// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"
/* License string emitted into the object's "license" section. */
char _license[] SEC("license") = "GPL";
/* Record type used by the callbacks in this file. Here it only supplies the
 * length argument passed to bpf_dynptr_data(); no field is read or written.
 */
struct sample {
	int pid;
	int seq;
	long value;
	char comm[16];
};
/* User ring buffer map that every program in this file passes to
 * bpf_user_ringbuf_drain().
 */
struct {
	__uint(type, BPF_MAP_TYPE_USER_RINGBUF);
	__uint(max_entries, 4096);
} user_ringbuf SEC(".maps");
/* Ring buffer map that try_reinit_dynptr_ringbuf() reserves from when it tries
 * to overwrite the dynptr handed to the drain callback.
 */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 2);
} ringbuf SEC(".maps");
/* Backing memory that try_reinit_dynptr_mem() hands to bpf_dynptr_from_mem(). */
static int map_value;
/* Drain callback: passes a pointer one struct bpf_dynptr below the dynptr it
 * was handed to bpf_dynptr_data(). The program that registers this callback is
 * annotated __failure, so the printk is only reachable if the verifier check
 * under test is missing.
 */
static long
bad_access1(struct bpf_dynptr *dynptr, void *context)
{
	const struct sample *sample;

	/* dynptr - 1 steps back by a whole struct bpf_dynptr. */
	sample = bpf_dynptr_data(dynptr - 1, 0, sizeof(*sample));
	/* NOTE(review): the cast binds before the subtraction, so this prints
	 * the address minus one byte, not the dynptr - 1 value passed above.
	 */
	bpf_printk("Was able to pass bad pointer %lx\n", (__u64)dynptr - 1);

	return 0;
}
/* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
 * not be able to read before the pointer.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("negative offset dynptr_ptr ptr")
int user_ringbuf_callback_bad_access1(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, bad_access1, NULL, 0);

	return 0;
}
/* Drain callback: passes a pointer one struct bpf_dynptr above the dynptr it
 * was handed to bpf_dynptr_data(). The program that registers this callback is
 * annotated __failure, so the printk is only reachable if the verifier check
 * under test is missing.
 */
static long
bad_access2(struct bpf_dynptr *dynptr, void *context)
{
	const struct sample *sample;

	/* dynptr + 1 steps forward by a whole struct bpf_dynptr. */
	sample = bpf_dynptr_data(dynptr + 1, 0, sizeof(*sample));
	/* NOTE(review): the cast binds before the addition, so this prints the
	 * address plus one byte, not the dynptr + 1 value passed above.
	 */
	bpf_printk("Was able to pass bad pointer %lx\n", (__u64)dynptr + 1);

	return 0;
}
/* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
 * not be able to read past the end of the pointer.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("dereference of modified dynptr_ptr ptr")
int user_ringbuf_callback_bad_access2(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, bad_access2, NULL, 0);

	return 0;
}
/* Drain callback: stores 0 directly through the dynptr pointer, cast to
 * long *, instead of going through a dynptr helper.
 */
static long
write_forbidden(struct bpf_dynptr *dynptr, void *context)
{
	/* Raw write into the dynptr object itself. */
	*((long *)dynptr) = 0;

	return 0;
}
/* A callback that accesses a dynptr in a bpf_user_ringbuf_drain callback should
 * not be able to write to that pointer.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'dynptr_ptr'")
int user_ringbuf_callback_write_forbidden(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, write_forbidden, NULL, 0);

	return 0;
}
/* Drain callback: stores 0 through the context pointer without checking it.
 * The program that registers this callback passes NULL as the context.
 */
static long
null_context_write(struct bpf_dynptr *dynptr, void *context)
{
	/* Unchecked write through the caller-supplied context. */
	*((__u64 *)context) = 0;

	return 0;
}
/* A bpf_user_ringbuf_drain callback should not be able to write through its
 * context argument when the drain call passed NULL as the context.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int user_ringbuf_callback_null_context_write(void *ctx)
{
	/* The third argument is the callback context: NULL here. */
	bpf_user_ringbuf_drain(&user_ringbuf, null_context_write, NULL, 0);

	return 0;
}
/* Drain callback: loads a __u64 through the context pointer without checking
 * it and prints the value. The program that registers this callback passes
 * NULL as the context.
 */
static long
null_context_read(struct bpf_dynptr *dynptr, void *context)
{
	/* Unchecked read through the caller-supplied context. */
	__u64 id = *((__u64 *)context);

	bpf_printk("Read id %lu\n", id);

	return 0;
}
/* A bpf_user_ringbuf_drain callback should not be able to read through its
 * context argument when the drain call passed NULL as the context.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int user_ringbuf_callback_null_context_read(void *ctx)
{
	/* The third argument is the callback context: NULL here. */
	bpf_user_ringbuf_drain(&user_ringbuf, null_context_read, NULL, 0);

	return 0;
}
/* Drain callback: calls bpf_ringbuf_discard_dynptr() on the dynptr it was
 * handed, i.e. tries to release an object the callback did not create.
 */
static long
try_discard_dynptr(struct bpf_dynptr *dynptr, void *context)
{
	bpf_ringbuf_discard_dynptr(dynptr, 0);

	return 0;
}
/* A bpf_user_ringbuf_drain callback should not be able to discard the dynptr
 * it was handed.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("cannot release unowned const bpf_dynptr")
int user_ringbuf_callback_discard_dynptr(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, try_discard_dynptr, NULL, 0);

	return 0;
}
/* Drain callback: calls bpf_ringbuf_submit_dynptr() on the dynptr it was
 * handed, i.e. tries to release an object the callback did not create.
 */
static long
try_submit_dynptr(struct bpf_dynptr *dynptr, void *context)
{
	bpf_ringbuf_submit_dynptr(dynptr, 0);

	return 0;
}
/* A bpf_user_ringbuf_drain callback should not be able to submit the dynptr it
 * was handed.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("cannot release unowned const bpf_dynptr")
int user_ringbuf_callback_submit_dynptr(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, try_submit_dynptr, NULL, 0);

	return 0;
}
/* Drain callback: does nothing except return 2. The program that registers it
 * is expected to be rejected because of that return value.
 */
static long
invalid_drain_callback_return(struct bpf_dynptr *dynptr, void *context)
{
	/* presumably only 0 and 1 are accepted from a drain callback; confirm
	 * against the bpf_user_ringbuf_drain() helper documentation.
	 */
	return 2;
}
/* A bpf_user_ringbuf_drain callback should not be able to return a value the
 * verifier does not allow for it; the callback used here returns 2.
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("At callback return the register R0 has value")
int user_ringbuf_callback_invalid_return(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, invalid_drain_callback_return, NULL, 0);

	return 0;
}
/* Drain callback: passes the dynptr it was handed as the output argument of
 * bpf_dynptr_from_mem(), i.e. tries to re-initialize an already initialized
 * dynptr so that it refers to map_value.
 */
static long
try_reinit_dynptr_mem(struct bpf_dynptr *dynptr, void *context)
{
	/* Size 4, flags 0; the return value is deliberately not checked. */
	bpf_dynptr_from_mem(&map_value, 4, 0, dynptr);
	return 0;
}
/* Drain callback: passes the dynptr it was handed as the output argument of
 * bpf_ringbuf_reserve_dynptr(), i.e. tries to re-initialize an already
 * initialized dynptr with a reservation from the ringbuf map.
 */
static long
try_reinit_dynptr_ringbuf(struct bpf_dynptr *dynptr, void *context)
{
	/* Size 8, flags 0; the return value is deliberately not checked. */
	bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, dynptr);
	return 0;
}
/* A bpf_user_ringbuf_drain callback should not be able to re-initialize the
 * dynptr it was handed with bpf_dynptr_from_mem().
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("Dynptr has to be an uninitialized dynptr")
int user_ringbuf_callback_reinit_dynptr_mem(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, try_reinit_dynptr_mem, NULL, 0);
	return 0;
}
/* A bpf_user_ringbuf_drain callback should not be able to re-initialize the
 * dynptr it was handed with bpf_ringbuf_reserve_dynptr().
 *
 * The verifier is expected to reject this program with the message given in
 * __msg().
 */
SEC("?raw_tp")
__failure __msg("Dynptr has to be an uninitialized dynptr")
int user_ringbuf_callback_reinit_dynptr_ringbuf(void *ctx)
{
	/* NULL callback context, flags 0. */
	bpf_user_ringbuf_drain(&user_ringbuf, try_reinit_dynptr_ringbuf, NULL, 0);
	return 0;
}