tools/testing/selftests/bpf/progs/verifier_leak_ptr.c
Source file repositories/reference/linux-study-clean/tools/testing/selftests/bpf/progs/verifier_leak_ptr.c
File Facts
- System
- Linux kernel
- Corpus path
tools/testing/selftests/bpf/progs/verifier_leak_ptr.c- Extension
.c- Size
- 2354 bytes
- Lines
- 93
- Domain
- Support Tooling And Documentation
- Bucket
- tools
- Inferred role
- Support Tooling And Documentation: implementation source
- Status
- source implementation candidate
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/bpf.hbpf/bpf_helpers.hbpf_misc.h
Detected Declarations
function __msgfunction __msgfunction __msg_unprivfunction __msg_unpriv
Annotated Snippet
// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/leak_ptr.c */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 1);
__type(key, long long);
__type(value, long long);
} map_hash_8b SEC(".maps");
SEC("socket")
__description("leak pointer into ctx 1")
__failure __msg("BPF_ATOMIC stores into R1 ctx is not allowed")
__failure_unpriv __msg_unpriv("R2 leaks addr into mem")
__naked void leak_pointer_into_ctx_1(void)
{
asm volatile (" \
r0 = 0; \
*(u64*)(r1 + %[__sk_buff_cb_0]) = r0; \
r2 = %[map_hash_8b] ll; \
lock *(u64 *)(r1 + %[__sk_buff_cb_0]) += r2; \
exit; \
" :
: __imm_addr(map_hash_8b),
__imm_const(__sk_buff_cb_0, offsetof(struct __sk_buff, cb[0]))
: __clobber_all);
}
SEC("socket")
__description("leak pointer into ctx 2")
__failure __msg("BPF_ATOMIC stores into R1 ctx is not allowed")
__failure_unpriv __msg_unpriv("R10 leaks addr into mem")
__naked void leak_pointer_into_ctx_2(void)
{
asm volatile (" \
r0 = 0; \
*(u64*)(r1 + %[__sk_buff_cb_0]) = r0; \
lock *(u64 *)(r1 + %[__sk_buff_cb_0]) += r10; \
exit; \
" :
: __imm_const(__sk_buff_cb_0, offsetof(struct __sk_buff, cb[0]))
: __clobber_all);
}
SEC("socket")
__description("leak pointer into ctx 3")
__success __failure_unpriv __msg_unpriv("R2 leaks addr into ctx")
__retval(0)
__naked void leak_pointer_into_ctx_3(void)
{
asm volatile (" \
r0 = 0; \
r2 = %[map_hash_8b] ll; \
*(u64*)(r1 + %[__sk_buff_cb_0]) = r2; \
exit; \
" :
: __imm_addr(map_hash_8b),
__imm_const(__sk_buff_cb_0, offsetof(struct __sk_buff, cb[0]))
: __clobber_all);
}
SEC("socket")
__description("leak pointer into map val")
__success __failure_unpriv __msg_unpriv("R6 leaks addr into mem")
__retval(0)
__naked void leak_pointer_into_map_val(void)
{
asm volatile (" \
r6 = r1; \
r1 = 0; \
*(u64*)(r10 - 8) = r1; \
r2 = r10; \
r2 += -8; \
r1 = %[map_hash_8b] ll; \
call %[bpf_map_lookup_elem]; \
if r0 == 0 goto l0_%=; \
r3 = 0; \
*(u64*)(r0 + 0) = r3; \
lock *(u64 *)(r0 + 0) += r6; \
l0_%=: r0 = 0; \
exit; \
" :
: __imm(bpf_map_lookup_elem),
__imm_addr(map_hash_8b)
: __clobber_all);
}
Annotation
- Immediate include surface: `linux/bpf.h`, `bpf/bpf_helpers.h`, `bpf_misc.h`.
- Detected declarations: `function __msg`, `function __msg`, `function __msg_unpriv`, `function __msg_unpriv`.
- Atlas domain: Support Tooling And Documentation / tools.
- Implementation status: source implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.