// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/int_ptr.c */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

/*
 * Verifier tests for the pointer-to-long output argument of bpf_strtoul().
 *
 * Every program below builds the same call: r1 = buf, r2 = buf_len (4),
 * r3 = flags (0), r4 = res. Only the stack slot that r4 points at changes
 * from test to test: whether it was written, how much of it was written,
 * its alignment, and whether 8 bytes fit between it and the frame pointer
 * (r10). The annotations on each program (__success, __failure, __msg, ...;
 * defined in bpf_misc.h, not shown here) carry the expected load result
 * and the expected verifier log text.
 *
 * buf always holds 0x00303036 stored as a u64; on a little-endian target
 * the first four bytes are '6', '0', '0', NUL.
 */

/*
 * res points at fp-16 and no instruction writes that slot before the call.
 * Expected: load is rejected, with the log naming R4, offset -16+0, size 8.
 * NOTE(review): the "+0" looks like the index of the first unwritten byte
 * inside the 8-byte window - compare "+4" in the next test; confirm against
 * the verifier source.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG uninitialized")
__failure __msg("invalid indirect read from stack R4 off -16+0 size 8")
__naked void arg_ptr_to_long_uninitialized(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -8;					\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * res points at fp-16, but only a u32 is stored there (r0 still holds
 * 0x00303036), so fp-16..fp-13 are written and fp-12..fp-9 are not.
 * Expected: accepted when loaded privileged, returning 0; rejected when
 * loaded unprivileged, with the log pointing at offset -16+4, which lines
 * up with the first byte the u32 store did not cover.
 * NOTE(review): presumably the unprivileged rejection exists so stale
 * stack contents cannot be read through the helper - confirm.
 */
SEC("socket")
__description("ARG_PTR_TO_LONG half-uninitialized")
/* in privileged mode reads from uninitialized stack locations are permitted */
__success __failure_unpriv
__msg_unpriv("invalid indirect read from stack R4 off -16+4 size 8")
__retval(0)
__naked void ptr_to_long_half_uninitialized(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -8;					\
	*(u32*)(r7 + 0) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 0;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * res points at fp-20 (fp-8 then -12). The two zero stores - a u32 at
 * fp-20 and a u64 at fp-16 - write every byte from fp-20 to fp-9, so the
 * 8-byte window starting at fp-20 is fully written. What is left for the
 * verifier to object to is the address itself: -20 is not a multiple of 8.
 * Expected: load is rejected with a "misaligned stack access" message for
 * offset -20, size 8.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG misaligned")
__failure __msg("misaligned stack access off (0x0; 0x0)+-20+0 size 8")
__naked void arg_ptr_to_long_misaligned(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -12;					\
	r0 = 0;						\
	*(u32*)(r7 + 0) = r0;				\
	*(u64*)(r7 + 4) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * Here buf sits at fp-16 rather than fp-8, and res points at fp-4
 * (fp-16 then +12). The u32 store writes fp-4..fp-1, but an 8-byte access
 * starting at fp-4 would run four bytes past r10, the top of the frame.
 * Expected: load is rejected with "invalid indirect access to stack" for
 * off=-4 size=8, i.e. a bounds failure rather than an initialization one.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG size < sizeof(long)")
__failure __msg("invalid indirect access to stack R4 off=-4 size=8")
__naked void to_long_size_sizeof_long(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -16;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += 12;					\
	*(u32*)(r7 + 0) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * Positive control: res points at fp-16 and the whole slot is written
 * with a u64 store before the call, so the window is fully written, at an
 * offset that is a multiple of 8, and ends below r10.
 * Expected: load succeeds.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG initialized")
__success
__naked void arg_ptr_to_long_initialized(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -8;					\
	*(u64*)(r7 + 0) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

char _license[] SEC("license") = "GPL";