bpf: Add verifier regression test for previous patch

Add a regression test for var-off zero-sized reads.

Signed-off-by: Andrei Matei <andreimatei1@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20231207041150.229139-3-andreimatei1@gmail.com

diff --git a/tools/testing/selftests/bpf/progs/verifier_var_off.c b/tools/testing/selftests/bpf/progs/verifier_var_off.c
index 83a90afba78576c81c709955e136207ee90f8d82..b7bdd7db3a3579c8167a24847ef6d79e472b9c4c 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_var_off.c
+++ b/tools/testing/selftests/bpf/progs/verifier_var_off.c
@@ -224,6 +224,35 @@ __naked void access_max_out_of_bound(void)
        : __clobber_all);
 }
 
+/* Similar to the test above, but this time check the special case of a
+ * zero-sized stack access. We used to have a bug causing crashes for zero-sized
+ * out-of-bounds accesses.
+ */
+SEC("socket")
+__description("indirect variable-offset stack access, zero-sized, max out of bound")
+__failure __msg("invalid variable-offset indirect access to stack R1")
+__naked void zero_sized_access_max_out_of_bound(void)
+{
+       asm volatile ("                      \
+       r0 = 0;                              \
+       /* Fill some stack */                \
+       *(u64*)(r10 - 16) = r0;              \
+       *(u64*)(r10 - 8) = r0;               \
+       /* Get an unknown value */           \
+       r1 = *(u32*)(r1 + 0);                \
+       r1 &= 63;                            \
+       r1 += -16;                           \
+       /* r1 is now anywhere in [-16,48) */ \
+       r1 += r10;                           \
+       r2 = 0;                              \
+       r3 = 0;                              \
+       call %[bpf_probe_read_kernel];       \
+       exit;                                \
+"      :
+       : __imm(bpf_probe_read_kernel)
+       : __clobber_all);
+}
+
 SEC("lwt_in")
 __description("indirect variable-offset stack access, min out of bound")
 __failure __msg("invalid variable-offset indirect access to stack R2")