xref: /linux/tools/testing/selftests/bpf/verifier/precise.c (revision 51a8f9d7f587290944d6fc733d1f897091c63159)
/*
 * "precise: test 1"
 *
 * Precision-backtracking check for the size argument of
 * bpf_probe_read_kernel(). R2 is derived from the difference of two
 * map-value pointers (insns 17-19), bounded by the branch at insn 20 and
 * then used as the helper's size at insn 26. The program is expected to
 * load; what the test pins down is the verifier's verbose log, i.e. the
 * chain of registers it marks precise while walking back from the call.
 *
 * Why this matters for reviewers: precision marks decide which scalar
 * values state pruning must compare exactly. A regression that drops a
 * mark here would presumably show up as a changed or missing log line long
 * before it shows up as an unsafe program being accepted.
 *
 * Reading the expected log: "regs=" is read here as a hex bitmask of
 * register numbers (4 = R2, 200 = R9, 300 = R8|R9, 201 = R0|R9), which
 * matches the data flow r2 <- r9 <- (r9 - r8) <- r0 visible in insns 19,
 * 18 and 17. "before N" names the instruction index being stepped over.
 * Instruction indexes are noted on each line below; BPF_LD_MAP_FD takes
 * two slots, which is why the helper call lands on index 26.
 */
1 {
2 	"precise: test 1",
3 	.insns = {
4 	BPF_MOV64_IMM(BPF_REG_0, 1), /* 0: r0 = 1 */
5 	BPF_LD_MAP_FD(BPF_REG_6, 0), /* 1-2: r6 = map (fd placeholder 0, patched via the fixup below) */
6 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 3: r1 = map */
7 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), /* 4: r2 = fp */
8 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* 5: r2 = fp - 8 (key pointer) */
9 	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0), /* 6: *(u64 *)(fp - 8) = 0 (key = 0) */
10 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), /* 7: first lookup */
11 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 8: skip the exit when r0 != 0 */
12 	BPF_EXIT_INSN(), /* 9: lookup returned 0 */
13 
14 	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), /* 10: r9 = first lookup result */
15 
16 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 11: r1 = map */
17 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), /* 12: r2 = fp */
18 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* 13: r2 = fp - 8 (same key) */
19 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), /* 14: second lookup */
20 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 15: skip the exit when r0 != 0 */
21 	BPF_EXIT_INSN(), /* 16: lookup returned 0 */
22 
23 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), /* 17: r8 = second lookup result */
24 
25 	BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* 18: map_value_ptr -= map_value_ptr */
26 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9), /* 19: r2 = pointer difference */
27 	BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1), /* 20: continue only when r2 < 8 (unsigned) */
28 	BPF_EXIT_INSN(), /* 21: r2 >= 8 */
29 
30 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* 22: R2=scalar(umin=1, umax=8) */
31 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP), /* 23: r1 = fp */
32 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), /* 24: r1 = fp - 8 (destination buffer) */
33 	BPF_MOV64_IMM(BPF_REG_3, 0), /* 25: r3 = 0 (source address argument) */
34 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), /* 26: size in R2 is where backtracking starts */
35 	BPF_EXIT_INSN(), /* 27 */
36 	},
37 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
	/* Index 1 is the BPF_LD_MAP_FD above; the field name suggests an array map with 48-byte values - confirm in the test harness. */
38 	.fixup_map_array_48b = { 1 },
	/* Program must load; errstr is matched against the verbose verifier log rather than an error. */
39 	.result = VERBOSE_ACCEPT,
	/*
	 * Expected log: two backtracking chunks, insns 20..26 and 10..19.
	 * The literal uses backslash-newline continuations, so the leading
	 * whitespace of each continued line is part of the string; do not
	 * re-indent it.
	 */
40 	.errstr =
41 	"26: (85) call bpf_probe_read_kernel#113\
42 	last_idx 26 first_idx 20\
43 	regs=4 stack=0 before 25\
44 	regs=4 stack=0 before 24\
45 	regs=4 stack=0 before 23\
46 	regs=4 stack=0 before 22\
47 	regs=4 stack=0 before 20\
48 	parent didn't have regs=4 stack=0 marks\
49 	last_idx 19 first_idx 10\
50 	regs=4 stack=0 before 19\
51 	regs=200 stack=0 before 18\
52 	regs=300 stack=0 before 17\
53 	regs=201 stack=0 before 15\
54 	regs=201 stack=0 before 14\
55 	regs=200 stack=0 before 13\
56 	regs=200 stack=0 before 12\
57 	regs=200 stack=0 before 11\
58 	regs=200 stack=0 before 10\
59 	parent already had regs=0 stack=0 marks",
60 },
/*
 * "precise: test 2"
 *
 * Same instruction stream as "precise: test 1", but loaded with
 * BPF_F_TEST_STATE_FREQ, a flag that asks the verifier to checkpoint
 * state more often. The expected log therefore walks through three
 * shorter chunks (insns 22..26, 20..20 and 17..19) instead of two, and
 * crosses more parent-state boundaries ("parent didn't have ... marks").
 * This exercises propagation of precision marks between checkpointed
 * states, which is the part that pruning decisions depend on.
 *
 * "regs=" is read here as a hex register bitmask: 4 = R2, 200 = R9,
 * 300 = R8|R9.
 */
61 {
62 	"precise: test 2",
63 	.insns = {
64 	BPF_MOV64_IMM(BPF_REG_0, 1), /* 0: r0 = 1 */
65 	BPF_LD_MAP_FD(BPF_REG_6, 0), /* 1-2: r6 = map (fd placeholder 0, patched via the fixup below) */
66 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 3: r1 = map */
67 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), /* 4: r2 = fp */
68 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* 5: r2 = fp - 8 (key pointer) */
69 	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0), /* 6: *(u64 *)(fp - 8) = 0 (key = 0) */
70 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), /* 7: first lookup */
71 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 8: skip the exit when r0 != 0 */
72 	BPF_EXIT_INSN(), /* 9: lookup returned 0 */
73 
74 	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), /* 10: r9 = first lookup result */
75 
76 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 11: r1 = map */
77 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), /* 12: r2 = fp */
78 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* 13: r2 = fp - 8 (same key) */
79 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), /* 14: second lookup */
80 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 15: skip the exit when r0 != 0 */
81 	BPF_EXIT_INSN(), /* 16: lookup returned 0 */
82 
83 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), /* 17: r8 = second lookup result */
84 
85 	BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* 18: map_value_ptr -= map_value_ptr */
86 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9), /* 19: r2 = pointer difference */
87 	BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1), /* 20: continue only when r2 < 8 (unsigned) */
88 	BPF_EXIT_INSN(), /* 21: r2 >= 8 */
89 
90 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* 22: R2=scalar(umin=1, umax=8) */
91 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP), /* 23: r1 = fp */
92 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), /* 24: r1 = fp - 8 (destination buffer) */
93 	BPF_MOV64_IMM(BPF_REG_3, 0), /* 25: r3 = 0 (source address argument) */
94 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), /* 26: size in R2 is where backtracking starts */
95 	BPF_EXIT_INSN(), /* 27 */
96 	},
97 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
	/* Index 1 is the BPF_LD_MAP_FD above; the field name suggests an array map with 48-byte values - confirm in the test harness. */
98 	.fixup_map_array_48b = { 1 },
	/* Program must load; errstr is matched against the verbose verifier log rather than an error. */
99 	.result = VERBOSE_ACCEPT,
	/* More frequent state checkpoints: this is the only difference from test 1 apart from the expected log. */
100 	.flags = BPF_F_TEST_STATE_FREQ,
	/* Expected log: chunks 22..26, 20..20 and 17..19. Continuation whitespace is part of the literal; do not re-indent. */
101 	.errstr =
102 	"26: (85) call bpf_probe_read_kernel#113\
103 	last_idx 26 first_idx 22\
104 	regs=4 stack=0 before 25\
105 	regs=4 stack=0 before 24\
106 	regs=4 stack=0 before 23\
107 	regs=4 stack=0 before 22\
108 	parent didn't have regs=4 stack=0 marks\
109 	last_idx 20 first_idx 20\
110 	regs=4 stack=0 before 20\
111 	parent didn't have regs=4 stack=0 marks\
112 	last_idx 19 first_idx 17\
113 	regs=4 stack=0 before 19\
114 	regs=200 stack=0 before 18\
115 	regs=300 stack=0 before 17\
116 	parent already had regs=0 stack=0 marks",
117 },
/*
 * "precise: cross frame pruning"
 *
 * Negative test: the program must be REJECTED with a "!read_ok" message.
 * R8 and R9 are each set to 0 or 1 depending on a random value, then a
 * bpf-to-bpf call is made (insn 9 -> insn 14). After the call returns,
 * the path on which R8 != 1 reaches insn 11, which loads through R2. R2
 * is never written by this program, so that load is presumably the
 * access the "!read_ok" message refers to.
 *
 * The security-relevant property: the verifier may only prune a path when
 * the already-verified state really covers it. Here the R8 == 1 path is
 * safe and the R8 == 0 path is not, with a subprogram frame in between.
 * If precision marks for R8 were lost across the call frame, the two
 * states could be treated as equivalent and the unsafe load would go
 * unverified; the test fails if the program loads.
 */
118 {
119 	"precise: cross frame pruning",
120 	.insns = {
121 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), /* 0: r0 = random */
122 	BPF_MOV64_IMM(BPF_REG_8, 0), /* 1: r8 = 0 */
123 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 2: keep r8 = 0 when r0 != 0 */
124 	BPF_MOV64_IMM(BPF_REG_8, 1), /* 3: r8 = 1 */
125 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), /* 4: r0 = random */
126 	BPF_MOV64_IMM(BPF_REG_9, 0), /* 5: r9 = 0 */
127 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 6: keep r9 = 0 when r0 != 0 */
128 	BPF_MOV64_IMM(BPF_REG_9, 1), /* 7: r9 = 1 */
129 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* 8: r1 = r0 (argument for the subprogram) */
130 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), /* 9: src_reg = 1 marks a bpf-to-bpf call; imm 4 -> target insn 14 */
131 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1), /* 10: r8 == 1 skips the load below */
132 	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0), /* 11: load through R2, which this program never initialises */
133 	BPF_MOV64_IMM(BPF_REG_0, 0), /* 12: r0 = 0 */
134 	BPF_EXIT_INSN(), /* 13: main program exit */
135 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), /* 14: subprogram entry; offset 0, so both edges reach insn 15 */
136 	BPF_EXIT_INSN(), /* 15: subprogram return */
137 	},
138 	.prog_type = BPF_PROG_TYPE_XDP,
	/* More frequent state checkpoints, so pruning is attempted around the call. */
139 	.flags = BPF_F_TEST_STATE_FREQ,
	/* Substring expected in the verifier's rejection message. */
140 	.errstr = "!read_ok",
141 	.result = REJECT,
142 },
/*
 * "precise: ST insn causing spi > allocated_stack"
 *
 * Backtracking through a stack slot that was written with an immediate
 * store (BPF_ST_MEM) via R3, a copy of the frame pointer, and read back
 * via R10. The conditional jumps at insns 1 and 5 have offset 0, so they
 * do not change control flow; with BPF_F_TEST_STATE_FREQ they presumably
 * serve to force state checkpoints around the store and the comparison.
 *
 * The program is expected to load and return -1 (R0 is set to -1 at
 * insn 4). The expected log shows precision for R4 (regs=10, hex mask)
 * being traced back over insns 4 and 3 to stack slot 0 (stack=1) at the
 * store in insn 2, then R0 (regs=1) for the right-hand side of the
 * comparison. The test title indicates the case being guarded is a stack
 * slot index beyond the allocated stack in a parent state during
 * backtracking - TODO confirm against the verifier change that added it.
 */
143 {
144 	"precise: ST insn causing spi > allocated_stack",
145 	.insns = {
146 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), /* 0: r3 = fp */
147 	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0), /* 1: offset 0, both edges reach insn 2 */
148 	BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0), /* 2: *(u64 *)(r3 - 8) = 0, i.e. fp - 8 written through the copy */
149 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), /* 3: r4 = *(u64 *)(fp - 8) */
150 	BPF_MOV64_IMM(BPF_REG_0, -1), /* 4: r0 = -1 (also the expected return value) */
151 	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0), /* 5: compares r4 with r0; offset 0, both edges reach insn 6 */
152 	BPF_EXIT_INSN(), /* 6 */
153 	},
154 	.prog_type = BPF_PROG_TYPE_XDP,
155 	.flags = BPF_F_TEST_STATE_FREQ,
	/* Expected verbose-log fragment. Continuation whitespace is part of the literal; do not re-indent. */
156 	.errstr = "5: (2d) if r4 > r0 goto pc+0\
157 	last_idx 5 first_idx 5\
158 	parent didn't have regs=10 stack=0 marks\
159 	last_idx 4 first_idx 2\
160 	regs=10 stack=0 before 4\
161 	regs=10 stack=0 before 3\
162 	regs=0 stack=1 before 2\
163 	last_idx 5 first_idx 5\
164 	parent didn't have regs=1 stack=0 marks",
	/* Program must load; errstr is matched against the verbose verifier log. */
165 	.result = VERBOSE_ACCEPT,
166 	.retval = -1,
167 },
/*
 * "precise: STX insn causing spi > allocated_stack"
 *
 * Register-store variant of the ST test: the value spilled to fp - 8 is
 * R0 from bpf_get_prandom_u32() (BPF_STX_MEM) instead of an immediate.
 * As in the ST case the store goes through R3, a copy of the frame
 * pointer, and the slot is read back through R10. The offset-0 jumps at
 * insns 2 and 6 do not change control flow; with BPF_F_TEST_STATE_FREQ
 * they presumably force state checkpoints.
 *
 * The program is expected to load and return -1. The expected log traces
 * R4 (regs=10, hex mask) back over insns 5 and 4 to stack slot 0
 * (stack=1) at the store in insn 3, then traces R0 (regs=1) back to
 * insn 5 where it is set to -1.
 */
168 {
169 	"precise: STX insn causing spi > allocated_stack",
170 	.insns = {
171 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32), /* 0: r0 = random */
172 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), /* 1: r3 = fp */
173 	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0), /* 2: offset 0, both edges reach insn 3 */
174 	BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8), /* 3: *(u64 *)(r3 - 8) = r0, i.e. fp - 8 written through the copy */
175 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), /* 4: r4 = *(u64 *)(fp - 8) */
176 	BPF_MOV64_IMM(BPF_REG_0, -1), /* 5: r0 = -1 (also the expected return value) */
177 	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0), /* 6: compares r4 with r0; offset 0, both edges reach insn 7 */
178 	BPF_EXIT_INSN(), /* 7 */
179 	},
180 	.prog_type = BPF_PROG_TYPE_XDP,
181 	.flags = BPF_F_TEST_STATE_FREQ,
	/* Expected verbose-log fragment. Continuation whitespace is part of the literal; do not re-indent. */
182 	.errstr = "last_idx 6 first_idx 6\
183 	parent didn't have regs=10 stack=0 marks\
184 	last_idx 5 first_idx 3\
185 	regs=10 stack=0 before 5\
186 	regs=10 stack=0 before 4\
187 	regs=0 stack=1 before 3\
188 	last_idx 6 first_idx 6\
189 	parent didn't have regs=1 stack=0 marks\
190 	last_idx 5 first_idx 3\
191 	regs=1 stack=0 before 5",
	/* Program must load; errstr is matched against the verbose verifier log. */
192 	.result = VERBOSE_ACCEPT,
193 	.retval = -1,
194 },
/*
 * "precise: mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO"
 *
 * Negative test: the program must be REJECTED. The size passed to
 * bpf_ringbuf_reserve() in R2 is either 1 or 0x1000 depending on a
 * runtime value (xdp_md->ingress_ifindex), and the returned record is
 * then read at offset 42 with an 8-byte load. That load is in bounds for
 * a 0x1000-byte record and out of bounds for a 1-byte record, so the
 * verifier has to examine both sizes separately.
 *
 * The security-relevant property: the helper's size argument determines
 * the bounds of the memory it returns, so it has to be tracked precisely.
 * If R2 were left imprecise at the call, the state reaching insn 8 with
 * size 1 could be pruned as equivalent to the already-verified size
 * 0x1000 state (which one is explored first is an assumption here), and
 * the out-of-bounds read would be accepted. The expected message carries
 * mem_size=1, showing the small-size path was actually verified.
 */
195 {
196 	"precise: mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO",
197 	.insns = {
198 	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, offsetof(struct xdp_md, ingress_ifindex)), /* 0: r4 = ctx->ingress_ifindex (runtime value) */
199 	BPF_LD_MAP_FD(BPF_REG_6, 0), /* 1-2: r6 = ringbuf map (fd placeholder 0, patched via the fixup below) */
200 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 3: r1 = map */
201 	BPF_MOV64_IMM(BPF_REG_2, 1), /* 4: r2 = 1 (small size) */
202 	BPF_MOV64_IMM(BPF_REG_3, 0), /* 5: r3 = 0 (flags) */
203 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0, 1), /* 6: r4 == 0 keeps r2 = 1 */
204 	BPF_MOV64_IMM(BPF_REG_2, 0x1000), /* 7: r2 = 0x1000 (large size) */
205 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve), /* 8: both sizes converge on this call */
206 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* 9: skip the exit when the reservation succeeded */
207 	BPF_EXIT_INSN(), /* 10: reservation returned 0 */
208 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* 11: r1 = record pointer (argument for submit) */
209 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 42), /* 12: 8-byte load at offset 42; out of bounds when size was 1 */
210 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit), /* 13: submit the record */
211 	BPF_MOV64_IMM(BPF_REG_0, 0), /* 14: r0 = 0 */
212 	BPF_EXIT_INSN(), /* 15 */
213 	},
	/* Index 1 is the BPF_LD_MAP_FD above. */
214 	.fixup_map_ringbuf = { 1 },
215 	.prog_type = BPF_PROG_TYPE_XDP,
	/* More frequent state checkpoints, so pruning is attempted at the converging call. */
216 	.flags = BPF_F_TEST_STATE_FREQ,
	/* mem_size=1 off=42 size=8 corresponds to the r2 = 1 path and the load at insn 12. */
217 	.errstr = "invalid access to memory, mem_size=1 off=42 size=8",
218 	.result = REJECT,
219 },
220