1*fcd36964SEduard Zingerman // SPDX-License-Identifier: GPL-2.0
2*fcd36964SEduard Zingerman /* Converted from tools/testing/selftests/bpf/verifier/ctx.c */
3*fcd36964SEduard Zingerman
4*fcd36964SEduard Zingerman #include <linux/bpf.h>
5*fcd36964SEduard Zingerman #include <bpf/bpf_helpers.h>
6*fcd36964SEduard Zingerman #include "bpf_misc.h"
7*fcd36964SEduard Zingerman
8*fcd36964SEduard Zingerman SEC("tc")
9*fcd36964SEduard Zingerman __description("context stores via BPF_ATOMIC")
10*fcd36964SEduard Zingerman __failure __msg("BPF_ATOMIC stores into R1 ctx is not allowed")
context_stores_via_bpf_atomic(void)11*fcd36964SEduard Zingerman __naked void context_stores_via_bpf_atomic(void)
12*fcd36964SEduard Zingerman {
13*fcd36964SEduard Zingerman asm volatile (" \
14*fcd36964SEduard Zingerman r0 = 0; \
15*fcd36964SEduard Zingerman lock *(u32 *)(r1 + %[__sk_buff_mark]) += w0; \
16*fcd36964SEduard Zingerman exit; \
17*fcd36964SEduard Zingerman " :
18*fcd36964SEduard Zingerman : __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
19*fcd36964SEduard Zingerman : __clobber_all);
20*fcd36964SEduard Zingerman }
21*fcd36964SEduard Zingerman
22*fcd36964SEduard Zingerman SEC("tc")
23*fcd36964SEduard Zingerman __description("arithmetic ops make PTR_TO_CTX unusable")
24*fcd36964SEduard Zingerman __failure __msg("dereference of modified ctx ptr")
make_ptr_to_ctx_unusable(void)25*fcd36964SEduard Zingerman __naked void make_ptr_to_ctx_unusable(void)
26*fcd36964SEduard Zingerman {
27*fcd36964SEduard Zingerman asm volatile (" \
28*fcd36964SEduard Zingerman r1 += %[__imm_0]; \
29*fcd36964SEduard Zingerman r0 = *(u32*)(r1 + %[__sk_buff_mark]); \
30*fcd36964SEduard Zingerman exit; \
31*fcd36964SEduard Zingerman " :
32*fcd36964SEduard Zingerman : __imm_const(__imm_0,
33*fcd36964SEduard Zingerman offsetof(struct __sk_buff, data) - offsetof(struct __sk_buff, mark)),
34*fcd36964SEduard Zingerman __imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
35*fcd36964SEduard Zingerman : __clobber_all);
36*fcd36964SEduard Zingerman }
37*fcd36964SEduard Zingerman
38*fcd36964SEduard Zingerman SEC("tc")
39*fcd36964SEduard Zingerman __description("pass unmodified ctx pointer to helper")
40*fcd36964SEduard Zingerman __success __retval(0)
unmodified_ctx_pointer_to_helper(void)41*fcd36964SEduard Zingerman __naked void unmodified_ctx_pointer_to_helper(void)
42*fcd36964SEduard Zingerman {
43*fcd36964SEduard Zingerman asm volatile (" \
44*fcd36964SEduard Zingerman r2 = 0; \
45*fcd36964SEduard Zingerman call %[bpf_csum_update]; \
46*fcd36964SEduard Zingerman r0 = 0; \
47*fcd36964SEduard Zingerman exit; \
48*fcd36964SEduard Zingerman " :
49*fcd36964SEduard Zingerman : __imm(bpf_csum_update)
50*fcd36964SEduard Zingerman : __clobber_all);
51*fcd36964SEduard Zingerman }
52*fcd36964SEduard Zingerman
53*fcd36964SEduard Zingerman SEC("tc")
54*fcd36964SEduard Zingerman __description("pass modified ctx pointer to helper, 1")
55*fcd36964SEduard Zingerman __failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
ctx_pointer_to_helper_1(void)56*fcd36964SEduard Zingerman __naked void ctx_pointer_to_helper_1(void)
57*fcd36964SEduard Zingerman {
58*fcd36964SEduard Zingerman asm volatile (" \
59*fcd36964SEduard Zingerman r1 += -612; \
60*fcd36964SEduard Zingerman r2 = 0; \
61*fcd36964SEduard Zingerman call %[bpf_csum_update]; \
62*fcd36964SEduard Zingerman r0 = 0; \
63*fcd36964SEduard Zingerman exit; \
64*fcd36964SEduard Zingerman " :
65*fcd36964SEduard Zingerman : __imm(bpf_csum_update)
66*fcd36964SEduard Zingerman : __clobber_all);
67*fcd36964SEduard Zingerman }
68*fcd36964SEduard Zingerman
69*fcd36964SEduard Zingerman SEC("socket")
70*fcd36964SEduard Zingerman __description("pass modified ctx pointer to helper, 2")
71*fcd36964SEduard Zingerman __failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
72*fcd36964SEduard Zingerman __failure_unpriv __msg_unpriv("negative offset ctx ptr R1 off=-612 disallowed")
ctx_pointer_to_helper_2(void)73*fcd36964SEduard Zingerman __naked void ctx_pointer_to_helper_2(void)
74*fcd36964SEduard Zingerman {
75*fcd36964SEduard Zingerman asm volatile (" \
76*fcd36964SEduard Zingerman r1 += -612; \
77*fcd36964SEduard Zingerman call %[bpf_get_socket_cookie]; \
78*fcd36964SEduard Zingerman r0 = 0; \
79*fcd36964SEduard Zingerman exit; \
80*fcd36964SEduard Zingerman " :
81*fcd36964SEduard Zingerman : __imm(bpf_get_socket_cookie)
82*fcd36964SEduard Zingerman : __clobber_all);
83*fcd36964SEduard Zingerman }
84*fcd36964SEduard Zingerman
85*fcd36964SEduard Zingerman SEC("tc")
86*fcd36964SEduard Zingerman __description("pass modified ctx pointer to helper, 3")
87*fcd36964SEduard Zingerman __failure __msg("variable ctx access var_off=(0x0; 0x4)")
ctx_pointer_to_helper_3(void)88*fcd36964SEduard Zingerman __naked void ctx_pointer_to_helper_3(void)
89*fcd36964SEduard Zingerman {
90*fcd36964SEduard Zingerman asm volatile (" \
91*fcd36964SEduard Zingerman r3 = *(u32*)(r1 + 0); \
92*fcd36964SEduard Zingerman r3 &= 4; \
93*fcd36964SEduard Zingerman r1 += r3; \
94*fcd36964SEduard Zingerman r2 = 0; \
95*fcd36964SEduard Zingerman call %[bpf_csum_update]; \
96*fcd36964SEduard Zingerman r0 = 0; \
97*fcd36964SEduard Zingerman exit; \
98*fcd36964SEduard Zingerman " :
99*fcd36964SEduard Zingerman : __imm(bpf_csum_update)
100*fcd36964SEduard Zingerman : __clobber_all);
101*fcd36964SEduard Zingerman }
102*fcd36964SEduard Zingerman
103*fcd36964SEduard Zingerman SEC("cgroup/sendmsg6")
104*fcd36964SEduard Zingerman __description("pass ctx or null check, 1: ctx")
105*fcd36964SEduard Zingerman __success
or_null_check_1_ctx(void)106*fcd36964SEduard Zingerman __naked void or_null_check_1_ctx(void)
107*fcd36964SEduard Zingerman {
108*fcd36964SEduard Zingerman asm volatile (" \
109*fcd36964SEduard Zingerman call %[bpf_get_netns_cookie]; \
110*fcd36964SEduard Zingerman r0 = 0; \
111*fcd36964SEduard Zingerman exit; \
112*fcd36964SEduard Zingerman " :
113*fcd36964SEduard Zingerman : __imm(bpf_get_netns_cookie)
114*fcd36964SEduard Zingerman : __clobber_all);
115*fcd36964SEduard Zingerman }
116*fcd36964SEduard Zingerman
117*fcd36964SEduard Zingerman SEC("cgroup/sendmsg6")
118*fcd36964SEduard Zingerman __description("pass ctx or null check, 2: null")
119*fcd36964SEduard Zingerman __success
or_null_check_2_null(void)120*fcd36964SEduard Zingerman __naked void or_null_check_2_null(void)
121*fcd36964SEduard Zingerman {
122*fcd36964SEduard Zingerman asm volatile (" \
123*fcd36964SEduard Zingerman r1 = 0; \
124*fcd36964SEduard Zingerman call %[bpf_get_netns_cookie]; \
125*fcd36964SEduard Zingerman r0 = 0; \
126*fcd36964SEduard Zingerman exit; \
127*fcd36964SEduard Zingerman " :
128*fcd36964SEduard Zingerman : __imm(bpf_get_netns_cookie)
129*fcd36964SEduard Zingerman : __clobber_all);
130*fcd36964SEduard Zingerman }
131*fcd36964SEduard Zingerman
132*fcd36964SEduard Zingerman SEC("cgroup/sendmsg6")
133*fcd36964SEduard Zingerman __description("pass ctx or null check, 3: 1")
134*fcd36964SEduard Zingerman __failure __msg("R1 type=scalar expected=ctx")
or_null_check_3_1(void)135*fcd36964SEduard Zingerman __naked void or_null_check_3_1(void)
136*fcd36964SEduard Zingerman {
137*fcd36964SEduard Zingerman asm volatile (" \
138*fcd36964SEduard Zingerman r1 = 1; \
139*fcd36964SEduard Zingerman call %[bpf_get_netns_cookie]; \
140*fcd36964SEduard Zingerman r0 = 0; \
141*fcd36964SEduard Zingerman exit; \
142*fcd36964SEduard Zingerman " :
143*fcd36964SEduard Zingerman : __imm(bpf_get_netns_cookie)
144*fcd36964SEduard Zingerman : __clobber_all);
145*fcd36964SEduard Zingerman }
146*fcd36964SEduard Zingerman
147*fcd36964SEduard Zingerman SEC("cgroup/sendmsg6")
148*fcd36964SEduard Zingerman __description("pass ctx or null check, 4: ctx - const")
149*fcd36964SEduard Zingerman __failure __msg("negative offset ctx ptr R1 off=-612 disallowed")
null_check_4_ctx_const(void)150*fcd36964SEduard Zingerman __naked void null_check_4_ctx_const(void)
151*fcd36964SEduard Zingerman {
152*fcd36964SEduard Zingerman asm volatile (" \
153*fcd36964SEduard Zingerman r1 += -612; \
154*fcd36964SEduard Zingerman call %[bpf_get_netns_cookie]; \
155*fcd36964SEduard Zingerman r0 = 0; \
156*fcd36964SEduard Zingerman exit; \
157*fcd36964SEduard Zingerman " :
158*fcd36964SEduard Zingerman : __imm(bpf_get_netns_cookie)
159*fcd36964SEduard Zingerman : __clobber_all);
160*fcd36964SEduard Zingerman }
161*fcd36964SEduard Zingerman
162*fcd36964SEduard Zingerman SEC("cgroup/connect4")
163*fcd36964SEduard Zingerman __description("pass ctx or null check, 5: null (connect)")
164*fcd36964SEduard Zingerman __success
null_check_5_null_connect(void)165*fcd36964SEduard Zingerman __naked void null_check_5_null_connect(void)
166*fcd36964SEduard Zingerman {
167*fcd36964SEduard Zingerman asm volatile (" \
168*fcd36964SEduard Zingerman r1 = 0; \
169*fcd36964SEduard Zingerman call %[bpf_get_netns_cookie]; \
170*fcd36964SEduard Zingerman r0 = 0; \
171*fcd36964SEduard Zingerman exit; \
172*fcd36964SEduard Zingerman " :
173*fcd36964SEduard Zingerman : __imm(bpf_get_netns_cookie)
174*fcd36964SEduard Zingerman : __clobber_all);
175*fcd36964SEduard Zingerman }
176*fcd36964SEduard Zingerman
177*fcd36964SEduard Zingerman SEC("cgroup/post_bind4")
178*fcd36964SEduard Zingerman __description("pass ctx or null check, 6: null (bind)")
179*fcd36964SEduard Zingerman __success
null_check_6_null_bind(void)180*fcd36964SEduard Zingerman __naked void null_check_6_null_bind(void)
181*fcd36964SEduard Zingerman {
182*fcd36964SEduard Zingerman asm volatile (" \
183*fcd36964SEduard Zingerman r1 = 0; \
184*fcd36964SEduard Zingerman call %[bpf_get_netns_cookie]; \
185*fcd36964SEduard Zingerman r0 = 0; \
186*fcd36964SEduard Zingerman exit; \
187*fcd36964SEduard Zingerman " :
188*fcd36964SEduard Zingerman : __imm(bpf_get_netns_cookie)
189*fcd36964SEduard Zingerman : __clobber_all);
190*fcd36964SEduard Zingerman }
191*fcd36964SEduard Zingerman
192*fcd36964SEduard Zingerman SEC("cgroup/post_bind4")
193*fcd36964SEduard Zingerman __description("pass ctx or null check, 7: ctx (bind)")
194*fcd36964SEduard Zingerman __success
null_check_7_ctx_bind(void)195*fcd36964SEduard Zingerman __naked void null_check_7_ctx_bind(void)
196*fcd36964SEduard Zingerman {
197*fcd36964SEduard Zingerman asm volatile (" \
198*fcd36964SEduard Zingerman call %[bpf_get_socket_cookie]; \
199*fcd36964SEduard Zingerman r0 = 0; \
200*fcd36964SEduard Zingerman exit; \
201*fcd36964SEduard Zingerman " :
202*fcd36964SEduard Zingerman : __imm(bpf_get_socket_cookie)
203*fcd36964SEduard Zingerman : __clobber_all);
204*fcd36964SEduard Zingerman }
205*fcd36964SEduard Zingerman
206*fcd36964SEduard Zingerman SEC("cgroup/post_bind4")
207*fcd36964SEduard Zingerman __description("pass ctx or null check, 8: null (bind)")
208*fcd36964SEduard Zingerman __failure __msg("R1 type=scalar expected=ctx")
null_check_8_null_bind(void)209*fcd36964SEduard Zingerman __naked void null_check_8_null_bind(void)
210*fcd36964SEduard Zingerman {
211*fcd36964SEduard Zingerman asm volatile (" \
212*fcd36964SEduard Zingerman r1 = 0; \
213*fcd36964SEduard Zingerman call %[bpf_get_socket_cookie]; \
214*fcd36964SEduard Zingerman r0 = 0; \
215*fcd36964SEduard Zingerman exit; \
216*fcd36964SEduard Zingerman " :
217*fcd36964SEduard Zingerman : __imm(bpf_get_socket_cookie)
218*fcd36964SEduard Zingerman : __clobber_all);
219*fcd36964SEduard Zingerman }
220*fcd36964SEduard Zingerman
221*fcd36964SEduard Zingerman char _license[] SEC("license") = "GPL";
222