1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of version 2 of the GNU General Public 8 * License as published by the Free Software Foundation. 9 */ 10 11 #include <asm/types.h> 12 #include <linux/types.h> 13 #include <stdint.h> 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <unistd.h> 17 #include <errno.h> 18 #include <string.h> 19 #include <stddef.h> 20 #include <stdbool.h> 21 #include <sched.h> 22 23 #include <sys/capability.h> 24 #include <sys/resource.h> 25 26 #include <linux/unistd.h> 27 #include <linux/filter.h> 28 #include <linux/bpf_perf_event.h> 29 #include <linux/bpf.h> 30 31 #include <bpf/bpf.h> 32 33 #ifdef HAVE_GENHDR 34 # include "autoconf.h" 35 #else 36 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 37 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 38 # endif 39 #endif 40 41 #include "../../../include/linux/filter.h" 42 43 #ifndef ARRAY_SIZE 44 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 45 #endif 46 47 #define MAX_INSNS 512 48 #define MAX_FIXUPS 8 49 #define MAX_NR_MAPS 4 50 51 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 52 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 53 54 struct bpf_test { 55 const char *descr; 56 struct bpf_insn insns[MAX_INSNS]; 57 int fixup_map1[MAX_FIXUPS]; 58 int fixup_map2[MAX_FIXUPS]; 59 int fixup_prog[MAX_FIXUPS]; 60 int fixup_map_in_map[MAX_FIXUPS]; 61 const char *errstr; 62 const char *errstr_unpriv; 63 enum { 64 UNDEF, 65 ACCEPT, 66 REJECT 67 } result, result_unpriv; 68 enum bpf_prog_type prog_type; 69 uint8_t flags; 70 }; 71 72 /* Note we want this to be 64 bit aligned so that the end of our array is 73 * actually the end of the structure. 74 */ 75 #define MAX_ENTRIES 11 76 77 struct test_val { 78 unsigned int index; 79 int foo[MAX_ENTRIES]; 80 }; 81 82 static struct bpf_test tests[] = { 83 { 84 "add+sub+mul", 85 .insns = { 86 BPF_MOV64_IMM(BPF_REG_1, 1), 87 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 88 BPF_MOV64_IMM(BPF_REG_2, 3), 89 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 90 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 91 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 92 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 93 BPF_EXIT_INSN(), 94 }, 95 .result = ACCEPT, 96 }, 97 { 98 "unreachable", 99 .insns = { 100 BPF_EXIT_INSN(), 101 BPF_EXIT_INSN(), 102 }, 103 .errstr = "unreachable", 104 .result = REJECT, 105 }, 106 { 107 "unreachable2", 108 .insns = { 109 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 110 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 111 BPF_EXIT_INSN(), 112 }, 113 .errstr = "unreachable", 114 .result = REJECT, 115 }, 116 { 117 "out of range jump", 118 .insns = { 119 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 120 BPF_EXIT_INSN(), 121 }, 122 .errstr = "jump out of range", 123 .result = REJECT, 124 }, 125 { 126 "out of range jump2", 127 .insns = { 128 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 129 BPF_EXIT_INSN(), 130 }, 131 .errstr = "jump out of range", 132 .result = REJECT, 133 }, 134 { 135 "test1 ld_imm64", 136 .insns = { 137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 138 BPF_LD_IMM64(BPF_REG_0, 0), 139 BPF_LD_IMM64(BPF_REG_0, 0), 140 BPF_LD_IMM64(BPF_REG_0, 1), 141 BPF_LD_IMM64(BPF_REG_0, 1), 142 BPF_MOV64_IMM(BPF_REG_0, 2), 143 BPF_EXIT_INSN(), 144 }, 145 .errstr = "invalid BPF_LD_IMM insn", 146 .errstr_unpriv = "R1 pointer comparison", 147 .result = REJECT, 148 }, 149 { 150 "test2 ld_imm64", 151 .insns = { 152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 153 BPF_LD_IMM64(BPF_REG_0, 0), 154 BPF_LD_IMM64(BPF_REG_0, 0), 155 BPF_LD_IMM64(BPF_REG_0, 1), 156 BPF_LD_IMM64(BPF_REG_0, 1), 157 BPF_EXIT_INSN(), 158 }, 159 .errstr = "invalid BPF_LD_IMM insn", 160 .errstr_unpriv = "R1 pointer comparison", 161 .result = REJECT, 162 }, 163 { 164 "test3 ld_imm64", 165 .insns = { 166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 167 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 168 BPF_LD_IMM64(BPF_REG_0, 0), 169 BPF_LD_IMM64(BPF_REG_0, 0), 170 BPF_LD_IMM64(BPF_REG_0, 1), 171 BPF_LD_IMM64(BPF_REG_0, 1), 172 BPF_EXIT_INSN(), 173 }, 174 .errstr = "invalid bpf_ld_imm64 insn", 175 .result = REJECT, 176 }, 177 { 178 "test4 ld_imm64", 179 .insns = { 180 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 181 BPF_EXIT_INSN(), 182 }, 183 .errstr = "invalid bpf_ld_imm64 insn", 184 .result = REJECT, 185 }, 186 { 187 "test5 ld_imm64", 188 .insns = { 189 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 190 }, 191 .errstr = "invalid bpf_ld_imm64 insn", 192 .result = REJECT, 193 }, 194 { 195 "test6 ld_imm64", 196 .insns = { 197 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 198 BPF_RAW_INSN(0, 0, 0, 0, 0), 199 BPF_EXIT_INSN(), 200 }, 201 .result = ACCEPT, 202 }, 203 { 204 "test7 ld_imm64", 205 .insns = { 206 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 207 BPF_RAW_INSN(0, 0, 0, 0, 1), 208 BPF_EXIT_INSN(), 209 }, 210 .result = ACCEPT, 211 }, 212 { 213 "test8 ld_imm64", 214 .insns = { 215 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1), 216 BPF_RAW_INSN(0, 0, 0, 0, 1), 217 BPF_EXIT_INSN(), 218 }, 219 .errstr = "uses reserved fields", 220 .result = REJECT, 221 }, 222 { 223 "test9 ld_imm64", 224 .insns = { 225 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 226 BPF_RAW_INSN(0, 0, 0, 1, 1), 227 BPF_EXIT_INSN(), 228 }, 229 .errstr = "invalid bpf_ld_imm64 insn", 230 .result = REJECT, 231 }, 232 { 233 "test10 ld_imm64", 234 .insns = { 235 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 236 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1), 237 BPF_EXIT_INSN(), 238 }, 239 .errstr = "invalid bpf_ld_imm64 insn", 240 .result = REJECT, 241 }, 242 { 243 "test11 ld_imm64", 244 .insns = { 245 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 246 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 247 BPF_EXIT_INSN(), 248 }, 249 .errstr = "invalid bpf_ld_imm64 insn", 250 .result = REJECT, 251 }, 252 { 253 "test12 ld_imm64", 254 .insns = { 255 BPF_MOV64_IMM(BPF_REG_1, 0), 256 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 257 BPF_RAW_INSN(0, 0, 0, 0, 1), 258 BPF_EXIT_INSN(), 259 }, 260 .errstr = "not pointing to valid bpf_map", 261 .result = REJECT, 262 }, 263 { 264 "test13 ld_imm64", 265 .insns = { 266 BPF_MOV64_IMM(BPF_REG_1, 0), 267 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 268 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 269 BPF_EXIT_INSN(), 270 }, 271 .errstr = "invalid bpf_ld_imm64 insn", 272 .result = REJECT, 273 }, 274 { 275 "no bpf_exit", 276 .insns = { 277 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 278 }, 279 .errstr = "jump out of range", 280 .result = REJECT, 281 }, 282 { 283 "loop (back-edge)", 284 .insns = { 285 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 286 BPF_EXIT_INSN(), 287 }, 288 .errstr = "back-edge", 289 .result = REJECT, 290 }, 291 { 292 "loop2 (back-edge)", 293 .insns = { 294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 296 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 297 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 298 BPF_EXIT_INSN(), 299 }, 300 .errstr = "back-edge", 301 .result = REJECT, 302 }, 303 { 304 "conditional loop", 305 .insns = { 306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 308 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 310 BPF_EXIT_INSN(), 311 }, 312 .errstr = "back-edge", 313 .result = REJECT, 314 }, 315 { 316 "read uninitialized register", 317 .insns = { 318 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 319 BPF_EXIT_INSN(), 320 }, 321 .errstr = "R2 !read_ok", 322 .result = REJECT, 323 }, 324 { 325 "read invalid register", 326 .insns = { 327 BPF_MOV64_REG(BPF_REG_0, -1), 328 BPF_EXIT_INSN(), 329 }, 330 .errstr = "R15 is invalid", 331 .result = REJECT, 332 }, 333 { 334 "program doesn't init R0 before exit", 335 .insns = { 336 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 337 BPF_EXIT_INSN(), 338 }, 339 .errstr = "R0 !read_ok", 340 .result = REJECT, 341 }, 342 { 343 "program doesn't init R0 before exit in all branches", 344 .insns = { 345 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 346 BPF_MOV64_IMM(BPF_REG_0, 1), 347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 348 BPF_EXIT_INSN(), 349 }, 350 .errstr = "R0 !read_ok", 351 .errstr_unpriv = "R1 pointer comparison", 352 .result = REJECT, 353 }, 354 { 355 "stack out of bounds", 356 .insns = { 357 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 358 BPF_EXIT_INSN(), 359 }, 360 .errstr = "invalid stack", 361 .result = REJECT, 362 }, 363 { 364 "invalid call insn1", 365 .insns = { 366 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 367 BPF_EXIT_INSN(), 368 }, 369 .errstr = "BPF_CALL uses reserved", 370 .result = REJECT, 371 }, 372 { 373 "invalid call insn2", 374 .insns = { 375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 376 BPF_EXIT_INSN(), 377 }, 378 .errstr = "BPF_CALL uses reserved", 379 .result = REJECT, 380 }, 381 { 382 "invalid function call", 383 .insns = { 384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 385 BPF_EXIT_INSN(), 386 }, 387 .errstr = "invalid func unknown#1234567", 388 .result = REJECT, 389 }, 390 { 391 "uninitialized stack1", 392 .insns = { 393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 395 BPF_LD_MAP_FD(BPF_REG_1, 0), 396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 397 BPF_FUNC_map_lookup_elem), 398 BPF_EXIT_INSN(), 399 }, 400 .fixup_map1 = { 2 }, 401 .errstr = "invalid indirect read from stack", 402 .result = REJECT, 403 }, 404 { 405 "uninitialized stack2", 406 .insns = { 407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 409 BPF_EXIT_INSN(), 410 }, 411 .errstr = "invalid read from stack", 412 .result = REJECT, 413 }, 414 { 415 "invalid fp arithmetic", 416 /* If this gets ever changed, make sure JITs can deal with it. */ 417 .insns = { 418 BPF_MOV64_IMM(BPF_REG_0, 0), 419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 420 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8), 421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 422 BPF_EXIT_INSN(), 423 }, 424 .errstr_unpriv = "R1 pointer arithmetic", 425 .result_unpriv = REJECT, 426 .errstr = "R1 invalid mem access", 427 .result = REJECT, 428 }, 429 { 430 "non-invalid fp arithmetic", 431 .insns = { 432 BPF_MOV64_IMM(BPF_REG_0, 0), 433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 434 BPF_EXIT_INSN(), 435 }, 436 .result = ACCEPT, 437 }, 438 { 439 "invalid argument register", 440 .insns = { 441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 442 BPF_FUNC_get_cgroup_classid), 443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 444 BPF_FUNC_get_cgroup_classid), 445 BPF_EXIT_INSN(), 446 }, 447 .errstr = "R1 !read_ok", 448 .result = REJECT, 449 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 450 }, 451 { 452 "non-invalid argument register", 453 .insns = { 454 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 456 BPF_FUNC_get_cgroup_classid), 457 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 459 BPF_FUNC_get_cgroup_classid), 460 BPF_EXIT_INSN(), 461 }, 462 .result = ACCEPT, 463 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 464 }, 465 { 466 "check valid spill/fill", 467 .insns = { 468 /* spill R1(ctx) into stack */ 469 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 470 /* fill it back into R2 */ 471 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 472 /* should be able to access R0 = *(R2 + 8) */ 473 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 475 BPF_EXIT_INSN(), 476 }, 477 .errstr_unpriv = "R0 leaks addr", 478 .result = ACCEPT, 479 .result_unpriv = REJECT, 480 }, 481 { 482 "check valid spill/fill, skb mark", 483 .insns = { 484 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 485 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 487 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 488 offsetof(struct __sk_buff, mark)), 489 BPF_EXIT_INSN(), 490 }, 491 .result = ACCEPT, 492 .result_unpriv = ACCEPT, 493 }, 494 { 495 "check corrupted spill/fill", 496 .insns = { 497 /* spill R1(ctx) into stack */ 498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 499 /* mess up with R1 pointer on stack */ 500 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 501 /* fill back into R0 should fail */ 502 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 503 BPF_EXIT_INSN(), 504 }, 505 .errstr_unpriv = "attempt to corrupt spilled", 506 .errstr = "corrupted spill", 507 .result = REJECT, 508 }, 509 { 510 "invalid src register in STX", 511 .insns = { 512 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 513 BPF_EXIT_INSN(), 514 }, 515 .errstr = "R15 is invalid", 516 .result = REJECT, 517 }, 518 { 519 "invalid dst register in STX", 520 .insns = { 521 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 522 BPF_EXIT_INSN(), 523 }, 524 .errstr = "R14 is invalid", 525 .result = REJECT, 526 }, 527 { 528 "invalid dst register in ST", 529 .insns = { 530 BPF_ST_MEM(BPF_B, 14, -1, -1), 531 BPF_EXIT_INSN(), 532 }, 533 .errstr = "R14 is invalid", 534 .result = REJECT, 535 }, 536 { 537 "invalid src register in LDX", 538 .insns = { 539 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 540 BPF_EXIT_INSN(), 541 }, 542 .errstr = "R12 is invalid", 543 .result = REJECT, 544 }, 545 { 546 "invalid dst register in LDX", 547 .insns = { 548 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 549 BPF_EXIT_INSN(), 550 }, 551 .errstr = "R11 is invalid", 552 .result = REJECT, 553 }, 554 { 555 "junk insn", 556 .insns = { 557 BPF_RAW_INSN(0, 0, 0, 0, 0), 558 BPF_EXIT_INSN(), 559 }, 560 .errstr = "invalid BPF_LD_IMM", 561 .result = REJECT, 562 }, 563 { 564 "junk insn2", 565 .insns = { 566 BPF_RAW_INSN(1, 0, 0, 0, 0), 567 BPF_EXIT_INSN(), 568 }, 569 .errstr = "BPF_LDX uses reserved fields", 570 .result = REJECT, 571 }, 572 { 573 "junk insn3", 574 .insns = { 575 BPF_RAW_INSN(-1, 0, 0, 0, 0), 576 BPF_EXIT_INSN(), 577 }, 578 .errstr = "invalid BPF_ALU opcode f0", 579 .result = REJECT, 580 }, 581 { 582 "junk insn4", 583 .insns = { 584 BPF_RAW_INSN(-1, -1, -1, -1, -1), 585 BPF_EXIT_INSN(), 586 }, 587 .errstr = "invalid BPF_ALU opcode f0", 588 .result = REJECT, 589 }, 590 { 591 "junk insn5", 592 .insns = { 593 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 594 BPF_EXIT_INSN(), 595 }, 596 .errstr = "BPF_ALU uses reserved fields", 597 .result = REJECT, 598 }, 599 { 600 "misaligned read from stack", 601 .insns = { 602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 604 BPF_EXIT_INSN(), 605 }, 606 .errstr = "misaligned access", 607 .result = REJECT, 608 }, 609 { 610 "invalid map_fd for function call", 611 .insns = { 612 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 613 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 615 BPF_LD_MAP_FD(BPF_REG_1, 0), 616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 617 BPF_FUNC_map_delete_elem), 618 BPF_EXIT_INSN(), 619 }, 620 .errstr = "fd 0 is not pointing to valid bpf_map", 621 .result = REJECT, 622 }, 623 { 624 "don't check return value before access", 625 .insns = { 626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 629 BPF_LD_MAP_FD(BPF_REG_1, 0), 630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 631 BPF_FUNC_map_lookup_elem), 632 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 633 BPF_EXIT_INSN(), 634 }, 635 .fixup_map1 = { 3 }, 636 .errstr = "R0 invalid mem access 'map_value_or_null'", 637 .result = REJECT, 638 }, 639 { 640 "access memory with incorrect alignment", 641 .insns = { 642 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 643 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 645 BPF_LD_MAP_FD(BPF_REG_1, 0), 646 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 647 BPF_FUNC_map_lookup_elem), 648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 649 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 650 BPF_EXIT_INSN(), 651 }, 652 .fixup_map1 = { 3 }, 653 .errstr = "misaligned access", 654 .result = REJECT, 655 }, 656 { 657 "sometimes access memory with incorrect alignment", 658 .insns = { 659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 662 BPF_LD_MAP_FD(BPF_REG_1, 0), 663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 664 BPF_FUNC_map_lookup_elem), 665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 667 BPF_EXIT_INSN(), 668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 669 BPF_EXIT_INSN(), 670 }, 671 .fixup_map1 = { 3 }, 672 .errstr = "R0 invalid mem access", 673 .errstr_unpriv = "R0 leaks addr", 674 .result = REJECT, 675 }, 676 { 677 "jump test 1", 678 .insns = { 679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 680 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 681 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 682 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 684 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 693 BPF_MOV64_IMM(BPF_REG_0, 0), 694 BPF_EXIT_INSN(), 695 }, 696 .errstr_unpriv = "R1 pointer comparison", 697 .result_unpriv = REJECT, 698 .result = ACCEPT, 699 }, 700 { 701 "jump test 2", 702 .insns = { 703 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 705 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 706 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 708 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 709 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 711 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 712 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 714 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 715 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 717 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 718 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 720 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 721 BPF_MOV64_IMM(BPF_REG_0, 0), 722 BPF_EXIT_INSN(), 723 }, 724 .errstr_unpriv = "R1 pointer comparison", 725 .result_unpriv = REJECT, 726 .result = ACCEPT, 727 }, 728 { 729 "jump test 3", 730 .insns = { 731 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 733 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 735 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 739 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 743 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 747 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 751 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 755 BPF_LD_MAP_FD(BPF_REG_1, 0), 756 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 757 BPF_FUNC_map_delete_elem), 758 BPF_EXIT_INSN(), 759 }, 760 .fixup_map1 = { 24 }, 761 .errstr_unpriv = "R1 pointer comparison", 762 .result_unpriv = REJECT, 763 .result = ACCEPT, 764 }, 765 { 766 "jump test 4", 767 .insns = { 768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 808 BPF_MOV64_IMM(BPF_REG_0, 0), 809 BPF_EXIT_INSN(), 810 }, 811 .errstr_unpriv = "R1 pointer comparison", 812 .result_unpriv = REJECT, 813 .result = ACCEPT, 814 }, 815 { 816 "jump test 5", 817 .insns = { 818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 819 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 820 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 821 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 822 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 823 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 824 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 825 BPF_MOV64_IMM(BPF_REG_0, 0), 826 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 828 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 829 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 830 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 831 BPF_MOV64_IMM(BPF_REG_0, 0), 832 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 834 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 835 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 836 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 837 BPF_MOV64_IMM(BPF_REG_0, 0), 838 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 840 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 841 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 842 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 843 BPF_MOV64_IMM(BPF_REG_0, 0), 844 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 846 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 847 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 848 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 849 BPF_MOV64_IMM(BPF_REG_0, 0), 850 BPF_EXIT_INSN(), 851 }, 852 .errstr_unpriv = "R1 pointer comparison", 853 .result_unpriv = REJECT, 854 .result = ACCEPT, 855 }, 856 { 857 "access skb fields ok", 858 .insns = { 859 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 860 offsetof(struct __sk_buff, len)), 861 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 862 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 863 offsetof(struct __sk_buff, mark)), 864 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 866 offsetof(struct __sk_buff, pkt_type)), 867 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 868 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 869 offsetof(struct __sk_buff, queue_mapping)), 870 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 871 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 872 offsetof(struct __sk_buff, protocol)), 873 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 874 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 875 offsetof(struct __sk_buff, vlan_present)), 876 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 877 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 878 offsetof(struct __sk_buff, vlan_tci)), 879 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 880 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 881 offsetof(struct __sk_buff, napi_id)), 882 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 883 BPF_EXIT_INSN(), 884 }, 885 .result = ACCEPT, 886 }, 887 { 888 "access skb fields bad1", 889 .insns = { 890 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 891 BPF_EXIT_INSN(), 892 }, 893 .errstr = "invalid bpf_context access", 894 .result = REJECT, 895 }, 896 { 897 "access skb fields bad2", 898 .insns = { 899 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 900 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 903 BPF_LD_MAP_FD(BPF_REG_1, 0), 904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 905 BPF_FUNC_map_lookup_elem), 906 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 907 BPF_EXIT_INSN(), 908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 910 offsetof(struct __sk_buff, pkt_type)), 911 BPF_EXIT_INSN(), 912 }, 913 .fixup_map1 = { 4 }, 914 .errstr = "different pointers", 915 .errstr_unpriv = "R1 pointer comparison", 916 .result = REJECT, 917 }, 918 { 919 "access skb fields bad3", 920 .insns = { 921 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 922 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 923 offsetof(struct __sk_buff, pkt_type)), 924 BPF_EXIT_INSN(), 925 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 928 BPF_LD_MAP_FD(BPF_REG_1, 0), 929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 930 BPF_FUNC_map_lookup_elem), 931 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 932 BPF_EXIT_INSN(), 933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 934 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 935 }, 936 .fixup_map1 = { 6 }, 937 .errstr = "different pointers", 938 .errstr_unpriv = "R1 pointer comparison", 939 .result = REJECT, 940 }, 941 { 942 "access skb fields bad4", 943 .insns = { 944 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 945 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 946 offsetof(struct __sk_buff, len)), 947 BPF_MOV64_IMM(BPF_REG_0, 0), 948 BPF_EXIT_INSN(), 949 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 952 BPF_LD_MAP_FD(BPF_REG_1, 0), 953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 954 BPF_FUNC_map_lookup_elem), 955 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 956 BPF_EXIT_INSN(), 957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 958 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 959 }, 960 .fixup_map1 = { 7 }, 961 .errstr = "different pointers", 962 .errstr_unpriv = "R1 pointer comparison", 963 .result = REJECT, 964 }, 965 { 966 "check skb->mark is not writeable by sockets", 967 .insns = { 968 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 969 offsetof(struct __sk_buff, mark)), 970 BPF_EXIT_INSN(), 971 }, 972 .errstr = "invalid bpf_context access", 973 .errstr_unpriv = "R1 leaks addr", 974 .result = REJECT, 975 }, 976 { 977 "check skb->tc_index is not writeable by sockets", 978 .insns = { 979 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 980 offsetof(struct __sk_buff, tc_index)), 981 BPF_EXIT_INSN(), 982 }, 983 .errstr = "invalid bpf_context access", 984 .errstr_unpriv = "R1 leaks addr", 985 .result = REJECT, 986 }, 987 { 988 "check cb access: byte", 989 .insns = { 990 BPF_MOV64_IMM(BPF_REG_0, 0), 991 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 992 offsetof(struct __sk_buff, cb[0])), 993 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 994 offsetof(struct __sk_buff, cb[0]) + 1), 995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 996 offsetof(struct __sk_buff, cb[0]) + 2), 997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 998 offsetof(struct __sk_buff, cb[0]) + 3), 999 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1000 offsetof(struct __sk_buff, cb[1])), 1001 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1002 offsetof(struct __sk_buff, cb[1]) + 1), 1003 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1004 offsetof(struct __sk_buff, cb[1]) + 2), 1005 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1006 offsetof(struct __sk_buff, cb[1]) + 3), 1007 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1008 offsetof(struct __sk_buff, cb[2])), 1009 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1010 offsetof(struct __sk_buff, cb[2]) + 1), 1011 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1012 offsetof(struct __sk_buff, cb[2]) + 2), 1013 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1014 offsetof(struct __sk_buff, cb[2]) + 3), 1015 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1016 offsetof(struct __sk_buff, cb[3])), 1017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1018 offsetof(struct __sk_buff, cb[3]) + 1), 1019 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1020 offsetof(struct __sk_buff, cb[3]) + 2), 1021 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1022 offsetof(struct __sk_buff, cb[3]) + 3), 1023 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1024 offsetof(struct __sk_buff, cb[4])), 1025 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1026 offsetof(struct __sk_buff, cb[4]) + 1), 1027 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1028 offsetof(struct __sk_buff, cb[4]) + 2), 1029 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1030 offsetof(struct __sk_buff, cb[4]) + 3), 1031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1032 offsetof(struct __sk_buff, cb[0])), 1033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1034 offsetof(struct __sk_buff, cb[0]) + 1), 1035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1036 offsetof(struct __sk_buff, cb[0]) + 2), 1037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1038 offsetof(struct __sk_buff, cb[0]) + 3), 1039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1040 offsetof(struct __sk_buff, cb[1])), 1041 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1042 offsetof(struct __sk_buff, cb[1]) + 1), 1043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1044 offsetof(struct __sk_buff, cb[1]) + 2), 1045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1046 offsetof(struct __sk_buff, cb[1]) + 3), 1047 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1048 offsetof(struct __sk_buff, cb[2])), 1049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1050 offsetof(struct __sk_buff, cb[2]) + 1), 1051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1052 offsetof(struct __sk_buff, cb[2]) + 2), 1053 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1054 offsetof(struct __sk_buff, cb[2]) + 3), 1055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1056 offsetof(struct __sk_buff, cb[3])), 1057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1058 offsetof(struct __sk_buff, cb[3]) + 1), 1059 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1060 offsetof(struct __sk_buff, cb[3]) + 2), 1061 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1062 offsetof(struct __sk_buff, cb[3]) + 3), 1063 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1064 offsetof(struct __sk_buff, cb[4])), 1065 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1066 offsetof(struct __sk_buff, cb[4]) + 1), 1067 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1068 offsetof(struct __sk_buff, cb[4]) + 2), 1069 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1070 offsetof(struct __sk_buff, cb[4]) + 3), 1071 BPF_EXIT_INSN(), 1072 }, 1073 .result = ACCEPT, 1074 }, 1075 { 1076 "check cb access: byte, oob 1", 1077 .insns = { 1078 BPF_MOV64_IMM(BPF_REG_0, 0), 1079 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1080 offsetof(struct __sk_buff, cb[4]) + 4), 1081 BPF_EXIT_INSN(), 1082 }, 1083 .errstr = "invalid bpf_context access", 1084 .result = REJECT, 1085 }, 1086 { 1087 "check cb access: byte, oob 2", 1088 .insns = { 1089 BPF_MOV64_IMM(BPF_REG_0, 0), 1090 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1091 offsetof(struct __sk_buff, cb[0]) - 1), 1092 BPF_EXIT_INSN(), 1093 }, 1094 .errstr = "invalid bpf_context access", 1095 .result = REJECT, 1096 }, 1097 { 1098 "check cb access: byte, oob 3", 1099 .insns = { 1100 BPF_MOV64_IMM(BPF_REG_0, 0), 1101 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1102 offsetof(struct __sk_buff, cb[4]) + 4), 1103 BPF_EXIT_INSN(), 1104 }, 1105 .errstr = "invalid bpf_context access", 1106 .result = REJECT, 1107 }, 1108 { 1109 "check cb access: byte, oob 4", 1110 .insns = { 1111 BPF_MOV64_IMM(BPF_REG_0, 0), 1112 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1113 offsetof(struct __sk_buff, cb[0]) - 1), 1114 BPF_EXIT_INSN(), 1115 }, 1116 .errstr = "invalid bpf_context access", 1117 .result = REJECT, 1118 }, 1119 { 1120 "check cb access: byte, wrong type", 1121 .insns = { 1122 BPF_MOV64_IMM(BPF_REG_0, 0), 1123 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1124 offsetof(struct __sk_buff, cb[0])), 1125 BPF_EXIT_INSN(), 1126 }, 1127 .errstr = "invalid bpf_context access", 1128 .result = REJECT, 1129 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1130 }, 1131 { 1132 "check cb access: half", 1133 .insns = { 1134 BPF_MOV64_IMM(BPF_REG_0, 0), 1135 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1136 offsetof(struct __sk_buff, cb[0])), 1137 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1138 offsetof(struct __sk_buff, cb[0]) + 2), 1139 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1140 offsetof(struct __sk_buff, cb[1])), 1141 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1142 offsetof(struct __sk_buff, cb[1]) + 2), 1143 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1144 offsetof(struct __sk_buff, cb[2])), 1145 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1146 offsetof(struct __sk_buff, cb[2]) + 2), 1147 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1148 offsetof(struct __sk_buff, cb[3])), 1149 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1150 offsetof(struct __sk_buff, cb[3]) + 2), 1151 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1152 offsetof(struct __sk_buff, cb[4])), 1153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1154 offsetof(struct __sk_buff, cb[4]) + 2), 1155 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1156 offsetof(struct __sk_buff, cb[0])), 1157 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1158 offsetof(struct __sk_buff, cb[0]) + 2), 1159 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1160 offsetof(struct __sk_buff, cb[1])), 1161 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1162 offsetof(struct __sk_buff, cb[1]) + 2), 1163 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1164 offsetof(struct __sk_buff, cb[2])), 1165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1166 offsetof(struct __sk_buff, cb[2]) + 2), 1167 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1168 offsetof(struct __sk_buff, cb[3])), 1169 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1170 offsetof(struct __sk_buff, cb[3]) + 2), 1171 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1172 offsetof(struct __sk_buff, cb[4])), 1173 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1174 offsetof(struct __sk_buff, cb[4]) + 2), 1175 BPF_EXIT_INSN(), 1176 }, 1177 .result = ACCEPT, 1178 }, 1179 { 1180 "check cb access: half, unaligned", 1181 .insns = { 1182 BPF_MOV64_IMM(BPF_REG_0, 0), 1183 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1184 offsetof(struct __sk_buff, cb[0]) + 1), 1185 BPF_EXIT_INSN(), 1186 }, 1187 .errstr = "misaligned access", 1188 .result = REJECT, 1189 }, 1190 { 1191 "check cb access: half, oob 1", 1192 .insns = { 1193 BPF_MOV64_IMM(BPF_REG_0, 0), 1194 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1195 offsetof(struct __sk_buff, cb[4]) + 4), 1196 BPF_EXIT_INSN(), 1197 }, 1198 .errstr = "invalid bpf_context access", 1199 .result = REJECT, 1200 }, 1201 { 1202 "check cb access: half, oob 2", 1203 .insns = { 1204 BPF_MOV64_IMM(BPF_REG_0, 0), 1205 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1206 offsetof(struct __sk_buff, cb[0]) - 2), 1207 BPF_EXIT_INSN(), 1208 }, 1209 .errstr = "invalid bpf_context access", 1210 .result = REJECT, 1211 }, 1212 { 1213 "check cb access: half, oob 3", 1214 .insns = { 1215 BPF_MOV64_IMM(BPF_REG_0, 0), 1216 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1217 offsetof(struct __sk_buff, cb[4]) + 4), 1218 BPF_EXIT_INSN(), 1219 }, 1220 .errstr = "invalid bpf_context access", 1221 .result = REJECT, 1222 }, 1223 { 1224 "check cb access: half, oob 4", 1225 .insns = { 1226 BPF_MOV64_IMM(BPF_REG_0, 0), 1227 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1228 offsetof(struct __sk_buff, cb[0]) - 2), 1229 BPF_EXIT_INSN(), 1230 }, 1231 .errstr = "invalid bpf_context access", 1232 .result = REJECT, 1233 }, 1234 { 1235 "check cb access: half, wrong type", 1236 .insns = { 1237 BPF_MOV64_IMM(BPF_REG_0, 0), 1238 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1239 offsetof(struct __sk_buff, cb[0])), 1240 BPF_EXIT_INSN(), 1241 }, 1242 .errstr = "invalid bpf_context access", 1243 .result = REJECT, 1244 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1245 }, 1246 { 1247 "check cb access: word", 1248 .insns = { 1249 BPF_MOV64_IMM(BPF_REG_0, 0), 1250 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1251 offsetof(struct __sk_buff, cb[0])), 1252 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1253 offsetof(struct __sk_buff, cb[1])), 1254 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1255 offsetof(struct __sk_buff, cb[2])), 1256 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1257 offsetof(struct __sk_buff, cb[3])), 1258 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1259 offsetof(struct __sk_buff, cb[4])), 1260 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1261 offsetof(struct __sk_buff, cb[0])), 1262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1263 offsetof(struct __sk_buff, cb[1])), 1264 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1265 offsetof(struct __sk_buff, cb[2])), 1266 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1267 offsetof(struct __sk_buff, cb[3])), 1268 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1269 offsetof(struct __sk_buff, cb[4])), 1270 BPF_EXIT_INSN(), 1271 }, 1272 .result = ACCEPT, 1273 }, 1274 { 1275 "check cb access: word, unaligned 1", 1276 .insns = { 1277 BPF_MOV64_IMM(BPF_REG_0, 0), 1278 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1279 offsetof(struct __sk_buff, cb[0]) + 2), 1280 BPF_EXIT_INSN(), 1281 }, 1282 .errstr = "misaligned access", 1283 .result = REJECT, 1284 }, 1285 { 1286 "check cb access: word, unaligned 2", 1287 .insns = { 1288 BPF_MOV64_IMM(BPF_REG_0, 0), 1289 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1290 offsetof(struct __sk_buff, cb[4]) + 1), 1291 BPF_EXIT_INSN(), 1292 }, 1293 .errstr = "misaligned access", 1294 .result = REJECT, 1295 }, 1296 { 1297 "check cb access: word, unaligned 3", 1298 .insns = { 1299 BPF_MOV64_IMM(BPF_REG_0, 0), 1300 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1301 offsetof(struct __sk_buff, cb[4]) + 2), 1302 BPF_EXIT_INSN(), 1303 }, 1304 .errstr = "misaligned access", 1305 .result = REJECT, 1306 }, 1307 { 1308 "check cb access: word, unaligned 4", 1309 .insns = { 1310 BPF_MOV64_IMM(BPF_REG_0, 0), 1311 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1312 offsetof(struct __sk_buff, cb[4]) + 3), 1313 BPF_EXIT_INSN(), 1314 }, 1315 .errstr = "misaligned access", 1316 .result = REJECT, 1317 }, 1318 { 1319 "check cb access: double", 1320 .insns = { 1321 BPF_MOV64_IMM(BPF_REG_0, 0), 1322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1323 offsetof(struct __sk_buff, cb[0])), 1324 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1325 offsetof(struct __sk_buff, cb[2])), 1326 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1327 offsetof(struct __sk_buff, cb[0])), 1328 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1329 offsetof(struct __sk_buff, cb[2])), 1330 BPF_EXIT_INSN(), 1331 }, 1332 .result = ACCEPT, 1333 }, 1334 { 1335 "check cb access: double, unaligned 1", 1336 .insns = { 1337 BPF_MOV64_IMM(BPF_REG_0, 0), 1338 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1339 offsetof(struct __sk_buff, cb[1])), 1340 BPF_EXIT_INSN(), 1341 }, 1342 .errstr = "misaligned access", 1343 .result = REJECT, 1344 }, 1345 { 1346 "check cb access: double, unaligned 2", 1347 .insns = { 1348 BPF_MOV64_IMM(BPF_REG_0, 0), 1349 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1350 offsetof(struct __sk_buff, cb[3])), 1351 BPF_EXIT_INSN(), 1352 }, 1353 .errstr = "misaligned access", 1354 .result = REJECT, 1355 }, 1356 { 1357 "check cb access: double, oob 1", 1358 .insns = { 1359 BPF_MOV64_IMM(BPF_REG_0, 0), 1360 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1361 offsetof(struct __sk_buff, cb[4])), 1362 BPF_EXIT_INSN(), 1363 }, 1364 .errstr = "invalid bpf_context access", 1365 .result = REJECT, 1366 }, 1367 { 1368 "check cb access: double, oob 2", 1369 .insns = { 1370 BPF_MOV64_IMM(BPF_REG_0, 0), 1371 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1372 offsetof(struct __sk_buff, cb[4]) + 8), 1373 BPF_EXIT_INSN(), 1374 }, 1375 .errstr = "invalid bpf_context access", 1376 .result = REJECT, 1377 }, 1378 { 1379 "check cb access: double, oob 3", 1380 .insns = { 1381 BPF_MOV64_IMM(BPF_REG_0, 0), 1382 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1383 offsetof(struct __sk_buff, cb[0]) - 8), 1384 BPF_EXIT_INSN(), 1385 }, 1386 .errstr = "invalid bpf_context access", 1387 .result = REJECT, 1388 }, 1389 { 1390 "check cb access: double, oob 4", 1391 .insns = { 1392 BPF_MOV64_IMM(BPF_REG_0, 0), 1393 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1394 offsetof(struct __sk_buff, cb[4])), 1395 BPF_EXIT_INSN(), 1396 }, 1397 .errstr = "invalid bpf_context access", 1398 .result = REJECT, 1399 }, 1400 { 1401 "check cb access: double, oob 5", 1402 .insns = { 1403 BPF_MOV64_IMM(BPF_REG_0, 0), 1404 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1405 offsetof(struct __sk_buff, cb[4]) + 8), 1406 BPF_EXIT_INSN(), 1407 }, 1408 .errstr = "invalid bpf_context access", 1409 .result = REJECT, 1410 }, 1411 { 1412 "check cb access: double, oob 6", 1413 .insns = { 1414 BPF_MOV64_IMM(BPF_REG_0, 0), 1415 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1416 offsetof(struct __sk_buff, cb[0]) - 8), 1417 BPF_EXIT_INSN(), 1418 }, 1419 .errstr = "invalid bpf_context access", 1420 .result = REJECT, 1421 }, 1422 { 1423 "check cb access: double, wrong type", 1424 .insns = { 1425 BPF_MOV64_IMM(BPF_REG_0, 0), 1426 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1427 offsetof(struct __sk_buff, cb[0])), 1428 BPF_EXIT_INSN(), 1429 }, 1430 .errstr = "invalid bpf_context access", 1431 .result = REJECT, 1432 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1433 }, 1434 { 1435 "check out of range skb->cb access", 1436 .insns = { 1437 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1438 offsetof(struct __sk_buff, cb[0]) + 256), 1439 BPF_EXIT_INSN(), 1440 }, 1441 .errstr = "invalid bpf_context access", 1442 .errstr_unpriv = "", 1443 .result = REJECT, 1444 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 1445 }, 1446 { 1447 "write skb fields from socket prog", 1448 .insns = { 1449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1450 offsetof(struct __sk_buff, cb[4])), 1451 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1452 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1453 offsetof(struct __sk_buff, mark)), 1454 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1455 offsetof(struct __sk_buff, tc_index)), 1456 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1457 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1458 offsetof(struct __sk_buff, cb[0])), 1459 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1460 offsetof(struct __sk_buff, cb[2])), 1461 BPF_EXIT_INSN(), 1462 }, 1463 .result = ACCEPT, 1464 .errstr_unpriv = "R1 leaks addr", 1465 .result_unpriv = REJECT, 1466 }, 1467 { 1468 "write skb fields from tc_cls_act prog", 1469 .insns = { 1470 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1471 offsetof(struct __sk_buff, cb[0])), 1472 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1473 offsetof(struct __sk_buff, mark)), 1474 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1475 offsetof(struct __sk_buff, tc_index)), 1476 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1477 offsetof(struct __sk_buff, tc_index)), 1478 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1479 offsetof(struct __sk_buff, cb[3])), 1480 BPF_EXIT_INSN(), 1481 }, 1482 .errstr_unpriv = "", 1483 .result_unpriv = REJECT, 1484 .result = ACCEPT, 1485 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1486 }, 1487 { 1488 "PTR_TO_STACK store/load", 1489 .insns = { 1490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1492 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1493 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1494 BPF_EXIT_INSN(), 1495 }, 1496 .result = ACCEPT, 1497 }, 1498 { 1499 "PTR_TO_STACK store/load - bad alignment on off", 1500 .insns = { 1501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1503 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1505 BPF_EXIT_INSN(), 1506 }, 1507 .result = REJECT, 1508 .errstr = "misaligned access off -6 size 8", 1509 }, 1510 { 1511 "PTR_TO_STACK store/load - bad alignment on reg", 1512 .insns = { 1513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1515 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1516 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1517 BPF_EXIT_INSN(), 1518 }, 1519 .result = REJECT, 1520 .errstr = "misaligned access off -2 size 8", 1521 }, 1522 { 1523 "PTR_TO_STACK store/load - out of bounds low", 1524 .insns = { 1525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 1527 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1529 BPF_EXIT_INSN(), 1530 }, 1531 .result = REJECT, 1532 .errstr = "invalid stack off=-79992 size=8", 1533 }, 1534 { 1535 "PTR_TO_STACK store/load - out of bounds high", 1536 .insns = { 1537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1539 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1541 BPF_EXIT_INSN(), 1542 }, 1543 .result = REJECT, 1544 .errstr = "invalid stack off=0 size=8", 1545 }, 1546 { 1547 "unpriv: return pointer", 1548 .insns = { 1549 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 1550 BPF_EXIT_INSN(), 1551 }, 1552 .result = ACCEPT, 1553 .result_unpriv = REJECT, 1554 .errstr_unpriv = "R0 leaks addr", 1555 }, 1556 { 1557 "unpriv: add const to pointer", 1558 .insns = { 1559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 1560 BPF_MOV64_IMM(BPF_REG_0, 0), 1561 BPF_EXIT_INSN(), 1562 }, 1563 .result = ACCEPT, 1564 .result_unpriv = REJECT, 1565 .errstr_unpriv = "R1 pointer arithmetic", 1566 }, 1567 { 1568 "unpriv: add pointer to pointer", 1569 .insns = { 1570 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1571 BPF_MOV64_IMM(BPF_REG_0, 0), 1572 BPF_EXIT_INSN(), 1573 }, 1574 .result = ACCEPT, 1575 .result_unpriv = REJECT, 1576 .errstr_unpriv = "R1 pointer arithmetic", 1577 }, 1578 { 1579 "unpriv: neg pointer", 1580 .insns = { 1581 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 1582 BPF_MOV64_IMM(BPF_REG_0, 0), 1583 BPF_EXIT_INSN(), 1584 }, 1585 .result = ACCEPT, 1586 .result_unpriv = REJECT, 1587 .errstr_unpriv = "R1 pointer arithmetic", 1588 }, 1589 { 1590 "unpriv: cmp pointer with const", 1591 .insns = { 1592 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1593 BPF_MOV64_IMM(BPF_REG_0, 0), 1594 BPF_EXIT_INSN(), 1595 }, 1596 .result = ACCEPT, 1597 .result_unpriv = REJECT, 1598 .errstr_unpriv = "R1 pointer comparison", 1599 }, 1600 { 1601 "unpriv: cmp pointer with pointer", 1602 .insns = { 1603 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1604 BPF_MOV64_IMM(BPF_REG_0, 0), 1605 BPF_EXIT_INSN(), 1606 }, 1607 .result = ACCEPT, 1608 .result_unpriv = REJECT, 1609 .errstr_unpriv = "R10 pointer comparison", 1610 }, 1611 { 1612 "unpriv: check that printk is disallowed", 1613 .insns = { 1614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1615 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1617 BPF_MOV64_IMM(BPF_REG_2, 8), 1618 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1620 BPF_FUNC_trace_printk), 1621 BPF_MOV64_IMM(BPF_REG_0, 0), 1622 BPF_EXIT_INSN(), 1623 }, 1624 .errstr_unpriv = "unknown func bpf_trace_printk#6", 1625 .result_unpriv = REJECT, 1626 .result = ACCEPT, 1627 }, 1628 { 1629 "unpriv: pass pointer to helper function", 1630 .insns = { 1631 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1634 BPF_LD_MAP_FD(BPF_REG_1, 0), 1635 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1636 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 1637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1638 BPF_FUNC_map_update_elem), 1639 BPF_MOV64_IMM(BPF_REG_0, 0), 1640 BPF_EXIT_INSN(), 1641 }, 1642 .fixup_map1 = { 3 }, 1643 .errstr_unpriv = "R4 leaks addr", 1644 .result_unpriv = REJECT, 1645 .result = ACCEPT, 1646 }, 1647 { 1648 "unpriv: indirectly pass pointer on stack to helper function", 1649 .insns = { 1650 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1653 BPF_LD_MAP_FD(BPF_REG_1, 0), 1654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1655 BPF_FUNC_map_lookup_elem), 1656 BPF_MOV64_IMM(BPF_REG_0, 0), 1657 BPF_EXIT_INSN(), 1658 }, 1659 .fixup_map1 = { 3 }, 1660 .errstr = "invalid indirect read from stack off -8+0 size 8", 1661 .result = REJECT, 1662 }, 1663 { 1664 "unpriv: mangle pointer on stack 1", 1665 .insns = { 1666 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1667 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 1668 BPF_MOV64_IMM(BPF_REG_0, 0), 1669 BPF_EXIT_INSN(), 1670 }, 1671 .errstr_unpriv = "attempt to corrupt spilled", 1672 .result_unpriv = REJECT, 1673 .result = ACCEPT, 1674 }, 1675 { 1676 "unpriv: mangle pointer on stack 2", 1677 .insns = { 1678 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1679 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 1680 BPF_MOV64_IMM(BPF_REG_0, 0), 1681 BPF_EXIT_INSN(), 1682 }, 1683 .errstr_unpriv = "attempt to corrupt spilled", 1684 .result_unpriv = REJECT, 1685 .result = ACCEPT, 1686 }, 1687 { 1688 "unpriv: read pointer from stack in small chunks", 1689 .insns = { 1690 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1691 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 1692 BPF_MOV64_IMM(BPF_REG_0, 0), 1693 BPF_EXIT_INSN(), 1694 }, 1695 .errstr = "invalid size", 1696 .result = REJECT, 1697 }, 1698 { 1699 "unpriv: write pointer into ctx", 1700 .insns = { 1701 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 1702 BPF_MOV64_IMM(BPF_REG_0, 0), 1703 BPF_EXIT_INSN(), 1704 }, 1705 .errstr_unpriv = "R1 leaks addr", 1706 .result_unpriv = REJECT, 1707 .errstr = "invalid bpf_context access", 1708 .result = REJECT, 1709 }, 1710 { 1711 "unpriv: spill/fill of ctx", 1712 .insns = { 1713 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1715 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1716 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1717 BPF_MOV64_IMM(BPF_REG_0, 0), 1718 BPF_EXIT_INSN(), 1719 }, 1720 .result = ACCEPT, 1721 }, 1722 { 1723 "unpriv: spill/fill of ctx 2", 1724 .insns = { 1725 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1727 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1728 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1729 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1730 BPF_FUNC_get_hash_recalc), 1731 BPF_EXIT_INSN(), 1732 }, 1733 .result = ACCEPT, 1734 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1735 }, 1736 { 1737 "unpriv: spill/fill of ctx 3", 1738 .insns = { 1739 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1741 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1742 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1743 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1744 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1745 BPF_FUNC_get_hash_recalc), 1746 BPF_EXIT_INSN(), 1747 }, 1748 .result = REJECT, 1749 .errstr = "R1 type=fp expected=ctx", 1750 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1751 }, 1752 { 1753 "unpriv: spill/fill of ctx 4", 1754 .insns = { 1755 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1757 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1758 BPF_MOV64_IMM(BPF_REG_0, 1), 1759 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 1760 BPF_REG_0, -8, 0), 1761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1763 BPF_FUNC_get_hash_recalc), 1764 BPF_EXIT_INSN(), 1765 }, 1766 .result = REJECT, 1767 .errstr = "R1 type=inv expected=ctx", 1768 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1769 }, 1770 { 1771 "unpriv: spill/fill of different pointers stx", 1772 .insns = { 1773 BPF_MOV64_IMM(BPF_REG_3, 42), 1774 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1777 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 1779 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1780 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1781 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1782 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1783 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 1784 offsetof(struct __sk_buff, mark)), 1785 BPF_MOV64_IMM(BPF_REG_0, 0), 1786 BPF_EXIT_INSN(), 1787 }, 1788 .result = REJECT, 1789 .errstr = "same insn cannot be used with different pointers", 1790 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1791 }, 1792 { 1793 "unpriv: spill/fill of different pointers ldx", 1794 .insns = { 1795 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1800 -(__s32)offsetof(struct bpf_perf_event_data, 1801 sample_period) - 8), 1802 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1803 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1804 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1805 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1806 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 1807 offsetof(struct bpf_perf_event_data, 1808 sample_period)), 1809 BPF_MOV64_IMM(BPF_REG_0, 0), 1810 BPF_EXIT_INSN(), 1811 }, 1812 .result = REJECT, 1813 .errstr = "same insn cannot be used with different pointers", 1814 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 1815 }, 1816 { 1817 "unpriv: write pointer into map elem value", 1818 .insns = { 1819 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1820 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1822 BPF_LD_MAP_FD(BPF_REG_1, 0), 1823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1824 BPF_FUNC_map_lookup_elem), 1825 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 1826 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 1827 BPF_EXIT_INSN(), 1828 }, 1829 .fixup_map1 = { 3 }, 1830 .errstr_unpriv = "R0 leaks addr", 1831 .result_unpriv = REJECT, 1832 .result = ACCEPT, 1833 }, 1834 { 1835 "unpriv: partial copy of pointer", 1836 .insns = { 1837 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 1838 BPF_MOV64_IMM(BPF_REG_0, 0), 1839 BPF_EXIT_INSN(), 1840 }, 1841 .errstr_unpriv = "R10 partial copy", 1842 .result_unpriv = REJECT, 1843 .result = ACCEPT, 1844 }, 1845 { 1846 "unpriv: pass pointer to tail_call", 1847 .insns = { 1848 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1849 BPF_LD_MAP_FD(BPF_REG_2, 0), 1850 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1851 BPF_FUNC_tail_call), 1852 BPF_MOV64_IMM(BPF_REG_0, 0), 1853 BPF_EXIT_INSN(), 1854 }, 1855 .fixup_prog = { 1 }, 1856 .errstr_unpriv = "R3 leaks addr into helper", 1857 .result_unpriv = REJECT, 1858 .result = ACCEPT, 1859 }, 1860 { 1861 "unpriv: cmp map pointer with zero", 1862 .insns = { 1863 BPF_MOV64_IMM(BPF_REG_1, 0), 1864 BPF_LD_MAP_FD(BPF_REG_1, 0), 1865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1866 BPF_MOV64_IMM(BPF_REG_0, 0), 1867 BPF_EXIT_INSN(), 1868 }, 1869 .fixup_map1 = { 1 }, 1870 .errstr_unpriv = "R1 pointer comparison", 1871 .result_unpriv = REJECT, 1872 .result = ACCEPT, 1873 }, 1874 { 1875 "unpriv: write into frame pointer", 1876 .insns = { 1877 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 1878 BPF_MOV64_IMM(BPF_REG_0, 0), 1879 BPF_EXIT_INSN(), 1880 }, 1881 .errstr = "frame pointer is read only", 1882 .result = REJECT, 1883 }, 1884 { 1885 "unpriv: spill/fill frame pointer", 1886 .insns = { 1887 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1889 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1890 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 1891 BPF_MOV64_IMM(BPF_REG_0, 0), 1892 BPF_EXIT_INSN(), 1893 }, 1894 .errstr = "frame pointer is read only", 1895 .result = REJECT, 1896 }, 1897 { 1898 "unpriv: cmp of frame pointer", 1899 .insns = { 1900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 1901 BPF_MOV64_IMM(BPF_REG_0, 0), 1902 BPF_EXIT_INSN(), 1903 }, 1904 .errstr_unpriv = "R10 pointer comparison", 1905 .result_unpriv = REJECT, 1906 .result = ACCEPT, 1907 }, 1908 { 1909 "unpriv: adding of fp", 1910 .insns = { 1911 BPF_MOV64_IMM(BPF_REG_0, 0), 1912 BPF_MOV64_IMM(BPF_REG_1, 0), 1913 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1914 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 1915 BPF_EXIT_INSN(), 1916 }, 1917 .errstr_unpriv = "pointer arithmetic prohibited", 1918 .result_unpriv = REJECT, 1919 .errstr = "R1 invalid mem access", 1920 .result = REJECT, 1921 }, 1922 { 1923 "unpriv: cmp of stack pointer", 1924 .insns = { 1925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1927 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 1928 BPF_MOV64_IMM(BPF_REG_0, 0), 1929 BPF_EXIT_INSN(), 1930 }, 1931 .errstr_unpriv = "R2 pointer comparison", 1932 .result_unpriv = REJECT, 1933 .result = ACCEPT, 1934 }, 1935 { 1936 "stack pointer arithmetic", 1937 .insns = { 1938 BPF_MOV64_IMM(BPF_REG_1, 4), 1939 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1940 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 1941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 1942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 1943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 1944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 1945 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 1946 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 1947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 1948 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 1949 BPF_MOV64_IMM(BPF_REG_0, 0), 1950 BPF_EXIT_INSN(), 1951 }, 1952 .result = ACCEPT, 1953 }, 1954 { 1955 "raw_stack: no skb_load_bytes", 1956 .insns = { 1957 BPF_MOV64_IMM(BPF_REG_2, 4), 1958 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1960 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1961 BPF_MOV64_IMM(BPF_REG_4, 8), 1962 /* Call to skb_load_bytes() omitted. */ 1963 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1964 BPF_EXIT_INSN(), 1965 }, 1966 .result = REJECT, 1967 .errstr = "invalid read from stack off -8+0 size 8", 1968 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1969 }, 1970 { 1971 "raw_stack: skb_load_bytes, negative len", 1972 .insns = { 1973 BPF_MOV64_IMM(BPF_REG_2, 4), 1974 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1976 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1977 BPF_MOV64_IMM(BPF_REG_4, -8), 1978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1979 BPF_FUNC_skb_load_bytes), 1980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1981 BPF_EXIT_INSN(), 1982 }, 1983 .result = REJECT, 1984 .errstr = "invalid stack type R3", 1985 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1986 }, 1987 { 1988 "raw_stack: skb_load_bytes, negative len 2", 1989 .insns = { 1990 BPF_MOV64_IMM(BPF_REG_2, 4), 1991 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1993 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1994 BPF_MOV64_IMM(BPF_REG_4, ~0), 1995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1996 BPF_FUNC_skb_load_bytes), 1997 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1998 BPF_EXIT_INSN(), 1999 }, 2000 .result = REJECT, 2001 .errstr = "invalid stack type R3", 2002 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2003 }, 2004 { 2005 "raw_stack: skb_load_bytes, zero len", 2006 .insns = { 2007 BPF_MOV64_IMM(BPF_REG_2, 4), 2008 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2010 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2011 BPF_MOV64_IMM(BPF_REG_4, 0), 2012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2013 BPF_FUNC_skb_load_bytes), 2014 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2015 BPF_EXIT_INSN(), 2016 }, 2017 .result = REJECT, 2018 .errstr = "invalid stack type R3", 2019 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2020 }, 2021 { 2022 "raw_stack: skb_load_bytes, no init", 2023 .insns = { 2024 BPF_MOV64_IMM(BPF_REG_2, 4), 2025 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2027 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2028 BPF_MOV64_IMM(BPF_REG_4, 8), 2029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2030 BPF_FUNC_skb_load_bytes), 2031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2032 BPF_EXIT_INSN(), 2033 }, 2034 .result = ACCEPT, 2035 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2036 }, 2037 { 2038 "raw_stack: skb_load_bytes, init", 2039 .insns = { 2040 BPF_MOV64_IMM(BPF_REG_2, 4), 2041 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2043 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 2044 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2045 BPF_MOV64_IMM(BPF_REG_4, 8), 2046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2047 BPF_FUNC_skb_load_bytes), 2048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2049 BPF_EXIT_INSN(), 2050 }, 2051 .result = ACCEPT, 2052 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2053 }, 2054 { 2055 "raw_stack: skb_load_bytes, spilled regs around bounds", 2056 .insns = { 2057 BPF_MOV64_IMM(BPF_REG_2, 4), 2058 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2060 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2061 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2062 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2063 BPF_MOV64_IMM(BPF_REG_4, 8), 2064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2065 BPF_FUNC_skb_load_bytes), 2066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2067 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2068 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2069 offsetof(struct __sk_buff, mark)), 2070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2071 offsetof(struct __sk_buff, priority)), 2072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2073 BPF_EXIT_INSN(), 2074 }, 2075 .result = ACCEPT, 2076 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2077 }, 2078 { 2079 "raw_stack: skb_load_bytes, spilled regs corruption", 2080 .insns = { 2081 BPF_MOV64_IMM(BPF_REG_2, 4), 2082 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2084 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2085 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2086 BPF_MOV64_IMM(BPF_REG_4, 8), 2087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2088 BPF_FUNC_skb_load_bytes), 2089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2091 offsetof(struct __sk_buff, mark)), 2092 BPF_EXIT_INSN(), 2093 }, 2094 .result = REJECT, 2095 .errstr = "R0 invalid mem access 'inv'", 2096 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2097 }, 2098 { 2099 "raw_stack: skb_load_bytes, spilled regs corruption 2", 2100 .insns = { 2101 BPF_MOV64_IMM(BPF_REG_2, 4), 2102 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2106 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2107 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2108 BPF_MOV64_IMM(BPF_REG_4, 8), 2109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2110 BPF_FUNC_skb_load_bytes), 2111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2112 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2113 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2115 offsetof(struct __sk_buff, mark)), 2116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2117 offsetof(struct __sk_buff, priority)), 2118 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 2120 offsetof(struct __sk_buff, pkt_type)), 2121 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2122 BPF_EXIT_INSN(), 2123 }, 2124 .result = REJECT, 2125 .errstr = "R3 invalid mem access 'inv'", 2126 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2127 }, 2128 { 2129 "raw_stack: skb_load_bytes, spilled regs + data", 2130 .insns = { 2131 BPF_MOV64_IMM(BPF_REG_2, 4), 2132 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2136 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2137 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2138 BPF_MOV64_IMM(BPF_REG_4, 8), 2139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2140 BPF_FUNC_skb_load_bytes), 2141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2142 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2143 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2145 offsetof(struct __sk_buff, mark)), 2146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2147 offsetof(struct __sk_buff, priority)), 2148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2149 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2150 BPF_EXIT_INSN(), 2151 }, 2152 .result = ACCEPT, 2153 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2154 }, 2155 { 2156 "raw_stack: skb_load_bytes, invalid access 1", 2157 .insns = { 2158 BPF_MOV64_IMM(BPF_REG_2, 4), 2159 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 2161 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2162 BPF_MOV64_IMM(BPF_REG_4, 8), 2163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2164 BPF_FUNC_skb_load_bytes), 2165 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2166 BPF_EXIT_INSN(), 2167 }, 2168 .result = REJECT, 2169 .errstr = "invalid stack type R3 off=-513 access_size=8", 2170 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2171 }, 2172 { 2173 "raw_stack: skb_load_bytes, invalid access 2", 2174 .insns = { 2175 BPF_MOV64_IMM(BPF_REG_2, 4), 2176 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2178 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2179 BPF_MOV64_IMM(BPF_REG_4, 8), 2180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2181 BPF_FUNC_skb_load_bytes), 2182 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2183 BPF_EXIT_INSN(), 2184 }, 2185 .result = REJECT, 2186 .errstr = "invalid stack type R3 off=-1 access_size=8", 2187 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2188 }, 2189 { 2190 "raw_stack: skb_load_bytes, invalid access 3", 2191 .insns = { 2192 BPF_MOV64_IMM(BPF_REG_2, 4), 2193 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 2195 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2196 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2198 BPF_FUNC_skb_load_bytes), 2199 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2200 BPF_EXIT_INSN(), 2201 }, 2202 .result = REJECT, 2203 .errstr = "invalid stack type R3 off=-1 access_size=-1", 2204 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2205 }, 2206 { 2207 "raw_stack: skb_load_bytes, invalid access 4", 2208 .insns = { 2209 BPF_MOV64_IMM(BPF_REG_2, 4), 2210 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2212 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2213 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2215 BPF_FUNC_skb_load_bytes), 2216 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2217 BPF_EXIT_INSN(), 2218 }, 2219 .result = REJECT, 2220 .errstr = "invalid stack type R3 off=-1 access_size=2147483647", 2221 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2222 }, 2223 { 2224 "raw_stack: skb_load_bytes, invalid access 5", 2225 .insns = { 2226 BPF_MOV64_IMM(BPF_REG_2, 4), 2227 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2229 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2230 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2232 BPF_FUNC_skb_load_bytes), 2233 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2234 BPF_EXIT_INSN(), 2235 }, 2236 .result = REJECT, 2237 .errstr = "invalid stack type R3 off=-512 access_size=2147483647", 2238 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2239 }, 2240 { 2241 "raw_stack: skb_load_bytes, invalid access 6", 2242 .insns = { 2243 BPF_MOV64_IMM(BPF_REG_2, 4), 2244 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2246 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2247 BPF_MOV64_IMM(BPF_REG_4, 0), 2248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2249 BPF_FUNC_skb_load_bytes), 2250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2251 BPF_EXIT_INSN(), 2252 }, 2253 .result = REJECT, 2254 .errstr = "invalid stack type R3 off=-512 access_size=0", 2255 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2256 }, 2257 { 2258 "raw_stack: skb_load_bytes, large access", 2259 .insns = { 2260 BPF_MOV64_IMM(BPF_REG_2, 4), 2261 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2263 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2264 BPF_MOV64_IMM(BPF_REG_4, 512), 2265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2266 BPF_FUNC_skb_load_bytes), 2267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2268 BPF_EXIT_INSN(), 2269 }, 2270 .result = ACCEPT, 2271 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2272 }, 2273 { 2274 "direct packet access: test1", 2275 .insns = { 2276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2277 offsetof(struct __sk_buff, data)), 2278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2279 offsetof(struct __sk_buff, data_end)), 2280 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2282 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2283 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2284 BPF_MOV64_IMM(BPF_REG_0, 0), 2285 BPF_EXIT_INSN(), 2286 }, 2287 .result = ACCEPT, 2288 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2289 }, 2290 { 2291 "direct packet access: test2", 2292 .insns = { 2293 BPF_MOV64_IMM(BPF_REG_0, 1), 2294 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 2295 offsetof(struct __sk_buff, data_end)), 2296 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2297 offsetof(struct __sk_buff, data)), 2298 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 2300 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 2301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 2302 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 2303 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 2304 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2305 offsetof(struct __sk_buff, data)), 2306 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 2308 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48), 2309 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48), 2310 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 2311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 2312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2313 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2314 offsetof(struct __sk_buff, data_end)), 2315 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 2316 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 2317 BPF_MOV64_IMM(BPF_REG_0, 0), 2318 BPF_EXIT_INSN(), 2319 }, 2320 .result = ACCEPT, 2321 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2322 }, 2323 { 2324 "direct packet access: test3", 2325 .insns = { 2326 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2327 offsetof(struct __sk_buff, data)), 2328 BPF_MOV64_IMM(BPF_REG_0, 0), 2329 BPF_EXIT_INSN(), 2330 }, 2331 .errstr = "invalid bpf_context access off=76", 2332 .result = REJECT, 2333 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 2334 }, 2335 { 2336 "direct packet access: test4 (write)", 2337 .insns = { 2338 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2339 offsetof(struct __sk_buff, data)), 2340 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2341 offsetof(struct __sk_buff, data_end)), 2342 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2344 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2345 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2346 BPF_MOV64_IMM(BPF_REG_0, 0), 2347 BPF_EXIT_INSN(), 2348 }, 2349 .result = ACCEPT, 2350 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2351 }, 2352 { 2353 "direct packet access: test5 (pkt_end >= reg, good access)", 2354 .insns = { 2355 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2356 offsetof(struct __sk_buff, data)), 2357 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2358 offsetof(struct __sk_buff, data_end)), 2359 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2361 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2362 BPF_MOV64_IMM(BPF_REG_0, 1), 2363 BPF_EXIT_INSN(), 2364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2365 BPF_MOV64_IMM(BPF_REG_0, 0), 2366 BPF_EXIT_INSN(), 2367 }, 2368 .result = ACCEPT, 2369 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2370 }, 2371 { 2372 "direct packet access: test6 (pkt_end >= reg, bad access)", 2373 .insns = { 2374 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2375 offsetof(struct __sk_buff, data)), 2376 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2377 offsetof(struct __sk_buff, data_end)), 2378 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2380 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2381 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2382 BPF_MOV64_IMM(BPF_REG_0, 1), 2383 BPF_EXIT_INSN(), 2384 BPF_MOV64_IMM(BPF_REG_0, 0), 2385 BPF_EXIT_INSN(), 2386 }, 2387 .errstr = "invalid access to packet", 2388 .result = REJECT, 2389 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2390 }, 2391 { 2392 "direct packet access: test7 (pkt_end >= reg, both accesses)", 2393 .insns = { 2394 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2395 offsetof(struct __sk_buff, data)), 2396 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2397 offsetof(struct __sk_buff, data_end)), 2398 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2400 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2401 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2402 BPF_MOV64_IMM(BPF_REG_0, 1), 2403 BPF_EXIT_INSN(), 2404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2405 BPF_MOV64_IMM(BPF_REG_0, 0), 2406 BPF_EXIT_INSN(), 2407 }, 2408 .errstr = "invalid access to packet", 2409 .result = REJECT, 2410 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2411 }, 2412 { 2413 "direct packet access: test8 (double test, variant 1)", 2414 .insns = { 2415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2416 offsetof(struct __sk_buff, data)), 2417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2418 offsetof(struct __sk_buff, data_end)), 2419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2421 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 2422 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2423 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2424 BPF_MOV64_IMM(BPF_REG_0, 1), 2425 BPF_EXIT_INSN(), 2426 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2427 BPF_MOV64_IMM(BPF_REG_0, 0), 2428 BPF_EXIT_INSN(), 2429 }, 2430 .result = ACCEPT, 2431 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2432 }, 2433 { 2434 "direct packet access: test9 (double test, variant 2)", 2435 .insns = { 2436 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2437 offsetof(struct __sk_buff, data)), 2438 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2439 offsetof(struct __sk_buff, data_end)), 2440 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2442 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2443 BPF_MOV64_IMM(BPF_REG_0, 1), 2444 BPF_EXIT_INSN(), 2445 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2446 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2448 BPF_MOV64_IMM(BPF_REG_0, 0), 2449 BPF_EXIT_INSN(), 2450 }, 2451 .result = ACCEPT, 2452 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2453 }, 2454 { 2455 "direct packet access: test10 (write invalid)", 2456 .insns = { 2457 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2458 offsetof(struct __sk_buff, data)), 2459 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2460 offsetof(struct __sk_buff, data_end)), 2461 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2463 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 2464 BPF_MOV64_IMM(BPF_REG_0, 0), 2465 BPF_EXIT_INSN(), 2466 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2467 BPF_MOV64_IMM(BPF_REG_0, 0), 2468 BPF_EXIT_INSN(), 2469 }, 2470 .errstr = "invalid access to packet", 2471 .result = REJECT, 2472 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2473 }, 2474 { 2475 "direct packet access: test11 (shift, good access)", 2476 .insns = { 2477 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2478 offsetof(struct __sk_buff, data)), 2479 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2480 offsetof(struct __sk_buff, data_end)), 2481 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2483 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2484 BPF_MOV64_IMM(BPF_REG_3, 144), 2485 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2487 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 2488 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2489 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2490 BPF_MOV64_IMM(BPF_REG_0, 1), 2491 BPF_EXIT_INSN(), 2492 BPF_MOV64_IMM(BPF_REG_0, 0), 2493 BPF_EXIT_INSN(), 2494 }, 2495 .result = ACCEPT, 2496 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2497 }, 2498 { 2499 "direct packet access: test12 (and, good access)", 2500 .insns = { 2501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2502 offsetof(struct __sk_buff, data)), 2503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2504 offsetof(struct __sk_buff, data_end)), 2505 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2507 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2508 BPF_MOV64_IMM(BPF_REG_3, 144), 2509 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2511 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2513 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2514 BPF_MOV64_IMM(BPF_REG_0, 1), 2515 BPF_EXIT_INSN(), 2516 BPF_MOV64_IMM(BPF_REG_0, 0), 2517 BPF_EXIT_INSN(), 2518 }, 2519 .result = ACCEPT, 2520 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2521 }, 2522 { 2523 "direct packet access: test13 (branches, good access)", 2524 .insns = { 2525 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2526 offsetof(struct __sk_buff, data)), 2527 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2528 offsetof(struct __sk_buff, data_end)), 2529 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2531 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 2532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2533 offsetof(struct __sk_buff, mark)), 2534 BPF_MOV64_IMM(BPF_REG_4, 1), 2535 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 2536 BPF_MOV64_IMM(BPF_REG_3, 14), 2537 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 2538 BPF_MOV64_IMM(BPF_REG_3, 24), 2539 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2541 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2542 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2543 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2544 BPF_MOV64_IMM(BPF_REG_0, 1), 2545 BPF_EXIT_INSN(), 2546 BPF_MOV64_IMM(BPF_REG_0, 0), 2547 BPF_EXIT_INSN(), 2548 }, 2549 .result = ACCEPT, 2550 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2551 }, 2552 { 2553 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 2554 .insns = { 2555 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2556 offsetof(struct __sk_buff, data)), 2557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2558 offsetof(struct __sk_buff, data_end)), 2559 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2561 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 2562 BPF_MOV64_IMM(BPF_REG_5, 12), 2563 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 2564 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2565 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2566 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 2567 BPF_MOV64_IMM(BPF_REG_0, 1), 2568 BPF_EXIT_INSN(), 2569 BPF_MOV64_IMM(BPF_REG_0, 0), 2570 BPF_EXIT_INSN(), 2571 }, 2572 .result = ACCEPT, 2573 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2574 }, 2575 { 2576 "direct packet access: test15 (spill with xadd)", 2577 .insns = { 2578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2579 offsetof(struct __sk_buff, data)), 2580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2581 offsetof(struct __sk_buff, data_end)), 2582 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2584 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2585 BPF_MOV64_IMM(BPF_REG_5, 4096), 2586 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 2588 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 2589 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0), 2590 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 2591 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0), 2592 BPF_MOV64_IMM(BPF_REG_0, 0), 2593 BPF_EXIT_INSN(), 2594 }, 2595 .errstr = "R2 invalid mem access 'inv'", 2596 .result = REJECT, 2597 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2598 }, 2599 { 2600 "direct packet access: test16 (arith on data_end)", 2601 .insns = { 2602 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2603 offsetof(struct __sk_buff, data)), 2604 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2605 offsetof(struct __sk_buff, data_end)), 2606 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16), 2609 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2610 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2611 BPF_MOV64_IMM(BPF_REG_0, 0), 2612 BPF_EXIT_INSN(), 2613 }, 2614 .errstr = "invalid access to packet", 2615 .result = REJECT, 2616 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2617 }, 2618 { 2619 "direct packet access: test17 (pruning, alignment)", 2620 .insns = { 2621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2622 offsetof(struct __sk_buff, data)), 2623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2624 offsetof(struct __sk_buff, data_end)), 2625 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2626 offsetof(struct __sk_buff, mark)), 2627 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14), 2629 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4), 2630 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2631 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4), 2632 BPF_MOV64_IMM(BPF_REG_0, 0), 2633 BPF_EXIT_INSN(), 2634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1), 2635 BPF_JMP_A(-6), 2636 }, 2637 .errstr = "misaligned packet access off 2+15+-4 size 4", 2638 .result = REJECT, 2639 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2640 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2641 }, 2642 { 2643 "helper access to packet: test1, valid packet_ptr range", 2644 .insns = { 2645 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2646 offsetof(struct xdp_md, data)), 2647 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2648 offsetof(struct xdp_md, data_end)), 2649 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2651 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2652 BPF_LD_MAP_FD(BPF_REG_1, 0), 2653 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2654 BPF_MOV64_IMM(BPF_REG_4, 0), 2655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2656 BPF_FUNC_map_update_elem), 2657 BPF_MOV64_IMM(BPF_REG_0, 0), 2658 BPF_EXIT_INSN(), 2659 }, 2660 .fixup_map1 = { 5 }, 2661 .result_unpriv = ACCEPT, 2662 .result = ACCEPT, 2663 .prog_type = BPF_PROG_TYPE_XDP, 2664 }, 2665 { 2666 "helper access to packet: test2, unchecked packet_ptr", 2667 .insns = { 2668 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2669 offsetof(struct xdp_md, data)), 2670 BPF_LD_MAP_FD(BPF_REG_1, 0), 2671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2672 BPF_FUNC_map_lookup_elem), 2673 BPF_MOV64_IMM(BPF_REG_0, 0), 2674 BPF_EXIT_INSN(), 2675 }, 2676 .fixup_map1 = { 1 }, 2677 .result = REJECT, 2678 .errstr = "invalid access to packet", 2679 .prog_type = BPF_PROG_TYPE_XDP, 2680 }, 2681 { 2682 "helper access to packet: test3, variable add", 2683 .insns = { 2684 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2685 offsetof(struct xdp_md, data)), 2686 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2687 offsetof(struct xdp_md, data_end)), 2688 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2690 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2691 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2692 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2693 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2694 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2696 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2697 BPF_LD_MAP_FD(BPF_REG_1, 0), 2698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2699 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2700 BPF_FUNC_map_lookup_elem), 2701 BPF_MOV64_IMM(BPF_REG_0, 0), 2702 BPF_EXIT_INSN(), 2703 }, 2704 .fixup_map1 = { 11 }, 2705 .result = ACCEPT, 2706 .prog_type = BPF_PROG_TYPE_XDP, 2707 }, 2708 { 2709 "helper access to packet: test4, packet_ptr with bad range", 2710 .insns = { 2711 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2712 offsetof(struct xdp_md, data)), 2713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2714 offsetof(struct xdp_md, data_end)), 2715 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2717 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2718 BPF_MOV64_IMM(BPF_REG_0, 0), 2719 BPF_EXIT_INSN(), 2720 BPF_LD_MAP_FD(BPF_REG_1, 0), 2721 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2722 BPF_FUNC_map_lookup_elem), 2723 BPF_MOV64_IMM(BPF_REG_0, 0), 2724 BPF_EXIT_INSN(), 2725 }, 2726 .fixup_map1 = { 7 }, 2727 .result = REJECT, 2728 .errstr = "invalid access to packet", 2729 .prog_type = BPF_PROG_TYPE_XDP, 2730 }, 2731 { 2732 "helper access to packet: test5, packet_ptr with too short range", 2733 .insns = { 2734 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2735 offsetof(struct xdp_md, data)), 2736 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2737 offsetof(struct xdp_md, data_end)), 2738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2739 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2741 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2742 BPF_LD_MAP_FD(BPF_REG_1, 0), 2743 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2744 BPF_FUNC_map_lookup_elem), 2745 BPF_MOV64_IMM(BPF_REG_0, 0), 2746 BPF_EXIT_INSN(), 2747 }, 2748 .fixup_map1 = { 6 }, 2749 .result = REJECT, 2750 .errstr = "invalid access to packet", 2751 .prog_type = BPF_PROG_TYPE_XDP, 2752 }, 2753 { 2754 "helper access to packet: test6, cls valid packet_ptr range", 2755 .insns = { 2756 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2757 offsetof(struct __sk_buff, data)), 2758 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2759 offsetof(struct __sk_buff, data_end)), 2760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2762 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2763 BPF_LD_MAP_FD(BPF_REG_1, 0), 2764 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2765 BPF_MOV64_IMM(BPF_REG_4, 0), 2766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2767 BPF_FUNC_map_update_elem), 2768 BPF_MOV64_IMM(BPF_REG_0, 0), 2769 BPF_EXIT_INSN(), 2770 }, 2771 .fixup_map1 = { 5 }, 2772 .result = ACCEPT, 2773 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2774 }, 2775 { 2776 "helper access to packet: test7, cls unchecked packet_ptr", 2777 .insns = { 2778 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2779 offsetof(struct __sk_buff, data)), 2780 BPF_LD_MAP_FD(BPF_REG_1, 0), 2781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2782 BPF_FUNC_map_lookup_elem), 2783 BPF_MOV64_IMM(BPF_REG_0, 0), 2784 BPF_EXIT_INSN(), 2785 }, 2786 .fixup_map1 = { 1 }, 2787 .result = REJECT, 2788 .errstr = "invalid access to packet", 2789 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2790 }, 2791 { 2792 "helper access to packet: test8, cls variable add", 2793 .insns = { 2794 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2795 offsetof(struct __sk_buff, data)), 2796 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2797 offsetof(struct __sk_buff, data_end)), 2798 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2800 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2801 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2802 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2803 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2804 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2806 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2807 BPF_LD_MAP_FD(BPF_REG_1, 0), 2808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2810 BPF_FUNC_map_lookup_elem), 2811 BPF_MOV64_IMM(BPF_REG_0, 0), 2812 BPF_EXIT_INSN(), 2813 }, 2814 .fixup_map1 = { 11 }, 2815 .result = ACCEPT, 2816 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2817 }, 2818 { 2819 "helper access to packet: test9, cls packet_ptr with bad range", 2820 .insns = { 2821 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2822 offsetof(struct __sk_buff, data)), 2823 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2824 offsetof(struct __sk_buff, data_end)), 2825 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2827 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2828 BPF_MOV64_IMM(BPF_REG_0, 0), 2829 BPF_EXIT_INSN(), 2830 BPF_LD_MAP_FD(BPF_REG_1, 0), 2831 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2832 BPF_FUNC_map_lookup_elem), 2833 BPF_MOV64_IMM(BPF_REG_0, 0), 2834 BPF_EXIT_INSN(), 2835 }, 2836 .fixup_map1 = { 7 }, 2837 .result = REJECT, 2838 .errstr = "invalid access to packet", 2839 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2840 }, 2841 { 2842 "helper access to packet: test10, cls packet_ptr with too short range", 2843 .insns = { 2844 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2845 offsetof(struct __sk_buff, data)), 2846 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2847 offsetof(struct __sk_buff, data_end)), 2848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2849 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2851 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2852 BPF_LD_MAP_FD(BPF_REG_1, 0), 2853 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2854 BPF_FUNC_map_lookup_elem), 2855 BPF_MOV64_IMM(BPF_REG_0, 0), 2856 BPF_EXIT_INSN(), 2857 }, 2858 .fixup_map1 = { 6 }, 2859 .result = REJECT, 2860 .errstr = "invalid access to packet", 2861 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2862 }, 2863 { 2864 "helper access to packet: test11, cls unsuitable helper 1", 2865 .insns = { 2866 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2867 offsetof(struct __sk_buff, data)), 2868 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2869 offsetof(struct __sk_buff, data_end)), 2870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2871 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 2873 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 2874 BPF_MOV64_IMM(BPF_REG_2, 0), 2875 BPF_MOV64_IMM(BPF_REG_4, 42), 2876 BPF_MOV64_IMM(BPF_REG_5, 0), 2877 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2878 BPF_FUNC_skb_store_bytes), 2879 BPF_MOV64_IMM(BPF_REG_0, 0), 2880 BPF_EXIT_INSN(), 2881 }, 2882 .result = REJECT, 2883 .errstr = "helper access to the packet", 2884 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2885 }, 2886 { 2887 "helper access to packet: test12, cls unsuitable helper 2", 2888 .insns = { 2889 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2890 offsetof(struct __sk_buff, data)), 2891 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2892 offsetof(struct __sk_buff, data_end)), 2893 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 2895 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 2896 BPF_MOV64_IMM(BPF_REG_2, 0), 2897 BPF_MOV64_IMM(BPF_REG_4, 4), 2898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2899 BPF_FUNC_skb_load_bytes), 2900 BPF_MOV64_IMM(BPF_REG_0, 0), 2901 BPF_EXIT_INSN(), 2902 }, 2903 .result = REJECT, 2904 .errstr = "helper access to the packet", 2905 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2906 }, 2907 { 2908 "helper access to packet: test13, cls helper ok", 2909 .insns = { 2910 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2911 offsetof(struct __sk_buff, data)), 2912 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2913 offsetof(struct __sk_buff, data_end)), 2914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2917 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2918 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2919 BPF_MOV64_IMM(BPF_REG_2, 4), 2920 BPF_MOV64_IMM(BPF_REG_3, 0), 2921 BPF_MOV64_IMM(BPF_REG_4, 0), 2922 BPF_MOV64_IMM(BPF_REG_5, 0), 2923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2924 BPF_FUNC_csum_diff), 2925 BPF_MOV64_IMM(BPF_REG_0, 0), 2926 BPF_EXIT_INSN(), 2927 }, 2928 .result = ACCEPT, 2929 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2930 }, 2931 { 2932 "helper access to packet: test14, cls helper fail sub", 2933 .insns = { 2934 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2935 offsetof(struct __sk_buff, data)), 2936 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2937 offsetof(struct __sk_buff, data_end)), 2938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2941 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2942 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 2943 BPF_MOV64_IMM(BPF_REG_2, 4), 2944 BPF_MOV64_IMM(BPF_REG_3, 0), 2945 BPF_MOV64_IMM(BPF_REG_4, 0), 2946 BPF_MOV64_IMM(BPF_REG_5, 0), 2947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2948 BPF_FUNC_csum_diff), 2949 BPF_MOV64_IMM(BPF_REG_0, 0), 2950 BPF_EXIT_INSN(), 2951 }, 2952 .result = REJECT, 2953 .errstr = "type=inv expected=fp", 2954 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2955 }, 2956 { 2957 "helper access to packet: test15, cls helper fail range 1", 2958 .insns = { 2959 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2960 offsetof(struct __sk_buff, data)), 2961 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2962 offsetof(struct __sk_buff, data_end)), 2963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2964 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2966 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2968 BPF_MOV64_IMM(BPF_REG_2, 8), 2969 BPF_MOV64_IMM(BPF_REG_3, 0), 2970 BPF_MOV64_IMM(BPF_REG_4, 0), 2971 BPF_MOV64_IMM(BPF_REG_5, 0), 2972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2973 BPF_FUNC_csum_diff), 2974 BPF_MOV64_IMM(BPF_REG_0, 0), 2975 BPF_EXIT_INSN(), 2976 }, 2977 .result = REJECT, 2978 .errstr = "invalid access to packet", 2979 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2980 }, 2981 { 2982 "helper access to packet: test16, cls helper fail range 2", 2983 .insns = { 2984 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2985 offsetof(struct __sk_buff, data)), 2986 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2987 offsetof(struct __sk_buff, data_end)), 2988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2989 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2991 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2993 BPF_MOV64_IMM(BPF_REG_2, -9), 2994 BPF_MOV64_IMM(BPF_REG_3, 0), 2995 BPF_MOV64_IMM(BPF_REG_4, 0), 2996 BPF_MOV64_IMM(BPF_REG_5, 0), 2997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2998 BPF_FUNC_csum_diff), 2999 BPF_MOV64_IMM(BPF_REG_0, 0), 3000 BPF_EXIT_INSN(), 3001 }, 3002 .result = REJECT, 3003 .errstr = "invalid access to packet", 3004 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3005 }, 3006 { 3007 "helper access to packet: test17, cls helper fail range 3", 3008 .insns = { 3009 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3010 offsetof(struct __sk_buff, data)), 3011 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3012 offsetof(struct __sk_buff, data_end)), 3013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3016 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3018 BPF_MOV64_IMM(BPF_REG_2, ~0), 3019 BPF_MOV64_IMM(BPF_REG_3, 0), 3020 BPF_MOV64_IMM(BPF_REG_4, 0), 3021 BPF_MOV64_IMM(BPF_REG_5, 0), 3022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3023 BPF_FUNC_csum_diff), 3024 BPF_MOV64_IMM(BPF_REG_0, 0), 3025 BPF_EXIT_INSN(), 3026 }, 3027 .result = REJECT, 3028 .errstr = "invalid access to packet", 3029 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3030 }, 3031 { 3032 "helper access to packet: test18, cls helper fail range zero", 3033 .insns = { 3034 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3035 offsetof(struct __sk_buff, data)), 3036 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3037 offsetof(struct __sk_buff, data_end)), 3038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3039 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3041 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3042 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3043 BPF_MOV64_IMM(BPF_REG_2, 0), 3044 BPF_MOV64_IMM(BPF_REG_3, 0), 3045 BPF_MOV64_IMM(BPF_REG_4, 0), 3046 BPF_MOV64_IMM(BPF_REG_5, 0), 3047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3048 BPF_FUNC_csum_diff), 3049 BPF_MOV64_IMM(BPF_REG_0, 0), 3050 BPF_EXIT_INSN(), 3051 }, 3052 .result = REJECT, 3053 .errstr = "invalid access to packet", 3054 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3055 }, 3056 { 3057 "helper access to packet: test19, pkt end as input", 3058 .insns = { 3059 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3060 offsetof(struct __sk_buff, data)), 3061 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3062 offsetof(struct __sk_buff, data_end)), 3063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3066 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 3068 BPF_MOV64_IMM(BPF_REG_2, 4), 3069 BPF_MOV64_IMM(BPF_REG_3, 0), 3070 BPF_MOV64_IMM(BPF_REG_4, 0), 3071 BPF_MOV64_IMM(BPF_REG_5, 0), 3072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3073 BPF_FUNC_csum_diff), 3074 BPF_MOV64_IMM(BPF_REG_0, 0), 3075 BPF_EXIT_INSN(), 3076 }, 3077 .result = REJECT, 3078 .errstr = "R1 type=pkt_end expected=fp", 3079 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3080 }, 3081 { 3082 "helper access to packet: test20, wrong reg", 3083 .insns = { 3084 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3085 offsetof(struct __sk_buff, data)), 3086 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3087 offsetof(struct __sk_buff, data_end)), 3088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3091 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3092 BPF_MOV64_IMM(BPF_REG_2, 4), 3093 BPF_MOV64_IMM(BPF_REG_3, 0), 3094 BPF_MOV64_IMM(BPF_REG_4, 0), 3095 BPF_MOV64_IMM(BPF_REG_5, 0), 3096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3097 BPF_FUNC_csum_diff), 3098 BPF_MOV64_IMM(BPF_REG_0, 0), 3099 BPF_EXIT_INSN(), 3100 }, 3101 .result = REJECT, 3102 .errstr = "invalid access to packet", 3103 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3104 }, 3105 { 3106 "valid map access into an array with a constant", 3107 .insns = { 3108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3111 BPF_LD_MAP_FD(BPF_REG_1, 0), 3112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3113 BPF_FUNC_map_lookup_elem), 3114 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3115 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3116 offsetof(struct test_val, foo)), 3117 BPF_EXIT_INSN(), 3118 }, 3119 .fixup_map2 = { 3 }, 3120 .errstr_unpriv = "R0 leaks addr", 3121 .result_unpriv = REJECT, 3122 .result = ACCEPT, 3123 }, 3124 { 3125 "valid map access into an array with a register", 3126 .insns = { 3127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3130 BPF_LD_MAP_FD(BPF_REG_1, 0), 3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3132 BPF_FUNC_map_lookup_elem), 3133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3134 BPF_MOV64_IMM(BPF_REG_1, 4), 3135 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3136 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3137 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3138 offsetof(struct test_val, foo)), 3139 BPF_EXIT_INSN(), 3140 }, 3141 .fixup_map2 = { 3 }, 3142 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3143 .result_unpriv = REJECT, 3144 .result = ACCEPT, 3145 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3146 }, 3147 { 3148 "valid map access into an array with a variable", 3149 .insns = { 3150 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3153 BPF_LD_MAP_FD(BPF_REG_1, 0), 3154 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3155 BPF_FUNC_map_lookup_elem), 3156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3157 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3158 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 3159 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3160 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3161 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3162 offsetof(struct test_val, foo)), 3163 BPF_EXIT_INSN(), 3164 }, 3165 .fixup_map2 = { 3 }, 3166 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3167 .result_unpriv = REJECT, 3168 .result = ACCEPT, 3169 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3170 }, 3171 { 3172 "valid map access into an array with a signed variable", 3173 .insns = { 3174 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3175 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3177 BPF_LD_MAP_FD(BPF_REG_1, 0), 3178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3179 BPF_FUNC_map_lookup_elem), 3180 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 3181 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3182 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 3183 BPF_MOV32_IMM(BPF_REG_1, 0), 3184 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3185 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3186 BPF_MOV32_IMM(BPF_REG_1, 0), 3187 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3188 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3189 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3190 offsetof(struct test_val, foo)), 3191 BPF_EXIT_INSN(), 3192 }, 3193 .fixup_map2 = { 3 }, 3194 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3195 .result_unpriv = REJECT, 3196 .result = ACCEPT, 3197 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3198 }, 3199 { 3200 "invalid map access into an array with a constant", 3201 .insns = { 3202 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3205 BPF_LD_MAP_FD(BPF_REG_1, 0), 3206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3207 BPF_FUNC_map_lookup_elem), 3208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3209 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 3210 offsetof(struct test_val, foo)), 3211 BPF_EXIT_INSN(), 3212 }, 3213 .fixup_map2 = { 3 }, 3214 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 3215 .result = REJECT, 3216 }, 3217 { 3218 "invalid map access into an array with a register", 3219 .insns = { 3220 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3221 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3223 BPF_LD_MAP_FD(BPF_REG_1, 0), 3224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3225 BPF_FUNC_map_lookup_elem), 3226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3227 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 3228 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3229 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3230 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3231 offsetof(struct test_val, foo)), 3232 BPF_EXIT_INSN(), 3233 }, 3234 .fixup_map2 = { 3 }, 3235 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3236 .errstr = "R0 min value is outside of the array range", 3237 .result_unpriv = REJECT, 3238 .result = REJECT, 3239 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3240 }, 3241 { 3242 "invalid map access into an array with a variable", 3243 .insns = { 3244 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3245 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3247 BPF_LD_MAP_FD(BPF_REG_1, 0), 3248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3249 BPF_FUNC_map_lookup_elem), 3250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3251 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3252 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3253 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3254 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3255 offsetof(struct test_val, foo)), 3256 BPF_EXIT_INSN(), 3257 }, 3258 .fixup_map2 = { 3 }, 3259 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3260 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3261 .result_unpriv = REJECT, 3262 .result = REJECT, 3263 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3264 }, 3265 { 3266 "invalid map access into an array with no floor check", 3267 .insns = { 3268 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3271 BPF_LD_MAP_FD(BPF_REG_1, 0), 3272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3273 BPF_FUNC_map_lookup_elem), 3274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3275 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3276 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3277 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3278 BPF_MOV32_IMM(BPF_REG_1, 0), 3279 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3280 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3281 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3282 offsetof(struct test_val, foo)), 3283 BPF_EXIT_INSN(), 3284 }, 3285 .fixup_map2 = { 3 }, 3286 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3287 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3288 .result_unpriv = REJECT, 3289 .result = REJECT, 3290 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3291 }, 3292 { 3293 "invalid map access into an array with a invalid max check", 3294 .insns = { 3295 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3298 BPF_LD_MAP_FD(BPF_REG_1, 0), 3299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3300 BPF_FUNC_map_lookup_elem), 3301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3302 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3303 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 3304 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3305 BPF_MOV32_IMM(BPF_REG_1, 0), 3306 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3307 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3308 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3309 offsetof(struct test_val, foo)), 3310 BPF_EXIT_INSN(), 3311 }, 3312 .fixup_map2 = { 3 }, 3313 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3314 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 3315 .result_unpriv = REJECT, 3316 .result = REJECT, 3317 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3318 }, 3319 { 3320 "invalid map access into an array with a invalid max check", 3321 .insns = { 3322 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3325 BPF_LD_MAP_FD(BPF_REG_1, 0), 3326 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3327 BPF_FUNC_map_lookup_elem), 3328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 3329 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 3330 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3331 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3333 BPF_LD_MAP_FD(BPF_REG_1, 0), 3334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3335 BPF_FUNC_map_lookup_elem), 3336 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 3337 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 3338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3339 offsetof(struct test_val, foo)), 3340 BPF_EXIT_INSN(), 3341 }, 3342 .fixup_map2 = { 3, 11 }, 3343 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3344 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3345 .result_unpriv = REJECT, 3346 .result = REJECT, 3347 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3348 }, 3349 { 3350 "multiple registers share map_lookup_elem result", 3351 .insns = { 3352 BPF_MOV64_IMM(BPF_REG_1, 10), 3353 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3354 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3356 BPF_LD_MAP_FD(BPF_REG_1, 0), 3357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3358 BPF_FUNC_map_lookup_elem), 3359 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3361 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3362 BPF_EXIT_INSN(), 3363 }, 3364 .fixup_map1 = { 4 }, 3365 .result = ACCEPT, 3366 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3367 }, 3368 { 3369 "alu ops on ptr_to_map_value_or_null, 1", 3370 .insns = { 3371 BPF_MOV64_IMM(BPF_REG_1, 10), 3372 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3373 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3375 BPF_LD_MAP_FD(BPF_REG_1, 0), 3376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3377 BPF_FUNC_map_lookup_elem), 3378 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2), 3380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2), 3381 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3382 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3383 BPF_EXIT_INSN(), 3384 }, 3385 .fixup_map1 = { 4 }, 3386 .errstr = "R4 invalid mem access", 3387 .result = REJECT, 3388 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3389 }, 3390 { 3391 "alu ops on ptr_to_map_value_or_null, 2", 3392 .insns = { 3393 BPF_MOV64_IMM(BPF_REG_1, 10), 3394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3397 BPF_LD_MAP_FD(BPF_REG_1, 0), 3398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3399 BPF_FUNC_map_lookup_elem), 3400 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3401 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1), 3402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3403 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3404 BPF_EXIT_INSN(), 3405 }, 3406 .fixup_map1 = { 4 }, 3407 .errstr = "R4 invalid mem access", 3408 .result = REJECT, 3409 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3410 }, 3411 { 3412 "alu ops on ptr_to_map_value_or_null, 3", 3413 .insns = { 3414 BPF_MOV64_IMM(BPF_REG_1, 10), 3415 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3416 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3418 BPF_LD_MAP_FD(BPF_REG_1, 0), 3419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3420 BPF_FUNC_map_lookup_elem), 3421 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3422 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1), 3423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3424 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3425 BPF_EXIT_INSN(), 3426 }, 3427 .fixup_map1 = { 4 }, 3428 .errstr = "R4 invalid mem access", 3429 .result = REJECT, 3430 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3431 }, 3432 { 3433 "invalid memory access with multiple map_lookup_elem calls", 3434 .insns = { 3435 BPF_MOV64_IMM(BPF_REG_1, 10), 3436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3437 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3439 BPF_LD_MAP_FD(BPF_REG_1, 0), 3440 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3441 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3443 BPF_FUNC_map_lookup_elem), 3444 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3445 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3447 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3448 BPF_FUNC_map_lookup_elem), 3449 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3450 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3451 BPF_EXIT_INSN(), 3452 }, 3453 .fixup_map1 = { 4 }, 3454 .result = REJECT, 3455 .errstr = "R4 !read_ok", 3456 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3457 }, 3458 { 3459 "valid indirect map_lookup_elem access with 2nd lookup in branch", 3460 .insns = { 3461 BPF_MOV64_IMM(BPF_REG_1, 10), 3462 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3465 BPF_LD_MAP_FD(BPF_REG_1, 0), 3466 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3467 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3469 BPF_FUNC_map_lookup_elem), 3470 BPF_MOV64_IMM(BPF_REG_2, 10), 3471 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 3472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3474 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3475 BPF_FUNC_map_lookup_elem), 3476 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3478 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3479 BPF_EXIT_INSN(), 3480 }, 3481 .fixup_map1 = { 4 }, 3482 .result = ACCEPT, 3483 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3484 }, 3485 { 3486 "multiple registers share map_lookup_elem bad reg type", 3487 .insns = { 3488 BPF_MOV64_IMM(BPF_REG_1, 10), 3489 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3492 BPF_LD_MAP_FD(BPF_REG_1, 0), 3493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3494 BPF_FUNC_map_lookup_elem), 3495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 3496 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 3497 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3498 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3499 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3500 BPF_MOV64_IMM(BPF_REG_1, 1), 3501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3502 BPF_MOV64_IMM(BPF_REG_1, 2), 3503 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1), 3504 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0), 3505 BPF_MOV64_IMM(BPF_REG_1, 3), 3506 BPF_EXIT_INSN(), 3507 }, 3508 .fixup_map1 = { 4 }, 3509 .result = REJECT, 3510 .errstr = "R3 invalid mem access 'inv'", 3511 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3512 }, 3513 { 3514 "invalid map access from else condition", 3515 .insns = { 3516 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3519 BPF_LD_MAP_FD(BPF_REG_1, 0), 3520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3522 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3523 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 3524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 3525 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3526 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3527 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 3528 BPF_EXIT_INSN(), 3529 }, 3530 .fixup_map2 = { 3 }, 3531 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 3532 .result = REJECT, 3533 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3534 .result_unpriv = REJECT, 3535 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3536 }, 3537 { 3538 "constant register |= constant should keep constant type", 3539 .insns = { 3540 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3542 BPF_MOV64_IMM(BPF_REG_2, 34), 3543 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 3544 BPF_MOV64_IMM(BPF_REG_3, 0), 3545 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3546 BPF_EXIT_INSN(), 3547 }, 3548 .result = ACCEPT, 3549 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3550 }, 3551 { 3552 "constant register |= constant should not bypass stack boundary checks", 3553 .insns = { 3554 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3556 BPF_MOV64_IMM(BPF_REG_2, 34), 3557 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 3558 BPF_MOV64_IMM(BPF_REG_3, 0), 3559 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3560 BPF_EXIT_INSN(), 3561 }, 3562 .errstr = "invalid stack type R1 off=-48 access_size=58", 3563 .result = REJECT, 3564 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3565 }, 3566 { 3567 "constant register |= constant register should keep constant type", 3568 .insns = { 3569 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3571 BPF_MOV64_IMM(BPF_REG_2, 34), 3572 BPF_MOV64_IMM(BPF_REG_4, 13), 3573 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3574 BPF_MOV64_IMM(BPF_REG_3, 0), 3575 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3576 BPF_EXIT_INSN(), 3577 }, 3578 .result = ACCEPT, 3579 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3580 }, 3581 { 3582 "constant register |= constant register should not bypass stack boundary checks", 3583 .insns = { 3584 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3586 BPF_MOV64_IMM(BPF_REG_2, 34), 3587 BPF_MOV64_IMM(BPF_REG_4, 24), 3588 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3589 BPF_MOV64_IMM(BPF_REG_3, 0), 3590 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3591 BPF_EXIT_INSN(), 3592 }, 3593 .errstr = "invalid stack type R1 off=-48 access_size=58", 3594 .result = REJECT, 3595 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3596 }, 3597 { 3598 "invalid direct packet write for LWT_IN", 3599 .insns = { 3600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3601 offsetof(struct __sk_buff, data)), 3602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3603 offsetof(struct __sk_buff, data_end)), 3604 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3606 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3607 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3608 BPF_MOV64_IMM(BPF_REG_0, 0), 3609 BPF_EXIT_INSN(), 3610 }, 3611 .errstr = "cannot write into packet", 3612 .result = REJECT, 3613 .prog_type = BPF_PROG_TYPE_LWT_IN, 3614 }, 3615 { 3616 "invalid direct packet write for LWT_OUT", 3617 .insns = { 3618 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3619 offsetof(struct __sk_buff, data)), 3620 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3621 offsetof(struct __sk_buff, data_end)), 3622 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3624 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3625 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3626 BPF_MOV64_IMM(BPF_REG_0, 0), 3627 BPF_EXIT_INSN(), 3628 }, 3629 .errstr = "cannot write into packet", 3630 .result = REJECT, 3631 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3632 }, 3633 { 3634 "direct packet write for LWT_XMIT", 3635 .insns = { 3636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3637 offsetof(struct __sk_buff, data)), 3638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3639 offsetof(struct __sk_buff, data_end)), 3640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3642 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3643 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3644 BPF_MOV64_IMM(BPF_REG_0, 0), 3645 BPF_EXIT_INSN(), 3646 }, 3647 .result = ACCEPT, 3648 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3649 }, 3650 { 3651 "direct packet read for LWT_IN", 3652 .insns = { 3653 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3654 offsetof(struct __sk_buff, data)), 3655 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3656 offsetof(struct __sk_buff, data_end)), 3657 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3659 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3660 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3661 BPF_MOV64_IMM(BPF_REG_0, 0), 3662 BPF_EXIT_INSN(), 3663 }, 3664 .result = ACCEPT, 3665 .prog_type = BPF_PROG_TYPE_LWT_IN, 3666 }, 3667 { 3668 "direct packet read for LWT_OUT", 3669 .insns = { 3670 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3671 offsetof(struct __sk_buff, data)), 3672 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3673 offsetof(struct __sk_buff, data_end)), 3674 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3676 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3677 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3678 BPF_MOV64_IMM(BPF_REG_0, 0), 3679 BPF_EXIT_INSN(), 3680 }, 3681 .result = ACCEPT, 3682 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3683 }, 3684 { 3685 "direct packet read for LWT_XMIT", 3686 .insns = { 3687 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3688 offsetof(struct __sk_buff, data)), 3689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3690 offsetof(struct __sk_buff, data_end)), 3691 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3693 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3694 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3695 BPF_MOV64_IMM(BPF_REG_0, 0), 3696 BPF_EXIT_INSN(), 3697 }, 3698 .result = ACCEPT, 3699 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3700 }, 3701 { 3702 "overlapping checks for direct packet access", 3703 .insns = { 3704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3705 offsetof(struct __sk_buff, data)), 3706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3707 offsetof(struct __sk_buff, data_end)), 3708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 3711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 3713 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 3714 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 3715 BPF_MOV64_IMM(BPF_REG_0, 0), 3716 BPF_EXIT_INSN(), 3717 }, 3718 .result = ACCEPT, 3719 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3720 }, 3721 { 3722 "invalid access of tc_classid for LWT_IN", 3723 .insns = { 3724 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3725 offsetof(struct __sk_buff, tc_classid)), 3726 BPF_EXIT_INSN(), 3727 }, 3728 .result = REJECT, 3729 .errstr = "invalid bpf_context access", 3730 }, 3731 { 3732 "invalid access of tc_classid for LWT_OUT", 3733 .insns = { 3734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3735 offsetof(struct __sk_buff, tc_classid)), 3736 BPF_EXIT_INSN(), 3737 }, 3738 .result = REJECT, 3739 .errstr = "invalid bpf_context access", 3740 }, 3741 { 3742 "invalid access of tc_classid for LWT_XMIT", 3743 .insns = { 3744 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3745 offsetof(struct __sk_buff, tc_classid)), 3746 BPF_EXIT_INSN(), 3747 }, 3748 .result = REJECT, 3749 .errstr = "invalid bpf_context access", 3750 }, 3751 { 3752 "leak pointer into ctx 1", 3753 .insns = { 3754 BPF_MOV64_IMM(BPF_REG_0, 0), 3755 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 3756 offsetof(struct __sk_buff, cb[0])), 3757 BPF_LD_MAP_FD(BPF_REG_2, 0), 3758 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2, 3759 offsetof(struct __sk_buff, cb[0])), 3760 BPF_EXIT_INSN(), 3761 }, 3762 .fixup_map1 = { 2 }, 3763 .errstr_unpriv = "R2 leaks addr into mem", 3764 .result_unpriv = REJECT, 3765 .result = ACCEPT, 3766 }, 3767 { 3768 "leak pointer into ctx 2", 3769 .insns = { 3770 BPF_MOV64_IMM(BPF_REG_0, 0), 3771 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 3772 offsetof(struct __sk_buff, cb[0])), 3773 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10, 3774 offsetof(struct __sk_buff, cb[0])), 3775 BPF_EXIT_INSN(), 3776 }, 3777 .errstr_unpriv = "R10 leaks addr into mem", 3778 .result_unpriv = REJECT, 3779 .result = ACCEPT, 3780 }, 3781 { 3782 "leak pointer into ctx 3", 3783 .insns = { 3784 BPF_MOV64_IMM(BPF_REG_0, 0), 3785 BPF_LD_MAP_FD(BPF_REG_2, 0), 3786 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 3787 offsetof(struct __sk_buff, cb[0])), 3788 BPF_EXIT_INSN(), 3789 }, 3790 .fixup_map1 = { 1 }, 3791 .errstr_unpriv = "R2 leaks addr into ctx", 3792 .result_unpriv = REJECT, 3793 .result = ACCEPT, 3794 }, 3795 { 3796 "leak pointer into map val", 3797 .insns = { 3798 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 3799 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3800 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3802 BPF_LD_MAP_FD(BPF_REG_1, 0), 3803 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3804 BPF_FUNC_map_lookup_elem), 3805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 3806 BPF_MOV64_IMM(BPF_REG_3, 0), 3807 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 3808 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3809 BPF_MOV64_IMM(BPF_REG_0, 0), 3810 BPF_EXIT_INSN(), 3811 }, 3812 .fixup_map1 = { 4 }, 3813 .errstr_unpriv = "R6 leaks addr into mem", 3814 .result_unpriv = REJECT, 3815 .result = ACCEPT, 3816 }, 3817 { 3818 "helper access to map: full range", 3819 .insns = { 3820 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3822 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3823 BPF_LD_MAP_FD(BPF_REG_1, 0), 3824 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3825 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3826 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3827 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 3828 BPF_MOV64_IMM(BPF_REG_3, 0), 3829 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3830 BPF_EXIT_INSN(), 3831 }, 3832 .fixup_map2 = { 3 }, 3833 .result = ACCEPT, 3834 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3835 }, 3836 { 3837 "helper access to map: partial range", 3838 .insns = { 3839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3841 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3842 BPF_LD_MAP_FD(BPF_REG_1, 0), 3843 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3845 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3846 BPF_MOV64_IMM(BPF_REG_2, 8), 3847 BPF_MOV64_IMM(BPF_REG_3, 0), 3848 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3849 BPF_EXIT_INSN(), 3850 }, 3851 .fixup_map2 = { 3 }, 3852 .result = ACCEPT, 3853 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3854 }, 3855 { 3856 "helper access to map: empty range", 3857 .insns = { 3858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3860 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3861 BPF_LD_MAP_FD(BPF_REG_1, 0), 3862 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3863 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3865 BPF_MOV64_IMM(BPF_REG_2, 0), 3866 BPF_MOV64_IMM(BPF_REG_3, 0), 3867 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3868 BPF_EXIT_INSN(), 3869 }, 3870 .fixup_map2 = { 3 }, 3871 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 3872 .result = REJECT, 3873 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3874 }, 3875 { 3876 "helper access to map: out-of-bound range", 3877 .insns = { 3878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3880 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3881 BPF_LD_MAP_FD(BPF_REG_1, 0), 3882 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3885 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 3886 BPF_MOV64_IMM(BPF_REG_3, 0), 3887 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3888 BPF_EXIT_INSN(), 3889 }, 3890 .fixup_map2 = { 3 }, 3891 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 3892 .result = REJECT, 3893 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3894 }, 3895 { 3896 "helper access to map: negative range", 3897 .insns = { 3898 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3900 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3901 BPF_LD_MAP_FD(BPF_REG_1, 0), 3902 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3903 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3905 BPF_MOV64_IMM(BPF_REG_2, -8), 3906 BPF_MOV64_IMM(BPF_REG_3, 0), 3907 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3908 BPF_EXIT_INSN(), 3909 }, 3910 .fixup_map2 = { 3 }, 3911 .errstr = "invalid access to map value, value_size=48 off=0 size=-8", 3912 .result = REJECT, 3913 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3914 }, 3915 { 3916 "helper access to adjusted map (via const imm): full range", 3917 .insns = { 3918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3920 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3921 BPF_LD_MAP_FD(BPF_REG_1, 0), 3922 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3926 offsetof(struct test_val, foo)), 3927 BPF_MOV64_IMM(BPF_REG_2, 3928 sizeof(struct test_val) - 3929 offsetof(struct test_val, foo)), 3930 BPF_MOV64_IMM(BPF_REG_3, 0), 3931 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3932 BPF_EXIT_INSN(), 3933 }, 3934 .fixup_map2 = { 3 }, 3935 .result = ACCEPT, 3936 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3937 }, 3938 { 3939 "helper access to adjusted map (via const imm): partial range", 3940 .insns = { 3941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3943 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3944 BPF_LD_MAP_FD(BPF_REG_1, 0), 3945 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3949 offsetof(struct test_val, foo)), 3950 BPF_MOV64_IMM(BPF_REG_2, 8), 3951 BPF_MOV64_IMM(BPF_REG_3, 0), 3952 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3953 BPF_EXIT_INSN(), 3954 }, 3955 .fixup_map2 = { 3 }, 3956 .result = ACCEPT, 3957 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3958 }, 3959 { 3960 "helper access to adjusted map (via const imm): empty range", 3961 .insns = { 3962 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3964 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3965 BPF_LD_MAP_FD(BPF_REG_1, 0), 3966 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3967 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3968 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3970 offsetof(struct test_val, foo)), 3971 BPF_MOV64_IMM(BPF_REG_2, 0), 3972 BPF_MOV64_IMM(BPF_REG_3, 0), 3973 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3974 BPF_EXIT_INSN(), 3975 }, 3976 .fixup_map2 = { 3 }, 3977 .errstr = "R1 min value is outside of the array range", 3978 .result = REJECT, 3979 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3980 }, 3981 { 3982 "helper access to adjusted map (via const imm): out-of-bound range", 3983 .insns = { 3984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3986 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3987 BPF_LD_MAP_FD(BPF_REG_1, 0), 3988 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3989 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3992 offsetof(struct test_val, foo)), 3993 BPF_MOV64_IMM(BPF_REG_2, 3994 sizeof(struct test_val) - 3995 offsetof(struct test_val, foo) + 8), 3996 BPF_MOV64_IMM(BPF_REG_3, 0), 3997 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3998 BPF_EXIT_INSN(), 3999 }, 4000 .fixup_map2 = { 3 }, 4001 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4002 .result = REJECT, 4003 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4004 }, 4005 { 4006 "helper access to adjusted map (via const imm): negative range (> adjustment)", 4007 .insns = { 4008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4010 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4011 BPF_LD_MAP_FD(BPF_REG_1, 0), 4012 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4013 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4016 offsetof(struct test_val, foo)), 4017 BPF_MOV64_IMM(BPF_REG_2, -8), 4018 BPF_MOV64_IMM(BPF_REG_3, 0), 4019 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4020 BPF_EXIT_INSN(), 4021 }, 4022 .fixup_map2 = { 3 }, 4023 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 4024 .result = REJECT, 4025 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4026 }, 4027 { 4028 "helper access to adjusted map (via const imm): negative range (< adjustment)", 4029 .insns = { 4030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4032 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4033 BPF_LD_MAP_FD(BPF_REG_1, 0), 4034 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4036 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4038 offsetof(struct test_val, foo)), 4039 BPF_MOV64_IMM(BPF_REG_2, -1), 4040 BPF_MOV64_IMM(BPF_REG_3, 0), 4041 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4042 BPF_EXIT_INSN(), 4043 }, 4044 .fixup_map2 = { 3 }, 4045 .errstr = "R1 min value is outside of the array range", 4046 .result = REJECT, 4047 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4048 }, 4049 { 4050 "helper access to adjusted map (via const reg): full range", 4051 .insns = { 4052 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4054 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4055 BPF_LD_MAP_FD(BPF_REG_1, 0), 4056 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4057 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4058 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4059 BPF_MOV64_IMM(BPF_REG_3, 4060 offsetof(struct test_val, foo)), 4061 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4062 BPF_MOV64_IMM(BPF_REG_2, 4063 sizeof(struct test_val) - 4064 offsetof(struct test_val, foo)), 4065 BPF_MOV64_IMM(BPF_REG_3, 0), 4066 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4067 BPF_EXIT_INSN(), 4068 }, 4069 .fixup_map2 = { 3 }, 4070 .result = ACCEPT, 4071 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4072 }, 4073 { 4074 "helper access to adjusted map (via const reg): partial range", 4075 .insns = { 4076 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4078 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4079 BPF_LD_MAP_FD(BPF_REG_1, 0), 4080 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4081 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4083 BPF_MOV64_IMM(BPF_REG_3, 4084 offsetof(struct test_val, foo)), 4085 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4086 BPF_MOV64_IMM(BPF_REG_2, 8), 4087 BPF_MOV64_IMM(BPF_REG_3, 0), 4088 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4089 BPF_EXIT_INSN(), 4090 }, 4091 .fixup_map2 = { 3 }, 4092 .result = ACCEPT, 4093 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4094 }, 4095 { 4096 "helper access to adjusted map (via const reg): empty range", 4097 .insns = { 4098 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4099 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4100 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4101 BPF_LD_MAP_FD(BPF_REG_1, 0), 4102 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4103 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4104 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4105 BPF_MOV64_IMM(BPF_REG_3, 0), 4106 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4107 BPF_MOV64_IMM(BPF_REG_2, 0), 4108 BPF_MOV64_IMM(BPF_REG_3, 0), 4109 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4110 BPF_EXIT_INSN(), 4111 }, 4112 .fixup_map2 = { 3 }, 4113 .errstr = "R1 min value is outside of the array range", 4114 .result = REJECT, 4115 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4116 }, 4117 { 4118 "helper access to adjusted map (via const reg): out-of-bound range", 4119 .insns = { 4120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4122 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4123 BPF_LD_MAP_FD(BPF_REG_1, 0), 4124 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4127 BPF_MOV64_IMM(BPF_REG_3, 4128 offsetof(struct test_val, foo)), 4129 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4130 BPF_MOV64_IMM(BPF_REG_2, 4131 sizeof(struct test_val) - 4132 offsetof(struct test_val, foo) + 8), 4133 BPF_MOV64_IMM(BPF_REG_3, 0), 4134 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4135 BPF_EXIT_INSN(), 4136 }, 4137 .fixup_map2 = { 3 }, 4138 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4139 .result = REJECT, 4140 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4141 }, 4142 { 4143 "helper access to adjusted map (via const reg): negative range (> adjustment)", 4144 .insns = { 4145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4147 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4148 BPF_LD_MAP_FD(BPF_REG_1, 0), 4149 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4152 BPF_MOV64_IMM(BPF_REG_3, 4153 offsetof(struct test_val, foo)), 4154 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4155 BPF_MOV64_IMM(BPF_REG_2, -8), 4156 BPF_MOV64_IMM(BPF_REG_3, 0), 4157 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4158 BPF_EXIT_INSN(), 4159 }, 4160 .fixup_map2 = { 3 }, 4161 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 4162 .result = REJECT, 4163 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4164 }, 4165 { 4166 "helper access to adjusted map (via const reg): negative range (< adjustment)", 4167 .insns = { 4168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4170 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4171 BPF_LD_MAP_FD(BPF_REG_1, 0), 4172 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4174 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4175 BPF_MOV64_IMM(BPF_REG_3, 4176 offsetof(struct test_val, foo)), 4177 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4178 BPF_MOV64_IMM(BPF_REG_2, -1), 4179 BPF_MOV64_IMM(BPF_REG_3, 0), 4180 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4181 BPF_EXIT_INSN(), 4182 }, 4183 .fixup_map2 = { 3 }, 4184 .errstr = "R1 min value is outside of the array range", 4185 .result = REJECT, 4186 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4187 }, 4188 { 4189 "helper access to adjusted map (via variable): full range", 4190 .insns = { 4191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4193 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4194 BPF_LD_MAP_FD(BPF_REG_1, 0), 4195 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4198 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4199 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4200 offsetof(struct test_val, foo), 4), 4201 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4202 BPF_MOV64_IMM(BPF_REG_2, 4203 sizeof(struct test_val) - 4204 offsetof(struct test_val, foo)), 4205 BPF_MOV64_IMM(BPF_REG_3, 0), 4206 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4207 BPF_EXIT_INSN(), 4208 }, 4209 .fixup_map2 = { 3 }, 4210 .result = ACCEPT, 4211 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4212 }, 4213 { 4214 "helper access to adjusted map (via variable): partial range", 4215 .insns = { 4216 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4218 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4219 BPF_LD_MAP_FD(BPF_REG_1, 0), 4220 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4221 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4222 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4223 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4224 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4225 offsetof(struct test_val, foo), 4), 4226 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4227 BPF_MOV64_IMM(BPF_REG_2, 8), 4228 BPF_MOV64_IMM(BPF_REG_3, 0), 4229 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4230 BPF_EXIT_INSN(), 4231 }, 4232 .fixup_map2 = { 3 }, 4233 .result = ACCEPT, 4234 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4235 }, 4236 { 4237 "helper access to adjusted map (via variable): empty range", 4238 .insns = { 4239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4241 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4242 BPF_LD_MAP_FD(BPF_REG_1, 0), 4243 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4246 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4247 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4248 offsetof(struct test_val, foo), 4), 4249 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4250 BPF_MOV64_IMM(BPF_REG_2, 0), 4251 BPF_MOV64_IMM(BPF_REG_3, 0), 4252 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4253 BPF_EXIT_INSN(), 4254 }, 4255 .fixup_map2 = { 3 }, 4256 .errstr = "R1 min value is outside of the array range", 4257 .result = REJECT, 4258 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4259 }, 4260 { 4261 "helper access to adjusted map (via variable): no max check", 4262 .insns = { 4263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4265 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4266 BPF_LD_MAP_FD(BPF_REG_1, 0), 4267 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4269 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4270 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4271 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4272 BPF_MOV64_IMM(BPF_REG_2, 0), 4273 BPF_MOV64_IMM(BPF_REG_3, 0), 4274 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4275 BPF_EXIT_INSN(), 4276 }, 4277 .fixup_map2 = { 3 }, 4278 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check", 4279 .result = REJECT, 4280 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4281 }, 4282 { 4283 "helper access to adjusted map (via variable): wrong max check", 4284 .insns = { 4285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4288 BPF_LD_MAP_FD(BPF_REG_1, 0), 4289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4292 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4293 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4294 offsetof(struct test_val, foo), 4), 4295 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4296 BPF_MOV64_IMM(BPF_REG_2, 4297 sizeof(struct test_val) - 4298 offsetof(struct test_val, foo) + 1), 4299 BPF_MOV64_IMM(BPF_REG_3, 0), 4300 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4301 BPF_EXIT_INSN(), 4302 }, 4303 .fixup_map2 = { 3 }, 4304 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 4305 .result = REJECT, 4306 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4307 }, 4308 { 4309 "map element value is preserved across register spilling", 4310 .insns = { 4311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4313 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4314 BPF_LD_MAP_FD(BPF_REG_1, 0), 4315 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4317 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 4320 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4321 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4322 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4323 BPF_EXIT_INSN(), 4324 }, 4325 .fixup_map2 = { 3 }, 4326 .errstr_unpriv = "R0 leaks addr", 4327 .result = ACCEPT, 4328 .result_unpriv = REJECT, 4329 }, 4330 { 4331 "map element value or null is marked on register spilling", 4332 .insns = { 4333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4335 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4336 BPF_LD_MAP_FD(BPF_REG_1, 0), 4337 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), 4340 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4342 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4343 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4344 BPF_EXIT_INSN(), 4345 }, 4346 .fixup_map2 = { 3 }, 4347 .errstr_unpriv = "R0 leaks addr", 4348 .result = ACCEPT, 4349 .result_unpriv = REJECT, 4350 }, 4351 { 4352 "map element value store of cleared call register", 4353 .insns = { 4354 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4356 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4357 BPF_LD_MAP_FD(BPF_REG_1, 0), 4358 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4359 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4360 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 4361 BPF_EXIT_INSN(), 4362 }, 4363 .fixup_map2 = { 3 }, 4364 .errstr_unpriv = "R1 !read_ok", 4365 .errstr = "R1 !read_ok", 4366 .result = REJECT, 4367 .result_unpriv = REJECT, 4368 }, 4369 { 4370 "map element value with unaligned store", 4371 .insns = { 4372 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4374 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4375 BPF_LD_MAP_FD(BPF_REG_1, 0), 4376 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4377 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), 4378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 4379 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4380 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), 4381 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), 4382 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4383 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32), 4384 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33), 4385 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34), 4386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), 4387 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), 4388 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), 4389 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), 4390 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), 4391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), 4392 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), 4393 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), 4394 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), 4395 BPF_EXIT_INSN(), 4396 }, 4397 .fixup_map2 = { 3 }, 4398 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4399 .result = ACCEPT, 4400 .result_unpriv = REJECT, 4401 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4402 }, 4403 { 4404 "map element value with unaligned load", 4405 .insns = { 4406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4408 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4409 BPF_LD_MAP_FD(BPF_REG_1, 0), 4410 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4412 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4413 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), 4414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 4415 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 4416 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), 4417 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4418 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 4419 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2), 4420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), 4421 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 4422 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), 4423 BPF_EXIT_INSN(), 4424 }, 4425 .fixup_map2 = { 3 }, 4426 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4427 .result = ACCEPT, 4428 .result_unpriv = REJECT, 4429 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4430 }, 4431 { 4432 "map element value illegal alu op, 1", 4433 .insns = { 4434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4436 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4437 BPF_LD_MAP_FD(BPF_REG_1, 0), 4438 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4440 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8), 4441 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4442 BPF_EXIT_INSN(), 4443 }, 4444 .fixup_map2 = { 3 }, 4445 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4446 .errstr = "invalid mem access 'inv'", 4447 .result = REJECT, 4448 .result_unpriv = REJECT, 4449 }, 4450 { 4451 "map element value illegal alu op, 2", 4452 .insns = { 4453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4455 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4456 BPF_LD_MAP_FD(BPF_REG_1, 0), 4457 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4459 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0), 4460 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4461 BPF_EXIT_INSN(), 4462 }, 4463 .fixup_map2 = { 3 }, 4464 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4465 .errstr = "invalid mem access 'inv'", 4466 .result = REJECT, 4467 .result_unpriv = REJECT, 4468 }, 4469 { 4470 "map element value illegal alu op, 3", 4471 .insns = { 4472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4474 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4475 BPF_LD_MAP_FD(BPF_REG_1, 0), 4476 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4478 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42), 4479 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4480 BPF_EXIT_INSN(), 4481 }, 4482 .fixup_map2 = { 3 }, 4483 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4484 .errstr = "invalid mem access 'inv'", 4485 .result = REJECT, 4486 .result_unpriv = REJECT, 4487 }, 4488 { 4489 "map element value illegal alu op, 4", 4490 .insns = { 4491 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4492 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4493 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4494 BPF_LD_MAP_FD(BPF_REG_1, 0), 4495 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4496 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4497 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64), 4498 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4499 BPF_EXIT_INSN(), 4500 }, 4501 .fixup_map2 = { 3 }, 4502 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4503 .errstr = "invalid mem access 'inv'", 4504 .result = REJECT, 4505 .result_unpriv = REJECT, 4506 }, 4507 { 4508 "map element value illegal alu op, 5", 4509 .insns = { 4510 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4512 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4513 BPF_LD_MAP_FD(BPF_REG_1, 0), 4514 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4515 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4516 BPF_MOV64_IMM(BPF_REG_3, 4096), 4517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4519 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 4520 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0), 4521 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 4522 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4523 BPF_EXIT_INSN(), 4524 }, 4525 .fixup_map2 = { 3 }, 4526 .errstr_unpriv = "R0 invalid mem access 'inv'", 4527 .errstr = "R0 invalid mem access 'inv'", 4528 .result = REJECT, 4529 .result_unpriv = REJECT, 4530 }, 4531 { 4532 "map element value is preserved across register spilling", 4533 .insns = { 4534 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4536 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4537 BPF_LD_MAP_FD(BPF_REG_1, 0), 4538 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4539 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4541 offsetof(struct test_val, foo)), 4542 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4543 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 4545 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4546 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4547 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4548 BPF_EXIT_INSN(), 4549 }, 4550 .fixup_map2 = { 3 }, 4551 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4552 .result = ACCEPT, 4553 .result_unpriv = REJECT, 4554 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4555 }, 4556 { 4557 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 4558 .insns = { 4559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4561 BPF_MOV64_IMM(BPF_REG_0, 0), 4562 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4563 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4564 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4565 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4566 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4567 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4568 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4569 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4570 BPF_MOV64_IMM(BPF_REG_2, 16), 4571 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4572 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4573 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4574 BPF_MOV64_IMM(BPF_REG_4, 0), 4575 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4576 BPF_MOV64_IMM(BPF_REG_3, 0), 4577 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4578 BPF_MOV64_IMM(BPF_REG_0, 0), 4579 BPF_EXIT_INSN(), 4580 }, 4581 .result = ACCEPT, 4582 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4583 }, 4584 { 4585 "helper access to variable memory: stack, bitwise AND, zero included", 4586 .insns = { 4587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4589 BPF_MOV64_IMM(BPF_REG_2, 16), 4590 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4591 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4592 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4593 BPF_MOV64_IMM(BPF_REG_3, 0), 4594 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4595 BPF_EXIT_INSN(), 4596 }, 4597 .errstr = "invalid stack type R1 off=-64 access_size=0", 4598 .result = REJECT, 4599 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4600 }, 4601 { 4602 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 4603 .insns = { 4604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4606 BPF_MOV64_IMM(BPF_REG_2, 16), 4607 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4608 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4609 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 4610 BPF_MOV64_IMM(BPF_REG_4, 0), 4611 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4612 BPF_MOV64_IMM(BPF_REG_3, 0), 4613 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4614 BPF_MOV64_IMM(BPF_REG_0, 0), 4615 BPF_EXIT_INSN(), 4616 }, 4617 .errstr = "invalid stack type R1 off=-64 access_size=65", 4618 .result = REJECT, 4619 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4620 }, 4621 { 4622 "helper access to variable memory: stack, JMP, correct bounds", 4623 .insns = { 4624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4626 BPF_MOV64_IMM(BPF_REG_0, 0), 4627 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4628 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4629 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4630 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4631 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4632 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4633 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4634 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4635 BPF_MOV64_IMM(BPF_REG_2, 16), 4636 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4637 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4638 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 4639 BPF_MOV64_IMM(BPF_REG_4, 0), 4640 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4641 BPF_MOV64_IMM(BPF_REG_3, 0), 4642 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4643 BPF_MOV64_IMM(BPF_REG_0, 0), 4644 BPF_EXIT_INSN(), 4645 }, 4646 .result = ACCEPT, 4647 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4648 }, 4649 { 4650 "helper access to variable memory: stack, JMP (signed), correct bounds", 4651 .insns = { 4652 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4654 BPF_MOV64_IMM(BPF_REG_0, 0), 4655 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4656 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4657 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4658 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4659 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4660 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4661 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4662 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4663 BPF_MOV64_IMM(BPF_REG_2, 16), 4664 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4665 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4666 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 4667 BPF_MOV64_IMM(BPF_REG_4, 0), 4668 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 4669 BPF_MOV64_IMM(BPF_REG_3, 0), 4670 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4671 BPF_MOV64_IMM(BPF_REG_0, 0), 4672 BPF_EXIT_INSN(), 4673 }, 4674 .result = ACCEPT, 4675 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4676 }, 4677 { 4678 "helper access to variable memory: stack, JMP, bounds + offset", 4679 .insns = { 4680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4682 BPF_MOV64_IMM(BPF_REG_2, 16), 4683 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4684 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4685 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 4686 BPF_MOV64_IMM(BPF_REG_4, 0), 4687 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 4688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4689 BPF_MOV64_IMM(BPF_REG_3, 0), 4690 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4691 BPF_MOV64_IMM(BPF_REG_0, 0), 4692 BPF_EXIT_INSN(), 4693 }, 4694 .errstr = "invalid stack type R1 off=-64 access_size=65", 4695 .result = REJECT, 4696 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4697 }, 4698 { 4699 "helper access to variable memory: stack, JMP, wrong max", 4700 .insns = { 4701 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4703 BPF_MOV64_IMM(BPF_REG_2, 16), 4704 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4705 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4706 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 4707 BPF_MOV64_IMM(BPF_REG_4, 0), 4708 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4709 BPF_MOV64_IMM(BPF_REG_3, 0), 4710 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4711 BPF_MOV64_IMM(BPF_REG_0, 0), 4712 BPF_EXIT_INSN(), 4713 }, 4714 .errstr = "invalid stack type R1 off=-64 access_size=65", 4715 .result = REJECT, 4716 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4717 }, 4718 { 4719 "helper access to variable memory: stack, JMP, no max check", 4720 .insns = { 4721 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4723 BPF_MOV64_IMM(BPF_REG_2, 16), 4724 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4725 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4726 BPF_MOV64_IMM(BPF_REG_4, 0), 4727 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4728 BPF_MOV64_IMM(BPF_REG_3, 0), 4729 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4730 BPF_MOV64_IMM(BPF_REG_0, 0), 4731 BPF_EXIT_INSN(), 4732 }, 4733 .errstr = "R2 unbounded memory access", 4734 .result = REJECT, 4735 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4736 }, 4737 { 4738 "helper access to variable memory: stack, JMP, no min check", 4739 .insns = { 4740 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4741 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4742 BPF_MOV64_IMM(BPF_REG_2, 16), 4743 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4744 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4745 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 4746 BPF_MOV64_IMM(BPF_REG_3, 0), 4747 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4748 BPF_MOV64_IMM(BPF_REG_0, 0), 4749 BPF_EXIT_INSN(), 4750 }, 4751 .errstr = "invalid stack type R1 off=-64 access_size=0", 4752 .result = REJECT, 4753 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4754 }, 4755 { 4756 "helper access to variable memory: stack, JMP (signed), no min check", 4757 .insns = { 4758 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4760 BPF_MOV64_IMM(BPF_REG_2, 16), 4761 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4762 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4763 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 4764 BPF_MOV64_IMM(BPF_REG_3, 0), 4765 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4766 BPF_MOV64_IMM(BPF_REG_0, 0), 4767 BPF_EXIT_INSN(), 4768 }, 4769 .errstr = "R2 min value is negative", 4770 .result = REJECT, 4771 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4772 }, 4773 { 4774 "helper access to variable memory: map, JMP, correct bounds", 4775 .insns = { 4776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4779 BPF_LD_MAP_FD(BPF_REG_1, 0), 4780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4783 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4784 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4785 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4786 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4787 sizeof(struct test_val), 4), 4788 BPF_MOV64_IMM(BPF_REG_4, 0), 4789 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4790 BPF_MOV64_IMM(BPF_REG_3, 0), 4791 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4792 BPF_MOV64_IMM(BPF_REG_0, 0), 4793 BPF_EXIT_INSN(), 4794 }, 4795 .fixup_map2 = { 3 }, 4796 .result = ACCEPT, 4797 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4798 }, 4799 { 4800 "helper access to variable memory: map, JMP, wrong max", 4801 .insns = { 4802 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4804 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4805 BPF_LD_MAP_FD(BPF_REG_1, 0), 4806 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4808 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4809 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4810 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4811 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4812 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4813 sizeof(struct test_val) + 1, 4), 4814 BPF_MOV64_IMM(BPF_REG_4, 0), 4815 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4816 BPF_MOV64_IMM(BPF_REG_3, 0), 4817 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4818 BPF_MOV64_IMM(BPF_REG_0, 0), 4819 BPF_EXIT_INSN(), 4820 }, 4821 .fixup_map2 = { 3 }, 4822 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 4823 .result = REJECT, 4824 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4825 }, 4826 { 4827 "helper access to variable memory: map adjusted, JMP, correct bounds", 4828 .insns = { 4829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4831 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4832 BPF_LD_MAP_FD(BPF_REG_1, 0), 4833 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4835 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4836 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4837 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4838 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4839 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4840 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4841 sizeof(struct test_val) - 20, 4), 4842 BPF_MOV64_IMM(BPF_REG_4, 0), 4843 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4844 BPF_MOV64_IMM(BPF_REG_3, 0), 4845 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4846 BPF_MOV64_IMM(BPF_REG_0, 0), 4847 BPF_EXIT_INSN(), 4848 }, 4849 .fixup_map2 = { 3 }, 4850 .result = ACCEPT, 4851 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4852 }, 4853 { 4854 "helper access to variable memory: map adjusted, JMP, wrong max", 4855 .insns = { 4856 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4858 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4859 BPF_LD_MAP_FD(BPF_REG_1, 0), 4860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4864 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4865 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4866 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4867 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4868 sizeof(struct test_val) - 19, 4), 4869 BPF_MOV64_IMM(BPF_REG_4, 0), 4870 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4871 BPF_MOV64_IMM(BPF_REG_3, 0), 4872 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4873 BPF_MOV64_IMM(BPF_REG_0, 0), 4874 BPF_EXIT_INSN(), 4875 }, 4876 .fixup_map2 = { 3 }, 4877 .errstr = "R1 min value is outside of the array range", 4878 .result = REJECT, 4879 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4880 }, 4881 { 4882 "helper access to variable memory: size > 0 not allowed on NULL", 4883 .insns = { 4884 BPF_MOV64_IMM(BPF_REG_1, 0), 4885 BPF_MOV64_IMM(BPF_REG_2, 0), 4886 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4887 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4888 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4889 BPF_MOV64_IMM(BPF_REG_3, 0), 4890 BPF_MOV64_IMM(BPF_REG_4, 0), 4891 BPF_MOV64_IMM(BPF_REG_5, 0), 4892 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4893 BPF_EXIT_INSN(), 4894 }, 4895 .errstr = "R1 type=imm expected=fp", 4896 .result = REJECT, 4897 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4898 }, 4899 { 4900 "helper access to variable memory: size = 0 not allowed on != NULL", 4901 .insns = { 4902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 4904 BPF_MOV64_IMM(BPF_REG_2, 0), 4905 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 4906 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 4907 BPF_MOV64_IMM(BPF_REG_3, 0), 4908 BPF_MOV64_IMM(BPF_REG_4, 0), 4909 BPF_MOV64_IMM(BPF_REG_5, 0), 4910 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4911 BPF_EXIT_INSN(), 4912 }, 4913 .errstr = "invalid stack type R1 off=-8 access_size=0", 4914 .result = REJECT, 4915 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4916 }, 4917 { 4918 "helper access to variable memory: 8 bytes leak", 4919 .insns = { 4920 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4922 BPF_MOV64_IMM(BPF_REG_0, 0), 4923 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4924 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4925 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4926 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4927 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4928 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4929 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4930 BPF_MOV64_IMM(BPF_REG_2, 0), 4931 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4932 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4933 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 4934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4935 BPF_MOV64_IMM(BPF_REG_3, 0), 4936 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4937 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4938 BPF_EXIT_INSN(), 4939 }, 4940 .errstr = "invalid indirect read from stack off -64+32 size 64", 4941 .result = REJECT, 4942 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4943 }, 4944 { 4945 "helper access to variable memory: 8 bytes no leak (init memory)", 4946 .insns = { 4947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4948 BPF_MOV64_IMM(BPF_REG_0, 0), 4949 BPF_MOV64_IMM(BPF_REG_0, 0), 4950 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4951 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4952 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4953 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4954 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4955 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4959 BPF_MOV64_IMM(BPF_REG_2, 0), 4960 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 4961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 4962 BPF_MOV64_IMM(BPF_REG_3, 0), 4963 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4964 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4965 BPF_EXIT_INSN(), 4966 }, 4967 .result = ACCEPT, 4968 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4969 }, 4970 { 4971 "invalid and of negative number", 4972 .insns = { 4973 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4974 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4976 BPF_LD_MAP_FD(BPF_REG_1, 0), 4977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4978 BPF_FUNC_map_lookup_elem), 4979 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4980 BPF_MOV64_IMM(BPF_REG_1, 6), 4981 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 4982 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4983 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4984 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4985 offsetof(struct test_val, foo)), 4986 BPF_EXIT_INSN(), 4987 }, 4988 .fixup_map2 = { 3 }, 4989 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4990 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4991 .result = REJECT, 4992 .result_unpriv = REJECT, 4993 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4994 }, 4995 { 4996 "invalid range check", 4997 .insns = { 4998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5001 BPF_LD_MAP_FD(BPF_REG_1, 0), 5002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5003 BPF_FUNC_map_lookup_elem), 5004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 5005 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 5006 BPF_MOV64_IMM(BPF_REG_9, 1), 5007 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 5008 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 5009 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 5010 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 5011 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 5012 BPF_MOV32_IMM(BPF_REG_3, 1), 5013 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 5014 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 5015 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 5016 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 5017 BPF_MOV64_REG(BPF_REG_0, 0), 5018 BPF_EXIT_INSN(), 5019 }, 5020 .fixup_map2 = { 3 }, 5021 .errstr_unpriv = "R0 pointer arithmetic prohibited", 5022 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 5023 .result = REJECT, 5024 .result_unpriv = REJECT, 5025 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5026 }, 5027 { 5028 "map in map access", 5029 .insns = { 5030 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5033 BPF_LD_MAP_FD(BPF_REG_1, 0), 5034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5035 BPF_FUNC_map_lookup_elem), 5036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5037 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5038 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5040 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5041 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5042 BPF_FUNC_map_lookup_elem), 5043 BPF_MOV64_REG(BPF_REG_0, 0), 5044 BPF_EXIT_INSN(), 5045 }, 5046 .fixup_map_in_map = { 3 }, 5047 .result = ACCEPT, 5048 }, 5049 { 5050 "invalid inner map pointer", 5051 .insns = { 5052 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5053 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5055 BPF_LD_MAP_FD(BPF_REG_1, 0), 5056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5057 BPF_FUNC_map_lookup_elem), 5058 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5059 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 5064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5065 BPF_FUNC_map_lookup_elem), 5066 BPF_MOV64_REG(BPF_REG_0, 0), 5067 BPF_EXIT_INSN(), 5068 }, 5069 .fixup_map_in_map = { 3 }, 5070 .errstr = "R1 type=inv expected=map_ptr", 5071 .errstr_unpriv = "R1 pointer arithmetic prohibited", 5072 .result = REJECT, 5073 }, 5074 { 5075 "forgot null checking on the inner map pointer", 5076 .insns = { 5077 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5080 BPF_LD_MAP_FD(BPF_REG_1, 0), 5081 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5082 BPF_FUNC_map_lookup_elem), 5083 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5088 BPF_FUNC_map_lookup_elem), 5089 BPF_MOV64_REG(BPF_REG_0, 0), 5090 BPF_EXIT_INSN(), 5091 }, 5092 .fixup_map_in_map = { 3 }, 5093 .errstr = "R1 type=map_value_or_null expected=map_ptr", 5094 .result = REJECT, 5095 }, 5096 { 5097 "ld_abs: check calling conv, r1", 5098 .insns = { 5099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5100 BPF_MOV64_IMM(BPF_REG_1, 0), 5101 BPF_LD_ABS(BPF_W, -0x200000), 5102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 5103 BPF_EXIT_INSN(), 5104 }, 5105 .errstr = "R1 !read_ok", 5106 .result = REJECT, 5107 }, 5108 { 5109 "ld_abs: check calling conv, r2", 5110 .insns = { 5111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5112 BPF_MOV64_IMM(BPF_REG_2, 0), 5113 BPF_LD_ABS(BPF_W, -0x200000), 5114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 5115 BPF_EXIT_INSN(), 5116 }, 5117 .errstr = "R2 !read_ok", 5118 .result = REJECT, 5119 }, 5120 { 5121 "ld_abs: check calling conv, r3", 5122 .insns = { 5123 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5124 BPF_MOV64_IMM(BPF_REG_3, 0), 5125 BPF_LD_ABS(BPF_W, -0x200000), 5126 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 5127 BPF_EXIT_INSN(), 5128 }, 5129 .errstr = "R3 !read_ok", 5130 .result = REJECT, 5131 }, 5132 { 5133 "ld_abs: check calling conv, r4", 5134 .insns = { 5135 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5136 BPF_MOV64_IMM(BPF_REG_4, 0), 5137 BPF_LD_ABS(BPF_W, -0x200000), 5138 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 5139 BPF_EXIT_INSN(), 5140 }, 5141 .errstr = "R4 !read_ok", 5142 .result = REJECT, 5143 }, 5144 { 5145 "ld_abs: check calling conv, r5", 5146 .insns = { 5147 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5148 BPF_MOV64_IMM(BPF_REG_5, 0), 5149 BPF_LD_ABS(BPF_W, -0x200000), 5150 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 5151 BPF_EXIT_INSN(), 5152 }, 5153 .errstr = "R5 !read_ok", 5154 .result = REJECT, 5155 }, 5156 { 5157 "ld_abs: check calling conv, r7", 5158 .insns = { 5159 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5160 BPF_MOV64_IMM(BPF_REG_7, 0), 5161 BPF_LD_ABS(BPF_W, -0x200000), 5162 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 5163 BPF_EXIT_INSN(), 5164 }, 5165 .result = ACCEPT, 5166 }, 5167 { 5168 "ld_ind: check calling conv, r1", 5169 .insns = { 5170 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5171 BPF_MOV64_IMM(BPF_REG_1, 1), 5172 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000), 5173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 5174 BPF_EXIT_INSN(), 5175 }, 5176 .errstr = "R1 !read_ok", 5177 .result = REJECT, 5178 }, 5179 { 5180 "ld_ind: check calling conv, r2", 5181 .insns = { 5182 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5183 BPF_MOV64_IMM(BPF_REG_2, 1), 5184 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000), 5185 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 5186 BPF_EXIT_INSN(), 5187 }, 5188 .errstr = "R2 !read_ok", 5189 .result = REJECT, 5190 }, 5191 { 5192 "ld_ind: check calling conv, r3", 5193 .insns = { 5194 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5195 BPF_MOV64_IMM(BPF_REG_3, 1), 5196 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000), 5197 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 5198 BPF_EXIT_INSN(), 5199 }, 5200 .errstr = "R3 !read_ok", 5201 .result = REJECT, 5202 }, 5203 { 5204 "ld_ind: check calling conv, r4", 5205 .insns = { 5206 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5207 BPF_MOV64_IMM(BPF_REG_4, 1), 5208 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000), 5209 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 5210 BPF_EXIT_INSN(), 5211 }, 5212 .errstr = "R4 !read_ok", 5213 .result = REJECT, 5214 }, 5215 { 5216 "ld_ind: check calling conv, r5", 5217 .insns = { 5218 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5219 BPF_MOV64_IMM(BPF_REG_5, 1), 5220 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000), 5221 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 5222 BPF_EXIT_INSN(), 5223 }, 5224 .errstr = "R5 !read_ok", 5225 .result = REJECT, 5226 }, 5227 { 5228 "ld_ind: check calling conv, r7", 5229 .insns = { 5230 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5231 BPF_MOV64_IMM(BPF_REG_7, 1), 5232 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000), 5233 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 5234 BPF_EXIT_INSN(), 5235 }, 5236 .result = ACCEPT, 5237 }, 5238 }; 5239 5240 static int probe_filter_length(const struct bpf_insn *fp) 5241 { 5242 int len; 5243 5244 for (len = MAX_INSNS - 1; len > 0; --len) 5245 if (fp[len].code != 0 || fp[len].imm != 0) 5246 break; 5247 return len + 1; 5248 } 5249 5250 static int create_map(uint32_t size_value, uint32_t max_elem) 5251 { 5252 int fd; 5253 5254 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 5255 size_value, max_elem, BPF_F_NO_PREALLOC); 5256 if (fd < 0) 5257 printf("Failed to create hash map '%s'!\n", strerror(errno)); 5258 5259 return fd; 5260 } 5261 5262 static int create_prog_array(void) 5263 { 5264 int fd; 5265 5266 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 5267 sizeof(int), 4, 0); 5268 if (fd < 0) 5269 printf("Failed to create prog array '%s'!\n", strerror(errno)); 5270 5271 return fd; 5272 } 5273 5274 static int create_map_in_map(void) 5275 { 5276 int inner_map_fd, outer_map_fd; 5277 5278 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 5279 sizeof(int), 1, 0); 5280 if (inner_map_fd < 0) { 5281 printf("Failed to create array '%s'!\n", strerror(errno)); 5282 return inner_map_fd; 5283 } 5284 5285 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, 5286 sizeof(int), inner_map_fd, 1, 0); 5287 if (outer_map_fd < 0) 5288 printf("Failed to create array of maps '%s'!\n", 5289 strerror(errno)); 5290 5291 close(inner_map_fd); 5292 5293 return outer_map_fd; 5294 } 5295 5296 static char bpf_vlog[32768]; 5297 5298 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 5299 int *map_fds) 5300 { 5301 int *fixup_map1 = test->fixup_map1; 5302 int *fixup_map2 = test->fixup_map2; 5303 int *fixup_prog = test->fixup_prog; 5304 int *fixup_map_in_map = test->fixup_map_in_map; 5305 5306 /* Allocating HTs with 1 elem is fine here, since we only test 5307 * for verifier and not do a runtime lookup, so the only thing 5308 * that really matters is value size in this case. 5309 */ 5310 if (*fixup_map1) { 5311 map_fds[0] = create_map(sizeof(long long), 1); 5312 do { 5313 prog[*fixup_map1].imm = map_fds[0]; 5314 fixup_map1++; 5315 } while (*fixup_map1); 5316 } 5317 5318 if (*fixup_map2) { 5319 map_fds[1] = create_map(sizeof(struct test_val), 1); 5320 do { 5321 prog[*fixup_map2].imm = map_fds[1]; 5322 fixup_map2++; 5323 } while (*fixup_map2); 5324 } 5325 5326 if (*fixup_prog) { 5327 map_fds[2] = create_prog_array(); 5328 do { 5329 prog[*fixup_prog].imm = map_fds[2]; 5330 fixup_prog++; 5331 } while (*fixup_prog); 5332 } 5333 5334 if (*fixup_map_in_map) { 5335 map_fds[3] = create_map_in_map(); 5336 do { 5337 prog[*fixup_map_in_map].imm = map_fds[3]; 5338 fixup_map_in_map++; 5339 } while (*fixup_map_in_map); 5340 } 5341 } 5342 5343 static void do_test_single(struct bpf_test *test, bool unpriv, 5344 int *passes, int *errors) 5345 { 5346 int fd_prog, expected_ret, reject_from_alignment; 5347 struct bpf_insn *prog = test->insns; 5348 int prog_len = probe_filter_length(prog); 5349 int prog_type = test->prog_type; 5350 int map_fds[MAX_NR_MAPS]; 5351 const char *expected_err; 5352 int i; 5353 5354 for (i = 0; i < MAX_NR_MAPS; i++) 5355 map_fds[i] = -1; 5356 5357 do_test_fixup(test, prog, map_fds); 5358 5359 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 5360 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT, 5361 "GPL", 0, bpf_vlog, sizeof(bpf_vlog)); 5362 5363 expected_ret = unpriv && test->result_unpriv != UNDEF ? 5364 test->result_unpriv : test->result; 5365 expected_err = unpriv && test->errstr_unpriv ? 5366 test->errstr_unpriv : test->errstr; 5367 5368 reject_from_alignment = fd_prog < 0 && 5369 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) && 5370 strstr(bpf_vlog, "Unknown alignment."); 5371 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 5372 if (reject_from_alignment) { 5373 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n", 5374 strerror(errno)); 5375 goto fail_log; 5376 } 5377 #endif 5378 if (expected_ret == ACCEPT) { 5379 if (fd_prog < 0 && !reject_from_alignment) { 5380 printf("FAIL\nFailed to load prog '%s'!\n", 5381 strerror(errno)); 5382 goto fail_log; 5383 } 5384 } else { 5385 if (fd_prog >= 0) { 5386 printf("FAIL\nUnexpected success to load!\n"); 5387 goto fail_log; 5388 } 5389 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) { 5390 printf("FAIL\nUnexpected error message!\n"); 5391 goto fail_log; 5392 } 5393 } 5394 5395 (*passes)++; 5396 printf("OK%s\n", reject_from_alignment ? 5397 " (NOTE: reject due to unknown alignment)" : ""); 5398 close_fds: 5399 close(fd_prog); 5400 for (i = 0; i < MAX_NR_MAPS; i++) 5401 close(map_fds[i]); 5402 sched_yield(); 5403 return; 5404 fail_log: 5405 (*errors)++; 5406 printf("%s", bpf_vlog); 5407 goto close_fds; 5408 } 5409 5410 static bool is_admin(void) 5411 { 5412 cap_t caps; 5413 cap_flag_value_t sysadmin = CAP_CLEAR; 5414 const cap_value_t cap_val = CAP_SYS_ADMIN; 5415 5416 #ifdef CAP_IS_SUPPORTED 5417 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 5418 perror("cap_get_flag"); 5419 return false; 5420 } 5421 #endif 5422 caps = cap_get_proc(); 5423 if (!caps) { 5424 perror("cap_get_proc"); 5425 return false; 5426 } 5427 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 5428 perror("cap_get_flag"); 5429 if (cap_free(caps)) 5430 perror("cap_free"); 5431 return (sysadmin == CAP_SET); 5432 } 5433 5434 static int set_admin(bool admin) 5435 { 5436 cap_t caps; 5437 const cap_value_t cap_val = CAP_SYS_ADMIN; 5438 int ret = -1; 5439 5440 caps = cap_get_proc(); 5441 if (!caps) { 5442 perror("cap_get_proc"); 5443 return -1; 5444 } 5445 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 5446 admin ? CAP_SET : CAP_CLEAR)) { 5447 perror("cap_set_flag"); 5448 goto out; 5449 } 5450 if (cap_set_proc(caps)) { 5451 perror("cap_set_proc"); 5452 goto out; 5453 } 5454 ret = 0; 5455 out: 5456 if (cap_free(caps)) 5457 perror("cap_free"); 5458 return ret; 5459 } 5460 5461 static int do_test(bool unpriv, unsigned int from, unsigned int to) 5462 { 5463 int i, passes = 0, errors = 0; 5464 5465 for (i = from; i < to; i++) { 5466 struct bpf_test *test = &tests[i]; 5467 5468 /* Program types that are not supported by non-root we 5469 * skip right away. 5470 */ 5471 if (!test->prog_type) { 5472 if (!unpriv) 5473 set_admin(false); 5474 printf("#%d/u %s ", i, test->descr); 5475 do_test_single(test, true, &passes, &errors); 5476 if (!unpriv) 5477 set_admin(true); 5478 } 5479 5480 if (!unpriv) { 5481 printf("#%d/p %s ", i, test->descr); 5482 do_test_single(test, false, &passes, &errors); 5483 } 5484 } 5485 5486 printf("Summary: %d PASSED, %d FAILED\n", passes, errors); 5487 return errors ? -errors : 0; 5488 } 5489 5490 int main(int argc, char **argv) 5491 { 5492 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY }; 5493 struct rlimit rlim = { 1 << 20, 1 << 20 }; 5494 unsigned int from = 0, to = ARRAY_SIZE(tests); 5495 bool unpriv = !is_admin(); 5496 5497 if (argc == 3) { 5498 unsigned int l = atoi(argv[argc - 2]); 5499 unsigned int u = atoi(argv[argc - 1]); 5500 5501 if (l < to && u < to) { 5502 from = l; 5503 to = u + 1; 5504 } 5505 } else if (argc == 2) { 5506 unsigned int t = atoi(argv[argc - 1]); 5507 5508 if (t < to) { 5509 from = t; 5510 to = t + 1; 5511 } 5512 } 5513 5514 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf); 5515 return do_test(unpriv, from, to); 5516 } 5517