Commit 1a3148fc authored by Xu Kuohai's avatar Xu Kuohai Committed by Andrii Nakryiko
Browse files

selftests/bpf: Check when bounds are not in the 32-bit range 



Add cases to check if bound is updated correctly when 64-bit value is
not in the 32-bit range.

Signed-off-by: default avatarXu Kuohai <xukuohai@huawei.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20230322213056.2470-2-daniel@iogearbox.net
parent 7be14c1c

tools/testing/selftests/bpf/verifier/bounds.c

+121 −0
Original line number Diff line number Diff line
@@ -753,3 +753,124 @@ 
	.result_unpriv = REJECT,

	.result = ACCEPT,

},

{

	"bound check with JMP_JLT for crossing 64-bit signed boundary",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct xdp_md, data)),

	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, offsetof(struct xdp_md, data_end)),

	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),

	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 8),



	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),

	BPF_LD_IMM64(BPF_REG_0, 0x7fffffffffffff10),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),



	BPF_LD_IMM64(BPF_REG_0, 0x8000000000000000),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),

	/* r1 unsigned range is [0x7fffffffffffff10, 0x800000000000000f] */

	BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_1, -2),



	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.result = ACCEPT,

	.prog_type = BPF_PROG_TYPE_XDP,

},

{

	"bound check with JMP_JSLT for crossing 64-bit signed boundary",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct xdp_md, data)),

	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, offsetof(struct xdp_md, data_end)),

	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),

	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 8),



	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),

	BPF_LD_IMM64(BPF_REG_0, 0x7fffffffffffff10),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),



	BPF_LD_IMM64(BPF_REG_0, 0x8000000000000000),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),

	/* r1 signed range is [S64_MIN, S64_MAX] */

	BPF_JMP_REG(BPF_JSLT, BPF_REG_0, BPF_REG_1, -2),



	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.errstr = "BPF program is too large",

	.result = REJECT,

	.prog_type = BPF_PROG_TYPE_XDP,

},

{

	"bound check for loop upper bound greater than U32_MAX",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct xdp_md, data)),

	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, offsetof(struct xdp_md, data_end)),

	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),

	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 8),



	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),

	BPF_LD_IMM64(BPF_REG_0, 0x100000000),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),



	BPF_LD_IMM64(BPF_REG_0, 0x100000000),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),

	BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_1, -2),



	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.result = ACCEPT,

	.prog_type = BPF_PROG_TYPE_XDP,

},

{

	"bound check with JMP32_JLT for crossing 32-bit signed boundary",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct xdp_md, data)),

	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, offsetof(struct xdp_md, data_end)),

	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),

	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 6),



	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),

	BPF_MOV32_IMM(BPF_REG_0, 0x7fffff10),

	BPF_ALU32_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),



	BPF_MOV32_IMM(BPF_REG_0, 0x80000000),

	BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 1),

	/* r1 unsigned range is [0, 0x8000000f] */

	BPF_JMP32_REG(BPF_JLT, BPF_REG_0, BPF_REG_1, -2),



	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.result = ACCEPT,

	.prog_type = BPF_PROG_TYPE_XDP,

},

{

	"bound check with JMP32_JSLT for crossing 32-bit signed boundary",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct xdp_md, data)),

	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, offsetof(struct xdp_md, data_end)),

	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),

	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 6),



	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),

	BPF_MOV32_IMM(BPF_REG_0, 0x7fffff10),

	BPF_ALU32_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),



	BPF_MOV32_IMM(BPF_REG_0, 0x80000000),

	BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 1),

	/* r1 signed range is [S32_MIN, S32_MAX] */

	BPF_JMP32_REG(BPF_JSLT, BPF_REG_0, BPF_REG_1, -2),



	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.errstr = "BPF program is too large",

	.result = REJECT,

	.prog_type = BPF_PROG_TYPE_XDP,

},