tools/testing/selftests/bpf/verifier/ctx.c

   1 {
   2         "context stores via ST",
   3         .insns = {
   4         BPF_MOV64_IMM(BPF_REG_0, 0),
   5         BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
   6         BPF_EXIT_INSN(),
   7         },
   8         .errstr = "BPF_ST stores into R1 ctx is not allowed",
   9         .result = REJECT,
  10         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
  11 },
  12 {
  13         "context stores via XADD",
  14         .insns = {
  15         BPF_MOV64_IMM(BPF_REG_0, 0),
  16         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
  17                      BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
  18         BPF_EXIT_INSN(),
  19         },
  20         .errstr = "BPF_XADD stores into R1 ctx is not allowed",
  21         .result = REJECT,
  22         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
  23 },
  24 {
  25         "arithmetic ops make PTR_TO_CTX unusable",
  26         .insns = {
  27                 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
  28                               offsetof(struct __sk_buff, data) -
  29                               offsetof(struct __sk_buff, mark)),
  30                 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  31                             offsetof(struct __sk_buff, mark)),
  32                 BPF_EXIT_INSN(),
  33         },
  34         .errstr = "dereference of modified ctx ptr",
  35         .result = REJECT,
  36         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
  37 },
  38 {
  39         "pass unmodified ctx pointer to helper",
  40         .insns = {
  41                 BPF_MOV64_IMM(BPF_REG_2, 0),
  42                 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
  43                              BPF_FUNC_csum_update),
  44                 BPF_MOV64_IMM(BPF_REG_0, 0),
  45                 BPF_EXIT_INSN(),
  46         },
  47         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
  48         .result = ACCEPT,
  49 },
  50 {
  51         "pass modified ctx pointer to helper, 1",
  52         .insns = {
  53                 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
  54                 BPF_MOV64_IMM(BPF_REG_2, 0),
  55                 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
  56                              BPF_FUNC_csum_update),
  57                 BPF_MOV64_IMM(BPF_REG_0, 0),
  58                 BPF_EXIT_INSN(),
  59         },
  60         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
  61         .result = REJECT,
  62         .errstr = "dereference of modified ctx ptr",
  63 },
  64 {
  65         "pass modified ctx pointer to helper, 2",
  66         .insns = {
  67                 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
  68                 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
  69                              BPF_FUNC_get_socket_cookie),
  70                 BPF_MOV64_IMM(BPF_REG_0, 0),
  71                 BPF_EXIT_INSN(),
  72         },
  73         .result_unpriv = REJECT,
  74         .result = REJECT,
  75         .errstr_unpriv = "dereference of modified ctx ptr",
  76         .errstr = "dereference of modified ctx ptr",
  77 },
  78 {
  79         "pass modified ctx pointer to helper, 3",
  80         .insns = {
  81                 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
  82                 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
  83                 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
  84                 BPF_MOV64_IMM(BPF_REG_2, 0),
  85                 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
  86                              BPF_FUNC_csum_update),
  87                 BPF_MOV64_IMM(BPF_REG_0, 0),
  88                 BPF_EXIT_INSN(),
  89         },
  90         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
  91         .result = REJECT,
  92         .errstr = "variable ctx access var_off=(0x0; 0x4)",
  93 },