1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Converted from tools/testing/selftests/bpf/verifier/int_ptr.c */ |
3 | |
4 | #include <linux/bpf.h> |
5 | #include <bpf/bpf_helpers.h> |
6 | #include "bpf_misc.h" |
7 | |
/*
 * Verifier test: hand bpf_strtoul() a result pointer (arg4) that points at
 * an 8-byte stack slot which the program never wrote.
 *
 * Stack layout built by the asm below (r10 is the BPF frame pointer, "fp"):
 *   fp-8  .. fp-1 : input buffer, stored as the u64 0x00303036
 *                   (bytes '6' '0' '0' NUL on a little-endian host);
 *                   arg2 (buf_len) is 4, arg3 (flags) is 0
 *   fp-16 .. fp-9 : result slot, left uninitialized before the call
 *
 * Expected outcome per the annotations: the privileged load is accepted
 * (__success), the unprivileged load is rejected (__failure_unpriv) with
 * the message given in __msg_unpriv, which names R4 and offset -16+0,
 * i.e. the first byte of the result slot.
 *
 * NOTE(review): the unprivileged rejection presumably exists so that stale
 * kernel stack bytes cannot become observable to an unprivileged program
 * through a helper argument; confirm against the verifier's stack-read
 * checks before relying on this wording.
 * NOTE(review): the "socket" section is presumably chosen because that
 * program type can be loaded without privileges, which the *_unpriv
 * annotations need; confirm.
 */
8 | SEC("socket" ) |
9 | __description("ARG_PTR_TO_LONG uninitialized" ) |
10 | __success |
11 | __failure_unpriv __msg_unpriv("invalid indirect read from stack R4 off -16+0 size 8" ) |
12 | __naked void arg_ptr_to_long_uninitialized(void) |
13 | { |
14 | asm volatile (" \ |
15 | /* bpf_strtoul arg1 (buf) */ \ |
16 | r7 = r10; \ |
17 | r7 += -8; \ |
18 | r0 = 0x00303036; \ |
19 | *(u64*)(r7 + 0) = r0; \ |
20 | r1 = r7; \ |
21 | /* bpf_strtoul arg2 (buf_len) */ \ |
22 | r2 = 4; \ |
23 | /* bpf_strtoul arg3 (flags) */ \ |
24 | r3 = 0; \ |
25 | /* bpf_strtoul arg4 (res) */ \ |
26 | r7 += -8; \ |
27 | r4 = r7; \ |
28 | /* bpf_strtoul() */ \ |
29 | call %[bpf_strtoul]; \ |
30 | r0 = 1; \ |
31 | exit; \ |
32 | " : |
33 | : __imm(bpf_strtoul) |
34 | : __clobber_all); |
35 | } |
36 | |
/*
 * Verifier test: the result slot passed to bpf_strtoul() as arg4 is only
 * half written before the call.
 *
 * Stack layout built by the asm below (r10 is the BPF frame pointer, "fp"):
 *   fp-8  .. fp-1  : input buffer, stored as the u64 0x00303036;
 *                    arg2 (buf_len) is 4, arg3 (flags) is 0
 *   fp-16 .. fp-13 : low half of the result slot, written by the u32 store
 *   fp-12 .. fp-9  : high half of the result slot, never written
 *
 * Expected outcome per the annotations: the privileged load is accepted
 * and the program returns 0 (__retval(0) matches "r0 = 0" before exit);
 * the unprivileged load is rejected with the __msg_unpriv text, whose
 * "-16+4" points at the first unwritten byte of the slot.
 *
 * This is the case a reviewer should keep in mind when auditing helper
 * argument checks: a partially initialized slot must be treated the same
 * as a wholly uninitialized one for unprivileged programs.
 */
37 | SEC("socket" ) |
38 | __description("ARG_PTR_TO_LONG half-uninitialized" ) |
39 | /* in privileged mode reads from uninitialized stack locations are permitted */ |
40 | __success __failure_unpriv |
41 | __msg_unpriv("invalid indirect read from stack R4 off -16+4 size 8" ) |
42 | __retval(0) |
43 | __naked void ptr_to_long_half_uninitialized(void) |
44 | { |
45 | asm volatile (" \ |
46 | /* bpf_strtoul arg1 (buf) */ \ |
47 | r7 = r10; \ |
48 | r7 += -8; \ |
49 | r0 = 0x00303036; \ |
50 | *(u64*)(r7 + 0) = r0; \ |
51 | r1 = r7; \ |
52 | /* bpf_strtoul arg2 (buf_len) */ \ |
53 | r2 = 4; \ |
54 | /* bpf_strtoul arg3 (flags) */ \ |
55 | r3 = 0; \ |
56 | /* bpf_strtoul arg4 (res) */ \ |
57 | r7 += -8; \ |
58 | *(u32*)(r7 + 0) = r0; \ |
59 | r4 = r7; \ |
60 | /* bpf_strtoul() */ \ |
61 | call %[bpf_strtoul]; \ |
62 | r0 = 0; \ |
63 | exit; \ |
64 | " : |
65 | : __imm(bpf_strtoul) |
66 | : __clobber_all); |
67 | } |
68 | |
/*
 * Verifier test: the result pointer passed to bpf_strtoul() as arg4 is
 * fully initialized but not 8-byte aligned.
 *
 * Stack layout built by the asm below (r10 is the BPF frame pointer, "fp"):
 *   fp-8  .. fp-1  : input buffer, first stored as the u64 0x00303036;
 *                    arg2 (buf_len) is 4, arg3 (flags) is 0
 *   fp-20 .. fp-17 : zeroed by the u32 store at r7 + 0
 *   fp-16 .. fp-9  : zeroed by the u64 store at r7 + 4
 * r4 is fp-20 (fp-8 minus 12), which is 4-byte but not 8-byte aligned.
 * Every byte the helper would touch has been written, so alignment is the
 * only property of the slot that is wrong.
 *
 * Expected outcome per the annotations: the load is rejected (__failure)
 * with the "misaligned stack access" message naming offset -20 and size 8.
 */
69 | SEC("cgroup/sysctl" ) |
70 | __description("ARG_PTR_TO_LONG misaligned" ) |
71 | __failure __msg("misaligned stack access off 0+-20+0 size 8" ) |
72 | __naked void arg_ptr_to_long_misaligned(void) |
73 | { |
74 | asm volatile (" \ |
75 | /* bpf_strtoul arg1 (buf) */ \ |
76 | r7 = r10; \ |
77 | r7 += -8; \ |
78 | r0 = 0x00303036; \ |
79 | *(u64*)(r7 + 0) = r0; \ |
80 | r1 = r7; \ |
81 | /* bpf_strtoul arg2 (buf_len) */ \ |
82 | r2 = 4; \ |
83 | /* bpf_strtoul arg3 (flags) */ \ |
84 | r3 = 0; \ |
85 | /* bpf_strtoul arg4 (res) */ \ |
86 | r7 += -12; \ |
87 | r0 = 0; \ |
88 | *(u32*)(r7 + 0) = r0; \ |
89 | *(u64*)(r7 + 4) = r0; \ |
90 | r4 = r7; \ |
91 | /* bpf_strtoul() */ \ |
92 | call %[bpf_strtoul]; \ |
93 | r0 = 1; \ |
94 | exit; \ |
95 | " : |
96 | : __imm(bpf_strtoul) |
97 | : __clobber_all); |
98 | } |
99 | |
/*
 * Verifier test: the result pointer passed to bpf_strtoul() as arg4 has
 * only 4 bytes of stack behind it, while the helper accesses 8.
 *
 * Stack layout built by the asm below (r10 is the BPF frame pointer, "fp"):
 *   fp-16 .. fp-9 : input buffer, stored as the u64 0x00303036;
 *                   arg2 (buf_len) is 4, arg3 (flags) is 0
 *   fp-4  .. fp-1 : written by the u32 store; r4 points here
 *                   (fp-16 plus 12)
 * An 8-byte access starting at fp-4 would run 4 bytes past the top of the
 * program's stack frame, so this is the out-of-bounds case for the
 * helper's result argument.
 *
 * Expected outcome per the annotations: the load is rejected (__failure)
 * with the "invalid indirect access to stack R4 off=-4 size=8" message.
 */
100 | SEC("cgroup/sysctl" ) |
101 | __description("ARG_PTR_TO_LONG size < sizeof(long)" ) |
102 | __failure __msg("invalid indirect access to stack R4 off=-4 size=8" ) |
103 | __naked void to_long_size_sizeof_long(void) |
104 | { |
105 | asm volatile (" \ |
106 | /* bpf_strtoul arg1 (buf) */ \ |
107 | r7 = r10; \ |
108 | r7 += -16; \ |
109 | r0 = 0x00303036; \ |
110 | *(u64*)(r7 + 0) = r0; \ |
111 | r1 = r7; \ |
112 | /* bpf_strtoul arg2 (buf_len) */ \ |
113 | r2 = 4; \ |
114 | /* bpf_strtoul arg3 (flags) */ \ |
115 | r3 = 0; \ |
116 | /* bpf_strtoul arg4 (res) */ \ |
117 | r7 += 12; \ |
118 | *(u32*)(r7 + 0) = r0; \ |
119 | r4 = r7; \ |
120 | /* bpf_strtoul() */ \ |
121 | call %[bpf_strtoul]; \ |
122 | r0 = 1; \ |
123 | exit; \ |
124 | " : |
125 | : __imm(bpf_strtoul) |
126 | : __clobber_all); |
127 | } |
128 | |
/*
 * Verifier test (positive control): the result pointer passed to
 * bpf_strtoul() as arg4 is an 8-byte, fully written stack slot.
 *
 * Stack layout built by the asm below (r10 is the BPF frame pointer, "fp"):
 *   fp-8  .. fp-1 : input buffer, stored as the u64 0x00303036;
 *                   arg2 (buf_len) is 4, arg3 (flags) is 0
 *   fp-16 .. fp-9 : result slot, written in full by the u64 store of r0
 *
 * Expected outcome per the annotations: the load is accepted (__success).
 * Taken with the rejecting tests in this file, it shows that the slot's
 * initialization, alignment and size are what the verifier objects to,
 * not the helper call itself.
 */
129 | SEC("cgroup/sysctl" ) |
130 | __description("ARG_PTR_TO_LONG initialized" ) |
131 | __success |
132 | __naked void arg_ptr_to_long_initialized(void) |
133 | { |
134 | asm volatile (" \ |
135 | /* bpf_strtoul arg1 (buf) */ \ |
136 | r7 = r10; \ |
137 | r7 += -8; \ |
138 | r0 = 0x00303036; \ |
139 | *(u64*)(r7 + 0) = r0; \ |
140 | r1 = r7; \ |
141 | /* bpf_strtoul arg2 (buf_len) */ \ |
142 | r2 = 4; \ |
143 | /* bpf_strtoul arg3 (flags) */ \ |
144 | r3 = 0; \ |
145 | /* bpf_strtoul arg4 (res) */ \ |
146 | r7 += -8; \ |
147 | *(u64*)(r7 + 0) = r0; \ |
148 | r4 = r7; \ |
149 | /* bpf_strtoul() */ \ |
150 | call %[bpf_strtoul]; \ |
151 | r0 = 1; \ |
152 | exit; \ |
153 | " : |
154 | : __imm(bpf_strtoul) |
155 | : __clobber_all); |
156 | } |
157 | |
/*
 * License string emitted into the object's "license" section. The kernel
 * reads it at program load time; a GPL-compatible value is what permits
 * calls to helpers that are restricted to GPL programs.
 */
158 | char _license[] SEC("license" ) = "GPL" ; |
159 | |