1 // SPDX-License-Identifier: GPL-2.0
2
3 #include <linux/bpf.h>
4 #include <bpf/bpf_helpers.h>
5 #include "bpf_misc.h"
6
7 /* Read an uninitialized value from stack at a fixed offset */
8 SEC("socket")
read_uninit_stack_fixed_off(void * ctx)9 __naked int read_uninit_stack_fixed_off(void *ctx)
10 {
11 asm volatile (" \
12 r0 = 0; \
13 /* force stack depth to be 128 */ \
14 *(u64*)(r10 - 128) = r1; \
15 r1 = *(u8 *)(r10 - 8 ); \
16 r0 += r1; \
17 r1 = *(u8 *)(r10 - 11); \
18 r1 = *(u8 *)(r10 - 13); \
19 r1 = *(u8 *)(r10 - 15); \
20 r1 = *(u16*)(r10 - 16); \
21 r1 = *(u32*)(r10 - 32); \
22 r1 = *(u64*)(r10 - 64); \
23 /* read from a spill of a wrong size, it is a separate \
24 * branch in check_stack_read_fixed_off() \
25 */ \
26 *(u32*)(r10 - 72) = r1; \
27 r1 = *(u64*)(r10 - 72); \
28 r0 = 0; \
29 exit; \
30 "
31 ::: __clobber_all);
32 }
33
34 /* Read an uninitialized value from stack at a variable offset */
35 SEC("socket")
read_uninit_stack_var_off(void * ctx)36 __naked int read_uninit_stack_var_off(void *ctx)
37 {
38 asm volatile (" \
39 call %[bpf_get_prandom_u32]; \
40 /* force stack depth to be 64 */ \
41 *(u64*)(r10 - 64) = r0; \
42 r0 = -r0; \
43 /* give r0 a range [-31, -1] */ \
44 if r0 s<= -32 goto exit_%=; \
45 if r0 s>= 0 goto exit_%=; \
46 /* access stack using r0 */ \
47 r1 = r10; \
48 r1 += r0; \
49 r2 = *(u8*)(r1 + 0); \
50 exit_%=: r0 = 0; \
51 exit; \
52 "
53 :
54 : __imm(bpf_get_prandom_u32)
55 : __clobber_all);
56 }
57
dummy(void)58 static __noinline void dummy(void) {}
59
60 /* Pass a pointer to uninitialized stack memory to a helper.
61 * Passed memory block should be marked as STACK_MISC after helper call.
62 */
63 SEC("socket")
64 __log_level(7) __msg("fp-104=mmmmmmmm")
helper_uninit_to_misc(void * ctx)65 __naked int helper_uninit_to_misc(void *ctx)
66 {
67 asm volatile (" \
68 /* force stack depth to be 128 */ \
69 *(u64*)(r10 - 128) = r1; \
70 r1 = r10; \
71 r1 += -128; \
72 r2 = 32; \
73 call %[bpf_trace_printk]; \
74 /* Call to dummy() forces print_verifier_state(..., true), \
75 * thus showing the stack state, matched by __msg(). \
76 */ \
77 call %[dummy]; \
78 r0 = 0; \
79 exit; \
80 "
81 :
82 : __imm(bpf_trace_printk),
83 __imm(dummy)
84 : __clobber_all);
85 }
86
87 char _license[] SEC("license") = "GPL";
88