On 6/3/25 5:37 PM, Ihor Solodrai wrote:
Add a test for CONST_PTR_TO_MAP comparison with a non-0 constant. A
BPF program with this code must not pass verification in unpriv.
Signed-off-by: Ihor Solodrai <isolodrai@xxxxxxxx>
---
.../selftests/bpf/progs/verifier_unpriv.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
index 28200f068ce5..85b41f927272 100644
--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
@@ -634,6 +634,23 @@ l0_%=: r0 = 0; \
: __clobber_all);
}
+SEC("socket")
+__description("unpriv: cmp map pointer with const")
+__success __failure_unpriv __msg_unpriv("R1 pointer comparison prohibited")
+__retval(0)
+__naked void cmp_map_pointer_with_const(void)
+{
+ asm volatile (" \
+ r1 = 0; \
+ r1 = %[map_hash_8b] ll; \
+ if r1 == 0xcafefeeddeadbeef goto l0_%=; \
GCC BPF caught (correctly) that this is not a valid instruction because
imm is supposed to be 32bit [1]:
progs/verifier_unpriv.c: Assembler messages:
progs/verifier_unpriv.c:643: Error: immediate out of range, shall
fit in 32 bits
make: *** [Makefile:751:
/tmp/work/bpf/bpf/src/tools/testing/selftests/bpf/bpf_gcc/verifier_unpriv.bpf.o]
Error 1
But LLVM 20 let it compile and the test passes. I wonder whether it's a
bug in LLVM worth reporting?
[1]
https://github.com/kernel-patches/bpf/actions/runs/15430930573/job/43428666342
+l0_%=: r0 = 0; \
+ exit; \
+" :
+ : __imm_addr(map_hash_8b)
+ : __clobber_all);
+}
+
SEC("socket")
__description("unpriv: write into frame pointer")
__failure __msg("frame pointer is read only")
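Review bot: The new test `cmp_map_pointer_with_const` has no comment explaining why the load must succeed when privileged and fail when unprivileged, so the `__success __failure_unpriv` pair gives a reader nothing to check the expectation against. A short comment above its `SEC("socket")` line would record the intent, for example `/* Comparing a map pointer with a non-zero constant could reveal kernel address bits, so unpriv must be rejected. */`. That rationale is inferred from the expected message `R1 pointer comparison prohibited` and from the commit description, so the wording should be confirmed against the verifier change this test accompanies. Separately, the leading `r1 = 0;` is overwritten by the next instruction and could be dropped, unless it is kept on purpose to mirror neighbouring tests outside this hunk.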