#include "verifier_div0.skel.h"
#include "verifier_div_mod_bounds.skel.h"
#include "verifier_div_overflow.skel.h"
+#include "verifier_flow_keys.skel.h"
#include "verifier_global_subprogs.skel.h"
#include "verifier_global_ptr_args.skel.h"
#include "verifier_gotol.skel.h"
void test_verifier_div0(void) { RUN(verifier_div0); }
void test_verifier_div_mod_bounds(void) { RUN(verifier_div_mod_bounds); }
void test_verifier_div_overflow(void) { RUN(verifier_div_overflow); }
+void test_verifier_flow_keys(void) { RUN(verifier_flow_keys); }
void test_verifier_global_subprogs(void) { RUN(verifier_global_subprogs); }
void test_verifier_global_ptr_args(void) { RUN(verifier_global_ptr_args); }
void test_verifier_gotol(void) { RUN(verifier_gotol); }
--- /dev/null
+// SPDX-License-Identifier: GPL-2.0
+/* Bounds checks for PTR_TO_FLOW_KEYS pointer arithmetic. */
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+/* sizeof(struct bpf_flow_keys) is well under 4096, so +0x1000 is OOB. */
+
+SEC("flow_dissector")
+__description("flow_keys: in-bounds constant pointer arithmetic accepted")
+__success
+__naked void flow_keys_const_inbounds(void)
+{
+ asm volatile (" \
+ r1 = *(u64 *)(r1 + %[flow_keys]); \
+ r1 += 8; \
+ r0 = *(u64 *)(r1 + 0); \
+ r0 = 0; \
+ exit; \
+" :
+ : __imm_const(flow_keys, offsetof(struct __sk_buff, flow_keys))
+ : __clobber_all);
+}
+
+SEC("flow_dissector")
+__description("flow_keys: OOB via constant pointer arithmetic rejected")
+__failure __msg("invalid access to flow keys off=4096 size=8")
+__naked void flow_keys_const_oob_read(void)
+{
+ asm volatile (" \
+ r1 = *(u64 *)(r1 + %[flow_keys]); \
+ r1 += 4096; \
+ r0 = *(u64 *)(r1 + 0); \
+ r0 = 0; \
+ exit; \
+" :
+ : __imm_const(flow_keys, offsetof(struct __sk_buff, flow_keys))
+ : __clobber_all);
+}
+
+SEC("flow_dissector")
+__description("flow_keys: OOB write via constant pointer arithmetic rejected")
+__failure __msg("invalid access to flow keys off=4096 size=8")
+__naked void flow_keys_const_oob_write(void)
+{
+ asm volatile (" \
+ r1 = *(u64 *)(r1 + %[flow_keys]); \
+ r1 += 4096; \
+ r2 = 0; \
+ *(u64 *)(r1 + 0) = r2; \
+ r0 = 0; \
+ exit; \
+" :
+ : __imm_const(flow_keys, offsetof(struct __sk_buff, flow_keys))
+ : __clobber_all);
+}
+
+/* Equivalent OOB expressed directly in insn->off; this form was always
+ * rejected and is kept to show both forms now share one diagnostic.
+ */
+SEC("flow_dissector")
+__description("flow_keys: OOB via insn->off rejected")
+__failure __msg("invalid access to flow keys off=4096 size=8")
+__naked void flow_keys_insn_off_oob(void)
+{
+ asm volatile (" \
+ r1 = *(u64 *)(r1 + %[flow_keys]); \
+ r0 = *(u64 *)(r1 + 4096); \
+ r0 = 0; \
+ exit; \
+" :
+ : __imm_const(flow_keys, offsetof(struct __sk_buff, flow_keys))
+ : __clobber_all);
+}
+
+SEC("flow_dissector")
+__description("flow_keys: variable pointer arithmetic rejected")
+__failure __msg("R1 pointer arithmetic on flow_keys prohibited")
+__naked void flow_keys_var_read(void)
+{
+ asm volatile (" \
+ r6 = r1; \
+ call %[bpf_get_prandom_u32]; \
+ r0 &= 0xFFFF; \
+ r1 = *(u64 *)(r6 + %[flow_keys]); \
+ r1 += r0; \
+ r0 = *(u64 *)(r1 + 0); \
+ r0 = 0; \
+ exit; \
+" :
+ : __imm_const(flow_keys, offsetof(struct __sk_buff, flow_keys)),
+ __imm(bpf_get_prandom_u32)
+ : __clobber_all);
+}
+
+char _license[] SEC("license") = "GPL";
projects / thirdparty / linux.git / commitdiff
