1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
{
"BPF_ATOMIC_FETCH_ADD smoketest - 64bit",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
/* Write 3 to stack */
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
/* Put a 1 in R1, add it to the 3 on the stack, and load the value back into R1 */
BPF_MOV64_IMM(BPF_REG_1, 1),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
/* Check the value we loaded back was 3 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN(),
/* Load value from stack */
BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -8),
/* Check value loaded from stack was 4 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
BPF_MOV64_IMM(BPF_REG_0, 2),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
},
{
"BPF_ATOMIC_FETCH_ADD smoketest - 32bit",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
/* Write 3 to stack */
BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 3),
/* Put a 1 in R1, add it to the 3 on the stack, and load the value back into R1 */
BPF_MOV32_IMM(BPF_REG_1, 1),
BPF_ATOMIC_OP(BPF_W, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -4),
/* Check the value we loaded back was 3 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN(),
/* Load value from stack */
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -4),
/* Check value loaded from stack was 4 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
BPF_MOV64_IMM(BPF_REG_0, 2),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
},
{
"Can't use ATM_FETCH_ADD on frame pointer",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_10, -8),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr_unpriv = "R10 leaks addr into mem",
.errstr = "frame pointer is read only",
},
{
"Can't use ATM_FETCH_ADD on uninit src reg",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_2, -8),
BPF_EXIT_INSN(),
},
.result = REJECT,
/* It happens that the address leak check is first, but it would also be
* complain about the fact that we're trying to modify R10.
*/
.errstr = "!read_ok",
},
{
"Can't use ATM_FETCH_ADD on uninit dst reg",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_2, BPF_REG_0, -8),
BPF_EXIT_INSN(),
},
.result = REJECT,
/* It happens that the address leak check is first, but it would also be
* complain about the fact that we're trying to modify R10.
*/
.errstr = "!read_ok",
},
{
"Can't use ATM_FETCH_ADD on kernel memory",
.insns = {
/* This is an fentry prog, context is array of the args of the
* kernel function being called. Load first arg into R2.
*/
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 0),
/* First arg of bpf_fentry_test7 is a pointer to a struct.
* Attempt to modify that struct. Verifier shouldn't let us
* because it's kernel memory.
*/
BPF_MOV64_IMM(BPF_REG_3, 1),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_2, BPF_REG_3, 0),
/* Done */
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.prog_type = BPF_PROG_TYPE_TRACING,
.expected_attach_type = BPF_TRACE_FENTRY,
.kfunc = "bpf_fentry_test7",
.result = REJECT,
.errstr = "only read is supported",
},
|