// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/int_ptr.c */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

/*
 * Verifier expectations for the stack slot passed as the fourth argument
 * ("res", in r4) of bpf_strtoul().
 *
 * Every program below has the same shape, as labelled by the in-asm comments:
 *   r1 = buf      8 bytes on the stack holding the constant 0x00303036
 *                 (on a little-endian target the low bytes are '6','0','0',NUL)
 *   r2 = buf_len  4
 *   r3 = flags    0
 *   r4 = res      pointer to the stack slot under test
 * Only the preparation of the r4 slot differs: left untouched, half written,
 * misaligned, too close to the top of the frame, or fully written.
 *
 * The annotations on each program record the expected load result and, for
 * rejections, the verifier message. Two tests carry a separate *_unpriv
 * expectation: an uninitialised result slot is accepted for a privileged
 * loader but must be rejected for an unprivileged one.
 * NOTE(review): presumably the unprivileged rejection exists so that stale
 * stack contents cannot reach an unprivileged program; this file does not
 * state the rationale - confirm against the verifier source.
 */

/*
 * res slot at fp-16 is never written before the call.
 * Expected: load succeeds privileged; unprivileged load is rejected with an
 * "invalid indirect read" at offset -16+0, i.e. the first byte of the slot.
 * No __retval is declared here; the program itself returns 1.
 */
SEC("socket")
__description("ARG_PTR_TO_LONG uninitialized")
__success
__failure_unpriv __msg_unpriv("invalid indirect read from stack R4 off -16+0 size 8")
__naked void arg_ptr_to_long_uninitialized(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -8;					\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * res slot at fp-16 has only its low 4 bytes written (u32 store); bytes
 * fp-12..fp-9 stay uninitialised.
 * Expected: load succeeds privileged with return value 0; unprivileged load
 * is rejected at offset -16+4, the first byte that was not written.
 */
SEC("socket")
__description("ARG_PTR_TO_LONG half-uninitialized")
/* in privileged mode reads from uninitialized stack locations are permitted */
__success __failure_unpriv
__msg_unpriv("invalid indirect read from stack R4 off -16+4 size 8")
__retval(0)
__naked void ptr_to_long_half_uninitialized(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -8;					\
	*(u32*)(r7 + 0) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 0;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * res pointer is fp-20 (fp-8, then -12). The 12 bytes fp-20..fp-9 are all
 * zeroed first (u32 at fp-20, u64 at fp-16), so initialisation is not the
 * issue; fp-20 is simply not a multiple of 8.
 * Expected: load is rejected with "misaligned stack access" at -20, size 8.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG misaligned")
__failure __msg("misaligned stack access off (0x0; 0x0)+-20+0 size 8")
__naked void arg_ptr_to_long_misaligned(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -12;					\
	r0 = 0;						\
	*(u32*)(r7 + 0) = r0;				\
	*(u64*)(r7 + 4) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * buf sits at fp-16 here, and the res pointer is fp-4 (fp-16, then +12).
 * Only 4 bytes (fp-4..fp-1) lie between that pointer and the frame pointer,
 * so an 8-byte result would run past the top of the frame.
 * Expected: load is rejected with "invalid indirect access" at off=-4 size=8.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG size < sizeof(long)")
__failure __msg("invalid indirect access to stack R4 off=-4 size=8")
__naked void to_long_size_sizeof_long(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -16;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += 12;					\
	*(u32*)(r7 + 0) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/*
 * Baseline: res slot at fp-16 is written with a full u64 store before the
 * call, so it is initialised, 8-byte aligned and entirely inside the frame.
 * Expected: load succeeds.
 */
SEC("cgroup/sysctl")
__description("ARG_PTR_TO_LONG initialized")
__success
__naked void arg_ptr_to_long_initialized(void)
{
	asm volatile ("					\
	/* bpf_strtoul arg1 (buf) */			\
	r7 = r10;					\
	r7 += -8;					\
	r0 = 0x00303036;				\
	*(u64*)(r7 + 0) = r0;				\
	r1 = r7;					\
	/* bpf_strtoul arg2 (buf_len) */		\
	r2 = 4;						\
	/* bpf_strtoul arg3 (flags) */			\
	r3 = 0;						\
	/* bpf_strtoul arg4 (res) */			\
	r7 += -8;					\
	*(u64*)(r7 + 0) = r0;				\
	r4 = r7;					\
	/* bpf_strtoul() */				\
	call %[bpf_strtoul];				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm(bpf_strtoul)
	: __clobber_all);
}

/* License string placed in the "license" section of the object. */
char _license[] SEC("license") = "GPL";