xref: /OK3568_Linux_fs/kernel/tools/testing/selftests/bpf/verifier/ctx.c (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun {
2*4882a593Smuzhiyun 	"context stores via ST",
3*4882a593Smuzhiyun 	.insns = {
4*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 0),
5*4882a593Smuzhiyun 	BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
6*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
7*4882a593Smuzhiyun 	},
8*4882a593Smuzhiyun 	.errstr = "BPF_ST stores into R1 ctx is not allowed",
9*4882a593Smuzhiyun 	.result = REJECT,
10*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11*4882a593Smuzhiyun },
12*4882a593Smuzhiyun {
13*4882a593Smuzhiyun 	"context stores via XADD",
14*4882a593Smuzhiyun 	.insns = {
15*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 0),
16*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
17*4882a593Smuzhiyun 		     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
18*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
19*4882a593Smuzhiyun 	},
20*4882a593Smuzhiyun 	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
21*4882a593Smuzhiyun 	.result = REJECT,
22*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
23*4882a593Smuzhiyun },
24*4882a593Smuzhiyun {
25*4882a593Smuzhiyun 	"arithmetic ops make PTR_TO_CTX unusable",
26*4882a593Smuzhiyun 	.insns = {
27*4882a593Smuzhiyun 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
28*4882a593Smuzhiyun 			      offsetof(struct __sk_buff, data) -
29*4882a593Smuzhiyun 			      offsetof(struct __sk_buff, mark)),
30*4882a593Smuzhiyun 		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
31*4882a593Smuzhiyun 			    offsetof(struct __sk_buff, mark)),
32*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
33*4882a593Smuzhiyun 	},
34*4882a593Smuzhiyun 	.errstr = "dereference of modified ctx ptr",
35*4882a593Smuzhiyun 	.result = REJECT,
36*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
37*4882a593Smuzhiyun },
38*4882a593Smuzhiyun {
39*4882a593Smuzhiyun 	"pass unmodified ctx pointer to helper",
40*4882a593Smuzhiyun 	.insns = {
41*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_2, 0),
42*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
43*4882a593Smuzhiyun 			     BPF_FUNC_csum_update),
44*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
45*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
46*4882a593Smuzhiyun 	},
47*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
48*4882a593Smuzhiyun 	.result = ACCEPT,
49*4882a593Smuzhiyun },
50*4882a593Smuzhiyun {
51*4882a593Smuzhiyun 	"pass modified ctx pointer to helper, 1",
52*4882a593Smuzhiyun 	.insns = {
53*4882a593Smuzhiyun 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
54*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_2, 0),
55*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
56*4882a593Smuzhiyun 			     BPF_FUNC_csum_update),
57*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
58*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
59*4882a593Smuzhiyun 	},
60*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
61*4882a593Smuzhiyun 	.result = REJECT,
62*4882a593Smuzhiyun 	.errstr = "dereference of modified ctx ptr",
63*4882a593Smuzhiyun },
64*4882a593Smuzhiyun {
65*4882a593Smuzhiyun 	"pass modified ctx pointer to helper, 2",
66*4882a593Smuzhiyun 	.insns = {
67*4882a593Smuzhiyun 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
68*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
69*4882a593Smuzhiyun 			     BPF_FUNC_get_socket_cookie),
70*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
71*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
72*4882a593Smuzhiyun 	},
73*4882a593Smuzhiyun 	.result_unpriv = REJECT,
74*4882a593Smuzhiyun 	.result = REJECT,
75*4882a593Smuzhiyun 	.errstr_unpriv = "dereference of modified ctx ptr",
76*4882a593Smuzhiyun 	.errstr = "dereference of modified ctx ptr",
77*4882a593Smuzhiyun },
78*4882a593Smuzhiyun {
79*4882a593Smuzhiyun 	"pass modified ctx pointer to helper, 3",
80*4882a593Smuzhiyun 	.insns = {
81*4882a593Smuzhiyun 		BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
82*4882a593Smuzhiyun 		BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
83*4882a593Smuzhiyun 		BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
84*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_2, 0),
85*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
86*4882a593Smuzhiyun 			     BPF_FUNC_csum_update),
87*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
88*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
89*4882a593Smuzhiyun 	},
90*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
91*4882a593Smuzhiyun 	.result = REJECT,
92*4882a593Smuzhiyun 	.errstr = "variable ctx access var_off=(0x0; 0x4)",
93*4882a593Smuzhiyun },
94*4882a593Smuzhiyun {
95*4882a593Smuzhiyun 	"pass ctx or null check, 1: ctx",
96*4882a593Smuzhiyun 	.insns = {
97*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
98*4882a593Smuzhiyun 			     BPF_FUNC_get_netns_cookie),
99*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
100*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
101*4882a593Smuzhiyun 	},
102*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
103*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
104*4882a593Smuzhiyun 	.result = ACCEPT,
105*4882a593Smuzhiyun },
106*4882a593Smuzhiyun {
107*4882a593Smuzhiyun 	"pass ctx or null check, 2: null",
108*4882a593Smuzhiyun 	.insns = {
109*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_1, 0),
110*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
111*4882a593Smuzhiyun 			     BPF_FUNC_get_netns_cookie),
112*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
113*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
114*4882a593Smuzhiyun 	},
115*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
116*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
117*4882a593Smuzhiyun 	.result = ACCEPT,
118*4882a593Smuzhiyun },
119*4882a593Smuzhiyun {
120*4882a593Smuzhiyun 	"pass ctx or null check, 3: 1",
121*4882a593Smuzhiyun 	.insns = {
122*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_1, 1),
123*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124*4882a593Smuzhiyun 			     BPF_FUNC_get_netns_cookie),
125*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
126*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
127*4882a593Smuzhiyun 	},
128*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
129*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
130*4882a593Smuzhiyun 	.result = REJECT,
131*4882a593Smuzhiyun 	.errstr = "R1 type=inv expected=ctx",
132*4882a593Smuzhiyun },
133*4882a593Smuzhiyun {
134*4882a593Smuzhiyun 	"pass ctx or null check, 4: ctx - const",
135*4882a593Smuzhiyun 	.insns = {
136*4882a593Smuzhiyun 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
137*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
138*4882a593Smuzhiyun 			     BPF_FUNC_get_netns_cookie),
139*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
140*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
141*4882a593Smuzhiyun 	},
142*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
143*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
144*4882a593Smuzhiyun 	.result = REJECT,
145*4882a593Smuzhiyun 	.errstr = "dereference of modified ctx ptr",
146*4882a593Smuzhiyun },
147*4882a593Smuzhiyun {
148*4882a593Smuzhiyun 	"pass ctx or null check, 5: null (connect)",
149*4882a593Smuzhiyun 	.insns = {
150*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_1, 0),
151*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
152*4882a593Smuzhiyun 			     BPF_FUNC_get_netns_cookie),
153*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
154*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
155*4882a593Smuzhiyun 	},
156*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
157*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_INET4_CONNECT,
158*4882a593Smuzhiyun 	.result = ACCEPT,
159*4882a593Smuzhiyun },
160*4882a593Smuzhiyun {
161*4882a593Smuzhiyun 	"pass ctx or null check, 6: null (bind)",
162*4882a593Smuzhiyun 	.insns = {
163*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_1, 0),
164*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
165*4882a593Smuzhiyun 			     BPF_FUNC_get_netns_cookie),
166*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
167*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
168*4882a593Smuzhiyun 	},
169*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
170*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
171*4882a593Smuzhiyun 	.result = ACCEPT,
172*4882a593Smuzhiyun },
173*4882a593Smuzhiyun {
174*4882a593Smuzhiyun 	"pass ctx or null check, 7: ctx (bind)",
175*4882a593Smuzhiyun 	.insns = {
176*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
177*4882a593Smuzhiyun 			     BPF_FUNC_get_socket_cookie),
178*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
179*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
180*4882a593Smuzhiyun 	},
181*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
182*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
183*4882a593Smuzhiyun 	.result = ACCEPT,
184*4882a593Smuzhiyun },
185*4882a593Smuzhiyun {
186*4882a593Smuzhiyun 	"pass ctx or null check, 8: null (bind)",
187*4882a593Smuzhiyun 	.insns = {
188*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_1, 0),
189*4882a593Smuzhiyun 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
190*4882a593Smuzhiyun 			     BPF_FUNC_get_socket_cookie),
191*4882a593Smuzhiyun 		BPF_MOV64_IMM(BPF_REG_0, 0),
192*4882a593Smuzhiyun 		BPF_EXIT_INSN(),
193*4882a593Smuzhiyun 	},
194*4882a593Smuzhiyun 	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
195*4882a593Smuzhiyun 	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
196*4882a593Smuzhiyun 	.result = REJECT,
197*4882a593Smuzhiyun 	.errstr = "R1 type=inv expected=ctx",
198*4882a593Smuzhiyun },
199