From: Daniel Borkmann <daniel@iogearbox.net>
To: eddyz87@gmail.com
Cc: puranjay@kernel.org, memxor@gmail.com, yonghong.song@linux.dev,
info@starlabs.sg, bpf@vger.kernel.org
Subject: [PATCH bpf-next 2/2] selftests/bpf: Add test for scalar id on sign-extending stack fill
Date: Thu, 9 Jul 2026 17:31:31 +0200 [thread overview]
Message-ID: <20260709153131.386599-2-daniel@iogearbox.net> (raw)
In-Reply-To: <20260709153131.386599-1-daniel@iogearbox.net>
Add a verifier test where a spilled scalar is filled once via a sign-
extending load (BPF_MEMSX) and once via a zero-extending load (BPF_MEM).
The two destination registers must not share a scalar id.
# LDLIBS=-static PKG_CONFIG='pkg-config --static' ./vmtest.sh -- ./test_progs -t verifier_scalar_ids
[...]
#643/1 verifier_scalar_ids/linked_regs_bpf_k:OK
#643/2 verifier_scalar_ids/linked_regs_bpf_x_src:OK
#643/3 verifier_scalar_ids/linked_regs_bpf_x_dst:OK
#643/4 verifier_scalar_ids/linked_regs_broken_link:OK
#643/5 verifier_scalar_ids/precision_many_frames:OK
#643/6 verifier_scalar_ids/precision_stack:OK
#643/7 verifier_scalar_ids/precision_two_ids:OK
#643/8 verifier_scalar_ids/linked_regs_too_many_regs:OK
#643/9 verifier_scalar_ids/linked_regs_broken_link_2:OK
#643/10 verifier_scalar_ids/cjmp_no_linked_regs_trigger:OK
#643/11 verifier_scalar_ids/check_ids_in_regsafe:OK
#643/12 verifier_scalar_ids/check_ids_in_regsafe_2:OK
#643/13 verifier_scalar_ids/no_scalar_id_for_const:OK
#643/14 verifier_scalar_ids/no_scalar_id_for_const32:OK
#643/15 verifier_scalar_ids/ignore_unique_scalar_ids_cur:OK
#643/16 verifier_scalar_ids/ignore_unique_scalar_ids_old:OK
#643/17 verifier_scalar_ids/two_nil_old_ids_one_cur_id:OK
#643/18 verifier_scalar_ids/two_old_ids_one_cur_id:OK
#643/19 verifier_scalar_ids/linked_regs_and_subreg_def:OK
#643/20 verifier_scalar_ids/ldsx_fill_scalar_id_not_shared:OK
#643 verifier_scalar_ids:OK
Summary: 1/20 PASSED, 0 SKIPPED, 0 FAILED
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
.../selftests/bpf/progs/verifier_scalar_ids.c | 56 +++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c b/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c
index e38f102da45f..663d15fc5fd2 100644
--- a/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c
+++ b/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c
@@ -4,6 +4,13 @@
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 1);
+ __type(key, long long);
+ __type(value, long long);
+} map_hash_8b SEC(".maps");
+
/* Check that precision marks propagate through scalar IDs.
* Registers r{0,1,2} have the same scalar ID.
* Range information is propagated for scalars sharing same ID.
@@ -915,4 +922,53 @@ __naked void linked_regs_and_subreg_def(void)
: __clobber_all);
}
+/*
+ * A scalar is spilled to the stack and then filled twice: once via a
+ * sign-extending load (BPF_MEMSX) into r4 and once via a zero-extending
+ * load (BPF_MEM) into r5. coerce_reg_to_size_sx() gives r4 a different
+ * value than the spilled/zero-extended siblings, so r4 must not keep the
+ * shared scalar id. Otherwise the later 'if r5 == 0x80000000' refines r4
+ * through sync_linked_regs() to a known 0x80000000, while at runtime r4
+ * is the sign-extended 0xffffffff80000000. The test turns that discrepancy
+ * into an out-of-bounds map value access (r4 >> 63 is believed 0 but is 1
+ * at runtime), which must be rejected.
+ */
+SEC("socket")
+__failure __msg("R0 max value is outside of the allowed memory range")
+__naked void ldsx_fill_scalar_id_not_shared(void)
+{
+ asm volatile (" \
+ r1 = 0; \
+ *(u64*)(r10 - 8) = r1; \
+ r2 = r10; \
+ r2 += -8; \
+ r1 = %[map_hash_8b] ll; \
+ call %[bpf_map_lookup_elem]; \
+ if r0 == 0 goto l0_%=; \
+ /* r7 = unknown u32, keep only bit 31 */ \
+ r7 = *(u32*)(r0 + 0); \
+ r2 = 0x80000000 ll; \
+ r7 &= r2; \
+ /* link r6 and r7 via a fresh scalar id */ \
+ r6 = r7; \
+ /* spill r7 (u32) to the stack */ \
+ *(u32*)(r10 - 8) = r7; \
+ /* sign-extending fill: must drop the id */ \
+ r4 = *(s32*)(r10 - 8); \
+ /* zero-extending fill: keeps the id */ \
+ r5 = *(u32*)(r10 - 8); \
+ /* r5 becomes known 0x80000000 on fall-through */\
+ if r5 != r2 goto l0_%=; \
+ /* verifier believes r4 == 0 here, runtime is 1 */\
+ r4 >>= 63; \
+ r0 += r4; \
+ r0 = *(u8*)(r0 + 7); \
+l0_%=: r0 = 0; \
+ exit; \
+" :
+ : __imm(bpf_map_lookup_elem),
+ __imm_addr(map_hash_8b)
+ : __clobber_all);
+}
+
char _license[] SEC("license") = "GPL";
--
2.43.0
next prev parent reply other threads:[~2026-07-09 15:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 15:31 [PATCH bpf-next 1/2] bpf: Drop scalar id on sign-extending narrowing stack fills Daniel Borkmann
2026-07-09 15:31 ` Daniel Borkmann [this message]
2026-07-09 19:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709153131.386599-2-daniel@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=bpf@vger.kernel.org \
--cc=eddyz87@gmail.com \
--cc=info@starlabs.sg \
--cc=memxor@gmail.com \
--cc=puranjay@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox