From eb6c99278490a9045662cbc2df9e2a99489df37a Mon Sep 17 00:00:00 2001 From: Ihor Solodrai Date: Mon, 9 Jun 2025 11:30:23 -0700 Subject: [PATCH] selftests/bpf: Add cmp_map_pointer_with_const test Add a test for CONST_PTR_TO_MAP comparison with a non-0 constant. A BPF program with this code must not pass verification in unpriv. Signed-off-by: Ihor Solodrai Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20250609183024.359974-3-isolodrai@meta.com --- .../selftests/bpf/progs/verifier_unpriv.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c index 28200f068ce53..db52ba66e880c 100644 --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c @@ -624,7 +624,6 @@ __retval(0) __naked void cmp_map_pointer_with_zero(void) { asm volatile (" \ - r1 = 0; \ r1 = %[map_hash_8b] ll; \ if r1 == 0 goto l0_%=; \ l0_%=: r0 = 0; \ @@ -634,6 +633,22 @@ l0_%=: r0 = 0; \ : __clobber_all); } +SEC("socket") +__description("unpriv: cmp map pointer with const") +__success __failure_unpriv __msg_unpriv("R1 pointer comparison prohibited") +__retval(0) +__naked void cmp_map_pointer_with_const(void) +{ + asm volatile (" \ + r1 = %[map_hash_8b] ll; \ + if r1 == 0x0000beef goto l0_%=; \ +l0_%=: r0 = 0; \ + exit; \ +" : + : __imm_addr(map_hash_8b) + : __clobber_all); +} + SEC("socket") __description("unpriv: write into frame pointer") __failure __msg("frame pointer is read only") -- 2.47.2