1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of version 2 of the GNU General Public 8 * License as published by the Free Software Foundation. 9 */ 10 11 #include <stdint.h> 12 #include <stdio.h> 13 #include <stdlib.h> 14 #include <unistd.h> 15 #include <errno.h> 16 #include <string.h> 17 #include <stddef.h> 18 #include <stdbool.h> 19 #include <sched.h> 20 21 #include <sys/capability.h> 22 #include <sys/resource.h> 23 24 #include <linux/unistd.h> 25 #include <linux/filter.h> 26 #include <linux/bpf_perf_event.h> 27 #include <linux/bpf.h> 28 29 #include <bpf/bpf.h> 30 31 #include "../../../include/linux/filter.h" 32 33 #ifndef ARRAY_SIZE 34 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 35 #endif 36 37 #define MAX_INSNS 512 38 #define MAX_FIXUPS 8 39 40 struct bpf_test { 41 const char *descr; 42 struct bpf_insn insns[MAX_INSNS]; 43 int fixup_map1[MAX_FIXUPS]; 44 int fixup_map2[MAX_FIXUPS]; 45 int fixup_prog[MAX_FIXUPS]; 46 const char *errstr; 47 const char *errstr_unpriv; 48 enum { 49 UNDEF, 50 ACCEPT, 51 REJECT 52 } result, result_unpriv; 53 enum bpf_prog_type prog_type; 54 }; 55 56 /* Note we want this to be 64 bit aligned so that the end of our array is 57 * actually the end of the structure. 58 */ 59 #define MAX_ENTRIES 11 60 61 struct test_val { 62 unsigned int index; 63 int foo[MAX_ENTRIES]; 64 }; 65 66 static struct bpf_test tests[] = { 67 { 68 "add+sub+mul", 69 .insns = { 70 BPF_MOV64_IMM(BPF_REG_1, 1), 71 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 72 BPF_MOV64_IMM(BPF_REG_2, 3), 73 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 74 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 75 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 76 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 77 BPF_EXIT_INSN(), 78 }, 79 .result = ACCEPT, 80 }, 81 { 82 "unreachable", 83 .insns = { 84 BPF_EXIT_INSN(), 85 BPF_EXIT_INSN(), 86 }, 87 .errstr = "unreachable", 88 .result = REJECT, 89 }, 90 { 91 "unreachable2", 92 .insns = { 93 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 94 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 95 BPF_EXIT_INSN(), 96 }, 97 .errstr = "unreachable", 98 .result = REJECT, 99 }, 100 { 101 "out of range jump", 102 .insns = { 103 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 104 BPF_EXIT_INSN(), 105 }, 106 .errstr = "jump out of range", 107 .result = REJECT, 108 }, 109 { 110 "out of range jump2", 111 .insns = { 112 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 113 BPF_EXIT_INSN(), 114 }, 115 .errstr = "jump out of range", 116 .result = REJECT, 117 }, 118 { 119 "test1 ld_imm64", 120 .insns = { 121 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 122 BPF_LD_IMM64(BPF_REG_0, 0), 123 BPF_LD_IMM64(BPF_REG_0, 0), 124 BPF_LD_IMM64(BPF_REG_0, 1), 125 BPF_LD_IMM64(BPF_REG_0, 1), 126 BPF_MOV64_IMM(BPF_REG_0, 2), 127 BPF_EXIT_INSN(), 128 }, 129 .errstr = "invalid BPF_LD_IMM insn", 130 .errstr_unpriv = "R1 pointer comparison", 131 .result = REJECT, 132 }, 133 { 134 "test2 ld_imm64", 135 .insns = { 136 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 137 BPF_LD_IMM64(BPF_REG_0, 0), 138 BPF_LD_IMM64(BPF_REG_0, 0), 139 BPF_LD_IMM64(BPF_REG_0, 1), 140 BPF_LD_IMM64(BPF_REG_0, 1), 141 BPF_EXIT_INSN(), 142 }, 143 .errstr = "invalid BPF_LD_IMM insn", 144 .errstr_unpriv = "R1 pointer comparison", 145 .result = REJECT, 146 }, 147 { 148 "test3 ld_imm64", 149 .insns = { 150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 151 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 152 BPF_LD_IMM64(BPF_REG_0, 0), 153 BPF_LD_IMM64(BPF_REG_0, 0), 154 BPF_LD_IMM64(BPF_REG_0, 1), 155 BPF_LD_IMM64(BPF_REG_0, 1), 156 BPF_EXIT_INSN(), 157 }, 158 .errstr = "invalid bpf_ld_imm64 insn", 159 .result = REJECT, 160 }, 161 { 162 "test4 ld_imm64", 163 .insns = { 164 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 165 BPF_EXIT_INSN(), 166 }, 167 .errstr = "invalid bpf_ld_imm64 insn", 168 .result = REJECT, 169 }, 170 { 171 "test5 ld_imm64", 172 .insns = { 173 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 174 }, 175 .errstr = "invalid bpf_ld_imm64 insn", 176 .result = REJECT, 177 }, 178 { 179 "no bpf_exit", 180 .insns = { 181 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 182 }, 183 .errstr = "jump out of range", 184 .result = REJECT, 185 }, 186 { 187 "loop (back-edge)", 188 .insns = { 189 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 190 BPF_EXIT_INSN(), 191 }, 192 .errstr = "back-edge", 193 .result = REJECT, 194 }, 195 { 196 "loop2 (back-edge)", 197 .insns = { 198 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 199 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 200 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 201 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 202 BPF_EXIT_INSN(), 203 }, 204 .errstr = "back-edge", 205 .result = REJECT, 206 }, 207 { 208 "conditional loop", 209 .insns = { 210 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 211 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 212 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 213 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 214 BPF_EXIT_INSN(), 215 }, 216 .errstr = "back-edge", 217 .result = REJECT, 218 }, 219 { 220 "read uninitialized register", 221 .insns = { 222 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 223 BPF_EXIT_INSN(), 224 }, 225 .errstr = "R2 !read_ok", 226 .result = REJECT, 227 }, 228 { 229 "read invalid register", 230 .insns = { 231 BPF_MOV64_REG(BPF_REG_0, -1), 232 BPF_EXIT_INSN(), 233 }, 234 .errstr = "R15 is invalid", 235 .result = REJECT, 236 }, 237 { 238 "program doesn't init R0 before exit", 239 .insns = { 240 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 241 BPF_EXIT_INSN(), 242 }, 243 .errstr = "R0 !read_ok", 244 .result = REJECT, 245 }, 246 { 247 "program doesn't init R0 before exit in all branches", 248 .insns = { 249 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 250 BPF_MOV64_IMM(BPF_REG_0, 1), 251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 252 BPF_EXIT_INSN(), 253 }, 254 .errstr = "R0 !read_ok", 255 .errstr_unpriv = "R1 pointer comparison", 256 .result = REJECT, 257 }, 258 { 259 "stack out of bounds", 260 .insns = { 261 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 262 BPF_EXIT_INSN(), 263 }, 264 .errstr = "invalid stack", 265 .result = REJECT, 266 }, 267 { 268 "invalid call insn1", 269 .insns = { 270 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 271 BPF_EXIT_INSN(), 272 }, 273 .errstr = "BPF_CALL uses reserved", 274 .result = REJECT, 275 }, 276 { 277 "invalid call insn2", 278 .insns = { 279 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 280 BPF_EXIT_INSN(), 281 }, 282 .errstr = "BPF_CALL uses reserved", 283 .result = REJECT, 284 }, 285 { 286 "invalid function call", 287 .insns = { 288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 289 BPF_EXIT_INSN(), 290 }, 291 .errstr = "invalid func unknown#1234567", 292 .result = REJECT, 293 }, 294 { 295 "uninitialized stack1", 296 .insns = { 297 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 299 BPF_LD_MAP_FD(BPF_REG_1, 0), 300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 301 BPF_FUNC_map_lookup_elem), 302 BPF_EXIT_INSN(), 303 }, 304 .fixup_map1 = { 2 }, 305 .errstr = "invalid indirect read from stack", 306 .result = REJECT, 307 }, 308 { 309 "uninitialized stack2", 310 .insns = { 311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 312 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 313 BPF_EXIT_INSN(), 314 }, 315 .errstr = "invalid read from stack", 316 .result = REJECT, 317 }, 318 { 319 "invalid argument register", 320 .insns = { 321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 322 BPF_FUNC_get_cgroup_classid), 323 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 324 BPF_FUNC_get_cgroup_classid), 325 BPF_EXIT_INSN(), 326 }, 327 .errstr = "R1 !read_ok", 328 .result = REJECT, 329 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 330 }, 331 { 332 "non-invalid argument register", 333 .insns = { 334 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 336 BPF_FUNC_get_cgroup_classid), 337 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 339 BPF_FUNC_get_cgroup_classid), 340 BPF_EXIT_INSN(), 341 }, 342 .result = ACCEPT, 343 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 344 }, 345 { 346 "check valid spill/fill", 347 .insns = { 348 /* spill R1(ctx) into stack */ 349 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 350 /* fill it back into R2 */ 351 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 352 /* should be able to access R0 = *(R2 + 8) */ 353 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 354 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 355 BPF_EXIT_INSN(), 356 }, 357 .errstr_unpriv = "R0 leaks addr", 358 .result = ACCEPT, 359 .result_unpriv = REJECT, 360 }, 361 { 362 "check valid spill/fill, skb mark", 363 .insns = { 364 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 365 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 367 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 368 offsetof(struct __sk_buff, mark)), 369 BPF_EXIT_INSN(), 370 }, 371 .result = ACCEPT, 372 .result_unpriv = ACCEPT, 373 }, 374 { 375 "check corrupted spill/fill", 376 .insns = { 377 /* spill R1(ctx) into stack */ 378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 379 /* mess up with R1 pointer on stack */ 380 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 381 /* fill back into R0 should fail */ 382 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 383 BPF_EXIT_INSN(), 384 }, 385 .errstr_unpriv = "attempt to corrupt spilled", 386 .errstr = "corrupted spill", 387 .result = REJECT, 388 }, 389 { 390 "invalid src register in STX", 391 .insns = { 392 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 393 BPF_EXIT_INSN(), 394 }, 395 .errstr = "R15 is invalid", 396 .result = REJECT, 397 }, 398 { 399 "invalid dst register in STX", 400 .insns = { 401 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 402 BPF_EXIT_INSN(), 403 }, 404 .errstr = "R14 is invalid", 405 .result = REJECT, 406 }, 407 { 408 "invalid dst register in ST", 409 .insns = { 410 BPF_ST_MEM(BPF_B, 14, -1, -1), 411 BPF_EXIT_INSN(), 412 }, 413 .errstr = "R14 is invalid", 414 .result = REJECT, 415 }, 416 { 417 "invalid src register in LDX", 418 .insns = { 419 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 420 BPF_EXIT_INSN(), 421 }, 422 .errstr = "R12 is invalid", 423 .result = REJECT, 424 }, 425 { 426 "invalid dst register in LDX", 427 .insns = { 428 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 429 BPF_EXIT_INSN(), 430 }, 431 .errstr = "R11 is invalid", 432 .result = REJECT, 433 }, 434 { 435 "junk insn", 436 .insns = { 437 BPF_RAW_INSN(0, 0, 0, 0, 0), 438 BPF_EXIT_INSN(), 439 }, 440 .errstr = "invalid BPF_LD_IMM", 441 .result = REJECT, 442 }, 443 { 444 "junk insn2", 445 .insns = { 446 BPF_RAW_INSN(1, 0, 0, 0, 0), 447 BPF_EXIT_INSN(), 448 }, 449 .errstr = "BPF_LDX uses reserved fields", 450 .result = REJECT, 451 }, 452 { 453 "junk insn3", 454 .insns = { 455 BPF_RAW_INSN(-1, 0, 0, 0, 0), 456 BPF_EXIT_INSN(), 457 }, 458 .errstr = "invalid BPF_ALU opcode f0", 459 .result = REJECT, 460 }, 461 { 462 "junk insn4", 463 .insns = { 464 BPF_RAW_INSN(-1, -1, -1, -1, -1), 465 BPF_EXIT_INSN(), 466 }, 467 .errstr = "invalid BPF_ALU opcode f0", 468 .result = REJECT, 469 }, 470 { 471 "junk insn5", 472 .insns = { 473 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 474 BPF_EXIT_INSN(), 475 }, 476 .errstr = "BPF_ALU uses reserved fields", 477 .result = REJECT, 478 }, 479 { 480 "misaligned read from stack", 481 .insns = { 482 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 483 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 484 BPF_EXIT_INSN(), 485 }, 486 .errstr = "misaligned access", 487 .result = REJECT, 488 }, 489 { 490 "invalid map_fd for function call", 491 .insns = { 492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 493 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 495 BPF_LD_MAP_FD(BPF_REG_1, 0), 496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 497 BPF_FUNC_map_delete_elem), 498 BPF_EXIT_INSN(), 499 }, 500 .errstr = "fd 0 is not pointing to valid bpf_map", 501 .result = REJECT, 502 }, 503 { 504 "don't check return value before access", 505 .insns = { 506 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 507 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 509 BPF_LD_MAP_FD(BPF_REG_1, 0), 510 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 511 BPF_FUNC_map_lookup_elem), 512 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 513 BPF_EXIT_INSN(), 514 }, 515 .fixup_map1 = { 3 }, 516 .errstr = "R0 invalid mem access 'map_value_or_null'", 517 .result = REJECT, 518 }, 519 { 520 "access memory with incorrect alignment", 521 .insns = { 522 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 525 BPF_LD_MAP_FD(BPF_REG_1, 0), 526 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 527 BPF_FUNC_map_lookup_elem), 528 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 529 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 530 BPF_EXIT_INSN(), 531 }, 532 .fixup_map1 = { 3 }, 533 .errstr = "misaligned access", 534 .result = REJECT, 535 }, 536 { 537 "sometimes access memory with incorrect alignment", 538 .insns = { 539 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 540 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 542 BPF_LD_MAP_FD(BPF_REG_1, 0), 543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 544 BPF_FUNC_map_lookup_elem), 545 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 546 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 547 BPF_EXIT_INSN(), 548 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 549 BPF_EXIT_INSN(), 550 }, 551 .fixup_map1 = { 3 }, 552 .errstr = "R0 invalid mem access", 553 .errstr_unpriv = "R0 leaks addr", 554 .result = REJECT, 555 }, 556 { 557 "jump test 1", 558 .insns = { 559 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 560 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 561 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 562 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 563 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 564 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 565 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 566 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 567 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 568 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 569 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 570 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 572 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 573 BPF_MOV64_IMM(BPF_REG_0, 0), 574 BPF_EXIT_INSN(), 575 }, 576 .errstr_unpriv = "R1 pointer comparison", 577 .result_unpriv = REJECT, 578 .result = ACCEPT, 579 }, 580 { 581 "jump test 2", 582 .insns = { 583 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 585 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 586 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 588 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 589 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 590 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 591 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 592 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 594 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 595 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 597 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 598 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 600 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 601 BPF_MOV64_IMM(BPF_REG_0, 0), 602 BPF_EXIT_INSN(), 603 }, 604 .errstr_unpriv = "R1 pointer comparison", 605 .result_unpriv = REJECT, 606 .result = ACCEPT, 607 }, 608 { 609 "jump test 3", 610 .insns = { 611 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 613 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 615 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 616 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 617 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 619 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 621 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 623 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 624 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 625 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 627 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 628 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 629 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 631 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 632 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 633 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 635 BPF_LD_MAP_FD(BPF_REG_1, 0), 636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 637 BPF_FUNC_map_delete_elem), 638 BPF_EXIT_INSN(), 639 }, 640 .fixup_map1 = { 24 }, 641 .errstr_unpriv = "R1 pointer comparison", 642 .result_unpriv = REJECT, 643 .result = ACCEPT, 644 }, 645 { 646 "jump test 4", 647 .insns = { 648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 651 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 654 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 658 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 660 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 662 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 667 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 670 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 674 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 676 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 681 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 688 BPF_MOV64_IMM(BPF_REG_0, 0), 689 BPF_EXIT_INSN(), 690 }, 691 .errstr_unpriv = "R1 pointer comparison", 692 .result_unpriv = REJECT, 693 .result = ACCEPT, 694 }, 695 { 696 "jump test 5", 697 .insns = { 698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 699 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 700 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 701 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 702 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 703 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 704 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 705 BPF_MOV64_IMM(BPF_REG_0, 0), 706 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 707 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 708 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 709 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 710 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 711 BPF_MOV64_IMM(BPF_REG_0, 0), 712 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 713 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 714 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 715 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 716 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 717 BPF_MOV64_IMM(BPF_REG_0, 0), 718 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 719 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 720 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 721 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 722 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 723 BPF_MOV64_IMM(BPF_REG_0, 0), 724 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 725 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 726 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 727 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 728 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 729 BPF_MOV64_IMM(BPF_REG_0, 0), 730 BPF_EXIT_INSN(), 731 }, 732 .errstr_unpriv = "R1 pointer comparison", 733 .result_unpriv = REJECT, 734 .result = ACCEPT, 735 }, 736 { 737 "access skb fields ok", 738 .insns = { 739 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 740 offsetof(struct __sk_buff, len)), 741 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 743 offsetof(struct __sk_buff, mark)), 744 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 746 offsetof(struct __sk_buff, pkt_type)), 747 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 748 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 749 offsetof(struct __sk_buff, queue_mapping)), 750 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 751 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 752 offsetof(struct __sk_buff, protocol)), 753 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 754 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 755 offsetof(struct __sk_buff, vlan_present)), 756 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 757 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 758 offsetof(struct __sk_buff, vlan_tci)), 759 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 760 BPF_EXIT_INSN(), 761 }, 762 .result = ACCEPT, 763 }, 764 { 765 "access skb fields bad1", 766 .insns = { 767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 768 BPF_EXIT_INSN(), 769 }, 770 .errstr = "invalid bpf_context access", 771 .result = REJECT, 772 }, 773 { 774 "access skb fields bad2", 775 .insns = { 776 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 777 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 780 BPF_LD_MAP_FD(BPF_REG_1, 0), 781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 782 BPF_FUNC_map_lookup_elem), 783 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 784 BPF_EXIT_INSN(), 785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 786 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 787 offsetof(struct __sk_buff, pkt_type)), 788 BPF_EXIT_INSN(), 789 }, 790 .fixup_map1 = { 4 }, 791 .errstr = "different pointers", 792 .errstr_unpriv = "R1 pointer comparison", 793 .result = REJECT, 794 }, 795 { 796 "access skb fields bad3", 797 .insns = { 798 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 799 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 800 offsetof(struct __sk_buff, pkt_type)), 801 BPF_EXIT_INSN(), 802 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 803 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 805 BPF_LD_MAP_FD(BPF_REG_1, 0), 806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 807 BPF_FUNC_map_lookup_elem), 808 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 809 BPF_EXIT_INSN(), 810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 811 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 812 }, 813 .fixup_map1 = { 6 }, 814 .errstr = "different pointers", 815 .errstr_unpriv = "R1 pointer comparison", 816 .result = REJECT, 817 }, 818 { 819 "access skb fields bad4", 820 .insns = { 821 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 822 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 823 offsetof(struct __sk_buff, len)), 824 BPF_MOV64_IMM(BPF_REG_0, 0), 825 BPF_EXIT_INSN(), 826 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 827 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 829 BPF_LD_MAP_FD(BPF_REG_1, 0), 830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 831 BPF_FUNC_map_lookup_elem), 832 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 833 BPF_EXIT_INSN(), 834 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 835 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 836 }, 837 .fixup_map1 = { 7 }, 838 .errstr = "different pointers", 839 .errstr_unpriv = "R1 pointer comparison", 840 .result = REJECT, 841 }, 842 { 843 "check skb->mark is not writeable by sockets", 844 .insns = { 845 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 846 offsetof(struct __sk_buff, mark)), 847 BPF_EXIT_INSN(), 848 }, 849 .errstr = "invalid bpf_context access", 850 .errstr_unpriv = "R1 leaks addr", 851 .result = REJECT, 852 }, 853 { 854 "check skb->tc_index is not writeable by sockets", 855 .insns = { 856 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 857 offsetof(struct __sk_buff, tc_index)), 858 BPF_EXIT_INSN(), 859 }, 860 .errstr = "invalid bpf_context access", 861 .errstr_unpriv = "R1 leaks addr", 862 .result = REJECT, 863 }, 864 { 865 "check cb access: byte", 866 .insns = { 867 BPF_MOV64_IMM(BPF_REG_0, 0), 868 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 869 offsetof(struct __sk_buff, cb[0])), 870 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 871 offsetof(struct __sk_buff, cb[0]) + 1), 872 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 873 offsetof(struct __sk_buff, cb[0]) + 2), 874 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 875 offsetof(struct __sk_buff, cb[0]) + 3), 876 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 877 offsetof(struct __sk_buff, cb[1])), 878 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 879 offsetof(struct __sk_buff, cb[1]) + 1), 880 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 881 offsetof(struct __sk_buff, cb[1]) + 2), 882 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 883 offsetof(struct __sk_buff, cb[1]) + 3), 884 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 885 offsetof(struct __sk_buff, cb[2])), 886 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 887 offsetof(struct __sk_buff, cb[2]) + 1), 888 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 889 offsetof(struct __sk_buff, cb[2]) + 2), 890 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 891 offsetof(struct __sk_buff, cb[2]) + 3), 892 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 893 offsetof(struct __sk_buff, cb[3])), 894 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 895 offsetof(struct __sk_buff, cb[3]) + 1), 896 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 897 offsetof(struct __sk_buff, cb[3]) + 2), 898 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 899 offsetof(struct __sk_buff, cb[3]) + 3), 900 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 901 offsetof(struct __sk_buff, cb[4])), 902 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 903 offsetof(struct __sk_buff, cb[4]) + 1), 904 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 905 offsetof(struct __sk_buff, cb[4]) + 2), 906 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 907 offsetof(struct __sk_buff, cb[4]) + 3), 908 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 909 offsetof(struct __sk_buff, cb[0])), 910 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 911 offsetof(struct __sk_buff, cb[0]) + 1), 912 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 913 offsetof(struct __sk_buff, cb[0]) + 2), 914 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 915 offsetof(struct __sk_buff, cb[0]) + 3), 916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 917 offsetof(struct __sk_buff, cb[1])), 918 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 919 offsetof(struct __sk_buff, cb[1]) + 1), 920 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 921 offsetof(struct __sk_buff, cb[1]) + 2), 922 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 923 offsetof(struct __sk_buff, cb[1]) + 3), 924 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 925 offsetof(struct __sk_buff, cb[2])), 926 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 927 offsetof(struct __sk_buff, cb[2]) + 1), 928 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 929 offsetof(struct __sk_buff, cb[2]) + 2), 930 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 931 offsetof(struct __sk_buff, cb[2]) + 3), 932 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 933 offsetof(struct __sk_buff, cb[3])), 934 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 935 offsetof(struct __sk_buff, cb[3]) + 1), 936 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 937 offsetof(struct __sk_buff, cb[3]) + 2), 938 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 939 offsetof(struct __sk_buff, cb[3]) + 3), 940 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 941 offsetof(struct __sk_buff, cb[4])), 942 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 943 offsetof(struct __sk_buff, cb[4]) + 1), 944 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 945 offsetof(struct __sk_buff, cb[4]) + 2), 946 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 947 offsetof(struct __sk_buff, cb[4]) + 3), 948 BPF_EXIT_INSN(), 949 }, 950 .result = ACCEPT, 951 }, 952 { 953 "check cb access: byte, oob 1", 954 .insns = { 955 BPF_MOV64_IMM(BPF_REG_0, 0), 956 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 957 offsetof(struct __sk_buff, cb[4]) + 4), 958 BPF_EXIT_INSN(), 959 }, 960 .errstr = "invalid bpf_context access", 961 .result = REJECT, 962 }, 963 { 964 "check cb access: byte, oob 2", 965 .insns = { 966 BPF_MOV64_IMM(BPF_REG_0, 0), 967 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 968 offsetof(struct __sk_buff, cb[0]) - 1), 969 BPF_EXIT_INSN(), 970 }, 971 .errstr = "invalid bpf_context access", 972 .result = REJECT, 973 }, 974 { 975 "check cb access: byte, oob 3", 976 .insns = { 977 BPF_MOV64_IMM(BPF_REG_0, 0), 978 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 979 offsetof(struct __sk_buff, cb[4]) + 4), 980 BPF_EXIT_INSN(), 981 }, 982 .errstr = "invalid bpf_context access", 983 .result = REJECT, 984 }, 985 { 986 "check cb access: byte, oob 4", 987 .insns = { 988 BPF_MOV64_IMM(BPF_REG_0, 0), 989 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 990 offsetof(struct __sk_buff, cb[0]) - 1), 991 BPF_EXIT_INSN(), 992 }, 993 .errstr = "invalid bpf_context access", 994 .result = REJECT, 995 }, 996 { 997 "check cb access: byte, wrong type", 998 .insns = { 999 BPF_MOV64_IMM(BPF_REG_0, 0), 1000 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1001 offsetof(struct __sk_buff, cb[0])), 1002 BPF_EXIT_INSN(), 1003 }, 1004 .errstr = "invalid bpf_context access", 1005 .result = REJECT, 1006 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1007 }, 1008 { 1009 "check cb access: half", 1010 .insns = { 1011 BPF_MOV64_IMM(BPF_REG_0, 0), 1012 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1013 offsetof(struct __sk_buff, cb[0])), 1014 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1015 offsetof(struct __sk_buff, cb[0]) + 2), 1016 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1017 offsetof(struct __sk_buff, cb[1])), 1018 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1019 offsetof(struct __sk_buff, cb[1]) + 2), 1020 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1021 offsetof(struct __sk_buff, cb[2])), 1022 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1023 offsetof(struct __sk_buff, cb[2]) + 2), 1024 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1025 offsetof(struct __sk_buff, cb[3])), 1026 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1027 offsetof(struct __sk_buff, cb[3]) + 2), 1028 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1029 offsetof(struct __sk_buff, cb[4])), 1030 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1031 offsetof(struct __sk_buff, cb[4]) + 2), 1032 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1033 offsetof(struct __sk_buff, cb[0])), 1034 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1035 offsetof(struct __sk_buff, cb[0]) + 2), 1036 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1037 offsetof(struct __sk_buff, cb[1])), 1038 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1039 offsetof(struct __sk_buff, cb[1]) + 2), 1040 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1041 offsetof(struct __sk_buff, cb[2])), 1042 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1043 offsetof(struct __sk_buff, cb[2]) + 2), 1044 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1045 offsetof(struct __sk_buff, cb[3])), 1046 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1047 offsetof(struct __sk_buff, cb[3]) + 2), 1048 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1049 offsetof(struct __sk_buff, cb[4])), 1050 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1051 offsetof(struct __sk_buff, cb[4]) + 2), 1052 BPF_EXIT_INSN(), 1053 }, 1054 .result = ACCEPT, 1055 }, 1056 { 1057 "check cb access: half, unaligned", 1058 .insns = { 1059 BPF_MOV64_IMM(BPF_REG_0, 0), 1060 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1061 offsetof(struct __sk_buff, cb[0]) + 1), 1062 BPF_EXIT_INSN(), 1063 }, 1064 .errstr = "misaligned access", 1065 .result = REJECT, 1066 }, 1067 { 1068 "check cb access: half, oob 1", 1069 .insns = { 1070 BPF_MOV64_IMM(BPF_REG_0, 0), 1071 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1072 offsetof(struct __sk_buff, cb[4]) + 4), 1073 BPF_EXIT_INSN(), 1074 }, 1075 .errstr = "invalid bpf_context access", 1076 .result = REJECT, 1077 }, 1078 { 1079 "check cb access: half, oob 2", 1080 .insns = { 1081 BPF_MOV64_IMM(BPF_REG_0, 0), 1082 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1083 offsetof(struct __sk_buff, cb[0]) - 2), 1084 BPF_EXIT_INSN(), 1085 }, 1086 .errstr = "invalid bpf_context access", 1087 .result = REJECT, 1088 }, 1089 { 1090 "check cb access: half, oob 3", 1091 .insns = { 1092 BPF_MOV64_IMM(BPF_REG_0, 0), 1093 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1094 offsetof(struct __sk_buff, cb[4]) + 4), 1095 BPF_EXIT_INSN(), 1096 }, 1097 .errstr = "invalid bpf_context access", 1098 .result = REJECT, 1099 }, 1100 { 1101 "check cb access: half, oob 4", 1102 .insns = { 1103 BPF_MOV64_IMM(BPF_REG_0, 0), 1104 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1105 offsetof(struct __sk_buff, cb[0]) - 2), 1106 BPF_EXIT_INSN(), 1107 }, 1108 .errstr = "invalid bpf_context access", 1109 .result = REJECT, 1110 }, 1111 { 1112 "check cb access: half, wrong type", 1113 .insns = { 1114 BPF_MOV64_IMM(BPF_REG_0, 0), 1115 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1116 offsetof(struct __sk_buff, cb[0])), 1117 BPF_EXIT_INSN(), 1118 }, 1119 .errstr = "invalid bpf_context access", 1120 .result = REJECT, 1121 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1122 }, 1123 { 1124 "check cb access: word", 1125 .insns = { 1126 BPF_MOV64_IMM(BPF_REG_0, 0), 1127 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1128 offsetof(struct __sk_buff, cb[0])), 1129 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1130 offsetof(struct __sk_buff, cb[1])), 1131 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1132 offsetof(struct __sk_buff, cb[2])), 1133 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1134 offsetof(struct __sk_buff, cb[3])), 1135 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1136 offsetof(struct __sk_buff, cb[4])), 1137 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1138 offsetof(struct __sk_buff, cb[0])), 1139 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1140 offsetof(struct __sk_buff, cb[1])), 1141 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1142 offsetof(struct __sk_buff, cb[2])), 1143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1144 offsetof(struct __sk_buff, cb[3])), 1145 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1146 offsetof(struct __sk_buff, cb[4])), 1147 BPF_EXIT_INSN(), 1148 }, 1149 .result = ACCEPT, 1150 }, 1151 { 1152 "check cb access: word, unaligned 1", 1153 .insns = { 1154 BPF_MOV64_IMM(BPF_REG_0, 0), 1155 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1156 offsetof(struct __sk_buff, cb[0]) + 2), 1157 BPF_EXIT_INSN(), 1158 }, 1159 .errstr = "misaligned access", 1160 .result = REJECT, 1161 }, 1162 { 1163 "check cb access: word, unaligned 2", 1164 .insns = { 1165 BPF_MOV64_IMM(BPF_REG_0, 0), 1166 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1167 offsetof(struct __sk_buff, cb[4]) + 1), 1168 BPF_EXIT_INSN(), 1169 }, 1170 .errstr = "misaligned access", 1171 .result = REJECT, 1172 }, 1173 { 1174 "check cb access: word, unaligned 3", 1175 .insns = { 1176 BPF_MOV64_IMM(BPF_REG_0, 0), 1177 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1178 offsetof(struct __sk_buff, cb[4]) + 2), 1179 BPF_EXIT_INSN(), 1180 }, 1181 .errstr = "misaligned access", 1182 .result = REJECT, 1183 }, 1184 { 1185 "check cb access: word, unaligned 4", 1186 .insns = { 1187 BPF_MOV64_IMM(BPF_REG_0, 0), 1188 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1189 offsetof(struct __sk_buff, cb[4]) + 3), 1190 BPF_EXIT_INSN(), 1191 }, 1192 .errstr = "misaligned access", 1193 .result = REJECT, 1194 }, 1195 { 1196 "check cb access: double", 1197 .insns = { 1198 BPF_MOV64_IMM(BPF_REG_0, 0), 1199 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1200 offsetof(struct __sk_buff, cb[0])), 1201 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1202 offsetof(struct __sk_buff, cb[2])), 1203 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1204 offsetof(struct __sk_buff, cb[0])), 1205 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1206 offsetof(struct __sk_buff, cb[2])), 1207 BPF_EXIT_INSN(), 1208 }, 1209 .result = ACCEPT, 1210 }, 1211 { 1212 "check cb access: double, unaligned 1", 1213 .insns = { 1214 BPF_MOV64_IMM(BPF_REG_0, 0), 1215 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1216 offsetof(struct __sk_buff, cb[1])), 1217 BPF_EXIT_INSN(), 1218 }, 1219 .errstr = "misaligned access", 1220 .result = REJECT, 1221 }, 1222 { 1223 "check cb access: double, unaligned 2", 1224 .insns = { 1225 BPF_MOV64_IMM(BPF_REG_0, 0), 1226 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1227 offsetof(struct __sk_buff, cb[3])), 1228 BPF_EXIT_INSN(), 1229 }, 1230 .errstr = "misaligned access", 1231 .result = REJECT, 1232 }, 1233 { 1234 "check cb access: double, oob 1", 1235 .insns = { 1236 BPF_MOV64_IMM(BPF_REG_0, 0), 1237 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1238 offsetof(struct __sk_buff, cb[4])), 1239 BPF_EXIT_INSN(), 1240 }, 1241 .errstr = "invalid bpf_context access", 1242 .result = REJECT, 1243 }, 1244 { 1245 "check cb access: double, oob 2", 1246 .insns = { 1247 BPF_MOV64_IMM(BPF_REG_0, 0), 1248 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1249 offsetof(struct __sk_buff, cb[4]) + 8), 1250 BPF_EXIT_INSN(), 1251 }, 1252 .errstr = "invalid bpf_context access", 1253 .result = REJECT, 1254 }, 1255 { 1256 "check cb access: double, oob 3", 1257 .insns = { 1258 BPF_MOV64_IMM(BPF_REG_0, 0), 1259 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1260 offsetof(struct __sk_buff, cb[0]) - 8), 1261 BPF_EXIT_INSN(), 1262 }, 1263 .errstr = "invalid bpf_context access", 1264 .result = REJECT, 1265 }, 1266 { 1267 "check cb access: double, oob 4", 1268 .insns = { 1269 BPF_MOV64_IMM(BPF_REG_0, 0), 1270 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1271 offsetof(struct __sk_buff, cb[4])), 1272 BPF_EXIT_INSN(), 1273 }, 1274 .errstr = "invalid bpf_context access", 1275 .result = REJECT, 1276 }, 1277 { 1278 "check cb access: double, oob 5", 1279 .insns = { 1280 BPF_MOV64_IMM(BPF_REG_0, 0), 1281 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1282 offsetof(struct __sk_buff, cb[4]) + 8), 1283 BPF_EXIT_INSN(), 1284 }, 1285 .errstr = "invalid bpf_context access", 1286 .result = REJECT, 1287 }, 1288 { 1289 "check cb access: double, oob 6", 1290 .insns = { 1291 BPF_MOV64_IMM(BPF_REG_0, 0), 1292 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1293 offsetof(struct __sk_buff, cb[0]) - 8), 1294 BPF_EXIT_INSN(), 1295 }, 1296 .errstr = "invalid bpf_context access", 1297 .result = REJECT, 1298 }, 1299 { 1300 "check cb access: double, wrong type", 1301 .insns = { 1302 BPF_MOV64_IMM(BPF_REG_0, 0), 1303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1304 offsetof(struct __sk_buff, cb[0])), 1305 BPF_EXIT_INSN(), 1306 }, 1307 .errstr = "invalid bpf_context access", 1308 .result = REJECT, 1309 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1310 }, 1311 { 1312 "check out of range skb->cb access", 1313 .insns = { 1314 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1315 offsetof(struct __sk_buff, cb[0]) + 256), 1316 BPF_EXIT_INSN(), 1317 }, 1318 .errstr = "invalid bpf_context access", 1319 .errstr_unpriv = "", 1320 .result = REJECT, 1321 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 1322 }, 1323 { 1324 "write skb fields from socket prog", 1325 .insns = { 1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1327 offsetof(struct __sk_buff, cb[4])), 1328 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1330 offsetof(struct __sk_buff, mark)), 1331 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1332 offsetof(struct __sk_buff, tc_index)), 1333 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1334 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1335 offsetof(struct __sk_buff, cb[0])), 1336 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1337 offsetof(struct __sk_buff, cb[2])), 1338 BPF_EXIT_INSN(), 1339 }, 1340 .result = ACCEPT, 1341 .errstr_unpriv = "R1 leaks addr", 1342 .result_unpriv = REJECT, 1343 }, 1344 { 1345 "write skb fields from tc_cls_act prog", 1346 .insns = { 1347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1348 offsetof(struct __sk_buff, cb[0])), 1349 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1350 offsetof(struct __sk_buff, mark)), 1351 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1352 offsetof(struct __sk_buff, tc_index)), 1353 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1354 offsetof(struct __sk_buff, tc_index)), 1355 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1356 offsetof(struct __sk_buff, cb[3])), 1357 BPF_EXIT_INSN(), 1358 }, 1359 .errstr_unpriv = "", 1360 .result_unpriv = REJECT, 1361 .result = ACCEPT, 1362 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1363 }, 1364 { 1365 "PTR_TO_STACK store/load", 1366 .insns = { 1367 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1368 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1369 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1370 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1371 BPF_EXIT_INSN(), 1372 }, 1373 .result = ACCEPT, 1374 }, 1375 { 1376 "PTR_TO_STACK store/load - bad alignment on off", 1377 .insns = { 1378 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1380 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1381 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1382 BPF_EXIT_INSN(), 1383 }, 1384 .result = REJECT, 1385 .errstr = "misaligned access off -6 size 8", 1386 }, 1387 { 1388 "PTR_TO_STACK store/load - bad alignment on reg", 1389 .insns = { 1390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1392 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1393 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1394 BPF_EXIT_INSN(), 1395 }, 1396 .result = REJECT, 1397 .errstr = "misaligned access off -2 size 8", 1398 }, 1399 { 1400 "PTR_TO_STACK store/load - out of bounds low", 1401 .insns = { 1402 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 1404 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1405 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1406 BPF_EXIT_INSN(), 1407 }, 1408 .result = REJECT, 1409 .errstr = "invalid stack off=-79992 size=8", 1410 }, 1411 { 1412 "PTR_TO_STACK store/load - out of bounds high", 1413 .insns = { 1414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1416 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1417 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1418 BPF_EXIT_INSN(), 1419 }, 1420 .result = REJECT, 1421 .errstr = "invalid stack off=0 size=8", 1422 }, 1423 { 1424 "unpriv: return pointer", 1425 .insns = { 1426 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 1427 BPF_EXIT_INSN(), 1428 }, 1429 .result = ACCEPT, 1430 .result_unpriv = REJECT, 1431 .errstr_unpriv = "R0 leaks addr", 1432 }, 1433 { 1434 "unpriv: add const to pointer", 1435 .insns = { 1436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 1437 BPF_MOV64_IMM(BPF_REG_0, 0), 1438 BPF_EXIT_INSN(), 1439 }, 1440 .result = ACCEPT, 1441 .result_unpriv = REJECT, 1442 .errstr_unpriv = "R1 pointer arithmetic", 1443 }, 1444 { 1445 "unpriv: add pointer to pointer", 1446 .insns = { 1447 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1448 BPF_MOV64_IMM(BPF_REG_0, 0), 1449 BPF_EXIT_INSN(), 1450 }, 1451 .result = ACCEPT, 1452 .result_unpriv = REJECT, 1453 .errstr_unpriv = "R1 pointer arithmetic", 1454 }, 1455 { 1456 "unpriv: neg pointer", 1457 .insns = { 1458 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 1459 BPF_MOV64_IMM(BPF_REG_0, 0), 1460 BPF_EXIT_INSN(), 1461 }, 1462 .result = ACCEPT, 1463 .result_unpriv = REJECT, 1464 .errstr_unpriv = "R1 pointer arithmetic", 1465 }, 1466 { 1467 "unpriv: cmp pointer with const", 1468 .insns = { 1469 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1470 BPF_MOV64_IMM(BPF_REG_0, 0), 1471 BPF_EXIT_INSN(), 1472 }, 1473 .result = ACCEPT, 1474 .result_unpriv = REJECT, 1475 .errstr_unpriv = "R1 pointer comparison", 1476 }, 1477 { 1478 "unpriv: cmp pointer with pointer", 1479 .insns = { 1480 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1481 BPF_MOV64_IMM(BPF_REG_0, 0), 1482 BPF_EXIT_INSN(), 1483 }, 1484 .result = ACCEPT, 1485 .result_unpriv = REJECT, 1486 .errstr_unpriv = "R10 pointer comparison", 1487 }, 1488 { 1489 "unpriv: check that printk is disallowed", 1490 .insns = { 1491 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1494 BPF_MOV64_IMM(BPF_REG_2, 8), 1495 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1497 BPF_FUNC_trace_printk), 1498 BPF_MOV64_IMM(BPF_REG_0, 0), 1499 BPF_EXIT_INSN(), 1500 }, 1501 .errstr_unpriv = "unknown func bpf_trace_printk#6", 1502 .result_unpriv = REJECT, 1503 .result = ACCEPT, 1504 }, 1505 { 1506 "unpriv: pass pointer to helper function", 1507 .insns = { 1508 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1509 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1511 BPF_LD_MAP_FD(BPF_REG_1, 0), 1512 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1513 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 1514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1515 BPF_FUNC_map_update_elem), 1516 BPF_MOV64_IMM(BPF_REG_0, 0), 1517 BPF_EXIT_INSN(), 1518 }, 1519 .fixup_map1 = { 3 }, 1520 .errstr_unpriv = "R4 leaks addr", 1521 .result_unpriv = REJECT, 1522 .result = ACCEPT, 1523 }, 1524 { 1525 "unpriv: indirectly pass pointer on stack to helper function", 1526 .insns = { 1527 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1530 BPF_LD_MAP_FD(BPF_REG_1, 0), 1531 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1532 BPF_FUNC_map_lookup_elem), 1533 BPF_MOV64_IMM(BPF_REG_0, 0), 1534 BPF_EXIT_INSN(), 1535 }, 1536 .fixup_map1 = { 3 }, 1537 .errstr = "invalid indirect read from stack off -8+0 size 8", 1538 .result = REJECT, 1539 }, 1540 { 1541 "unpriv: mangle pointer on stack 1", 1542 .insns = { 1543 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1544 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 1545 BPF_MOV64_IMM(BPF_REG_0, 0), 1546 BPF_EXIT_INSN(), 1547 }, 1548 .errstr_unpriv = "attempt to corrupt spilled", 1549 .result_unpriv = REJECT, 1550 .result = ACCEPT, 1551 }, 1552 { 1553 "unpriv: mangle pointer on stack 2", 1554 .insns = { 1555 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1556 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 1557 BPF_MOV64_IMM(BPF_REG_0, 0), 1558 BPF_EXIT_INSN(), 1559 }, 1560 .errstr_unpriv = "attempt to corrupt spilled", 1561 .result_unpriv = REJECT, 1562 .result = ACCEPT, 1563 }, 1564 { 1565 "unpriv: read pointer from stack in small chunks", 1566 .insns = { 1567 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1568 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 1569 BPF_MOV64_IMM(BPF_REG_0, 0), 1570 BPF_EXIT_INSN(), 1571 }, 1572 .errstr = "invalid size", 1573 .result = REJECT, 1574 }, 1575 { 1576 "unpriv: write pointer into ctx", 1577 .insns = { 1578 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 1579 BPF_MOV64_IMM(BPF_REG_0, 0), 1580 BPF_EXIT_INSN(), 1581 }, 1582 .errstr_unpriv = "R1 leaks addr", 1583 .result_unpriv = REJECT, 1584 .errstr = "invalid bpf_context access", 1585 .result = REJECT, 1586 }, 1587 { 1588 "unpriv: spill/fill of ctx", 1589 .insns = { 1590 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1592 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1593 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1594 BPF_MOV64_IMM(BPF_REG_0, 0), 1595 BPF_EXIT_INSN(), 1596 }, 1597 .result = ACCEPT, 1598 }, 1599 { 1600 "unpriv: spill/fill of ctx 2", 1601 .insns = { 1602 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1604 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1605 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1606 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1607 BPF_FUNC_get_hash_recalc), 1608 BPF_EXIT_INSN(), 1609 }, 1610 .result = ACCEPT, 1611 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1612 }, 1613 { 1614 "unpriv: spill/fill of ctx 3", 1615 .insns = { 1616 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1617 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1618 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1619 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1620 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1622 BPF_FUNC_get_hash_recalc), 1623 BPF_EXIT_INSN(), 1624 }, 1625 .result = REJECT, 1626 .errstr = "R1 type=fp expected=ctx", 1627 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1628 }, 1629 { 1630 "unpriv: spill/fill of ctx 4", 1631 .insns = { 1632 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1634 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1635 BPF_MOV64_IMM(BPF_REG_0, 1), 1636 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 1637 BPF_REG_0, -8, 0), 1638 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1639 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1640 BPF_FUNC_get_hash_recalc), 1641 BPF_EXIT_INSN(), 1642 }, 1643 .result = REJECT, 1644 .errstr = "R1 type=inv expected=ctx", 1645 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1646 }, 1647 { 1648 "unpriv: spill/fill of different pointers stx", 1649 .insns = { 1650 BPF_MOV64_IMM(BPF_REG_3, 42), 1651 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1654 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 1656 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1657 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1658 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1659 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1660 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 1661 offsetof(struct __sk_buff, mark)), 1662 BPF_MOV64_IMM(BPF_REG_0, 0), 1663 BPF_EXIT_INSN(), 1664 }, 1665 .result = REJECT, 1666 .errstr = "same insn cannot be used with different pointers", 1667 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1668 }, 1669 { 1670 "unpriv: spill/fill of different pointers ldx", 1671 .insns = { 1672 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1674 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1677 -(__s32)offsetof(struct bpf_perf_event_data, 1678 sample_period) - 8), 1679 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1680 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1681 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1682 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1683 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 1684 offsetof(struct bpf_perf_event_data, 1685 sample_period)), 1686 BPF_MOV64_IMM(BPF_REG_0, 0), 1687 BPF_EXIT_INSN(), 1688 }, 1689 .result = REJECT, 1690 .errstr = "same insn cannot be used with different pointers", 1691 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 1692 }, 1693 { 1694 "unpriv: write pointer into map elem value", 1695 .insns = { 1696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1699 BPF_LD_MAP_FD(BPF_REG_1, 0), 1700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1701 BPF_FUNC_map_lookup_elem), 1702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 1703 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 1704 BPF_EXIT_INSN(), 1705 }, 1706 .fixup_map1 = { 3 }, 1707 .errstr_unpriv = "R0 leaks addr", 1708 .result_unpriv = REJECT, 1709 .result = ACCEPT, 1710 }, 1711 { 1712 "unpriv: partial copy of pointer", 1713 .insns = { 1714 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 1715 BPF_MOV64_IMM(BPF_REG_0, 0), 1716 BPF_EXIT_INSN(), 1717 }, 1718 .errstr_unpriv = "R10 partial copy", 1719 .result_unpriv = REJECT, 1720 .result = ACCEPT, 1721 }, 1722 { 1723 "unpriv: pass pointer to tail_call", 1724 .insns = { 1725 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1726 BPF_LD_MAP_FD(BPF_REG_2, 0), 1727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1728 BPF_FUNC_tail_call), 1729 BPF_MOV64_IMM(BPF_REG_0, 0), 1730 BPF_EXIT_INSN(), 1731 }, 1732 .fixup_prog = { 1 }, 1733 .errstr_unpriv = "R3 leaks addr into helper", 1734 .result_unpriv = REJECT, 1735 .result = ACCEPT, 1736 }, 1737 { 1738 "unpriv: cmp map pointer with zero", 1739 .insns = { 1740 BPF_MOV64_IMM(BPF_REG_1, 0), 1741 BPF_LD_MAP_FD(BPF_REG_1, 0), 1742 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1743 BPF_MOV64_IMM(BPF_REG_0, 0), 1744 BPF_EXIT_INSN(), 1745 }, 1746 .fixup_map1 = { 1 }, 1747 .errstr_unpriv = "R1 pointer comparison", 1748 .result_unpriv = REJECT, 1749 .result = ACCEPT, 1750 }, 1751 { 1752 "unpriv: write into frame pointer", 1753 .insns = { 1754 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 1755 BPF_MOV64_IMM(BPF_REG_0, 0), 1756 BPF_EXIT_INSN(), 1757 }, 1758 .errstr = "frame pointer is read only", 1759 .result = REJECT, 1760 }, 1761 { 1762 "unpriv: spill/fill frame pointer", 1763 .insns = { 1764 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1766 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1767 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 1768 BPF_MOV64_IMM(BPF_REG_0, 0), 1769 BPF_EXIT_INSN(), 1770 }, 1771 .errstr = "frame pointer is read only", 1772 .result = REJECT, 1773 }, 1774 { 1775 "unpriv: cmp of frame pointer", 1776 .insns = { 1777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 1778 BPF_MOV64_IMM(BPF_REG_0, 0), 1779 BPF_EXIT_INSN(), 1780 }, 1781 .errstr_unpriv = "R10 pointer comparison", 1782 .result_unpriv = REJECT, 1783 .result = ACCEPT, 1784 }, 1785 { 1786 "unpriv: cmp of stack pointer", 1787 .insns = { 1788 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 1791 BPF_MOV64_IMM(BPF_REG_0, 0), 1792 BPF_EXIT_INSN(), 1793 }, 1794 .errstr_unpriv = "R2 pointer comparison", 1795 .result_unpriv = REJECT, 1796 .result = ACCEPT, 1797 }, 1798 { 1799 "unpriv: obfuscate stack pointer", 1800 .insns = { 1801 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1804 BPF_MOV64_IMM(BPF_REG_0, 0), 1805 BPF_EXIT_INSN(), 1806 }, 1807 .errstr_unpriv = "R2 pointer arithmetic", 1808 .result_unpriv = REJECT, 1809 .result = ACCEPT, 1810 }, 1811 { 1812 "raw_stack: no skb_load_bytes", 1813 .insns = { 1814 BPF_MOV64_IMM(BPF_REG_2, 4), 1815 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1816 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1817 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1818 BPF_MOV64_IMM(BPF_REG_4, 8), 1819 /* Call to skb_load_bytes() omitted. */ 1820 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1821 BPF_EXIT_INSN(), 1822 }, 1823 .result = REJECT, 1824 .errstr = "invalid read from stack off -8+0 size 8", 1825 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1826 }, 1827 { 1828 "raw_stack: skb_load_bytes, negative len", 1829 .insns = { 1830 BPF_MOV64_IMM(BPF_REG_2, 4), 1831 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1833 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1834 BPF_MOV64_IMM(BPF_REG_4, -8), 1835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1836 BPF_FUNC_skb_load_bytes), 1837 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1838 BPF_EXIT_INSN(), 1839 }, 1840 .result = REJECT, 1841 .errstr = "invalid stack type R3", 1842 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1843 }, 1844 { 1845 "raw_stack: skb_load_bytes, negative len 2", 1846 .insns = { 1847 BPF_MOV64_IMM(BPF_REG_2, 4), 1848 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1849 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1850 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1851 BPF_MOV64_IMM(BPF_REG_4, ~0), 1852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1853 BPF_FUNC_skb_load_bytes), 1854 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1855 BPF_EXIT_INSN(), 1856 }, 1857 .result = REJECT, 1858 .errstr = "invalid stack type R3", 1859 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1860 }, 1861 { 1862 "raw_stack: skb_load_bytes, zero len", 1863 .insns = { 1864 BPF_MOV64_IMM(BPF_REG_2, 4), 1865 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1867 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1868 BPF_MOV64_IMM(BPF_REG_4, 0), 1869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1870 BPF_FUNC_skb_load_bytes), 1871 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1872 BPF_EXIT_INSN(), 1873 }, 1874 .result = REJECT, 1875 .errstr = "invalid stack type R3", 1876 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1877 }, 1878 { 1879 "raw_stack: skb_load_bytes, no init", 1880 .insns = { 1881 BPF_MOV64_IMM(BPF_REG_2, 4), 1882 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1884 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1885 BPF_MOV64_IMM(BPF_REG_4, 8), 1886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1887 BPF_FUNC_skb_load_bytes), 1888 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1889 BPF_EXIT_INSN(), 1890 }, 1891 .result = ACCEPT, 1892 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1893 }, 1894 { 1895 "raw_stack: skb_load_bytes, init", 1896 .insns = { 1897 BPF_MOV64_IMM(BPF_REG_2, 4), 1898 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1900 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 1901 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1902 BPF_MOV64_IMM(BPF_REG_4, 8), 1903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1904 BPF_FUNC_skb_load_bytes), 1905 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1906 BPF_EXIT_INSN(), 1907 }, 1908 .result = ACCEPT, 1909 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1910 }, 1911 { 1912 "raw_stack: skb_load_bytes, spilled regs around bounds", 1913 .insns = { 1914 BPF_MOV64_IMM(BPF_REG_2, 4), 1915 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 1917 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 1918 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 1919 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1920 BPF_MOV64_IMM(BPF_REG_4, 8), 1921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1922 BPF_FUNC_skb_load_bytes), 1923 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 1924 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 1925 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 1926 offsetof(struct __sk_buff, mark)), 1927 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 1928 offsetof(struct __sk_buff, priority)), 1929 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 1930 BPF_EXIT_INSN(), 1931 }, 1932 .result = ACCEPT, 1933 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1934 }, 1935 { 1936 "raw_stack: skb_load_bytes, spilled regs corruption", 1937 .insns = { 1938 BPF_MOV64_IMM(BPF_REG_2, 4), 1939 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1941 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1942 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1943 BPF_MOV64_IMM(BPF_REG_4, 8), 1944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1945 BPF_FUNC_skb_load_bytes), 1946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1947 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 1948 offsetof(struct __sk_buff, mark)), 1949 BPF_EXIT_INSN(), 1950 }, 1951 .result = REJECT, 1952 .errstr = "R0 invalid mem access 'inv'", 1953 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1954 }, 1955 { 1956 "raw_stack: skb_load_bytes, spilled regs corruption 2", 1957 .insns = { 1958 BPF_MOV64_IMM(BPF_REG_2, 4), 1959 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 1961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 1962 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1963 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 1964 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1965 BPF_MOV64_IMM(BPF_REG_4, 8), 1966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1967 BPF_FUNC_skb_load_bytes), 1968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 1969 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 1970 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 1971 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 1972 offsetof(struct __sk_buff, mark)), 1973 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 1974 offsetof(struct __sk_buff, priority)), 1975 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 1976 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 1977 offsetof(struct __sk_buff, pkt_type)), 1978 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 1979 BPF_EXIT_INSN(), 1980 }, 1981 .result = REJECT, 1982 .errstr = "R3 invalid mem access 'inv'", 1983 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1984 }, 1985 { 1986 "raw_stack: skb_load_bytes, spilled regs + data", 1987 .insns = { 1988 BPF_MOV64_IMM(BPF_REG_2, 4), 1989 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 1991 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 1992 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1993 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 1994 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1995 BPF_MOV64_IMM(BPF_REG_4, 8), 1996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1997 BPF_FUNC_skb_load_bytes), 1998 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 1999 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2000 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2001 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2002 offsetof(struct __sk_buff, mark)), 2003 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2004 offsetof(struct __sk_buff, priority)), 2005 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2006 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2007 BPF_EXIT_INSN(), 2008 }, 2009 .result = ACCEPT, 2010 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2011 }, 2012 { 2013 "raw_stack: skb_load_bytes, invalid access 1", 2014 .insns = { 2015 BPF_MOV64_IMM(BPF_REG_2, 4), 2016 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 2018 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2019 BPF_MOV64_IMM(BPF_REG_4, 8), 2020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2021 BPF_FUNC_skb_load_bytes), 2022 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2023 BPF_EXIT_INSN(), 2024 }, 2025 .result = REJECT, 2026 .errstr = "invalid stack type R3 off=-513 access_size=8", 2027 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2028 }, 2029 { 2030 "raw_stack: skb_load_bytes, invalid access 2", 2031 .insns = { 2032 BPF_MOV64_IMM(BPF_REG_2, 4), 2033 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2035 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2036 BPF_MOV64_IMM(BPF_REG_4, 8), 2037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2038 BPF_FUNC_skb_load_bytes), 2039 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2040 BPF_EXIT_INSN(), 2041 }, 2042 .result = REJECT, 2043 .errstr = "invalid stack type R3 off=-1 access_size=8", 2044 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2045 }, 2046 { 2047 "raw_stack: skb_load_bytes, invalid access 3", 2048 .insns = { 2049 BPF_MOV64_IMM(BPF_REG_2, 4), 2050 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 2052 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2053 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2055 BPF_FUNC_skb_load_bytes), 2056 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2057 BPF_EXIT_INSN(), 2058 }, 2059 .result = REJECT, 2060 .errstr = "invalid stack type R3 off=-1 access_size=-1", 2061 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2062 }, 2063 { 2064 "raw_stack: skb_load_bytes, invalid access 4", 2065 .insns = { 2066 BPF_MOV64_IMM(BPF_REG_2, 4), 2067 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2069 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2070 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2071 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2072 BPF_FUNC_skb_load_bytes), 2073 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2074 BPF_EXIT_INSN(), 2075 }, 2076 .result = REJECT, 2077 .errstr = "invalid stack type R3 off=-1 access_size=2147483647", 2078 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2079 }, 2080 { 2081 "raw_stack: skb_load_bytes, invalid access 5", 2082 .insns = { 2083 BPF_MOV64_IMM(BPF_REG_2, 4), 2084 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2086 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2087 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2089 BPF_FUNC_skb_load_bytes), 2090 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2091 BPF_EXIT_INSN(), 2092 }, 2093 .result = REJECT, 2094 .errstr = "invalid stack type R3 off=-512 access_size=2147483647", 2095 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2096 }, 2097 { 2098 "raw_stack: skb_load_bytes, invalid access 6", 2099 .insns = { 2100 BPF_MOV64_IMM(BPF_REG_2, 4), 2101 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2103 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2104 BPF_MOV64_IMM(BPF_REG_4, 0), 2105 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2106 BPF_FUNC_skb_load_bytes), 2107 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2108 BPF_EXIT_INSN(), 2109 }, 2110 .result = REJECT, 2111 .errstr = "invalid stack type R3 off=-512 access_size=0", 2112 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2113 }, 2114 { 2115 "raw_stack: skb_load_bytes, large access", 2116 .insns = { 2117 BPF_MOV64_IMM(BPF_REG_2, 4), 2118 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2120 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2121 BPF_MOV64_IMM(BPF_REG_4, 512), 2122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2123 BPF_FUNC_skb_load_bytes), 2124 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2125 BPF_EXIT_INSN(), 2126 }, 2127 .result = ACCEPT, 2128 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2129 }, 2130 { 2131 "direct packet access: test1", 2132 .insns = { 2133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2134 offsetof(struct __sk_buff, data)), 2135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2136 offsetof(struct __sk_buff, data_end)), 2137 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2139 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2140 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2141 BPF_MOV64_IMM(BPF_REG_0, 0), 2142 BPF_EXIT_INSN(), 2143 }, 2144 .result = ACCEPT, 2145 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2146 }, 2147 { 2148 "direct packet access: test2", 2149 .insns = { 2150 BPF_MOV64_IMM(BPF_REG_0, 1), 2151 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 2152 offsetof(struct __sk_buff, data_end)), 2153 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2154 offsetof(struct __sk_buff, data)), 2155 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 2157 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 2158 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 2159 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 2160 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 2161 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2162 offsetof(struct __sk_buff, data)), 2163 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 2165 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48), 2166 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48), 2167 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 2168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 2169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2170 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2171 offsetof(struct __sk_buff, data_end)), 2172 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 2173 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 2174 BPF_MOV64_IMM(BPF_REG_0, 0), 2175 BPF_EXIT_INSN(), 2176 }, 2177 .result = ACCEPT, 2178 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2179 }, 2180 { 2181 "direct packet access: test3", 2182 .insns = { 2183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2184 offsetof(struct __sk_buff, data)), 2185 BPF_MOV64_IMM(BPF_REG_0, 0), 2186 BPF_EXIT_INSN(), 2187 }, 2188 .errstr = "invalid bpf_context access off=76", 2189 .result = REJECT, 2190 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 2191 }, 2192 { 2193 "direct packet access: test4 (write)", 2194 .insns = { 2195 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2196 offsetof(struct __sk_buff, data)), 2197 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2198 offsetof(struct __sk_buff, data_end)), 2199 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2200 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2201 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2202 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2203 BPF_MOV64_IMM(BPF_REG_0, 0), 2204 BPF_EXIT_INSN(), 2205 }, 2206 .result = ACCEPT, 2207 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2208 }, 2209 { 2210 "direct packet access: test5 (pkt_end >= reg, good access)", 2211 .insns = { 2212 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2213 offsetof(struct __sk_buff, data)), 2214 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2215 offsetof(struct __sk_buff, data_end)), 2216 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2218 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2219 BPF_MOV64_IMM(BPF_REG_0, 1), 2220 BPF_EXIT_INSN(), 2221 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2222 BPF_MOV64_IMM(BPF_REG_0, 0), 2223 BPF_EXIT_INSN(), 2224 }, 2225 .result = ACCEPT, 2226 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2227 }, 2228 { 2229 "direct packet access: test6 (pkt_end >= reg, bad access)", 2230 .insns = { 2231 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2232 offsetof(struct __sk_buff, data)), 2233 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2234 offsetof(struct __sk_buff, data_end)), 2235 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2237 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2238 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2239 BPF_MOV64_IMM(BPF_REG_0, 1), 2240 BPF_EXIT_INSN(), 2241 BPF_MOV64_IMM(BPF_REG_0, 0), 2242 BPF_EXIT_INSN(), 2243 }, 2244 .errstr = "invalid access to packet", 2245 .result = REJECT, 2246 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2247 }, 2248 { 2249 "direct packet access: test7 (pkt_end >= reg, both accesses)", 2250 .insns = { 2251 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2252 offsetof(struct __sk_buff, data)), 2253 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2254 offsetof(struct __sk_buff, data_end)), 2255 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2257 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2258 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2259 BPF_MOV64_IMM(BPF_REG_0, 1), 2260 BPF_EXIT_INSN(), 2261 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2262 BPF_MOV64_IMM(BPF_REG_0, 0), 2263 BPF_EXIT_INSN(), 2264 }, 2265 .errstr = "invalid access to packet", 2266 .result = REJECT, 2267 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2268 }, 2269 { 2270 "direct packet access: test8 (double test, variant 1)", 2271 .insns = { 2272 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2273 offsetof(struct __sk_buff, data)), 2274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2275 offsetof(struct __sk_buff, data_end)), 2276 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2278 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 2279 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2280 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2281 BPF_MOV64_IMM(BPF_REG_0, 1), 2282 BPF_EXIT_INSN(), 2283 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2284 BPF_MOV64_IMM(BPF_REG_0, 0), 2285 BPF_EXIT_INSN(), 2286 }, 2287 .result = ACCEPT, 2288 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2289 }, 2290 { 2291 "direct packet access: test9 (double test, variant 2)", 2292 .insns = { 2293 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2294 offsetof(struct __sk_buff, data)), 2295 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2296 offsetof(struct __sk_buff, data_end)), 2297 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2299 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2300 BPF_MOV64_IMM(BPF_REG_0, 1), 2301 BPF_EXIT_INSN(), 2302 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2303 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2304 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2305 BPF_MOV64_IMM(BPF_REG_0, 0), 2306 BPF_EXIT_INSN(), 2307 }, 2308 .result = ACCEPT, 2309 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2310 }, 2311 { 2312 "direct packet access: test10 (write invalid)", 2313 .insns = { 2314 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2315 offsetof(struct __sk_buff, data)), 2316 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2317 offsetof(struct __sk_buff, data_end)), 2318 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2320 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 2321 BPF_MOV64_IMM(BPF_REG_0, 0), 2322 BPF_EXIT_INSN(), 2323 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2324 BPF_MOV64_IMM(BPF_REG_0, 0), 2325 BPF_EXIT_INSN(), 2326 }, 2327 .errstr = "invalid access to packet", 2328 .result = REJECT, 2329 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2330 }, 2331 { 2332 "direct packet access: test11 (shift, good access)", 2333 .insns = { 2334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2335 offsetof(struct __sk_buff, data)), 2336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2337 offsetof(struct __sk_buff, data_end)), 2338 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2340 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2341 BPF_MOV64_IMM(BPF_REG_3, 144), 2342 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2344 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 2345 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2346 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2347 BPF_MOV64_IMM(BPF_REG_0, 1), 2348 BPF_EXIT_INSN(), 2349 BPF_MOV64_IMM(BPF_REG_0, 0), 2350 BPF_EXIT_INSN(), 2351 }, 2352 .result = ACCEPT, 2353 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2354 }, 2355 { 2356 "direct packet access: test12 (and, good access)", 2357 .insns = { 2358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2359 offsetof(struct __sk_buff, data)), 2360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2361 offsetof(struct __sk_buff, data_end)), 2362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2364 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2365 BPF_MOV64_IMM(BPF_REG_3, 144), 2366 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2368 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2369 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2370 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2371 BPF_MOV64_IMM(BPF_REG_0, 1), 2372 BPF_EXIT_INSN(), 2373 BPF_MOV64_IMM(BPF_REG_0, 0), 2374 BPF_EXIT_INSN(), 2375 }, 2376 .result = ACCEPT, 2377 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2378 }, 2379 { 2380 "direct packet access: test13 (branches, good access)", 2381 .insns = { 2382 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2383 offsetof(struct __sk_buff, data)), 2384 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2385 offsetof(struct __sk_buff, data_end)), 2386 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2388 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 2389 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2390 offsetof(struct __sk_buff, mark)), 2391 BPF_MOV64_IMM(BPF_REG_4, 1), 2392 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 2393 BPF_MOV64_IMM(BPF_REG_3, 14), 2394 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 2395 BPF_MOV64_IMM(BPF_REG_3, 24), 2396 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2398 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2399 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2400 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2401 BPF_MOV64_IMM(BPF_REG_0, 1), 2402 BPF_EXIT_INSN(), 2403 BPF_MOV64_IMM(BPF_REG_0, 0), 2404 BPF_EXIT_INSN(), 2405 }, 2406 .result = ACCEPT, 2407 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2408 }, 2409 { 2410 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 2411 .insns = { 2412 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2413 offsetof(struct __sk_buff, data)), 2414 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2415 offsetof(struct __sk_buff, data_end)), 2416 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2418 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 2419 BPF_MOV64_IMM(BPF_REG_5, 12), 2420 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 2421 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2422 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2423 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 2424 BPF_MOV64_IMM(BPF_REG_0, 1), 2425 BPF_EXIT_INSN(), 2426 BPF_MOV64_IMM(BPF_REG_0, 0), 2427 BPF_EXIT_INSN(), 2428 }, 2429 .result = ACCEPT, 2430 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2431 }, 2432 { 2433 "helper access to packet: test1, valid packet_ptr range", 2434 .insns = { 2435 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2436 offsetof(struct xdp_md, data)), 2437 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2438 offsetof(struct xdp_md, data_end)), 2439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2441 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2442 BPF_LD_MAP_FD(BPF_REG_1, 0), 2443 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2444 BPF_MOV64_IMM(BPF_REG_4, 0), 2445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2446 BPF_FUNC_map_update_elem), 2447 BPF_MOV64_IMM(BPF_REG_0, 0), 2448 BPF_EXIT_INSN(), 2449 }, 2450 .fixup_map1 = { 5 }, 2451 .result_unpriv = ACCEPT, 2452 .result = ACCEPT, 2453 .prog_type = BPF_PROG_TYPE_XDP, 2454 }, 2455 { 2456 "helper access to packet: test2, unchecked packet_ptr", 2457 .insns = { 2458 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2459 offsetof(struct xdp_md, data)), 2460 BPF_LD_MAP_FD(BPF_REG_1, 0), 2461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2462 BPF_FUNC_map_lookup_elem), 2463 BPF_MOV64_IMM(BPF_REG_0, 0), 2464 BPF_EXIT_INSN(), 2465 }, 2466 .fixup_map1 = { 1 }, 2467 .result = REJECT, 2468 .errstr = "invalid access to packet", 2469 .prog_type = BPF_PROG_TYPE_XDP, 2470 }, 2471 { 2472 "helper access to packet: test3, variable add", 2473 .insns = { 2474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2475 offsetof(struct xdp_md, data)), 2476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2477 offsetof(struct xdp_md, data_end)), 2478 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2480 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2481 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2482 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2483 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2484 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2486 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2487 BPF_LD_MAP_FD(BPF_REG_1, 0), 2488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2489 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2490 BPF_FUNC_map_lookup_elem), 2491 BPF_MOV64_IMM(BPF_REG_0, 0), 2492 BPF_EXIT_INSN(), 2493 }, 2494 .fixup_map1 = { 11 }, 2495 .result = ACCEPT, 2496 .prog_type = BPF_PROG_TYPE_XDP, 2497 }, 2498 { 2499 "helper access to packet: test4, packet_ptr with bad range", 2500 .insns = { 2501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2502 offsetof(struct xdp_md, data)), 2503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2504 offsetof(struct xdp_md, data_end)), 2505 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2507 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2508 BPF_MOV64_IMM(BPF_REG_0, 0), 2509 BPF_EXIT_INSN(), 2510 BPF_LD_MAP_FD(BPF_REG_1, 0), 2511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2512 BPF_FUNC_map_lookup_elem), 2513 BPF_MOV64_IMM(BPF_REG_0, 0), 2514 BPF_EXIT_INSN(), 2515 }, 2516 .fixup_map1 = { 7 }, 2517 .result = REJECT, 2518 .errstr = "invalid access to packet", 2519 .prog_type = BPF_PROG_TYPE_XDP, 2520 }, 2521 { 2522 "helper access to packet: test5, packet_ptr with too short range", 2523 .insns = { 2524 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2525 offsetof(struct xdp_md, data)), 2526 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2527 offsetof(struct xdp_md, data_end)), 2528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2529 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2531 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2532 BPF_LD_MAP_FD(BPF_REG_1, 0), 2533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2534 BPF_FUNC_map_lookup_elem), 2535 BPF_MOV64_IMM(BPF_REG_0, 0), 2536 BPF_EXIT_INSN(), 2537 }, 2538 .fixup_map1 = { 6 }, 2539 .result = REJECT, 2540 .errstr = "invalid access to packet", 2541 .prog_type = BPF_PROG_TYPE_XDP, 2542 }, 2543 { 2544 "helper access to packet: test6, cls valid packet_ptr range", 2545 .insns = { 2546 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2547 offsetof(struct __sk_buff, data)), 2548 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2549 offsetof(struct __sk_buff, data_end)), 2550 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2552 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2553 BPF_LD_MAP_FD(BPF_REG_1, 0), 2554 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2555 BPF_MOV64_IMM(BPF_REG_4, 0), 2556 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2557 BPF_FUNC_map_update_elem), 2558 BPF_MOV64_IMM(BPF_REG_0, 0), 2559 BPF_EXIT_INSN(), 2560 }, 2561 .fixup_map1 = { 5 }, 2562 .result = ACCEPT, 2563 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2564 }, 2565 { 2566 "helper access to packet: test7, cls unchecked packet_ptr", 2567 .insns = { 2568 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2569 offsetof(struct __sk_buff, data)), 2570 BPF_LD_MAP_FD(BPF_REG_1, 0), 2571 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2572 BPF_FUNC_map_lookup_elem), 2573 BPF_MOV64_IMM(BPF_REG_0, 0), 2574 BPF_EXIT_INSN(), 2575 }, 2576 .fixup_map1 = { 1 }, 2577 .result = REJECT, 2578 .errstr = "invalid access to packet", 2579 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2580 }, 2581 { 2582 "helper access to packet: test8, cls variable add", 2583 .insns = { 2584 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2585 offsetof(struct __sk_buff, data)), 2586 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2587 offsetof(struct __sk_buff, data_end)), 2588 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2590 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2591 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2592 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2593 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2594 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2596 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2597 BPF_LD_MAP_FD(BPF_REG_1, 0), 2598 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2599 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2600 BPF_FUNC_map_lookup_elem), 2601 BPF_MOV64_IMM(BPF_REG_0, 0), 2602 BPF_EXIT_INSN(), 2603 }, 2604 .fixup_map1 = { 11 }, 2605 .result = ACCEPT, 2606 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2607 }, 2608 { 2609 "helper access to packet: test9, cls packet_ptr with bad range", 2610 .insns = { 2611 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2612 offsetof(struct __sk_buff, data)), 2613 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2614 offsetof(struct __sk_buff, data_end)), 2615 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2617 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2618 BPF_MOV64_IMM(BPF_REG_0, 0), 2619 BPF_EXIT_INSN(), 2620 BPF_LD_MAP_FD(BPF_REG_1, 0), 2621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2622 BPF_FUNC_map_lookup_elem), 2623 BPF_MOV64_IMM(BPF_REG_0, 0), 2624 BPF_EXIT_INSN(), 2625 }, 2626 .fixup_map1 = { 7 }, 2627 .result = REJECT, 2628 .errstr = "invalid access to packet", 2629 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2630 }, 2631 { 2632 "helper access to packet: test10, cls packet_ptr with too short range", 2633 .insns = { 2634 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2635 offsetof(struct __sk_buff, data)), 2636 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2637 offsetof(struct __sk_buff, data_end)), 2638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2639 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2641 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2642 BPF_LD_MAP_FD(BPF_REG_1, 0), 2643 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2644 BPF_FUNC_map_lookup_elem), 2645 BPF_MOV64_IMM(BPF_REG_0, 0), 2646 BPF_EXIT_INSN(), 2647 }, 2648 .fixup_map1 = { 6 }, 2649 .result = REJECT, 2650 .errstr = "invalid access to packet", 2651 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2652 }, 2653 { 2654 "helper access to packet: test11, cls unsuitable helper 1", 2655 .insns = { 2656 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2657 offsetof(struct __sk_buff, data)), 2658 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2659 offsetof(struct __sk_buff, data_end)), 2660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2661 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 2663 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 2664 BPF_MOV64_IMM(BPF_REG_2, 0), 2665 BPF_MOV64_IMM(BPF_REG_4, 42), 2666 BPF_MOV64_IMM(BPF_REG_5, 0), 2667 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2668 BPF_FUNC_skb_store_bytes), 2669 BPF_MOV64_IMM(BPF_REG_0, 0), 2670 BPF_EXIT_INSN(), 2671 }, 2672 .result = REJECT, 2673 .errstr = "helper access to the packet", 2674 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2675 }, 2676 { 2677 "helper access to packet: test12, cls unsuitable helper 2", 2678 .insns = { 2679 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2680 offsetof(struct __sk_buff, data)), 2681 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2682 offsetof(struct __sk_buff, data_end)), 2683 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 2685 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 2686 BPF_MOV64_IMM(BPF_REG_2, 0), 2687 BPF_MOV64_IMM(BPF_REG_4, 4), 2688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2689 BPF_FUNC_skb_load_bytes), 2690 BPF_MOV64_IMM(BPF_REG_0, 0), 2691 BPF_EXIT_INSN(), 2692 }, 2693 .result = REJECT, 2694 .errstr = "helper access to the packet", 2695 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2696 }, 2697 { 2698 "helper access to packet: test13, cls helper ok", 2699 .insns = { 2700 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2701 offsetof(struct __sk_buff, data)), 2702 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2703 offsetof(struct __sk_buff, data_end)), 2704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2705 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2707 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2708 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2709 BPF_MOV64_IMM(BPF_REG_2, 4), 2710 BPF_MOV64_IMM(BPF_REG_3, 0), 2711 BPF_MOV64_IMM(BPF_REG_4, 0), 2712 BPF_MOV64_IMM(BPF_REG_5, 0), 2713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2714 BPF_FUNC_csum_diff), 2715 BPF_MOV64_IMM(BPF_REG_0, 0), 2716 BPF_EXIT_INSN(), 2717 }, 2718 .result = ACCEPT, 2719 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2720 }, 2721 { 2722 "helper access to packet: test14, cls helper fail sub", 2723 .insns = { 2724 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2725 offsetof(struct __sk_buff, data)), 2726 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2727 offsetof(struct __sk_buff, data_end)), 2728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2731 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2732 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 2733 BPF_MOV64_IMM(BPF_REG_2, 4), 2734 BPF_MOV64_IMM(BPF_REG_3, 0), 2735 BPF_MOV64_IMM(BPF_REG_4, 0), 2736 BPF_MOV64_IMM(BPF_REG_5, 0), 2737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2738 BPF_FUNC_csum_diff), 2739 BPF_MOV64_IMM(BPF_REG_0, 0), 2740 BPF_EXIT_INSN(), 2741 }, 2742 .result = REJECT, 2743 .errstr = "type=inv expected=fp", 2744 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2745 }, 2746 { 2747 "helper access to packet: test15, cls helper fail range 1", 2748 .insns = { 2749 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2750 offsetof(struct __sk_buff, data)), 2751 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2752 offsetof(struct __sk_buff, data_end)), 2753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2756 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2757 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2758 BPF_MOV64_IMM(BPF_REG_2, 8), 2759 BPF_MOV64_IMM(BPF_REG_3, 0), 2760 BPF_MOV64_IMM(BPF_REG_4, 0), 2761 BPF_MOV64_IMM(BPF_REG_5, 0), 2762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2763 BPF_FUNC_csum_diff), 2764 BPF_MOV64_IMM(BPF_REG_0, 0), 2765 BPF_EXIT_INSN(), 2766 }, 2767 .result = REJECT, 2768 .errstr = "invalid access to packet", 2769 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2770 }, 2771 { 2772 "helper access to packet: test16, cls helper fail range 2", 2773 .insns = { 2774 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2775 offsetof(struct __sk_buff, data)), 2776 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2777 offsetof(struct __sk_buff, data_end)), 2778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2781 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2783 BPF_MOV64_IMM(BPF_REG_2, -9), 2784 BPF_MOV64_IMM(BPF_REG_3, 0), 2785 BPF_MOV64_IMM(BPF_REG_4, 0), 2786 BPF_MOV64_IMM(BPF_REG_5, 0), 2787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2788 BPF_FUNC_csum_diff), 2789 BPF_MOV64_IMM(BPF_REG_0, 0), 2790 BPF_EXIT_INSN(), 2791 }, 2792 .result = REJECT, 2793 .errstr = "invalid access to packet", 2794 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2795 }, 2796 { 2797 "helper access to packet: test17, cls helper fail range 3", 2798 .insns = { 2799 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2800 offsetof(struct __sk_buff, data)), 2801 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2802 offsetof(struct __sk_buff, data_end)), 2803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2806 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2807 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2808 BPF_MOV64_IMM(BPF_REG_2, ~0), 2809 BPF_MOV64_IMM(BPF_REG_3, 0), 2810 BPF_MOV64_IMM(BPF_REG_4, 0), 2811 BPF_MOV64_IMM(BPF_REG_5, 0), 2812 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2813 BPF_FUNC_csum_diff), 2814 BPF_MOV64_IMM(BPF_REG_0, 0), 2815 BPF_EXIT_INSN(), 2816 }, 2817 .result = REJECT, 2818 .errstr = "invalid access to packet", 2819 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2820 }, 2821 { 2822 "helper access to packet: test18, cls helper fail range zero", 2823 .insns = { 2824 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2825 offsetof(struct __sk_buff, data)), 2826 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2827 offsetof(struct __sk_buff, data_end)), 2828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2829 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2831 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2832 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2833 BPF_MOV64_IMM(BPF_REG_2, 0), 2834 BPF_MOV64_IMM(BPF_REG_3, 0), 2835 BPF_MOV64_IMM(BPF_REG_4, 0), 2836 BPF_MOV64_IMM(BPF_REG_5, 0), 2837 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2838 BPF_FUNC_csum_diff), 2839 BPF_MOV64_IMM(BPF_REG_0, 0), 2840 BPF_EXIT_INSN(), 2841 }, 2842 .result = REJECT, 2843 .errstr = "invalid access to packet", 2844 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2845 }, 2846 { 2847 "helper access to packet: test19, pkt end as input", 2848 .insns = { 2849 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2850 offsetof(struct __sk_buff, data)), 2851 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2852 offsetof(struct __sk_buff, data_end)), 2853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2854 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2856 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2857 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 2858 BPF_MOV64_IMM(BPF_REG_2, 4), 2859 BPF_MOV64_IMM(BPF_REG_3, 0), 2860 BPF_MOV64_IMM(BPF_REG_4, 0), 2861 BPF_MOV64_IMM(BPF_REG_5, 0), 2862 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2863 BPF_FUNC_csum_diff), 2864 BPF_MOV64_IMM(BPF_REG_0, 0), 2865 BPF_EXIT_INSN(), 2866 }, 2867 .result = REJECT, 2868 .errstr = "R1 type=pkt_end expected=fp", 2869 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2870 }, 2871 { 2872 "helper access to packet: test20, wrong reg", 2873 .insns = { 2874 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2875 offsetof(struct __sk_buff, data)), 2876 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2877 offsetof(struct __sk_buff, data_end)), 2878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2881 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2882 BPF_MOV64_IMM(BPF_REG_2, 4), 2883 BPF_MOV64_IMM(BPF_REG_3, 0), 2884 BPF_MOV64_IMM(BPF_REG_4, 0), 2885 BPF_MOV64_IMM(BPF_REG_5, 0), 2886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2887 BPF_FUNC_csum_diff), 2888 BPF_MOV64_IMM(BPF_REG_0, 0), 2889 BPF_EXIT_INSN(), 2890 }, 2891 .result = REJECT, 2892 .errstr = "invalid access to packet", 2893 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2894 }, 2895 { 2896 "valid map access into an array with a constant", 2897 .insns = { 2898 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2901 BPF_LD_MAP_FD(BPF_REG_1, 0), 2902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2903 BPF_FUNC_map_lookup_elem), 2904 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 2905 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 2906 offsetof(struct test_val, foo)), 2907 BPF_EXIT_INSN(), 2908 }, 2909 .fixup_map2 = { 3 }, 2910 .errstr_unpriv = "R0 leaks addr", 2911 .result_unpriv = REJECT, 2912 .result = ACCEPT, 2913 }, 2914 { 2915 "valid map access into an array with a register", 2916 .insns = { 2917 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2920 BPF_LD_MAP_FD(BPF_REG_1, 0), 2921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2922 BPF_FUNC_map_lookup_elem), 2923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 2924 BPF_MOV64_IMM(BPF_REG_1, 4), 2925 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 2926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 2927 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 2928 offsetof(struct test_val, foo)), 2929 BPF_EXIT_INSN(), 2930 }, 2931 .fixup_map2 = { 3 }, 2932 .errstr_unpriv = "R0 pointer arithmetic prohibited", 2933 .result_unpriv = REJECT, 2934 .result = ACCEPT, 2935 }, 2936 { 2937 "valid map access into an array with a variable", 2938 .insns = { 2939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2942 BPF_LD_MAP_FD(BPF_REG_1, 0), 2943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2944 BPF_FUNC_map_lookup_elem), 2945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 2946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 2947 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 2948 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 2949 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 2950 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 2951 offsetof(struct test_val, foo)), 2952 BPF_EXIT_INSN(), 2953 }, 2954 .fixup_map2 = { 3 }, 2955 .errstr_unpriv = "R0 pointer arithmetic prohibited", 2956 .result_unpriv = REJECT, 2957 .result = ACCEPT, 2958 }, 2959 { 2960 "valid map access into an array with a signed variable", 2961 .insns = { 2962 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2965 BPF_LD_MAP_FD(BPF_REG_1, 0), 2966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2967 BPF_FUNC_map_lookup_elem), 2968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 2969 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 2970 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 2971 BPF_MOV32_IMM(BPF_REG_1, 0), 2972 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 2973 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 2974 BPF_MOV32_IMM(BPF_REG_1, 0), 2975 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 2976 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 2977 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 2978 offsetof(struct test_val, foo)), 2979 BPF_EXIT_INSN(), 2980 }, 2981 .fixup_map2 = { 3 }, 2982 .errstr_unpriv = "R0 pointer arithmetic prohibited", 2983 .result_unpriv = REJECT, 2984 .result = ACCEPT, 2985 }, 2986 { 2987 "invalid map access into an array with a constant", 2988 .insns = { 2989 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2992 BPF_LD_MAP_FD(BPF_REG_1, 0), 2993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2994 BPF_FUNC_map_lookup_elem), 2995 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 2996 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 2997 offsetof(struct test_val, foo)), 2998 BPF_EXIT_INSN(), 2999 }, 3000 .fixup_map2 = { 3 }, 3001 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 3002 .result = REJECT, 3003 }, 3004 { 3005 "invalid map access into an array with a register", 3006 .insns = { 3007 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3010 BPF_LD_MAP_FD(BPF_REG_1, 0), 3011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3012 BPF_FUNC_map_lookup_elem), 3013 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3014 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 3015 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3016 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3017 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3018 offsetof(struct test_val, foo)), 3019 BPF_EXIT_INSN(), 3020 }, 3021 .fixup_map2 = { 3 }, 3022 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3023 .errstr = "R0 min value is outside of the array range", 3024 .result_unpriv = REJECT, 3025 .result = REJECT, 3026 }, 3027 { 3028 "invalid map access into an array with a variable", 3029 .insns = { 3030 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3033 BPF_LD_MAP_FD(BPF_REG_1, 0), 3034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3035 BPF_FUNC_map_lookup_elem), 3036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3037 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3038 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3039 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3040 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3041 offsetof(struct test_val, foo)), 3042 BPF_EXIT_INSN(), 3043 }, 3044 .fixup_map2 = { 3 }, 3045 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3046 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3047 .result_unpriv = REJECT, 3048 .result = REJECT, 3049 }, 3050 { 3051 "invalid map access into an array with no floor check", 3052 .insns = { 3053 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3054 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3056 BPF_LD_MAP_FD(BPF_REG_1, 0), 3057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3058 BPF_FUNC_map_lookup_elem), 3059 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3060 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3061 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3062 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3063 BPF_MOV32_IMM(BPF_REG_1, 0), 3064 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3065 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3066 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3067 offsetof(struct test_val, foo)), 3068 BPF_EXIT_INSN(), 3069 }, 3070 .fixup_map2 = { 3 }, 3071 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3072 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3073 .result_unpriv = REJECT, 3074 .result = REJECT, 3075 }, 3076 { 3077 "invalid map access into an array with a invalid max check", 3078 .insns = { 3079 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3082 BPF_LD_MAP_FD(BPF_REG_1, 0), 3083 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3084 BPF_FUNC_map_lookup_elem), 3085 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3086 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3087 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 3088 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3089 BPF_MOV32_IMM(BPF_REG_1, 0), 3090 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3091 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3092 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3093 offsetof(struct test_val, foo)), 3094 BPF_EXIT_INSN(), 3095 }, 3096 .fixup_map2 = { 3 }, 3097 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3098 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 3099 .result_unpriv = REJECT, 3100 .result = REJECT, 3101 }, 3102 { 3103 "invalid map access into an array with a invalid max check", 3104 .insns = { 3105 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3106 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3108 BPF_LD_MAP_FD(BPF_REG_1, 0), 3109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3110 BPF_FUNC_map_lookup_elem), 3111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 3112 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 3113 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3114 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3116 BPF_LD_MAP_FD(BPF_REG_1, 0), 3117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3118 BPF_FUNC_map_lookup_elem), 3119 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 3120 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 3121 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3122 offsetof(struct test_val, foo)), 3123 BPF_EXIT_INSN(), 3124 }, 3125 .fixup_map2 = { 3, 11 }, 3126 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3127 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3128 .result_unpriv = REJECT, 3129 .result = REJECT, 3130 }, 3131 { 3132 "multiple registers share map_lookup_elem result", 3133 .insns = { 3134 BPF_MOV64_IMM(BPF_REG_1, 10), 3135 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3136 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3138 BPF_LD_MAP_FD(BPF_REG_1, 0), 3139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3140 BPF_FUNC_map_lookup_elem), 3141 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3143 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3144 BPF_EXIT_INSN(), 3145 }, 3146 .fixup_map1 = { 4 }, 3147 .result = ACCEPT, 3148 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3149 }, 3150 { 3151 "invalid memory access with multiple map_lookup_elem calls", 3152 .insns = { 3153 BPF_MOV64_IMM(BPF_REG_1, 10), 3154 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3155 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3157 BPF_LD_MAP_FD(BPF_REG_1, 0), 3158 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3159 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3161 BPF_FUNC_map_lookup_elem), 3162 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3163 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3166 BPF_FUNC_map_lookup_elem), 3167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3168 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3169 BPF_EXIT_INSN(), 3170 }, 3171 .fixup_map1 = { 4 }, 3172 .result = REJECT, 3173 .errstr = "R4 !read_ok", 3174 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3175 }, 3176 { 3177 "valid indirect map_lookup_elem access with 2nd lookup in branch", 3178 .insns = { 3179 BPF_MOV64_IMM(BPF_REG_1, 10), 3180 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3181 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3183 BPF_LD_MAP_FD(BPF_REG_1, 0), 3184 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3185 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3187 BPF_FUNC_map_lookup_elem), 3188 BPF_MOV64_IMM(BPF_REG_2, 10), 3189 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 3190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3193 BPF_FUNC_map_lookup_elem), 3194 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3195 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3196 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3197 BPF_EXIT_INSN(), 3198 }, 3199 .fixup_map1 = { 4 }, 3200 .result = ACCEPT, 3201 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3202 }, 3203 { 3204 "multiple registers share map_lookup_elem bad reg type", 3205 .insns = { 3206 BPF_MOV64_IMM(BPF_REG_1, 10), 3207 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3208 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3210 BPF_LD_MAP_FD(BPF_REG_1, 0), 3211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3212 BPF_FUNC_map_lookup_elem), 3213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 3214 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 3215 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3216 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3217 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3218 BPF_MOV64_IMM(BPF_REG_1, 1), 3219 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3220 BPF_MOV64_IMM(BPF_REG_1, 2), 3221 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1), 3222 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0), 3223 BPF_MOV64_IMM(BPF_REG_1, 3), 3224 BPF_EXIT_INSN(), 3225 }, 3226 .fixup_map1 = { 4 }, 3227 .result = REJECT, 3228 .errstr = "R3 invalid mem access 'inv'", 3229 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3230 }, 3231 { 3232 "invalid map access from else condition", 3233 .insns = { 3234 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3235 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3237 BPF_LD_MAP_FD(BPF_REG_1, 0), 3238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3240 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3241 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 3242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 3243 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3244 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3245 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 3246 BPF_EXIT_INSN(), 3247 }, 3248 .fixup_map2 = { 3 }, 3249 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 3250 .result = REJECT, 3251 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3252 .result_unpriv = REJECT, 3253 }, 3254 { 3255 "constant register |= constant should keep constant type", 3256 .insns = { 3257 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3259 BPF_MOV64_IMM(BPF_REG_2, 34), 3260 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 3261 BPF_MOV64_IMM(BPF_REG_3, 0), 3262 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3263 BPF_EXIT_INSN(), 3264 }, 3265 .result = ACCEPT, 3266 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3267 }, 3268 { 3269 "constant register |= constant should not bypass stack boundary checks", 3270 .insns = { 3271 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3273 BPF_MOV64_IMM(BPF_REG_2, 34), 3274 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 3275 BPF_MOV64_IMM(BPF_REG_3, 0), 3276 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3277 BPF_EXIT_INSN(), 3278 }, 3279 .errstr = "invalid stack type R1 off=-48 access_size=58", 3280 .result = REJECT, 3281 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3282 }, 3283 { 3284 "constant register |= constant register should keep constant type", 3285 .insns = { 3286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3288 BPF_MOV64_IMM(BPF_REG_2, 34), 3289 BPF_MOV64_IMM(BPF_REG_4, 13), 3290 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3291 BPF_MOV64_IMM(BPF_REG_3, 0), 3292 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3293 BPF_EXIT_INSN(), 3294 }, 3295 .result = ACCEPT, 3296 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3297 }, 3298 { 3299 "constant register |= constant register should not bypass stack boundary checks", 3300 .insns = { 3301 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3303 BPF_MOV64_IMM(BPF_REG_2, 34), 3304 BPF_MOV64_IMM(BPF_REG_4, 24), 3305 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3306 BPF_MOV64_IMM(BPF_REG_3, 0), 3307 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3308 BPF_EXIT_INSN(), 3309 }, 3310 .errstr = "invalid stack type R1 off=-48 access_size=58", 3311 .result = REJECT, 3312 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3313 }, 3314 { 3315 "invalid direct packet write for LWT_IN", 3316 .insns = { 3317 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3318 offsetof(struct __sk_buff, data)), 3319 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3320 offsetof(struct __sk_buff, data_end)), 3321 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3323 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3324 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3325 BPF_MOV64_IMM(BPF_REG_0, 0), 3326 BPF_EXIT_INSN(), 3327 }, 3328 .errstr = "cannot write into packet", 3329 .result = REJECT, 3330 .prog_type = BPF_PROG_TYPE_LWT_IN, 3331 }, 3332 { 3333 "invalid direct packet write for LWT_OUT", 3334 .insns = { 3335 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3336 offsetof(struct __sk_buff, data)), 3337 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3338 offsetof(struct __sk_buff, data_end)), 3339 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3341 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3342 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3343 BPF_MOV64_IMM(BPF_REG_0, 0), 3344 BPF_EXIT_INSN(), 3345 }, 3346 .errstr = "cannot write into packet", 3347 .result = REJECT, 3348 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3349 }, 3350 { 3351 "direct packet write for LWT_XMIT", 3352 .insns = { 3353 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3354 offsetof(struct __sk_buff, data)), 3355 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3356 offsetof(struct __sk_buff, data_end)), 3357 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3359 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3360 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3361 BPF_MOV64_IMM(BPF_REG_0, 0), 3362 BPF_EXIT_INSN(), 3363 }, 3364 .result = ACCEPT, 3365 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3366 }, 3367 { 3368 "direct packet read for LWT_IN", 3369 .insns = { 3370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3371 offsetof(struct __sk_buff, data)), 3372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3373 offsetof(struct __sk_buff, data_end)), 3374 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3376 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3377 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3378 BPF_MOV64_IMM(BPF_REG_0, 0), 3379 BPF_EXIT_INSN(), 3380 }, 3381 .result = ACCEPT, 3382 .prog_type = BPF_PROG_TYPE_LWT_IN, 3383 }, 3384 { 3385 "direct packet read for LWT_OUT", 3386 .insns = { 3387 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3388 offsetof(struct __sk_buff, data)), 3389 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3390 offsetof(struct __sk_buff, data_end)), 3391 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3392 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3393 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3394 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3395 BPF_MOV64_IMM(BPF_REG_0, 0), 3396 BPF_EXIT_INSN(), 3397 }, 3398 .result = ACCEPT, 3399 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3400 }, 3401 { 3402 "direct packet read for LWT_XMIT", 3403 .insns = { 3404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3405 offsetof(struct __sk_buff, data)), 3406 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3407 offsetof(struct __sk_buff, data_end)), 3408 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3410 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3411 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3412 BPF_MOV64_IMM(BPF_REG_0, 0), 3413 BPF_EXIT_INSN(), 3414 }, 3415 .result = ACCEPT, 3416 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3417 }, 3418 { 3419 "invalid access of tc_classid for LWT_IN", 3420 .insns = { 3421 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3422 offsetof(struct __sk_buff, tc_classid)), 3423 BPF_EXIT_INSN(), 3424 }, 3425 .result = REJECT, 3426 .errstr = "invalid bpf_context access", 3427 }, 3428 { 3429 "invalid access of tc_classid for LWT_OUT", 3430 .insns = { 3431 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3432 offsetof(struct __sk_buff, tc_classid)), 3433 BPF_EXIT_INSN(), 3434 }, 3435 .result = REJECT, 3436 .errstr = "invalid bpf_context access", 3437 }, 3438 { 3439 "invalid access of tc_classid for LWT_XMIT", 3440 .insns = { 3441 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3442 offsetof(struct __sk_buff, tc_classid)), 3443 BPF_EXIT_INSN(), 3444 }, 3445 .result = REJECT, 3446 .errstr = "invalid bpf_context access", 3447 }, 3448 { 3449 "helper access to map: full range", 3450 .insns = { 3451 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3453 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3454 BPF_LD_MAP_FD(BPF_REG_1, 0), 3455 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3456 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3457 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3458 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 3459 BPF_MOV64_IMM(BPF_REG_3, 0), 3460 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3461 BPF_EXIT_INSN(), 3462 }, 3463 .fixup_map2 = { 3 }, 3464 .result = ACCEPT, 3465 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3466 }, 3467 { 3468 "helper access to map: partial range", 3469 .insns = { 3470 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3471 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3472 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3473 BPF_LD_MAP_FD(BPF_REG_1, 0), 3474 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3475 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3476 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3477 BPF_MOV64_IMM(BPF_REG_2, 8), 3478 BPF_MOV64_IMM(BPF_REG_3, 0), 3479 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3480 BPF_EXIT_INSN(), 3481 }, 3482 .fixup_map2 = { 3 }, 3483 .result = ACCEPT, 3484 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3485 }, 3486 { 3487 "helper access to map: empty range", 3488 .insns = { 3489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3491 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3492 BPF_LD_MAP_FD(BPF_REG_1, 0), 3493 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3494 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3496 BPF_MOV64_IMM(BPF_REG_2, 0), 3497 BPF_MOV64_IMM(BPF_REG_3, 0), 3498 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3499 BPF_EXIT_INSN(), 3500 }, 3501 .fixup_map2 = { 3 }, 3502 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 3503 .result = REJECT, 3504 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3505 }, 3506 { 3507 "helper access to map: out-of-bound range", 3508 .insns = { 3509 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3511 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3512 BPF_LD_MAP_FD(BPF_REG_1, 0), 3513 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3514 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3515 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3516 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 3517 BPF_MOV64_IMM(BPF_REG_3, 0), 3518 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3519 BPF_EXIT_INSN(), 3520 }, 3521 .fixup_map2 = { 3 }, 3522 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 3523 .result = REJECT, 3524 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3525 }, 3526 { 3527 "helper access to map: negative range", 3528 .insns = { 3529 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3531 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3532 BPF_LD_MAP_FD(BPF_REG_1, 0), 3533 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3534 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3535 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3536 BPF_MOV64_IMM(BPF_REG_2, -8), 3537 BPF_MOV64_IMM(BPF_REG_3, 0), 3538 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3539 BPF_EXIT_INSN(), 3540 }, 3541 .fixup_map2 = { 3 }, 3542 .errstr = "invalid access to map value, value_size=48 off=0 size=-8", 3543 .result = REJECT, 3544 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3545 }, 3546 { 3547 "helper access to adjusted map (via const imm): full range", 3548 .insns = { 3549 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3551 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3552 BPF_LD_MAP_FD(BPF_REG_1, 0), 3553 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3554 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3557 offsetof(struct test_val, foo)), 3558 BPF_MOV64_IMM(BPF_REG_2, 3559 sizeof(struct test_val) - 3560 offsetof(struct test_val, foo)), 3561 BPF_MOV64_IMM(BPF_REG_3, 0), 3562 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3563 BPF_EXIT_INSN(), 3564 }, 3565 .fixup_map2 = { 3 }, 3566 .result = ACCEPT, 3567 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3568 }, 3569 { 3570 "helper access to adjusted map (via const imm): partial range", 3571 .insns = { 3572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3574 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3575 BPF_LD_MAP_FD(BPF_REG_1, 0), 3576 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3577 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3578 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3580 offsetof(struct test_val, foo)), 3581 BPF_MOV64_IMM(BPF_REG_2, 8), 3582 BPF_MOV64_IMM(BPF_REG_3, 0), 3583 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3584 BPF_EXIT_INSN(), 3585 }, 3586 .fixup_map2 = { 3 }, 3587 .result = ACCEPT, 3588 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3589 }, 3590 { 3591 "helper access to adjusted map (via const imm): empty range", 3592 .insns = { 3593 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3595 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3596 BPF_LD_MAP_FD(BPF_REG_1, 0), 3597 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3598 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3599 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3601 offsetof(struct test_val, foo)), 3602 BPF_MOV64_IMM(BPF_REG_2, 0), 3603 BPF_MOV64_IMM(BPF_REG_3, 0), 3604 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3605 BPF_EXIT_INSN(), 3606 }, 3607 .fixup_map2 = { 3 }, 3608 .errstr = "R1 min value is outside of the array range", 3609 .result = REJECT, 3610 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3611 }, 3612 { 3613 "helper access to adjusted map (via const imm): out-of-bound range", 3614 .insns = { 3615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3617 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3618 BPF_LD_MAP_FD(BPF_REG_1, 0), 3619 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3623 offsetof(struct test_val, foo)), 3624 BPF_MOV64_IMM(BPF_REG_2, 3625 sizeof(struct test_val) - 3626 offsetof(struct test_val, foo) + 8), 3627 BPF_MOV64_IMM(BPF_REG_3, 0), 3628 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3629 BPF_EXIT_INSN(), 3630 }, 3631 .fixup_map2 = { 3 }, 3632 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 3633 .result = REJECT, 3634 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3635 }, 3636 { 3637 "helper access to adjusted map (via const imm): negative range (> adjustment)", 3638 .insns = { 3639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3642 BPF_LD_MAP_FD(BPF_REG_1, 0), 3643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3647 offsetof(struct test_val, foo)), 3648 BPF_MOV64_IMM(BPF_REG_2, -8), 3649 BPF_MOV64_IMM(BPF_REG_3, 0), 3650 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3651 BPF_EXIT_INSN(), 3652 }, 3653 .fixup_map2 = { 3 }, 3654 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 3655 .result = REJECT, 3656 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3657 }, 3658 { 3659 "helper access to adjusted map (via const imm): negative range (< adjustment)", 3660 .insns = { 3661 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3663 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3664 BPF_LD_MAP_FD(BPF_REG_1, 0), 3665 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3669 offsetof(struct test_val, foo)), 3670 BPF_MOV64_IMM(BPF_REG_2, -1), 3671 BPF_MOV64_IMM(BPF_REG_3, 0), 3672 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3673 BPF_EXIT_INSN(), 3674 }, 3675 .fixup_map2 = { 3 }, 3676 .errstr = "R1 min value is outside of the array range", 3677 .result = REJECT, 3678 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3679 }, 3680 { 3681 "helper access to adjusted map (via const reg): full range", 3682 .insns = { 3683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3685 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3686 BPF_LD_MAP_FD(BPF_REG_1, 0), 3687 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3689 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3690 BPF_MOV64_IMM(BPF_REG_3, 3691 offsetof(struct test_val, foo)), 3692 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3693 BPF_MOV64_IMM(BPF_REG_2, 3694 sizeof(struct test_val) - 3695 offsetof(struct test_val, foo)), 3696 BPF_MOV64_IMM(BPF_REG_3, 0), 3697 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3698 BPF_EXIT_INSN(), 3699 }, 3700 .fixup_map2 = { 3 }, 3701 .result = ACCEPT, 3702 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3703 }, 3704 { 3705 "helper access to adjusted map (via const reg): partial range", 3706 .insns = { 3707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3709 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3710 BPF_LD_MAP_FD(BPF_REG_1, 0), 3711 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3714 BPF_MOV64_IMM(BPF_REG_3, 3715 offsetof(struct test_val, foo)), 3716 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3717 BPF_MOV64_IMM(BPF_REG_2, 8), 3718 BPF_MOV64_IMM(BPF_REG_3, 0), 3719 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3720 BPF_EXIT_INSN(), 3721 }, 3722 .fixup_map2 = { 3 }, 3723 .result = ACCEPT, 3724 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3725 }, 3726 { 3727 "helper access to adjusted map (via const reg): empty range", 3728 .insns = { 3729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3731 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3732 BPF_LD_MAP_FD(BPF_REG_1, 0), 3733 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3735 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3736 BPF_MOV64_IMM(BPF_REG_3, 0), 3737 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3738 BPF_MOV64_IMM(BPF_REG_2, 0), 3739 BPF_MOV64_IMM(BPF_REG_3, 0), 3740 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3741 BPF_EXIT_INSN(), 3742 }, 3743 .fixup_map2 = { 3 }, 3744 .errstr = "R1 min value is outside of the array range", 3745 .result = REJECT, 3746 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3747 }, 3748 { 3749 "helper access to adjusted map (via const reg): out-of-bound range", 3750 .insns = { 3751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3753 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3754 BPF_LD_MAP_FD(BPF_REG_1, 0), 3755 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3757 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3758 BPF_MOV64_IMM(BPF_REG_3, 3759 offsetof(struct test_val, foo)), 3760 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3761 BPF_MOV64_IMM(BPF_REG_2, 3762 sizeof(struct test_val) - 3763 offsetof(struct test_val, foo) + 8), 3764 BPF_MOV64_IMM(BPF_REG_3, 0), 3765 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3766 BPF_EXIT_INSN(), 3767 }, 3768 .fixup_map2 = { 3 }, 3769 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 3770 .result = REJECT, 3771 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3772 }, 3773 { 3774 "helper access to adjusted map (via const reg): negative range (> adjustment)", 3775 .insns = { 3776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3779 BPF_LD_MAP_FD(BPF_REG_1, 0), 3780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3783 BPF_MOV64_IMM(BPF_REG_3, 3784 offsetof(struct test_val, foo)), 3785 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3786 BPF_MOV64_IMM(BPF_REG_2, -8), 3787 BPF_MOV64_IMM(BPF_REG_3, 0), 3788 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3789 BPF_EXIT_INSN(), 3790 }, 3791 .fixup_map2 = { 3 }, 3792 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 3793 .result = REJECT, 3794 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3795 }, 3796 { 3797 "helper access to adjusted map (via const reg): negative range (< adjustment)", 3798 .insns = { 3799 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3801 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3802 BPF_LD_MAP_FD(BPF_REG_1, 0), 3803 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3806 BPF_MOV64_IMM(BPF_REG_3, 3807 offsetof(struct test_val, foo)), 3808 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3809 BPF_MOV64_IMM(BPF_REG_2, -1), 3810 BPF_MOV64_IMM(BPF_REG_3, 0), 3811 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3812 BPF_EXIT_INSN(), 3813 }, 3814 .fixup_map2 = { 3 }, 3815 .errstr = "R1 min value is outside of the array range", 3816 .result = REJECT, 3817 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3818 }, 3819 { 3820 "helper access to adjusted map (via variable): full range", 3821 .insns = { 3822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3824 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3825 BPF_LD_MAP_FD(BPF_REG_1, 0), 3826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3828 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3829 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 3830 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 3831 offsetof(struct test_val, foo), 4), 3832 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3833 BPF_MOV64_IMM(BPF_REG_2, 3834 sizeof(struct test_val) - 3835 offsetof(struct test_val, foo)), 3836 BPF_MOV64_IMM(BPF_REG_3, 0), 3837 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3838 BPF_EXIT_INSN(), 3839 }, 3840 .fixup_map2 = { 3 }, 3841 .result = ACCEPT, 3842 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3843 }, 3844 { 3845 "helper access to adjusted map (via variable): partial range", 3846 .insns = { 3847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3849 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3850 BPF_LD_MAP_FD(BPF_REG_1, 0), 3851 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 3855 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 3856 offsetof(struct test_val, foo), 4), 3857 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3858 BPF_MOV64_IMM(BPF_REG_2, 8), 3859 BPF_MOV64_IMM(BPF_REG_3, 0), 3860 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3861 BPF_EXIT_INSN(), 3862 }, 3863 .fixup_map2 = { 3 }, 3864 .result = ACCEPT, 3865 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3866 }, 3867 { 3868 "helper access to adjusted map (via variable): empty range", 3869 .insns = { 3870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3872 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3873 BPF_LD_MAP_FD(BPF_REG_1, 0), 3874 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3875 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 3878 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 3879 offsetof(struct test_val, foo), 4), 3880 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3881 BPF_MOV64_IMM(BPF_REG_2, 0), 3882 BPF_MOV64_IMM(BPF_REG_3, 0), 3883 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3884 BPF_EXIT_INSN(), 3885 }, 3886 .fixup_map2 = { 3 }, 3887 .errstr = "R1 min value is outside of the array range", 3888 .result = REJECT, 3889 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3890 }, 3891 { 3892 "helper access to adjusted map (via variable): no max check", 3893 .insns = { 3894 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3896 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3897 BPF_LD_MAP_FD(BPF_REG_1, 0), 3898 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3901 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 3902 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3903 BPF_MOV64_IMM(BPF_REG_2, 0), 3904 BPF_MOV64_IMM(BPF_REG_3, 0), 3905 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3906 BPF_EXIT_INSN(), 3907 }, 3908 .fixup_map2 = { 3 }, 3909 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check", 3910 .result = REJECT, 3911 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3912 }, 3913 { 3914 "helper access to adjusted map (via variable): wrong max check", 3915 .insns = { 3916 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3918 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3919 BPF_LD_MAP_FD(BPF_REG_1, 0), 3920 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3923 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 3924 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 3925 offsetof(struct test_val, foo), 4), 3926 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3927 BPF_MOV64_IMM(BPF_REG_2, 3928 sizeof(struct test_val) - 3929 offsetof(struct test_val, foo) + 1), 3930 BPF_MOV64_IMM(BPF_REG_3, 0), 3931 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3932 BPF_EXIT_INSN(), 3933 }, 3934 .fixup_map2 = { 3 }, 3935 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 3936 .result = REJECT, 3937 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3938 }, 3939 { 3940 "map element value is preserved across register spilling", 3941 .insns = { 3942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3944 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3945 BPF_LD_MAP_FD(BPF_REG_1, 0), 3946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3948 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 3949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 3951 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 3952 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 3953 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 3954 BPF_EXIT_INSN(), 3955 }, 3956 .fixup_map2 = { 3 }, 3957 .errstr_unpriv = "R0 leaks addr", 3958 .result = ACCEPT, 3959 .result_unpriv = REJECT, 3960 }, 3961 { 3962 "map element value (adjusted) is preserved across register spilling", 3963 .insns = { 3964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3966 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3967 BPF_LD_MAP_FD(BPF_REG_1, 0), 3968 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3969 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3971 offsetof(struct test_val, foo)), 3972 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 3973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 3975 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 3976 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 3977 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 3978 BPF_EXIT_INSN(), 3979 }, 3980 .fixup_map2 = { 3 }, 3981 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3982 .result = ACCEPT, 3983 .result_unpriv = REJECT, 3984 }, 3985 { 3986 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 3987 .insns = { 3988 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 3990 BPF_MOV64_IMM(BPF_REG_0, 0), 3991 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 3992 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 3993 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 3994 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 3995 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 3996 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 3997 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 3998 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3999 BPF_MOV64_IMM(BPF_REG_2, 16), 4000 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4001 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4002 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4003 BPF_MOV64_IMM(BPF_REG_4, 0), 4004 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4005 BPF_MOV64_IMM(BPF_REG_3, 0), 4006 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4007 BPF_MOV64_IMM(BPF_REG_0, 0), 4008 BPF_EXIT_INSN(), 4009 }, 4010 .result = ACCEPT, 4011 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4012 }, 4013 { 4014 "helper access to variable memory: stack, bitwise AND, zero included", 4015 .insns = { 4016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4018 BPF_MOV64_IMM(BPF_REG_2, 16), 4019 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4020 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4021 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4022 BPF_MOV64_IMM(BPF_REG_3, 0), 4023 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4024 BPF_EXIT_INSN(), 4025 }, 4026 .errstr = "invalid stack type R1 off=-64 access_size=0", 4027 .result = REJECT, 4028 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4029 }, 4030 { 4031 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 4032 .insns = { 4033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4035 BPF_MOV64_IMM(BPF_REG_2, 16), 4036 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4037 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4038 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 4039 BPF_MOV64_IMM(BPF_REG_4, 0), 4040 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4041 BPF_MOV64_IMM(BPF_REG_3, 0), 4042 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4043 BPF_MOV64_IMM(BPF_REG_0, 0), 4044 BPF_EXIT_INSN(), 4045 }, 4046 .errstr = "invalid stack type R1 off=-64 access_size=65", 4047 .result = REJECT, 4048 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4049 }, 4050 { 4051 "helper access to variable memory: stack, JMP, correct bounds", 4052 .insns = { 4053 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4055 BPF_MOV64_IMM(BPF_REG_0, 0), 4056 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4057 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4058 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4059 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4060 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4061 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4062 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4063 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4064 BPF_MOV64_IMM(BPF_REG_2, 16), 4065 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4066 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4067 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 4068 BPF_MOV64_IMM(BPF_REG_4, 0), 4069 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4070 BPF_MOV64_IMM(BPF_REG_3, 0), 4071 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4072 BPF_MOV64_IMM(BPF_REG_0, 0), 4073 BPF_EXIT_INSN(), 4074 }, 4075 .result = ACCEPT, 4076 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4077 }, 4078 { 4079 "helper access to variable memory: stack, JMP (signed), correct bounds", 4080 .insns = { 4081 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4083 BPF_MOV64_IMM(BPF_REG_0, 0), 4084 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4085 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4086 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4087 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4088 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4089 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4090 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4091 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4092 BPF_MOV64_IMM(BPF_REG_2, 16), 4093 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4094 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4095 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 4096 BPF_MOV64_IMM(BPF_REG_4, 0), 4097 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 4098 BPF_MOV64_IMM(BPF_REG_3, 0), 4099 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4100 BPF_MOV64_IMM(BPF_REG_0, 0), 4101 BPF_EXIT_INSN(), 4102 }, 4103 .result = ACCEPT, 4104 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4105 }, 4106 { 4107 "helper access to variable memory: stack, JMP, bounds + offset", 4108 .insns = { 4109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4111 BPF_MOV64_IMM(BPF_REG_2, 16), 4112 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4113 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4114 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 4115 BPF_MOV64_IMM(BPF_REG_4, 0), 4116 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 4117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4118 BPF_MOV64_IMM(BPF_REG_3, 0), 4119 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4120 BPF_MOV64_IMM(BPF_REG_0, 0), 4121 BPF_EXIT_INSN(), 4122 }, 4123 .errstr = "invalid stack type R1 off=-64 access_size=65", 4124 .result = REJECT, 4125 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4126 }, 4127 { 4128 "helper access to variable memory: stack, JMP, wrong max", 4129 .insns = { 4130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4132 BPF_MOV64_IMM(BPF_REG_2, 16), 4133 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4134 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4135 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 4136 BPF_MOV64_IMM(BPF_REG_4, 0), 4137 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4138 BPF_MOV64_IMM(BPF_REG_3, 0), 4139 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4140 BPF_MOV64_IMM(BPF_REG_0, 0), 4141 BPF_EXIT_INSN(), 4142 }, 4143 .errstr = "invalid stack type R1 off=-64 access_size=65", 4144 .result = REJECT, 4145 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4146 }, 4147 { 4148 "helper access to variable memory: stack, JMP, no max check", 4149 .insns = { 4150 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4152 BPF_MOV64_IMM(BPF_REG_2, 16), 4153 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4154 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4155 BPF_MOV64_IMM(BPF_REG_4, 0), 4156 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4157 BPF_MOV64_IMM(BPF_REG_3, 0), 4158 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4159 BPF_MOV64_IMM(BPF_REG_0, 0), 4160 BPF_EXIT_INSN(), 4161 }, 4162 .errstr = "R2 unbounded memory access", 4163 .result = REJECT, 4164 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4165 }, 4166 { 4167 "helper access to variable memory: stack, JMP, no min check", 4168 .insns = { 4169 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4171 BPF_MOV64_IMM(BPF_REG_2, 16), 4172 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4173 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4174 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 4175 BPF_MOV64_IMM(BPF_REG_3, 0), 4176 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4177 BPF_MOV64_IMM(BPF_REG_0, 0), 4178 BPF_EXIT_INSN(), 4179 }, 4180 .errstr = "invalid stack type R1 off=-64 access_size=0", 4181 .result = REJECT, 4182 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4183 }, 4184 { 4185 "helper access to variable memory: stack, JMP (signed), no min check", 4186 .insns = { 4187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4189 BPF_MOV64_IMM(BPF_REG_2, 16), 4190 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4191 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4192 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 4193 BPF_MOV64_IMM(BPF_REG_3, 0), 4194 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4195 BPF_MOV64_IMM(BPF_REG_0, 0), 4196 BPF_EXIT_INSN(), 4197 }, 4198 .errstr = "R2 min value is negative", 4199 .result = REJECT, 4200 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4201 }, 4202 { 4203 "helper access to variable memory: map, JMP, correct bounds", 4204 .insns = { 4205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4207 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4208 BPF_LD_MAP_FD(BPF_REG_1, 0), 4209 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4211 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4212 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4213 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4214 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4215 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4216 sizeof(struct test_val), 4), 4217 BPF_MOV64_IMM(BPF_REG_4, 0), 4218 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4219 BPF_MOV64_IMM(BPF_REG_3, 0), 4220 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4221 BPF_MOV64_IMM(BPF_REG_0, 0), 4222 BPF_EXIT_INSN(), 4223 }, 4224 .fixup_map2 = { 3 }, 4225 .result = ACCEPT, 4226 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4227 }, 4228 { 4229 "helper access to variable memory: map, JMP, wrong max", 4230 .insns = { 4231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4233 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4234 BPF_LD_MAP_FD(BPF_REG_1, 0), 4235 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4238 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4239 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4240 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4241 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4242 sizeof(struct test_val) + 1, 4), 4243 BPF_MOV64_IMM(BPF_REG_4, 0), 4244 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4245 BPF_MOV64_IMM(BPF_REG_3, 0), 4246 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4247 BPF_MOV64_IMM(BPF_REG_0, 0), 4248 BPF_EXIT_INSN(), 4249 }, 4250 .fixup_map2 = { 3 }, 4251 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 4252 .result = REJECT, 4253 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4254 }, 4255 { 4256 "helper access to variable memory: map adjusted, JMP, correct bounds", 4257 .insns = { 4258 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4260 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4261 BPF_LD_MAP_FD(BPF_REG_1, 0), 4262 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4264 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4266 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4267 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4268 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4269 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4270 sizeof(struct test_val) - 20, 4), 4271 BPF_MOV64_IMM(BPF_REG_4, 0), 4272 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4273 BPF_MOV64_IMM(BPF_REG_3, 0), 4274 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4275 BPF_MOV64_IMM(BPF_REG_0, 0), 4276 BPF_EXIT_INSN(), 4277 }, 4278 .fixup_map2 = { 3 }, 4279 .result = ACCEPT, 4280 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4281 }, 4282 { 4283 "helper access to variable memory: map adjusted, JMP, wrong max", 4284 .insns = { 4285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4288 BPF_LD_MAP_FD(BPF_REG_1, 0), 4289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4293 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4294 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4295 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4296 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4297 sizeof(struct test_val) - 19, 4), 4298 BPF_MOV64_IMM(BPF_REG_4, 0), 4299 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4300 BPF_MOV64_IMM(BPF_REG_3, 0), 4301 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4302 BPF_MOV64_IMM(BPF_REG_0, 0), 4303 BPF_EXIT_INSN(), 4304 }, 4305 .fixup_map2 = { 3 }, 4306 .errstr = "R1 min value is outside of the array range", 4307 .result = REJECT, 4308 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4309 }, 4310 { 4311 "helper access to variable memory: size > 0 not allowed on NULL", 4312 .insns = { 4313 BPF_MOV64_IMM(BPF_REG_1, 0), 4314 BPF_MOV64_IMM(BPF_REG_2, 0), 4315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4316 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4317 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4318 BPF_MOV64_IMM(BPF_REG_3, 0), 4319 BPF_MOV64_IMM(BPF_REG_4, 0), 4320 BPF_MOV64_IMM(BPF_REG_5, 0), 4321 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4322 BPF_EXIT_INSN(), 4323 }, 4324 .errstr = "R1 type=imm expected=fp", 4325 .result = REJECT, 4326 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4327 }, 4328 { 4329 "helper access to variable memory: size = 0 not allowed on != NULL", 4330 .insns = { 4331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 4333 BPF_MOV64_IMM(BPF_REG_2, 0), 4334 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 4335 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 4336 BPF_MOV64_IMM(BPF_REG_3, 0), 4337 BPF_MOV64_IMM(BPF_REG_4, 0), 4338 BPF_MOV64_IMM(BPF_REG_5, 0), 4339 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4340 BPF_EXIT_INSN(), 4341 }, 4342 .errstr = "invalid stack type R1 off=-8 access_size=0", 4343 .result = REJECT, 4344 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4345 }, 4346 { 4347 "helper access to variable memory: 8 bytes leak", 4348 .insns = { 4349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4351 BPF_MOV64_IMM(BPF_REG_0, 0), 4352 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4353 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4354 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4355 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4356 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4357 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4358 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4359 BPF_MOV64_IMM(BPF_REG_2, 0), 4360 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4361 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4362 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 4363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4364 BPF_MOV64_IMM(BPF_REG_3, 0), 4365 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4366 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4367 BPF_EXIT_INSN(), 4368 }, 4369 .errstr = "invalid indirect read from stack off -64+32 size 64", 4370 .result = REJECT, 4371 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4372 }, 4373 { 4374 "helper access to variable memory: 8 bytes no leak (init memory)", 4375 .insns = { 4376 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4377 BPF_MOV64_IMM(BPF_REG_0, 0), 4378 BPF_MOV64_IMM(BPF_REG_0, 0), 4379 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4381 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4386 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4388 BPF_MOV64_IMM(BPF_REG_2, 0), 4389 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 4390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 4391 BPF_MOV64_IMM(BPF_REG_3, 0), 4392 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4393 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4394 BPF_EXIT_INSN(), 4395 }, 4396 .result = ACCEPT, 4397 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4398 }, 4399 { 4400 "invalid and of negative number", 4401 .insns = { 4402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4405 BPF_LD_MAP_FD(BPF_REG_1, 0), 4406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4407 BPF_FUNC_map_lookup_elem), 4408 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4409 BPF_MOV64_IMM(BPF_REG_1, 6), 4410 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 4411 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4412 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4413 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4414 offsetof(struct test_val, foo)), 4415 BPF_EXIT_INSN(), 4416 }, 4417 .fixup_map2 = { 3 }, 4418 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4419 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4420 .result = REJECT, 4421 .result_unpriv = REJECT, 4422 }, 4423 { 4424 "invalid range check", 4425 .insns = { 4426 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4427 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4429 BPF_LD_MAP_FD(BPF_REG_1, 0), 4430 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4431 BPF_FUNC_map_lookup_elem), 4432 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 4433 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4434 BPF_MOV64_IMM(BPF_REG_9, 1), 4435 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 4436 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 4437 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 4438 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 4439 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 4440 BPF_MOV32_IMM(BPF_REG_3, 1), 4441 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 4442 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 4443 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 4444 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 4445 BPF_MOV64_REG(BPF_REG_0, 0), 4446 BPF_EXIT_INSN(), 4447 }, 4448 .fixup_map2 = { 3 }, 4449 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4450 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4451 .result = REJECT, 4452 .result_unpriv = REJECT, 4453 } 4454 }; 4455 4456 static int probe_filter_length(const struct bpf_insn *fp) 4457 { 4458 int len; 4459 4460 for (len = MAX_INSNS - 1; len > 0; --len) 4461 if (fp[len].code != 0 || fp[len].imm != 0) 4462 break; 4463 return len + 1; 4464 } 4465 4466 static int create_map(uint32_t size_value, uint32_t max_elem) 4467 { 4468 int fd; 4469 4470 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 4471 size_value, max_elem, BPF_F_NO_PREALLOC); 4472 if (fd < 0) 4473 printf("Failed to create hash map '%s'!\n", strerror(errno)); 4474 4475 return fd; 4476 } 4477 4478 static int create_prog_array(void) 4479 { 4480 int fd; 4481 4482 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 4483 sizeof(int), 4, 0); 4484 if (fd < 0) 4485 printf("Failed to create prog array '%s'!\n", strerror(errno)); 4486 4487 return fd; 4488 } 4489 4490 static char bpf_vlog[32768]; 4491 4492 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 4493 int *fd_f1, int *fd_f2, int *fd_f3) 4494 { 4495 int *fixup_map1 = test->fixup_map1; 4496 int *fixup_map2 = test->fixup_map2; 4497 int *fixup_prog = test->fixup_prog; 4498 4499 /* Allocating HTs with 1 elem is fine here, since we only test 4500 * for verifier and not do a runtime lookup, so the only thing 4501 * that really matters is value size in this case. 4502 */ 4503 if (*fixup_map1) { 4504 *fd_f1 = create_map(sizeof(long long), 1); 4505 do { 4506 prog[*fixup_map1].imm = *fd_f1; 4507 fixup_map1++; 4508 } while (*fixup_map1); 4509 } 4510 4511 if (*fixup_map2) { 4512 *fd_f2 = create_map(sizeof(struct test_val), 1); 4513 do { 4514 prog[*fixup_map2].imm = *fd_f2; 4515 fixup_map2++; 4516 } while (*fixup_map2); 4517 } 4518 4519 if (*fixup_prog) { 4520 *fd_f3 = create_prog_array(); 4521 do { 4522 prog[*fixup_prog].imm = *fd_f3; 4523 fixup_prog++; 4524 } while (*fixup_prog); 4525 } 4526 } 4527 4528 static void do_test_single(struct bpf_test *test, bool unpriv, 4529 int *passes, int *errors) 4530 { 4531 struct bpf_insn *prog = test->insns; 4532 int prog_len = probe_filter_length(prog); 4533 int prog_type = test->prog_type; 4534 int fd_f1 = -1, fd_f2 = -1, fd_f3 = -1; 4535 int fd_prog, expected_ret; 4536 const char *expected_err; 4537 4538 do_test_fixup(test, prog, &fd_f1, &fd_f2, &fd_f3); 4539 4540 fd_prog = bpf_load_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 4541 prog, prog_len, "GPL", 0, bpf_vlog, 4542 sizeof(bpf_vlog)); 4543 4544 expected_ret = unpriv && test->result_unpriv != UNDEF ? 4545 test->result_unpriv : test->result; 4546 expected_err = unpriv && test->errstr_unpriv ? 4547 test->errstr_unpriv : test->errstr; 4548 if (expected_ret == ACCEPT) { 4549 if (fd_prog < 0) { 4550 printf("FAIL\nFailed to load prog '%s'!\n", 4551 strerror(errno)); 4552 goto fail_log; 4553 } 4554 } else { 4555 if (fd_prog >= 0) { 4556 printf("FAIL\nUnexpected success to load!\n"); 4557 goto fail_log; 4558 } 4559 if (!strstr(bpf_vlog, expected_err)) { 4560 printf("FAIL\nUnexpected error message!\n"); 4561 goto fail_log; 4562 } 4563 } 4564 4565 (*passes)++; 4566 printf("OK\n"); 4567 close_fds: 4568 close(fd_prog); 4569 close(fd_f1); 4570 close(fd_f2); 4571 close(fd_f3); 4572 sched_yield(); 4573 return; 4574 fail_log: 4575 (*errors)++; 4576 printf("%s", bpf_vlog); 4577 goto close_fds; 4578 } 4579 4580 static bool is_admin(void) 4581 { 4582 cap_t caps; 4583 cap_flag_value_t sysadmin = CAP_CLEAR; 4584 const cap_value_t cap_val = CAP_SYS_ADMIN; 4585 4586 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 4587 perror("cap_get_flag"); 4588 return false; 4589 } 4590 caps = cap_get_proc(); 4591 if (!caps) { 4592 perror("cap_get_proc"); 4593 return false; 4594 } 4595 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 4596 perror("cap_get_flag"); 4597 if (cap_free(caps)) 4598 perror("cap_free"); 4599 return (sysadmin == CAP_SET); 4600 } 4601 4602 static int set_admin(bool admin) 4603 { 4604 cap_t caps; 4605 const cap_value_t cap_val = CAP_SYS_ADMIN; 4606 int ret = -1; 4607 4608 caps = cap_get_proc(); 4609 if (!caps) { 4610 perror("cap_get_proc"); 4611 return -1; 4612 } 4613 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 4614 admin ? CAP_SET : CAP_CLEAR)) { 4615 perror("cap_set_flag"); 4616 goto out; 4617 } 4618 if (cap_set_proc(caps)) { 4619 perror("cap_set_proc"); 4620 goto out; 4621 } 4622 ret = 0; 4623 out: 4624 if (cap_free(caps)) 4625 perror("cap_free"); 4626 return ret; 4627 } 4628 4629 static int do_test(bool unpriv, unsigned int from, unsigned int to) 4630 { 4631 int i, passes = 0, errors = 0; 4632 4633 for (i = from; i < to; i++) { 4634 struct bpf_test *test = &tests[i]; 4635 4636 /* Program types that are not supported by non-root we 4637 * skip right away. 4638 */ 4639 if (!test->prog_type) { 4640 if (!unpriv) 4641 set_admin(false); 4642 printf("#%d/u %s ", i, test->descr); 4643 do_test_single(test, true, &passes, &errors); 4644 if (!unpriv) 4645 set_admin(true); 4646 } 4647 4648 if (!unpriv) { 4649 printf("#%d/p %s ", i, test->descr); 4650 do_test_single(test, false, &passes, &errors); 4651 } 4652 } 4653 4654 printf("Summary: %d PASSED, %d FAILED\n", passes, errors); 4655 return errors ? -errors : 0; 4656 } 4657 4658 int main(int argc, char **argv) 4659 { 4660 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY }; 4661 struct rlimit rlim = { 1 << 20, 1 << 20 }; 4662 unsigned int from = 0, to = ARRAY_SIZE(tests); 4663 bool unpriv = !is_admin(); 4664 4665 if (argc == 3) { 4666 unsigned int l = atoi(argv[argc - 2]); 4667 unsigned int u = atoi(argv[argc - 1]); 4668 4669 if (l < to && u < to) { 4670 from = l; 4671 to = u + 1; 4672 } 4673 } else if (argc == 2) { 4674 unsigned int t = atoi(argv[argc - 1]); 4675 4676 if (t < to) { 4677 from = t; 4678 to = t + 1; 4679 } 4680 } 4681 4682 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf); 4683 return do_test(unpriv, from, to); 4684 } 4685