1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of version 2 of the GNU General Public 8 * License as published by the Free Software Foundation. 9 */ 10 11 #include <asm/types.h> 12 #include <linux/types.h> 13 #include <stdint.h> 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <unistd.h> 17 #include <errno.h> 18 #include <string.h> 19 #include <stddef.h> 20 #include <stdbool.h> 21 #include <sched.h> 22 23 #include <sys/capability.h> 24 #include <sys/resource.h> 25 26 #include <linux/unistd.h> 27 #include <linux/filter.h> 28 #include <linux/bpf_perf_event.h> 29 #include <linux/bpf.h> 30 31 #include <bpf/bpf.h> 32 33 #ifdef HAVE_GENHDR 34 # include "autoconf.h" 35 #else 36 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 37 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 38 # endif 39 #endif 40 41 #include "../../../include/linux/filter.h" 42 43 #ifndef ARRAY_SIZE 44 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 45 #endif 46 47 #define MAX_INSNS 512 48 #define MAX_FIXUPS 8 49 #define MAX_NR_MAPS 4 50 51 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 52 53 struct bpf_test { 54 const char *descr; 55 struct bpf_insn insns[MAX_INSNS]; 56 int fixup_map1[MAX_FIXUPS]; 57 int fixup_map2[MAX_FIXUPS]; 58 int fixup_prog[MAX_FIXUPS]; 59 int fixup_map_in_map[MAX_FIXUPS]; 60 const char *errstr; 61 const char *errstr_unpriv; 62 enum { 63 UNDEF, 64 ACCEPT, 65 REJECT 66 } result, result_unpriv; 67 enum bpf_prog_type prog_type; 68 uint8_t flags; 69 }; 70 71 /* Note we want this to be 64 bit aligned so that the end of our array is 72 * actually the end of the structure. 73 */ 74 #define MAX_ENTRIES 11 75 76 struct test_val { 77 unsigned int index; 78 int foo[MAX_ENTRIES]; 79 }; 80 81 static struct bpf_test tests[] = { 82 { 83 "add+sub+mul", 84 .insns = { 85 BPF_MOV64_IMM(BPF_REG_1, 1), 86 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 87 BPF_MOV64_IMM(BPF_REG_2, 3), 88 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 89 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 90 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 91 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 92 BPF_EXIT_INSN(), 93 }, 94 .result = ACCEPT, 95 }, 96 { 97 "unreachable", 98 .insns = { 99 BPF_EXIT_INSN(), 100 BPF_EXIT_INSN(), 101 }, 102 .errstr = "unreachable", 103 .result = REJECT, 104 }, 105 { 106 "unreachable2", 107 .insns = { 108 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 109 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 110 BPF_EXIT_INSN(), 111 }, 112 .errstr = "unreachable", 113 .result = REJECT, 114 }, 115 { 116 "out of range jump", 117 .insns = { 118 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 119 BPF_EXIT_INSN(), 120 }, 121 .errstr = "jump out of range", 122 .result = REJECT, 123 }, 124 { 125 "out of range jump2", 126 .insns = { 127 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 128 BPF_EXIT_INSN(), 129 }, 130 .errstr = "jump out of range", 131 .result = REJECT, 132 }, 133 { 134 "test1 ld_imm64", 135 .insns = { 136 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 137 BPF_LD_IMM64(BPF_REG_0, 0), 138 BPF_LD_IMM64(BPF_REG_0, 0), 139 BPF_LD_IMM64(BPF_REG_0, 1), 140 BPF_LD_IMM64(BPF_REG_0, 1), 141 BPF_MOV64_IMM(BPF_REG_0, 2), 142 BPF_EXIT_INSN(), 143 }, 144 .errstr = "invalid BPF_LD_IMM insn", 145 .errstr_unpriv = "R1 pointer comparison", 146 .result = REJECT, 147 }, 148 { 149 "test2 ld_imm64", 150 .insns = { 151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 152 BPF_LD_IMM64(BPF_REG_0, 0), 153 BPF_LD_IMM64(BPF_REG_0, 0), 154 BPF_LD_IMM64(BPF_REG_0, 1), 155 BPF_LD_IMM64(BPF_REG_0, 1), 156 BPF_EXIT_INSN(), 157 }, 158 .errstr = "invalid BPF_LD_IMM insn", 159 .errstr_unpriv = "R1 pointer comparison", 160 .result = REJECT, 161 }, 162 { 163 "test3 ld_imm64", 164 .insns = { 165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 166 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 167 BPF_LD_IMM64(BPF_REG_0, 0), 168 BPF_LD_IMM64(BPF_REG_0, 0), 169 BPF_LD_IMM64(BPF_REG_0, 1), 170 BPF_LD_IMM64(BPF_REG_0, 1), 171 BPF_EXIT_INSN(), 172 }, 173 .errstr = "invalid bpf_ld_imm64 insn", 174 .result = REJECT, 175 }, 176 { 177 "test4 ld_imm64", 178 .insns = { 179 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 180 BPF_EXIT_INSN(), 181 }, 182 .errstr = "invalid bpf_ld_imm64 insn", 183 .result = REJECT, 184 }, 185 { 186 "test5 ld_imm64", 187 .insns = { 188 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 189 }, 190 .errstr = "invalid bpf_ld_imm64 insn", 191 .result = REJECT, 192 }, 193 { 194 "test6 ld_imm64", 195 .insns = { 196 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 197 BPF_RAW_INSN(0, 0, 0, 0, 0), 198 BPF_EXIT_INSN(), 199 }, 200 .result = ACCEPT, 201 }, 202 { 203 "test7 ld_imm64", 204 .insns = { 205 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 206 BPF_RAW_INSN(0, 0, 0, 0, 1), 207 BPF_EXIT_INSN(), 208 }, 209 .result = ACCEPT, 210 }, 211 { 212 "test8 ld_imm64", 213 .insns = { 214 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1), 215 BPF_RAW_INSN(0, 0, 0, 0, 1), 216 BPF_EXIT_INSN(), 217 }, 218 .errstr = "uses reserved fields", 219 .result = REJECT, 220 }, 221 { 222 "test9 ld_imm64", 223 .insns = { 224 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 225 BPF_RAW_INSN(0, 0, 0, 1, 1), 226 BPF_EXIT_INSN(), 227 }, 228 .errstr = "invalid bpf_ld_imm64 insn", 229 .result = REJECT, 230 }, 231 { 232 "test10 ld_imm64", 233 .insns = { 234 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 235 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1), 236 BPF_EXIT_INSN(), 237 }, 238 .errstr = "invalid bpf_ld_imm64 insn", 239 .result = REJECT, 240 }, 241 { 242 "test11 ld_imm64", 243 .insns = { 244 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 245 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 246 BPF_EXIT_INSN(), 247 }, 248 .errstr = "invalid bpf_ld_imm64 insn", 249 .result = REJECT, 250 }, 251 { 252 "test12 ld_imm64", 253 .insns = { 254 BPF_MOV64_IMM(BPF_REG_1, 0), 255 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 256 BPF_RAW_INSN(0, 0, 0, 0, 1), 257 BPF_EXIT_INSN(), 258 }, 259 .errstr = "not pointing to valid bpf_map", 260 .result = REJECT, 261 }, 262 { 263 "test13 ld_imm64", 264 .insns = { 265 BPF_MOV64_IMM(BPF_REG_1, 0), 266 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 267 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 268 BPF_EXIT_INSN(), 269 }, 270 .errstr = "invalid bpf_ld_imm64 insn", 271 .result = REJECT, 272 }, 273 { 274 "no bpf_exit", 275 .insns = { 276 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 277 }, 278 .errstr = "jump out of range", 279 .result = REJECT, 280 }, 281 { 282 "loop (back-edge)", 283 .insns = { 284 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 285 BPF_EXIT_INSN(), 286 }, 287 .errstr = "back-edge", 288 .result = REJECT, 289 }, 290 { 291 "loop2 (back-edge)", 292 .insns = { 293 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 295 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 296 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 297 BPF_EXIT_INSN(), 298 }, 299 .errstr = "back-edge", 300 .result = REJECT, 301 }, 302 { 303 "conditional loop", 304 .insns = { 305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 307 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 309 BPF_EXIT_INSN(), 310 }, 311 .errstr = "back-edge", 312 .result = REJECT, 313 }, 314 { 315 "read uninitialized register", 316 .insns = { 317 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 318 BPF_EXIT_INSN(), 319 }, 320 .errstr = "R2 !read_ok", 321 .result = REJECT, 322 }, 323 { 324 "read invalid register", 325 .insns = { 326 BPF_MOV64_REG(BPF_REG_0, -1), 327 BPF_EXIT_INSN(), 328 }, 329 .errstr = "R15 is invalid", 330 .result = REJECT, 331 }, 332 { 333 "program doesn't init R0 before exit", 334 .insns = { 335 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 336 BPF_EXIT_INSN(), 337 }, 338 .errstr = "R0 !read_ok", 339 .result = REJECT, 340 }, 341 { 342 "program doesn't init R0 before exit in all branches", 343 .insns = { 344 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 345 BPF_MOV64_IMM(BPF_REG_0, 1), 346 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 347 BPF_EXIT_INSN(), 348 }, 349 .errstr = "R0 !read_ok", 350 .errstr_unpriv = "R1 pointer comparison", 351 .result = REJECT, 352 }, 353 { 354 "stack out of bounds", 355 .insns = { 356 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 357 BPF_EXIT_INSN(), 358 }, 359 .errstr = "invalid stack", 360 .result = REJECT, 361 }, 362 { 363 "invalid call insn1", 364 .insns = { 365 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 366 BPF_EXIT_INSN(), 367 }, 368 .errstr = "BPF_CALL uses reserved", 369 .result = REJECT, 370 }, 371 { 372 "invalid call insn2", 373 .insns = { 374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 375 BPF_EXIT_INSN(), 376 }, 377 .errstr = "BPF_CALL uses reserved", 378 .result = REJECT, 379 }, 380 { 381 "invalid function call", 382 .insns = { 383 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 384 BPF_EXIT_INSN(), 385 }, 386 .errstr = "invalid func unknown#1234567", 387 .result = REJECT, 388 }, 389 { 390 "uninitialized stack1", 391 .insns = { 392 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 394 BPF_LD_MAP_FD(BPF_REG_1, 0), 395 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 396 BPF_FUNC_map_lookup_elem), 397 BPF_EXIT_INSN(), 398 }, 399 .fixup_map1 = { 2 }, 400 .errstr = "invalid indirect read from stack", 401 .result = REJECT, 402 }, 403 { 404 "uninitialized stack2", 405 .insns = { 406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 407 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 408 BPF_EXIT_INSN(), 409 }, 410 .errstr = "invalid read from stack", 411 .result = REJECT, 412 }, 413 { 414 "invalid fp arithmetic", 415 /* If this gets ever changed, make sure JITs can deal with it. */ 416 .insns = { 417 BPF_MOV64_IMM(BPF_REG_0, 0), 418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 419 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8), 420 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 421 BPF_EXIT_INSN(), 422 }, 423 .errstr_unpriv = "R1 pointer arithmetic", 424 .result_unpriv = REJECT, 425 .errstr = "R1 invalid mem access", 426 .result = REJECT, 427 }, 428 { 429 "non-invalid fp arithmetic", 430 .insns = { 431 BPF_MOV64_IMM(BPF_REG_0, 0), 432 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 433 BPF_EXIT_INSN(), 434 }, 435 .result = ACCEPT, 436 }, 437 { 438 "invalid argument register", 439 .insns = { 440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 441 BPF_FUNC_get_cgroup_classid), 442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 443 BPF_FUNC_get_cgroup_classid), 444 BPF_EXIT_INSN(), 445 }, 446 .errstr = "R1 !read_ok", 447 .result = REJECT, 448 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 449 }, 450 { 451 "non-invalid argument register", 452 .insns = { 453 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 455 BPF_FUNC_get_cgroup_classid), 456 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 458 BPF_FUNC_get_cgroup_classid), 459 BPF_EXIT_INSN(), 460 }, 461 .result = ACCEPT, 462 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 463 }, 464 { 465 "check valid spill/fill", 466 .insns = { 467 /* spill R1(ctx) into stack */ 468 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 469 /* fill it back into R2 */ 470 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 471 /* should be able to access R0 = *(R2 + 8) */ 472 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 473 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 474 BPF_EXIT_INSN(), 475 }, 476 .errstr_unpriv = "R0 leaks addr", 477 .result = ACCEPT, 478 .result_unpriv = REJECT, 479 }, 480 { 481 "check valid spill/fill, skb mark", 482 .insns = { 483 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 484 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 485 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 486 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 487 offsetof(struct __sk_buff, mark)), 488 BPF_EXIT_INSN(), 489 }, 490 .result = ACCEPT, 491 .result_unpriv = ACCEPT, 492 }, 493 { 494 "check corrupted spill/fill", 495 .insns = { 496 /* spill R1(ctx) into stack */ 497 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 498 /* mess up with R1 pointer on stack */ 499 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 500 /* fill back into R0 should fail */ 501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 502 BPF_EXIT_INSN(), 503 }, 504 .errstr_unpriv = "attempt to corrupt spilled", 505 .errstr = "corrupted spill", 506 .result = REJECT, 507 }, 508 { 509 "invalid src register in STX", 510 .insns = { 511 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 512 BPF_EXIT_INSN(), 513 }, 514 .errstr = "R15 is invalid", 515 .result = REJECT, 516 }, 517 { 518 "invalid dst register in STX", 519 .insns = { 520 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 521 BPF_EXIT_INSN(), 522 }, 523 .errstr = "R14 is invalid", 524 .result = REJECT, 525 }, 526 { 527 "invalid dst register in ST", 528 .insns = { 529 BPF_ST_MEM(BPF_B, 14, -1, -1), 530 BPF_EXIT_INSN(), 531 }, 532 .errstr = "R14 is invalid", 533 .result = REJECT, 534 }, 535 { 536 "invalid src register in LDX", 537 .insns = { 538 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 539 BPF_EXIT_INSN(), 540 }, 541 .errstr = "R12 is invalid", 542 .result = REJECT, 543 }, 544 { 545 "invalid dst register in LDX", 546 .insns = { 547 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 548 BPF_EXIT_INSN(), 549 }, 550 .errstr = "R11 is invalid", 551 .result = REJECT, 552 }, 553 { 554 "junk insn", 555 .insns = { 556 BPF_RAW_INSN(0, 0, 0, 0, 0), 557 BPF_EXIT_INSN(), 558 }, 559 .errstr = "invalid BPF_LD_IMM", 560 .result = REJECT, 561 }, 562 { 563 "junk insn2", 564 .insns = { 565 BPF_RAW_INSN(1, 0, 0, 0, 0), 566 BPF_EXIT_INSN(), 567 }, 568 .errstr = "BPF_LDX uses reserved fields", 569 .result = REJECT, 570 }, 571 { 572 "junk insn3", 573 .insns = { 574 BPF_RAW_INSN(-1, 0, 0, 0, 0), 575 BPF_EXIT_INSN(), 576 }, 577 .errstr = "invalid BPF_ALU opcode f0", 578 .result = REJECT, 579 }, 580 { 581 "junk insn4", 582 .insns = { 583 BPF_RAW_INSN(-1, -1, -1, -1, -1), 584 BPF_EXIT_INSN(), 585 }, 586 .errstr = "invalid BPF_ALU opcode f0", 587 .result = REJECT, 588 }, 589 { 590 "junk insn5", 591 .insns = { 592 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 593 BPF_EXIT_INSN(), 594 }, 595 .errstr = "BPF_ALU uses reserved fields", 596 .result = REJECT, 597 }, 598 { 599 "misaligned read from stack", 600 .insns = { 601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 602 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 603 BPF_EXIT_INSN(), 604 }, 605 .errstr = "misaligned access", 606 .result = REJECT, 607 }, 608 { 609 "invalid map_fd for function call", 610 .insns = { 611 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 612 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 614 BPF_LD_MAP_FD(BPF_REG_1, 0), 615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 616 BPF_FUNC_map_delete_elem), 617 BPF_EXIT_INSN(), 618 }, 619 .errstr = "fd 0 is not pointing to valid bpf_map", 620 .result = REJECT, 621 }, 622 { 623 "don't check return value before access", 624 .insns = { 625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 628 BPF_LD_MAP_FD(BPF_REG_1, 0), 629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 630 BPF_FUNC_map_lookup_elem), 631 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 632 BPF_EXIT_INSN(), 633 }, 634 .fixup_map1 = { 3 }, 635 .errstr = "R0 invalid mem access 'map_value_or_null'", 636 .result = REJECT, 637 }, 638 { 639 "access memory with incorrect alignment", 640 .insns = { 641 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 642 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 644 BPF_LD_MAP_FD(BPF_REG_1, 0), 645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 646 BPF_FUNC_map_lookup_elem), 647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 648 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 649 BPF_EXIT_INSN(), 650 }, 651 .fixup_map1 = { 3 }, 652 .errstr = "misaligned access", 653 .result = REJECT, 654 }, 655 { 656 "sometimes access memory with incorrect alignment", 657 .insns = { 658 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 661 BPF_LD_MAP_FD(BPF_REG_1, 0), 662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 663 BPF_FUNC_map_lookup_elem), 664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 665 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 666 BPF_EXIT_INSN(), 667 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 668 BPF_EXIT_INSN(), 669 }, 670 .fixup_map1 = { 3 }, 671 .errstr = "R0 invalid mem access", 672 .errstr_unpriv = "R0 leaks addr", 673 .result = REJECT, 674 }, 675 { 676 "jump test 1", 677 .insns = { 678 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 679 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 681 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 683 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 685 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 687 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 689 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 691 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 692 BPF_MOV64_IMM(BPF_REG_0, 0), 693 BPF_EXIT_INSN(), 694 }, 695 .errstr_unpriv = "R1 pointer comparison", 696 .result_unpriv = REJECT, 697 .result = ACCEPT, 698 }, 699 { 700 "jump test 2", 701 .insns = { 702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 703 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 704 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 705 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 706 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 707 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 708 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 709 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 710 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 711 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 713 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 714 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 716 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 717 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 718 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 719 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 720 BPF_MOV64_IMM(BPF_REG_0, 0), 721 BPF_EXIT_INSN(), 722 }, 723 .errstr_unpriv = "R1 pointer comparison", 724 .result_unpriv = REJECT, 725 .result = ACCEPT, 726 }, 727 { 728 "jump test 3", 729 .insns = { 730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 731 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 732 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 734 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 736 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 738 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 740 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 741 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 742 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 744 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 746 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 747 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 748 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 750 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 752 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 754 BPF_LD_MAP_FD(BPF_REG_1, 0), 755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 756 BPF_FUNC_map_delete_elem), 757 BPF_EXIT_INSN(), 758 }, 759 .fixup_map1 = { 24 }, 760 .errstr_unpriv = "R1 pointer comparison", 761 .result_unpriv = REJECT, 762 .result = ACCEPT, 763 }, 764 { 765 "jump test 4", 766 .insns = { 767 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 807 BPF_MOV64_IMM(BPF_REG_0, 0), 808 BPF_EXIT_INSN(), 809 }, 810 .errstr_unpriv = "R1 pointer comparison", 811 .result_unpriv = REJECT, 812 .result = ACCEPT, 813 }, 814 { 815 "jump test 5", 816 .insns = { 817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 818 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 819 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 820 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 821 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 822 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 823 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 824 BPF_MOV64_IMM(BPF_REG_0, 0), 825 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 826 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 827 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 828 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 829 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 830 BPF_MOV64_IMM(BPF_REG_0, 0), 831 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 832 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 833 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 834 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 835 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 836 BPF_MOV64_IMM(BPF_REG_0, 0), 837 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 838 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 839 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 840 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 841 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 842 BPF_MOV64_IMM(BPF_REG_0, 0), 843 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 844 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 845 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 846 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 847 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 848 BPF_MOV64_IMM(BPF_REG_0, 0), 849 BPF_EXIT_INSN(), 850 }, 851 .errstr_unpriv = "R1 pointer comparison", 852 .result_unpriv = REJECT, 853 .result = ACCEPT, 854 }, 855 { 856 "access skb fields ok", 857 .insns = { 858 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 859 offsetof(struct __sk_buff, len)), 860 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 861 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 862 offsetof(struct __sk_buff, mark)), 863 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 864 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 865 offsetof(struct __sk_buff, pkt_type)), 866 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 867 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 868 offsetof(struct __sk_buff, queue_mapping)), 869 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 870 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 871 offsetof(struct __sk_buff, protocol)), 872 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 873 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 874 offsetof(struct __sk_buff, vlan_present)), 875 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 876 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 877 offsetof(struct __sk_buff, vlan_tci)), 878 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 879 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 880 offsetof(struct __sk_buff, napi_id)), 881 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 882 BPF_EXIT_INSN(), 883 }, 884 .result = ACCEPT, 885 }, 886 { 887 "access skb fields bad1", 888 .insns = { 889 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 890 BPF_EXIT_INSN(), 891 }, 892 .errstr = "invalid bpf_context access", 893 .result = REJECT, 894 }, 895 { 896 "access skb fields bad2", 897 .insns = { 898 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 899 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 900 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 902 BPF_LD_MAP_FD(BPF_REG_1, 0), 903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 904 BPF_FUNC_map_lookup_elem), 905 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 906 BPF_EXIT_INSN(), 907 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 908 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 909 offsetof(struct __sk_buff, pkt_type)), 910 BPF_EXIT_INSN(), 911 }, 912 .fixup_map1 = { 4 }, 913 .errstr = "different pointers", 914 .errstr_unpriv = "R1 pointer comparison", 915 .result = REJECT, 916 }, 917 { 918 "access skb fields bad3", 919 .insns = { 920 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 921 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 922 offsetof(struct __sk_buff, pkt_type)), 923 BPF_EXIT_INSN(), 924 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 927 BPF_LD_MAP_FD(BPF_REG_1, 0), 928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 929 BPF_FUNC_map_lookup_elem), 930 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 931 BPF_EXIT_INSN(), 932 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 933 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 934 }, 935 .fixup_map1 = { 6 }, 936 .errstr = "different pointers", 937 .errstr_unpriv = "R1 pointer comparison", 938 .result = REJECT, 939 }, 940 { 941 "access skb fields bad4", 942 .insns = { 943 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 944 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 945 offsetof(struct __sk_buff, len)), 946 BPF_MOV64_IMM(BPF_REG_0, 0), 947 BPF_EXIT_INSN(), 948 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 949 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 951 BPF_LD_MAP_FD(BPF_REG_1, 0), 952 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 953 BPF_FUNC_map_lookup_elem), 954 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 955 BPF_EXIT_INSN(), 956 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 957 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 958 }, 959 .fixup_map1 = { 7 }, 960 .errstr = "different pointers", 961 .errstr_unpriv = "R1 pointer comparison", 962 .result = REJECT, 963 }, 964 { 965 "check skb->mark is not writeable by sockets", 966 .insns = { 967 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 968 offsetof(struct __sk_buff, mark)), 969 BPF_EXIT_INSN(), 970 }, 971 .errstr = "invalid bpf_context access", 972 .errstr_unpriv = "R1 leaks addr", 973 .result = REJECT, 974 }, 975 { 976 "check skb->tc_index is not writeable by sockets", 977 .insns = { 978 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 979 offsetof(struct __sk_buff, tc_index)), 980 BPF_EXIT_INSN(), 981 }, 982 .errstr = "invalid bpf_context access", 983 .errstr_unpriv = "R1 leaks addr", 984 .result = REJECT, 985 }, 986 { 987 "check cb access: byte", 988 .insns = { 989 BPF_MOV64_IMM(BPF_REG_0, 0), 990 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 991 offsetof(struct __sk_buff, cb[0])), 992 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 993 offsetof(struct __sk_buff, cb[0]) + 1), 994 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 995 offsetof(struct __sk_buff, cb[0]) + 2), 996 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 997 offsetof(struct __sk_buff, cb[0]) + 3), 998 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 999 offsetof(struct __sk_buff, cb[1])), 1000 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1001 offsetof(struct __sk_buff, cb[1]) + 1), 1002 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1003 offsetof(struct __sk_buff, cb[1]) + 2), 1004 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1005 offsetof(struct __sk_buff, cb[1]) + 3), 1006 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1007 offsetof(struct __sk_buff, cb[2])), 1008 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1009 offsetof(struct __sk_buff, cb[2]) + 1), 1010 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1011 offsetof(struct __sk_buff, cb[2]) + 2), 1012 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1013 offsetof(struct __sk_buff, cb[2]) + 3), 1014 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1015 offsetof(struct __sk_buff, cb[3])), 1016 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1017 offsetof(struct __sk_buff, cb[3]) + 1), 1018 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1019 offsetof(struct __sk_buff, cb[3]) + 2), 1020 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1021 offsetof(struct __sk_buff, cb[3]) + 3), 1022 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1023 offsetof(struct __sk_buff, cb[4])), 1024 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1025 offsetof(struct __sk_buff, cb[4]) + 1), 1026 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1027 offsetof(struct __sk_buff, cb[4]) + 2), 1028 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1029 offsetof(struct __sk_buff, cb[4]) + 3), 1030 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1031 offsetof(struct __sk_buff, cb[0])), 1032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1033 offsetof(struct __sk_buff, cb[0]) + 1), 1034 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1035 offsetof(struct __sk_buff, cb[0]) + 2), 1036 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1037 offsetof(struct __sk_buff, cb[0]) + 3), 1038 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1039 offsetof(struct __sk_buff, cb[1])), 1040 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1041 offsetof(struct __sk_buff, cb[1]) + 1), 1042 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1043 offsetof(struct __sk_buff, cb[1]) + 2), 1044 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1045 offsetof(struct __sk_buff, cb[1]) + 3), 1046 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1047 offsetof(struct __sk_buff, cb[2])), 1048 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1049 offsetof(struct __sk_buff, cb[2]) + 1), 1050 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1051 offsetof(struct __sk_buff, cb[2]) + 2), 1052 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1053 offsetof(struct __sk_buff, cb[2]) + 3), 1054 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1055 offsetof(struct __sk_buff, cb[3])), 1056 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1057 offsetof(struct __sk_buff, cb[3]) + 1), 1058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1059 offsetof(struct __sk_buff, cb[3]) + 2), 1060 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1061 offsetof(struct __sk_buff, cb[3]) + 3), 1062 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1063 offsetof(struct __sk_buff, cb[4])), 1064 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1065 offsetof(struct __sk_buff, cb[4]) + 1), 1066 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1067 offsetof(struct __sk_buff, cb[4]) + 2), 1068 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1069 offsetof(struct __sk_buff, cb[4]) + 3), 1070 BPF_EXIT_INSN(), 1071 }, 1072 .result = ACCEPT, 1073 }, 1074 { 1075 "check cb access: byte, oob 1", 1076 .insns = { 1077 BPF_MOV64_IMM(BPF_REG_0, 0), 1078 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1079 offsetof(struct __sk_buff, cb[4]) + 4), 1080 BPF_EXIT_INSN(), 1081 }, 1082 .errstr = "invalid bpf_context access", 1083 .result = REJECT, 1084 }, 1085 { 1086 "check cb access: byte, oob 2", 1087 .insns = { 1088 BPF_MOV64_IMM(BPF_REG_0, 0), 1089 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1090 offsetof(struct __sk_buff, cb[0]) - 1), 1091 BPF_EXIT_INSN(), 1092 }, 1093 .errstr = "invalid bpf_context access", 1094 .result = REJECT, 1095 }, 1096 { 1097 "check cb access: byte, oob 3", 1098 .insns = { 1099 BPF_MOV64_IMM(BPF_REG_0, 0), 1100 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1101 offsetof(struct __sk_buff, cb[4]) + 4), 1102 BPF_EXIT_INSN(), 1103 }, 1104 .errstr = "invalid bpf_context access", 1105 .result = REJECT, 1106 }, 1107 { 1108 "check cb access: byte, oob 4", 1109 .insns = { 1110 BPF_MOV64_IMM(BPF_REG_0, 0), 1111 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1112 offsetof(struct __sk_buff, cb[0]) - 1), 1113 BPF_EXIT_INSN(), 1114 }, 1115 .errstr = "invalid bpf_context access", 1116 .result = REJECT, 1117 }, 1118 { 1119 "check cb access: byte, wrong type", 1120 .insns = { 1121 BPF_MOV64_IMM(BPF_REG_0, 0), 1122 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1123 offsetof(struct __sk_buff, cb[0])), 1124 BPF_EXIT_INSN(), 1125 }, 1126 .errstr = "invalid bpf_context access", 1127 .result = REJECT, 1128 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1129 }, 1130 { 1131 "check cb access: half", 1132 .insns = { 1133 BPF_MOV64_IMM(BPF_REG_0, 0), 1134 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1135 offsetof(struct __sk_buff, cb[0])), 1136 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1137 offsetof(struct __sk_buff, cb[0]) + 2), 1138 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1139 offsetof(struct __sk_buff, cb[1])), 1140 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1141 offsetof(struct __sk_buff, cb[1]) + 2), 1142 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1143 offsetof(struct __sk_buff, cb[2])), 1144 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1145 offsetof(struct __sk_buff, cb[2]) + 2), 1146 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1147 offsetof(struct __sk_buff, cb[3])), 1148 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1149 offsetof(struct __sk_buff, cb[3]) + 2), 1150 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1151 offsetof(struct __sk_buff, cb[4])), 1152 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1153 offsetof(struct __sk_buff, cb[4]) + 2), 1154 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1155 offsetof(struct __sk_buff, cb[0])), 1156 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1157 offsetof(struct __sk_buff, cb[0]) + 2), 1158 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1159 offsetof(struct __sk_buff, cb[1])), 1160 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1161 offsetof(struct __sk_buff, cb[1]) + 2), 1162 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1163 offsetof(struct __sk_buff, cb[2])), 1164 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1165 offsetof(struct __sk_buff, cb[2]) + 2), 1166 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1167 offsetof(struct __sk_buff, cb[3])), 1168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1169 offsetof(struct __sk_buff, cb[3]) + 2), 1170 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1171 offsetof(struct __sk_buff, cb[4])), 1172 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1173 offsetof(struct __sk_buff, cb[4]) + 2), 1174 BPF_EXIT_INSN(), 1175 }, 1176 .result = ACCEPT, 1177 }, 1178 { 1179 "check cb access: half, unaligned", 1180 .insns = { 1181 BPF_MOV64_IMM(BPF_REG_0, 0), 1182 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1183 offsetof(struct __sk_buff, cb[0]) + 1), 1184 BPF_EXIT_INSN(), 1185 }, 1186 .errstr = "misaligned access", 1187 .result = REJECT, 1188 }, 1189 { 1190 "check cb access: half, oob 1", 1191 .insns = { 1192 BPF_MOV64_IMM(BPF_REG_0, 0), 1193 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1194 offsetof(struct __sk_buff, cb[4]) + 4), 1195 BPF_EXIT_INSN(), 1196 }, 1197 .errstr = "invalid bpf_context access", 1198 .result = REJECT, 1199 }, 1200 { 1201 "check cb access: half, oob 2", 1202 .insns = { 1203 BPF_MOV64_IMM(BPF_REG_0, 0), 1204 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1205 offsetof(struct __sk_buff, cb[0]) - 2), 1206 BPF_EXIT_INSN(), 1207 }, 1208 .errstr = "invalid bpf_context access", 1209 .result = REJECT, 1210 }, 1211 { 1212 "check cb access: half, oob 3", 1213 .insns = { 1214 BPF_MOV64_IMM(BPF_REG_0, 0), 1215 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1216 offsetof(struct __sk_buff, cb[4]) + 4), 1217 BPF_EXIT_INSN(), 1218 }, 1219 .errstr = "invalid bpf_context access", 1220 .result = REJECT, 1221 }, 1222 { 1223 "check cb access: half, oob 4", 1224 .insns = { 1225 BPF_MOV64_IMM(BPF_REG_0, 0), 1226 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1227 offsetof(struct __sk_buff, cb[0]) - 2), 1228 BPF_EXIT_INSN(), 1229 }, 1230 .errstr = "invalid bpf_context access", 1231 .result = REJECT, 1232 }, 1233 { 1234 "check cb access: half, wrong type", 1235 .insns = { 1236 BPF_MOV64_IMM(BPF_REG_0, 0), 1237 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1238 offsetof(struct __sk_buff, cb[0])), 1239 BPF_EXIT_INSN(), 1240 }, 1241 .errstr = "invalid bpf_context access", 1242 .result = REJECT, 1243 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1244 }, 1245 { 1246 "check cb access: word", 1247 .insns = { 1248 BPF_MOV64_IMM(BPF_REG_0, 0), 1249 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1250 offsetof(struct __sk_buff, cb[0])), 1251 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1252 offsetof(struct __sk_buff, cb[1])), 1253 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1254 offsetof(struct __sk_buff, cb[2])), 1255 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1256 offsetof(struct __sk_buff, cb[3])), 1257 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1258 offsetof(struct __sk_buff, cb[4])), 1259 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1260 offsetof(struct __sk_buff, cb[0])), 1261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1262 offsetof(struct __sk_buff, cb[1])), 1263 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1264 offsetof(struct __sk_buff, cb[2])), 1265 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1266 offsetof(struct __sk_buff, cb[3])), 1267 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1268 offsetof(struct __sk_buff, cb[4])), 1269 BPF_EXIT_INSN(), 1270 }, 1271 .result = ACCEPT, 1272 }, 1273 { 1274 "check cb access: word, unaligned 1", 1275 .insns = { 1276 BPF_MOV64_IMM(BPF_REG_0, 0), 1277 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1278 offsetof(struct __sk_buff, cb[0]) + 2), 1279 BPF_EXIT_INSN(), 1280 }, 1281 .errstr = "misaligned access", 1282 .result = REJECT, 1283 }, 1284 { 1285 "check cb access: word, unaligned 2", 1286 .insns = { 1287 BPF_MOV64_IMM(BPF_REG_0, 0), 1288 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1289 offsetof(struct __sk_buff, cb[4]) + 1), 1290 BPF_EXIT_INSN(), 1291 }, 1292 .errstr = "misaligned access", 1293 .result = REJECT, 1294 }, 1295 { 1296 "check cb access: word, unaligned 3", 1297 .insns = { 1298 BPF_MOV64_IMM(BPF_REG_0, 0), 1299 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1300 offsetof(struct __sk_buff, cb[4]) + 2), 1301 BPF_EXIT_INSN(), 1302 }, 1303 .errstr = "misaligned access", 1304 .result = REJECT, 1305 }, 1306 { 1307 "check cb access: word, unaligned 4", 1308 .insns = { 1309 BPF_MOV64_IMM(BPF_REG_0, 0), 1310 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1311 offsetof(struct __sk_buff, cb[4]) + 3), 1312 BPF_EXIT_INSN(), 1313 }, 1314 .errstr = "misaligned access", 1315 .result = REJECT, 1316 }, 1317 { 1318 "check cb access: double", 1319 .insns = { 1320 BPF_MOV64_IMM(BPF_REG_0, 0), 1321 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1322 offsetof(struct __sk_buff, cb[0])), 1323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1324 offsetof(struct __sk_buff, cb[2])), 1325 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1326 offsetof(struct __sk_buff, cb[0])), 1327 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1328 offsetof(struct __sk_buff, cb[2])), 1329 BPF_EXIT_INSN(), 1330 }, 1331 .result = ACCEPT, 1332 }, 1333 { 1334 "check cb access: double, unaligned 1", 1335 .insns = { 1336 BPF_MOV64_IMM(BPF_REG_0, 0), 1337 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1338 offsetof(struct __sk_buff, cb[1])), 1339 BPF_EXIT_INSN(), 1340 }, 1341 .errstr = "misaligned access", 1342 .result = REJECT, 1343 }, 1344 { 1345 "check cb access: double, unaligned 2", 1346 .insns = { 1347 BPF_MOV64_IMM(BPF_REG_0, 0), 1348 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1349 offsetof(struct __sk_buff, cb[3])), 1350 BPF_EXIT_INSN(), 1351 }, 1352 .errstr = "misaligned access", 1353 .result = REJECT, 1354 }, 1355 { 1356 "check cb access: double, oob 1", 1357 .insns = { 1358 BPF_MOV64_IMM(BPF_REG_0, 0), 1359 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1360 offsetof(struct __sk_buff, cb[4])), 1361 BPF_EXIT_INSN(), 1362 }, 1363 .errstr = "invalid bpf_context access", 1364 .result = REJECT, 1365 }, 1366 { 1367 "check cb access: double, oob 2", 1368 .insns = { 1369 BPF_MOV64_IMM(BPF_REG_0, 0), 1370 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1371 offsetof(struct __sk_buff, cb[4]) + 8), 1372 BPF_EXIT_INSN(), 1373 }, 1374 .errstr = "invalid bpf_context access", 1375 .result = REJECT, 1376 }, 1377 { 1378 "check cb access: double, oob 3", 1379 .insns = { 1380 BPF_MOV64_IMM(BPF_REG_0, 0), 1381 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1382 offsetof(struct __sk_buff, cb[0]) - 8), 1383 BPF_EXIT_INSN(), 1384 }, 1385 .errstr = "invalid bpf_context access", 1386 .result = REJECT, 1387 }, 1388 { 1389 "check cb access: double, oob 4", 1390 .insns = { 1391 BPF_MOV64_IMM(BPF_REG_0, 0), 1392 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1393 offsetof(struct __sk_buff, cb[4])), 1394 BPF_EXIT_INSN(), 1395 }, 1396 .errstr = "invalid bpf_context access", 1397 .result = REJECT, 1398 }, 1399 { 1400 "check cb access: double, oob 5", 1401 .insns = { 1402 BPF_MOV64_IMM(BPF_REG_0, 0), 1403 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1404 offsetof(struct __sk_buff, cb[4]) + 8), 1405 BPF_EXIT_INSN(), 1406 }, 1407 .errstr = "invalid bpf_context access", 1408 .result = REJECT, 1409 }, 1410 { 1411 "check cb access: double, oob 6", 1412 .insns = { 1413 BPF_MOV64_IMM(BPF_REG_0, 0), 1414 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1415 offsetof(struct __sk_buff, cb[0]) - 8), 1416 BPF_EXIT_INSN(), 1417 }, 1418 .errstr = "invalid bpf_context access", 1419 .result = REJECT, 1420 }, 1421 { 1422 "check cb access: double, wrong type", 1423 .insns = { 1424 BPF_MOV64_IMM(BPF_REG_0, 0), 1425 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1426 offsetof(struct __sk_buff, cb[0])), 1427 BPF_EXIT_INSN(), 1428 }, 1429 .errstr = "invalid bpf_context access", 1430 .result = REJECT, 1431 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1432 }, 1433 { 1434 "check out of range skb->cb access", 1435 .insns = { 1436 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1437 offsetof(struct __sk_buff, cb[0]) + 256), 1438 BPF_EXIT_INSN(), 1439 }, 1440 .errstr = "invalid bpf_context access", 1441 .errstr_unpriv = "", 1442 .result = REJECT, 1443 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 1444 }, 1445 { 1446 "write skb fields from socket prog", 1447 .insns = { 1448 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1449 offsetof(struct __sk_buff, cb[4])), 1450 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1451 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1452 offsetof(struct __sk_buff, mark)), 1453 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1454 offsetof(struct __sk_buff, tc_index)), 1455 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1456 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1457 offsetof(struct __sk_buff, cb[0])), 1458 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1459 offsetof(struct __sk_buff, cb[2])), 1460 BPF_EXIT_INSN(), 1461 }, 1462 .result = ACCEPT, 1463 .errstr_unpriv = "R1 leaks addr", 1464 .result_unpriv = REJECT, 1465 }, 1466 { 1467 "write skb fields from tc_cls_act prog", 1468 .insns = { 1469 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1470 offsetof(struct __sk_buff, cb[0])), 1471 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1472 offsetof(struct __sk_buff, mark)), 1473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1474 offsetof(struct __sk_buff, tc_index)), 1475 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1476 offsetof(struct __sk_buff, tc_index)), 1477 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1478 offsetof(struct __sk_buff, cb[3])), 1479 BPF_EXIT_INSN(), 1480 }, 1481 .errstr_unpriv = "", 1482 .result_unpriv = REJECT, 1483 .result = ACCEPT, 1484 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1485 }, 1486 { 1487 "PTR_TO_STACK store/load", 1488 .insns = { 1489 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1491 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1492 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1493 BPF_EXIT_INSN(), 1494 }, 1495 .result = ACCEPT, 1496 }, 1497 { 1498 "PTR_TO_STACK store/load - bad alignment on off", 1499 .insns = { 1500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1502 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1504 BPF_EXIT_INSN(), 1505 }, 1506 .result = REJECT, 1507 .errstr = "misaligned access off -6 size 8", 1508 }, 1509 { 1510 "PTR_TO_STACK store/load - bad alignment on reg", 1511 .insns = { 1512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1514 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1515 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1516 BPF_EXIT_INSN(), 1517 }, 1518 .result = REJECT, 1519 .errstr = "misaligned access off -2 size 8", 1520 }, 1521 { 1522 "PTR_TO_STACK store/load - out of bounds low", 1523 .insns = { 1524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 1526 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1527 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1528 BPF_EXIT_INSN(), 1529 }, 1530 .result = REJECT, 1531 .errstr = "invalid stack off=-79992 size=8", 1532 }, 1533 { 1534 "PTR_TO_STACK store/load - out of bounds high", 1535 .insns = { 1536 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1538 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1539 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1540 BPF_EXIT_INSN(), 1541 }, 1542 .result = REJECT, 1543 .errstr = "invalid stack off=0 size=8", 1544 }, 1545 { 1546 "unpriv: return pointer", 1547 .insns = { 1548 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 1549 BPF_EXIT_INSN(), 1550 }, 1551 .result = ACCEPT, 1552 .result_unpriv = REJECT, 1553 .errstr_unpriv = "R0 leaks addr", 1554 }, 1555 { 1556 "unpriv: add const to pointer", 1557 .insns = { 1558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 1559 BPF_MOV64_IMM(BPF_REG_0, 0), 1560 BPF_EXIT_INSN(), 1561 }, 1562 .result = ACCEPT, 1563 .result_unpriv = REJECT, 1564 .errstr_unpriv = "R1 pointer arithmetic", 1565 }, 1566 { 1567 "unpriv: add pointer to pointer", 1568 .insns = { 1569 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1570 BPF_MOV64_IMM(BPF_REG_0, 0), 1571 BPF_EXIT_INSN(), 1572 }, 1573 .result = ACCEPT, 1574 .result_unpriv = REJECT, 1575 .errstr_unpriv = "R1 pointer arithmetic", 1576 }, 1577 { 1578 "unpriv: neg pointer", 1579 .insns = { 1580 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 1581 BPF_MOV64_IMM(BPF_REG_0, 0), 1582 BPF_EXIT_INSN(), 1583 }, 1584 .result = ACCEPT, 1585 .result_unpriv = REJECT, 1586 .errstr_unpriv = "R1 pointer arithmetic", 1587 }, 1588 { 1589 "unpriv: cmp pointer with const", 1590 .insns = { 1591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1592 BPF_MOV64_IMM(BPF_REG_0, 0), 1593 BPF_EXIT_INSN(), 1594 }, 1595 .result = ACCEPT, 1596 .result_unpriv = REJECT, 1597 .errstr_unpriv = "R1 pointer comparison", 1598 }, 1599 { 1600 "unpriv: cmp pointer with pointer", 1601 .insns = { 1602 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1603 BPF_MOV64_IMM(BPF_REG_0, 0), 1604 BPF_EXIT_INSN(), 1605 }, 1606 .result = ACCEPT, 1607 .result_unpriv = REJECT, 1608 .errstr_unpriv = "R10 pointer comparison", 1609 }, 1610 { 1611 "unpriv: check that printk is disallowed", 1612 .insns = { 1613 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1616 BPF_MOV64_IMM(BPF_REG_2, 8), 1617 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1619 BPF_FUNC_trace_printk), 1620 BPF_MOV64_IMM(BPF_REG_0, 0), 1621 BPF_EXIT_INSN(), 1622 }, 1623 .errstr_unpriv = "unknown func bpf_trace_printk#6", 1624 .result_unpriv = REJECT, 1625 .result = ACCEPT, 1626 }, 1627 { 1628 "unpriv: pass pointer to helper function", 1629 .insns = { 1630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1631 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1633 BPF_LD_MAP_FD(BPF_REG_1, 0), 1634 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1635 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 1636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1637 BPF_FUNC_map_update_elem), 1638 BPF_MOV64_IMM(BPF_REG_0, 0), 1639 BPF_EXIT_INSN(), 1640 }, 1641 .fixup_map1 = { 3 }, 1642 .errstr_unpriv = "R4 leaks addr", 1643 .result_unpriv = REJECT, 1644 .result = ACCEPT, 1645 }, 1646 { 1647 "unpriv: indirectly pass pointer on stack to helper function", 1648 .insns = { 1649 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1650 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1652 BPF_LD_MAP_FD(BPF_REG_1, 0), 1653 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1654 BPF_FUNC_map_lookup_elem), 1655 BPF_MOV64_IMM(BPF_REG_0, 0), 1656 BPF_EXIT_INSN(), 1657 }, 1658 .fixup_map1 = { 3 }, 1659 .errstr = "invalid indirect read from stack off -8+0 size 8", 1660 .result = REJECT, 1661 }, 1662 { 1663 "unpriv: mangle pointer on stack 1", 1664 .insns = { 1665 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1666 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 1667 BPF_MOV64_IMM(BPF_REG_0, 0), 1668 BPF_EXIT_INSN(), 1669 }, 1670 .errstr_unpriv = "attempt to corrupt spilled", 1671 .result_unpriv = REJECT, 1672 .result = ACCEPT, 1673 }, 1674 { 1675 "unpriv: mangle pointer on stack 2", 1676 .insns = { 1677 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1678 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 1679 BPF_MOV64_IMM(BPF_REG_0, 0), 1680 BPF_EXIT_INSN(), 1681 }, 1682 .errstr_unpriv = "attempt to corrupt spilled", 1683 .result_unpriv = REJECT, 1684 .result = ACCEPT, 1685 }, 1686 { 1687 "unpriv: read pointer from stack in small chunks", 1688 .insns = { 1689 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1690 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 1691 BPF_MOV64_IMM(BPF_REG_0, 0), 1692 BPF_EXIT_INSN(), 1693 }, 1694 .errstr = "invalid size", 1695 .result = REJECT, 1696 }, 1697 { 1698 "unpriv: write pointer into ctx", 1699 .insns = { 1700 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 1701 BPF_MOV64_IMM(BPF_REG_0, 0), 1702 BPF_EXIT_INSN(), 1703 }, 1704 .errstr_unpriv = "R1 leaks addr", 1705 .result_unpriv = REJECT, 1706 .errstr = "invalid bpf_context access", 1707 .result = REJECT, 1708 }, 1709 { 1710 "unpriv: spill/fill of ctx", 1711 .insns = { 1712 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1714 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1715 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1716 BPF_MOV64_IMM(BPF_REG_0, 0), 1717 BPF_EXIT_INSN(), 1718 }, 1719 .result = ACCEPT, 1720 }, 1721 { 1722 "unpriv: spill/fill of ctx 2", 1723 .insns = { 1724 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1726 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1727 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1729 BPF_FUNC_get_hash_recalc), 1730 BPF_EXIT_INSN(), 1731 }, 1732 .result = ACCEPT, 1733 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1734 }, 1735 { 1736 "unpriv: spill/fill of ctx 3", 1737 .insns = { 1738 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1740 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1741 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1742 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1743 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1744 BPF_FUNC_get_hash_recalc), 1745 BPF_EXIT_INSN(), 1746 }, 1747 .result = REJECT, 1748 .errstr = "R1 type=fp expected=ctx", 1749 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1750 }, 1751 { 1752 "unpriv: spill/fill of ctx 4", 1753 .insns = { 1754 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1756 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1757 BPF_MOV64_IMM(BPF_REG_0, 1), 1758 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 1759 BPF_REG_0, -8, 0), 1760 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1762 BPF_FUNC_get_hash_recalc), 1763 BPF_EXIT_INSN(), 1764 }, 1765 .result = REJECT, 1766 .errstr = "R1 type=inv expected=ctx", 1767 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1768 }, 1769 { 1770 "unpriv: spill/fill of different pointers stx", 1771 .insns = { 1772 BPF_MOV64_IMM(BPF_REG_3, 42), 1773 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 1778 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1779 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1780 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1781 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1782 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 1783 offsetof(struct __sk_buff, mark)), 1784 BPF_MOV64_IMM(BPF_REG_0, 0), 1785 BPF_EXIT_INSN(), 1786 }, 1787 .result = REJECT, 1788 .errstr = "same insn cannot be used with different pointers", 1789 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1790 }, 1791 { 1792 "unpriv: spill/fill of different pointers ldx", 1793 .insns = { 1794 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1795 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1797 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1799 -(__s32)offsetof(struct bpf_perf_event_data, 1800 sample_period) - 8), 1801 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1802 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1803 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1804 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1805 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 1806 offsetof(struct bpf_perf_event_data, 1807 sample_period)), 1808 BPF_MOV64_IMM(BPF_REG_0, 0), 1809 BPF_EXIT_INSN(), 1810 }, 1811 .result = REJECT, 1812 .errstr = "same insn cannot be used with different pointers", 1813 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 1814 }, 1815 { 1816 "unpriv: write pointer into map elem value", 1817 .insns = { 1818 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1821 BPF_LD_MAP_FD(BPF_REG_1, 0), 1822 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1823 BPF_FUNC_map_lookup_elem), 1824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 1825 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 1826 BPF_EXIT_INSN(), 1827 }, 1828 .fixup_map1 = { 3 }, 1829 .errstr_unpriv = "R0 leaks addr", 1830 .result_unpriv = REJECT, 1831 .result = ACCEPT, 1832 }, 1833 { 1834 "unpriv: partial copy of pointer", 1835 .insns = { 1836 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 1837 BPF_MOV64_IMM(BPF_REG_0, 0), 1838 BPF_EXIT_INSN(), 1839 }, 1840 .errstr_unpriv = "R10 partial copy", 1841 .result_unpriv = REJECT, 1842 .result = ACCEPT, 1843 }, 1844 { 1845 "unpriv: pass pointer to tail_call", 1846 .insns = { 1847 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1848 BPF_LD_MAP_FD(BPF_REG_2, 0), 1849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1850 BPF_FUNC_tail_call), 1851 BPF_MOV64_IMM(BPF_REG_0, 0), 1852 BPF_EXIT_INSN(), 1853 }, 1854 .fixup_prog = { 1 }, 1855 .errstr_unpriv = "R3 leaks addr into helper", 1856 .result_unpriv = REJECT, 1857 .result = ACCEPT, 1858 }, 1859 { 1860 "unpriv: cmp map pointer with zero", 1861 .insns = { 1862 BPF_MOV64_IMM(BPF_REG_1, 0), 1863 BPF_LD_MAP_FD(BPF_REG_1, 0), 1864 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1865 BPF_MOV64_IMM(BPF_REG_0, 0), 1866 BPF_EXIT_INSN(), 1867 }, 1868 .fixup_map1 = { 1 }, 1869 .errstr_unpriv = "R1 pointer comparison", 1870 .result_unpriv = REJECT, 1871 .result = ACCEPT, 1872 }, 1873 { 1874 "unpriv: write into frame pointer", 1875 .insns = { 1876 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 1877 BPF_MOV64_IMM(BPF_REG_0, 0), 1878 BPF_EXIT_INSN(), 1879 }, 1880 .errstr = "frame pointer is read only", 1881 .result = REJECT, 1882 }, 1883 { 1884 "unpriv: spill/fill frame pointer", 1885 .insns = { 1886 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1888 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1889 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 1890 BPF_MOV64_IMM(BPF_REG_0, 0), 1891 BPF_EXIT_INSN(), 1892 }, 1893 .errstr = "frame pointer is read only", 1894 .result = REJECT, 1895 }, 1896 { 1897 "unpriv: cmp of frame pointer", 1898 .insns = { 1899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 1900 BPF_MOV64_IMM(BPF_REG_0, 0), 1901 BPF_EXIT_INSN(), 1902 }, 1903 .errstr_unpriv = "R10 pointer comparison", 1904 .result_unpriv = REJECT, 1905 .result = ACCEPT, 1906 }, 1907 { 1908 "unpriv: adding of fp", 1909 .insns = { 1910 BPF_MOV64_IMM(BPF_REG_0, 0), 1911 BPF_MOV64_IMM(BPF_REG_1, 0), 1912 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1913 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 1914 BPF_EXIT_INSN(), 1915 }, 1916 .errstr_unpriv = "pointer arithmetic prohibited", 1917 .result_unpriv = REJECT, 1918 .errstr = "R1 invalid mem access", 1919 .result = REJECT, 1920 }, 1921 { 1922 "unpriv: cmp of stack pointer", 1923 .insns = { 1924 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 1927 BPF_MOV64_IMM(BPF_REG_0, 0), 1928 BPF_EXIT_INSN(), 1929 }, 1930 .errstr_unpriv = "R2 pointer comparison", 1931 .result_unpriv = REJECT, 1932 .result = ACCEPT, 1933 }, 1934 { 1935 "stack pointer arithmetic", 1936 .insns = { 1937 BPF_MOV64_IMM(BPF_REG_1, 4), 1938 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1939 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 1940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 1941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 1942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 1943 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 1944 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 1945 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 1946 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 1947 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 1948 BPF_MOV64_IMM(BPF_REG_0, 0), 1949 BPF_EXIT_INSN(), 1950 }, 1951 .result = ACCEPT, 1952 }, 1953 { 1954 "raw_stack: no skb_load_bytes", 1955 .insns = { 1956 BPF_MOV64_IMM(BPF_REG_2, 4), 1957 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1959 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1960 BPF_MOV64_IMM(BPF_REG_4, 8), 1961 /* Call to skb_load_bytes() omitted. */ 1962 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1963 BPF_EXIT_INSN(), 1964 }, 1965 .result = REJECT, 1966 .errstr = "invalid read from stack off -8+0 size 8", 1967 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1968 }, 1969 { 1970 "raw_stack: skb_load_bytes, negative len", 1971 .insns = { 1972 BPF_MOV64_IMM(BPF_REG_2, 4), 1973 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1975 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1976 BPF_MOV64_IMM(BPF_REG_4, -8), 1977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1978 BPF_FUNC_skb_load_bytes), 1979 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1980 BPF_EXIT_INSN(), 1981 }, 1982 .result = REJECT, 1983 .errstr = "invalid stack type R3", 1984 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1985 }, 1986 { 1987 "raw_stack: skb_load_bytes, negative len 2", 1988 .insns = { 1989 BPF_MOV64_IMM(BPF_REG_2, 4), 1990 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1992 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1993 BPF_MOV64_IMM(BPF_REG_4, ~0), 1994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1995 BPF_FUNC_skb_load_bytes), 1996 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1997 BPF_EXIT_INSN(), 1998 }, 1999 .result = REJECT, 2000 .errstr = "invalid stack type R3", 2001 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2002 }, 2003 { 2004 "raw_stack: skb_load_bytes, zero len", 2005 .insns = { 2006 BPF_MOV64_IMM(BPF_REG_2, 4), 2007 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2009 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2010 BPF_MOV64_IMM(BPF_REG_4, 0), 2011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2012 BPF_FUNC_skb_load_bytes), 2013 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2014 BPF_EXIT_INSN(), 2015 }, 2016 .result = REJECT, 2017 .errstr = "invalid stack type R3", 2018 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2019 }, 2020 { 2021 "raw_stack: skb_load_bytes, no init", 2022 .insns = { 2023 BPF_MOV64_IMM(BPF_REG_2, 4), 2024 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2026 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2027 BPF_MOV64_IMM(BPF_REG_4, 8), 2028 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2029 BPF_FUNC_skb_load_bytes), 2030 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2031 BPF_EXIT_INSN(), 2032 }, 2033 .result = ACCEPT, 2034 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2035 }, 2036 { 2037 "raw_stack: skb_load_bytes, init", 2038 .insns = { 2039 BPF_MOV64_IMM(BPF_REG_2, 4), 2040 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2042 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 2043 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2044 BPF_MOV64_IMM(BPF_REG_4, 8), 2045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2046 BPF_FUNC_skb_load_bytes), 2047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2048 BPF_EXIT_INSN(), 2049 }, 2050 .result = ACCEPT, 2051 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2052 }, 2053 { 2054 "raw_stack: skb_load_bytes, spilled regs around bounds", 2055 .insns = { 2056 BPF_MOV64_IMM(BPF_REG_2, 4), 2057 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2059 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2060 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2061 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2062 BPF_MOV64_IMM(BPF_REG_4, 8), 2063 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2064 BPF_FUNC_skb_load_bytes), 2065 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2066 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2067 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2068 offsetof(struct __sk_buff, mark)), 2069 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2070 offsetof(struct __sk_buff, priority)), 2071 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2072 BPF_EXIT_INSN(), 2073 }, 2074 .result = ACCEPT, 2075 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2076 }, 2077 { 2078 "raw_stack: skb_load_bytes, spilled regs corruption", 2079 .insns = { 2080 BPF_MOV64_IMM(BPF_REG_2, 4), 2081 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2083 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2084 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2085 BPF_MOV64_IMM(BPF_REG_4, 8), 2086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2087 BPF_FUNC_skb_load_bytes), 2088 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2089 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2090 offsetof(struct __sk_buff, mark)), 2091 BPF_EXIT_INSN(), 2092 }, 2093 .result = REJECT, 2094 .errstr = "R0 invalid mem access 'inv'", 2095 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2096 }, 2097 { 2098 "raw_stack: skb_load_bytes, spilled regs corruption 2", 2099 .insns = { 2100 BPF_MOV64_IMM(BPF_REG_2, 4), 2101 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2103 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2106 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2107 BPF_MOV64_IMM(BPF_REG_4, 8), 2108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2109 BPF_FUNC_skb_load_bytes), 2110 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2111 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2112 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2113 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2114 offsetof(struct __sk_buff, mark)), 2115 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2116 offsetof(struct __sk_buff, priority)), 2117 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 2119 offsetof(struct __sk_buff, pkt_type)), 2120 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2121 BPF_EXIT_INSN(), 2122 }, 2123 .result = REJECT, 2124 .errstr = "R3 invalid mem access 'inv'", 2125 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2126 }, 2127 { 2128 "raw_stack: skb_load_bytes, spilled regs + data", 2129 .insns = { 2130 BPF_MOV64_IMM(BPF_REG_2, 4), 2131 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2133 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2136 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2137 BPF_MOV64_IMM(BPF_REG_4, 8), 2138 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2139 BPF_FUNC_skb_load_bytes), 2140 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2141 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2142 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2144 offsetof(struct __sk_buff, mark)), 2145 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2146 offsetof(struct __sk_buff, priority)), 2147 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2149 BPF_EXIT_INSN(), 2150 }, 2151 .result = ACCEPT, 2152 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2153 }, 2154 { 2155 "raw_stack: skb_load_bytes, invalid access 1", 2156 .insns = { 2157 BPF_MOV64_IMM(BPF_REG_2, 4), 2158 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 2160 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2161 BPF_MOV64_IMM(BPF_REG_4, 8), 2162 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2163 BPF_FUNC_skb_load_bytes), 2164 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2165 BPF_EXIT_INSN(), 2166 }, 2167 .result = REJECT, 2168 .errstr = "invalid stack type R3 off=-513 access_size=8", 2169 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2170 }, 2171 { 2172 "raw_stack: skb_load_bytes, invalid access 2", 2173 .insns = { 2174 BPF_MOV64_IMM(BPF_REG_2, 4), 2175 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2177 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2178 BPF_MOV64_IMM(BPF_REG_4, 8), 2179 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2180 BPF_FUNC_skb_load_bytes), 2181 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2182 BPF_EXIT_INSN(), 2183 }, 2184 .result = REJECT, 2185 .errstr = "invalid stack type R3 off=-1 access_size=8", 2186 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2187 }, 2188 { 2189 "raw_stack: skb_load_bytes, invalid access 3", 2190 .insns = { 2191 BPF_MOV64_IMM(BPF_REG_2, 4), 2192 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 2194 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2195 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2197 BPF_FUNC_skb_load_bytes), 2198 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2199 BPF_EXIT_INSN(), 2200 }, 2201 .result = REJECT, 2202 .errstr = "invalid stack type R3 off=-1 access_size=-1", 2203 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2204 }, 2205 { 2206 "raw_stack: skb_load_bytes, invalid access 4", 2207 .insns = { 2208 BPF_MOV64_IMM(BPF_REG_2, 4), 2209 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2211 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2212 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2214 BPF_FUNC_skb_load_bytes), 2215 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2216 BPF_EXIT_INSN(), 2217 }, 2218 .result = REJECT, 2219 .errstr = "invalid stack type R3 off=-1 access_size=2147483647", 2220 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2221 }, 2222 { 2223 "raw_stack: skb_load_bytes, invalid access 5", 2224 .insns = { 2225 BPF_MOV64_IMM(BPF_REG_2, 4), 2226 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2228 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2229 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2231 BPF_FUNC_skb_load_bytes), 2232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2233 BPF_EXIT_INSN(), 2234 }, 2235 .result = REJECT, 2236 .errstr = "invalid stack type R3 off=-512 access_size=2147483647", 2237 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2238 }, 2239 { 2240 "raw_stack: skb_load_bytes, invalid access 6", 2241 .insns = { 2242 BPF_MOV64_IMM(BPF_REG_2, 4), 2243 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2245 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2246 BPF_MOV64_IMM(BPF_REG_4, 0), 2247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2248 BPF_FUNC_skb_load_bytes), 2249 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2250 BPF_EXIT_INSN(), 2251 }, 2252 .result = REJECT, 2253 .errstr = "invalid stack type R3 off=-512 access_size=0", 2254 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2255 }, 2256 { 2257 "raw_stack: skb_load_bytes, large access", 2258 .insns = { 2259 BPF_MOV64_IMM(BPF_REG_2, 4), 2260 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2262 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2263 BPF_MOV64_IMM(BPF_REG_4, 512), 2264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2265 BPF_FUNC_skb_load_bytes), 2266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2267 BPF_EXIT_INSN(), 2268 }, 2269 .result = ACCEPT, 2270 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2271 }, 2272 { 2273 "direct packet access: test1", 2274 .insns = { 2275 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2276 offsetof(struct __sk_buff, data)), 2277 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2278 offsetof(struct __sk_buff, data_end)), 2279 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2281 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2282 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2283 BPF_MOV64_IMM(BPF_REG_0, 0), 2284 BPF_EXIT_INSN(), 2285 }, 2286 .result = ACCEPT, 2287 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2288 }, 2289 { 2290 "direct packet access: test2", 2291 .insns = { 2292 BPF_MOV64_IMM(BPF_REG_0, 1), 2293 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 2294 offsetof(struct __sk_buff, data_end)), 2295 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2296 offsetof(struct __sk_buff, data)), 2297 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 2299 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 2300 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 2301 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 2302 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 2303 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2304 offsetof(struct __sk_buff, data)), 2305 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 2307 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48), 2308 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48), 2309 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 2310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 2311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2312 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2313 offsetof(struct __sk_buff, data_end)), 2314 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 2315 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 2316 BPF_MOV64_IMM(BPF_REG_0, 0), 2317 BPF_EXIT_INSN(), 2318 }, 2319 .result = ACCEPT, 2320 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2321 }, 2322 { 2323 "direct packet access: test3", 2324 .insns = { 2325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2326 offsetof(struct __sk_buff, data)), 2327 BPF_MOV64_IMM(BPF_REG_0, 0), 2328 BPF_EXIT_INSN(), 2329 }, 2330 .errstr = "invalid bpf_context access off=76", 2331 .result = REJECT, 2332 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 2333 }, 2334 { 2335 "direct packet access: test4 (write)", 2336 .insns = { 2337 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2338 offsetof(struct __sk_buff, data)), 2339 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2340 offsetof(struct __sk_buff, data_end)), 2341 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2343 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2344 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2345 BPF_MOV64_IMM(BPF_REG_0, 0), 2346 BPF_EXIT_INSN(), 2347 }, 2348 .result = ACCEPT, 2349 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2350 }, 2351 { 2352 "direct packet access: test5 (pkt_end >= reg, good access)", 2353 .insns = { 2354 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2355 offsetof(struct __sk_buff, data)), 2356 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2357 offsetof(struct __sk_buff, data_end)), 2358 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2360 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2361 BPF_MOV64_IMM(BPF_REG_0, 1), 2362 BPF_EXIT_INSN(), 2363 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2364 BPF_MOV64_IMM(BPF_REG_0, 0), 2365 BPF_EXIT_INSN(), 2366 }, 2367 .result = ACCEPT, 2368 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2369 }, 2370 { 2371 "direct packet access: test6 (pkt_end >= reg, bad access)", 2372 .insns = { 2373 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2374 offsetof(struct __sk_buff, data)), 2375 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2376 offsetof(struct __sk_buff, data_end)), 2377 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2379 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2380 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2381 BPF_MOV64_IMM(BPF_REG_0, 1), 2382 BPF_EXIT_INSN(), 2383 BPF_MOV64_IMM(BPF_REG_0, 0), 2384 BPF_EXIT_INSN(), 2385 }, 2386 .errstr = "invalid access to packet", 2387 .result = REJECT, 2388 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2389 }, 2390 { 2391 "direct packet access: test7 (pkt_end >= reg, both accesses)", 2392 .insns = { 2393 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2394 offsetof(struct __sk_buff, data)), 2395 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2396 offsetof(struct __sk_buff, data_end)), 2397 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2399 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2400 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2401 BPF_MOV64_IMM(BPF_REG_0, 1), 2402 BPF_EXIT_INSN(), 2403 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2404 BPF_MOV64_IMM(BPF_REG_0, 0), 2405 BPF_EXIT_INSN(), 2406 }, 2407 .errstr = "invalid access to packet", 2408 .result = REJECT, 2409 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2410 }, 2411 { 2412 "direct packet access: test8 (double test, variant 1)", 2413 .insns = { 2414 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2415 offsetof(struct __sk_buff, data)), 2416 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2417 offsetof(struct __sk_buff, data_end)), 2418 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2420 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 2421 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2423 BPF_MOV64_IMM(BPF_REG_0, 1), 2424 BPF_EXIT_INSN(), 2425 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2426 BPF_MOV64_IMM(BPF_REG_0, 0), 2427 BPF_EXIT_INSN(), 2428 }, 2429 .result = ACCEPT, 2430 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2431 }, 2432 { 2433 "direct packet access: test9 (double test, variant 2)", 2434 .insns = { 2435 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2436 offsetof(struct __sk_buff, data)), 2437 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2438 offsetof(struct __sk_buff, data_end)), 2439 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2441 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2442 BPF_MOV64_IMM(BPF_REG_0, 1), 2443 BPF_EXIT_INSN(), 2444 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2446 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2447 BPF_MOV64_IMM(BPF_REG_0, 0), 2448 BPF_EXIT_INSN(), 2449 }, 2450 .result = ACCEPT, 2451 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2452 }, 2453 { 2454 "direct packet access: test10 (write invalid)", 2455 .insns = { 2456 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2457 offsetof(struct __sk_buff, data)), 2458 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2459 offsetof(struct __sk_buff, data_end)), 2460 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2462 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 2463 BPF_MOV64_IMM(BPF_REG_0, 0), 2464 BPF_EXIT_INSN(), 2465 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2466 BPF_MOV64_IMM(BPF_REG_0, 0), 2467 BPF_EXIT_INSN(), 2468 }, 2469 .errstr = "invalid access to packet", 2470 .result = REJECT, 2471 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2472 }, 2473 { 2474 "direct packet access: test11 (shift, good access)", 2475 .insns = { 2476 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2477 offsetof(struct __sk_buff, data)), 2478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2479 offsetof(struct __sk_buff, data_end)), 2480 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2482 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2483 BPF_MOV64_IMM(BPF_REG_3, 144), 2484 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2486 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 2487 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2488 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2489 BPF_MOV64_IMM(BPF_REG_0, 1), 2490 BPF_EXIT_INSN(), 2491 BPF_MOV64_IMM(BPF_REG_0, 0), 2492 BPF_EXIT_INSN(), 2493 }, 2494 .result = ACCEPT, 2495 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2496 }, 2497 { 2498 "direct packet access: test12 (and, good access)", 2499 .insns = { 2500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2501 offsetof(struct __sk_buff, data)), 2502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2503 offsetof(struct __sk_buff, data_end)), 2504 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2506 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2507 BPF_MOV64_IMM(BPF_REG_3, 144), 2508 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2510 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2511 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2512 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2513 BPF_MOV64_IMM(BPF_REG_0, 1), 2514 BPF_EXIT_INSN(), 2515 BPF_MOV64_IMM(BPF_REG_0, 0), 2516 BPF_EXIT_INSN(), 2517 }, 2518 .result = ACCEPT, 2519 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2520 }, 2521 { 2522 "direct packet access: test13 (branches, good access)", 2523 .insns = { 2524 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2525 offsetof(struct __sk_buff, data)), 2526 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2527 offsetof(struct __sk_buff, data_end)), 2528 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2530 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 2531 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2532 offsetof(struct __sk_buff, mark)), 2533 BPF_MOV64_IMM(BPF_REG_4, 1), 2534 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 2535 BPF_MOV64_IMM(BPF_REG_3, 14), 2536 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 2537 BPF_MOV64_IMM(BPF_REG_3, 24), 2538 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2540 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2541 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2542 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2543 BPF_MOV64_IMM(BPF_REG_0, 1), 2544 BPF_EXIT_INSN(), 2545 BPF_MOV64_IMM(BPF_REG_0, 0), 2546 BPF_EXIT_INSN(), 2547 }, 2548 .result = ACCEPT, 2549 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2550 }, 2551 { 2552 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 2553 .insns = { 2554 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2555 offsetof(struct __sk_buff, data)), 2556 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2557 offsetof(struct __sk_buff, data_end)), 2558 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2560 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 2561 BPF_MOV64_IMM(BPF_REG_5, 12), 2562 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 2563 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2564 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2565 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 2566 BPF_MOV64_IMM(BPF_REG_0, 1), 2567 BPF_EXIT_INSN(), 2568 BPF_MOV64_IMM(BPF_REG_0, 0), 2569 BPF_EXIT_INSN(), 2570 }, 2571 .result = ACCEPT, 2572 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2573 }, 2574 { 2575 "direct packet access: test15 (spill with xadd)", 2576 .insns = { 2577 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2578 offsetof(struct __sk_buff, data)), 2579 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2580 offsetof(struct __sk_buff, data_end)), 2581 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2583 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2584 BPF_MOV64_IMM(BPF_REG_5, 4096), 2585 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 2586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 2587 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 2588 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0), 2589 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 2590 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0), 2591 BPF_MOV64_IMM(BPF_REG_0, 0), 2592 BPF_EXIT_INSN(), 2593 }, 2594 .errstr = "R2 invalid mem access 'inv'", 2595 .result = REJECT, 2596 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2597 }, 2598 { 2599 "direct packet access: test16 (arith on data_end)", 2600 .insns = { 2601 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2602 offsetof(struct __sk_buff, data)), 2603 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2604 offsetof(struct __sk_buff, data_end)), 2605 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16), 2608 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2609 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2610 BPF_MOV64_IMM(BPF_REG_0, 0), 2611 BPF_EXIT_INSN(), 2612 }, 2613 .errstr = "invalid access to packet", 2614 .result = REJECT, 2615 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2616 }, 2617 { 2618 "helper access to packet: test1, valid packet_ptr range", 2619 .insns = { 2620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2621 offsetof(struct xdp_md, data)), 2622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2623 offsetof(struct xdp_md, data_end)), 2624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2626 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2627 BPF_LD_MAP_FD(BPF_REG_1, 0), 2628 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2629 BPF_MOV64_IMM(BPF_REG_4, 0), 2630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2631 BPF_FUNC_map_update_elem), 2632 BPF_MOV64_IMM(BPF_REG_0, 0), 2633 BPF_EXIT_INSN(), 2634 }, 2635 .fixup_map1 = { 5 }, 2636 .result_unpriv = ACCEPT, 2637 .result = ACCEPT, 2638 .prog_type = BPF_PROG_TYPE_XDP, 2639 }, 2640 { 2641 "helper access to packet: test2, unchecked packet_ptr", 2642 .insns = { 2643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2644 offsetof(struct xdp_md, data)), 2645 BPF_LD_MAP_FD(BPF_REG_1, 0), 2646 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2647 BPF_FUNC_map_lookup_elem), 2648 BPF_MOV64_IMM(BPF_REG_0, 0), 2649 BPF_EXIT_INSN(), 2650 }, 2651 .fixup_map1 = { 1 }, 2652 .result = REJECT, 2653 .errstr = "invalid access to packet", 2654 .prog_type = BPF_PROG_TYPE_XDP, 2655 }, 2656 { 2657 "helper access to packet: test3, variable add", 2658 .insns = { 2659 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2660 offsetof(struct xdp_md, data)), 2661 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2662 offsetof(struct xdp_md, data_end)), 2663 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2665 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2666 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2667 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2668 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2669 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2671 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2672 BPF_LD_MAP_FD(BPF_REG_1, 0), 2673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2675 BPF_FUNC_map_lookup_elem), 2676 BPF_MOV64_IMM(BPF_REG_0, 0), 2677 BPF_EXIT_INSN(), 2678 }, 2679 .fixup_map1 = { 11 }, 2680 .result = ACCEPT, 2681 .prog_type = BPF_PROG_TYPE_XDP, 2682 }, 2683 { 2684 "helper access to packet: test4, packet_ptr with bad range", 2685 .insns = { 2686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2687 offsetof(struct xdp_md, data)), 2688 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2689 offsetof(struct xdp_md, data_end)), 2690 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2692 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2693 BPF_MOV64_IMM(BPF_REG_0, 0), 2694 BPF_EXIT_INSN(), 2695 BPF_LD_MAP_FD(BPF_REG_1, 0), 2696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2697 BPF_FUNC_map_lookup_elem), 2698 BPF_MOV64_IMM(BPF_REG_0, 0), 2699 BPF_EXIT_INSN(), 2700 }, 2701 .fixup_map1 = { 7 }, 2702 .result = REJECT, 2703 .errstr = "invalid access to packet", 2704 .prog_type = BPF_PROG_TYPE_XDP, 2705 }, 2706 { 2707 "helper access to packet: test5, packet_ptr with too short range", 2708 .insns = { 2709 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2710 offsetof(struct xdp_md, data)), 2711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2712 offsetof(struct xdp_md, data_end)), 2713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2714 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2716 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2717 BPF_LD_MAP_FD(BPF_REG_1, 0), 2718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2719 BPF_FUNC_map_lookup_elem), 2720 BPF_MOV64_IMM(BPF_REG_0, 0), 2721 BPF_EXIT_INSN(), 2722 }, 2723 .fixup_map1 = { 6 }, 2724 .result = REJECT, 2725 .errstr = "invalid access to packet", 2726 .prog_type = BPF_PROG_TYPE_XDP, 2727 }, 2728 { 2729 "helper access to packet: test6, cls valid packet_ptr range", 2730 .insns = { 2731 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2732 offsetof(struct __sk_buff, data)), 2733 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2734 offsetof(struct __sk_buff, data_end)), 2735 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2737 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2738 BPF_LD_MAP_FD(BPF_REG_1, 0), 2739 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2740 BPF_MOV64_IMM(BPF_REG_4, 0), 2741 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2742 BPF_FUNC_map_update_elem), 2743 BPF_MOV64_IMM(BPF_REG_0, 0), 2744 BPF_EXIT_INSN(), 2745 }, 2746 .fixup_map1 = { 5 }, 2747 .result = ACCEPT, 2748 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2749 }, 2750 { 2751 "helper access to packet: test7, cls unchecked packet_ptr", 2752 .insns = { 2753 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2754 offsetof(struct __sk_buff, data)), 2755 BPF_LD_MAP_FD(BPF_REG_1, 0), 2756 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2757 BPF_FUNC_map_lookup_elem), 2758 BPF_MOV64_IMM(BPF_REG_0, 0), 2759 BPF_EXIT_INSN(), 2760 }, 2761 .fixup_map1 = { 1 }, 2762 .result = REJECT, 2763 .errstr = "invalid access to packet", 2764 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2765 }, 2766 { 2767 "helper access to packet: test8, cls variable add", 2768 .insns = { 2769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2770 offsetof(struct __sk_buff, data)), 2771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2772 offsetof(struct __sk_buff, data_end)), 2773 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2775 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2776 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2777 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2778 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2779 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2781 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2782 BPF_LD_MAP_FD(BPF_REG_1, 0), 2783 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2784 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2785 BPF_FUNC_map_lookup_elem), 2786 BPF_MOV64_IMM(BPF_REG_0, 0), 2787 BPF_EXIT_INSN(), 2788 }, 2789 .fixup_map1 = { 11 }, 2790 .result = ACCEPT, 2791 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2792 }, 2793 { 2794 "helper access to packet: test9, cls packet_ptr with bad range", 2795 .insns = { 2796 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2797 offsetof(struct __sk_buff, data)), 2798 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2799 offsetof(struct __sk_buff, data_end)), 2800 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2802 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2803 BPF_MOV64_IMM(BPF_REG_0, 0), 2804 BPF_EXIT_INSN(), 2805 BPF_LD_MAP_FD(BPF_REG_1, 0), 2806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2807 BPF_FUNC_map_lookup_elem), 2808 BPF_MOV64_IMM(BPF_REG_0, 0), 2809 BPF_EXIT_INSN(), 2810 }, 2811 .fixup_map1 = { 7 }, 2812 .result = REJECT, 2813 .errstr = "invalid access to packet", 2814 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2815 }, 2816 { 2817 "helper access to packet: test10, cls packet_ptr with too short range", 2818 .insns = { 2819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2820 offsetof(struct __sk_buff, data)), 2821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2822 offsetof(struct __sk_buff, data_end)), 2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2824 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2826 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2827 BPF_LD_MAP_FD(BPF_REG_1, 0), 2828 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2829 BPF_FUNC_map_lookup_elem), 2830 BPF_MOV64_IMM(BPF_REG_0, 0), 2831 BPF_EXIT_INSN(), 2832 }, 2833 .fixup_map1 = { 6 }, 2834 .result = REJECT, 2835 .errstr = "invalid access to packet", 2836 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2837 }, 2838 { 2839 "helper access to packet: test11, cls unsuitable helper 1", 2840 .insns = { 2841 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2842 offsetof(struct __sk_buff, data)), 2843 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2844 offsetof(struct __sk_buff, data_end)), 2845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2846 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 2848 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 2849 BPF_MOV64_IMM(BPF_REG_2, 0), 2850 BPF_MOV64_IMM(BPF_REG_4, 42), 2851 BPF_MOV64_IMM(BPF_REG_5, 0), 2852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2853 BPF_FUNC_skb_store_bytes), 2854 BPF_MOV64_IMM(BPF_REG_0, 0), 2855 BPF_EXIT_INSN(), 2856 }, 2857 .result = REJECT, 2858 .errstr = "helper access to the packet", 2859 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2860 }, 2861 { 2862 "helper access to packet: test12, cls unsuitable helper 2", 2863 .insns = { 2864 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2865 offsetof(struct __sk_buff, data)), 2866 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2867 offsetof(struct __sk_buff, data_end)), 2868 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 2870 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 2871 BPF_MOV64_IMM(BPF_REG_2, 0), 2872 BPF_MOV64_IMM(BPF_REG_4, 4), 2873 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2874 BPF_FUNC_skb_load_bytes), 2875 BPF_MOV64_IMM(BPF_REG_0, 0), 2876 BPF_EXIT_INSN(), 2877 }, 2878 .result = REJECT, 2879 .errstr = "helper access to the packet", 2880 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2881 }, 2882 { 2883 "helper access to packet: test13, cls helper ok", 2884 .insns = { 2885 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2886 offsetof(struct __sk_buff, data)), 2887 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2888 offsetof(struct __sk_buff, data_end)), 2889 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2892 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2894 BPF_MOV64_IMM(BPF_REG_2, 4), 2895 BPF_MOV64_IMM(BPF_REG_3, 0), 2896 BPF_MOV64_IMM(BPF_REG_4, 0), 2897 BPF_MOV64_IMM(BPF_REG_5, 0), 2898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2899 BPF_FUNC_csum_diff), 2900 BPF_MOV64_IMM(BPF_REG_0, 0), 2901 BPF_EXIT_INSN(), 2902 }, 2903 .result = ACCEPT, 2904 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2905 }, 2906 { 2907 "helper access to packet: test14, cls helper fail sub", 2908 .insns = { 2909 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2910 offsetof(struct __sk_buff, data)), 2911 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2912 offsetof(struct __sk_buff, data_end)), 2913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2916 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2917 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 2918 BPF_MOV64_IMM(BPF_REG_2, 4), 2919 BPF_MOV64_IMM(BPF_REG_3, 0), 2920 BPF_MOV64_IMM(BPF_REG_4, 0), 2921 BPF_MOV64_IMM(BPF_REG_5, 0), 2922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2923 BPF_FUNC_csum_diff), 2924 BPF_MOV64_IMM(BPF_REG_0, 0), 2925 BPF_EXIT_INSN(), 2926 }, 2927 .result = REJECT, 2928 .errstr = "type=inv expected=fp", 2929 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2930 }, 2931 { 2932 "helper access to packet: test15, cls helper fail range 1", 2933 .insns = { 2934 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2935 offsetof(struct __sk_buff, data)), 2936 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2937 offsetof(struct __sk_buff, data_end)), 2938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2941 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2943 BPF_MOV64_IMM(BPF_REG_2, 8), 2944 BPF_MOV64_IMM(BPF_REG_3, 0), 2945 BPF_MOV64_IMM(BPF_REG_4, 0), 2946 BPF_MOV64_IMM(BPF_REG_5, 0), 2947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2948 BPF_FUNC_csum_diff), 2949 BPF_MOV64_IMM(BPF_REG_0, 0), 2950 BPF_EXIT_INSN(), 2951 }, 2952 .result = REJECT, 2953 .errstr = "invalid access to packet", 2954 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2955 }, 2956 { 2957 "helper access to packet: test16, cls helper fail range 2", 2958 .insns = { 2959 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2960 offsetof(struct __sk_buff, data)), 2961 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2962 offsetof(struct __sk_buff, data_end)), 2963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2964 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2966 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2968 BPF_MOV64_IMM(BPF_REG_2, -9), 2969 BPF_MOV64_IMM(BPF_REG_3, 0), 2970 BPF_MOV64_IMM(BPF_REG_4, 0), 2971 BPF_MOV64_IMM(BPF_REG_5, 0), 2972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2973 BPF_FUNC_csum_diff), 2974 BPF_MOV64_IMM(BPF_REG_0, 0), 2975 BPF_EXIT_INSN(), 2976 }, 2977 .result = REJECT, 2978 .errstr = "invalid access to packet", 2979 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2980 }, 2981 { 2982 "helper access to packet: test17, cls helper fail range 3", 2983 .insns = { 2984 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2985 offsetof(struct __sk_buff, data)), 2986 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2987 offsetof(struct __sk_buff, data_end)), 2988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2989 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2991 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2993 BPF_MOV64_IMM(BPF_REG_2, ~0), 2994 BPF_MOV64_IMM(BPF_REG_3, 0), 2995 BPF_MOV64_IMM(BPF_REG_4, 0), 2996 BPF_MOV64_IMM(BPF_REG_5, 0), 2997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2998 BPF_FUNC_csum_diff), 2999 BPF_MOV64_IMM(BPF_REG_0, 0), 3000 BPF_EXIT_INSN(), 3001 }, 3002 .result = REJECT, 3003 .errstr = "invalid access to packet", 3004 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3005 }, 3006 { 3007 "helper access to packet: test18, cls helper fail range zero", 3008 .insns = { 3009 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3010 offsetof(struct __sk_buff, data)), 3011 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3012 offsetof(struct __sk_buff, data_end)), 3013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3016 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3018 BPF_MOV64_IMM(BPF_REG_2, 0), 3019 BPF_MOV64_IMM(BPF_REG_3, 0), 3020 BPF_MOV64_IMM(BPF_REG_4, 0), 3021 BPF_MOV64_IMM(BPF_REG_5, 0), 3022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3023 BPF_FUNC_csum_diff), 3024 BPF_MOV64_IMM(BPF_REG_0, 0), 3025 BPF_EXIT_INSN(), 3026 }, 3027 .result = REJECT, 3028 .errstr = "invalid access to packet", 3029 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3030 }, 3031 { 3032 "helper access to packet: test19, pkt end as input", 3033 .insns = { 3034 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3035 offsetof(struct __sk_buff, data)), 3036 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3037 offsetof(struct __sk_buff, data_end)), 3038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3039 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3041 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3042 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 3043 BPF_MOV64_IMM(BPF_REG_2, 4), 3044 BPF_MOV64_IMM(BPF_REG_3, 0), 3045 BPF_MOV64_IMM(BPF_REG_4, 0), 3046 BPF_MOV64_IMM(BPF_REG_5, 0), 3047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3048 BPF_FUNC_csum_diff), 3049 BPF_MOV64_IMM(BPF_REG_0, 0), 3050 BPF_EXIT_INSN(), 3051 }, 3052 .result = REJECT, 3053 .errstr = "R1 type=pkt_end expected=fp", 3054 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3055 }, 3056 { 3057 "helper access to packet: test20, wrong reg", 3058 .insns = { 3059 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3060 offsetof(struct __sk_buff, data)), 3061 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3062 offsetof(struct __sk_buff, data_end)), 3063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3066 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3067 BPF_MOV64_IMM(BPF_REG_2, 4), 3068 BPF_MOV64_IMM(BPF_REG_3, 0), 3069 BPF_MOV64_IMM(BPF_REG_4, 0), 3070 BPF_MOV64_IMM(BPF_REG_5, 0), 3071 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3072 BPF_FUNC_csum_diff), 3073 BPF_MOV64_IMM(BPF_REG_0, 0), 3074 BPF_EXIT_INSN(), 3075 }, 3076 .result = REJECT, 3077 .errstr = "invalid access to packet", 3078 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3079 }, 3080 { 3081 "valid map access into an array with a constant", 3082 .insns = { 3083 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3086 BPF_LD_MAP_FD(BPF_REG_1, 0), 3087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3088 BPF_FUNC_map_lookup_elem), 3089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3090 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3091 offsetof(struct test_val, foo)), 3092 BPF_EXIT_INSN(), 3093 }, 3094 .fixup_map2 = { 3 }, 3095 .errstr_unpriv = "R0 leaks addr", 3096 .result_unpriv = REJECT, 3097 .result = ACCEPT, 3098 }, 3099 { 3100 "valid map access into an array with a register", 3101 .insns = { 3102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3105 BPF_LD_MAP_FD(BPF_REG_1, 0), 3106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3107 BPF_FUNC_map_lookup_elem), 3108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3109 BPF_MOV64_IMM(BPF_REG_1, 4), 3110 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3111 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3112 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3113 offsetof(struct test_val, foo)), 3114 BPF_EXIT_INSN(), 3115 }, 3116 .fixup_map2 = { 3 }, 3117 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3118 .result_unpriv = REJECT, 3119 .result = ACCEPT, 3120 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3121 }, 3122 { 3123 "valid map access into an array with a variable", 3124 .insns = { 3125 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3126 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3128 BPF_LD_MAP_FD(BPF_REG_1, 0), 3129 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3130 BPF_FUNC_map_lookup_elem), 3131 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3132 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3133 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 3134 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3135 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3136 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3137 offsetof(struct test_val, foo)), 3138 BPF_EXIT_INSN(), 3139 }, 3140 .fixup_map2 = { 3 }, 3141 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3142 .result_unpriv = REJECT, 3143 .result = ACCEPT, 3144 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3145 }, 3146 { 3147 "valid map access into an array with a signed variable", 3148 .insns = { 3149 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3150 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3152 BPF_LD_MAP_FD(BPF_REG_1, 0), 3153 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3154 BPF_FUNC_map_lookup_elem), 3155 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 3156 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3157 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 3158 BPF_MOV32_IMM(BPF_REG_1, 0), 3159 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3160 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3161 BPF_MOV32_IMM(BPF_REG_1, 0), 3162 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3163 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3164 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3165 offsetof(struct test_val, foo)), 3166 BPF_EXIT_INSN(), 3167 }, 3168 .fixup_map2 = { 3 }, 3169 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3170 .result_unpriv = REJECT, 3171 .result = ACCEPT, 3172 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3173 }, 3174 { 3175 "invalid map access into an array with a constant", 3176 .insns = { 3177 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3180 BPF_LD_MAP_FD(BPF_REG_1, 0), 3181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3182 BPF_FUNC_map_lookup_elem), 3183 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3184 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 3185 offsetof(struct test_val, foo)), 3186 BPF_EXIT_INSN(), 3187 }, 3188 .fixup_map2 = { 3 }, 3189 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 3190 .result = REJECT, 3191 }, 3192 { 3193 "invalid map access into an array with a register", 3194 .insns = { 3195 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3198 BPF_LD_MAP_FD(BPF_REG_1, 0), 3199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3200 BPF_FUNC_map_lookup_elem), 3201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3202 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 3203 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3204 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3205 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3206 offsetof(struct test_val, foo)), 3207 BPF_EXIT_INSN(), 3208 }, 3209 .fixup_map2 = { 3 }, 3210 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3211 .errstr = "R0 min value is outside of the array range", 3212 .result_unpriv = REJECT, 3213 .result = REJECT, 3214 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3215 }, 3216 { 3217 "invalid map access into an array with a variable", 3218 .insns = { 3219 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3220 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3222 BPF_LD_MAP_FD(BPF_REG_1, 0), 3223 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3224 BPF_FUNC_map_lookup_elem), 3225 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3226 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3227 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3228 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3229 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3230 offsetof(struct test_val, foo)), 3231 BPF_EXIT_INSN(), 3232 }, 3233 .fixup_map2 = { 3 }, 3234 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3235 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3236 .result_unpriv = REJECT, 3237 .result = REJECT, 3238 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3239 }, 3240 { 3241 "invalid map access into an array with no floor check", 3242 .insns = { 3243 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3246 BPF_LD_MAP_FD(BPF_REG_1, 0), 3247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3248 BPF_FUNC_map_lookup_elem), 3249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3250 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3251 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3252 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3253 BPF_MOV32_IMM(BPF_REG_1, 0), 3254 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3255 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3256 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3257 offsetof(struct test_val, foo)), 3258 BPF_EXIT_INSN(), 3259 }, 3260 .fixup_map2 = { 3 }, 3261 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3262 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3263 .result_unpriv = REJECT, 3264 .result = REJECT, 3265 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3266 }, 3267 { 3268 "invalid map access into an array with a invalid max check", 3269 .insns = { 3270 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3273 BPF_LD_MAP_FD(BPF_REG_1, 0), 3274 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3275 BPF_FUNC_map_lookup_elem), 3276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3277 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3278 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 3279 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3280 BPF_MOV32_IMM(BPF_REG_1, 0), 3281 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3282 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3283 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3284 offsetof(struct test_val, foo)), 3285 BPF_EXIT_INSN(), 3286 }, 3287 .fixup_map2 = { 3 }, 3288 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3289 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 3290 .result_unpriv = REJECT, 3291 .result = REJECT, 3292 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3293 }, 3294 { 3295 "invalid map access into an array with a invalid max check", 3296 .insns = { 3297 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3298 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3300 BPF_LD_MAP_FD(BPF_REG_1, 0), 3301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3302 BPF_FUNC_map_lookup_elem), 3303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 3304 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 3305 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3308 BPF_LD_MAP_FD(BPF_REG_1, 0), 3309 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3310 BPF_FUNC_map_lookup_elem), 3311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 3312 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 3313 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3314 offsetof(struct test_val, foo)), 3315 BPF_EXIT_INSN(), 3316 }, 3317 .fixup_map2 = { 3, 11 }, 3318 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3319 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3320 .result_unpriv = REJECT, 3321 .result = REJECT, 3322 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3323 }, 3324 { 3325 "multiple registers share map_lookup_elem result", 3326 .insns = { 3327 BPF_MOV64_IMM(BPF_REG_1, 10), 3328 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3331 BPF_LD_MAP_FD(BPF_REG_1, 0), 3332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3333 BPF_FUNC_map_lookup_elem), 3334 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3335 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3336 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3337 BPF_EXIT_INSN(), 3338 }, 3339 .fixup_map1 = { 4 }, 3340 .result = ACCEPT, 3341 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3342 }, 3343 { 3344 "invalid memory access with multiple map_lookup_elem calls", 3345 .insns = { 3346 BPF_MOV64_IMM(BPF_REG_1, 10), 3347 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3348 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3350 BPF_LD_MAP_FD(BPF_REG_1, 0), 3351 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3352 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3353 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3354 BPF_FUNC_map_lookup_elem), 3355 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3356 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3357 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3358 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3359 BPF_FUNC_map_lookup_elem), 3360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3361 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3362 BPF_EXIT_INSN(), 3363 }, 3364 .fixup_map1 = { 4 }, 3365 .result = REJECT, 3366 .errstr = "R4 !read_ok", 3367 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3368 }, 3369 { 3370 "valid indirect map_lookup_elem access with 2nd lookup in branch", 3371 .insns = { 3372 BPF_MOV64_IMM(BPF_REG_1, 10), 3373 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3376 BPF_LD_MAP_FD(BPF_REG_1, 0), 3377 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3378 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3380 BPF_FUNC_map_lookup_elem), 3381 BPF_MOV64_IMM(BPF_REG_2, 10), 3382 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 3383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3386 BPF_FUNC_map_lookup_elem), 3387 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3388 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3389 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3390 BPF_EXIT_INSN(), 3391 }, 3392 .fixup_map1 = { 4 }, 3393 .result = ACCEPT, 3394 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3395 }, 3396 { 3397 "multiple registers share map_lookup_elem bad reg type", 3398 .insns = { 3399 BPF_MOV64_IMM(BPF_REG_1, 10), 3400 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3401 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3403 BPF_LD_MAP_FD(BPF_REG_1, 0), 3404 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3405 BPF_FUNC_map_lookup_elem), 3406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 3407 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 3408 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3409 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3410 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3411 BPF_MOV64_IMM(BPF_REG_1, 1), 3412 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3413 BPF_MOV64_IMM(BPF_REG_1, 2), 3414 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1), 3415 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0), 3416 BPF_MOV64_IMM(BPF_REG_1, 3), 3417 BPF_EXIT_INSN(), 3418 }, 3419 .fixup_map1 = { 4 }, 3420 .result = REJECT, 3421 .errstr = "R3 invalid mem access 'inv'", 3422 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3423 }, 3424 { 3425 "invalid map access from else condition", 3426 .insns = { 3427 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3428 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3430 BPF_LD_MAP_FD(BPF_REG_1, 0), 3431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3432 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3433 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3434 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 3435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 3436 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3438 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 3439 BPF_EXIT_INSN(), 3440 }, 3441 .fixup_map2 = { 3 }, 3442 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 3443 .result = REJECT, 3444 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3445 .result_unpriv = REJECT, 3446 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3447 }, 3448 { 3449 "constant register |= constant should keep constant type", 3450 .insns = { 3451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3453 BPF_MOV64_IMM(BPF_REG_2, 34), 3454 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 3455 BPF_MOV64_IMM(BPF_REG_3, 0), 3456 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3457 BPF_EXIT_INSN(), 3458 }, 3459 .result = ACCEPT, 3460 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3461 }, 3462 { 3463 "constant register |= constant should not bypass stack boundary checks", 3464 .insns = { 3465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3467 BPF_MOV64_IMM(BPF_REG_2, 34), 3468 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 3469 BPF_MOV64_IMM(BPF_REG_3, 0), 3470 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3471 BPF_EXIT_INSN(), 3472 }, 3473 .errstr = "invalid stack type R1 off=-48 access_size=58", 3474 .result = REJECT, 3475 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3476 }, 3477 { 3478 "constant register |= constant register should keep constant type", 3479 .insns = { 3480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3482 BPF_MOV64_IMM(BPF_REG_2, 34), 3483 BPF_MOV64_IMM(BPF_REG_4, 13), 3484 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3485 BPF_MOV64_IMM(BPF_REG_3, 0), 3486 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3487 BPF_EXIT_INSN(), 3488 }, 3489 .result = ACCEPT, 3490 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3491 }, 3492 { 3493 "constant register |= constant register should not bypass stack boundary checks", 3494 .insns = { 3495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3497 BPF_MOV64_IMM(BPF_REG_2, 34), 3498 BPF_MOV64_IMM(BPF_REG_4, 24), 3499 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3500 BPF_MOV64_IMM(BPF_REG_3, 0), 3501 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3502 BPF_EXIT_INSN(), 3503 }, 3504 .errstr = "invalid stack type R1 off=-48 access_size=58", 3505 .result = REJECT, 3506 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3507 }, 3508 { 3509 "invalid direct packet write for LWT_IN", 3510 .insns = { 3511 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3512 offsetof(struct __sk_buff, data)), 3513 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3514 offsetof(struct __sk_buff, data_end)), 3515 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3517 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3518 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3519 BPF_MOV64_IMM(BPF_REG_0, 0), 3520 BPF_EXIT_INSN(), 3521 }, 3522 .errstr = "cannot write into packet", 3523 .result = REJECT, 3524 .prog_type = BPF_PROG_TYPE_LWT_IN, 3525 }, 3526 { 3527 "invalid direct packet write for LWT_OUT", 3528 .insns = { 3529 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3530 offsetof(struct __sk_buff, data)), 3531 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3532 offsetof(struct __sk_buff, data_end)), 3533 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3535 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3536 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3537 BPF_MOV64_IMM(BPF_REG_0, 0), 3538 BPF_EXIT_INSN(), 3539 }, 3540 .errstr = "cannot write into packet", 3541 .result = REJECT, 3542 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3543 }, 3544 { 3545 "direct packet write for LWT_XMIT", 3546 .insns = { 3547 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3548 offsetof(struct __sk_buff, data)), 3549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3550 offsetof(struct __sk_buff, data_end)), 3551 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3553 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3554 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3555 BPF_MOV64_IMM(BPF_REG_0, 0), 3556 BPF_EXIT_INSN(), 3557 }, 3558 .result = ACCEPT, 3559 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3560 }, 3561 { 3562 "direct packet read for LWT_IN", 3563 .insns = { 3564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3565 offsetof(struct __sk_buff, data)), 3566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3567 offsetof(struct __sk_buff, data_end)), 3568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3572 BPF_MOV64_IMM(BPF_REG_0, 0), 3573 BPF_EXIT_INSN(), 3574 }, 3575 .result = ACCEPT, 3576 .prog_type = BPF_PROG_TYPE_LWT_IN, 3577 }, 3578 { 3579 "direct packet read for LWT_OUT", 3580 .insns = { 3581 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3582 offsetof(struct __sk_buff, data)), 3583 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3584 offsetof(struct __sk_buff, data_end)), 3585 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3587 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3588 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3589 BPF_MOV64_IMM(BPF_REG_0, 0), 3590 BPF_EXIT_INSN(), 3591 }, 3592 .result = ACCEPT, 3593 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3594 }, 3595 { 3596 "direct packet read for LWT_XMIT", 3597 .insns = { 3598 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3599 offsetof(struct __sk_buff, data)), 3600 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3601 offsetof(struct __sk_buff, data_end)), 3602 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3604 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3605 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3606 BPF_MOV64_IMM(BPF_REG_0, 0), 3607 BPF_EXIT_INSN(), 3608 }, 3609 .result = ACCEPT, 3610 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3611 }, 3612 { 3613 "overlapping checks for direct packet access", 3614 .insns = { 3615 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3616 offsetof(struct __sk_buff, data)), 3617 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3618 offsetof(struct __sk_buff, data_end)), 3619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3621 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 3622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 3624 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 3625 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 3626 BPF_MOV64_IMM(BPF_REG_0, 0), 3627 BPF_EXIT_INSN(), 3628 }, 3629 .result = ACCEPT, 3630 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3631 }, 3632 { 3633 "invalid access of tc_classid for LWT_IN", 3634 .insns = { 3635 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3636 offsetof(struct __sk_buff, tc_classid)), 3637 BPF_EXIT_INSN(), 3638 }, 3639 .result = REJECT, 3640 .errstr = "invalid bpf_context access", 3641 }, 3642 { 3643 "invalid access of tc_classid for LWT_OUT", 3644 .insns = { 3645 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3646 offsetof(struct __sk_buff, tc_classid)), 3647 BPF_EXIT_INSN(), 3648 }, 3649 .result = REJECT, 3650 .errstr = "invalid bpf_context access", 3651 }, 3652 { 3653 "invalid access of tc_classid for LWT_XMIT", 3654 .insns = { 3655 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3656 offsetof(struct __sk_buff, tc_classid)), 3657 BPF_EXIT_INSN(), 3658 }, 3659 .result = REJECT, 3660 .errstr = "invalid bpf_context access", 3661 }, 3662 { 3663 "helper access to map: full range", 3664 .insns = { 3665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3667 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3668 BPF_LD_MAP_FD(BPF_REG_1, 0), 3669 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3670 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3671 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3672 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 3673 BPF_MOV64_IMM(BPF_REG_3, 0), 3674 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3675 BPF_EXIT_INSN(), 3676 }, 3677 .fixup_map2 = { 3 }, 3678 .result = ACCEPT, 3679 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3680 }, 3681 { 3682 "helper access to map: partial range", 3683 .insns = { 3684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3686 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3687 BPF_LD_MAP_FD(BPF_REG_1, 0), 3688 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3690 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3691 BPF_MOV64_IMM(BPF_REG_2, 8), 3692 BPF_MOV64_IMM(BPF_REG_3, 0), 3693 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3694 BPF_EXIT_INSN(), 3695 }, 3696 .fixup_map2 = { 3 }, 3697 .result = ACCEPT, 3698 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3699 }, 3700 { 3701 "helper access to map: empty range", 3702 .insns = { 3703 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3705 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3706 BPF_LD_MAP_FD(BPF_REG_1, 0), 3707 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3709 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3710 BPF_MOV64_IMM(BPF_REG_2, 0), 3711 BPF_MOV64_IMM(BPF_REG_3, 0), 3712 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3713 BPF_EXIT_INSN(), 3714 }, 3715 .fixup_map2 = { 3 }, 3716 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 3717 .result = REJECT, 3718 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3719 }, 3720 { 3721 "helper access to map: out-of-bound range", 3722 .insns = { 3723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3725 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3726 BPF_LD_MAP_FD(BPF_REG_1, 0), 3727 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3730 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 3731 BPF_MOV64_IMM(BPF_REG_3, 0), 3732 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3733 BPF_EXIT_INSN(), 3734 }, 3735 .fixup_map2 = { 3 }, 3736 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 3737 .result = REJECT, 3738 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3739 }, 3740 { 3741 "helper access to map: negative range", 3742 .insns = { 3743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3745 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3746 BPF_LD_MAP_FD(BPF_REG_1, 0), 3747 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3750 BPF_MOV64_IMM(BPF_REG_2, -8), 3751 BPF_MOV64_IMM(BPF_REG_3, 0), 3752 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3753 BPF_EXIT_INSN(), 3754 }, 3755 .fixup_map2 = { 3 }, 3756 .errstr = "invalid access to map value, value_size=48 off=0 size=-8", 3757 .result = REJECT, 3758 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3759 }, 3760 { 3761 "helper access to adjusted map (via const imm): full range", 3762 .insns = { 3763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3765 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3766 BPF_LD_MAP_FD(BPF_REG_1, 0), 3767 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3769 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3771 offsetof(struct test_val, foo)), 3772 BPF_MOV64_IMM(BPF_REG_2, 3773 sizeof(struct test_val) - 3774 offsetof(struct test_val, foo)), 3775 BPF_MOV64_IMM(BPF_REG_3, 0), 3776 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3777 BPF_EXIT_INSN(), 3778 }, 3779 .fixup_map2 = { 3 }, 3780 .result = ACCEPT, 3781 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3782 }, 3783 { 3784 "helper access to adjusted map (via const imm): partial range", 3785 .insns = { 3786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3788 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3789 BPF_LD_MAP_FD(BPF_REG_1, 0), 3790 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3794 offsetof(struct test_val, foo)), 3795 BPF_MOV64_IMM(BPF_REG_2, 8), 3796 BPF_MOV64_IMM(BPF_REG_3, 0), 3797 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3798 BPF_EXIT_INSN(), 3799 }, 3800 .fixup_map2 = { 3 }, 3801 .result = ACCEPT, 3802 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3803 }, 3804 { 3805 "helper access to adjusted map (via const imm): empty range", 3806 .insns = { 3807 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3809 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3810 BPF_LD_MAP_FD(BPF_REG_1, 0), 3811 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3812 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3815 offsetof(struct test_val, foo)), 3816 BPF_MOV64_IMM(BPF_REG_2, 0), 3817 BPF_MOV64_IMM(BPF_REG_3, 0), 3818 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3819 BPF_EXIT_INSN(), 3820 }, 3821 .fixup_map2 = { 3 }, 3822 .errstr = "R1 min value is outside of the array range", 3823 .result = REJECT, 3824 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3825 }, 3826 { 3827 "helper access to adjusted map (via const imm): out-of-bound range", 3828 .insns = { 3829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3831 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3832 BPF_LD_MAP_FD(BPF_REG_1, 0), 3833 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3835 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3836 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3837 offsetof(struct test_val, foo)), 3838 BPF_MOV64_IMM(BPF_REG_2, 3839 sizeof(struct test_val) - 3840 offsetof(struct test_val, foo) + 8), 3841 BPF_MOV64_IMM(BPF_REG_3, 0), 3842 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3843 BPF_EXIT_INSN(), 3844 }, 3845 .fixup_map2 = { 3 }, 3846 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 3847 .result = REJECT, 3848 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3849 }, 3850 { 3851 "helper access to adjusted map (via const imm): negative range (> adjustment)", 3852 .insns = { 3853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3855 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3856 BPF_LD_MAP_FD(BPF_REG_1, 0), 3857 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3861 offsetof(struct test_val, foo)), 3862 BPF_MOV64_IMM(BPF_REG_2, -8), 3863 BPF_MOV64_IMM(BPF_REG_3, 0), 3864 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3865 BPF_EXIT_INSN(), 3866 }, 3867 .fixup_map2 = { 3 }, 3868 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 3869 .result = REJECT, 3870 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3871 }, 3872 { 3873 "helper access to adjusted map (via const imm): negative range (< adjustment)", 3874 .insns = { 3875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3877 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3878 BPF_LD_MAP_FD(BPF_REG_1, 0), 3879 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3883 offsetof(struct test_val, foo)), 3884 BPF_MOV64_IMM(BPF_REG_2, -1), 3885 BPF_MOV64_IMM(BPF_REG_3, 0), 3886 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3887 BPF_EXIT_INSN(), 3888 }, 3889 .fixup_map2 = { 3 }, 3890 .errstr = "R1 min value is outside of the array range", 3891 .result = REJECT, 3892 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3893 }, 3894 { 3895 "helper access to adjusted map (via const reg): full range", 3896 .insns = { 3897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3899 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3900 BPF_LD_MAP_FD(BPF_REG_1, 0), 3901 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3904 BPF_MOV64_IMM(BPF_REG_3, 3905 offsetof(struct test_val, foo)), 3906 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3907 BPF_MOV64_IMM(BPF_REG_2, 3908 sizeof(struct test_val) - 3909 offsetof(struct test_val, foo)), 3910 BPF_MOV64_IMM(BPF_REG_3, 0), 3911 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3912 BPF_EXIT_INSN(), 3913 }, 3914 .fixup_map2 = { 3 }, 3915 .result = ACCEPT, 3916 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3917 }, 3918 { 3919 "helper access to adjusted map (via const reg): partial range", 3920 .insns = { 3921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3923 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3924 BPF_LD_MAP_FD(BPF_REG_1, 0), 3925 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3928 BPF_MOV64_IMM(BPF_REG_3, 3929 offsetof(struct test_val, foo)), 3930 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3931 BPF_MOV64_IMM(BPF_REG_2, 8), 3932 BPF_MOV64_IMM(BPF_REG_3, 0), 3933 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3934 BPF_EXIT_INSN(), 3935 }, 3936 .fixup_map2 = { 3 }, 3937 .result = ACCEPT, 3938 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3939 }, 3940 { 3941 "helper access to adjusted map (via const reg): empty range", 3942 .insns = { 3943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3945 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3946 BPF_LD_MAP_FD(BPF_REG_1, 0), 3947 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3948 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3950 BPF_MOV64_IMM(BPF_REG_3, 0), 3951 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3952 BPF_MOV64_IMM(BPF_REG_2, 0), 3953 BPF_MOV64_IMM(BPF_REG_3, 0), 3954 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3955 BPF_EXIT_INSN(), 3956 }, 3957 .fixup_map2 = { 3 }, 3958 .errstr = "R1 min value is outside of the array range", 3959 .result = REJECT, 3960 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3961 }, 3962 { 3963 "helper access to adjusted map (via const reg): out-of-bound range", 3964 .insns = { 3965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3967 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3968 BPF_LD_MAP_FD(BPF_REG_1, 0), 3969 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3970 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3972 BPF_MOV64_IMM(BPF_REG_3, 3973 offsetof(struct test_val, foo)), 3974 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3975 BPF_MOV64_IMM(BPF_REG_2, 3976 sizeof(struct test_val) - 3977 offsetof(struct test_val, foo) + 8), 3978 BPF_MOV64_IMM(BPF_REG_3, 0), 3979 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3980 BPF_EXIT_INSN(), 3981 }, 3982 .fixup_map2 = { 3 }, 3983 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 3984 .result = REJECT, 3985 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3986 }, 3987 { 3988 "helper access to adjusted map (via const reg): negative range (> adjustment)", 3989 .insns = { 3990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3992 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3993 BPF_LD_MAP_FD(BPF_REG_1, 0), 3994 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3995 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3996 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3997 BPF_MOV64_IMM(BPF_REG_3, 3998 offsetof(struct test_val, foo)), 3999 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4000 BPF_MOV64_IMM(BPF_REG_2, -8), 4001 BPF_MOV64_IMM(BPF_REG_3, 0), 4002 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4003 BPF_EXIT_INSN(), 4004 }, 4005 .fixup_map2 = { 3 }, 4006 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 4007 .result = REJECT, 4008 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4009 }, 4010 { 4011 "helper access to adjusted map (via const reg): negative range (< adjustment)", 4012 .insns = { 4013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4015 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4016 BPF_LD_MAP_FD(BPF_REG_1, 0), 4017 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4018 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4019 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4020 BPF_MOV64_IMM(BPF_REG_3, 4021 offsetof(struct test_val, foo)), 4022 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4023 BPF_MOV64_IMM(BPF_REG_2, -1), 4024 BPF_MOV64_IMM(BPF_REG_3, 0), 4025 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4026 BPF_EXIT_INSN(), 4027 }, 4028 .fixup_map2 = { 3 }, 4029 .errstr = "R1 min value is outside of the array range", 4030 .result = REJECT, 4031 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4032 }, 4033 { 4034 "helper access to adjusted map (via variable): full range", 4035 .insns = { 4036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4038 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4039 BPF_LD_MAP_FD(BPF_REG_1, 0), 4040 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4041 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4042 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4043 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4044 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4045 offsetof(struct test_val, foo), 4), 4046 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4047 BPF_MOV64_IMM(BPF_REG_2, 4048 sizeof(struct test_val) - 4049 offsetof(struct test_val, foo)), 4050 BPF_MOV64_IMM(BPF_REG_3, 0), 4051 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4052 BPF_EXIT_INSN(), 4053 }, 4054 .fixup_map2 = { 3 }, 4055 .result = ACCEPT, 4056 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4057 }, 4058 { 4059 "helper access to adjusted map (via variable): partial range", 4060 .insns = { 4061 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4063 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4064 BPF_LD_MAP_FD(BPF_REG_1, 0), 4065 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4066 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4068 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4069 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4070 offsetof(struct test_val, foo), 4), 4071 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4072 BPF_MOV64_IMM(BPF_REG_2, 8), 4073 BPF_MOV64_IMM(BPF_REG_3, 0), 4074 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4075 BPF_EXIT_INSN(), 4076 }, 4077 .fixup_map2 = { 3 }, 4078 .result = ACCEPT, 4079 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4080 }, 4081 { 4082 "helper access to adjusted map (via variable): empty range", 4083 .insns = { 4084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4086 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4087 BPF_LD_MAP_FD(BPF_REG_1, 0), 4088 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4090 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4091 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4092 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4093 offsetof(struct test_val, foo), 4), 4094 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4095 BPF_MOV64_IMM(BPF_REG_2, 0), 4096 BPF_MOV64_IMM(BPF_REG_3, 0), 4097 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4098 BPF_EXIT_INSN(), 4099 }, 4100 .fixup_map2 = { 3 }, 4101 .errstr = "R1 min value is outside of the array range", 4102 .result = REJECT, 4103 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4104 }, 4105 { 4106 "helper access to adjusted map (via variable): no max check", 4107 .insns = { 4108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4110 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4111 BPF_LD_MAP_FD(BPF_REG_1, 0), 4112 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4113 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4115 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4116 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4117 BPF_MOV64_IMM(BPF_REG_2, 0), 4118 BPF_MOV64_IMM(BPF_REG_3, 0), 4119 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4120 BPF_EXIT_INSN(), 4121 }, 4122 .fixup_map2 = { 3 }, 4123 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check", 4124 .result = REJECT, 4125 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4126 }, 4127 { 4128 "helper access to adjusted map (via variable): wrong max check", 4129 .insns = { 4130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4132 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4133 BPF_LD_MAP_FD(BPF_REG_1, 0), 4134 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4135 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4136 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4138 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4139 offsetof(struct test_val, foo), 4), 4140 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4141 BPF_MOV64_IMM(BPF_REG_2, 4142 sizeof(struct test_val) - 4143 offsetof(struct test_val, foo) + 1), 4144 BPF_MOV64_IMM(BPF_REG_3, 0), 4145 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4146 BPF_EXIT_INSN(), 4147 }, 4148 .fixup_map2 = { 3 }, 4149 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 4150 .result = REJECT, 4151 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4152 }, 4153 { 4154 "map element value is preserved across register spilling", 4155 .insns = { 4156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4158 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4159 BPF_LD_MAP_FD(BPF_REG_1, 0), 4160 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4162 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4163 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 4165 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4166 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4167 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4168 BPF_EXIT_INSN(), 4169 }, 4170 .fixup_map2 = { 3 }, 4171 .errstr_unpriv = "R0 leaks addr", 4172 .result = ACCEPT, 4173 .result_unpriv = REJECT, 4174 }, 4175 { 4176 "map element value or null is marked on register spilling", 4177 .insns = { 4178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4180 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4181 BPF_LD_MAP_FD(BPF_REG_1, 0), 4182 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4183 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), 4185 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4186 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4187 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4188 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4189 BPF_EXIT_INSN(), 4190 }, 4191 .fixup_map2 = { 3 }, 4192 .errstr_unpriv = "R0 leaks addr", 4193 .result = ACCEPT, 4194 .result_unpriv = REJECT, 4195 }, 4196 { 4197 "map element value store of cleared call register", 4198 .insns = { 4199 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4200 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4201 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4202 BPF_LD_MAP_FD(BPF_REG_1, 0), 4203 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4205 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 4206 BPF_EXIT_INSN(), 4207 }, 4208 .fixup_map2 = { 3 }, 4209 .errstr_unpriv = "R1 !read_ok", 4210 .errstr = "R1 !read_ok", 4211 .result = REJECT, 4212 .result_unpriv = REJECT, 4213 }, 4214 { 4215 "map element value with unaligned store", 4216 .insns = { 4217 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4219 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4220 BPF_LD_MAP_FD(BPF_REG_1, 0), 4221 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4222 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), 4223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 4224 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4225 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), 4226 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), 4227 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4228 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32), 4229 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33), 4230 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34), 4231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), 4232 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), 4233 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), 4234 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), 4235 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), 4236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), 4237 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), 4238 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), 4239 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), 4240 BPF_EXIT_INSN(), 4241 }, 4242 .fixup_map2 = { 3 }, 4243 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4244 .result = ACCEPT, 4245 .result_unpriv = REJECT, 4246 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4247 }, 4248 { 4249 "map element value with unaligned load", 4250 .insns = { 4251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4253 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4254 BPF_LD_MAP_FD(BPF_REG_1, 0), 4255 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4257 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4258 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), 4259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 4260 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 4261 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), 4262 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4263 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 4264 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2), 4265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), 4266 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 4267 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), 4268 BPF_EXIT_INSN(), 4269 }, 4270 .fixup_map2 = { 3 }, 4271 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4272 .result = ACCEPT, 4273 .result_unpriv = REJECT, 4274 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4275 }, 4276 { 4277 "map element value illegal alu op, 1", 4278 .insns = { 4279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4281 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4282 BPF_LD_MAP_FD(BPF_REG_1, 0), 4283 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4285 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8), 4286 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4287 BPF_EXIT_INSN(), 4288 }, 4289 .fixup_map2 = { 3 }, 4290 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4291 .errstr = "invalid mem access 'inv'", 4292 .result = REJECT, 4293 .result_unpriv = REJECT, 4294 }, 4295 { 4296 "map element value illegal alu op, 2", 4297 .insns = { 4298 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4300 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4301 BPF_LD_MAP_FD(BPF_REG_1, 0), 4302 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4304 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0), 4305 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4306 BPF_EXIT_INSN(), 4307 }, 4308 .fixup_map2 = { 3 }, 4309 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4310 .errstr = "invalid mem access 'inv'", 4311 .result = REJECT, 4312 .result_unpriv = REJECT, 4313 }, 4314 { 4315 "map element value illegal alu op, 3", 4316 .insns = { 4317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4319 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4320 BPF_LD_MAP_FD(BPF_REG_1, 0), 4321 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4323 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42), 4324 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4325 BPF_EXIT_INSN(), 4326 }, 4327 .fixup_map2 = { 3 }, 4328 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4329 .errstr = "invalid mem access 'inv'", 4330 .result = REJECT, 4331 .result_unpriv = REJECT, 4332 }, 4333 { 4334 "map element value illegal alu op, 4", 4335 .insns = { 4336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4338 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4339 BPF_LD_MAP_FD(BPF_REG_1, 0), 4340 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4342 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64), 4343 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4344 BPF_EXIT_INSN(), 4345 }, 4346 .fixup_map2 = { 3 }, 4347 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4348 .errstr = "invalid mem access 'inv'", 4349 .result = REJECT, 4350 .result_unpriv = REJECT, 4351 }, 4352 { 4353 "map element value illegal alu op, 5", 4354 .insns = { 4355 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4357 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4358 BPF_LD_MAP_FD(BPF_REG_1, 0), 4359 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4361 BPF_MOV64_IMM(BPF_REG_3, 4096), 4362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4364 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 4365 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0), 4366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 4367 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4368 BPF_EXIT_INSN(), 4369 }, 4370 .fixup_map2 = { 3 }, 4371 .errstr_unpriv = "R0 invalid mem access 'inv'", 4372 .errstr = "R0 invalid mem access 'inv'", 4373 .result = REJECT, 4374 .result_unpriv = REJECT, 4375 }, 4376 { 4377 "map element value is preserved across register spilling", 4378 .insns = { 4379 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4381 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4382 BPF_LD_MAP_FD(BPF_REG_1, 0), 4383 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4384 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4386 offsetof(struct test_val, foo)), 4387 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4388 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 4390 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4391 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4392 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4393 BPF_EXIT_INSN(), 4394 }, 4395 .fixup_map2 = { 3 }, 4396 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4397 .result = ACCEPT, 4398 .result_unpriv = REJECT, 4399 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4400 }, 4401 { 4402 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 4403 .insns = { 4404 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4406 BPF_MOV64_IMM(BPF_REG_0, 0), 4407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4408 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4414 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4415 BPF_MOV64_IMM(BPF_REG_2, 16), 4416 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4417 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4418 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4419 BPF_MOV64_IMM(BPF_REG_4, 0), 4420 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4421 BPF_MOV64_IMM(BPF_REG_3, 0), 4422 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4423 BPF_MOV64_IMM(BPF_REG_0, 0), 4424 BPF_EXIT_INSN(), 4425 }, 4426 .result = ACCEPT, 4427 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4428 }, 4429 { 4430 "helper access to variable memory: stack, bitwise AND, zero included", 4431 .insns = { 4432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4434 BPF_MOV64_IMM(BPF_REG_2, 16), 4435 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4436 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4437 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4438 BPF_MOV64_IMM(BPF_REG_3, 0), 4439 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4440 BPF_EXIT_INSN(), 4441 }, 4442 .errstr = "invalid stack type R1 off=-64 access_size=0", 4443 .result = REJECT, 4444 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4445 }, 4446 { 4447 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 4448 .insns = { 4449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4451 BPF_MOV64_IMM(BPF_REG_2, 16), 4452 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4453 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4454 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 4455 BPF_MOV64_IMM(BPF_REG_4, 0), 4456 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4457 BPF_MOV64_IMM(BPF_REG_3, 0), 4458 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4459 BPF_MOV64_IMM(BPF_REG_0, 0), 4460 BPF_EXIT_INSN(), 4461 }, 4462 .errstr = "invalid stack type R1 off=-64 access_size=65", 4463 .result = REJECT, 4464 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4465 }, 4466 { 4467 "helper access to variable memory: stack, JMP, correct bounds", 4468 .insns = { 4469 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4471 BPF_MOV64_IMM(BPF_REG_0, 0), 4472 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4473 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4474 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4475 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4476 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4477 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4478 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4479 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4480 BPF_MOV64_IMM(BPF_REG_2, 16), 4481 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4482 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4483 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 4484 BPF_MOV64_IMM(BPF_REG_4, 0), 4485 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4486 BPF_MOV64_IMM(BPF_REG_3, 0), 4487 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4488 BPF_MOV64_IMM(BPF_REG_0, 0), 4489 BPF_EXIT_INSN(), 4490 }, 4491 .result = ACCEPT, 4492 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4493 }, 4494 { 4495 "helper access to variable memory: stack, JMP (signed), correct bounds", 4496 .insns = { 4497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4499 BPF_MOV64_IMM(BPF_REG_0, 0), 4500 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4501 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4502 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4503 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4504 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4505 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4506 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4507 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4508 BPF_MOV64_IMM(BPF_REG_2, 16), 4509 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4510 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4511 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 4512 BPF_MOV64_IMM(BPF_REG_4, 0), 4513 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 4514 BPF_MOV64_IMM(BPF_REG_3, 0), 4515 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4516 BPF_MOV64_IMM(BPF_REG_0, 0), 4517 BPF_EXIT_INSN(), 4518 }, 4519 .result = ACCEPT, 4520 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4521 }, 4522 { 4523 "helper access to variable memory: stack, JMP, bounds + offset", 4524 .insns = { 4525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4527 BPF_MOV64_IMM(BPF_REG_2, 16), 4528 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4529 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4530 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 4531 BPF_MOV64_IMM(BPF_REG_4, 0), 4532 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 4533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4534 BPF_MOV64_IMM(BPF_REG_3, 0), 4535 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4536 BPF_MOV64_IMM(BPF_REG_0, 0), 4537 BPF_EXIT_INSN(), 4538 }, 4539 .errstr = "invalid stack type R1 off=-64 access_size=65", 4540 .result = REJECT, 4541 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4542 }, 4543 { 4544 "helper access to variable memory: stack, JMP, wrong max", 4545 .insns = { 4546 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4547 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4548 BPF_MOV64_IMM(BPF_REG_2, 16), 4549 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4550 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4551 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 4552 BPF_MOV64_IMM(BPF_REG_4, 0), 4553 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4554 BPF_MOV64_IMM(BPF_REG_3, 0), 4555 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4556 BPF_MOV64_IMM(BPF_REG_0, 0), 4557 BPF_EXIT_INSN(), 4558 }, 4559 .errstr = "invalid stack type R1 off=-64 access_size=65", 4560 .result = REJECT, 4561 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4562 }, 4563 { 4564 "helper access to variable memory: stack, JMP, no max check", 4565 .insns = { 4566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4568 BPF_MOV64_IMM(BPF_REG_2, 16), 4569 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4570 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4571 BPF_MOV64_IMM(BPF_REG_4, 0), 4572 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4573 BPF_MOV64_IMM(BPF_REG_3, 0), 4574 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4575 BPF_MOV64_IMM(BPF_REG_0, 0), 4576 BPF_EXIT_INSN(), 4577 }, 4578 .errstr = "R2 unbounded memory access", 4579 .result = REJECT, 4580 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4581 }, 4582 { 4583 "helper access to variable memory: stack, JMP, no min check", 4584 .insns = { 4585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4587 BPF_MOV64_IMM(BPF_REG_2, 16), 4588 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4589 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4590 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 4591 BPF_MOV64_IMM(BPF_REG_3, 0), 4592 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4593 BPF_MOV64_IMM(BPF_REG_0, 0), 4594 BPF_EXIT_INSN(), 4595 }, 4596 .errstr = "invalid stack type R1 off=-64 access_size=0", 4597 .result = REJECT, 4598 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4599 }, 4600 { 4601 "helper access to variable memory: stack, JMP (signed), no min check", 4602 .insns = { 4603 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4605 BPF_MOV64_IMM(BPF_REG_2, 16), 4606 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4607 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4608 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 4609 BPF_MOV64_IMM(BPF_REG_3, 0), 4610 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4611 BPF_MOV64_IMM(BPF_REG_0, 0), 4612 BPF_EXIT_INSN(), 4613 }, 4614 .errstr = "R2 min value is negative", 4615 .result = REJECT, 4616 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4617 }, 4618 { 4619 "helper access to variable memory: map, JMP, correct bounds", 4620 .insns = { 4621 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4623 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4624 BPF_LD_MAP_FD(BPF_REG_1, 0), 4625 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4626 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4627 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4628 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4629 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4630 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4631 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4632 sizeof(struct test_val), 4), 4633 BPF_MOV64_IMM(BPF_REG_4, 0), 4634 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4635 BPF_MOV64_IMM(BPF_REG_3, 0), 4636 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4637 BPF_MOV64_IMM(BPF_REG_0, 0), 4638 BPF_EXIT_INSN(), 4639 }, 4640 .fixup_map2 = { 3 }, 4641 .result = ACCEPT, 4642 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4643 }, 4644 { 4645 "helper access to variable memory: map, JMP, wrong max", 4646 .insns = { 4647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4649 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4650 BPF_LD_MAP_FD(BPF_REG_1, 0), 4651 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4654 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4655 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4656 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4657 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4658 sizeof(struct test_val) + 1, 4), 4659 BPF_MOV64_IMM(BPF_REG_4, 0), 4660 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4661 BPF_MOV64_IMM(BPF_REG_3, 0), 4662 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4663 BPF_MOV64_IMM(BPF_REG_0, 0), 4664 BPF_EXIT_INSN(), 4665 }, 4666 .fixup_map2 = { 3 }, 4667 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 4668 .result = REJECT, 4669 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4670 }, 4671 { 4672 "helper access to variable memory: map adjusted, JMP, correct bounds", 4673 .insns = { 4674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4676 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4677 BPF_LD_MAP_FD(BPF_REG_1, 0), 4678 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4682 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4683 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4684 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4685 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4686 sizeof(struct test_val) - 20, 4), 4687 BPF_MOV64_IMM(BPF_REG_4, 0), 4688 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4689 BPF_MOV64_IMM(BPF_REG_3, 0), 4690 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4691 BPF_MOV64_IMM(BPF_REG_0, 0), 4692 BPF_EXIT_INSN(), 4693 }, 4694 .fixup_map2 = { 3 }, 4695 .result = ACCEPT, 4696 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4697 }, 4698 { 4699 "helper access to variable memory: map adjusted, JMP, wrong max", 4700 .insns = { 4701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4703 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4704 BPF_LD_MAP_FD(BPF_REG_1, 0), 4705 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4706 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4707 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4709 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4710 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4711 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4712 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4713 sizeof(struct test_val) - 19, 4), 4714 BPF_MOV64_IMM(BPF_REG_4, 0), 4715 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4716 BPF_MOV64_IMM(BPF_REG_3, 0), 4717 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4718 BPF_MOV64_IMM(BPF_REG_0, 0), 4719 BPF_EXIT_INSN(), 4720 }, 4721 .fixup_map2 = { 3 }, 4722 .errstr = "R1 min value is outside of the array range", 4723 .result = REJECT, 4724 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4725 }, 4726 { 4727 "helper access to variable memory: size > 0 not allowed on NULL", 4728 .insns = { 4729 BPF_MOV64_IMM(BPF_REG_1, 0), 4730 BPF_MOV64_IMM(BPF_REG_2, 0), 4731 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4732 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4733 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4734 BPF_MOV64_IMM(BPF_REG_3, 0), 4735 BPF_MOV64_IMM(BPF_REG_4, 0), 4736 BPF_MOV64_IMM(BPF_REG_5, 0), 4737 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4738 BPF_EXIT_INSN(), 4739 }, 4740 .errstr = "R1 type=imm expected=fp", 4741 .result = REJECT, 4742 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4743 }, 4744 { 4745 "helper access to variable memory: size = 0 not allowed on != NULL", 4746 .insns = { 4747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 4749 BPF_MOV64_IMM(BPF_REG_2, 0), 4750 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 4751 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 4752 BPF_MOV64_IMM(BPF_REG_3, 0), 4753 BPF_MOV64_IMM(BPF_REG_4, 0), 4754 BPF_MOV64_IMM(BPF_REG_5, 0), 4755 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4756 BPF_EXIT_INSN(), 4757 }, 4758 .errstr = "invalid stack type R1 off=-8 access_size=0", 4759 .result = REJECT, 4760 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4761 }, 4762 { 4763 "helper access to variable memory: 8 bytes leak", 4764 .insns = { 4765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4767 BPF_MOV64_IMM(BPF_REG_0, 0), 4768 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4769 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4770 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4771 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4772 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4773 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4774 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4775 BPF_MOV64_IMM(BPF_REG_2, 0), 4776 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4777 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4778 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 4779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4780 BPF_MOV64_IMM(BPF_REG_3, 0), 4781 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4782 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4783 BPF_EXIT_INSN(), 4784 }, 4785 .errstr = "invalid indirect read from stack off -64+32 size 64", 4786 .result = REJECT, 4787 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4788 }, 4789 { 4790 "helper access to variable memory: 8 bytes no leak (init memory)", 4791 .insns = { 4792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4793 BPF_MOV64_IMM(BPF_REG_0, 0), 4794 BPF_MOV64_IMM(BPF_REG_0, 0), 4795 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4796 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4797 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4798 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4799 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4800 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4801 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4802 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4804 BPF_MOV64_IMM(BPF_REG_2, 0), 4805 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 4806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 4807 BPF_MOV64_IMM(BPF_REG_3, 0), 4808 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4809 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4810 BPF_EXIT_INSN(), 4811 }, 4812 .result = ACCEPT, 4813 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4814 }, 4815 { 4816 "invalid and of negative number", 4817 .insns = { 4818 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4821 BPF_LD_MAP_FD(BPF_REG_1, 0), 4822 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4823 BPF_FUNC_map_lookup_elem), 4824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4825 BPF_MOV64_IMM(BPF_REG_1, 6), 4826 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 4827 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4828 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4829 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4830 offsetof(struct test_val, foo)), 4831 BPF_EXIT_INSN(), 4832 }, 4833 .fixup_map2 = { 3 }, 4834 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4835 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4836 .result = REJECT, 4837 .result_unpriv = REJECT, 4838 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4839 }, 4840 { 4841 "invalid range check", 4842 .insns = { 4843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4846 BPF_LD_MAP_FD(BPF_REG_1, 0), 4847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4848 BPF_FUNC_map_lookup_elem), 4849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 4850 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4851 BPF_MOV64_IMM(BPF_REG_9, 1), 4852 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 4853 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 4854 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 4855 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 4856 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 4857 BPF_MOV32_IMM(BPF_REG_3, 1), 4858 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 4859 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 4860 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 4861 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 4862 BPF_MOV64_REG(BPF_REG_0, 0), 4863 BPF_EXIT_INSN(), 4864 }, 4865 .fixup_map2 = { 3 }, 4866 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4867 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4868 .result = REJECT, 4869 .result_unpriv = REJECT, 4870 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4871 }, 4872 { 4873 "map in map access", 4874 .insns = { 4875 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4878 BPF_LD_MAP_FD(BPF_REG_1, 0), 4879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4880 BPF_FUNC_map_lookup_elem), 4881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4882 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4883 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4885 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4887 BPF_FUNC_map_lookup_elem), 4888 BPF_MOV64_REG(BPF_REG_0, 0), 4889 BPF_EXIT_INSN(), 4890 }, 4891 .fixup_map_in_map = { 3 }, 4892 .result = ACCEPT, 4893 }, 4894 { 4895 "invalid inner map pointer", 4896 .insns = { 4897 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4898 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4900 BPF_LD_MAP_FD(BPF_REG_1, 0), 4901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4902 BPF_FUNC_map_lookup_elem), 4903 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4904 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4907 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4908 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 4909 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4910 BPF_FUNC_map_lookup_elem), 4911 BPF_MOV64_REG(BPF_REG_0, 0), 4912 BPF_EXIT_INSN(), 4913 }, 4914 .fixup_map_in_map = { 3 }, 4915 .errstr = "R1 type=inv expected=map_ptr", 4916 .errstr_unpriv = "R1 pointer arithmetic prohibited", 4917 .result = REJECT, 4918 }, 4919 { 4920 "forgot null checking on the inner map pointer", 4921 .insns = { 4922 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4925 BPF_LD_MAP_FD(BPF_REG_1, 0), 4926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4927 BPF_FUNC_map_lookup_elem), 4928 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4931 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4932 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4933 BPF_FUNC_map_lookup_elem), 4934 BPF_MOV64_REG(BPF_REG_0, 0), 4935 BPF_EXIT_INSN(), 4936 }, 4937 .fixup_map_in_map = { 3 }, 4938 .errstr = "R1 type=map_value_or_null expected=map_ptr", 4939 .result = REJECT, 4940 } 4941 }; 4942 4943 static int probe_filter_length(const struct bpf_insn *fp) 4944 { 4945 int len; 4946 4947 for (len = MAX_INSNS - 1; len > 0; --len) 4948 if (fp[len].code != 0 || fp[len].imm != 0) 4949 break; 4950 return len + 1; 4951 } 4952 4953 static int create_map(uint32_t size_value, uint32_t max_elem) 4954 { 4955 int fd; 4956 4957 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 4958 size_value, max_elem, BPF_F_NO_PREALLOC); 4959 if (fd < 0) 4960 printf("Failed to create hash map '%s'!\n", strerror(errno)); 4961 4962 return fd; 4963 } 4964 4965 static int create_prog_array(void) 4966 { 4967 int fd; 4968 4969 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 4970 sizeof(int), 4, 0); 4971 if (fd < 0) 4972 printf("Failed to create prog array '%s'!\n", strerror(errno)); 4973 4974 return fd; 4975 } 4976 4977 static int create_map_in_map(void) 4978 { 4979 int inner_map_fd, outer_map_fd; 4980 4981 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 4982 sizeof(int), 1, 0); 4983 if (inner_map_fd < 0) { 4984 printf("Failed to create array '%s'!\n", strerror(errno)); 4985 return inner_map_fd; 4986 } 4987 4988 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, 4989 sizeof(int), inner_map_fd, 1, 0); 4990 if (outer_map_fd < 0) 4991 printf("Failed to create array of maps '%s'!\n", 4992 strerror(errno)); 4993 4994 close(inner_map_fd); 4995 4996 return outer_map_fd; 4997 } 4998 4999 static char bpf_vlog[32768]; 5000 5001 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 5002 int *map_fds) 5003 { 5004 int *fixup_map1 = test->fixup_map1; 5005 int *fixup_map2 = test->fixup_map2; 5006 int *fixup_prog = test->fixup_prog; 5007 int *fixup_map_in_map = test->fixup_map_in_map; 5008 5009 /* Allocating HTs with 1 elem is fine here, since we only test 5010 * for verifier and not do a runtime lookup, so the only thing 5011 * that really matters is value size in this case. 5012 */ 5013 if (*fixup_map1) { 5014 map_fds[0] = create_map(sizeof(long long), 1); 5015 do { 5016 prog[*fixup_map1].imm = map_fds[0]; 5017 fixup_map1++; 5018 } while (*fixup_map1); 5019 } 5020 5021 if (*fixup_map2) { 5022 map_fds[1] = create_map(sizeof(struct test_val), 1); 5023 do { 5024 prog[*fixup_map2].imm = map_fds[1]; 5025 fixup_map2++; 5026 } while (*fixup_map2); 5027 } 5028 5029 if (*fixup_prog) { 5030 map_fds[2] = create_prog_array(); 5031 do { 5032 prog[*fixup_prog].imm = map_fds[2]; 5033 fixup_prog++; 5034 } while (*fixup_prog); 5035 } 5036 5037 if (*fixup_map_in_map) { 5038 map_fds[3] = create_map_in_map(); 5039 do { 5040 prog[*fixup_map_in_map].imm = map_fds[3]; 5041 fixup_map_in_map++; 5042 } while (*fixup_map_in_map); 5043 } 5044 } 5045 5046 static void do_test_single(struct bpf_test *test, bool unpriv, 5047 int *passes, int *errors) 5048 { 5049 int fd_prog, expected_ret, reject_from_alignment; 5050 struct bpf_insn *prog = test->insns; 5051 int prog_len = probe_filter_length(prog); 5052 int prog_type = test->prog_type; 5053 int map_fds[MAX_NR_MAPS]; 5054 const char *expected_err; 5055 int i; 5056 5057 for (i = 0; i < MAX_NR_MAPS; i++) 5058 map_fds[i] = -1; 5059 5060 do_test_fixup(test, prog, map_fds); 5061 5062 fd_prog = bpf_load_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 5063 prog, prog_len, "GPL", 0, bpf_vlog, 5064 sizeof(bpf_vlog)); 5065 5066 expected_ret = unpriv && test->result_unpriv != UNDEF ? 5067 test->result_unpriv : test->result; 5068 expected_err = unpriv && test->errstr_unpriv ? 5069 test->errstr_unpriv : test->errstr; 5070 5071 reject_from_alignment = fd_prog < 0 && 5072 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) && 5073 strstr(bpf_vlog, "Unknown alignment."); 5074 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 5075 if (reject_from_alignment) { 5076 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n", 5077 strerror(errno)); 5078 goto fail_log; 5079 } 5080 #endif 5081 if (expected_ret == ACCEPT) { 5082 if (fd_prog < 0 && !reject_from_alignment) { 5083 printf("FAIL\nFailed to load prog '%s'!\n", 5084 strerror(errno)); 5085 goto fail_log; 5086 } 5087 } else { 5088 if (fd_prog >= 0) { 5089 printf("FAIL\nUnexpected success to load!\n"); 5090 goto fail_log; 5091 } 5092 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) { 5093 printf("FAIL\nUnexpected error message!\n"); 5094 goto fail_log; 5095 } 5096 } 5097 5098 (*passes)++; 5099 printf("OK%s\n", reject_from_alignment ? 5100 " (NOTE: reject due to unknown alignment)" : ""); 5101 close_fds: 5102 close(fd_prog); 5103 for (i = 0; i < MAX_NR_MAPS; i++) 5104 close(map_fds[i]); 5105 sched_yield(); 5106 return; 5107 fail_log: 5108 (*errors)++; 5109 printf("%s", bpf_vlog); 5110 goto close_fds; 5111 } 5112 5113 static bool is_admin(void) 5114 { 5115 cap_t caps; 5116 cap_flag_value_t sysadmin = CAP_CLEAR; 5117 const cap_value_t cap_val = CAP_SYS_ADMIN; 5118 5119 #ifdef CAP_IS_SUPPORTED 5120 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 5121 perror("cap_get_flag"); 5122 return false; 5123 } 5124 #endif 5125 caps = cap_get_proc(); 5126 if (!caps) { 5127 perror("cap_get_proc"); 5128 return false; 5129 } 5130 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 5131 perror("cap_get_flag"); 5132 if (cap_free(caps)) 5133 perror("cap_free"); 5134 return (sysadmin == CAP_SET); 5135 } 5136 5137 static int set_admin(bool admin) 5138 { 5139 cap_t caps; 5140 const cap_value_t cap_val = CAP_SYS_ADMIN; 5141 int ret = -1; 5142 5143 caps = cap_get_proc(); 5144 if (!caps) { 5145 perror("cap_get_proc"); 5146 return -1; 5147 } 5148 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 5149 admin ? CAP_SET : CAP_CLEAR)) { 5150 perror("cap_set_flag"); 5151 goto out; 5152 } 5153 if (cap_set_proc(caps)) { 5154 perror("cap_set_proc"); 5155 goto out; 5156 } 5157 ret = 0; 5158 out: 5159 if (cap_free(caps)) 5160 perror("cap_free"); 5161 return ret; 5162 } 5163 5164 static int do_test(bool unpriv, unsigned int from, unsigned int to) 5165 { 5166 int i, passes = 0, errors = 0; 5167 5168 for (i = from; i < to; i++) { 5169 struct bpf_test *test = &tests[i]; 5170 5171 /* Program types that are not supported by non-root we 5172 * skip right away. 5173 */ 5174 if (!test->prog_type) { 5175 if (!unpriv) 5176 set_admin(false); 5177 printf("#%d/u %s ", i, test->descr); 5178 do_test_single(test, true, &passes, &errors); 5179 if (!unpriv) 5180 set_admin(true); 5181 } 5182 5183 if (!unpriv) { 5184 printf("#%d/p %s ", i, test->descr); 5185 do_test_single(test, false, &passes, &errors); 5186 } 5187 } 5188 5189 printf("Summary: %d PASSED, %d FAILED\n", passes, errors); 5190 return errors ? -errors : 0; 5191 } 5192 5193 int main(int argc, char **argv) 5194 { 5195 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY }; 5196 struct rlimit rlim = { 1 << 20, 1 << 20 }; 5197 unsigned int from = 0, to = ARRAY_SIZE(tests); 5198 bool unpriv = !is_admin(); 5199 5200 if (argc == 3) { 5201 unsigned int l = atoi(argv[argc - 2]); 5202 unsigned int u = atoi(argv[argc - 1]); 5203 5204 if (l < to && u < to) { 5205 from = l; 5206 to = u + 1; 5207 } 5208 } else if (argc == 2) { 5209 unsigned int t = atoi(argv[argc - 1]); 5210 5211 if (t < to) { 5212 from = t; 5213 to = t + 1; 5214 } 5215 } 5216 5217 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf); 5218 return do_test(unpriv, from, to); 5219 } 5220