Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / a254a9da455c171441ab3a76ed8f5d1e9412e15f / . / tools / testing / selftests / bpf / verifier / ringbuf.c
blob: b64d33e4833c8582fbbf8d5de8fbb640f4352a22 [file] [log] [blame]
Daniel Borkmann722e4db2022-01-10 13:44:18 +0000[diff] [blame]1{
2 "ringbuf: invalid reservation offset 1",
3 .insns = {
4 /* reserve 8 byte ringbuf memory */
5 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6 BPF_LD_MAP_FD(BPF_REG_1, 0),
7 BPF_MOV64_IMM(BPF_REG_2, 8),
8 BPF_MOV64_IMM(BPF_REG_3, 0),
9 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
10 /* store a pointer to the reserved memory in R6 */
11 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12 /* check whether the reservation was successful */
13 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
14 /* spill R6(mem) into the stack */
15 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
16 /* fill it back in R7 */
17 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
18 /* should be able to access *(R7) = 0 */
19 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
20 /* submit the reserved ringbuf memory */
21 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
22 /* add invalid offset to reserved ringbuf memory */
23 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xcafe),
24 BPF_MOV64_IMM(BPF_REG_2, 0),
25 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
26 BPF_MOV64_IMM(BPF_REG_0, 0),
27 BPF_EXIT_INSN(),
28 },
29 .fixup_map_ringbuf = { 1 },
30 .result = REJECT,
Daniel Borkmann37c8d482022-01-12 12:39:48 +0000[diff] [blame]31 .errstr = "dereference of modified alloc_mem ptr R1",
Daniel Borkmann722e4db2022-01-10 13:44:18 +0000[diff] [blame]32},
33{
34 "ringbuf: invalid reservation offset 2",
35 .insns = {
36 /* reserve 8 byte ringbuf memory */
37 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
38 BPF_LD_MAP_FD(BPF_REG_1, 0),
39 BPF_MOV64_IMM(BPF_REG_2, 8),
40 BPF_MOV64_IMM(BPF_REG_3, 0),
41 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
42 /* store a pointer to the reserved memory in R6 */
43 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
44 /* check whether the reservation was successful */
45 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
46 /* spill R6(mem) into the stack */
47 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
48 /* fill it back in R7 */
49 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
50 /* add invalid offset to reserved ringbuf memory */
51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 0xcafe),
52 /* should be able to access *(R7) = 0 */
53 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
54 /* submit the reserved ringbuf memory */
55 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
56 BPF_MOV64_IMM(BPF_REG_2, 0),
57 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
58 BPF_MOV64_IMM(BPF_REG_0, 0),
59 BPF_EXIT_INSN(),
60 },
61 .fixup_map_ringbuf = { 1 },
62 .result = REJECT,
63 .errstr = "R7 min value is outside of the allowed memory range",
64},
Daniel Borkmann37c8d482022-01-12 12:39:48 +0000[diff] [blame]65{
66 "ringbuf: check passing rb mem to helpers",
67 .insns = {
68 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
69 /* reserve 8 byte ringbuf memory */
70 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
71 BPF_LD_MAP_FD(BPF_REG_1, 0),
72 BPF_MOV64_IMM(BPF_REG_2, 8),
73 BPF_MOV64_IMM(BPF_REG_3, 0),
74 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
75 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
76 /* check whether the reservation was successful */
77 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
78 BPF_EXIT_INSN(),
79 /* pass allocated ring buffer memory to fib lookup */
80 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
81 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
82 BPF_MOV64_IMM(BPF_REG_3, 8),
83 BPF_MOV64_IMM(BPF_REG_4, 0),
84 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_fib_lookup),
85 /* submit the ringbuf memory */
86 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
87 BPF_MOV64_IMM(BPF_REG_2, 0),
88 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
89 BPF_MOV64_IMM(BPF_REG_0, 0),
90 BPF_EXIT_INSN(),
91 },
92 .fixup_map_ringbuf = { 2 },
93 .prog_type = BPF_PROG_TYPE_XDP,
94 .result = ACCEPT,
95},