Add a verifier test for scalar += rdonly_untrusted_mem. The program gets a read-only untrusted memory value from bpf_rdonly_cast(..., 0). It then adds that value to a scalar destination. The verifier should reject this instead of preserving stale scalar state.
Signed-off-by: Nuoqi Gui <[email protected]> --- .../testing/selftests/bpf/progs/mem_rdonly_untrusted.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c b/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c index 5b4453747c23..303b8ed3e70b 100644 --- a/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c +++ b/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c @@ -77,6 +77,23 @@ int offset_not_tracked(void *ctx) return s; } +SEC("socket") +__failure +__msg("R1 tried to add from rdonly_untrusted_mem to scalar") +__naked void scalar_add_not_ok(void) +{ + asm volatile ("r1 = 0;" + "r2 = 0;" + "call %[bpf_rdonly_cast];" + "r1 = 0;" + "r1 += r0;" + "r0 = 0;" + "exit;" + : + : __imm(bpf_rdonly_cast) + : __clobber_all); +} + SEC("socket") __failure __msg("cannot write into rdonly_untrusted_mem") -- 2.34.1
