// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/ctx.c */

/*
 * Verifier tests for how a program may use its context pointer (R1, as named
 * in the expected verifier messages below).
 *
 * Every test is a naked function whose body is a short BPF assembly sequence.
 * The SEC()/__description()/__success/__failure/__msg() annotations are
 * defined in headers that are not part of this file; the comments here read
 * them as "program type", "test title" and "expected verifier outcome / log
 * text".
 *
 * Taken together the cases pin down a safety property: a context pointer is
 * only accepted when the verifier can tell exactly which context field is
 * being touched. Atomic read-modify-write on ctx, constant or variable
 * pointer arithmetic on ctx, and scalars passed where ctx is expected are all
 * expected to be rejected, while NULL is accepted only by the helper that the
 * tests show as tolerating it.
 */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

/*
 * Atomic add of w0 into the 'mark' field of the context.
 * Expected to be rejected with "BPF_ATOMIC stores into R1 ctx is not allowed":
 * a plain offset into ctx is not enough to make an atomic store acceptable.
 */
SEC("tc")
__description("context stores via BPF_ATOMIC")
__failure __msg("BPF_ATOMIC stores into R1 ctx is not allowed")
__naked void context_stores_via_bpf_atomic(void)
{
	asm volatile ("	\
	r0 = 0;	\
	lock *(u32 *)(r1 + %[__sk_buff_mark]) += w0;	\
	exit;	\
"	:
	: __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
	: __clobber_all);
}

/*
 * Adds (offsetof(data) - offsetof(mark)) to R1 and then loads from
 * R1 + offsetof(mark), so the effective address is ctx + offsetof(data).
 * Even though that address is a valid field offset, the load goes through a
 * modified ctx pointer and is expected to be rejected with
 * "dereference of modified ctx ptr".
 */
SEC("tc")
__description("arithmetic ops make PTR_TO_CTX unusable")
__failure __msg("dereference of modified ctx ptr")
__naked void make_ptr_to_ctx_unusable(void)
{
	asm volatile ("	\
	r1 += %[__imm_0];	\
	r0 = *(u32*)(r1 + %[__sk_buff_mark]);	\
	exit;	\
"	:
	: __imm_const(__imm_0,
		      offsetof(struct __sk_buff, data) - offsetof(struct __sk_buff, mark)),
	  __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
	: __clobber_all);
}

/*
 * Baseline for the helper-argument cases: R1 is left untouched, R2 is set to
 * 0 and bpf_csum_update is called. Expected to load and return 0.
 */
SEC("tc")
__description("pass unmodified ctx pointer to helper")
__success __retval(0)
__naked void unmodified_ctx_pointer_to_helper(void)
{
	asm volatile ("	\
	r2 = 0;	\
	call %[bpf_csum_update];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_csum_update)
	: __clobber_all);
}

/*
 * Same call as the baseline, but R1 is first moved by the constant -612.
 * Expected to be rejected with
 * "negative offset ctx ptr R1 off=-612 disallowed".
 */
SEC("tc")
__description("pass modified ctx pointer to helper, 1")
__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
__naked void ctx_pointer_to_helper_1(void)
{
	asm volatile ("	\
	r1 += -612;	\
	r2 = 0;	\
	call %[bpf_csum_update];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_csum_update)
	: __clobber_all);
}

/*
 * Negative constant offset on ctx again, this time in a "socket" program
 * calling bpf_get_socket_cookie. The annotations expect the same rejection
 * message in both the default and the unprivileged (__failure_unpriv /
 * __msg_unpriv) run.
 */
SEC("socket")
__description("pass modified ctx pointer to helper, 2")
__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
__failure_unpriv __msg_unpriv("negative offset ctx ptr R1 off=-612 disallowed")
__naked void ctx_pointer_to_helper_2(void)
{
	asm volatile ("	\
	r1 += -612;	\
	call %[bpf_get_socket_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_socket_cookie)
	: __clobber_all);
}

/*
 * Variable offset on ctx: R3 is loaded from ctx + 0, masked with 4 and added
 * to R1, so the pointer may have moved by either 0 or 4. The mask matches the
 * var_off=(0x0; 0x4) shown in the expected message
 * "variable ctx access var_off=(0x0; 0x4)".
 */
SEC("tc")
__description("pass modified ctx pointer to helper, 3")
__failure __msg("variable ctx access var_off=(0x0; 0x4)")
__naked void ctx_pointer_to_helper_3(void)
{
	asm volatile ("	\
	r3 = *(u32*)(r1 + 0);	\
	r3 &= 4;	\
	r1 += r3;	\
	r2 = 0;	\
	call %[bpf_csum_update];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_csum_update)
	: __clobber_all);
}

/*
 * "ctx or null" series, case 1: bpf_get_netns_cookie is called with the
 * untouched ctx in R1 from a cgroup/sendmsg6 program. Expected to load.
 */
SEC("cgroup/sendmsg6")
__description("pass ctx or null check, 1: ctx")
__success
__naked void or_null_check_1_ctx(void)
{
	asm volatile ("	\
	call %[bpf_get_netns_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_netns_cookie)
	: __clobber_all);
}

/*
 * Case 2: R1 is replaced by 0 before calling bpf_get_netns_cookie.
 * Expected to load, i.e. this helper is expected to accept NULL in place of
 * ctx.
 */
SEC("cgroup/sendmsg6")
__description("pass ctx or null check, 2: null")
__success
__naked void or_null_check_2_null(void)
{
	asm volatile ("	\
	r1 = 0;	\
	call %[bpf_get_netns_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_netns_cookie)
	: __clobber_all);
}

/*
 * Case 3: R1 is replaced by the non-zero constant 1. Only zero is tolerated
 * in place of ctx; expected rejection is "R1 type=scalar expected=ctx".
 */
SEC("cgroup/sendmsg6")
__description("pass ctx or null check, 3: 1")
__failure __msg("R1 type=scalar expected=ctx")
__naked void or_null_check_3_1(void)
{
	asm volatile ("	\
	r1 = 1;	\
	call %[bpf_get_netns_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_netns_cookie)
	: __clobber_all);
}

/*
 * Case 4: ctx moved by the constant -612 before the call. Accepting NULL does
 * not relax the offset check; expected rejection is
 * "negative offset ctx ptr R1 off=-612 disallowed".
 */
SEC("cgroup/sendmsg6")
__description("pass ctx or null check, 4: ctx - const")
__failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
__naked void null_check_4_ctx_const(void)
{
	asm volatile ("	\
	r1 += -612;	\
	call %[bpf_get_netns_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_netns_cookie)
	: __clobber_all);
}

/*
 * Case 5: the NULL-argument call to bpf_get_netns_cookie repeated from a
 * cgroup/connect4 program. Expected to load.
 */
SEC("cgroup/connect4")
__description("pass ctx or null check, 5: null (connect)")
__success
__naked void null_check_5_null_connect(void)
{
	asm volatile ("	\
	r1 = 0;	\
	call %[bpf_get_netns_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_netns_cookie)
	: __clobber_all);
}

/*
 * Case 6: the NULL-argument call to bpf_get_netns_cookie repeated from a
 * cgroup/post_bind4 program. Expected to load.
 */
SEC("cgroup/post_bind4")
__description("pass ctx or null check, 6: null (bind)")
__success
__naked void null_check_6_null_bind(void)
{
	asm volatile ("	\
	r1 = 0;	\
	call %[bpf_get_netns_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_netns_cookie)
	: __clobber_all);
}

/*
 * Case 7: bpf_get_socket_cookie called with the untouched ctx from a
 * cgroup/post_bind4 program. Expected to load; this is the positive
 * counterpart of case 8.
 */
SEC("cgroup/post_bind4")
__description("pass ctx or null check, 7: ctx (bind)")
__success
__naked void null_check_7_ctx_bind(void)
{
	asm volatile ("	\
	call %[bpf_get_socket_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_socket_cookie)
	: __clobber_all);
}

/*
 * Case 8: same program type as case 6, but the helper is
 * bpf_get_socket_cookie. Here a zero in R1 is expected to be rejected with
 * "R1 type=scalar expected=ctx", so NULL tolerance is a property of the
 * individual helper and not of the program type.
 */
SEC("cgroup/post_bind4")
__description("pass ctx or null check, 8: null (bind)")
__failure __msg("R1 type=scalar expected=ctx")
__naked void null_check_8_null_bind(void)
{
	asm volatile ("	\
	r1 = 0;	\
	call %[bpf_get_socket_cookie];	\
	r0 = 0;	\
	exit;	\
"	:
	: __imm(bpf_get_socket_cookie)
	: __clobber_all);
}

/* License string placed in the "license" section of the object. */
char _license[] SEC("license") = "GPL";