1*9d0f1568SEduard Zingerman // SPDX-License-Identifier: GPL-2.0 2*9d0f1568SEduard Zingerman /* Converted from tools/testing/selftests/bpf/verifier/and.c */ 3*9d0f1568SEduard Zingerman 4*9d0f1568SEduard Zingerman #include <linux/bpf.h> 5*9d0f1568SEduard Zingerman #include <bpf/bpf_helpers.h> 6*9d0f1568SEduard Zingerman #include "bpf_misc.h" 7*9d0f1568SEduard Zingerman 8*9d0f1568SEduard Zingerman #define MAX_ENTRIES 11 9*9d0f1568SEduard Zingerman 10*9d0f1568SEduard Zingerman struct test_val { 11*9d0f1568SEduard Zingerman unsigned int index; 12*9d0f1568SEduard Zingerman int foo[MAX_ENTRIES]; 13*9d0f1568SEduard Zingerman }; 14*9d0f1568SEduard Zingerman 15*9d0f1568SEduard Zingerman struct { 16*9d0f1568SEduard Zingerman __uint(type, BPF_MAP_TYPE_HASH); 17*9d0f1568SEduard Zingerman __uint(max_entries, 1); 18*9d0f1568SEduard Zingerman __type(key, long long); 19*9d0f1568SEduard Zingerman __type(value, struct test_val); 20*9d0f1568SEduard Zingerman } map_hash_48b SEC(".maps"); 21*9d0f1568SEduard Zingerman 22*9d0f1568SEduard Zingerman SEC("socket") 23*9d0f1568SEduard Zingerman __description("invalid and of negative number") 24*9d0f1568SEduard Zingerman __failure __msg("R0 max value is outside of the allowed memory range") 25*9d0f1568SEduard Zingerman __failure_unpriv __flag(BPF_F_ANY_ALIGNMENT)26*9d0f1568SEduard Zingerman__flag(BPF_F_ANY_ALIGNMENT) 27*9d0f1568SEduard Zingerman __naked void invalid_and_of_negative_number(void) 28*9d0f1568SEduard Zingerman { 29*9d0f1568SEduard Zingerman asm volatile (" \ 30*9d0f1568SEduard Zingerman r1 = 0; \ 31*9d0f1568SEduard Zingerman *(u64*)(r10 - 8) = r1; \ 32*9d0f1568SEduard Zingerman r2 = r10; \ 33*9d0f1568SEduard Zingerman r2 += -8; \ 34*9d0f1568SEduard Zingerman r1 = %[map_hash_48b] ll; \ 35*9d0f1568SEduard Zingerman call %[bpf_map_lookup_elem]; \ 36*9d0f1568SEduard Zingerman if r0 == 0 goto l0_%=; \ 37*9d0f1568SEduard Zingerman r1 = *(u8*)(r0 + 0); \ 38*9d0f1568SEduard Zingerman r1 &= -4; \ 39*9d0f1568SEduard Zingerman r1 <<= 2; \ 40*9d0f1568SEduard Zingerman r0 += r1; \ 41*9d0f1568SEduard Zingerman l0_%=: r1 = %[test_val_foo]; \ 42*9d0f1568SEduard Zingerman *(u64*)(r0 + 0) = r1; \ 43*9d0f1568SEduard Zingerman exit; \ 44*9d0f1568SEduard Zingerman " : 45*9d0f1568SEduard Zingerman : __imm(bpf_map_lookup_elem), 46*9d0f1568SEduard Zingerman __imm_addr(map_hash_48b), 47*9d0f1568SEduard Zingerman __imm_const(test_val_foo, offsetof(struct test_val, foo)) 48*9d0f1568SEduard Zingerman : __clobber_all); 49*9d0f1568SEduard Zingerman } 50*9d0f1568SEduard Zingerman 51*9d0f1568SEduard Zingerman SEC("socket") 52*9d0f1568SEduard Zingerman __description("invalid range check") 53*9d0f1568SEduard Zingerman __failure __msg("R0 max value is outside of the allowed memory range") 54*9d0f1568SEduard Zingerman __failure_unpriv __flag(BPF_F_ANY_ALIGNMENT)55*9d0f1568SEduard Zingerman__flag(BPF_F_ANY_ALIGNMENT) 56*9d0f1568SEduard Zingerman __naked void invalid_range_check(void) 57*9d0f1568SEduard Zingerman { 58*9d0f1568SEduard Zingerman asm volatile (" \ 59*9d0f1568SEduard Zingerman r1 = 0; \ 60*9d0f1568SEduard Zingerman *(u64*)(r10 - 8) = r1; \ 61*9d0f1568SEduard Zingerman r2 = r10; \ 62*9d0f1568SEduard Zingerman r2 += -8; \ 63*9d0f1568SEduard Zingerman r1 = %[map_hash_48b] ll; \ 64*9d0f1568SEduard Zingerman call %[bpf_map_lookup_elem]; \ 65*9d0f1568SEduard Zingerman if r0 == 0 goto l0_%=; \ 66*9d0f1568SEduard Zingerman r1 = *(u32*)(r0 + 0); \ 67*9d0f1568SEduard Zingerman r9 = 1; \ 68*9d0f1568SEduard Zingerman w1 %%= 2; \ 69*9d0f1568SEduard Zingerman w1 += 1; \ 70*9d0f1568SEduard Zingerman w9 &= w1; \ 71*9d0f1568SEduard Zingerman w9 += 1; \ 72*9d0f1568SEduard Zingerman w9 >>= 1; \ 73*9d0f1568SEduard Zingerman w3 = 1; \ 74*9d0f1568SEduard Zingerman w3 -= w9; \ 75*9d0f1568SEduard Zingerman w3 *= 0x10000000; \ 76*9d0f1568SEduard Zingerman r0 += r3; \ 77*9d0f1568SEduard Zingerman *(u32*)(r0 + 0) = r3; \ 78*9d0f1568SEduard Zingerman l0_%=: r0 = r0; \ 79*9d0f1568SEduard Zingerman exit; \ 80*9d0f1568SEduard Zingerman " : 81*9d0f1568SEduard Zingerman : __imm(bpf_map_lookup_elem), 82*9d0f1568SEduard Zingerman __imm_addr(map_hash_48b) 83*9d0f1568SEduard Zingerman : __clobber_all); 84*9d0f1568SEduard Zingerman } 85*9d0f1568SEduard Zingerman 86*9d0f1568SEduard Zingerman SEC("socket") 87*9d0f1568SEduard Zingerman __description("check known subreg with unknown reg") 88*9d0f1568SEduard Zingerman __success __failure_unpriv __msg_unpriv("R1 !read_ok") 89*9d0f1568SEduard Zingerman __retval(0) known_subreg_with_unknown_reg(void)90*9d0f1568SEduard Zingerman__naked void known_subreg_with_unknown_reg(void) 91*9d0f1568SEduard Zingerman { 92*9d0f1568SEduard Zingerman asm volatile (" \ 93*9d0f1568SEduard Zingerman call %[bpf_get_prandom_u32]; \ 94*9d0f1568SEduard Zingerman r0 <<= 32; \ 95*9d0f1568SEduard Zingerman r0 += 1; \ 96*9d0f1568SEduard Zingerman r0 &= 0xFFFF1234; \ 97*9d0f1568SEduard Zingerman /* Upper bits are unknown but AND above masks out 1 zero'ing lower bits */\ 98*9d0f1568SEduard Zingerman if w0 < 1 goto l0_%=; \ 99*9d0f1568SEduard Zingerman r1 = *(u32*)(r1 + 512); \ 100*9d0f1568SEduard Zingerman l0_%=: r0 = 0; \ 101*9d0f1568SEduard Zingerman exit; \ 102*9d0f1568SEduard Zingerman " : 103*9d0f1568SEduard Zingerman : __imm(bpf_get_prandom_u32) 104*9d0f1568SEduard Zingerman : __clobber_all); 105*9d0f1568SEduard Zingerman } 106*9d0f1568SEduard Zingerman 107*9d0f1568SEduard Zingerman char _license[] SEC("license") = "GPL"; 108