[PATCH bpf-next 2/2] selftests/bpf: Cover scalar addition from rdonly untrusted memory

Next message: Taniya Das: "[PATCH v6 6/7] clk: qcom: camcc: Add support for camera clock controller for Eliza"
Previous message: Nuoqi Gui: "[PATCH bpf-next 1/2] bpf: Reject scalar addition from untrusted memory"
In reply to: Nuoqi Gui: "Re: Re: [PATCH bpf-next 1/2] bpf: Reject scalar addition from untrusted memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nuoqi Gui

Date: Tue Jun 09 2026 - 11:26:04 EST

Add a verifier test for scalar += rdonly_untrusted_mem. The program gets a
read-only untrusted memory value from bpf_rdonly_cast(..., 0). It then adds
that value to a scalar destination. The verifier should reject this instead
of preserving stale scalar state.

Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
---
.../testing/selftests/bpf/progs/mem_rdonly_untrusted.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c b/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c
index 5b4453747c23..303b8ed3e70b 100644
--- a/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c
+++ b/tools/testing/selftests/bpf/progs/mem_rdonly_untrusted.c
@@ -77,6 +77,23 @@ int offset_not_tracked(void *ctx)
return s;
}

+SEC("socket")
+__failure
+__msg("R1 tried to add from rdonly_untrusted_mem to scalar")
+__naked void scalar_add_not_ok(void)
+{
+ asm volatile ("r1 = 0;"
+ "r2 = 0;"
+ "call %[bpf_rdonly_cast];"
+ "r1 = 0;"
+ "r1 += r0;"
+ "r0 = 0;"
+ "exit;"
+ :
+ : __imm(bpf_rdonly_cast)
+ : __clobber_all);
+}
+
SEC("socket")
__failure
__msg("cannot write into rdonly_untrusted_mem")

--
2.34.1