tools/testing/selftests/bpf/progs/verifier_map_ptr.c

Source file repositories/reference/linux-study-clean/tools/testing/selftests/bpf/progs/verifier_map_ptr.c

File Facts

System
Linux kernel
Corpus path
tools/testing/selftests/bpf/progs/verifier_map_ptr.c
Extension
.c
Size
4664 bytes
Lines
191
Domain
Support Tooling And Documentation
Bucket
tools
Inferred role
Support Tooling And Documentation: implementation source
Status
source implementation candidate

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

struct test_val {
	unsigned int index;
	int foo[MAX_ENTRIES];
};

struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__uint(max_entries, 1);
	__type(key, int);
	__type(value, struct test_val);
} map_array_48b SEC(".maps");

struct other_val {
	long long foo;
	long long bar;
};

struct {
	__uint(type, BPF_MAP_TYPE_HASH);
	__uint(max_entries, 1);
	__type(key, long long);
	__type(value, struct other_val);
} map_hash_16b SEC(".maps");

SEC("socket")
__description("bpf_map_ptr: read with negative offset rejected")
__failure __msg("R1 is bpf_array invalid negative access: off=-8")
__failure_unpriv
__msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
__naked void read_with_negative_offset_rejected(void)
{
	asm volatile ("					\
	r1 = r10;					\
	r1 = %[map_array_48b] ll;			\
	r6 = *(u64*)(r1 - 8);				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm_addr(map_array_48b)
	: __clobber_all);
}

SEC("socket")
__description("bpf_map_ptr: write rejected")
__failure __msg("only read from bpf_array is supported")
__failure_unpriv
__msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
__naked void bpf_map_ptr_write_rejected(void)
{
	asm volatile ("					\
	r0 = 0;						\
	*(u64*)(r10 - 8) = r0;				\
	r2 = r10;					\
	r2 += -8;					\
	r1 = %[map_array_48b] ll;			\
	*(u64*)(r1 + 0) = r2;				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm_addr(map_array_48b)
	: __clobber_all);
}

/*
 * struct bpf_map starts with the SHA256 hash sha[32] at offset 0 (a readable
 * byte array), the u32 excl field at offset 32, and the ops pointer at offset
 * 40. Reading a u32 at offset 41 reaches into the middle of the ops pointer,
 * i.e. a partial pointer access, which is rejected.
 */
SEC("socket")
__description("bpf_map_ptr: read non-existent field rejected")
__failure
__msg("cannot access ptr member ops with moff 40 in struct bpf_map with off 41 size 4")
__failure_unpriv
__msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
__flag(BPF_F_ANY_ALIGNMENT)
__naked void read_non_existent_field_rejected(void)
{
	asm volatile ("					\
	r6 = 0;						\
	r1 = %[map_array_48b] ll;			\
	r6 = *(u32*)(r1 + 41);				\
	r0 = 1;						\
	exit;						\
"	:
	: __imm_addr(map_array_48b)
	: __clobber_all);
}

/*

Annotation

Implementation Notes