1 // SPDX-License-Identifier: GPL-2.0 2 /* Converted from tools/testing/selftests/bpf/verifier/and.c */ 3 4 #include <linux/bpf.h> 5 #include <bpf/bpf_helpers.h> 6 #include "bpf_misc.h" 7 8 #define MAX_ENTRIES 11 9 10 struct test_val { 11 unsigned int index; 12 int foo[MAX_ENTRIES]; 13 }; 14 15 struct { 16 __uint(type, BPF_MAP_TYPE_HASH); 17 __uint(max_entries, 1); 18 __type(key, long long); 19 __type(value, struct test_val); 20 } map_hash_48b SEC(".maps"); 21 22 SEC("socket") 23 __description("invalid and of negative number") 24 __failure __msg("R0 max value is outside of the allowed memory range") 25 __failure_unpriv 26 __flag(BPF_F_ANY_ALIGNMENT) 27 __naked void invalid_and_of_negative_number(void) 28 { 29 asm volatile (" \ 30 r1 = 0; \ 31 *(u64*)(r10 - 8) = r1; \ 32 r2 = r10; \ 33 r2 += -8; \ 34 r1 = %[map_hash_48b] ll; \ 35 call %[bpf_map_lookup_elem]; \ 36 if r0 == 0 goto l0_%=; \ 37 r1 = *(u8*)(r0 + 0); \ 38 r1 &= -4; \ 39 r1 <<= 2; \ 40 r0 += r1; \ 41 l0_%=: r1 = %[test_val_foo]; \ 42 *(u64*)(r0 + 0) = r1; \ 43 exit; \ 44 " : 45 : __imm(bpf_map_lookup_elem), 46 __imm_addr(map_hash_48b), 47 __imm_const(test_val_foo, offsetof(struct test_val, foo)) 48 : __clobber_all); 49 } 50 51 SEC("socket") 52 __description("invalid range check") 53 __failure __msg("R0 max value is outside of the allowed memory range") 54 __failure_unpriv 55 __flag(BPF_F_ANY_ALIGNMENT) 56 __naked void invalid_range_check(void) 57 { 58 asm volatile (" \ 59 r1 = 0; \ 60 *(u64*)(r10 - 8) = r1; \ 61 r2 = r10; \ 62 r2 += -8; \ 63 r1 = %[map_hash_48b] ll; \ 64 call %[bpf_map_lookup_elem]; \ 65 if r0 == 0 goto l0_%=; \ 66 r1 = *(u32*)(r0 + 0); \ 67 r9 = 1; \ 68 w1 %%= 2; \ 69 w1 += 1; \ 70 w9 &= w1; \ 71 w9 += 1; \ 72 w9 >>= 1; \ 73 w3 = 1; \ 74 w3 -= w9; \ 75 w3 *= 0x10000000; \ 76 r0 += r3; \ 77 *(u32*)(r0 + 0) = r3; \ 78 l0_%=: r0 = r0; \ 79 exit; \ 80 " : 81 : __imm(bpf_map_lookup_elem), 82 __imm_addr(map_hash_48b) 83 : __clobber_all); 84 } 85 86 SEC("socket") 87 __description("check known subreg with unknown reg") 88 __success __failure_unpriv __msg_unpriv("R1 !read_ok") 89 __retval(0) 90 __naked void known_subreg_with_unknown_reg(void) 91 { 92 asm volatile (" \ 93 call %[bpf_get_prandom_u32]; \ 94 r0 <<= 32; \ 95 r0 += 1; \ 96 r0 &= 0xFFFF1234; \ 97 /* Upper bits are unknown but AND above masks out 1 zero'ing lower bits */\ 98 if w0 < 1 goto l0_%=; \ 99 r1 = *(u32*)(r1 + 512); \ 100 l0_%=: r0 = 0; \ 101 exit; \ 102 " : 103 : __imm(bpf_get_prandom_u32) 104 : __clobber_all); 105 } 106 107 char _license[] SEC("license") = "GPL"; 108