1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/value_illegal_alu.c */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7 
8 #define MAX_ENTRIES 11
9 
10 struct test_val {
11 	unsigned int index;
12 	int foo[MAX_ENTRIES];
13 };
14 
15 struct {
16 	__uint(type, BPF_MAP_TYPE_HASH);
17 	__uint(max_entries, 1);
18 	__type(key, long long);
19 	__type(value, struct test_val);
20 } map_hash_48b SEC(".maps");
21 
22 SEC("socket")
23 __description("map element value illegal alu op, 1")
24 __failure __msg("R0 bitwise operator &= on pointer")
25 __failure_unpriv
value_illegal_alu_op_1(void)26 __naked void value_illegal_alu_op_1(void)
27 {
28 	asm volatile ("					\
29 	r2 = r10;					\
30 	r2 += -8;					\
31 	r1 = 0;						\
32 	*(u64*)(r2 + 0) = r1;				\
33 	r1 = %[map_hash_48b] ll;			\
34 	call %[bpf_map_lookup_elem];			\
35 	if r0 == 0 goto l0_%=;				\
36 	r0 &= 8;					\
37 	r1 = 22;					\
38 	*(u64*)(r0 + 0) = r1;				\
39 l0_%=:	exit;						\
40 "	:
41 	: __imm(bpf_map_lookup_elem),
42 	  __imm_addr(map_hash_48b)
43 	: __clobber_all);
44 }
45 
46 SEC("socket")
47 __description("map element value illegal alu op, 2")
48 __failure __msg("R0 32-bit pointer arithmetic prohibited")
49 __failure_unpriv
value_illegal_alu_op_2(void)50 __naked void value_illegal_alu_op_2(void)
51 {
52 	asm volatile ("					\
53 	r2 = r10;					\
54 	r2 += -8;					\
55 	r1 = 0;						\
56 	*(u64*)(r2 + 0) = r1;				\
57 	r1 = %[map_hash_48b] ll;			\
58 	call %[bpf_map_lookup_elem];			\
59 	if r0 == 0 goto l0_%=;				\
60 	w0 += 0;					\
61 	r1 = 22;					\
62 	*(u64*)(r0 + 0) = r1;				\
63 l0_%=:	exit;						\
64 "	:
65 	: __imm(bpf_map_lookup_elem),
66 	  __imm_addr(map_hash_48b)
67 	: __clobber_all);
68 }
69 
70 SEC("socket")
71 __description("map element value illegal alu op, 3")
72 __failure __msg("R0 pointer arithmetic with /= operator")
73 __failure_unpriv
value_illegal_alu_op_3(void)74 __naked void value_illegal_alu_op_3(void)
75 {
76 	asm volatile ("					\
77 	r2 = r10;					\
78 	r2 += -8;					\
79 	r1 = 0;						\
80 	*(u64*)(r2 + 0) = r1;				\
81 	r1 = %[map_hash_48b] ll;			\
82 	call %[bpf_map_lookup_elem];			\
83 	if r0 == 0 goto l0_%=;				\
84 	r0 /= 42;					\
85 	r1 = 22;					\
86 	*(u64*)(r0 + 0) = r1;				\
87 l0_%=:	exit;						\
88 "	:
89 	: __imm(bpf_map_lookup_elem),
90 	  __imm_addr(map_hash_48b)
91 	: __clobber_all);
92 }
93 
94 SEC("socket")
95 __description("map element value illegal alu op, 4")
96 __failure __msg("invalid mem access 'scalar'")
97 __failure_unpriv __msg_unpriv("R0 pointer arithmetic prohibited")
__flag(BPF_F_ANY_ALIGNMENT)98 __flag(BPF_F_ANY_ALIGNMENT)
99 __naked void value_illegal_alu_op_4(void)
100 {
101 	asm volatile ("					\
102 	r2 = r10;					\
103 	r2 += -8;					\
104 	r1 = 0;						\
105 	*(u64*)(r2 + 0) = r1;				\
106 	r1 = %[map_hash_48b] ll;			\
107 	call %[bpf_map_lookup_elem];			\
108 	if r0 == 0 goto l0_%=;				\
109 	r0 = be64 r0;					\
110 	r1 = 22;					\
111 	*(u64*)(r0 + 0) = r1;				\
112 l0_%=:	exit;						\
113 "	:
114 	: __imm(bpf_map_lookup_elem),
115 	  __imm_addr(map_hash_48b)
116 	: __clobber_all);
117 }
118 
119 SEC("socket")
120 __description("map element value illegal alu op, 5")
121 __failure __msg("R0 invalid mem access 'scalar'")
122 __msg_unpriv("leaking pointer from stack off -8")
__flag(BPF_F_ANY_ALIGNMENT)123 __flag(BPF_F_ANY_ALIGNMENT)
124 __naked void value_illegal_alu_op_5(void)
125 {
126 	asm volatile ("					\
127 	r2 = r10;					\
128 	r2 += -8;					\
129 	r1 = 0;						\
130 	*(u64*)(r2 + 0) = r1;				\
131 	r1 = %[map_hash_48b] ll;			\
132 	call %[bpf_map_lookup_elem];			\
133 	if r0 == 0 goto l0_%=;				\
134 	r3 = 4096;					\
135 	r2 = r10;					\
136 	r2 += -8;					\
137 	*(u64*)(r2 + 0) = r0;				\
138 	lock *(u64 *)(r2 + 0) += r3;			\
139 	r0 = *(u64*)(r2 + 0);				\
140 	r1 = 22;					\
141 	*(u64*)(r0 + 0) = r1;				\
142 l0_%=:	exit;						\
143 "	:
144 	: __imm(bpf_map_lookup_elem),
145 	  __imm_addr(map_hash_48b)
146 	: __clobber_all);
147 }
148 
149 SEC("flow_dissector")
150 __description("flow_keys illegal alu op with variable offset")
151 __failure __msg("R7 pointer arithmetic on flow_keys prohibited")
flow_keys_illegal_variable_offset_alu(void)152 __naked void flow_keys_illegal_variable_offset_alu(void)
153 {
154 	asm volatile("					\
155 	r6 = r1;					\
156 	r7 = *(u64*)(r6 + %[flow_keys_off]);		\
157 	r8 = 8;						\
158 	r8 /= 1;					\
159 	r8 &= 8;					\
160 	r7 += r8;					\
161 	r0 = *(u64*)(r7 + 0);				\
162 	exit;						\
163 "	:
164 	: __imm_const(flow_keys_off, offsetof(struct __sk_buff, flow_keys))
165 	: __clobber_all);
166 }
167 
168 char _license[] SEC("license") = "GPL";
169