1 files changed, 120 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 10d44446e801..2fd90d456892 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6934,6 +6934,126 @@ static struct bpf_test tests[] = {
                .retval = 1,
        },
        {
+                "map access: mixing value pointer and scalar, 1",
+                .insns = {
+                        // load map value pointer into r0 and r2
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        // load some number from the map into r1
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
+                        // branch A
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_JMP_A(2),
+                        // branch B
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100000),
+                        // common instruction
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
+                        // branch A
+                        BPF_JMP_A(4),
+                        // branch B
+                        BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
+                        // verifier follows fall-through
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        // fake-dead code; targeted from branch A to
+                        // prevent dead code sanitization
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 1 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R2 tried to add from different pointers or scalars",
+                .retval = 0,
+        },
+        {
+                "map access: mixing value pointer and scalar, 2",
+                .insns = {
+                        // load map value pointer into r0 and r2
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        // load some number from the map into r1
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
+                        // branch A
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100000),
+                        BPF_JMP_A(2),
+                        // branch B
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        // common instruction
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
+                        // depending on r1, branch:
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
+                        // branch A
+                        BPF_JMP_A(4),
+                        // branch B
+                        BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
+                        // verifier follows fall-through
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        // fake-dead code; targeted from branch A to
+                        // prevent dead code sanitization
+                        BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 1 },
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .errstr_unpriv = "R2 tried to add from different maps or paths",
+                .retval = 0,
+        },
+        {
+                "sanitation: alu with different scalars",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
+                        BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100000),
+                        BPF_JMP_A(2),
+                        BPF_MOV64_IMM(BPF_REG_2, 42),
+                        BPF_MOV64_IMM(BPF_REG_3, 0x100001),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map_array_48b = { 1 },
+                .result = ACCEPT,
+                .retval = 0x100000,
+        },
+        {
                "map access: value_ptr += known scalar, upper oob arith, test 1",
                .insns = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 10d44446e801..2fd90d456892 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6934,6 +6934,126 @@ static struct bpf_test tests[] = {
6934	.retval = 1,	6934	.retval = 1,
6935	},	6935	},
6936	{	6936	{
		6937	"map access: mixing value pointer and scalar, 1",
		6938	.insns = {
		6939	// load map value pointer into r0 and r2
		6940	BPF_MOV64_IMM(BPF_REG_0, 1),
		6941	BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
		6942	BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
		6943	BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
		6944	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
		6945	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
		6946	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		6947	BPF_EXIT_INSN(),
		6948	// load some number from the map into r1
		6949	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
		6950	// depending on r1, branch:
		6951	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
		6952	// branch A
		6953	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
		6954	BPF_MOV64_IMM(BPF_REG_3, 0),
		6955	BPF_JMP_A(2),
		6956	// branch B
		6957	BPF_MOV64_IMM(BPF_REG_2, 0),
		6958	BPF_MOV64_IMM(BPF_REG_3, 0x100000),
		6959	// common instruction
		6960	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
		6961	// depending on r1, branch:
		6962	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
		6963	// branch A
		6964	BPF_JMP_A(4),
		6965	// branch B
		6966	BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
		6967	// verifier follows fall-through
		6968	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
		6969	BPF_MOV64_IMM(BPF_REG_0, 0),
		6970	BPF_EXIT_INSN(),
		6971	// fake-dead code; targeted from branch A to
		6972	// prevent dead code sanitization
		6973	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
		6974	BPF_MOV64_IMM(BPF_REG_0, 0),
		6975	BPF_EXIT_INSN(),
		6976	},
		6977	.fixup_map_array_48b = { 1 },
		6978	.result = ACCEPT,
		6979	.result_unpriv = REJECT,
		6980	.errstr_unpriv = "R2 tried to add from different pointers or scalars",
		6981	.retval = 0,
		6982	},
		6983	{
		6984	"map access: mixing value pointer and scalar, 2",
		6985	.insns = {
		6986	// load map value pointer into r0 and r2
		6987	BPF_MOV64_IMM(BPF_REG_0, 1),
		6988	BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
		6989	BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
		6990	BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
		6991	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
		6992	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
		6993	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		6994	BPF_EXIT_INSN(),
		6995	// load some number from the map into r1
		6996	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
		6997	// depending on r1, branch:
		6998	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
		6999	// branch A
		7000	BPF_MOV64_IMM(BPF_REG_2, 0),
		7001	BPF_MOV64_IMM(BPF_REG_3, 0x100000),
		7002	BPF_JMP_A(2),
		7003	// branch B
		7004	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
		7005	BPF_MOV64_IMM(BPF_REG_3, 0),
		7006	// common instruction
		7007	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
		7008	// depending on r1, branch:
		7009	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
		7010	// branch A
		7011	BPF_JMP_A(4),
		7012	// branch B
		7013	BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
		7014	// verifier follows fall-through
		7015	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
		7016	BPF_MOV64_IMM(BPF_REG_0, 0),
		7017	BPF_EXIT_INSN(),
		7018	// fake-dead code; targeted from branch A to
		7019	// prevent dead code sanitization
		7020	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
		7021	BPF_MOV64_IMM(BPF_REG_0, 0),
		7022	BPF_EXIT_INSN(),
		7023	},
		7024	.fixup_map_array_48b = { 1 },
		7025	.result = ACCEPT,
		7026	.result_unpriv = REJECT,
		7027	.errstr_unpriv = "R2 tried to add from different maps or paths",
		7028	.retval = 0,
		7029	},
		7030	{
		7031	"sanitation: alu with different scalars",
		7032	.insns = {
		7033	BPF_MOV64_IMM(BPF_REG_0, 1),
		7034	BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
		7035	BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
		7036	BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
		7037	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
		7038	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
		7039	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		7040	BPF_EXIT_INSN(),
		7041	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
		7042	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
		7043	BPF_MOV64_IMM(BPF_REG_2, 0),
		7044	BPF_MOV64_IMM(BPF_REG_3, 0x100000),
		7045	BPF_JMP_A(2),
		7046	BPF_MOV64_IMM(BPF_REG_2, 42),
		7047	BPF_MOV64_IMM(BPF_REG_3, 0x100001),
		7048	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
		7049	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
		7050	BPF_EXIT_INSN(),
		7051	},
		7052	.fixup_map_array_48b = { 1 },
		7053	.result = ACCEPT,
		7054	.retval = 0x100000,
		7055	},
		7056	{
6937	"map access: value_ptr += known scalar, upper oob arith, test 1",	7057	"map access: value_ptr += known scalar, upper oob arith, test 1",
6938	.insns = {	7058	.insns = {
6939	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),	7059	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),