Commit a6c39de7 authored by Daniel Borkmann's avatar Daniel Borkmann
Browse files

bpf, selftests: Add test cases for pointer alu from multiple paths 



Add several test cases for checking update_alu_sanitation_state() under
multiple paths:

  # ./test_verifier
  [...]
  #1061/u map access: known scalar += value_ptr unknown vs const OK
  #1061/p map access: known scalar += value_ptr unknown vs const OK
  #1062/u map access: known scalar += value_ptr const vs unknown OK
  #1062/p map access: known scalar += value_ptr const vs unknown OK
  #1063/u map access: known scalar += value_ptr const vs const (ne) OK
  #1063/p map access: known scalar += value_ptr const vs const (ne) OK
  #1064/u map access: known scalar += value_ptr const vs const (eq) OK
  #1064/p map access: known scalar += value_ptr const vs const (eq) OK
  #1065/u map access: known scalar += value_ptr unknown vs unknown (eq) OK
  #1065/p map access: known scalar += value_ptr unknown vs unknown (eq) OK
  #1066/u map access: known scalar += value_ptr unknown vs unknown (lt) OK
  #1066/p map access: known scalar += value_ptr unknown vs unknown (lt) OK
  #1067/u map access: known scalar += value_ptr unknown vs unknown (gt) OK
  #1067/p map access: known scalar += value_ptr unknown vs unknown (gt) OK
  [...]
  Summary: 1762 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent e042aa53

tools/testing/selftests/bpf/verifier/value_ptr_arith.c

+229 −0
Original line number Diff line number Diff line 
{

	"map access: known scalar += value_ptr unknown vs const",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),

	BPF_JMP_IMM(BPF_JA, 0, 0, 1),

	BPF_MOV64_IMM(BPF_REG_1, 3),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result_unpriv = REJECT,

	.errstr_unpriv = "R1 tried to add from different maps, paths or scalars",

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr const vs unknown",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),

	BPF_MOV64_IMM(BPF_REG_1, 3),

	BPF_JMP_IMM(BPF_JA, 0, 0, 3),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result_unpriv = REJECT,

	.errstr_unpriv = "R1 tried to add from different maps, paths or scalars",

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr const vs const (ne)",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),

	BPF_MOV64_IMM(BPF_REG_1, 3),

	BPF_JMP_IMM(BPF_JA, 0, 0, 1),

	BPF_MOV64_IMM(BPF_REG_1, 5),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result_unpriv = REJECT,

	.errstr_unpriv = "R1 tried to add from different maps, paths or scalars",

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr const vs const (eq)",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),

	BPF_MOV64_IMM(BPF_REG_1, 5),

	BPF_JMP_IMM(BPF_JA, 0, 0, 1),

	BPF_MOV64_IMM(BPF_REG_1, 5),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr unknown vs unknown (eq)",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),

	BPF_JMP_IMM(BPF_JA, 0, 0, 3),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr unknown vs unknown (lt)",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3),

	BPF_JMP_IMM(BPF_JA, 0, 0, 3),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result_unpriv = REJECT,

	.errstr_unpriv = "R1 tried to add from different maps, paths or scalars",

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr unknown vs unknown (gt)",

	.insns = {

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,

		    offsetof(struct __sk_buff, len)),

	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),

	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),

	BPF_LD_MAP_FD(BPF_REG_1, 0),

	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),

	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),

	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),

	BPF_JMP_IMM(BPF_JA, 0, 0, 3),

	BPF_MOV64_IMM(BPF_REG_1, 6),

	BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),

	BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3),

	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),

	BPF_MOV64_IMM(BPF_REG_0, 1),

	BPF_EXIT_INSN(),

	},

	.fixup_map_hash_16b = { 5 },

	.fixup_map_array_48b = { 8 },

	.result_unpriv = REJECT,

	.errstr_unpriv = "R1 tried to add from different maps, paths or scalars",

	.result = ACCEPT,

	.retval = 1,

},

{

	"map access: known scalar += value_ptr from different maps",

	.insns = {