1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Converted from tools/testing/selftests/bpf/verifier/map_ret_val.c */ |
3 | |
4 | #include <linux/bpf.h> |
5 | #include <bpf/bpf_helpers.h> |
6 | #include "../../../include/linux/filter.h" |
7 | #include "bpf_misc.h" |
8 | |
9 | struct { |
10 | __uint(type, BPF_MAP_TYPE_HASH); |
11 | __uint(max_entries, 1); |
12 | __type(key, long long); |
13 | __type(value, long long); |
14 | } map_hash_8b SEC(".maps" ); |
15 | |
16 | SEC("socket" ) |
17 | __description("invalid map_fd for function call" ) |
18 | __failure __msg("fd 0 is not pointing to valid bpf_map" ) |
19 | __failure_unpriv |
20 | __naked void map_fd_for_function_call(void) |
21 | { |
22 | asm volatile (" \ |
23 | r2 = 0; \ |
24 | *(u64*)(r10 - 8) = r2; \ |
25 | r2 = r10; \ |
26 | r2 += -8; \ |
27 | .8byte %[ld_map_fd]; \ |
28 | .8byte 0; \ |
29 | call %[bpf_map_delete_elem]; \ |
30 | exit; \ |
31 | " : |
32 | : __imm(bpf_map_delete_elem), |
33 | __imm_insn(ld_map_fd, BPF_RAW_INSN(BPF_LD | BPF_DW | BPF_IMM, BPF_REG_1, BPF_PSEUDO_MAP_FD, 0, 0)) |
34 | : __clobber_all); |
35 | } |
36 | |
37 | SEC("socket" ) |
38 | __description("don't check return value before access" ) |
39 | __failure __msg("R0 invalid mem access 'map_value_or_null'" ) |
40 | __failure_unpriv |
41 | __naked void check_return_value_before_access(void) |
42 | { |
43 | asm volatile (" \ |
44 | r1 = 0; \ |
45 | *(u64*)(r10 - 8) = r1; \ |
46 | r2 = r10; \ |
47 | r2 += -8; \ |
48 | r1 = %[map_hash_8b] ll; \ |
49 | call %[bpf_map_lookup_elem]; \ |
50 | r1 = 0; \ |
51 | *(u64*)(r0 + 0) = r1; \ |
52 | exit; \ |
53 | " : |
54 | : __imm(bpf_map_lookup_elem), |
55 | __imm_addr(map_hash_8b) |
56 | : __clobber_all); |
57 | } |
58 | |
59 | SEC("socket" ) |
60 | __description("access memory with incorrect alignment" ) |
61 | __failure __msg("misaligned value access" ) |
62 | __failure_unpriv |
63 | __flag(BPF_F_STRICT_ALIGNMENT) |
64 | __naked void access_memory_with_incorrect_alignment_1(void) |
65 | { |
66 | asm volatile (" \ |
67 | r1 = 0; \ |
68 | *(u64*)(r10 - 8) = r1; \ |
69 | r2 = r10; \ |
70 | r2 += -8; \ |
71 | r1 = %[map_hash_8b] ll; \ |
72 | call %[bpf_map_lookup_elem]; \ |
73 | if r0 == 0 goto l0_%=; \ |
74 | r1 = 0; \ |
75 | *(u64*)(r0 + 4) = r1; \ |
76 | l0_%=: exit; \ |
77 | " : |
78 | : __imm(bpf_map_lookup_elem), |
79 | __imm_addr(map_hash_8b) |
80 | : __clobber_all); |
81 | } |
82 | |
83 | SEC("socket" ) |
84 | __description("sometimes access memory with incorrect alignment" ) |
85 | __failure __msg("R0 invalid mem access" ) |
86 | __msg_unpriv("R0 leaks addr" ) |
87 | __flag(BPF_F_STRICT_ALIGNMENT) |
88 | __naked void access_memory_with_incorrect_alignment_2(void) |
89 | { |
90 | asm volatile (" \ |
91 | r1 = 0; \ |
92 | *(u64*)(r10 - 8) = r1; \ |
93 | r2 = r10; \ |
94 | r2 += -8; \ |
95 | r1 = %[map_hash_8b] ll; \ |
96 | call %[bpf_map_lookup_elem]; \ |
97 | if r0 == 0 goto l0_%=; \ |
98 | r1 = 0; \ |
99 | *(u64*)(r0 + 0) = r1; \ |
100 | exit; \ |
101 | l0_%=: r1 = 1; \ |
102 | *(u64*)(r0 + 0) = r1; \ |
103 | exit; \ |
104 | " : |
105 | : __imm(bpf_map_lookup_elem), |
106 | __imm_addr(map_hash_8b) |
107 | : __clobber_all); |
108 | } |
109 | |
110 | char _license[] SEC("license" ) = "GPL" ; |
111 | |