
140 	.result = REJECT,
141 },
142 {
143 	"precise: ST insn causing spi > allocated_stack",
144 	.insns = {
145 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
146 	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
147 	BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
148 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
149 	BPF_MOV64_IMM(BPF_REG_0, -1),
150 	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
151 	BPF_EXIT_INSN(),
152 	},
153 	.prog_type = BPF_PROG_TYPE_XDP,
154 	.flags = BPF_F_TEST_STATE_FREQ,
155 	.errstr = "mark_precise: frame0: last_idx 5 first_idx 5\
156 	mark_precise: frame0: parent state regs=r4 stack=:\
157 	mark_precise: frame0: last_idx 4 first_idx 2\
158 	mark_precise: frame0: regs=r4 stack= before 4\
159 	mark_precise: frame0: regs=r4 stack= before 3\
160 	mark_precise: frame0: regs= stack=-8 before 2\
161 	mark_precise: frame0: falling back to forcing all scalars precise\
162 	force_precise: frame0: forcing r0 to be precise\
163 	mark_precise: frame0: last_idx 5 first_idx 5\
164 	mark_precise: frame0: parent state regs= stack=:",
165 	.result = VERBOSE_ACCEPT,
166 	.retval = -1,
167 },
168 {
169 	"precise: STX insn causing spi > allocated_stack",
170 	.insns = {
171 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
172 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
173 	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
174 	BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
175 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
176 	BPF_MOV64_IMM(BPF_REG_0, -1),
177 	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
178 	BPF_EXIT_INSN(),
179 	},
180 	.prog_type = BPF_PROG_TYPE_XDP,
181 	.flags = BPF_F_TEST_STATE_FREQ,
182 	.errstr = "mark_precise: frame0: last_idx 6 first_idx 6\
183 	mark_precise: frame0: parent state regs=r4 stack=:\
184 	mark_precise: frame0: last_idx 5 first_idx 3\
185 	mark_precise: frame0: regs=r4 stack= before 5\
186 	mark_precise: frame0: regs=r4 stack= before 4\
187 	mark_precise: frame0: regs= stack=-8 before 3\
188 	mark_precise: frame0: falling back to forcing all scalars precise\
189 	force_precise: frame0: forcing r0 to be precise\
190 	force_precise: frame0: forcing r0 to be precise\
191 	force_precise: frame0: forcing r0 to be precise\
192 	force_precise: frame0: forcing r0 to be precise\
193 	mark_precise: frame0: last_idx 6 first_idx 6\
194 	mark_precise: frame0: parent state regs= stack=:",
195 	.result = VERBOSE_ACCEPT,
196 	.retval = -1,
197 },
198 {
199 	"precise: mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO",
200 	.insns = {
201 	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, offsetof(struct xdp_md, ingress_ifindex)),
202 	BPF_LD_MAP_FD(BPF_REG_6, 0),
203 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
204 	BPF_MOV64_IMM(BPF_REG_2, 1),
205 	BPF_MOV64_IMM(BPF_REG_3, 0),
206 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0, 1),
207 	BPF_MOV64_IMM(BPF_REG_2, 0x1000),
208 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
209 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
210 	BPF_EXIT_INSN(),
211 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
212 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 42),
213 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
214 	BPF_MOV64_IMM(BPF_REG_0, 0),
215 	BPF_EXIT_INSN(),
216 	},
217 	.fixup_map_ringbuf = { 1 },
218 	.prog_type = BPF_PROG_TYPE_XDP,
219 	.flags = BPF_F_TEST_STATE_FREQ | F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
220 	.errstr = "invalid access to memory, mem_size=1 off=42 size=8",
221 	.result = REJECT,
222 },
223 {
224 	"precise: program doesn't prematurely prune branches",
225 	.insns = {
226 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, 0x400),
227 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
228 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_8, 0),
229 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_9, 0x80000000),
230 		BPF_ALU64_IMM(BPF_MOD, BPF_REG_6, 0x401),
231 		BPF_JMP_IMM(BPF_JA, 0, 0, 0),
232 		BPF_JMP_REG(BPF_JLE, BPF_REG_6, BPF_REG_9, 2),
233 		BPF_ALU64_IMM(BPF_MOD, BPF_REG_6, 1),
234 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_9, 0),
235 		BPF_JMP_REG(BPF_JLE, BPF_REG_6, BPF_REG_9, 1),
236 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, 0),
237 		BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0),
238 		BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),
239 		BPF_LD_MAP_FD(BPF_REG_4, 0),
240 		BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_4),
241 		BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
242 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
243 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
244 		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
245 		BPF_EXIT_INSN(),
246 		BPF_ALU64_IMM(BPF_RSH, BPF_REG_6, 10),
247 		BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 8192),
248 		BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_0),
249 		BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
250 		BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
251 		BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_3, 0),
252 		BPF_EXIT_INSN(),
253 	},
254 	.fixup_map_array_48b = { 13 },
255 	.prog_type = BPF_PROG_TYPE_XDP,
256 	.result = REJECT,
257 	.errstr = "register with unbounded min value is not allowed",
258 },
259