~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/verifier/precise.c

Version: ~ [ linux-6.11-rc3 ] ~ [ linux-6.10.4 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.45 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.104 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.164 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.223 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.281 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.319 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~ 
  1 {
  2         "precise: test 1",
  3         .insns = {
  4         BPF_MOV64_IMM(BPF_REG_0, 1),
  5         BPF_LD_MAP_FD(BPF_REG_6, 0),
  6         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
  7         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
  8         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  9         BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
 10         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
 11         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 12         BPF_EXIT_INSN(),
 13 
 14         BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
 15 
 16         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
 17         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
 18         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
 19         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
 20         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 21         BPF_EXIT_INSN(),
 22 
 23         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
 24 
 25         BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
 26         BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
 27         BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
 28         BPF_EXIT_INSN(),
 29 
 30         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=scalar(umin=1, umax=8) */
 31         BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
 32         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
 33         BPF_MOV64_IMM(BPF_REG_3, 0),
 34         BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
 35         BPF_EXIT_INSN(),
 36         },
 37         .prog_type = BPF_PROG_TYPE_TRACEPOINT,
 38         .fixup_map_array_48b = { 1 },
 39         .result = VERBOSE_ACCEPT,
 40         .errstr =
 41         "mark_precise: frame0: last_idx 26 first_idx 20\
 42         mark_precise: frame0: regs=r2,r9 stack= before 25\
 43         mark_precise: frame0: regs=r2,r9 stack= before 24\
 44         mark_precise: frame0: regs=r2,r9 stack= before 23\
 45         mark_precise: frame0: regs=r2,r9 stack= before 22\
 46         mark_precise: frame0: regs=r2,r9 stack= before 20\
 47         mark_precise: frame0: parent state regs=r2,r9 stack=:\
 48         mark_precise: frame0: last_idx 19 first_idx 10\
 49         mark_precise: frame0: regs=r2,r9 stack= before 19\
 50         mark_precise: frame0: regs=r9 stack= before 18\
 51         mark_precise: frame0: regs=r8,r9 stack= before 17\
 52         mark_precise: frame0: regs=r0,r9 stack= before 15\
 53         mark_precise: frame0: regs=r0,r9 stack= before 14\
 54         mark_precise: frame0: regs=r9 stack= before 13\
 55         mark_precise: frame0: regs=r9 stack= before 12\
 56         mark_precise: frame0: regs=r9 stack= before 11\
 57         mark_precise: frame0: regs=r9 stack= before 10\
 58         mark_precise: frame0: parent state regs= stack=:",
 59 },
 60 {
 61         "precise: test 2",
 62         .insns = {
 63         BPF_MOV64_IMM(BPF_REG_0, 1),
 64         BPF_LD_MAP_FD(BPF_REG_6, 0),
 65         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
 66         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
 67         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
 68         BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
 69         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
 70         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 71         BPF_EXIT_INSN(),
 72 
 73         BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
 74 
 75         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
 76         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
 77         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
 78         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
 79         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 80         BPF_EXIT_INSN(),
 81 
 82         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
 83 
 84         BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
 85         BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
 86         BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
 87         BPF_EXIT_INSN(),
 88 
 89         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=scalar(umin=1, umax=8) */
 90         BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
 91         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
 92         BPF_MOV64_IMM(BPF_REG_3, 0),
 93         BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
 94         BPF_EXIT_INSN(),
 95         },
 96         .prog_type = BPF_PROG_TYPE_TRACEPOINT,
 97         .fixup_map_array_48b = { 1 },
 98         .result = VERBOSE_ACCEPT,
 99         .flags = BPF_F_TEST_STATE_FREQ,
100         .errstr =
101         "26: (85) call bpf_probe_read_kernel#113\
102         mark_precise: frame0: last_idx 26 first_idx 22\
103         mark_precise: frame0: regs=r2,r9 stack= before 25\
104         mark_precise: frame0: regs=r2,r9 stack= before 24\
105         mark_precise: frame0: regs=r2,r9 stack= before 23\
106         mark_precise: frame0: regs=r2,r9 stack= before 22\
107         mark_precise: frame0: parent state regs=r2,r9 stack=:\
108         mark_precise: frame0: last_idx 20 first_idx 20\
109         mark_precise: frame0: regs=r2,r9 stack= before 20\
110         mark_precise: frame0: parent state regs=r2,r9 stack=:\
111         mark_precise: frame0: last_idx 19 first_idx 17\
112         mark_precise: frame0: regs=r2,r9 stack= before 19\
113         mark_precise: frame0: regs=r9 stack= before 18\
114         mark_precise: frame0: regs=r8,r9 stack= before 17\
115         mark_precise: frame0: parent state regs= stack=:",
116 },
117 {
118         "precise: cross frame pruning",
119         .insns = {
120         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
121         BPF_MOV64_IMM(BPF_REG_8, 0),
122         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
123         BPF_MOV64_IMM(BPF_REG_8, 1),
124         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
125         BPF_MOV64_IMM(BPF_REG_9, 0),
126         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
127         BPF_MOV64_IMM(BPF_REG_9, 1),
128         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
130         BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
131         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
132         BPF_MOV64_IMM(BPF_REG_0, 0),
133         BPF_EXIT_INSN(),
134         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
135         BPF_EXIT_INSN(),
136         },
137         .prog_type = BPF_PROG_TYPE_XDP,
138         .flags = BPF_F_TEST_STATE_FREQ,
139         .errstr = "!read_ok",
140         .result = REJECT,
141 },
142 {
143         "precise: ST zero to stack insn is supported",
144         .insns = {
145         BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
146         BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
147         /* not a register spill, so we stop precision propagation for R4 here */
148         BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
149         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
150         BPF_MOV64_IMM(BPF_REG_0, -1),
151         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
152         BPF_EXIT_INSN(),
153         },
154         .prog_type = BPF_PROG_TYPE_XDP,
155         .flags = BPF_F_TEST_STATE_FREQ,
156         .errstr = "mark_precise: frame0: last_idx 5 first_idx 5\
157         mark_precise: frame0: parent state regs=r4 stack=:\
158         mark_precise: frame0: last_idx 4 first_idx 2\
159         mark_precise: frame0: regs=r4 stack= before 4\
160         mark_precise: frame0: regs=r4 stack= before 3\
161         mark_precise: frame0: last_idx 5 first_idx 5\
162         mark_precise: frame0: parent state regs=r0 stack=:\
163         mark_precise: frame0: last_idx 4 first_idx 2\
164         mark_precise: frame0: regs=r0 stack= before 4\
165         5: R0=-1 R4=0",
166         .result = VERBOSE_ACCEPT,
167         .retval = -1,
168 },
169 {
170         "precise: STX insn causing spi > allocated_stack",
171         .insns = {
172         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
173         /* make later reg spill more interesting by having somewhat known scalar */
174         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
175         BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
176         BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
177         BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
178         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
179         BPF_MOV64_IMM(BPF_REG_0, -1),
180         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
181         BPF_EXIT_INSN(),
182         },
183         .prog_type = BPF_PROG_TYPE_XDP,
184         .flags = BPF_F_TEST_STATE_FREQ,
185         .errstr = "mark_precise: frame0: last_idx 7 first_idx 7\
186         mark_precise: frame0: parent state regs=r4 stack=-8:\
187         mark_precise: frame0: last_idx 6 first_idx 4\
188         mark_precise: frame0: regs=r4 stack=-8 before 6: (b7) r0 = -1\
189         mark_precise: frame0: regs=r4 stack=-8 before 5: (79) r4 = *(u64 *)(r10 -8)\
190         mark_precise: frame0: regs= stack=-8 before 4: (7b) *(u64 *)(r3 -8) = r0\
191         mark_precise: frame0: parent state regs=r0 stack=:\
192         mark_precise: frame0: last_idx 3 first_idx 3\
193         mark_precise: frame0: regs=r0 stack= before 3: (55) if r3 != 0x7b goto pc+0\
194         mark_precise: frame0: regs=r0 stack= before 2: (bf) r3 = r10\
195         mark_precise: frame0: regs=r0 stack= before 1: (57) r0 &= 255\
196         mark_precise: frame0: parent state regs=r0 stack=:\
197         mark_precise: frame0: last_idx 0 first_idx 0\
198         mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7\
199         mark_precise: frame0: last_idx 7 first_idx 7\
200         mark_precise: frame0: parent state regs= stack=:",
201         .result = VERBOSE_ACCEPT,
202         .retval = -1,
203 },
204 {
205         "precise: mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO",
206         .insns = {
207         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, offsetof(struct xdp_md, ingress_ifindex)),
208         BPF_LD_MAP_FD(BPF_REG_6, 0),
209         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
210         BPF_MOV64_IMM(BPF_REG_2, 1),
211         BPF_MOV64_IMM(BPF_REG_3, 0),
212         BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0, 1),
213         BPF_MOV64_IMM(BPF_REG_2, 0x1000),
214         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
215         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
216         BPF_EXIT_INSN(),
217         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
218         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 42),
219         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
220         BPF_MOV64_IMM(BPF_REG_0, 0),
221         BPF_EXIT_INSN(),
222         },
223         .fixup_map_ringbuf = { 1 },
224         .prog_type = BPF_PROG_TYPE_XDP,
225         .flags = BPF_F_TEST_STATE_FREQ | F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
226         .errstr = "invalid access to memory, mem_size=1 off=42 size=8",
227         .result = REJECT,
228 },
229 {
230         "precise: program doesn't prematurely prune branches",
231         .insns = {
232                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, 0x400),
233                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
234                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_8, 0),
235                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_9, 0x80000000),
236                 BPF_ALU64_IMM(BPF_MOD, BPF_REG_6, 0x401),
237                 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
238                 BPF_JMP_REG(BPF_JLE, BPF_REG_6, BPF_REG_9, 2),
239                 BPF_ALU64_IMM(BPF_MOD, BPF_REG_6, 1),
240                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_9, 0),
241                 BPF_JMP_REG(BPF_JLE, BPF_REG_6, BPF_REG_9, 1),
242                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, 0),
243                 BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0),
244                 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),
245                 BPF_LD_MAP_FD(BPF_REG_4, 0),
246                 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_4),
247                 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
248                 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
249                 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
250                 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
251                 BPF_EXIT_INSN(),
252                 BPF_ALU64_IMM(BPF_RSH, BPF_REG_6, 10),
253                 BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 8192),
254                 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_0),
255                 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
256                 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
257                 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_3, 0),
258                 BPF_EXIT_INSN(),
259         },
260         .fixup_map_array_48b = { 13 },
261         .prog_type = BPF_PROG_TYPE_XDP,
262         .result = REJECT,
263         .errstr = "register with unbounded min value is not allowed",
264 },
265
~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~
kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php