1 // SPDX-License-Identifier: GPL-2.0 2 /* Converted from tools/testing/selftests/bpf/verifier/value_adj_spill.c */ 3 4 #include <linux/bpf.h> 5 #include <bpf/bpf_helpers.h> 6 #include "bpf_misc.h" 7 8 #define MAX_ENTRIES 11 9 10 struct test_val { 11 unsigned int index; 12 int foo[MAX_ENTRIES]; 13 }; 14 15 struct { 16 __uint(type, BPF_MAP_TYPE_HASH); 17 __uint(max_entries, 1); 18 __type(key, long long); 19 __type(value, struct test_val); 20 } map_hash_48b SEC(".maps"); 21 22 SEC("socket") 23 __description("map element value is preserved across register spilling") 24 __success __failure_unpriv __msg_unpriv("R0 leaks addr") 25 __retval(0) is_preserved_across_register_spilling(void)26__naked void is_preserved_across_register_spilling(void) 27 { 28 asm volatile (" \ 29 r2 = r10; \ 30 r2 += -8; \ 31 r1 = 0; \ 32 *(u64*)(r2 + 0) = r1; \ 33 r1 = %[map_hash_48b] ll; \ 34 call %[bpf_map_lookup_elem]; \ 35 if r0 == 0 goto l0_%=; \ 36 r1 = 42; \ 37 *(u64*)(r0 + 0) = r1; \ 38 r1 = r10; \ 39 r1 += -184; \ 40 *(u64*)(r1 + 0) = r0; \ 41 r3 = *(u64*)(r1 + 0); \ 42 r1 = 42; \ 43 *(u64*)(r3 + 0) = r1; \ 44 l0_%=: exit; \ 45 " : 46 : __imm(bpf_map_lookup_elem), 47 __imm_addr(map_hash_48b) 48 : __clobber_all); 49 } 50 51 SEC("socket") 52 __description("map element value or null is marked on register spilling") 53 __success __failure_unpriv __msg_unpriv("R0 leaks addr") 54 __retval(0) is_marked_on_register_spilling(void)55__naked void is_marked_on_register_spilling(void) 56 { 57 asm volatile (" \ 58 r2 = r10; \ 59 r2 += -8; \ 60 r1 = 0; \ 61 *(u64*)(r2 + 0) = r1; \ 62 r1 = %[map_hash_48b] ll; \ 63 call %[bpf_map_lookup_elem]; \ 64 r1 = r10; \ 65 r1 += -152; \ 66 *(u64*)(r1 + 0) = r0; \ 67 if r0 == 0 goto l0_%=; \ 68 r3 = *(u64*)(r1 + 0); \ 69 r1 = 42; \ 70 *(u64*)(r3 + 0) = r1; \ 71 l0_%=: exit; \ 72 " : 73 : __imm(bpf_map_lookup_elem), 74 __imm_addr(map_hash_48b) 75 : __clobber_all); 76 } 77 78 char _license[] SEC("license") = "GPL"; 79