1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/int_ptr.c */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7 
8 SEC("socket")
9 __description("ARG_PTR_TO_LONG uninitialized")
10 __success
11 __failure_unpriv __msg_unpriv("invalid indirect read from stack R4 off -16+0 size 8")
12 __naked void arg_ptr_to_long_uninitialized(void)
13 {
14 	asm volatile ("					\
15 	/* bpf_strtoul arg1 (buf) */			\
16 	r7 = r10;					\
17 	r7 += -8;					\
18 	r0 = 0x00303036;				\
19 	*(u64*)(r7 + 0) = r0;				\
20 	r1 = r7;					\
21 	/* bpf_strtoul arg2 (buf_len) */		\
22 	r2 = 4;						\
23 	/* bpf_strtoul arg3 (flags) */			\
24 	r3 = 0;						\
25 	/* bpf_strtoul arg4 (res) */			\
26 	r7 += -8;					\
27 	r4 = r7;					\
28 	/* bpf_strtoul() */				\
29 	call %[bpf_strtoul];				\
30 	r0 = 1;						\
31 	exit;						\
32 "	:
33 	: __imm(bpf_strtoul)
34 	: __clobber_all);
35 }
36 
37 SEC("socket")
38 __description("ARG_PTR_TO_LONG half-uninitialized")
39 /* in privileged mode reads from uninitialized stack locations are permitted */
40 __success __failure_unpriv
41 __msg_unpriv("invalid indirect read from stack R4 off -16+4 size 8")
42 __retval(0)
43 __naked void ptr_to_long_half_uninitialized(void)
44 {
45 	asm volatile ("					\
46 	/* bpf_strtoul arg1 (buf) */			\
47 	r7 = r10;					\
48 	r7 += -8;					\
49 	r0 = 0x00303036;				\
50 	*(u64*)(r7 + 0) = r0;				\
51 	r1 = r7;					\
52 	/* bpf_strtoul arg2 (buf_len) */		\
53 	r2 = 4;						\
54 	/* bpf_strtoul arg3 (flags) */			\
55 	r3 = 0;						\
56 	/* bpf_strtoul arg4 (res) */			\
57 	r7 += -8;					\
58 	*(u32*)(r7 + 0) = r0;				\
59 	r4 = r7;					\
60 	/* bpf_strtoul() */				\
61 	call %[bpf_strtoul];				\
62 	r0 = 0;						\
63 	exit;						\
64 "	:
65 	: __imm(bpf_strtoul)
66 	: __clobber_all);
67 }
68 
69 SEC("cgroup/sysctl")
70 __description("ARG_PTR_TO_LONG misaligned")
71 __failure __msg("misaligned stack access off (0x0; 0x0)+-20+0 size 8")
72 __naked void arg_ptr_to_long_misaligned(void)
73 {
74 	asm volatile ("					\
75 	/* bpf_strtoul arg1 (buf) */			\
76 	r7 = r10;					\
77 	r7 += -8;					\
78 	r0 = 0x00303036;				\
79 	*(u64*)(r7 + 0) = r0;				\
80 	r1 = r7;					\
81 	/* bpf_strtoul arg2 (buf_len) */		\
82 	r2 = 4;						\
83 	/* bpf_strtoul arg3 (flags) */			\
84 	r3 = 0;						\
85 	/* bpf_strtoul arg4 (res) */			\
86 	r7 += -12;					\
87 	r0 = 0;						\
88 	*(u32*)(r7 + 0) = r0;				\
89 	*(u64*)(r7 + 4) = r0;				\
90 	r4 = r7;					\
91 	/* bpf_strtoul() */				\
92 	call %[bpf_strtoul];				\
93 	r0 = 1;						\
94 	exit;						\
95 "	:
96 	: __imm(bpf_strtoul)
97 	: __clobber_all);
98 }
99 
100 SEC("cgroup/sysctl")
101 __description("ARG_PTR_TO_LONG size < sizeof(long)")
102 __failure __msg("invalid indirect access to stack R4 off=-4 size=8")
103 __naked void to_long_size_sizeof_long(void)
104 {
105 	asm volatile ("					\
106 	/* bpf_strtoul arg1 (buf) */			\
107 	r7 = r10;					\
108 	r7 += -16;					\
109 	r0 = 0x00303036;				\
110 	*(u64*)(r7 + 0) = r0;				\
111 	r1 = r7;					\
112 	/* bpf_strtoul arg2 (buf_len) */		\
113 	r2 = 4;						\
114 	/* bpf_strtoul arg3 (flags) */			\
115 	r3 = 0;						\
116 	/* bpf_strtoul arg4 (res) */			\
117 	r7 += 12;					\
118 	*(u32*)(r7 + 0) = r0;				\
119 	r4 = r7;					\
120 	/* bpf_strtoul() */				\
121 	call %[bpf_strtoul];				\
122 	r0 = 1;						\
123 	exit;						\
124 "	:
125 	: __imm(bpf_strtoul)
126 	: __clobber_all);
127 }
128 
129 SEC("cgroup/sysctl")
130 __description("ARG_PTR_TO_LONG initialized")
131 __success
132 __naked void arg_ptr_to_long_initialized(void)
133 {
134 	asm volatile ("					\
135 	/* bpf_strtoul arg1 (buf) */			\
136 	r7 = r10;					\
137 	r7 += -8;					\
138 	r0 = 0x00303036;				\
139 	*(u64*)(r7 + 0) = r0;				\
140 	r1 = r7;					\
141 	/* bpf_strtoul arg2 (buf_len) */		\
142 	r2 = 4;						\
143 	/* bpf_strtoul arg3 (flags) */			\
144 	r3 = 0;						\
145 	/* bpf_strtoul arg4 (res) */			\
146 	r7 += -8;					\
147 	*(u64*)(r7 + 0) = r0;				\
148 	r4 = r7;					\
149 	/* bpf_strtoul() */				\
150 	call %[bpf_strtoul];				\
151 	r0 = 1;						\
152 	exit;						\
153 "	:
154 	: __imm(bpf_strtoul)
155 	: __clobber_all);
156 }
157 
158 char _license[] SEC("license") = "GPL";
159