tools/testing/selftests/bpf/verifier/precise.c

   1 {
   2         "precise: test 1",
   3         .insns = {
   4         BPF_MOV64_IMM(BPF_REG_0, 1),
   5         BPF_LD_MAP_FD(BPF_REG_6, 0),
   6         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
   7         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
   8         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
   9         BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
  10         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
  11         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  12         BPF_EXIT_INSN(),
  13
  14         BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
  15
  16         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
  17         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
  18         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  19         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
  20         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  21         BPF_EXIT_INSN(),
  22
  23         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
  24
  25         BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
  26         BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
  27         BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
  28         BPF_EXIT_INSN(),
  29
  30         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=inv(umin=1, umax=8) */
  31         BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
  32         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
  33         BPF_MOV64_IMM(BPF_REG_3, 0),
  34         BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
  35         BPF_EXIT_INSN(),
  36         },
  37         .prog_type = BPF_PROG_TYPE_TRACEPOINT,
  38         .fixup_map_array_48b = { 1 },
  39         .result = VERBOSE_ACCEPT,
  40         .errstr =
  41         "26: (85) call bpf_probe_read_kernel#113\
  42         last_idx 26 first_idx 20\
  43         regs=4 stack=0 before 25\
  44         regs=4 stack=0 before 24\
  45         regs=4 stack=0 before 23\
  46         regs=4 stack=0 before 22\
  47         regs=4 stack=0 before 20\
  48         parent didn't have regs=4 stack=0 marks\
  49         last_idx 19 first_idx 10\
  50         regs=4 stack=0 before 19\
  51         regs=200 stack=0 before 18\
  52         regs=300 stack=0 before 17\
  53         regs=201 stack=0 before 15\
  54         regs=201 stack=0 before 14\
  55         regs=200 stack=0 before 13\
  56         regs=200 stack=0 before 12\
  57         regs=200 stack=0 before 11\
  58         regs=200 stack=0 before 10\
  59         parent already had regs=0 stack=0 marks",
  60 },
  61 {
  62         "precise: test 2",
  63         .insns = {
  64         BPF_MOV64_IMM(BPF_REG_0, 1),
  65         BPF_LD_MAP_FD(BPF_REG_6, 0),
  66         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
  67         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
  68         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  69         BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
  70         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
  71         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  72         BPF_EXIT_INSN(),
  73
  74         BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),
  75
  76         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
  77         BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
  78         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  79         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
  80         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  81         BPF_EXIT_INSN(),
  82
  83         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
  84
  85         BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
  86         BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
  87         BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
  88         BPF_EXIT_INSN(),
  89
  90         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=inv(umin=1, umax=8) */
  91         BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
  92         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
  93         BPF_MOV64_IMM(BPF_REG_3, 0),
  94         BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
  95         BPF_EXIT_INSN(),
  96         },
  97         .prog_type = BPF_PROG_TYPE_TRACEPOINT,
  98         .fixup_map_array_48b = { 1 },
  99         .result = VERBOSE_ACCEPT,
 100         .flags = BPF_F_TEST_STATE_FREQ,
 101         .errstr =
 102         "26: (85) call bpf_probe_read_kernel#113\
 103         last_idx 26 first_idx 22\
 104         regs=4 stack=0 before 25\
 105         regs=4 stack=0 before 24\
 106         regs=4 stack=0 before 23\
 107         regs=4 stack=0 before 22\
 108         parent didn't have regs=4 stack=0 marks\
 109         last_idx 20 first_idx 20\
 110         regs=4 stack=0 before 20\
 111         parent didn't have regs=4 stack=0 marks\
 112         last_idx 19 first_idx 17\
 113         regs=4 stack=0 before 19\
 114         regs=200 stack=0 before 18\
 115         regs=300 stack=0 before 17\
 116         parent already had regs=0 stack=0 marks",
 117 },
 118 {
 119         "precise: cross frame pruning",
 120         .insns = {
 121         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
 122         BPF_MOV64_IMM(BPF_REG_8, 0),
 123         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 124         BPF_MOV64_IMM(BPF_REG_8, 1),
 125         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
 126         BPF_MOV64_IMM(BPF_REG_9, 0),
 127         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
 128         BPF_MOV64_IMM(BPF_REG_9, 1),
 129         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
 130         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
 131         BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
 132         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
 133         BPF_MOV64_IMM(BPF_REG_0, 0),
 134         BPF_EXIT_INSN(),
 135         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
 136         BPF_EXIT_INSN(),
 137         },
 138         .prog_type = BPF_PROG_TYPE_XDP,
 139         .flags = BPF_F_TEST_STATE_FREQ,
 140         .errstr = "!read_ok",
 141         .result = REJECT,
 142 },
 143 {
 144         "precise: ST insn causing spi > allocated_stack",
 145         .insns = {
 146         BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
 147         BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
 148         BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
 149         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
 150         BPF_MOV64_IMM(BPF_REG_0, -1),
 151         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
 152         BPF_EXIT_INSN(),
 153         },
 154         .prog_type = BPF_PROG_TYPE_XDP,
 155         .flags = BPF_F_TEST_STATE_FREQ,
 156         .errstr = "5: (2d) if r4 > r0 goto pc+0\
 157         last_idx 5 first_idx 5\
 158         parent didn't have regs=10 stack=0 marks\
 159         last_idx 4 first_idx 2\
 160         regs=10 stack=0 before 4\
 161         regs=10 stack=0 before 3\
 162         regs=0 stack=1 before 2\
 163         last_idx 5 first_idx 5\
 164         parent didn't have regs=1 stack=0 marks",
 165         .result = VERBOSE_ACCEPT,
 166         .retval = -1,
 167 },
 168 {
 169         "precise: STX insn causing spi > allocated_stack",
 170         .insns = {
 171         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
 172         BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
 173         BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
 174         BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
 175         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
 176         BPF_MOV64_IMM(BPF_REG_0, -1),
 177         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
 178         BPF_EXIT_INSN(),
 179         },
 180         .prog_type = BPF_PROG_TYPE_XDP,
 181         .flags = BPF_F_TEST_STATE_FREQ,
 182         .errstr = "last_idx 6 first_idx 6\
 183         parent didn't have regs=10 stack=0 marks\
 184         last_idx 5 first_idx 3\
 185         regs=10 stack=0 before 5\
 186         regs=10 stack=0 before 4\
 187         regs=0 stack=1 before 3\
 188         last_idx 6 first_idx 6\
 189         parent didn't have regs=1 stack=0 marks\
 190         last_idx 5 first_idx 3\
 191         regs=1 stack=0 before 5",
 192         .result = VERBOSE_ACCEPT,
 193         .retval = -1,
 194 },