On Wed, Apr 24, 2024 at 3:41 PM Cupertino Miranda
<cupertino.miranda@xxxxxxxxxx> wrote:
>
> Added a test for bound computation in MUL when non constant
> values are used and both registers have bounded ranges.
>
> Signed-off-by: Cupertino Miranda <cupertino.miranda@xxxxxxxxxx>
> Cc: Yonghong Song <yonghong.song@xxxxxxxxx>
> Cc: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
> Cc: David Faust <david.faust@xxxxxxxxxx>
> Cc: Jose Marchesi <jose.marchesi@xxxxxxxxxx>
> Cc: Elena Zannoni <elena.zannoni@xxxxxxxxxx>
> ---
> .../selftests/bpf/progs/verifier_bounds.c | 21 +++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> index aeb88a9c7a86..8fd7e93b112f 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
> @@ -927,6 +927,27 @@ __naked void non_const_or_src_dst(void)
> : __clobber_all);
> }
>
> +SEC("socket")
> +__description("bounds check for non const mul regs")
> +__success __log_level(2)
> +__msg("5: (2f) r0 *= r6 ; R0_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=3825,var_off=(0x0; 0xfff))")
> +__naked void non_const_mul_regs(void)
> +{
> + asm volatile (" \
> + call %[bpf_get_prandom_u32]; \
> + r6 = r0; \
> + call %[bpf_get_prandom_u32]; \
> + r6 &= 0xff; \
> + r0 &= 0x0f; \
> + r0 *= r6; \
> + exit; \
> +" :
> + : __imm(bpf_map_lookup_elem),
> + __imm_addr(map_hash_8b),
> + __imm(bpf_get_prandom_u32)
> + : __clobber_all);
> +}
> +
LGTM, but it would be a bit more interesting to have a few known bits
as well. Just setting 0x100 bit for r6 and 0x10 bit for r0 (before
multiplication) would test that tnum actually tracks those known bits
during multiplication correctly. Consider it as a follow up, I guess.
Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
> SEC("socket")
> __description("bounds checks after 32-bit truncation. test 1")
> __success __failure_unpriv __msg_unpriv("R0 leaks addr")
> --
> 2.39.2
>
>
