xref: /OK3568_Linux_fs/kernel/tools/testing/selftests/bpf/verifier/map_ptr.c (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun {
2*4882a593Smuzhiyun 	"bpf_map_ptr: read with negative offset rejected",
3*4882a593Smuzhiyun 	.insns = {
4*4882a593Smuzhiyun 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_1, 0),
6*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
7*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
8*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
9*4882a593Smuzhiyun 	},
10*4882a593Smuzhiyun 	.fixup_map_array_48b = { 1 },
11*4882a593Smuzhiyun 	.result_unpriv = REJECT,
12*4882a593Smuzhiyun 	.errstr_unpriv = "bpf_array access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN",
13*4882a593Smuzhiyun 	.result = REJECT,
14*4882a593Smuzhiyun 	.errstr = "R1 is bpf_array invalid negative access: off=-8",
15*4882a593Smuzhiyun },
16*4882a593Smuzhiyun {
17*4882a593Smuzhiyun 	"bpf_map_ptr: write rejected",
18*4882a593Smuzhiyun 	.insns = {
19*4882a593Smuzhiyun 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
20*4882a593Smuzhiyun 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
21*4882a593Smuzhiyun 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
22*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_1, 0),
23*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
24*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
25*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
26*4882a593Smuzhiyun 	},
27*4882a593Smuzhiyun 	.fixup_map_array_48b = { 3 },
28*4882a593Smuzhiyun 	.result_unpriv = REJECT,
29*4882a593Smuzhiyun 	.errstr_unpriv = "bpf_array access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN",
30*4882a593Smuzhiyun 	.result = REJECT,
31*4882a593Smuzhiyun 	.errstr = "only read from bpf_array is supported",
32*4882a593Smuzhiyun },
33*4882a593Smuzhiyun {
34*4882a593Smuzhiyun 	"bpf_map_ptr: read non-existent field rejected",
35*4882a593Smuzhiyun 	.insns = {
36*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_6, 0),
37*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_1, 0),
38*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 1),
39*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
40*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
41*4882a593Smuzhiyun 	},
42*4882a593Smuzhiyun 	.fixup_map_array_48b = { 1 },
43*4882a593Smuzhiyun 	.result_unpriv = REJECT,
44*4882a593Smuzhiyun 	.errstr_unpriv = "bpf_array access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN",
45*4882a593Smuzhiyun 	.result = REJECT,
46*4882a593Smuzhiyun 	.errstr = "cannot access ptr member ops with moff 0 in struct bpf_map with off 1 size 4",
47*4882a593Smuzhiyun },
48*4882a593Smuzhiyun {
49*4882a593Smuzhiyun 	"bpf_map_ptr: read ops field accepted",
50*4882a593Smuzhiyun 	.insns = {
51*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_6, 0),
52*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_1, 0),
53*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
54*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
55*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
56*4882a593Smuzhiyun 	},
57*4882a593Smuzhiyun 	.fixup_map_array_48b = { 1 },
58*4882a593Smuzhiyun 	.result_unpriv = REJECT,
59*4882a593Smuzhiyun 	.errstr_unpriv = "bpf_array access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN",
60*4882a593Smuzhiyun 	.result = ACCEPT,
61*4882a593Smuzhiyun 	.retval = 1,
62*4882a593Smuzhiyun },
63*4882a593Smuzhiyun {
64*4882a593Smuzhiyun 	"bpf_map_ptr: r = 0, map_ptr = map_ptr + r",
65*4882a593Smuzhiyun 	.insns = {
66*4882a593Smuzhiyun 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
67*4882a593Smuzhiyun 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
68*4882a593Smuzhiyun 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
69*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 0),
70*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_1, 0),
71*4882a593Smuzhiyun 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
72*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
73*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 0),
74*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
75*4882a593Smuzhiyun 	},
76*4882a593Smuzhiyun 	.fixup_map_hash_16b = { 4 },
77*4882a593Smuzhiyun 	.result_unpriv = REJECT,
78*4882a593Smuzhiyun 	.errstr_unpriv = "R1 has pointer with unsupported alu operation",
79*4882a593Smuzhiyun 	.result = ACCEPT,
80*4882a593Smuzhiyun },
81*4882a593Smuzhiyun {
82*4882a593Smuzhiyun 	"bpf_map_ptr: r = 0, r = r + map_ptr",
83*4882a593Smuzhiyun 	.insns = {
84*4882a593Smuzhiyun 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
85*4882a593Smuzhiyun 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
86*4882a593Smuzhiyun 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
87*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_1, 0),
88*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_0, 0),
89*4882a593Smuzhiyun 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
90*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
91*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 0),
92*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
93*4882a593Smuzhiyun 	},
94*4882a593Smuzhiyun 	.fixup_map_hash_16b = { 4 },
95*4882a593Smuzhiyun 	.result_unpriv = REJECT,
96*4882a593Smuzhiyun 	.errstr_unpriv = "R0 has pointer with unsupported alu operation",
97*4882a593Smuzhiyun 	.result = ACCEPT,
98*4882a593Smuzhiyun },
99