root/tools/testing/selftests/bpf/verifier/spill_fill.c

   1 {
             /* Baseline case: a pointer is spilled to the stack with a full
              * 8-byte store and filled back with a matching 8-byte load.
              * The expectations below imply the filled value is still
              * tracked as a pointer: returning it is accepted for a
              * privileged load and rejected for an unprivileged one with
              * "R0 leaks addr".
              */
   2         "check valid spill/fill",
   3         .insns = {
   4         /* spill R1(ctx) into stack */
   5         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
   6         /* fill it back into R2 */
   7         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
   8         /* should be able to access R0 = *(R2 + 8) */
   9         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
             /* The dereference above is disabled; the filled pointer itself
              * is copied to R0 and returned instead.
              */
  10         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
  11         BPF_EXIT_INSN(),
  12         },
             /* Unprivileged: returning a pointer in R0 would expose an
              * address to the caller, so the load must be refused.
              */
  13         .errstr_unpriv = "R0 leaks addr",
  14         .result = ACCEPT,
  15         .result_unpriv = REJECT,
             /* POINTER_VALUE is defined by the test harness, outside this
              * listing; presumably it marks a return value that cannot be
              * compared exactly - confirm against the harness.
              */
  16         .retval = POINTER_VALUE,
  17 },
  18 {
             /* A spilled and filled pointer must remain usable for a field
              * read. What is returned is the loaded 32-bit field, not the
              * pointer, and both privileged and unprivileged loads are
              * expected to be accepted.
              */
  19         "check valid spill/fill, skb mark",
  20         .insns = {
             /* copy R1 into R6, then spill R6 to the 8-byte slot at R10 - 8 */
  21         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
  22         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
             /* fill the slot back into R0 with a matching 8-byte load */
  23         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
             /* R0 = 32-bit load through the filled pointer at the offset of
              * 'mark' in struct __sk_buff
              */
  24         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
  25                     offsetof(struct __sk_buff, mark)),
  26         BPF_EXIT_INSN(),
  27         },
  28         .result = ACCEPT,
  29         .result_unpriv = ACCEPT,
  30 },
  31 {
             /* A single byte inside a spilled-pointer slot is overwritten
              * before the slot is filled and dereferenced. Two different
              * rejections are expected: the unprivileged message refers to
              * the partial overwrite itself, the privileged one to the
              * later load through a value that is no longer a pointer.
              */
  32         "check corrupted spill/fill",
  33         .insns = {
  34         /* spill R1(ctx) into stack */
  35         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
  36         /* mess up with R1 pointer on stack */
             /* one-byte store at R10 - 7, i.e. inside the slot written above */
  37         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
  38         /* fill back into R0 is fine for priv.
  39          * R0 now becomes SCALAR_VALUE.
  40          */
  41         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
  42         /* Load from R0 should fail. */
  43         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
  44         BPF_EXIT_INSN(),
  45         },
             /* unprivileged: expected to be refused with this message */
  46         .errstr_unpriv = "attempt to corrupt spilled",
             /* privileged: expected to be refused at the load through R0;
              * the string stops mid-word, so it is presumably matched as a
              * substring of the verifier log - confirm against the harness
              */
  47         .errstr = "R0 invalid mem access 'inv",
             /* No .result_unpriv is given; presumably the harness falls
              * back to .result (REJECT) for the unprivileged run - confirm.
              */
  48         .result = REJECT,
             /* NOTE(review): why this entry needs efficient unaligned
              * access is not evident from the listing - confirm.
              */
  49         .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
  50 },
  51 {
             /* The first two bytes of a spilled-pointer slot ("LSB" per the
              * test name) are overwritten with a constant, then the whole
              * slot is filled and returned without being dereferenced.
              * Expected: the unprivileged load is rejected for the partial
              * overwrite, the privileged load is accepted.
              */
  52         "check corrupted spill/fill, LSB",
  53         .insns = {
             /* spill R1 to the 8-byte slot at R10 - 8 */
  54         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
             /* 2-byte store of 0xcafe at R10 - 8, the start of that slot */
  55         BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
             /* fill the full 8 bytes into R0 and return it */
  56         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
  57         BPF_EXIT_INSN(),
  58         },
  59         .errstr_unpriv = "attempt to corrupt spilled",
  60         .result_unpriv = REJECT,
  61         .result = ACCEPT,
             /* POINTER_VALUE is defined by the test harness, outside this
              * listing; the bytes not overwritten still come from the
              * spilled R1.
              */
  62         .retval = POINTER_VALUE,
  63 },
  64 {
             /* Counterpart of the LSB case: the last four bytes of the
              * spilled-pointer slot ("MSB" per the test name) are
              * overwritten, then the whole slot is filled and returned
              * without being dereferenced. Expected: the unprivileged load
              * is rejected for the partial overwrite, the privileged load
              * is accepted.
              */
  65         "check corrupted spill/fill, MSB",
  66         .insns = {
             /* spill R1 to the 8-byte slot at R10 - 8 */
  67         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
             /* 4-byte store of 0x12345678 at R10 - 4, the upper half of that slot */
  68         BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
             /* fill the full 8 bytes into R0 and return it */
  69         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
  70         BPF_EXIT_INSN(),
  71         },
  72         .errstr_unpriv = "attempt to corrupt spilled",
  73         .result_unpriv = REJECT,
  74         .result = ACCEPT,
             /* POINTER_VALUE is defined by the test harness, outside this
              * listing; the bytes not overwritten still come from the
              * spilled R1.
              */
  75         .retval = POINTER_VALUE,
  76 },
