Ensure that variable offset is handled correctly, and verifier takes both fixed and variable part into account. Also ensures that only constant var_off is allowed.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
---
 .../testing/selftests/bpf/progs/dynptr_fail.c | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/dynptr_fail.c b/tools/testing/selftests/bpf/progs/dynptr_fail.c
index 023b3c36bc78..063d351f327a 100644
--- a/tools/testing/selftests/bpf/progs/dynptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/dynptr_fail.c
@@ -794,3 +794,43 @@ int dynptr_pruning_type_confusion(struct __sk_buff *ctx)
 );
 return 0;
 }
+
+SEC("?tc")
+__failure __msg("dynptr has to be at the constant offset") __log_level(2)
+int dynptr_var_off_overwrite(struct __sk_buff *ctx)
+{
+ asm volatile (
+ "r9 = 16;"
+ "*(u32 *)(r10 - 4) = r9;"
+ "r8 = *(u32 *)(r10 - 4);"
+ "if r8 >= 0 goto vjmp1;"
+ "r0 = 1;"
+ "exit;"
+ "vjmp1:"
+ "if r8 <= 16 goto vjmp2;"
+ "r0 = 1;"
+ "exit;"
+ "vjmp2:"
+ "r8 &= 16;"
+ "r1 = %[ringbuf] ll;"
+ "r2 = 8;"
+ "r3 = 0;"
+ "r4 = r10;"
+ "r4 += -32;"
+ "r4 += r8;"
+ "call %[bpf_ringbuf_reserve_dynptr];"
+ "r9 = 0xeB9F;"
+ "*(u64 *)(r10 - 16) = r9;"
+ "r1 = r10;"
+ "r1 += -32;"
+ "r1 += r8;"
+ "r2 = 0;"
+ "call %[bpf_ringbuf_discard_dynptr];"
+ :
+ : __imm(bpf_ringbuf_reserve_dynptr),
+ __imm(bpf_ringbuf_discard_dynptr),
+ __imm_addr(ringbuf)
+ : __clobber_all
+ );
+ return 0;
+}
-- 2.39.1
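Review bot: Verification of dynptr_var_off_overwrite stops at the first rejected instruction, so everything after `call %[bpf_ringbuf_reserve_dynptr];` — the `*(u64 *)(r10 - 16) = r9` overwrite and the discard call — is never examined when the expected "dynptr has to be at the constant offset" message is produced; the "overwrite" in the test name is the scenario being guarded against, not something the test exercises. A comment above the reserve call saying so, e.g. `/* r4 = fp-32 + {0,16}: var_off is not constant, so the reserve must be rejected here; the store to fp-16 below only documents what an accepted non-constant var_off would let a program clobber */`, would keep a reader from expecting the later lines to matter. The unknown scalar in r8 also appears to rely on the u32 spill/fill of r9 through fp-4 not being tracked precisely; if the verifier ever learns to follow 32-bit spills, r8 collapses to the constant 16, `r8 &= 16` stays 16 and r4 becomes the constant fp-16, at which point the reserve is accepted and the test fails on the missing message rather than on a real regression. That dependency is worth stating in the same comment, or r8 could be sourced from a helper return value if the file already does that elsewhere.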