On Thu, 3 Jul 2025 at 00:42, Eduard Zingerman <eddyz87@xxxxxxxxx> wrote:
>
> Check usage of __arg_untrusted parameters with PTR_TO_BTF_ID:
> - combining __arg_untrusted with other tags is forbidden;
> - passing of {trusted, untrusted, map value, scalar value, values with
> variable offset} to untrusted is ok;
> - passing of PTR_TO_BTF_ID with a different type to untrusted is ok;
> - passing of untrusted to trusted is forbidden.
If you decide or do not decide to support program local types, one
extra test could exercise support/lack of support as well.
It should fail to find the candidate if unsupported, succeed if supported.
>
> Signed-off-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
> ---
Acked-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> .../bpf/progs/verifier_global_ptr_args.c | 66 +++++++++++++++++++
> 1 file changed, 66 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
> index 4ab0ef18d7eb..772e8dd3e001 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_global_ptr_args.c
> @@ -179,4 +179,70 @@ int BPF_PROG(trusted_acq_rel, struct task_struct *task, u64 clone_flags)
> return subprog_trusted_acq_rel(task);
> }
>
> +__weak int subprog_untrusted_bad_tags(struct task_struct *task __arg_untrusted __arg_nullable)
> +{
> + return task->pid;
> +}
> +
> +SEC("tp_btf/sys_enter")
> +__failure
> +__msg("arg#0 untrusted cannot be combined with any other tags")
> +int untrusted_bad_tags(void *ctx)
> +{
> + return subprog_untrusted_bad_tags(0);
> +}
> +
> +__weak int subprog_untrusted(struct task_struct *task __arg_untrusted)
> +{
> + return task->pid;
> +}
> +
> +SEC("tp_btf/sys_enter")
> +__success
> +__log_level(2)
> +__msg("r1 = {{.*}}; {{.*}}R1_w=trusted_ptr_task_struct()")
> +__msg("Func#1 ('subprog_untrusted') is global and assumed valid.")
> +__msg("Validating subprog_untrusted() func#1...")
> +__msg(": R1=untrusted_ptr_task_struct")
> +int trusted_to_untrusted(void *ctx)
> +{
> + return subprog_untrusted(bpf_get_current_task_btf());
> +}
> +
> +char mem[16];
> +u32 off;
> +
> +SEC("tp_btf/sys_enter")
> +__success
> +int anything_to_untrusted(void *ctx)
> +{
> + /* untrusted to untrusted */
> + subprog_untrusted(bpf_core_cast(0, struct task_struct));
> + /* wrong type to untrusted */
> + subprog_untrusted((void *)bpf_core_cast(0, struct bpf_verifier_env));
> + /* map value to untrusted */
> + subprog_untrusted((void *)mem);
> + /* scalar to untrusted */
> + subprog_untrusted(0);
> + /* variable offset to untrusted (map) */
> + subprog_untrusted((void *)mem + off);
> + /* variable offset to untrusted (trusted) */
> + subprog_untrusted((void *)bpf_get_current_task_btf() + off);
> + return 0;
> +}
> +
> +__weak int subprog_untrusted2(struct task_struct *task __arg_untrusted)
> +{
> + return subprog_trusted_task_nullable(task);
> +}
> +
> +SEC("tp_btf/sys_enter")
> +__failure
> +__msg("R1 type=untrusted_ptr_ expected=ptr_, trusted_ptr_, rcu_ptr_")
> +__msg("Caller passes invalid args into func#{{.*}} ('subprog_trusted_task_nullable')")
> +int untrusted_to_trusted(void *ctx)
> +{
> + return subprog_untrusted2(bpf_get_current_task_btf());
> +}
> +
> char _license[] SEC("license") = "GPL";
> --
> 2.47.1
>
>
