[mirror_ubuntu-jammy-kernel.git] / tools / testing / selftests / bpf / verifier / leak_ptr.c

{
	"leak pointer into ctx 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_1, BPF_REG_2,
		      offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 2 },
	.errstr_unpriv = "R2 leaks addr into mem",
	.result_unpriv = REJECT,
	.result = REJECT,
	.errstr = "BPF_ATOMIC stores into R1 ctx is not allowed",
},
{
	"leak pointer into ctx 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_1, BPF_REG_10,
		      offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R10 leaks addr into mem",
	.result_unpriv = REJECT,
	.result = REJECT,
	.errstr = "BPF_ATOMIC stores into R1 ctx is not allowed",
},
{
	"leak pointer into ctx 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
		      offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 1 },
	.errstr_unpriv = "R2 leaks addr into ctx",
	.result_unpriv = REJECT,
	.result = ACCEPT,
},
{
	"leak pointer into map val",
	.insns = {
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
	BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_0, BPF_REG_6, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.errstr_unpriv = "R6 leaks addr into mem",
	.result_unpriv = REJECT,
	.result = ACCEPT,
},
Commit	Line	Data
40f2fbd5 JK	1	{
	2	"leak pointer into ctx 1",
	3	.insns = {
	4	BPF_MOV64_IMM(BPF_REG_0, 0),
	5	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
	6	offsetof(struct __sk_buff, cb[0])),
	7	BPF_LD_MAP_FD(BPF_REG_2, 0),
91c960b0	8	BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_1, BPF_REG_2,
40f2fbd5 JK	9	offsetof(struct __sk_buff, cb[0])),
	10	BPF_EXIT_INSN(),
	11	},
	12	.fixup_map_hash_8b = { 2 },
	13	.errstr_unpriv = "R2 leaks addr into mem",
	14	.result_unpriv = REJECT,
	15	.result = REJECT,
91c960b0	16	.errstr = "BPF_ATOMIC stores into R1 ctx is not allowed",
40f2fbd5 JK	17	},
	18	{
	19	"leak pointer into ctx 2",
	20	.insns = {
	21	BPF_MOV64_IMM(BPF_REG_0, 0),
	22	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
	23	offsetof(struct __sk_buff, cb[0])),
91c960b0	24	BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_1, BPF_REG_10,
40f2fbd5 JK	25	offsetof(struct __sk_buff, cb[0])),
	26	BPF_EXIT_INSN(),
	27	},
	28	.errstr_unpriv = "R10 leaks addr into mem",
	29	.result_unpriv = REJECT,
	30	.result = REJECT,
91c960b0	31	.errstr = "BPF_ATOMIC stores into R1 ctx is not allowed",
40f2fbd5 JK	32	},
	33	{
	34	"leak pointer into ctx 3",
	35	.insns = {
	36	BPF_MOV64_IMM(BPF_REG_0, 0),
	37	BPF_LD_MAP_FD(BPF_REG_2, 0),
	38	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
	39	offsetof(struct __sk_buff, cb[0])),
	40	BPF_EXIT_INSN(),
	41	},
	42	.fixup_map_hash_8b = { 1 },
	43	.errstr_unpriv = "R2 leaks addr into ctx",
	44	.result_unpriv = REJECT,
	45	.result = ACCEPT,
	46	},
	47	{
	48	"leak pointer into map val",
	49	.insns = {
	50	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	51	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	52	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	53	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	54	BPF_LD_MAP_FD(BPF_REG_1, 0),
	55	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	56	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
	57	BPF_MOV64_IMM(BPF_REG_3, 0),
	58	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
91c960b0	59	BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_0, BPF_REG_6, 0),
40f2fbd5 JK	60	BPF_MOV64_IMM(BPF_REG_0, 0),
	61	BPF_EXIT_INSN(),
	62	},
	63	.fixup_map_hash_8b = { 4 },
	64	.errstr_unpriv = "R6 leaks addr into mem",
	65	.result_unpriv = REJECT,
	66	.result = ACCEPT,
	67	},