// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2022 Facebook */

/*
 * Negative tests for the BPF verifier's dynptr (struct bpf_dynptr) checks.
 *
 * Every SEC() program carries its expected outcome, using macros from
 * bpf_misc.h: __failure means the program is expected to be rejected at load
 * time, and __msg("...") names a substring expected in the verifier log.
 * The leading '?' in the section name keeps libbpf from auto-loading the
 * program, so each case can be loaded on its own.
 *
 * The cases cover reference leaks, use after release, double release,
 * out-of-bounds slice access, missing NULL checks and direct reads/writes of
 * the stack slots that hold a dynptr.
 *
 * Most helper return values are left unchecked here; the __failure programs
 * are expected to be rejected before they could ever run.
 */

#include <errno.h>
#include <string.h>
#include <stdbool.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <linux/if_ether.h>
#include "bpf_misc.h"
#include "bpf_kfuncs.h"

char _license[] SEC("license") = "GPL";

/* A struct with an embedded dynptr; value type of array_map2 and the stack
 * object used by add_dynptr_to_map2.
 */
struct test_info {
	int x;
	struct bpf_dynptr ptr;
};

/* One-element array whose value type is a bare dynptr (add_dynptr_to_map1). */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__uint(max_entries, 1);
	__type(key, __u32);
	__type(value, struct bpf_dynptr);
} array_map1 SEC(".maps");

/* One-element array whose value type embeds a dynptr (add_dynptr_to_map2). */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__uint(max_entries, 1);
	__type(key, __u32);
	__type(value, struct test_info);
} array_map2 SEC(".maps");

/* One-element __u32 array; its value is the backing memory that
 * get_map_val_dynptr() wraps in a dynptr.
 */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__uint(max_entries, 1);
	__type(key, __u32);
	__type(value, __u32);
} array_map3 SEC(".maps");

/* One-element __u64 array; referenced from the inline assembly of
 * dynptr_pruning_type_confusion.
 */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__uint(max_entries, 1);
	__type(key, __u32);
	__type(value, __u64);
} array_map4 SEC(".maps");

/* Record layout used as the ringbuf sample in several tests. */
struct sample {
	int pid;
	long value;
	char comm[16];
};

/* Ring buffer that the bpf_ringbuf_reserve_dynptr() calls below reserve from. */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 4096);
} ringbuf SEC(".maps");

/* Globals: 'val' serves as a reservation size and as the destination of test
 * reads; 'err' is not referenced in the part of the file shown here.
 */
int err, val;

/*
 * Initialise *ptr as a dynptr over the single __u32 value of array_map3.
 *
 * Writes 'val' into slot 0, looks the slot up again and wraps the returned
 * map value with bpf_dynptr_from_mem().
 *
 * Returns 0 on success, -ENOENT if the lookup returns NULL.
 *
 * The results of bpf_map_update_elem() and bpf_dynptr_from_mem() are not
 * checked, and the callers in this file ignore this function's return value
 * as well.
 */
static int get_map_val_dynptr(struct bpf_dynptr *ptr)
{
	__u32 key = 0, *map_val;

	bpf_map_update_elem(&array_map3, &key, &val, 0);

	map_val = bpf_map_lookup_elem(&array_map3, &key);
	if (!map_val)
		return -ENOENT;

	bpf_dynptr_from_mem(map_val, sizeof(*map_val), 0, ptr);

	return 0;
}

/* Every bpf_ringbuf_reserve_dynptr call must have a corresponding
 * bpf_ringbuf_submit/discard_dynptr call
 *
 * The reservation result is not checked: the helper documentation requires a
 * submit/discard on the dynptr even when the reservation fails, so there is
 * no path on which the release may be skipped.
 * NOTE(review): the id in the expected message is the verifier's reference
 * id; the exact number presumably depends on verifier internals.
 */
SEC("?raw_tp")
__failure __msg("Unreleased reference id=2")
int ringbuf_missing_release1(void *ctx)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	/* missing a call to bpf_ringbuf_discard/submit_dynptr */

	return 0;
}

/*
 * Two reservations, only one of them released on every path: ptr1 is
 * discarded or submitted on both paths, ptr2 is discarded only when the
 * slice lookup fails. The leak on the success path must be reported.
 */
SEC("?raw_tp")
__failure __msg("Unreleased reference id=4")
int ringbuf_missing_release2(void *ctx)
{
	struct bpf_dynptr ptr1, ptr2;
	struct sample *sample;

	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr1);
	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr2);

	sample = bpf_dynptr_data(&ptr1, 0, sizeof(*sample));
	if (!sample) {
		bpf_ringbuf_discard_dynptr(&ptr1, 0);
		bpf_ringbuf_discard_dynptr(&ptr2, 0);
		return 0;
	}

	bpf_ringbuf_submit_dynptr(&ptr1, 0);

	/* missing a call to bpf_ringbuf_discard/submit_dynptr on ptr2 */

	return 0;
}

/* bpf_loop() callback that reserves a ringbuf dynptr in its own frame and
 * returns without releasing it.
 */
static int missing_release_callback_fn(__u32 index, void *data)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	/* missing a call to bpf_ringbuf_discard/submit_dynptr */

	return 0;
}

/* Any ringbuf dynptr reserved within a callback must be released with
 * bpf_ringbuf_submit/discard_dynptr before the callback returns.
 * The expected message is matched without a specific reference id.
 */
SEC("?raw_tp")
__failure __msg("Unreleased reference id")
int ringbuf_missing_release_callback(void *ctx)
{
	bpf_loop(10, missing_release_callback_fn, NULL, 0);
	return 0;
}

/* Can't call bpf_ringbuf_submit/discard_dynptr on a non-initialized dynptr */
SEC("?raw_tp")
__failure __msg("arg 1 is an unacquired reference")
int ringbuf_release_uninit_dynptr(void *ctx)
{
	/* never passed to a reserve/init helper before the release below */
	struct bpf_dynptr ptr;

	/* this should fail */
	bpf_ringbuf_submit_dynptr(&ptr, 0);

	return 0;
}

/* A dynptr can't be used after it has been invalidated
 *
 * The first bpf_dynptr_read() happens while the reservation is live; the
 * second one follows the submit and takes the dynptr as its third argument,
 * which is the argument the expected message names.
 */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #3")
int use_after_invalid(void *ctx)
{
	struct bpf_dynptr ptr;
	char read_data[64];

	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(read_data), 0, &ptr);

	bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);

	bpf_ringbuf_submit_dynptr(&ptr, 0);

	/* this should fail */
	bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);

	return 0;
}

/* Can't call non-dynptr ringbuf APIs on a dynptr ringbuf sample */
SEC("?raw_tp")
__failure __msg("type=mem expected=ringbuf_mem")
int ringbuf_invalid_api(void *ctx)
{
	struct bpf_dynptr ptr;
	struct sample *sample;

	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr);
	/* 'sample' is a data slice obtained through the dynptr */
	sample = bpf_dynptr_data(&ptr, 0, sizeof(*sample));
	if (!sample)
		goto done;

	sample->pid = 123;

	/* invalid API use. need to use dynptr API to submit/discard */
	/* the expected message shows the slice typed as 'mem', while
	 * bpf_ringbuf_submit() expects 'ringbuf_mem'
	 */
	bpf_ringbuf_submit(sample, 0);

done:
	bpf_ringbuf_discard_dynptr(&ptr, 0);
	return 0;
}

/* Can't add a dynptr to a map
 *
 * The stack dynptr itself is passed as the map value, i.e. a generic helper
 * would have to read the dynptr's stack slots as plain bytes.
 */
SEC("?raw_tp")
__failure __msg("invalid indirect read from stack")
int add_dynptr_to_map1(void *ctx)
{
	struct bpf_dynptr ptr;
	int key = 0;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	/* this should fail */
	bpf_map_update_elem(&array_map1, &key, &ptr, 0);

	bpf_ringbuf_submit_dynptr(&ptr, 0);

	return 0;
}

/* Can't add a struct with an embedded dynptr to a map
 *
 * Same as add_dynptr_to_map1, except the dynptr is a member (x.ptr) of the
 * struct handed to the map helper.
 */
SEC("?raw_tp")
__failure __msg("invalid indirect read from stack")
int add_dynptr_to_map2(void *ctx)
{
	struct test_info x;
	int key = 0;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &x.ptr);

	/* this should fail */
	bpf_map_update_elem(&array_map2, &key, &x, 0);

	bpf_ringbuf_submit_dynptr(&x.ptr, 0);

	return 0;
}

/* A data slice can't be accessed out of bounds
 *
 * The slice is 8 bytes long (offsets 0..7); the read below uses offset 8,
 * one byte past the end.
 */
SEC("?raw_tp")
__failure __msg("value is outside of the allowed memory range")
int data_slice_out_of_bounds_ringbuf(void *ctx)
{
	struct bpf_dynptr ptr;
	void *data;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr);

	data = bpf_dynptr_data(&ptr, 0, 8);
	if (!data)
		goto done;

	/* can't index out of bounds of the data slice */
	val = *((char *)data + 8);

done:
	bpf_ringbuf_submit_dynptr(&ptr, 0);
	return 0;
}

/* A data slice can't be accessed out of bounds
 *
 * skb variant: the slice requested through bpf_dynptr_slice_rdwr() is
 * sizeof(struct ethhdr) bytes, and 'hdr + 1' is the first byte after it.
 */
SEC("?tc")
__failure __msg("value is outside of the allowed memory range")
int data_slice_out_of_bounds_skb(struct __sk_buff *skb)
{
	struct bpf_dynptr ptr;
	struct ethhdr *hdr;
	char buffer[sizeof(*hdr)] = {};

	bpf_dynptr_from_skb(skb, 0, &ptr);

	hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
	if (!hdr)
		return SK_DROP;

	/* this should fail */
	*(__u8*)(hdr + 1) = 1;

	return SK_PASS;
}

/*
 * Map-value variant of the out-of-bounds slice test: the slice covers
 * sizeof(map_val) bytes of the array_map3 value and the read below is at
 * offset sizeof(map_val) + 1. 'map_val' itself is only used for its size.
 */
SEC("?raw_tp")
__failure __msg("value is outside of the allowed memory range")
int data_slice_out_of_bounds_map_value(void *ctx)
{
	__u32 map_val;
	struct bpf_dynptr ptr;
	void *data;

	get_map_val_dynptr(&ptr);

	data = bpf_dynptr_data(&ptr, 0, sizeof(map_val));
	if (!data)
		return 0;

	/* can't index out of bounds of the data slice */
	val = *((char *)data + (sizeof(map_val) + 1));

	return 0;
}

/* A data slice can't be used after it has been released
 *
 * 'sample' is written while the reservation is live, then read again after
 * the dynptr has been submitted. The expected message indicates the verifier
 * treats the stale slice pointer as a plain scalar at that point.
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int data_slice_use_after_release1(void *ctx)
{
	struct bpf_dynptr ptr;
	struct sample *sample;

	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr);
	sample = bpf_dynptr_data(&ptr, 0, sizeof(*sample));
	if (!sample)
		goto done;

	sample->pid = 123;

	bpf_ringbuf_submit_dynptr(&ptr, 0);

	/* this should fail */
	val = sample->pid;

	return 0;

done:
	bpf_ringbuf_discard_dynptr(&ptr, 0);
	return 0;
}

/* A data slice can't be used after it has been released.
 *
 * This tests the case where the data slice tracks a dynptr (ptr2)
 * that is at a non-zero offset from the frame pointer (ptr1 is at fp,
 * ptr2 is at fp - 16).
 *
 * Only ptr2 has been released when the stale write happens; ptr1 is still
 * live and is submitted afterwards.
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int data_slice_use_after_release2(void *ctx)
{
	struct bpf_dynptr ptr1, ptr2;
	struct sample *sample;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr1);
	bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr2);

	sample = bpf_dynptr_data(&ptr2, 0, sizeof(*sample));
	if (!sample)
		goto done;

	sample->pid = 23;

	bpf_ringbuf_submit_dynptr(&ptr2, 0);

	/* this should fail */
	sample->pid = 23;

	bpf_ringbuf_submit_dynptr(&ptr1, 0);

	return 0;

done:
	bpf_ringbuf_discard_dynptr(&ptr2, 0);
	bpf_ringbuf_discard_dynptr(&ptr1, 0);
	return 0;
}

/* A data slice must be first checked for NULL
 *
 * The pointer returned by bpf_dynptr_data() is written through directly; the
 * expected message names its type as 'mem_or_null'.
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'mem_or_null'")
int data_slice_missing_null_check1(void *ctx)
{
	struct bpf_dynptr ptr;
	void *data;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr);

	data = bpf_dynptr_data(&ptr, 0, 8);

	/* missing if (!data) check */

	/* this should fail */
	*(__u8 *)data = 3;

	bpf_ringbuf_submit_dynptr(&ptr, 0);
	return 0;
}

/* A data slice can't be dereferenced if it wasn't checked for null
 *
 * data1 and data2 come from two separate bpf_dynptr_data() calls with the
 * same arguments. Only data1 is NULL-checked, and that check must not carry
 * over to data2.
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'mem_or_null'")
int data_slice_missing_null_check2(void *ctx)
{
	struct bpf_dynptr ptr;
	__u64 *data1, *data2;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr);

	data1 = bpf_dynptr_data(&ptr, 0, 8);
	data2 = bpf_dynptr_data(&ptr, 0, 8);
	if (data1)
		/* this should fail */
		*data2 = 3;

	bpf_ringbuf_discard_dynptr(&ptr, 0);
	return 0;
}

/* Can't pass in a dynptr as an arg to a helper function that doesn't take in a
 * dynptr argument
 *
 * Here the dynptr's address is cast to a character buffer and handed to
 * bpf_strncmp(), which would read the dynptr's stack slots as raw bytes.
 */
SEC("?raw_tp")
__failure __msg("invalid indirect read from stack")
int invalid_helper1(void *ctx)
{
	struct bpf_dynptr ptr;

	get_map_val_dynptr(&ptr);

	/* this should fail */
	bpf_strncmp((const char *)&ptr, sizeof(ptr), "hello!");

	return 0;
}

/* A dynptr can't be passed into a helper function at a non-zero offset
 *
 * The dynptr argument points 8 bytes into 'ptr' rather than at its start.
 */
SEC("?raw_tp")
__failure __msg("cannot pass in dynptr at an offset=-8")
int invalid_helper2(void *ctx)
{
	struct bpf_dynptr ptr;
	char read_data[64];

	get_map_val_dynptr(&ptr);

	/* this should fail */
	bpf_dynptr_read(read_data, sizeof(read_data), (void *)&ptr + 8, 0, 0);
	return 0;
}

/* A bpf_dynptr is invalidated if it's been written into
 *
 * A single byte is copied over the start of a dynptr created by
 * get_map_val_dynptr(); the later bpf_dynptr_data() call is the one expected
 * to be rejected.
 */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int invalid_write1(void *ctx)
{
	struct bpf_dynptr ptr;
	void *data;
	__u8 x = 0;

	get_map_val_dynptr(&ptr);

	memcpy(&ptr, &x, sizeof(x));

	/* this should fail */
	data = bpf_dynptr_data(&ptr, 0, 1);
	/* NOTE(review): __sink() comes from bpf_misc.h; presumably it keeps
	 * the compiler from dropping the otherwise unused 'data' - confirm
	 */
	__sink(data);

	return 0;
}

/*
 * A bpf_dynptr can't be used as a dynptr if it has been written into at a fixed
 * offset
 *
 * Unlike invalid_write1 the dynptr here is a ringbuf reservation, and the
 * expected message is about overwriting a referenced dynptr rather than
 * about using an uninitialised one.
 */
SEC("?raw_tp")
__failure __msg("cannot overwrite referenced dynptr")
int invalid_write2(void *ctx)
{
	struct bpf_dynptr ptr;
	char read_data[64];
	__u8 x = 0;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);

	/* one-byte store at byte offset 8 inside the dynptr */
	memcpy((void *)&ptr + 8, &x, sizeof(x));

	/* this should fail */
	bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);

	bpf_ringbuf_submit_dynptr(&ptr, 0);

	return 0;
}

/*
 * A bpf_dynptr can't be used as a dynptr if it has been written into at a
 * non-const offset
 */
SEC("?raw_tp")
__failure __msg("cannot overwrite referenced dynptr")
int invalid_write3(void *ctx)
{
	struct bpf_dynptr ptr;
	char stack_buf[16];
	unsigned long len;
	__u8 x = 0;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr);

	/* derive an offset in 0..15 from the global 'val', so the value is
	 * not a compile-time constant
	 */
	memcpy(stack_buf, &val, sizeof(val));
	len = stack_buf[0] & 0xf;

	memcpy((void *)&ptr + len, &x, sizeof(x));

	/* this should fail */
	bpf_ringbuf_submit_dynptr(&ptr, 0);

	return 0;
}

/* bpf_loop() callback that stores a __u32 through its context pointer;
 * invalid_write4 passes the address of a live dynptr as that context.
 */
static int invalid_write4_callback(__u32 index, void *data)
{
	*(__u32 *)data = 123;

	return 0;
}

/* If the dynptr is written into in a callback function, it should
 * be invalidated as a dynptr
 */
SEC("?raw_tp")
__failure __msg("cannot overwrite referenced dynptr")
int invalid_write4(void *ctx)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);

	bpf_loop(10, invalid_write4_callback, &ptr, 0);

	/* this should fail */
	bpf_ringbuf_submit_dynptr(&ptr, 0);

	return 0;
}

/* A globally-defined bpf_dynptr can't be used (it must reside on the stack).
 * The expected message contrasts the register type seen (map_value) with the
 * one required (fp).
 */
struct bpf_dynptr global_dynptr;

SEC("?raw_tp")
__failure __msg("type=map_value expected=fp")
int global(void *ctx)
{
	/* this should fail */
	bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &global_dynptr);

	bpf_ringbuf_discard_dynptr(&global_dynptr, 0);

	return 0;
}

/* A direct read should fail
 *
 * The first bytes of the dynptr's stack storage are loaded as an int instead
 * of going through a dynptr helper.
 */
SEC("?raw_tp")
__failure __msg("invalid read from stack")
int invalid_read1(void *ctx)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);

	/* this should fail */
	val = *(int *)&ptr;

	bpf_ringbuf_discard_dynptr(&ptr, 0);

	return 0;
}

/* A direct read at an offset should fail
 *
 * In this case the offset pointer (&ptr + 1 byte) is passed as the dynptr
 * argument of bpf_dynptr_read(), so the expected message is the
 * dynptr-at-an-offset one rather than a stack-read error.
 */
SEC("?raw_tp")
__failure __msg("cannot pass in dynptr at an offset")
int invalid_read2(void *ctx)
{
	struct bpf_dynptr ptr;
	char read_data[64];

	get_map_val_dynptr(&ptr);

	/* this should fail */
	bpf_dynptr_read(read_data, sizeof(read_data), (void *)&ptr + 1, 0, 0);

	return 0;
}

/* A direct read at an offset into the lower stack slot should fail
 *
 * The copy reads sizeof(val) bytes starting 8 bytes into ptr1.
 */
SEC("?raw_tp")
__failure __msg("invalid read from stack")
int invalid_read3(void *ctx)
{
	struct bpf_dynptr ptr1, ptr2;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr1);
	bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr2);

	/* this should fail */
	memcpy(&val, (void *)&ptr1 + 8, sizeof(val));

	bpf_ringbuf_discard_dynptr(&ptr1, 0);
	bpf_ringbuf_discard_dynptr(&ptr2, 0);

	return 0;
}

/* bpf_loop() callback that loads a __u32 through its context pointer;
 * invalid_read4 passes the address of a live dynptr as that context.
 */
static int invalid_read4_callback(__u32 index, void *data)
{
	/* this should fail */
	val = *(__u32 *)data;

	return 0;
}

/* A direct read within a callback function should fail */
SEC("?raw_tp")
__failure __msg("invalid read from stack")
int invalid_read4(void *ctx)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);

	bpf_loop(10, invalid_read4_callback, &ptr, 0);

	bpf_ringbuf_submit_dynptr(&ptr, 0);

	return 0;
}

/* Initializing a dynptr on an offset should fail
 *
 * '&ptr + 1' is typed pointer arithmetic, so it addresses the location one
 * whole struct bpf_dynptr past 'ptr'.
 * NOTE(review): the expected message reports offset=0, presumably because
 * that location is the frame pointer itself - confirm.
 */
SEC("?raw_tp")
__failure __msg("cannot pass in dynptr at an offset=0")
int invalid_offset(void *ctx)
{
	struct bpf_dynptr ptr;

	/* this should fail */
	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr + 1);

	bpf_ringbuf_discard_dynptr(&ptr, 0);

	return 0;
}

/* Can't release a dynptr twice */
SEC("?raw_tp")
__failure __msg("arg 1 is an unacquired reference")
int release_twice(void *ctx)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr);

	bpf_ringbuf_discard_dynptr(&ptr, 0);

	/* this second release should fail */
	bpf_ringbuf_discard_dynptr(&ptr, 0);

	return 0;
}

/* bpf_loop() callback that discards the dynptr passed in as its context. */
static int release_twice_callback_fn(__u32 index, void *data)
{
	/* this should fail */
	bpf_ringbuf_discard_dynptr(data, 0);

	return 0;
}

/* Test that releasing a dynptr twice, where one of the releases happens
 * within a callback function, fails
 *
 * The first release happens in this function; the callback then tries to
 * discard the same, already released dynptr.
 */
SEC("?raw_tp")
__failure __msg("arg 1 is an unacquired reference")
int release_twice_callback(void *ctx)
{
	struct bpf_dynptr ptr;

	bpf_ringbuf_reserve_dynptr(&ringbuf, 32, 0, &ptr);

	bpf_ringbuf_discard_dynptr(&ptr, 0);

	bpf_loop(10, release_twice_callback_fn, &ptr, 0);

	return 0;
}

/* Reject unsupported local mem types for dynptr_from_mem API
 *
 * The backing memory offered here is a stack variable, which the expected
 * message names as register type 'fp'.
 */
SEC("?raw_tp")
__failure __msg("Unsupported reg type fp for bpf_dynptr_from_mem data")
int dynptr_from_mem_invalid_api(void *ctx)
{
	struct bpf_dynptr ptr;
	int x = 0;

	/* this should fail */
	bpf_dynptr_from_mem(&x, sizeof(x), 0, &ptr);

	return 0;
}

/*
 * Hand-written BPF assembly: reserve a ringbuf dynptr at fp-16, then branch on
 * the helper's return value. The pjmp1 branch stores r9 over the first
 * 8 bytes of the dynptr's stack slot; both branches then reach pjmp2, which
 * discards the dynptr at fp-16. The store is expected to be rejected with
 * "cannot overwrite referenced dynptr".
 *
 * __log_level(2) requests the verbose verifier log.
 * NOTE(review): going by the name, the two-branch shape is there to make sure
 * state pruning at pjmp2 does not hide the overwrite - confirm.
 */
SEC("?tc")
__failure __msg("cannot overwrite referenced dynptr") __log_level(2)
int dynptr_pruning_overwrite(struct __sk_buff *ctx)
{
	asm volatile (
		"r9 = 0xeB9F;				\
		 r6 = %[ringbuf] ll;			\
		 r1 = r6;				\
		 r2 = 8;				\
		 r3 = 0;				\
		 r4 = r10;				\
		 r4 += -16;				\
		 call %[bpf_ringbuf_reserve_dynptr];	\
		 if r0 == 0 goto pjmp1;			\
		 goto pjmp2;				\
	pjmp1:						\
		 *(u64 *)(r10 - 16) = r9;		\
	pjmp2:						\
		 r1 = r10;				\
		 r1 += -16;				\
		 r2 = 0;				\
		 call %[bpf_ringbuf_discard_dynptr];	"
		:
		: __imm(bpf_ringbuf_reserve_dynptr),
		  __imm(bpf_ringbuf_discard_dynptr),
		  __imm_addr(ringbuf)
		: __clobber_all
	);
	return 0;
}

/*
 * Same program shape as dynptr_pruning_overwrite, but the stjmp1 branch only
 * executes the no-op "r9 = r9" and leaves the dynptr's stack slot untouched.
 * The program is expected to load (__success) and the level-2 verifier log is
 * expected to contain "12: safe".
 *
 * NOTE(review): counting the 64-bit immediate load of %[ringbuf] as two
 * instructions, index 12 is the first instruction after stjmp2, i.e. the
 * point where the two branches join - recheck the index if the asm is edited.
 */
SEC("?tc")
__success __msg("12: safe") __log_level(2)
int dynptr_pruning_stacksafe(struct __sk_buff *ctx)
{
	asm volatile (
		"r9 = 0xeB9F;				\
		 r6 = %[ringbuf] ll;			\
		 r1 = r6;				\
		 r2 = 8;				\
		 r3 = 0;				\
		 r4 = r10;				\
		 r4 += -16;				\
		 call %[bpf_ringbuf_reserve_dynptr];	\
		 if r0 == 0 goto stjmp1;		\
		 goto stjmp2;				\
	stjmp1:						\
		 r9 = r9;				\
	stjmp2:						\
		 r1 = r10;				\
		 r1 += -16;				\
		 r2 = 0;				\
		 call %[bpf_ringbuf_discard_dynptr];	"
		:
		: __imm(bpf_ringbuf_reserve_dynptr),
		  __imm(bpf_ringbuf_discard_dynptr),
		  __imm_addr(ringbuf)
		: __clobber_all
	);
	return 0;
}

SEC("?tc")
__failure __msg("cannot overwrite referenced dynptr") __log_level(2)
int
dynptr_pruning_type_confusion(struct __sk_buff *ctx) 75262306a36Sopenharmony_ci{ 75362306a36Sopenharmony_ci asm volatile ( 75462306a36Sopenharmony_ci "r6 = %[array_map4] ll; \ 75562306a36Sopenharmony_ci r7 = %[ringbuf] ll; \ 75662306a36Sopenharmony_ci r1 = r6; \ 75762306a36Sopenharmony_ci r2 = r10; \ 75862306a36Sopenharmony_ci r2 += -8; \ 75962306a36Sopenharmony_ci r9 = 0; \ 76062306a36Sopenharmony_ci *(u64 *)(r2 + 0) = r9; \ 76162306a36Sopenharmony_ci r3 = r10; \ 76262306a36Sopenharmony_ci r3 += -24; \ 76362306a36Sopenharmony_ci r9 = 0xeB9FeB9F; \ 76462306a36Sopenharmony_ci *(u64 *)(r10 - 16) = r9; \ 76562306a36Sopenharmony_ci *(u64 *)(r10 - 24) = r9; \ 76662306a36Sopenharmony_ci r9 = 0; \ 76762306a36Sopenharmony_ci r4 = 0; \ 76862306a36Sopenharmony_ci r8 = r2; \ 76962306a36Sopenharmony_ci call %[bpf_map_update_elem]; \ 77062306a36Sopenharmony_ci r1 = r6; \ 77162306a36Sopenharmony_ci r2 = r8; \ 77262306a36Sopenharmony_ci call %[bpf_map_lookup_elem]; \ 77362306a36Sopenharmony_ci if r0 != 0 goto tjmp1; \ 77462306a36Sopenharmony_ci exit; \ 77562306a36Sopenharmony_ci tjmp1: \ 77662306a36Sopenharmony_ci r8 = r0; \ 77762306a36Sopenharmony_ci r1 = r7; \ 77862306a36Sopenharmony_ci r2 = 8; \ 77962306a36Sopenharmony_ci r3 = 0; \ 78062306a36Sopenharmony_ci r4 = r10; \ 78162306a36Sopenharmony_ci r4 += -16; \ 78262306a36Sopenharmony_ci r0 = *(u64 *)(r0 + 0); \ 78362306a36Sopenharmony_ci call %[bpf_ringbuf_reserve_dynptr]; \ 78462306a36Sopenharmony_ci if r0 == 0 goto tjmp2; \ 78562306a36Sopenharmony_ci r8 = r8; \ 78662306a36Sopenharmony_ci r8 = r8; \ 78762306a36Sopenharmony_ci r8 = r8; \ 78862306a36Sopenharmony_ci r8 = r8; \ 78962306a36Sopenharmony_ci r8 = r8; \ 79062306a36Sopenharmony_ci r8 = r8; \ 79162306a36Sopenharmony_ci r8 = r8; \ 79262306a36Sopenharmony_ci goto tjmp3; \ 79362306a36Sopenharmony_ci tjmp2: \ 79462306a36Sopenharmony_ci *(u64 *)(r10 - 8) = r9; \ 79562306a36Sopenharmony_ci *(u64 *)(r10 - 16) = r9; \ 79662306a36Sopenharmony_ci r1 = r8; \ 
79762306a36Sopenharmony_ci r1 += 8; \ 79862306a36Sopenharmony_ci r2 = 0; \ 79962306a36Sopenharmony_ci r3 = 0; \ 80062306a36Sopenharmony_ci r4 = r10; \ 80162306a36Sopenharmony_ci r4 += -16; \ 80262306a36Sopenharmony_ci call %[bpf_dynptr_from_mem]; \ 80362306a36Sopenharmony_ci tjmp3: \ 80462306a36Sopenharmony_ci r1 = r10; \ 80562306a36Sopenharmony_ci r1 += -16; \ 80662306a36Sopenharmony_ci r2 = 0; \ 80762306a36Sopenharmony_ci call %[bpf_ringbuf_discard_dynptr]; " 80862306a36Sopenharmony_ci : 80962306a36Sopenharmony_ci : __imm(bpf_map_update_elem), 81062306a36Sopenharmony_ci __imm(bpf_map_lookup_elem), 81162306a36Sopenharmony_ci __imm(bpf_ringbuf_reserve_dynptr), 81262306a36Sopenharmony_ci __imm(bpf_dynptr_from_mem), 81362306a36Sopenharmony_ci __imm(bpf_ringbuf_discard_dynptr), 81462306a36Sopenharmony_ci __imm_addr(array_map4), 81562306a36Sopenharmony_ci __imm_addr(ringbuf) 81662306a36Sopenharmony_ci : __clobber_all 81762306a36Sopenharmony_ci ); 81862306a36Sopenharmony_ci return 0; 81962306a36Sopenharmony_ci} 82062306a36Sopenharmony_ci 82162306a36Sopenharmony_ciSEC("?tc") 82262306a36Sopenharmony_ci__failure __msg("dynptr has to be at a constant offset") __log_level(2) 82362306a36Sopenharmony_ciint dynptr_var_off_overwrite(struct __sk_buff *ctx) 82462306a36Sopenharmony_ci{ 82562306a36Sopenharmony_ci asm volatile ( 82662306a36Sopenharmony_ci "r9 = 16; \ 82762306a36Sopenharmony_ci *(u32 *)(r10 - 4) = r9; \ 82862306a36Sopenharmony_ci r8 = *(u32 *)(r10 - 4); \ 82962306a36Sopenharmony_ci if r8 >= 0 goto vjmp1; \ 83062306a36Sopenharmony_ci r0 = 1; \ 83162306a36Sopenharmony_ci exit; \ 83262306a36Sopenharmony_ci vjmp1: \ 83362306a36Sopenharmony_ci if r8 <= 16 goto vjmp2; \ 83462306a36Sopenharmony_ci r0 = 1; \ 83562306a36Sopenharmony_ci exit; \ 83662306a36Sopenharmony_ci vjmp2: \ 83762306a36Sopenharmony_ci r8 &= 16; \ 83862306a36Sopenharmony_ci r1 = %[ringbuf] ll; \ 83962306a36Sopenharmony_ci r2 = 8; \ 84062306a36Sopenharmony_ci r3 = 0; \ 84162306a36Sopenharmony_ci r4 = r10; \ 
84262306a36Sopenharmony_ci r4 += -32; \ 84362306a36Sopenharmony_ci r4 += r8; \ 84462306a36Sopenharmony_ci call %[bpf_ringbuf_reserve_dynptr]; \ 84562306a36Sopenharmony_ci r9 = 0xeB9F; \ 84662306a36Sopenharmony_ci *(u64 *)(r10 - 16) = r9; \ 84762306a36Sopenharmony_ci r1 = r10; \ 84862306a36Sopenharmony_ci r1 += -32; \ 84962306a36Sopenharmony_ci r1 += r8; \ 85062306a36Sopenharmony_ci r2 = 0; \ 85162306a36Sopenharmony_ci call %[bpf_ringbuf_discard_dynptr]; " 85262306a36Sopenharmony_ci : 85362306a36Sopenharmony_ci : __imm(bpf_ringbuf_reserve_dynptr), 85462306a36Sopenharmony_ci __imm(bpf_ringbuf_discard_dynptr), 85562306a36Sopenharmony_ci __imm_addr(ringbuf) 85662306a36Sopenharmony_ci : __clobber_all 85762306a36Sopenharmony_ci ); 85862306a36Sopenharmony_ci return 0; 85962306a36Sopenharmony_ci} 86062306a36Sopenharmony_ci 86162306a36Sopenharmony_ciSEC("?tc") 86262306a36Sopenharmony_ci__failure __msg("cannot overwrite referenced dynptr") __log_level(2) 86362306a36Sopenharmony_ciint dynptr_partial_slot_invalidate(struct __sk_buff *ctx) 86462306a36Sopenharmony_ci{ 86562306a36Sopenharmony_ci asm volatile ( 86662306a36Sopenharmony_ci "r6 = %[ringbuf] ll; \ 86762306a36Sopenharmony_ci r7 = %[array_map4] ll; \ 86862306a36Sopenharmony_ci r1 = r7; \ 86962306a36Sopenharmony_ci r2 = r10; \ 87062306a36Sopenharmony_ci r2 += -8; \ 87162306a36Sopenharmony_ci r9 = 0; \ 87262306a36Sopenharmony_ci *(u64 *)(r2 + 0) = r9; \ 87362306a36Sopenharmony_ci r3 = r2; \ 87462306a36Sopenharmony_ci r4 = 0; \ 87562306a36Sopenharmony_ci r8 = r2; \ 87662306a36Sopenharmony_ci call %[bpf_map_update_elem]; \ 87762306a36Sopenharmony_ci r1 = r7; \ 87862306a36Sopenharmony_ci r2 = r8; \ 87962306a36Sopenharmony_ci call %[bpf_map_lookup_elem]; \ 88062306a36Sopenharmony_ci if r0 != 0 goto sjmp1; \ 88162306a36Sopenharmony_ci exit; \ 88262306a36Sopenharmony_ci sjmp1: \ 88362306a36Sopenharmony_ci r7 = r0; \ 88462306a36Sopenharmony_ci r1 = r6; \ 88562306a36Sopenharmony_ci r2 = 8; \ 88662306a36Sopenharmony_ci r3 = 0; \ 
88762306a36Sopenharmony_ci r4 = r10; \ 88862306a36Sopenharmony_ci r4 += -24; \ 88962306a36Sopenharmony_ci call %[bpf_ringbuf_reserve_dynptr]; \ 89062306a36Sopenharmony_ci *(u64 *)(r10 - 16) = r9; \ 89162306a36Sopenharmony_ci r1 = r7; \ 89262306a36Sopenharmony_ci r2 = 8; \ 89362306a36Sopenharmony_ci r3 = 0; \ 89462306a36Sopenharmony_ci r4 = r10; \ 89562306a36Sopenharmony_ci r4 += -16; \ 89662306a36Sopenharmony_ci call %[bpf_dynptr_from_mem]; \ 89762306a36Sopenharmony_ci r1 = r10; \ 89862306a36Sopenharmony_ci r1 += -512; \ 89962306a36Sopenharmony_ci r2 = 488; \ 90062306a36Sopenharmony_ci r3 = r10; \ 90162306a36Sopenharmony_ci r3 += -24; \ 90262306a36Sopenharmony_ci r4 = 0; \ 90362306a36Sopenharmony_ci r5 = 0; \ 90462306a36Sopenharmony_ci call %[bpf_dynptr_read]; \ 90562306a36Sopenharmony_ci r8 = 1; \ 90662306a36Sopenharmony_ci if r0 != 0 goto sjmp2; \ 90762306a36Sopenharmony_ci r8 = 0; \ 90862306a36Sopenharmony_ci sjmp2: \ 90962306a36Sopenharmony_ci r1 = r10; \ 91062306a36Sopenharmony_ci r1 += -24; \ 91162306a36Sopenharmony_ci r2 = 0; \ 91262306a36Sopenharmony_ci call %[bpf_ringbuf_discard_dynptr]; " 91362306a36Sopenharmony_ci : 91462306a36Sopenharmony_ci : __imm(bpf_map_update_elem), 91562306a36Sopenharmony_ci __imm(bpf_map_lookup_elem), 91662306a36Sopenharmony_ci __imm(bpf_ringbuf_reserve_dynptr), 91762306a36Sopenharmony_ci __imm(bpf_ringbuf_discard_dynptr), 91862306a36Sopenharmony_ci __imm(bpf_dynptr_from_mem), 91962306a36Sopenharmony_ci __imm(bpf_dynptr_read), 92062306a36Sopenharmony_ci __imm_addr(ringbuf), 92162306a36Sopenharmony_ci __imm_addr(array_map4) 92262306a36Sopenharmony_ci : __clobber_all 92362306a36Sopenharmony_ci ); 92462306a36Sopenharmony_ci return 0; 92562306a36Sopenharmony_ci} 92662306a36Sopenharmony_ci 92762306a36Sopenharmony_ci/* Test that it is allowed to overwrite unreferenced dynptr. 
*/ 92862306a36Sopenharmony_ciSEC("?raw_tp") 92962306a36Sopenharmony_ci__success 93062306a36Sopenharmony_ciint dynptr_overwrite_unref(void *ctx) 93162306a36Sopenharmony_ci{ 93262306a36Sopenharmony_ci struct bpf_dynptr ptr; 93362306a36Sopenharmony_ci 93462306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 93562306a36Sopenharmony_ci return 0; 93662306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 93762306a36Sopenharmony_ci return 0; 93862306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 93962306a36Sopenharmony_ci return 0; 94062306a36Sopenharmony_ci 94162306a36Sopenharmony_ci return 0; 94262306a36Sopenharmony_ci} 94362306a36Sopenharmony_ci 94462306a36Sopenharmony_ci/* Test that slices are invalidated on reinitializing a dynptr. */ 94562306a36Sopenharmony_ciSEC("?raw_tp") 94662306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 94762306a36Sopenharmony_ciint dynptr_invalidate_slice_reinit(void *ctx) 94862306a36Sopenharmony_ci{ 94962306a36Sopenharmony_ci struct bpf_dynptr ptr; 95062306a36Sopenharmony_ci __u8 *p; 95162306a36Sopenharmony_ci 95262306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 95362306a36Sopenharmony_ci return 0; 95462306a36Sopenharmony_ci p = bpf_dynptr_data(&ptr, 0, 1); 95562306a36Sopenharmony_ci if (!p) 95662306a36Sopenharmony_ci return 0; 95762306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 95862306a36Sopenharmony_ci return 0; 95962306a36Sopenharmony_ci /* this should fail */ 96062306a36Sopenharmony_ci return *p; 96162306a36Sopenharmony_ci} 96262306a36Sopenharmony_ci 96362306a36Sopenharmony_ci/* Invalidation of dynptr slices on destruction of dynptr should not miss 96462306a36Sopenharmony_ci * mem_or_null pointers. 
96562306a36Sopenharmony_ci */ 96662306a36Sopenharmony_ciSEC("?raw_tp") 96762306a36Sopenharmony_ci__failure __msg("R1 type=scalar expected=percpu_ptr_") 96862306a36Sopenharmony_ciint dynptr_invalidate_slice_or_null(void *ctx) 96962306a36Sopenharmony_ci{ 97062306a36Sopenharmony_ci struct bpf_dynptr ptr; 97162306a36Sopenharmony_ci __u8 *p; 97262306a36Sopenharmony_ci 97362306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 97462306a36Sopenharmony_ci return 0; 97562306a36Sopenharmony_ci 97662306a36Sopenharmony_ci p = bpf_dynptr_data(&ptr, 0, 1); 97762306a36Sopenharmony_ci *(__u8 *)&ptr = 0; 97862306a36Sopenharmony_ci /* this should fail */ 97962306a36Sopenharmony_ci bpf_this_cpu_ptr(p); 98062306a36Sopenharmony_ci return 0; 98162306a36Sopenharmony_ci} 98262306a36Sopenharmony_ci 98362306a36Sopenharmony_ci/* Destruction of dynptr should also any slices obtained from it */ 98462306a36Sopenharmony_ciSEC("?raw_tp") 98562306a36Sopenharmony_ci__failure __msg("R7 invalid mem access 'scalar'") 98662306a36Sopenharmony_ciint dynptr_invalidate_slice_failure(void *ctx) 98762306a36Sopenharmony_ci{ 98862306a36Sopenharmony_ci struct bpf_dynptr ptr1; 98962306a36Sopenharmony_ci struct bpf_dynptr ptr2; 99062306a36Sopenharmony_ci __u8 *p1, *p2; 99162306a36Sopenharmony_ci 99262306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr1)) 99362306a36Sopenharmony_ci return 0; 99462306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr2)) 99562306a36Sopenharmony_ci return 0; 99662306a36Sopenharmony_ci 99762306a36Sopenharmony_ci p1 = bpf_dynptr_data(&ptr1, 0, 1); 99862306a36Sopenharmony_ci if (!p1) 99962306a36Sopenharmony_ci return 0; 100062306a36Sopenharmony_ci p2 = bpf_dynptr_data(&ptr2, 0, 1); 100162306a36Sopenharmony_ci if (!p2) 100262306a36Sopenharmony_ci return 0; 100362306a36Sopenharmony_ci 100462306a36Sopenharmony_ci *(__u8 *)&ptr1 = 0; 100562306a36Sopenharmony_ci /* this should fail */ 100662306a36Sopenharmony_ci return *p1; 100762306a36Sopenharmony_ci} 100862306a36Sopenharmony_ci 
100962306a36Sopenharmony_ci/* Invalidation of slices should be scoped and should not prevent dereferencing 101062306a36Sopenharmony_ci * slices of another dynptr after destroying unrelated dynptr 101162306a36Sopenharmony_ci */ 101262306a36Sopenharmony_ciSEC("?raw_tp") 101362306a36Sopenharmony_ci__success 101462306a36Sopenharmony_ciint dynptr_invalidate_slice_success(void *ctx) 101562306a36Sopenharmony_ci{ 101662306a36Sopenharmony_ci struct bpf_dynptr ptr1; 101762306a36Sopenharmony_ci struct bpf_dynptr ptr2; 101862306a36Sopenharmony_ci __u8 *p1, *p2; 101962306a36Sopenharmony_ci 102062306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr1)) 102162306a36Sopenharmony_ci return 1; 102262306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr2)) 102362306a36Sopenharmony_ci return 1; 102462306a36Sopenharmony_ci 102562306a36Sopenharmony_ci p1 = bpf_dynptr_data(&ptr1, 0, 1); 102662306a36Sopenharmony_ci if (!p1) 102762306a36Sopenharmony_ci return 1; 102862306a36Sopenharmony_ci p2 = bpf_dynptr_data(&ptr2, 0, 1); 102962306a36Sopenharmony_ci if (!p2) 103062306a36Sopenharmony_ci return 1; 103162306a36Sopenharmony_ci 103262306a36Sopenharmony_ci *(__u8 *)&ptr1 = 0; 103362306a36Sopenharmony_ci return *p2; 103462306a36Sopenharmony_ci} 103562306a36Sopenharmony_ci 103662306a36Sopenharmony_ci/* Overwriting referenced dynptr should be rejected */ 103762306a36Sopenharmony_ciSEC("?raw_tp") 103862306a36Sopenharmony_ci__failure __msg("cannot overwrite referenced dynptr") 103962306a36Sopenharmony_ciint dynptr_overwrite_ref(void *ctx) 104062306a36Sopenharmony_ci{ 104162306a36Sopenharmony_ci struct bpf_dynptr ptr; 104262306a36Sopenharmony_ci 104362306a36Sopenharmony_ci bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr); 104462306a36Sopenharmony_ci /* this should fail */ 104562306a36Sopenharmony_ci if (get_map_val_dynptr(&ptr)) 104662306a36Sopenharmony_ci bpf_ringbuf_discard_dynptr(&ptr, 0); 104762306a36Sopenharmony_ci return 0; 104862306a36Sopenharmony_ci} 104962306a36Sopenharmony_ci 
105062306a36Sopenharmony_ci/* Reject writes to dynptr slot from bpf_dynptr_read */ 105162306a36Sopenharmony_ciSEC("?raw_tp") 105262306a36Sopenharmony_ci__failure __msg("potential write to dynptr at off=-16") 105362306a36Sopenharmony_ciint dynptr_read_into_slot(void *ctx) 105462306a36Sopenharmony_ci{ 105562306a36Sopenharmony_ci union { 105662306a36Sopenharmony_ci struct { 105762306a36Sopenharmony_ci char _pad[48]; 105862306a36Sopenharmony_ci struct bpf_dynptr ptr; 105962306a36Sopenharmony_ci }; 106062306a36Sopenharmony_ci char buf[64]; 106162306a36Sopenharmony_ci } data; 106262306a36Sopenharmony_ci 106362306a36Sopenharmony_ci bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &data.ptr); 106462306a36Sopenharmony_ci /* this should fail */ 106562306a36Sopenharmony_ci bpf_dynptr_read(data.buf, sizeof(data.buf), &data.ptr, 0, 0); 106662306a36Sopenharmony_ci 106762306a36Sopenharmony_ci return 0; 106862306a36Sopenharmony_ci} 106962306a36Sopenharmony_ci 107062306a36Sopenharmony_ci/* bpf_dynptr_slice()s are read-only and cannot be written to */ 107162306a36Sopenharmony_ciSEC("?tc") 107262306a36Sopenharmony_ci__failure __msg("R0 cannot write into rdonly_mem") 107362306a36Sopenharmony_ciint skb_invalid_slice_write(struct __sk_buff *skb) 107462306a36Sopenharmony_ci{ 107562306a36Sopenharmony_ci struct bpf_dynptr ptr; 107662306a36Sopenharmony_ci struct ethhdr *hdr; 107762306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 107862306a36Sopenharmony_ci 107962306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 108062306a36Sopenharmony_ci 108162306a36Sopenharmony_ci hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 108262306a36Sopenharmony_ci if (!hdr) 108362306a36Sopenharmony_ci return SK_DROP; 108462306a36Sopenharmony_ci 108562306a36Sopenharmony_ci /* this should fail */ 108662306a36Sopenharmony_ci hdr->h_proto = 1; 108762306a36Sopenharmony_ci 108862306a36Sopenharmony_ci return SK_PASS; 108962306a36Sopenharmony_ci} 109062306a36Sopenharmony_ci 109162306a36Sopenharmony_ci/* 
The read-only data slice is invalidated whenever a helper changes packet data */ 109262306a36Sopenharmony_ciSEC("?tc") 109362306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 109462306a36Sopenharmony_ciint skb_invalid_data_slice1(struct __sk_buff *skb) 109562306a36Sopenharmony_ci{ 109662306a36Sopenharmony_ci struct bpf_dynptr ptr; 109762306a36Sopenharmony_ci struct ethhdr *hdr; 109862306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 109962306a36Sopenharmony_ci 110062306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 110162306a36Sopenharmony_ci 110262306a36Sopenharmony_ci hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 110362306a36Sopenharmony_ci if (!hdr) 110462306a36Sopenharmony_ci return SK_DROP; 110562306a36Sopenharmony_ci 110662306a36Sopenharmony_ci val = hdr->h_proto; 110762306a36Sopenharmony_ci 110862306a36Sopenharmony_ci if (bpf_skb_pull_data(skb, skb->len)) 110962306a36Sopenharmony_ci return SK_DROP; 111062306a36Sopenharmony_ci 111162306a36Sopenharmony_ci /* this should fail */ 111262306a36Sopenharmony_ci val = hdr->h_proto; 111362306a36Sopenharmony_ci 111462306a36Sopenharmony_ci return SK_PASS; 111562306a36Sopenharmony_ci} 111662306a36Sopenharmony_ci 111762306a36Sopenharmony_ci/* The read-write data slice is invalidated whenever a helper changes packet data */ 111862306a36Sopenharmony_ciSEC("?tc") 111962306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 112062306a36Sopenharmony_ciint skb_invalid_data_slice2(struct __sk_buff *skb) 112162306a36Sopenharmony_ci{ 112262306a36Sopenharmony_ci struct bpf_dynptr ptr; 112362306a36Sopenharmony_ci struct ethhdr *hdr; 112462306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 112562306a36Sopenharmony_ci 112662306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 112762306a36Sopenharmony_ci 112862306a36Sopenharmony_ci hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 112962306a36Sopenharmony_ci if (!hdr) 113062306a36Sopenharmony_ci return SK_DROP; 
113162306a36Sopenharmony_ci 113262306a36Sopenharmony_ci hdr->h_proto = 123; 113362306a36Sopenharmony_ci 113462306a36Sopenharmony_ci if (bpf_skb_pull_data(skb, skb->len)) 113562306a36Sopenharmony_ci return SK_DROP; 113662306a36Sopenharmony_ci 113762306a36Sopenharmony_ci /* this should fail */ 113862306a36Sopenharmony_ci hdr->h_proto = 1; 113962306a36Sopenharmony_ci 114062306a36Sopenharmony_ci return SK_PASS; 114162306a36Sopenharmony_ci} 114262306a36Sopenharmony_ci 114362306a36Sopenharmony_ci/* The read-only data slice is invalidated whenever bpf_dynptr_write() is called */ 114462306a36Sopenharmony_ciSEC("?tc") 114562306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 114662306a36Sopenharmony_ciint skb_invalid_data_slice3(struct __sk_buff *skb) 114762306a36Sopenharmony_ci{ 114862306a36Sopenharmony_ci char write_data[64] = "hello there, world!!"; 114962306a36Sopenharmony_ci struct bpf_dynptr ptr; 115062306a36Sopenharmony_ci struct ethhdr *hdr; 115162306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 115262306a36Sopenharmony_ci 115362306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 115462306a36Sopenharmony_ci 115562306a36Sopenharmony_ci hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 115662306a36Sopenharmony_ci if (!hdr) 115762306a36Sopenharmony_ci return SK_DROP; 115862306a36Sopenharmony_ci 115962306a36Sopenharmony_ci val = hdr->h_proto; 116062306a36Sopenharmony_ci 116162306a36Sopenharmony_ci bpf_dynptr_write(&ptr, 0, write_data, sizeof(write_data), 0); 116262306a36Sopenharmony_ci 116362306a36Sopenharmony_ci /* this should fail */ 116462306a36Sopenharmony_ci val = hdr->h_proto; 116562306a36Sopenharmony_ci 116662306a36Sopenharmony_ci return SK_PASS; 116762306a36Sopenharmony_ci} 116862306a36Sopenharmony_ci 116962306a36Sopenharmony_ci/* The read-write data slice is invalidated whenever bpf_dynptr_write() is called */ 117062306a36Sopenharmony_ciSEC("?tc") 117162306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 
117262306a36Sopenharmony_ciint skb_invalid_data_slice4(struct __sk_buff *skb) 117362306a36Sopenharmony_ci{ 117462306a36Sopenharmony_ci char write_data[64] = "hello there, world!!"; 117562306a36Sopenharmony_ci struct bpf_dynptr ptr; 117662306a36Sopenharmony_ci struct ethhdr *hdr; 117762306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 117862306a36Sopenharmony_ci 117962306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 118062306a36Sopenharmony_ci hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 118162306a36Sopenharmony_ci if (!hdr) 118262306a36Sopenharmony_ci return SK_DROP; 118362306a36Sopenharmony_ci 118462306a36Sopenharmony_ci hdr->h_proto = 123; 118562306a36Sopenharmony_ci 118662306a36Sopenharmony_ci bpf_dynptr_write(&ptr, 0, write_data, sizeof(write_data), 0); 118762306a36Sopenharmony_ci 118862306a36Sopenharmony_ci /* this should fail */ 118962306a36Sopenharmony_ci hdr->h_proto = 1; 119062306a36Sopenharmony_ci 119162306a36Sopenharmony_ci return SK_PASS; 119262306a36Sopenharmony_ci} 119362306a36Sopenharmony_ci 119462306a36Sopenharmony_ci/* The read-only data slice is invalidated whenever a helper changes packet data */ 119562306a36Sopenharmony_ciSEC("?xdp") 119662306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 119762306a36Sopenharmony_ciint xdp_invalid_data_slice1(struct xdp_md *xdp) 119862306a36Sopenharmony_ci{ 119962306a36Sopenharmony_ci struct bpf_dynptr ptr; 120062306a36Sopenharmony_ci struct ethhdr *hdr; 120162306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 120262306a36Sopenharmony_ci 120362306a36Sopenharmony_ci bpf_dynptr_from_xdp(xdp, 0, &ptr); 120462306a36Sopenharmony_ci hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer)); 120562306a36Sopenharmony_ci if (!hdr) 120662306a36Sopenharmony_ci return SK_DROP; 120762306a36Sopenharmony_ci 120862306a36Sopenharmony_ci val = hdr->h_proto; 120962306a36Sopenharmony_ci 121062306a36Sopenharmony_ci if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr))) 
121162306a36Sopenharmony_ci return XDP_DROP; 121262306a36Sopenharmony_ci 121362306a36Sopenharmony_ci /* this should fail */ 121462306a36Sopenharmony_ci val = hdr->h_proto; 121562306a36Sopenharmony_ci 121662306a36Sopenharmony_ci return XDP_PASS; 121762306a36Sopenharmony_ci} 121862306a36Sopenharmony_ci 121962306a36Sopenharmony_ci/* The read-write data slice is invalidated whenever a helper changes packet data */ 122062306a36Sopenharmony_ciSEC("?xdp") 122162306a36Sopenharmony_ci__failure __msg("invalid mem access 'scalar'") 122262306a36Sopenharmony_ciint xdp_invalid_data_slice2(struct xdp_md *xdp) 122362306a36Sopenharmony_ci{ 122462306a36Sopenharmony_ci struct bpf_dynptr ptr; 122562306a36Sopenharmony_ci struct ethhdr *hdr; 122662306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 122762306a36Sopenharmony_ci 122862306a36Sopenharmony_ci bpf_dynptr_from_xdp(xdp, 0, &ptr); 122962306a36Sopenharmony_ci hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer)); 123062306a36Sopenharmony_ci if (!hdr) 123162306a36Sopenharmony_ci return SK_DROP; 123262306a36Sopenharmony_ci 123362306a36Sopenharmony_ci hdr->h_proto = 9; 123462306a36Sopenharmony_ci 123562306a36Sopenharmony_ci if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr))) 123662306a36Sopenharmony_ci return XDP_DROP; 123762306a36Sopenharmony_ci 123862306a36Sopenharmony_ci /* this should fail */ 123962306a36Sopenharmony_ci hdr->h_proto = 1; 124062306a36Sopenharmony_ci 124162306a36Sopenharmony_ci return XDP_PASS; 124262306a36Sopenharmony_ci} 124362306a36Sopenharmony_ci 124462306a36Sopenharmony_ci/* Only supported prog type can create skb-type dynptrs */ 124562306a36Sopenharmony_ciSEC("?raw_tp") 124662306a36Sopenharmony_ci__failure __msg("calling kernel function bpf_dynptr_from_skb is not allowed") 124762306a36Sopenharmony_ciint skb_invalid_ctx(void *ctx) 124862306a36Sopenharmony_ci{ 124962306a36Sopenharmony_ci struct bpf_dynptr ptr; 125062306a36Sopenharmony_ci 125162306a36Sopenharmony_ci /* this should fail */ 
125262306a36Sopenharmony_ci bpf_dynptr_from_skb(ctx, 0, &ptr); 125362306a36Sopenharmony_ci 125462306a36Sopenharmony_ci return 0; 125562306a36Sopenharmony_ci} 125662306a36Sopenharmony_ci 125762306a36Sopenharmony_ci/* Reject writes to dynptr slot for uninit arg */ 125862306a36Sopenharmony_ciSEC("?raw_tp") 125962306a36Sopenharmony_ci__failure __msg("potential write to dynptr at off=-16") 126062306a36Sopenharmony_ciint uninit_write_into_slot(void *ctx) 126162306a36Sopenharmony_ci{ 126262306a36Sopenharmony_ci struct { 126362306a36Sopenharmony_ci char buf[64]; 126462306a36Sopenharmony_ci struct bpf_dynptr ptr; 126562306a36Sopenharmony_ci } data; 126662306a36Sopenharmony_ci 126762306a36Sopenharmony_ci bpf_ringbuf_reserve_dynptr(&ringbuf, 80, 0, &data.ptr); 126862306a36Sopenharmony_ci /* this should fail */ 126962306a36Sopenharmony_ci bpf_get_current_comm(data.buf, 80); 127062306a36Sopenharmony_ci 127162306a36Sopenharmony_ci return 0; 127262306a36Sopenharmony_ci} 127362306a36Sopenharmony_ci 127462306a36Sopenharmony_ci/* Only supported prog type can create xdp-type dynptrs */ 127562306a36Sopenharmony_ciSEC("?raw_tp") 127662306a36Sopenharmony_ci__failure __msg("calling kernel function bpf_dynptr_from_xdp is not allowed") 127762306a36Sopenharmony_ciint xdp_invalid_ctx(void *ctx) 127862306a36Sopenharmony_ci{ 127962306a36Sopenharmony_ci struct bpf_dynptr ptr; 128062306a36Sopenharmony_ci 128162306a36Sopenharmony_ci /* this should fail */ 128262306a36Sopenharmony_ci bpf_dynptr_from_xdp(ctx, 0, &ptr); 128362306a36Sopenharmony_ci 128462306a36Sopenharmony_ci return 0; 128562306a36Sopenharmony_ci} 128662306a36Sopenharmony_ci 128762306a36Sopenharmony_ci__u32 hdr_size = sizeof(struct ethhdr); 128862306a36Sopenharmony_ci/* Can't pass in variable-sized len to bpf_dynptr_slice */ 128962306a36Sopenharmony_ciSEC("?tc") 129062306a36Sopenharmony_ci__failure __msg("unbounded memory access") 129162306a36Sopenharmony_ciint dynptr_slice_var_len1(struct __sk_buff *skb) 129262306a36Sopenharmony_ci{ 
129362306a36Sopenharmony_ci struct bpf_dynptr ptr; 129462306a36Sopenharmony_ci struct ethhdr *hdr; 129562306a36Sopenharmony_ci char buffer[sizeof(*hdr)] = {}; 129662306a36Sopenharmony_ci 129762306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 129862306a36Sopenharmony_ci 129962306a36Sopenharmony_ci /* this should fail */ 130062306a36Sopenharmony_ci hdr = bpf_dynptr_slice(&ptr, 0, buffer, hdr_size); 130162306a36Sopenharmony_ci if (!hdr) 130262306a36Sopenharmony_ci return SK_DROP; 130362306a36Sopenharmony_ci 130462306a36Sopenharmony_ci return SK_PASS; 130562306a36Sopenharmony_ci} 130662306a36Sopenharmony_ci 130762306a36Sopenharmony_ci/* Can't pass in variable-sized len to bpf_dynptr_slice */ 130862306a36Sopenharmony_ciSEC("?tc") 130962306a36Sopenharmony_ci__failure __msg("must be a known constant") 131062306a36Sopenharmony_ciint dynptr_slice_var_len2(struct __sk_buff *skb) 131162306a36Sopenharmony_ci{ 131262306a36Sopenharmony_ci char buffer[sizeof(struct ethhdr)] = {}; 131362306a36Sopenharmony_ci struct bpf_dynptr ptr; 131462306a36Sopenharmony_ci struct ethhdr *hdr; 131562306a36Sopenharmony_ci 131662306a36Sopenharmony_ci bpf_dynptr_from_skb(skb, 0, &ptr); 131762306a36Sopenharmony_ci 131862306a36Sopenharmony_ci if (hdr_size <= sizeof(buffer)) { 131962306a36Sopenharmony_ci /* this should fail */ 132062306a36Sopenharmony_ci hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, hdr_size); 132162306a36Sopenharmony_ci if (!hdr) 132262306a36Sopenharmony_ci return SK_DROP; 132362306a36Sopenharmony_ci hdr->h_proto = 12; 132462306a36Sopenharmony_ci } 132562306a36Sopenharmony_ci 132662306a36Sopenharmony_ci return SK_PASS; 132762306a36Sopenharmony_ci} 132862306a36Sopenharmony_ci 132962306a36Sopenharmony_cistatic int callback(__u32 index, void *data) 133062306a36Sopenharmony_ci{ 133162306a36Sopenharmony_ci *(__u32 *)data = 123; 133262306a36Sopenharmony_ci 133362306a36Sopenharmony_ci return 0; 133462306a36Sopenharmony_ci} 133562306a36Sopenharmony_ci 133662306a36Sopenharmony_ci/* If 
the dynptr is written into in a callback function, its data
 * slices should be invalidated as well.
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int invalid_data_slices(void *ctx)
{
	struct bpf_dynptr ptr;
	__u32 *slice;

	if (get_map_val_dynptr(&ptr))
		return 0;

	/* Take the slice BEFORE the callback runs, so the pointer predates
	 * whatever the callback does to the dynptr.
	 */
	slice = bpf_dynptr_data(&ptr, 0, sizeof(__u32));
	if (!slice)
		return 0;

	/* &ptr is handed to the callback as its context argument; the
	 * callback itself is defined outside this part of the file.
	 */
	bpf_loop(10, callback, &ptr, 0);

	/* this should fail: the expected log text says the verifier sees
	 * the stale slice as a scalar, not as a pointer, at this store
	 */
	*slice = 1;

	return 0;
}

/* Program types that don't allow writes to packet data should fail if
 * bpf_dynptr_slice_rdwr is called
 *
 * NOTE(review): unlike the neighbouring programs, this section name has no
 * leading '?' -- confirm that this is intentional.
 */
SEC("cgroup_skb/ingress")
__failure __msg("the prog does not allow writes to packet data")
int invalid_slice_rdwr_rdonly(struct __sk_buff *skb)
{
	char buffer[sizeof(struct ethhdr)] = {};
	struct bpf_dynptr ptr;
	struct ethhdr *hdr;

	bpf_dynptr_from_skb(skb, 0, &ptr);

	/* this should fail since cgroup_skb doesn't allow
	 * changing packet data
	 */
	hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
	/* presumably keeps hdr live so the call above is not optimised out */
	__sink(hdr);

	return 0;
}

/* bpf_dynptr_adjust can only be called on initialized dynptrs */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_adjust_invalid(void *ctx)
{
	/* deliberately left uninitialized: no dynptr constructor is called */
	struct bpf_dynptr ptr;

	/* this should fail */
	bpf_dynptr_adjust(&ptr, 1, 2);

	return 0;
}

/* bpf_dynptr_is_null can only be called on initialized dynptrs */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_is_null_invalid(void *ctx)
{
	/* deliberately left uninitialized: no dynptr constructor is called */
	struct bpf_dynptr ptr;

	/* this should fail */
	bpf_dynptr_is_null(&ptr);

	return 0;
}

/* bpf_dynptr_is_rdonly can only be called on initialized dynptrs */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_is_rdonly_invalid(void *ctx)
{
	/* deliberately left uninitialized: no dynptr constructor is called */
	struct bpf_dynptr ptr;

	/* this should fail */
	bpf_dynptr_is_rdonly(&ptr);

	return 0;
}

/* bpf_dynptr_size can only be called on initialized dynptrs */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int dynptr_size_invalid(void *ctx)
{
	/* deliberately left uninitialized: no dynptr constructor is called */
	struct bpf_dynptr ptr;

	/* this should fail */
	bpf_dynptr_size(&ptr);

	return 0;
}

/* Only initialized dynptrs can be cloned */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #1")
int clone_invalid1(void *ctx)
{
	/* ptr1 is the clone source (arg #1) and is never initialized */
	struct bpf_dynptr ptr1;
	struct bpf_dynptr ptr2;

	/* this should fail */
	bpf_dynptr_clone(&ptr1, &ptr2);

	return 0;
}

/* Can't overwrite an existing dynptr when cloning */
SEC("?xdp")
__failure __msg("cannot overwrite referenced dynptr")
int clone_invalid2(struct xdp_md *xdp)
{
	struct bpf_dynptr ptr1;
	struct bpf_dynptr clone;

	bpf_dynptr_from_xdp(xdp, 0, &ptr1);

	/* 'clone' now holds a live ringbuf reservation (return value is
	 * not checked here)
	 */
	bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &clone);

	/* this should fail: the clone destination already holds the
	 * reservation made above, and overwriting it would lose that
	 * reference
	 */
	bpf_dynptr_clone(&ptr1, &clone);

	/* presumably here so that the reservation is released and the
	 * overwrite is the only thing left for the verifier to reject
	 */
	bpf_ringbuf_submit_dynptr(&clone, 0);

	return 0;
}

/* Invalidating a dynptr should invalidate its clones */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #3")
int clone_invalidate1(void *ctx)
{
	struct bpf_dynptr clone;
	struct bpf_dynptr ptr;
	char read_data[64];

	/* reservation size comes from the global 'val'; the return value
	 * is not checked
	 */
	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	bpf_dynptr_clone(&ptr, &clone);

	/* submitting the parent releases the reservation it shares with
	 * the clone
	 */
	bpf_ringbuf_submit_dynptr(&ptr, 0);

	/* this should fail: the dynptr is the third argument of
	 * bpf_dynptr_read, hence "arg #3" in the expected message
	 */
	bpf_dynptr_read(read_data, sizeof(read_data), &clone, 0, 0);

	return 0;
}

/* Invalidating a dynptr should invalidate its parent */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #3")
int clone_invalidate2(void *ctx)
{
	struct bpf_dynptr ptr;
	struct bpf_dynptr clone;
	char read_data[64];

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	bpf_dynptr_clone(&ptr, &clone);

	/* mirror image of clone_invalidate1: release through the clone,
	 * then read through the parent
	 */
	bpf_ringbuf_submit_dynptr(&clone, 0);

	/* this should fail */
	bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);

	return 0;
}

/* Invalidating a dynptr should invalidate its siblings */
SEC("?raw_tp")
__failure __msg("Expected an initialized dynptr as arg #3")
int clone_invalidate3(void *ctx)
{
	struct bpf_dynptr ptr;
	struct bpf_dynptr clone1;
	struct bpf_dynptr clone2;
	char read_data[64];

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	/* two clones of the same parent */
	bpf_dynptr_clone(&ptr, &clone1);

	bpf_dynptr_clone(&ptr, &clone2);

	/* release through one clone ... */
	bpf_ringbuf_submit_dynptr(&clone2, 0);

	/* this should fail: ... then read through the other clone */
	bpf_dynptr_read(read_data, sizeof(read_data), &clone1, 0, 0);

	return 0;
}

/* Invalidating a dynptr should invalidate any data slices
 * of its clones
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int clone_invalidate4(void *ctx)
{
	struct bpf_dynptr ptr;
	struct bpf_dynptr clone;
	int *data;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	bpf_dynptr_clone(&ptr, &clone);
	/* slice is taken from the clone, not from the parent */
	data = bpf_dynptr_data(&clone, 0, sizeof(val));
	if (!data)
		return 0;

	/* release through the parent while the clone's slice is held */
	bpf_ringbuf_submit_dynptr(&ptr, 0);

	/* this should fail: a store through the slice after the submit
	 * would touch memory the program no longer owns
	 */
	*data = 123;

	return 0;
}

/* Invalidating a dynptr should invalidate any data slices
 * of its parent
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int clone_invalidate5(void *ctx)
{
	struct bpf_dynptr ptr;
	struct bpf_dynptr clone;
	int *data;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
	/* slice is taken from the parent, before the clone exists */
	data = bpf_dynptr_data(&ptr, 0, sizeof(val));
	if (!data)
		return 0;

	bpf_dynptr_clone(&ptr, &clone);

	/* release through the clone while the parent's slice is held */
	bpf_ringbuf_submit_dynptr(&clone, 0);

	/* this should fail */
	*data = 123;

	return 0;
}

/* Invalidating a dynptr should invalidate any data slices
 * of its sibling
 */
SEC("?raw_tp")
__failure __msg("invalid mem access 'scalar'")
int clone_invalidate6(void *ctx)
{
	struct bpf_dynptr ptr;
	struct bpf_dynptr clone1;
	struct bpf_dynptr clone2;
	int *data;

	bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);

	bpf_dynptr_clone(&ptr, &clone1);

	bpf_dynptr_clone(&ptr, &clone2);

	/* slice is taken from clone1 ... */
	data = bpf_dynptr_data(&clone1, 0, sizeof(val));
	if (!data)
		return 0;

	/* ... and the reservation is released through clone2 */
	bpf_ringbuf_submit_dynptr(&clone2, 0);

	/* this should fail */
	*data = 123;

	return 0;
}

/* A skb clone's data slices should be invalid anytime packet data changes */
SEC("?tc")
__failure __msg("invalid mem access 'scalar'")
int clone_skb_packet_data(struct __sk_buff *skb)
{
	char buffer[sizeof(__u32)] = {};
	struct bpf_dynptr clone;
	struct bpf_dynptr ptr;
	__u32 *data;

	bpf_dynptr_from_skb(skb, 0, &ptr);

	bpf_dynptr_clone(&ptr, &clone);
	/* slice is taken through the clone of the skb dynptr */
	data = bpf_dynptr_slice_rdwr(&clone, 0, buffer, sizeof(buffer));
	if (!data)
		/* NOTE(review): XDP_DROP here and SK_DROP below are named
		 * for other program types although the section is tc; the
		 * program is expected to be rejected at load, so they are
		 * never returned -- TC_ACT_* would read more clearly
		 */
		return XDP_DROP;

	/* the packet-data change the test relies on: it happens after the
	 * slice was taken
	 */
	if (bpf_skb_pull_data(skb, skb->len))
		return SK_DROP;

	/* this should fail */
	*data = 123;

	return 0;
}

/* A xdp clone's data slices should be invalid anytime packet data changes */
SEC("?xdp")
__failure __msg("invalid mem access 'scalar'")
int clone_xdp_packet_data(struct xdp_md *xdp)
{
	char buffer[sizeof(__u32)] = {};
	struct bpf_dynptr clone;
	struct bpf_dynptr ptr;
	/* hdr is only used as the operand of sizeof below */
	struct ethhdr *hdr;
	__u32 *data;

	bpf_dynptr_from_xdp(xdp, 0, &ptr);

	bpf_dynptr_clone(&ptr, &clone);
	/* slice is taken through the clone of the xdp dynptr */
	data = bpf_dynptr_slice_rdwr(&clone, 0, buffer, sizeof(buffer));
	if (!data)
		return XDP_DROP;

	/* the packet-data change the test relies on: the head is adjusted
	 * by minus sizeof(struct ethhdr) after the slice was taken
	 */
	if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr)))
		return XDP_DROP;

	/* this should fail */
	*data = 123;

	return 0;
}

/* Buffers that are provided must be sufficiently long */
SEC("?cgroup_skb/egress")
__failure __msg("memory, len pair leads to invalid memory access")
int test_dynptr_skb_small_buff(struct __sk_buff *skb)
{
	struct bpf_dynptr ptr;
	char buffer[8] = {};
	__u64 *data;

	if (bpf_dynptr_from_skb(skb, 0, &ptr)) {
		err = 1;
		return 1;
	}

	/* This may return NULL. SKB may require a buffer */
	/* The requested length (9) is one byte larger than buffer (8 bytes);
	 * that mismatch is what the verifier is expected to reject.
	 */
	data = bpf_dynptr_slice(&ptr, 0, buffer, 9);

	return !!data;
}