linux/tools/testing/selftests/bpf/verifier/value_or_null.c

{
	"multiple registers share map_lookup_elem result",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},
{
	"alu ops on ptr_to_map_value_or_null, 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.errstr = "R4 pointer arithmetic on map_value_or_null",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},
{
	"alu ops on ptr_to_map_value_or_null, 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.errstr = "R4 pointer arithmetic on map_value_or_null",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},
{
	"alu ops on ptr_to_map_value_or_null, 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.errstr = "R4 pointer arithmetic on map_value_or_null",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},
{
	"invalid memory access with multiple map_lookup_elem calls",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.result = REJECT,
	.errstr = "R4 !read_ok",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},
{
	"valid indirect map_lookup_elem access with 2nd lookup in branch",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_IMM(BPF_REG_2, 10),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},
{
	"invalid map access from else condition",
	.insns = {
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
	BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_48b = { 3 },
	.errstr = "R0 unbounded memory access",
	.result = REJECT,
	.errstr_unpriv = "R0 leaks addr",
	.result_unpriv = REJECT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	"map lookup and null branch prediction",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 2),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_10, 10),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
selftests: bpf: break up test_verifier Break up the first 10 kLoC of test verifier test cases out into smaller files. Looks like git line counting gets a little flismy above 16 bit integers, so we need two commits to break up test_verifier. Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Acked-by: Jiong Wang <jiong.wang@netronome.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2019-01-25 15:24:43 -08:00			`{`
			`"multiple registers share map_lookup_elem result",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.result = ACCEPT,`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS`
			`},`
			`{`
			`"alu ops on ptr_to_map_value_or_null, 1",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.errstr = "R4 pointer arithmetic on map_value_or_null",`
			`.result = REJECT,`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS`
			`},`
			`{`
			`"alu ops on ptr_to_map_value_or_null, 2",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),`
			`BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.errstr = "R4 pointer arithmetic on map_value_or_null",`
			`.result = REJECT,`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS`
			`},`
			`{`
			`"alu ops on ptr_to_map_value_or_null, 3",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),`
			`BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.errstr = "R4 pointer arithmetic on map_value_or_null",`
			`.result = REJECT,`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS`
			`},`
			`{`
			`"invalid memory access with multiple map_lookup_elem calls",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),`
			`BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),`
			`BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.result = REJECT,`
			`.errstr = "R4 !read_ok",`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS`
			`},`
			`{`
			`"valid indirect map_lookup_elem access with 2nd lookup in branch",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),`
			`BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_IMM(BPF_REG_2, 10),`
			`BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),`
			`BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.result = ACCEPT,`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS`
			`},`
			`{`
			`"invalid map access from else condition",`
			`.insns = {`
			`BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),`
			`BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),`
			`BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),`
			`BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),`
			`BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),`
			`BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_48b = { 3 },`
			`.errstr = "R0 unbounded memory access",`
			`.result = REJECT,`
			`.errstr_unpriv = "R0 leaks addr",`
			`.result_unpriv = REJECT,`
			`.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,`
			`},`
bpf: Selftests, verifier case for non null pointer map value branch When we have pointer type that is known to be non-null we only follow the non-null branch. This adds tests to cover the map_value pointer returned from a map lookup. To force an error if both branches are followed we do an ALU op on R10. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andriin@fb.com> Link: https://lore.kernel.org/bpf/159009168650.6313.7434084136067263554.stgit@john-Precision-5820-Tower 2020-05-21 13:08:06 -07:00			`{`
			`"map lookup and null branch prediction",`
			`.insns = {`
			`BPF_MOV64_IMM(BPF_REG_1, 10),`
			`BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),`
			`BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),`
			`BPF_LD_MAP_FD(BPF_REG_1, 0),`
			`BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),`
			`BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),`
			`BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 2),`
			`BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1),`
			`BPF_ALU64_IMM(BPF_ADD, BPF_REG_10, 10),`
			`BPF_EXIT_INSN(),`
			`},`
			`.fixup_map_hash_8b = { 4 },`
			`.prog_type = BPF_PROG_TYPE_SCHED_CLS,`
			`.result = ACCEPT,`
			`},`