1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/and.c */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7 
8 #define MAX_ENTRIES 11
9 
10 struct test_val {
11 	unsigned int index;
12 	int foo[MAX_ENTRIES];
13 };
14 
15 struct {
16 	__uint(type, BPF_MAP_TYPE_HASH);
17 	__uint(max_entries, 1);
18 	__type(key, long long);
19 	__type(value, struct test_val);
20 } map_hash_48b SEC(".maps");
21 
22 SEC("socket")
23 __description("invalid and of negative number")
24 __failure __msg("R0 max value is outside of the allowed memory range")
25 __failure_unpriv
__flag(BPF_F_ANY_ALIGNMENT)26 __flag(BPF_F_ANY_ALIGNMENT)
27 __naked void invalid_and_of_negative_number(void)
28 {
29 	asm volatile ("					\
30 	r1 = 0;						\
31 	*(u64*)(r10 - 8) = r1;				\
32 	r2 = r10;					\
33 	r2 += -8;					\
34 	r1 = %[map_hash_48b] ll;			\
35 	call %[bpf_map_lookup_elem];			\
36 	if r0 == 0 goto l0_%=;				\
37 	r1 = *(u8*)(r0 + 0);				\
38 	r1 &= -4;					\
39 	r1 <<= 2;					\
40 	r0 += r1;					\
41 l0_%=:	r1 = %[test_val_foo];				\
42 	*(u64*)(r0 + 0) = r1;				\
43 	exit;						\
44 "	:
45 	: __imm(bpf_map_lookup_elem),
46 	  __imm_addr(map_hash_48b),
47 	  __imm_const(test_val_foo, offsetof(struct test_val, foo))
48 	: __clobber_all);
49 }
50 
51 SEC("socket")
52 __description("invalid range check")
53 __failure __msg("R0 max value is outside of the allowed memory range")
54 __failure_unpriv
__flag(BPF_F_ANY_ALIGNMENT)55 __flag(BPF_F_ANY_ALIGNMENT)
56 __naked void invalid_range_check(void)
57 {
58 	asm volatile ("					\
59 	r1 = 0;						\
60 	*(u64*)(r10 - 8) = r1;				\
61 	r2 = r10;					\
62 	r2 += -8;					\
63 	r1 = %[map_hash_48b] ll;			\
64 	call %[bpf_map_lookup_elem];			\
65 	if r0 == 0 goto l0_%=;				\
66 	r1 = *(u32*)(r0 + 0);				\
67 	r9 = 1;						\
68 	w1 %%= 2;					\
69 	w1 += 1;					\
70 	w9 &= w1;					\
71 	w9 += 1;					\
72 	w9 >>= 1;					\
73 	w3 = 1;						\
74 	w3 -= w9;					\
75 	w3 *= 0x10000000;				\
76 	r0 += r3;					\
77 	*(u32*)(r0 + 0) = r3;				\
78 l0_%=:	r0 = r0;					\
79 	exit;						\
80 "	:
81 	: __imm(bpf_map_lookup_elem),
82 	  __imm_addr(map_hash_48b)
83 	: __clobber_all);
84 }
85 
86 SEC("socket")
87 __description("check known subreg with unknown reg")
88 __success __failure_unpriv __msg_unpriv("R1 !read_ok")
89 __retval(0)
known_subreg_with_unknown_reg(void)90 __naked void known_subreg_with_unknown_reg(void)
91 {
92 	asm volatile ("					\
93 	call %[bpf_get_prandom_u32];			\
94 	r0 <<= 32;					\
95 	r0 += 1;					\
96 	r0 &= 0xFFFF1234;				\
97 	/* Upper bits are unknown but AND above masks out 1 zero'ing lower bits */\
98 	if w0 < 1 goto l0_%=;				\
99 	r1 = *(u32*)(r1 + 512);				\
100 l0_%=:	r0 = 0;						\
101 	exit;						\
102 "	:
103 	: __imm(bpf_get_prandom_u32)
104 	: __clobber_all);
105 }
106 
107 char _license[] SEC("license") = "GPL";
108