1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of version 2 of the GNU General Public 8 * License as published by the Free Software Foundation. 9 */ 10 11 #include <endian.h> 12 #include <asm/types.h> 13 #include <linux/types.h> 14 #include <stdint.h> 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <unistd.h> 18 #include <errno.h> 19 #include <string.h> 20 #include <stddef.h> 21 #include <stdbool.h> 22 #include <sched.h> 23 24 #include <sys/capability.h> 25 #include <sys/resource.h> 26 27 #include <linux/unistd.h> 28 #include <linux/filter.h> 29 #include <linux/bpf_perf_event.h> 30 #include <linux/bpf.h> 31 32 #include <bpf/bpf.h> 33 34 #ifdef HAVE_GENHDR 35 # include "autoconf.h" 36 #else 37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 39 # endif 40 #endif 41 42 #include "../../../include/linux/filter.h" 43 44 #ifndef ARRAY_SIZE 45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 46 #endif 47 48 #define MAX_INSNS 512 49 #define MAX_FIXUPS 8 50 #define MAX_NR_MAPS 4 51 52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 54 55 struct bpf_test { 56 const char *descr; 57 struct bpf_insn insns[MAX_INSNS]; 58 int fixup_map1[MAX_FIXUPS]; 59 int fixup_map2[MAX_FIXUPS]; 60 int fixup_prog[MAX_FIXUPS]; 61 int fixup_map_in_map[MAX_FIXUPS]; 62 const char *errstr; 63 const char *errstr_unpriv; 64 enum { 65 UNDEF, 66 ACCEPT, 67 REJECT 68 } result, result_unpriv; 69 enum bpf_prog_type prog_type; 70 uint8_t flags; 71 }; 72 73 /* Note we want this to be 64 bit aligned so that the end of our array is 74 * actually the end of the structure. 75 */ 76 #define MAX_ENTRIES 11 77 78 struct test_val { 79 unsigned int index; 80 int foo[MAX_ENTRIES]; 81 }; 82 83 static struct bpf_test tests[] = { 84 { 85 "add+sub+mul", 86 .insns = { 87 BPF_MOV64_IMM(BPF_REG_1, 1), 88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 89 BPF_MOV64_IMM(BPF_REG_2, 3), 90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 94 BPF_EXIT_INSN(), 95 }, 96 .result = ACCEPT, 97 }, 98 { 99 "unreachable", 100 .insns = { 101 BPF_EXIT_INSN(), 102 BPF_EXIT_INSN(), 103 }, 104 .errstr = "unreachable", 105 .result = REJECT, 106 }, 107 { 108 "unreachable2", 109 .insns = { 110 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 111 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 112 BPF_EXIT_INSN(), 113 }, 114 .errstr = "unreachable", 115 .result = REJECT, 116 }, 117 { 118 "out of range jump", 119 .insns = { 120 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 121 BPF_EXIT_INSN(), 122 }, 123 .errstr = "jump out of range", 124 .result = REJECT, 125 }, 126 { 127 "out of range jump2", 128 .insns = { 129 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 130 BPF_EXIT_INSN(), 131 }, 132 .errstr = "jump out of range", 133 .result = REJECT, 134 }, 135 { 136 "test1 ld_imm64", 137 .insns = { 138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 139 BPF_LD_IMM64(BPF_REG_0, 0), 140 BPF_LD_IMM64(BPF_REG_0, 0), 141 BPF_LD_IMM64(BPF_REG_0, 1), 142 BPF_LD_IMM64(BPF_REG_0, 1), 143 BPF_MOV64_IMM(BPF_REG_0, 2), 144 BPF_EXIT_INSN(), 145 }, 146 .errstr = "invalid BPF_LD_IMM insn", 147 .errstr_unpriv = "R1 pointer comparison", 148 .result = REJECT, 149 }, 150 { 151 "test2 ld_imm64", 152 .insns = { 153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 154 BPF_LD_IMM64(BPF_REG_0, 0), 155 BPF_LD_IMM64(BPF_REG_0, 0), 156 BPF_LD_IMM64(BPF_REG_0, 1), 157 BPF_LD_IMM64(BPF_REG_0, 1), 158 BPF_EXIT_INSN(), 159 }, 160 .errstr = "invalid BPF_LD_IMM insn", 161 .errstr_unpriv = "R1 pointer comparison", 162 .result = REJECT, 163 }, 164 { 165 "test3 ld_imm64", 166 .insns = { 167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 169 BPF_LD_IMM64(BPF_REG_0, 0), 170 BPF_LD_IMM64(BPF_REG_0, 0), 171 BPF_LD_IMM64(BPF_REG_0, 1), 172 BPF_LD_IMM64(BPF_REG_0, 1), 173 BPF_EXIT_INSN(), 174 }, 175 .errstr = "invalid bpf_ld_imm64 insn", 176 .result = REJECT, 177 }, 178 { 179 "test4 ld_imm64", 180 .insns = { 181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 182 BPF_EXIT_INSN(), 183 }, 184 .errstr = "invalid bpf_ld_imm64 insn", 185 .result = REJECT, 186 }, 187 { 188 "test5 ld_imm64", 189 .insns = { 190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 191 }, 192 .errstr = "invalid bpf_ld_imm64 insn", 193 .result = REJECT, 194 }, 195 { 196 "test6 ld_imm64", 197 .insns = { 198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 199 BPF_RAW_INSN(0, 0, 0, 0, 0), 200 BPF_EXIT_INSN(), 201 }, 202 .result = ACCEPT, 203 }, 204 { 205 "test7 ld_imm64", 206 .insns = { 207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 208 BPF_RAW_INSN(0, 0, 0, 0, 1), 209 BPF_EXIT_INSN(), 210 }, 211 .result = ACCEPT, 212 }, 213 { 214 "test8 ld_imm64", 215 .insns = { 216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1), 217 BPF_RAW_INSN(0, 0, 0, 0, 1), 218 BPF_EXIT_INSN(), 219 }, 220 .errstr = "uses reserved fields", 221 .result = REJECT, 222 }, 223 { 224 "test9 ld_imm64", 225 .insns = { 226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 227 BPF_RAW_INSN(0, 0, 0, 1, 1), 228 BPF_EXIT_INSN(), 229 }, 230 .errstr = "invalid bpf_ld_imm64 insn", 231 .result = REJECT, 232 }, 233 { 234 "test10 ld_imm64", 235 .insns = { 236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1), 238 BPF_EXIT_INSN(), 239 }, 240 .errstr = "invalid bpf_ld_imm64 insn", 241 .result = REJECT, 242 }, 243 { 244 "test11 ld_imm64", 245 .insns = { 246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 248 BPF_EXIT_INSN(), 249 }, 250 .errstr = "invalid bpf_ld_imm64 insn", 251 .result = REJECT, 252 }, 253 { 254 "test12 ld_imm64", 255 .insns = { 256 BPF_MOV64_IMM(BPF_REG_1, 0), 257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 258 BPF_RAW_INSN(0, 0, 0, 0, 1), 259 BPF_EXIT_INSN(), 260 }, 261 .errstr = "not pointing to valid bpf_map", 262 .result = REJECT, 263 }, 264 { 265 "test13 ld_imm64", 266 .insns = { 267 BPF_MOV64_IMM(BPF_REG_1, 0), 268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 270 BPF_EXIT_INSN(), 271 }, 272 .errstr = "invalid bpf_ld_imm64 insn", 273 .result = REJECT, 274 }, 275 { 276 "no bpf_exit", 277 .insns = { 278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 279 }, 280 .errstr = "jump out of range", 281 .result = REJECT, 282 }, 283 { 284 "loop (back-edge)", 285 .insns = { 286 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 287 BPF_EXIT_INSN(), 288 }, 289 .errstr = "back-edge", 290 .result = REJECT, 291 }, 292 { 293 "loop2 (back-edge)", 294 .insns = { 295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 298 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 299 BPF_EXIT_INSN(), 300 }, 301 .errstr = "back-edge", 302 .result = REJECT, 303 }, 304 { 305 "conditional loop", 306 .insns = { 307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 311 BPF_EXIT_INSN(), 312 }, 313 .errstr = "back-edge", 314 .result = REJECT, 315 }, 316 { 317 "read uninitialized register", 318 .insns = { 319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 320 BPF_EXIT_INSN(), 321 }, 322 .errstr = "R2 !read_ok", 323 .result = REJECT, 324 }, 325 { 326 "read invalid register", 327 .insns = { 328 BPF_MOV64_REG(BPF_REG_0, -1), 329 BPF_EXIT_INSN(), 330 }, 331 .errstr = "R15 is invalid", 332 .result = REJECT, 333 }, 334 { 335 "program doesn't init R0 before exit", 336 .insns = { 337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 338 BPF_EXIT_INSN(), 339 }, 340 .errstr = "R0 !read_ok", 341 .result = REJECT, 342 }, 343 { 344 "program doesn't init R0 before exit in all branches", 345 .insns = { 346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 347 BPF_MOV64_IMM(BPF_REG_0, 1), 348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 349 BPF_EXIT_INSN(), 350 }, 351 .errstr = "R0 !read_ok", 352 .errstr_unpriv = "R1 pointer comparison", 353 .result = REJECT, 354 }, 355 { 356 "stack out of bounds", 357 .insns = { 358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 359 BPF_EXIT_INSN(), 360 }, 361 .errstr = "invalid stack", 362 .result = REJECT, 363 }, 364 { 365 "invalid call insn1", 366 .insns = { 367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 368 BPF_EXIT_INSN(), 369 }, 370 .errstr = "BPF_CALL uses reserved", 371 .result = REJECT, 372 }, 373 { 374 "invalid call insn2", 375 .insns = { 376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 377 BPF_EXIT_INSN(), 378 }, 379 .errstr = "BPF_CALL uses reserved", 380 .result = REJECT, 381 }, 382 { 383 "invalid function call", 384 .insns = { 385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 386 BPF_EXIT_INSN(), 387 }, 388 .errstr = "invalid func unknown#1234567", 389 .result = REJECT, 390 }, 391 { 392 "uninitialized stack1", 393 .insns = { 394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 396 BPF_LD_MAP_FD(BPF_REG_1, 0), 397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 398 BPF_FUNC_map_lookup_elem), 399 BPF_EXIT_INSN(), 400 }, 401 .fixup_map1 = { 2 }, 402 .errstr = "invalid indirect read from stack", 403 .result = REJECT, 404 }, 405 { 406 "uninitialized stack2", 407 .insns = { 408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 410 BPF_EXIT_INSN(), 411 }, 412 .errstr = "invalid read from stack", 413 .result = REJECT, 414 }, 415 { 416 "invalid fp arithmetic", 417 /* If this gets ever changed, make sure JITs can deal with it. */ 418 .insns = { 419 BPF_MOV64_IMM(BPF_REG_0, 0), 420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8), 422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 423 BPF_EXIT_INSN(), 424 }, 425 .errstr_unpriv = "R1 subtraction from stack pointer", 426 .result_unpriv = REJECT, 427 .errstr = "R1 invalid mem access", 428 .result = REJECT, 429 }, 430 { 431 "non-invalid fp arithmetic", 432 .insns = { 433 BPF_MOV64_IMM(BPF_REG_0, 0), 434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 435 BPF_EXIT_INSN(), 436 }, 437 .result = ACCEPT, 438 }, 439 { 440 "invalid argument register", 441 .insns = { 442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 443 BPF_FUNC_get_cgroup_classid), 444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 445 BPF_FUNC_get_cgroup_classid), 446 BPF_EXIT_INSN(), 447 }, 448 .errstr = "R1 !read_ok", 449 .result = REJECT, 450 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 451 }, 452 { 453 "non-invalid argument register", 454 .insns = { 455 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 457 BPF_FUNC_get_cgroup_classid), 458 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 460 BPF_FUNC_get_cgroup_classid), 461 BPF_EXIT_INSN(), 462 }, 463 .result = ACCEPT, 464 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 465 }, 466 { 467 "check valid spill/fill", 468 .insns = { 469 /* spill R1(ctx) into stack */ 470 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 471 /* fill it back into R2 */ 472 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 473 /* should be able to access R0 = *(R2 + 8) */ 474 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 476 BPF_EXIT_INSN(), 477 }, 478 .errstr_unpriv = "R0 leaks addr", 479 .result = ACCEPT, 480 .result_unpriv = REJECT, 481 }, 482 { 483 "check valid spill/fill, skb mark", 484 .insns = { 485 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 489 offsetof(struct __sk_buff, mark)), 490 BPF_EXIT_INSN(), 491 }, 492 .result = ACCEPT, 493 .result_unpriv = ACCEPT, 494 }, 495 { 496 "check corrupted spill/fill", 497 .insns = { 498 /* spill R1(ctx) into stack */ 499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 500 /* mess up with R1 pointer on stack */ 501 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 502 /* fill back into R0 should fail */ 503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 504 BPF_EXIT_INSN(), 505 }, 506 .errstr_unpriv = "attempt to corrupt spilled", 507 .errstr = "corrupted spill", 508 .result = REJECT, 509 }, 510 { 511 "invalid src register in STX", 512 .insns = { 513 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 514 BPF_EXIT_INSN(), 515 }, 516 .errstr = "R15 is invalid", 517 .result = REJECT, 518 }, 519 { 520 "invalid dst register in STX", 521 .insns = { 522 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 523 BPF_EXIT_INSN(), 524 }, 525 .errstr = "R14 is invalid", 526 .result = REJECT, 527 }, 528 { 529 "invalid dst register in ST", 530 .insns = { 531 BPF_ST_MEM(BPF_B, 14, -1, -1), 532 BPF_EXIT_INSN(), 533 }, 534 .errstr = "R14 is invalid", 535 .result = REJECT, 536 }, 537 { 538 "invalid src register in LDX", 539 .insns = { 540 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 541 BPF_EXIT_INSN(), 542 }, 543 .errstr = "R12 is invalid", 544 .result = REJECT, 545 }, 546 { 547 "invalid dst register in LDX", 548 .insns = { 549 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 550 BPF_EXIT_INSN(), 551 }, 552 .errstr = "R11 is invalid", 553 .result = REJECT, 554 }, 555 { 556 "junk insn", 557 .insns = { 558 BPF_RAW_INSN(0, 0, 0, 0, 0), 559 BPF_EXIT_INSN(), 560 }, 561 .errstr = "invalid BPF_LD_IMM", 562 .result = REJECT, 563 }, 564 { 565 "junk insn2", 566 .insns = { 567 BPF_RAW_INSN(1, 0, 0, 0, 0), 568 BPF_EXIT_INSN(), 569 }, 570 .errstr = "BPF_LDX uses reserved fields", 571 .result = REJECT, 572 }, 573 { 574 "junk insn3", 575 .insns = { 576 BPF_RAW_INSN(-1, 0, 0, 0, 0), 577 BPF_EXIT_INSN(), 578 }, 579 .errstr = "invalid BPF_ALU opcode f0", 580 .result = REJECT, 581 }, 582 { 583 "junk insn4", 584 .insns = { 585 BPF_RAW_INSN(-1, -1, -1, -1, -1), 586 BPF_EXIT_INSN(), 587 }, 588 .errstr = "invalid BPF_ALU opcode f0", 589 .result = REJECT, 590 }, 591 { 592 "junk insn5", 593 .insns = { 594 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 595 BPF_EXIT_INSN(), 596 }, 597 .errstr = "BPF_ALU uses reserved fields", 598 .result = REJECT, 599 }, 600 { 601 "misaligned read from stack", 602 .insns = { 603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 604 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 605 BPF_EXIT_INSN(), 606 }, 607 .errstr = "misaligned stack access", 608 .result = REJECT, 609 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 610 }, 611 { 612 "invalid map_fd for function call", 613 .insns = { 614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 615 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 617 BPF_LD_MAP_FD(BPF_REG_1, 0), 618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 619 BPF_FUNC_map_delete_elem), 620 BPF_EXIT_INSN(), 621 }, 622 .errstr = "fd 0 is not pointing to valid bpf_map", 623 .result = REJECT, 624 }, 625 { 626 "don't check return value before access", 627 .insns = { 628 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 631 BPF_LD_MAP_FD(BPF_REG_1, 0), 632 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 633 BPF_FUNC_map_lookup_elem), 634 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 635 BPF_EXIT_INSN(), 636 }, 637 .fixup_map1 = { 3 }, 638 .errstr = "R0 invalid mem access 'map_value_or_null'", 639 .result = REJECT, 640 }, 641 { 642 "access memory with incorrect alignment", 643 .insns = { 644 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 647 BPF_LD_MAP_FD(BPF_REG_1, 0), 648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 649 BPF_FUNC_map_lookup_elem), 650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 651 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 652 BPF_EXIT_INSN(), 653 }, 654 .fixup_map1 = { 3 }, 655 .errstr = "misaligned value access", 656 .result = REJECT, 657 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 658 }, 659 { 660 "sometimes access memory with incorrect alignment", 661 .insns = { 662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 665 BPF_LD_MAP_FD(BPF_REG_1, 0), 666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 667 BPF_FUNC_map_lookup_elem), 668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 669 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 670 BPF_EXIT_INSN(), 671 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 672 BPF_EXIT_INSN(), 673 }, 674 .fixup_map1 = { 3 }, 675 .errstr = "R0 invalid mem access", 676 .errstr_unpriv = "R0 leaks addr", 677 .result = REJECT, 678 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 679 }, 680 { 681 "jump test 1", 682 .insns = { 683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 684 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 694 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 695 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 696 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 697 BPF_MOV64_IMM(BPF_REG_0, 0), 698 BPF_EXIT_INSN(), 699 }, 700 .errstr_unpriv = "R1 pointer comparison", 701 .result_unpriv = REJECT, 702 .result = ACCEPT, 703 }, 704 { 705 "jump test 2", 706 .insns = { 707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 710 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 713 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 716 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 719 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 722 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 724 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 725 BPF_MOV64_IMM(BPF_REG_0, 0), 726 BPF_EXIT_INSN(), 727 }, 728 .errstr_unpriv = "R1 pointer comparison", 729 .result_unpriv = REJECT, 730 .result = ACCEPT, 731 }, 732 { 733 "jump test 3", 734 .insns = { 735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 739 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 743 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 747 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 751 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 755 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 757 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 759 BPF_LD_MAP_FD(BPF_REG_1, 0), 760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 761 BPF_FUNC_map_delete_elem), 762 BPF_EXIT_INSN(), 763 }, 764 .fixup_map1 = { 24 }, 765 .errstr_unpriv = "R1 pointer comparison", 766 .result_unpriv = REJECT, 767 .result = ACCEPT, 768 }, 769 { 770 "jump test 4", 771 .insns = { 772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 812 BPF_MOV64_IMM(BPF_REG_0, 0), 813 BPF_EXIT_INSN(), 814 }, 815 .errstr_unpriv = "R1 pointer comparison", 816 .result_unpriv = REJECT, 817 .result = ACCEPT, 818 }, 819 { 820 "jump test 5", 821 .insns = { 822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 823 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 824 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 825 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 826 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 828 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 829 BPF_MOV64_IMM(BPF_REG_0, 0), 830 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 831 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 832 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 834 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 835 BPF_MOV64_IMM(BPF_REG_0, 0), 836 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 837 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 838 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 840 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 841 BPF_MOV64_IMM(BPF_REG_0, 0), 842 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 843 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 844 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 846 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 847 BPF_MOV64_IMM(BPF_REG_0, 0), 848 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 849 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 850 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 851 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 852 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 853 BPF_MOV64_IMM(BPF_REG_0, 0), 854 BPF_EXIT_INSN(), 855 }, 856 .errstr_unpriv = "R1 pointer comparison", 857 .result_unpriv = REJECT, 858 .result = ACCEPT, 859 }, 860 { 861 "access skb fields ok", 862 .insns = { 863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 864 offsetof(struct __sk_buff, len)), 865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 867 offsetof(struct __sk_buff, mark)), 868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 870 offsetof(struct __sk_buff, pkt_type)), 871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 873 offsetof(struct __sk_buff, queue_mapping)), 874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 876 offsetof(struct __sk_buff, protocol)), 877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 879 offsetof(struct __sk_buff, vlan_present)), 880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 882 offsetof(struct __sk_buff, vlan_tci)), 883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 885 offsetof(struct __sk_buff, napi_id)), 886 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 887 BPF_EXIT_INSN(), 888 }, 889 .result = ACCEPT, 890 }, 891 { 892 "access skb fields bad1", 893 .insns = { 894 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 895 BPF_EXIT_INSN(), 896 }, 897 .errstr = "invalid bpf_context access", 898 .result = REJECT, 899 }, 900 { 901 "access skb fields bad2", 902 .insns = { 903 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 904 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 907 BPF_LD_MAP_FD(BPF_REG_1, 0), 908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 909 BPF_FUNC_map_lookup_elem), 910 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 911 BPF_EXIT_INSN(), 912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 913 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 914 offsetof(struct __sk_buff, pkt_type)), 915 BPF_EXIT_INSN(), 916 }, 917 .fixup_map1 = { 4 }, 918 .errstr = "different pointers", 919 .errstr_unpriv = "R1 pointer comparison", 920 .result = REJECT, 921 }, 922 { 923 "access skb fields bad3", 924 .insns = { 925 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 926 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 927 offsetof(struct __sk_buff, pkt_type)), 928 BPF_EXIT_INSN(), 929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 932 BPF_LD_MAP_FD(BPF_REG_1, 0), 933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 934 BPF_FUNC_map_lookup_elem), 935 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 936 BPF_EXIT_INSN(), 937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 938 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 939 }, 940 .fixup_map1 = { 6 }, 941 .errstr = "different pointers", 942 .errstr_unpriv = "R1 pointer comparison", 943 .result = REJECT, 944 }, 945 { 946 "access skb fields bad4", 947 .insns = { 948 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 949 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 950 offsetof(struct __sk_buff, len)), 951 BPF_MOV64_IMM(BPF_REG_0, 0), 952 BPF_EXIT_INSN(), 953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 956 BPF_LD_MAP_FD(BPF_REG_1, 0), 957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 958 BPF_FUNC_map_lookup_elem), 959 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 960 BPF_EXIT_INSN(), 961 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 962 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 963 }, 964 .fixup_map1 = { 7 }, 965 .errstr = "different pointers", 966 .errstr_unpriv = "R1 pointer comparison", 967 .result = REJECT, 968 }, 969 { 970 "invalid access __sk_buff family", 971 .insns = { 972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 973 offsetof(struct __sk_buff, family)), 974 BPF_EXIT_INSN(), 975 }, 976 .errstr = "invalid bpf_context access", 977 .result = REJECT, 978 }, 979 { 980 "invalid access __sk_buff remote_ip4", 981 .insns = { 982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 983 offsetof(struct __sk_buff, remote_ip4)), 984 BPF_EXIT_INSN(), 985 }, 986 .errstr = "invalid bpf_context access", 987 .result = REJECT, 988 }, 989 { 990 "invalid access __sk_buff local_ip4", 991 .insns = { 992 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 993 offsetof(struct __sk_buff, local_ip4)), 994 BPF_EXIT_INSN(), 995 }, 996 .errstr = "invalid bpf_context access", 997 .result = REJECT, 998 }, 999 { 1000 "invalid access __sk_buff remote_ip6", 1001 .insns = { 1002 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1003 offsetof(struct __sk_buff, remote_ip6)), 1004 BPF_EXIT_INSN(), 1005 }, 1006 .errstr = "invalid bpf_context access", 1007 .result = REJECT, 1008 }, 1009 { 1010 "invalid access __sk_buff local_ip6", 1011 .insns = { 1012 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1013 offsetof(struct __sk_buff, local_ip6)), 1014 BPF_EXIT_INSN(), 1015 }, 1016 .errstr = "invalid bpf_context access", 1017 .result = REJECT, 1018 }, 1019 { 1020 "invalid access __sk_buff remote_port", 1021 .insns = { 1022 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1023 offsetof(struct __sk_buff, remote_port)), 1024 BPF_EXIT_INSN(), 1025 }, 1026 .errstr = "invalid bpf_context access", 1027 .result = REJECT, 1028 }, 1029 { 1030 "invalid access __sk_buff remote_port", 1031 .insns = { 1032 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1033 offsetof(struct __sk_buff, local_port)), 1034 BPF_EXIT_INSN(), 1035 }, 1036 .errstr = "invalid bpf_context access", 1037 .result = REJECT, 1038 }, 1039 { 1040 "valid access __sk_buff family", 1041 .insns = { 1042 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1043 offsetof(struct __sk_buff, family)), 1044 BPF_EXIT_INSN(), 1045 }, 1046 .result = ACCEPT, 1047 .prog_type = BPF_PROG_TYPE_SK_SKB, 1048 }, 1049 { 1050 "valid access __sk_buff remote_ip4", 1051 .insns = { 1052 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1053 offsetof(struct __sk_buff, remote_ip4)), 1054 BPF_EXIT_INSN(), 1055 }, 1056 .result = ACCEPT, 1057 .prog_type = BPF_PROG_TYPE_SK_SKB, 1058 }, 1059 { 1060 "valid access __sk_buff local_ip4", 1061 .insns = { 1062 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1063 offsetof(struct __sk_buff, local_ip4)), 1064 BPF_EXIT_INSN(), 1065 }, 1066 .result = ACCEPT, 1067 .prog_type = BPF_PROG_TYPE_SK_SKB, 1068 }, 1069 { 1070 "valid access __sk_buff remote_ip6", 1071 .insns = { 1072 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1073 offsetof(struct __sk_buff, remote_ip6[0])), 1074 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1075 offsetof(struct __sk_buff, remote_ip6[1])), 1076 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1077 offsetof(struct __sk_buff, remote_ip6[2])), 1078 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1079 offsetof(struct __sk_buff, remote_ip6[3])), 1080 BPF_EXIT_INSN(), 1081 }, 1082 .result = ACCEPT, 1083 .prog_type = BPF_PROG_TYPE_SK_SKB, 1084 }, 1085 { 1086 "valid access __sk_buff local_ip6", 1087 .insns = { 1088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1089 offsetof(struct __sk_buff, local_ip6[0])), 1090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1091 offsetof(struct __sk_buff, local_ip6[1])), 1092 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1093 offsetof(struct __sk_buff, local_ip6[2])), 1094 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1095 offsetof(struct __sk_buff, local_ip6[3])), 1096 BPF_EXIT_INSN(), 1097 }, 1098 .result = ACCEPT, 1099 .prog_type = BPF_PROG_TYPE_SK_SKB, 1100 }, 1101 { 1102 "valid access __sk_buff remote_port", 1103 .insns = { 1104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1105 offsetof(struct __sk_buff, remote_port)), 1106 BPF_EXIT_INSN(), 1107 }, 1108 .result = ACCEPT, 1109 .prog_type = BPF_PROG_TYPE_SK_SKB, 1110 }, 1111 { 1112 "valid access __sk_buff remote_port", 1113 .insns = { 1114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1115 offsetof(struct __sk_buff, local_port)), 1116 BPF_EXIT_INSN(), 1117 }, 1118 .result = ACCEPT, 1119 .prog_type = BPF_PROG_TYPE_SK_SKB, 1120 }, 1121 { 1122 "invalid access of tc_classid for SK_SKB", 1123 .insns = { 1124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1125 offsetof(struct __sk_buff, tc_classid)), 1126 BPF_EXIT_INSN(), 1127 }, 1128 .result = REJECT, 1129 .prog_type = BPF_PROG_TYPE_SK_SKB, 1130 .errstr = "invalid bpf_context access", 1131 }, 1132 { 1133 "invalid access of skb->mark for SK_SKB", 1134 .insns = { 1135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1136 offsetof(struct __sk_buff, mark)), 1137 BPF_EXIT_INSN(), 1138 }, 1139 .result = REJECT, 1140 .prog_type = BPF_PROG_TYPE_SK_SKB, 1141 .errstr = "invalid bpf_context access", 1142 }, 1143 { 1144 "check skb->mark is not writeable by SK_SKB", 1145 .insns = { 1146 BPF_MOV64_IMM(BPF_REG_0, 0), 1147 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1148 offsetof(struct __sk_buff, mark)), 1149 BPF_EXIT_INSN(), 1150 }, 1151 .result = REJECT, 1152 .prog_type = BPF_PROG_TYPE_SK_SKB, 1153 .errstr = "invalid bpf_context access", 1154 }, 1155 { 1156 "check skb->tc_index is writeable by SK_SKB", 1157 .insns = { 1158 BPF_MOV64_IMM(BPF_REG_0, 0), 1159 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1160 offsetof(struct __sk_buff, tc_index)), 1161 BPF_EXIT_INSN(), 1162 }, 1163 .result = ACCEPT, 1164 .prog_type = BPF_PROG_TYPE_SK_SKB, 1165 }, 1166 { 1167 "check skb->priority is writeable by SK_SKB", 1168 .insns = { 1169 BPF_MOV64_IMM(BPF_REG_0, 0), 1170 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1171 offsetof(struct __sk_buff, priority)), 1172 BPF_EXIT_INSN(), 1173 }, 1174 .result = ACCEPT, 1175 .prog_type = BPF_PROG_TYPE_SK_SKB, 1176 }, 1177 { 1178 "direct packet read for SK_SKB", 1179 .insns = { 1180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1181 offsetof(struct __sk_buff, data)), 1182 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1183 offsetof(struct __sk_buff, data_end)), 1184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 1188 BPF_MOV64_IMM(BPF_REG_0, 0), 1189 BPF_EXIT_INSN(), 1190 }, 1191 .result = ACCEPT, 1192 .prog_type = BPF_PROG_TYPE_SK_SKB, 1193 }, 1194 { 1195 "direct packet write for SK_SKB", 1196 .insns = { 1197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1198 offsetof(struct __sk_buff, data)), 1199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1200 offsetof(struct __sk_buff, data_end)), 1201 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1203 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1204 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 1205 BPF_MOV64_IMM(BPF_REG_0, 0), 1206 BPF_EXIT_INSN(), 1207 }, 1208 .result = ACCEPT, 1209 .prog_type = BPF_PROG_TYPE_SK_SKB, 1210 }, 1211 { 1212 "overlapping checks for direct packet access SK_SKB", 1213 .insns = { 1214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1215 offsetof(struct __sk_buff, data)), 1216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1217 offsetof(struct __sk_buff, data_end)), 1218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1220 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 1221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 1223 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 1224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 1225 BPF_MOV64_IMM(BPF_REG_0, 0), 1226 BPF_EXIT_INSN(), 1227 }, 1228 .result = ACCEPT, 1229 .prog_type = BPF_PROG_TYPE_SK_SKB, 1230 }, 1231 { 1232 "check skb->mark is not writeable by sockets", 1233 .insns = { 1234 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1235 offsetof(struct __sk_buff, mark)), 1236 BPF_EXIT_INSN(), 1237 }, 1238 .errstr = "invalid bpf_context access", 1239 .errstr_unpriv = "R1 leaks addr", 1240 .result = REJECT, 1241 }, 1242 { 1243 "check skb->tc_index is not writeable by sockets", 1244 .insns = { 1245 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1246 offsetof(struct __sk_buff, tc_index)), 1247 BPF_EXIT_INSN(), 1248 }, 1249 .errstr = "invalid bpf_context access", 1250 .errstr_unpriv = "R1 leaks addr", 1251 .result = REJECT, 1252 }, 1253 { 1254 "check cb access: byte", 1255 .insns = { 1256 BPF_MOV64_IMM(BPF_REG_0, 0), 1257 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1258 offsetof(struct __sk_buff, cb[0])), 1259 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1260 offsetof(struct __sk_buff, cb[0]) + 1), 1261 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1262 offsetof(struct __sk_buff, cb[0]) + 2), 1263 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1264 offsetof(struct __sk_buff, cb[0]) + 3), 1265 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1266 offsetof(struct __sk_buff, cb[1])), 1267 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1268 offsetof(struct __sk_buff, cb[1]) + 1), 1269 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1270 offsetof(struct __sk_buff, cb[1]) + 2), 1271 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1272 offsetof(struct __sk_buff, cb[1]) + 3), 1273 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1274 offsetof(struct __sk_buff, cb[2])), 1275 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1276 offsetof(struct __sk_buff, cb[2]) + 1), 1277 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1278 offsetof(struct __sk_buff, cb[2]) + 2), 1279 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1280 offsetof(struct __sk_buff, cb[2]) + 3), 1281 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1282 offsetof(struct __sk_buff, cb[3])), 1283 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1284 offsetof(struct __sk_buff, cb[3]) + 1), 1285 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1286 offsetof(struct __sk_buff, cb[3]) + 2), 1287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1288 offsetof(struct __sk_buff, cb[3]) + 3), 1289 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1290 offsetof(struct __sk_buff, cb[4])), 1291 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1292 offsetof(struct __sk_buff, cb[4]) + 1), 1293 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1294 offsetof(struct __sk_buff, cb[4]) + 2), 1295 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1296 offsetof(struct __sk_buff, cb[4]) + 3), 1297 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1298 offsetof(struct __sk_buff, cb[0])), 1299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1300 offsetof(struct __sk_buff, cb[0]) + 1), 1301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1302 offsetof(struct __sk_buff, cb[0]) + 2), 1303 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1304 offsetof(struct __sk_buff, cb[0]) + 3), 1305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1306 offsetof(struct __sk_buff, cb[1])), 1307 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1308 offsetof(struct __sk_buff, cb[1]) + 1), 1309 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1310 offsetof(struct __sk_buff, cb[1]) + 2), 1311 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1312 offsetof(struct __sk_buff, cb[1]) + 3), 1313 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1314 offsetof(struct __sk_buff, cb[2])), 1315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1316 offsetof(struct __sk_buff, cb[2]) + 1), 1317 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1318 offsetof(struct __sk_buff, cb[2]) + 2), 1319 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1320 offsetof(struct __sk_buff, cb[2]) + 3), 1321 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1322 offsetof(struct __sk_buff, cb[3])), 1323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1324 offsetof(struct __sk_buff, cb[3]) + 1), 1325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1326 offsetof(struct __sk_buff, cb[3]) + 2), 1327 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1328 offsetof(struct __sk_buff, cb[3]) + 3), 1329 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1330 offsetof(struct __sk_buff, cb[4])), 1331 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1332 offsetof(struct __sk_buff, cb[4]) + 1), 1333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1334 offsetof(struct __sk_buff, cb[4]) + 2), 1335 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1336 offsetof(struct __sk_buff, cb[4]) + 3), 1337 BPF_EXIT_INSN(), 1338 }, 1339 .result = ACCEPT, 1340 }, 1341 { 1342 "__sk_buff->hash, offset 0, byte store not permitted", 1343 .insns = { 1344 BPF_MOV64_IMM(BPF_REG_0, 0), 1345 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1346 offsetof(struct __sk_buff, hash)), 1347 BPF_EXIT_INSN(), 1348 }, 1349 .errstr = "invalid bpf_context access", 1350 .result = REJECT, 1351 }, 1352 { 1353 "__sk_buff->tc_index, offset 3, byte store not permitted", 1354 .insns = { 1355 BPF_MOV64_IMM(BPF_REG_0, 0), 1356 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1357 offsetof(struct __sk_buff, tc_index) + 3), 1358 BPF_EXIT_INSN(), 1359 }, 1360 .errstr = "invalid bpf_context access", 1361 .result = REJECT, 1362 }, 1363 { 1364 "check skb->hash byte load permitted", 1365 .insns = { 1366 BPF_MOV64_IMM(BPF_REG_0, 0), 1367 #if __BYTE_ORDER == __LITTLE_ENDIAN 1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1369 offsetof(struct __sk_buff, hash)), 1370 #else 1371 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1372 offsetof(struct __sk_buff, hash) + 3), 1373 #endif 1374 BPF_EXIT_INSN(), 1375 }, 1376 .result = ACCEPT, 1377 }, 1378 { 1379 "check skb->hash byte load not permitted 1", 1380 .insns = { 1381 BPF_MOV64_IMM(BPF_REG_0, 0), 1382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1383 offsetof(struct __sk_buff, hash) + 1), 1384 BPF_EXIT_INSN(), 1385 }, 1386 .errstr = "invalid bpf_context access", 1387 .result = REJECT, 1388 }, 1389 { 1390 "check skb->hash byte load not permitted 2", 1391 .insns = { 1392 BPF_MOV64_IMM(BPF_REG_0, 0), 1393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1394 offsetof(struct __sk_buff, hash) + 2), 1395 BPF_EXIT_INSN(), 1396 }, 1397 .errstr = "invalid bpf_context access", 1398 .result = REJECT, 1399 }, 1400 { 1401 "check skb->hash byte load not permitted 3", 1402 .insns = { 1403 BPF_MOV64_IMM(BPF_REG_0, 0), 1404 #if __BYTE_ORDER == __LITTLE_ENDIAN 1405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1406 offsetof(struct __sk_buff, hash) + 3), 1407 #else 1408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1409 offsetof(struct __sk_buff, hash)), 1410 #endif 1411 BPF_EXIT_INSN(), 1412 }, 1413 .errstr = "invalid bpf_context access", 1414 .result = REJECT, 1415 }, 1416 { 1417 "check cb access: byte, wrong type", 1418 .insns = { 1419 BPF_MOV64_IMM(BPF_REG_0, 0), 1420 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1421 offsetof(struct __sk_buff, cb[0])), 1422 BPF_EXIT_INSN(), 1423 }, 1424 .errstr = "invalid bpf_context access", 1425 .result = REJECT, 1426 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1427 }, 1428 { 1429 "check cb access: half", 1430 .insns = { 1431 BPF_MOV64_IMM(BPF_REG_0, 0), 1432 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1433 offsetof(struct __sk_buff, cb[0])), 1434 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1435 offsetof(struct __sk_buff, cb[0]) + 2), 1436 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1437 offsetof(struct __sk_buff, cb[1])), 1438 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1439 offsetof(struct __sk_buff, cb[1]) + 2), 1440 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1441 offsetof(struct __sk_buff, cb[2])), 1442 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1443 offsetof(struct __sk_buff, cb[2]) + 2), 1444 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1445 offsetof(struct __sk_buff, cb[3])), 1446 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1447 offsetof(struct __sk_buff, cb[3]) + 2), 1448 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1449 offsetof(struct __sk_buff, cb[4])), 1450 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1451 offsetof(struct __sk_buff, cb[4]) + 2), 1452 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1453 offsetof(struct __sk_buff, cb[0])), 1454 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1455 offsetof(struct __sk_buff, cb[0]) + 2), 1456 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1457 offsetof(struct __sk_buff, cb[1])), 1458 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1459 offsetof(struct __sk_buff, cb[1]) + 2), 1460 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1461 offsetof(struct __sk_buff, cb[2])), 1462 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1463 offsetof(struct __sk_buff, cb[2]) + 2), 1464 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1465 offsetof(struct __sk_buff, cb[3])), 1466 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1467 offsetof(struct __sk_buff, cb[3]) + 2), 1468 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1469 offsetof(struct __sk_buff, cb[4])), 1470 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1471 offsetof(struct __sk_buff, cb[4]) + 2), 1472 BPF_EXIT_INSN(), 1473 }, 1474 .result = ACCEPT, 1475 }, 1476 { 1477 "check cb access: half, unaligned", 1478 .insns = { 1479 BPF_MOV64_IMM(BPF_REG_0, 0), 1480 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1481 offsetof(struct __sk_buff, cb[0]) + 1), 1482 BPF_EXIT_INSN(), 1483 }, 1484 .errstr = "misaligned context access", 1485 .result = REJECT, 1486 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1487 }, 1488 { 1489 "check __sk_buff->hash, offset 0, half store not permitted", 1490 .insns = { 1491 BPF_MOV64_IMM(BPF_REG_0, 0), 1492 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1493 offsetof(struct __sk_buff, hash)), 1494 BPF_EXIT_INSN(), 1495 }, 1496 .errstr = "invalid bpf_context access", 1497 .result = REJECT, 1498 }, 1499 { 1500 "check __sk_buff->tc_index, offset 2, half store not permitted", 1501 .insns = { 1502 BPF_MOV64_IMM(BPF_REG_0, 0), 1503 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1504 offsetof(struct __sk_buff, tc_index) + 2), 1505 BPF_EXIT_INSN(), 1506 }, 1507 .errstr = "invalid bpf_context access", 1508 .result = REJECT, 1509 }, 1510 { 1511 "check skb->hash half load permitted", 1512 .insns = { 1513 BPF_MOV64_IMM(BPF_REG_0, 0), 1514 #if __BYTE_ORDER == __LITTLE_ENDIAN 1515 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1516 offsetof(struct __sk_buff, hash)), 1517 #else 1518 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1519 offsetof(struct __sk_buff, hash) + 2), 1520 #endif 1521 BPF_EXIT_INSN(), 1522 }, 1523 .result = ACCEPT, 1524 }, 1525 { 1526 "check skb->hash half load not permitted", 1527 .insns = { 1528 BPF_MOV64_IMM(BPF_REG_0, 0), 1529 #if __BYTE_ORDER == __LITTLE_ENDIAN 1530 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1531 offsetof(struct __sk_buff, hash) + 2), 1532 #else 1533 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1534 offsetof(struct __sk_buff, hash)), 1535 #endif 1536 BPF_EXIT_INSN(), 1537 }, 1538 .errstr = "invalid bpf_context access", 1539 .result = REJECT, 1540 }, 1541 { 1542 "check cb access: half, wrong type", 1543 .insns = { 1544 BPF_MOV64_IMM(BPF_REG_0, 0), 1545 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1546 offsetof(struct __sk_buff, cb[0])), 1547 BPF_EXIT_INSN(), 1548 }, 1549 .errstr = "invalid bpf_context access", 1550 .result = REJECT, 1551 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1552 }, 1553 { 1554 "check cb access: word", 1555 .insns = { 1556 BPF_MOV64_IMM(BPF_REG_0, 0), 1557 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1558 offsetof(struct __sk_buff, cb[0])), 1559 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1560 offsetof(struct __sk_buff, cb[1])), 1561 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1562 offsetof(struct __sk_buff, cb[2])), 1563 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1564 offsetof(struct __sk_buff, cb[3])), 1565 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1566 offsetof(struct __sk_buff, cb[4])), 1567 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1568 offsetof(struct __sk_buff, cb[0])), 1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1570 offsetof(struct __sk_buff, cb[1])), 1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1572 offsetof(struct __sk_buff, cb[2])), 1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1574 offsetof(struct __sk_buff, cb[3])), 1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1576 offsetof(struct __sk_buff, cb[4])), 1577 BPF_EXIT_INSN(), 1578 }, 1579 .result = ACCEPT, 1580 }, 1581 { 1582 "check cb access: word, unaligned 1", 1583 .insns = { 1584 BPF_MOV64_IMM(BPF_REG_0, 0), 1585 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1586 offsetof(struct __sk_buff, cb[0]) + 2), 1587 BPF_EXIT_INSN(), 1588 }, 1589 .errstr = "misaligned context access", 1590 .result = REJECT, 1591 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1592 }, 1593 { 1594 "check cb access: word, unaligned 2", 1595 .insns = { 1596 BPF_MOV64_IMM(BPF_REG_0, 0), 1597 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1598 offsetof(struct __sk_buff, cb[4]) + 1), 1599 BPF_EXIT_INSN(), 1600 }, 1601 .errstr = "misaligned context access", 1602 .result = REJECT, 1603 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1604 }, 1605 { 1606 "check cb access: word, unaligned 3", 1607 .insns = { 1608 BPF_MOV64_IMM(BPF_REG_0, 0), 1609 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1610 offsetof(struct __sk_buff, cb[4]) + 2), 1611 BPF_EXIT_INSN(), 1612 }, 1613 .errstr = "misaligned context access", 1614 .result = REJECT, 1615 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1616 }, 1617 { 1618 "check cb access: word, unaligned 4", 1619 .insns = { 1620 BPF_MOV64_IMM(BPF_REG_0, 0), 1621 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1622 offsetof(struct __sk_buff, cb[4]) + 3), 1623 BPF_EXIT_INSN(), 1624 }, 1625 .errstr = "misaligned context access", 1626 .result = REJECT, 1627 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1628 }, 1629 { 1630 "check cb access: double", 1631 .insns = { 1632 BPF_MOV64_IMM(BPF_REG_0, 0), 1633 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1634 offsetof(struct __sk_buff, cb[0])), 1635 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1636 offsetof(struct __sk_buff, cb[2])), 1637 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1638 offsetof(struct __sk_buff, cb[0])), 1639 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1640 offsetof(struct __sk_buff, cb[2])), 1641 BPF_EXIT_INSN(), 1642 }, 1643 .result = ACCEPT, 1644 }, 1645 { 1646 "check cb access: double, unaligned 1", 1647 .insns = { 1648 BPF_MOV64_IMM(BPF_REG_0, 0), 1649 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1650 offsetof(struct __sk_buff, cb[1])), 1651 BPF_EXIT_INSN(), 1652 }, 1653 .errstr = "misaligned context access", 1654 .result = REJECT, 1655 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1656 }, 1657 { 1658 "check cb access: double, unaligned 2", 1659 .insns = { 1660 BPF_MOV64_IMM(BPF_REG_0, 0), 1661 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1662 offsetof(struct __sk_buff, cb[3])), 1663 BPF_EXIT_INSN(), 1664 }, 1665 .errstr = "misaligned context access", 1666 .result = REJECT, 1667 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1668 }, 1669 { 1670 "check cb access: double, oob 1", 1671 .insns = { 1672 BPF_MOV64_IMM(BPF_REG_0, 0), 1673 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1674 offsetof(struct __sk_buff, cb[4])), 1675 BPF_EXIT_INSN(), 1676 }, 1677 .errstr = "invalid bpf_context access", 1678 .result = REJECT, 1679 }, 1680 { 1681 "check cb access: double, oob 2", 1682 .insns = { 1683 BPF_MOV64_IMM(BPF_REG_0, 0), 1684 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1685 offsetof(struct __sk_buff, cb[4])), 1686 BPF_EXIT_INSN(), 1687 }, 1688 .errstr = "invalid bpf_context access", 1689 .result = REJECT, 1690 }, 1691 { 1692 "check __sk_buff->ifindex dw store not permitted", 1693 .insns = { 1694 BPF_MOV64_IMM(BPF_REG_0, 0), 1695 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1696 offsetof(struct __sk_buff, ifindex)), 1697 BPF_EXIT_INSN(), 1698 }, 1699 .errstr = "invalid bpf_context access", 1700 .result = REJECT, 1701 }, 1702 { 1703 "check __sk_buff->ifindex dw load not permitted", 1704 .insns = { 1705 BPF_MOV64_IMM(BPF_REG_0, 0), 1706 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1707 offsetof(struct __sk_buff, ifindex)), 1708 BPF_EXIT_INSN(), 1709 }, 1710 .errstr = "invalid bpf_context access", 1711 .result = REJECT, 1712 }, 1713 { 1714 "check cb access: double, wrong type", 1715 .insns = { 1716 BPF_MOV64_IMM(BPF_REG_0, 0), 1717 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1718 offsetof(struct __sk_buff, cb[0])), 1719 BPF_EXIT_INSN(), 1720 }, 1721 .errstr = "invalid bpf_context access", 1722 .result = REJECT, 1723 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1724 }, 1725 { 1726 "check out of range skb->cb access", 1727 .insns = { 1728 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1729 offsetof(struct __sk_buff, cb[0]) + 256), 1730 BPF_EXIT_INSN(), 1731 }, 1732 .errstr = "invalid bpf_context access", 1733 .errstr_unpriv = "", 1734 .result = REJECT, 1735 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 1736 }, 1737 { 1738 "write skb fields from socket prog", 1739 .insns = { 1740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1741 offsetof(struct __sk_buff, cb[4])), 1742 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1744 offsetof(struct __sk_buff, mark)), 1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1746 offsetof(struct __sk_buff, tc_index)), 1747 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1748 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1749 offsetof(struct __sk_buff, cb[0])), 1750 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1751 offsetof(struct __sk_buff, cb[2])), 1752 BPF_EXIT_INSN(), 1753 }, 1754 .result = ACCEPT, 1755 .errstr_unpriv = "R1 leaks addr", 1756 .result_unpriv = REJECT, 1757 }, 1758 { 1759 "write skb fields from tc_cls_act prog", 1760 .insns = { 1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1762 offsetof(struct __sk_buff, cb[0])), 1763 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1764 offsetof(struct __sk_buff, mark)), 1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1766 offsetof(struct __sk_buff, tc_index)), 1767 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1768 offsetof(struct __sk_buff, tc_index)), 1769 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1770 offsetof(struct __sk_buff, cb[3])), 1771 BPF_EXIT_INSN(), 1772 }, 1773 .errstr_unpriv = "", 1774 .result_unpriv = REJECT, 1775 .result = ACCEPT, 1776 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1777 }, 1778 { 1779 "PTR_TO_STACK store/load", 1780 .insns = { 1781 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1783 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1784 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1785 BPF_EXIT_INSN(), 1786 }, 1787 .result = ACCEPT, 1788 }, 1789 { 1790 "PTR_TO_STACK store/load - bad alignment on off", 1791 .insns = { 1792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1794 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1795 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1796 BPF_EXIT_INSN(), 1797 }, 1798 .result = REJECT, 1799 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8", 1800 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1801 }, 1802 { 1803 "PTR_TO_STACK store/load - bad alignment on reg", 1804 .insns = { 1805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1807 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1809 BPF_EXIT_INSN(), 1810 }, 1811 .result = REJECT, 1812 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8", 1813 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1814 }, 1815 { 1816 "PTR_TO_STACK store/load - out of bounds low", 1817 .insns = { 1818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 1820 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1821 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1822 BPF_EXIT_INSN(), 1823 }, 1824 .result = REJECT, 1825 .errstr = "invalid stack off=-79992 size=8", 1826 }, 1827 { 1828 "PTR_TO_STACK store/load - out of bounds high", 1829 .insns = { 1830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1832 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1833 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1834 BPF_EXIT_INSN(), 1835 }, 1836 .result = REJECT, 1837 .errstr = "invalid stack off=0 size=8", 1838 }, 1839 { 1840 "unpriv: return pointer", 1841 .insns = { 1842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 1843 BPF_EXIT_INSN(), 1844 }, 1845 .result = ACCEPT, 1846 .result_unpriv = REJECT, 1847 .errstr_unpriv = "R0 leaks addr", 1848 }, 1849 { 1850 "unpriv: add const to pointer", 1851 .insns = { 1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 1853 BPF_MOV64_IMM(BPF_REG_0, 0), 1854 BPF_EXIT_INSN(), 1855 }, 1856 .result = ACCEPT, 1857 }, 1858 { 1859 "unpriv: add pointer to pointer", 1860 .insns = { 1861 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1862 BPF_MOV64_IMM(BPF_REG_0, 0), 1863 BPF_EXIT_INSN(), 1864 }, 1865 .result = ACCEPT, 1866 .result_unpriv = REJECT, 1867 .errstr_unpriv = "R1 pointer += pointer", 1868 }, 1869 { 1870 "unpriv: neg pointer", 1871 .insns = { 1872 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 1873 BPF_MOV64_IMM(BPF_REG_0, 0), 1874 BPF_EXIT_INSN(), 1875 }, 1876 .result = ACCEPT, 1877 .result_unpriv = REJECT, 1878 .errstr_unpriv = "R1 pointer arithmetic", 1879 }, 1880 { 1881 "unpriv: cmp pointer with const", 1882 .insns = { 1883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1884 BPF_MOV64_IMM(BPF_REG_0, 0), 1885 BPF_EXIT_INSN(), 1886 }, 1887 .result = ACCEPT, 1888 .result_unpriv = REJECT, 1889 .errstr_unpriv = "R1 pointer comparison", 1890 }, 1891 { 1892 "unpriv: cmp pointer with pointer", 1893 .insns = { 1894 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1895 BPF_MOV64_IMM(BPF_REG_0, 0), 1896 BPF_EXIT_INSN(), 1897 }, 1898 .result = ACCEPT, 1899 .result_unpriv = REJECT, 1900 .errstr_unpriv = "R10 pointer comparison", 1901 }, 1902 { 1903 "unpriv: check that printk is disallowed", 1904 .insns = { 1905 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1908 BPF_MOV64_IMM(BPF_REG_2, 8), 1909 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1911 BPF_FUNC_trace_printk), 1912 BPF_MOV64_IMM(BPF_REG_0, 0), 1913 BPF_EXIT_INSN(), 1914 }, 1915 .errstr_unpriv = "unknown func bpf_trace_printk#6", 1916 .result_unpriv = REJECT, 1917 .result = ACCEPT, 1918 }, 1919 { 1920 "unpriv: pass pointer to helper function", 1921 .insns = { 1922 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1925 BPF_LD_MAP_FD(BPF_REG_1, 0), 1926 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1927 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 1928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1929 BPF_FUNC_map_update_elem), 1930 BPF_MOV64_IMM(BPF_REG_0, 0), 1931 BPF_EXIT_INSN(), 1932 }, 1933 .fixup_map1 = { 3 }, 1934 .errstr_unpriv = "R4 leaks addr", 1935 .result_unpriv = REJECT, 1936 .result = ACCEPT, 1937 }, 1938 { 1939 "unpriv: indirectly pass pointer on stack to helper function", 1940 .insns = { 1941 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1944 BPF_LD_MAP_FD(BPF_REG_1, 0), 1945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1946 BPF_FUNC_map_lookup_elem), 1947 BPF_MOV64_IMM(BPF_REG_0, 0), 1948 BPF_EXIT_INSN(), 1949 }, 1950 .fixup_map1 = { 3 }, 1951 .errstr = "invalid indirect read from stack off -8+0 size 8", 1952 .result = REJECT, 1953 }, 1954 { 1955 "unpriv: mangle pointer on stack 1", 1956 .insns = { 1957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1958 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 1959 BPF_MOV64_IMM(BPF_REG_0, 0), 1960 BPF_EXIT_INSN(), 1961 }, 1962 .errstr_unpriv = "attempt to corrupt spilled", 1963 .result_unpriv = REJECT, 1964 .result = ACCEPT, 1965 }, 1966 { 1967 "unpriv: mangle pointer on stack 2", 1968 .insns = { 1969 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1970 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 1971 BPF_MOV64_IMM(BPF_REG_0, 0), 1972 BPF_EXIT_INSN(), 1973 }, 1974 .errstr_unpriv = "attempt to corrupt spilled", 1975 .result_unpriv = REJECT, 1976 .result = ACCEPT, 1977 }, 1978 { 1979 "unpriv: read pointer from stack in small chunks", 1980 .insns = { 1981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 1983 BPF_MOV64_IMM(BPF_REG_0, 0), 1984 BPF_EXIT_INSN(), 1985 }, 1986 .errstr = "invalid size", 1987 .result = REJECT, 1988 }, 1989 { 1990 "unpriv: write pointer into ctx", 1991 .insns = { 1992 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 1993 BPF_MOV64_IMM(BPF_REG_0, 0), 1994 BPF_EXIT_INSN(), 1995 }, 1996 .errstr_unpriv = "R1 leaks addr", 1997 .result_unpriv = REJECT, 1998 .errstr = "invalid bpf_context access", 1999 .result = REJECT, 2000 }, 2001 { 2002 "unpriv: spill/fill of ctx", 2003 .insns = { 2004 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2006 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2007 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2008 BPF_MOV64_IMM(BPF_REG_0, 0), 2009 BPF_EXIT_INSN(), 2010 }, 2011 .result = ACCEPT, 2012 }, 2013 { 2014 "unpriv: spill/fill of ctx 2", 2015 .insns = { 2016 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2018 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2019 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2021 BPF_FUNC_get_hash_recalc), 2022 BPF_EXIT_INSN(), 2023 }, 2024 .result = ACCEPT, 2025 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2026 }, 2027 { 2028 "unpriv: spill/fill of ctx 3", 2029 .insns = { 2030 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2032 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2033 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 2034 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2036 BPF_FUNC_get_hash_recalc), 2037 BPF_EXIT_INSN(), 2038 }, 2039 .result = REJECT, 2040 .errstr = "R1 type=fp expected=ctx", 2041 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2042 }, 2043 { 2044 "unpriv: spill/fill of ctx 4", 2045 .insns = { 2046 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2048 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2049 BPF_MOV64_IMM(BPF_REG_0, 1), 2050 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 2051 BPF_REG_0, -8, 0), 2052 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2053 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2054 BPF_FUNC_get_hash_recalc), 2055 BPF_EXIT_INSN(), 2056 }, 2057 .result = REJECT, 2058 .errstr = "R1 type=inv expected=ctx", 2059 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2060 }, 2061 { 2062 "unpriv: spill/fill of different pointers stx", 2063 .insns = { 2064 BPF_MOV64_IMM(BPF_REG_3, 42), 2065 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 2068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 2070 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 2071 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 2072 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2073 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2074 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 2075 offsetof(struct __sk_buff, mark)), 2076 BPF_MOV64_IMM(BPF_REG_0, 0), 2077 BPF_EXIT_INSN(), 2078 }, 2079 .result = REJECT, 2080 .errstr = "same insn cannot be used with different pointers", 2081 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2082 }, 2083 { 2084 "unpriv: spill/fill of different pointers ldx", 2085 .insns = { 2086 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 2089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 2091 -(__s32)offsetof(struct bpf_perf_event_data, 2092 sample_period) - 8), 2093 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 2094 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 2095 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2096 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2097 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 2098 offsetof(struct bpf_perf_event_data, 2099 sample_period)), 2100 BPF_MOV64_IMM(BPF_REG_0, 0), 2101 BPF_EXIT_INSN(), 2102 }, 2103 .result = REJECT, 2104 .errstr = "same insn cannot be used with different pointers", 2105 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 2106 }, 2107 { 2108 "unpriv: write pointer into map elem value", 2109 .insns = { 2110 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2111 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2113 BPF_LD_MAP_FD(BPF_REG_1, 0), 2114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2115 BPF_FUNC_map_lookup_elem), 2116 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 2117 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 2118 BPF_EXIT_INSN(), 2119 }, 2120 .fixup_map1 = { 3 }, 2121 .errstr_unpriv = "R0 leaks addr", 2122 .result_unpriv = REJECT, 2123 .result = ACCEPT, 2124 }, 2125 { 2126 "unpriv: partial copy of pointer", 2127 .insns = { 2128 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 2129 BPF_MOV64_IMM(BPF_REG_0, 0), 2130 BPF_EXIT_INSN(), 2131 }, 2132 .errstr_unpriv = "R10 partial copy", 2133 .result_unpriv = REJECT, 2134 .result = ACCEPT, 2135 }, 2136 { 2137 "unpriv: pass pointer to tail_call", 2138 .insns = { 2139 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 2140 BPF_LD_MAP_FD(BPF_REG_2, 0), 2141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2142 BPF_FUNC_tail_call), 2143 BPF_MOV64_IMM(BPF_REG_0, 0), 2144 BPF_EXIT_INSN(), 2145 }, 2146 .fixup_prog = { 1 }, 2147 .errstr_unpriv = "R3 leaks addr into helper", 2148 .result_unpriv = REJECT, 2149 .result = ACCEPT, 2150 }, 2151 { 2152 "unpriv: cmp map pointer with zero", 2153 .insns = { 2154 BPF_MOV64_IMM(BPF_REG_1, 0), 2155 BPF_LD_MAP_FD(BPF_REG_1, 0), 2156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 2157 BPF_MOV64_IMM(BPF_REG_0, 0), 2158 BPF_EXIT_INSN(), 2159 }, 2160 .fixup_map1 = { 1 }, 2161 .errstr_unpriv = "R1 pointer comparison", 2162 .result_unpriv = REJECT, 2163 .result = ACCEPT, 2164 }, 2165 { 2166 "unpriv: write into frame pointer", 2167 .insns = { 2168 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 2169 BPF_MOV64_IMM(BPF_REG_0, 0), 2170 BPF_EXIT_INSN(), 2171 }, 2172 .errstr = "frame pointer is read only", 2173 .result = REJECT, 2174 }, 2175 { 2176 "unpriv: spill/fill frame pointer", 2177 .insns = { 2178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2180 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 2181 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 2182 BPF_MOV64_IMM(BPF_REG_0, 0), 2183 BPF_EXIT_INSN(), 2184 }, 2185 .errstr = "frame pointer is read only", 2186 .result = REJECT, 2187 }, 2188 { 2189 "unpriv: cmp of frame pointer", 2190 .insns = { 2191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 2192 BPF_MOV64_IMM(BPF_REG_0, 0), 2193 BPF_EXIT_INSN(), 2194 }, 2195 .errstr_unpriv = "R10 pointer comparison", 2196 .result_unpriv = REJECT, 2197 .result = ACCEPT, 2198 }, 2199 { 2200 "unpriv: adding of fp", 2201 .insns = { 2202 BPF_MOV64_IMM(BPF_REG_0, 0), 2203 BPF_MOV64_IMM(BPF_REG_1, 0), 2204 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 2205 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 2206 BPF_EXIT_INSN(), 2207 }, 2208 .result = ACCEPT, 2209 }, 2210 { 2211 "unpriv: cmp of stack pointer", 2212 .insns = { 2213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 2216 BPF_MOV64_IMM(BPF_REG_0, 0), 2217 BPF_EXIT_INSN(), 2218 }, 2219 .errstr_unpriv = "R2 pointer comparison", 2220 .result_unpriv = REJECT, 2221 .result = ACCEPT, 2222 }, 2223 { 2224 "stack pointer arithmetic", 2225 .insns = { 2226 BPF_MOV64_IMM(BPF_REG_1, 4), 2227 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 2228 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 2230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 2231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 2232 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 2233 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 2234 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 2235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2236 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 2237 BPF_MOV64_IMM(BPF_REG_0, 0), 2238 BPF_EXIT_INSN(), 2239 }, 2240 .result = ACCEPT, 2241 }, 2242 { 2243 "raw_stack: no skb_load_bytes", 2244 .insns = { 2245 BPF_MOV64_IMM(BPF_REG_2, 4), 2246 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2248 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2249 BPF_MOV64_IMM(BPF_REG_4, 8), 2250 /* Call to skb_load_bytes() omitted. */ 2251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2252 BPF_EXIT_INSN(), 2253 }, 2254 .result = REJECT, 2255 .errstr = "invalid read from stack off -8+0 size 8", 2256 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2257 }, 2258 { 2259 "raw_stack: skb_load_bytes, negative len", 2260 .insns = { 2261 BPF_MOV64_IMM(BPF_REG_2, 4), 2262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2265 BPF_MOV64_IMM(BPF_REG_4, -8), 2266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2267 BPF_FUNC_skb_load_bytes), 2268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2269 BPF_EXIT_INSN(), 2270 }, 2271 .result = REJECT, 2272 .errstr = "R4 min value is negative", 2273 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2274 }, 2275 { 2276 "raw_stack: skb_load_bytes, negative len 2", 2277 .insns = { 2278 BPF_MOV64_IMM(BPF_REG_2, 4), 2279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2282 BPF_MOV64_IMM(BPF_REG_4, ~0), 2283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2284 BPF_FUNC_skb_load_bytes), 2285 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2286 BPF_EXIT_INSN(), 2287 }, 2288 .result = REJECT, 2289 .errstr = "R4 min value is negative", 2290 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2291 }, 2292 { 2293 "raw_stack: skb_load_bytes, zero len", 2294 .insns = { 2295 BPF_MOV64_IMM(BPF_REG_2, 4), 2296 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2298 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2299 BPF_MOV64_IMM(BPF_REG_4, 0), 2300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2301 BPF_FUNC_skb_load_bytes), 2302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2303 BPF_EXIT_INSN(), 2304 }, 2305 .result = REJECT, 2306 .errstr = "invalid stack type R3", 2307 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2308 }, 2309 { 2310 "raw_stack: skb_load_bytes, no init", 2311 .insns = { 2312 BPF_MOV64_IMM(BPF_REG_2, 4), 2313 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2315 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2316 BPF_MOV64_IMM(BPF_REG_4, 8), 2317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2318 BPF_FUNC_skb_load_bytes), 2319 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2320 BPF_EXIT_INSN(), 2321 }, 2322 .result = ACCEPT, 2323 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2324 }, 2325 { 2326 "raw_stack: skb_load_bytes, init", 2327 .insns = { 2328 BPF_MOV64_IMM(BPF_REG_2, 4), 2329 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2331 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 2332 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2333 BPF_MOV64_IMM(BPF_REG_4, 8), 2334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2335 BPF_FUNC_skb_load_bytes), 2336 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2337 BPF_EXIT_INSN(), 2338 }, 2339 .result = ACCEPT, 2340 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2341 }, 2342 { 2343 "raw_stack: skb_load_bytes, spilled regs around bounds", 2344 .insns = { 2345 BPF_MOV64_IMM(BPF_REG_2, 4), 2346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2348 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2349 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2351 BPF_MOV64_IMM(BPF_REG_4, 8), 2352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2353 BPF_FUNC_skb_load_bytes), 2354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2355 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2357 offsetof(struct __sk_buff, mark)), 2358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2359 offsetof(struct __sk_buff, priority)), 2360 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2361 BPF_EXIT_INSN(), 2362 }, 2363 .result = ACCEPT, 2364 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2365 }, 2366 { 2367 "raw_stack: skb_load_bytes, spilled regs corruption", 2368 .insns = { 2369 BPF_MOV64_IMM(BPF_REG_2, 4), 2370 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2372 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2373 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2374 BPF_MOV64_IMM(BPF_REG_4, 8), 2375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2376 BPF_FUNC_skb_load_bytes), 2377 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2379 offsetof(struct __sk_buff, mark)), 2380 BPF_EXIT_INSN(), 2381 }, 2382 .result = REJECT, 2383 .errstr = "R0 invalid mem access 'inv'", 2384 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2385 }, 2386 { 2387 "raw_stack: skb_load_bytes, spilled regs corruption 2", 2388 .insns = { 2389 BPF_MOV64_IMM(BPF_REG_2, 4), 2390 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2392 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2393 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2394 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2395 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2396 BPF_MOV64_IMM(BPF_REG_4, 8), 2397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2398 BPF_FUNC_skb_load_bytes), 2399 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2400 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2401 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2402 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2403 offsetof(struct __sk_buff, mark)), 2404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2405 offsetof(struct __sk_buff, priority)), 2406 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 2408 offsetof(struct __sk_buff, pkt_type)), 2409 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2410 BPF_EXIT_INSN(), 2411 }, 2412 .result = REJECT, 2413 .errstr = "R3 invalid mem access 'inv'", 2414 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2415 }, 2416 { 2417 "raw_stack: skb_load_bytes, spilled regs + data", 2418 .insns = { 2419 BPF_MOV64_IMM(BPF_REG_2, 4), 2420 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2422 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2423 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2424 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2425 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2426 BPF_MOV64_IMM(BPF_REG_4, 8), 2427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2428 BPF_FUNC_skb_load_bytes), 2429 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2430 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2431 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2432 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2433 offsetof(struct __sk_buff, mark)), 2434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2435 offsetof(struct __sk_buff, priority)), 2436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2438 BPF_EXIT_INSN(), 2439 }, 2440 .result = ACCEPT, 2441 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2442 }, 2443 { 2444 "raw_stack: skb_load_bytes, invalid access 1", 2445 .insns = { 2446 BPF_MOV64_IMM(BPF_REG_2, 4), 2447 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 2449 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2450 BPF_MOV64_IMM(BPF_REG_4, 8), 2451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2452 BPF_FUNC_skb_load_bytes), 2453 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2454 BPF_EXIT_INSN(), 2455 }, 2456 .result = REJECT, 2457 .errstr = "invalid stack type R3 off=-513 access_size=8", 2458 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2459 }, 2460 { 2461 "raw_stack: skb_load_bytes, invalid access 2", 2462 .insns = { 2463 BPF_MOV64_IMM(BPF_REG_2, 4), 2464 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2466 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2467 BPF_MOV64_IMM(BPF_REG_4, 8), 2468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2469 BPF_FUNC_skb_load_bytes), 2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2471 BPF_EXIT_INSN(), 2472 }, 2473 .result = REJECT, 2474 .errstr = "invalid stack type R3 off=-1 access_size=8", 2475 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2476 }, 2477 { 2478 "raw_stack: skb_load_bytes, invalid access 3", 2479 .insns = { 2480 BPF_MOV64_IMM(BPF_REG_2, 4), 2481 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 2483 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2484 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2485 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2486 BPF_FUNC_skb_load_bytes), 2487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2488 BPF_EXIT_INSN(), 2489 }, 2490 .result = REJECT, 2491 .errstr = "R4 min value is negative", 2492 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2493 }, 2494 { 2495 "raw_stack: skb_load_bytes, invalid access 4", 2496 .insns = { 2497 BPF_MOV64_IMM(BPF_REG_2, 4), 2498 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2500 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2501 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2503 BPF_FUNC_skb_load_bytes), 2504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2505 BPF_EXIT_INSN(), 2506 }, 2507 .result = REJECT, 2508 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'", 2509 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2510 }, 2511 { 2512 "raw_stack: skb_load_bytes, invalid access 5", 2513 .insns = { 2514 BPF_MOV64_IMM(BPF_REG_2, 4), 2515 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2517 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2518 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2520 BPF_FUNC_skb_load_bytes), 2521 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2522 BPF_EXIT_INSN(), 2523 }, 2524 .result = REJECT, 2525 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'", 2526 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2527 }, 2528 { 2529 "raw_stack: skb_load_bytes, invalid access 6", 2530 .insns = { 2531 BPF_MOV64_IMM(BPF_REG_2, 4), 2532 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2535 BPF_MOV64_IMM(BPF_REG_4, 0), 2536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2537 BPF_FUNC_skb_load_bytes), 2538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2539 BPF_EXIT_INSN(), 2540 }, 2541 .result = REJECT, 2542 .errstr = "invalid stack type R3 off=-512 access_size=0", 2543 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2544 }, 2545 { 2546 "raw_stack: skb_load_bytes, large access", 2547 .insns = { 2548 BPF_MOV64_IMM(BPF_REG_2, 4), 2549 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2551 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2552 BPF_MOV64_IMM(BPF_REG_4, 512), 2553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2554 BPF_FUNC_skb_load_bytes), 2555 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2556 BPF_EXIT_INSN(), 2557 }, 2558 .result = ACCEPT, 2559 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2560 }, 2561 { 2562 "direct packet access: test1", 2563 .insns = { 2564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2565 offsetof(struct __sk_buff, data)), 2566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2567 offsetof(struct __sk_buff, data_end)), 2568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2572 BPF_MOV64_IMM(BPF_REG_0, 0), 2573 BPF_EXIT_INSN(), 2574 }, 2575 .result = ACCEPT, 2576 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2577 }, 2578 { 2579 "direct packet access: test2", 2580 .insns = { 2581 BPF_MOV64_IMM(BPF_REG_0, 1), 2582 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 2583 offsetof(struct __sk_buff, data_end)), 2584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2585 offsetof(struct __sk_buff, data)), 2586 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 2588 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 2589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 2590 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 2591 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 2592 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2593 offsetof(struct __sk_buff, data)), 2594 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 2596 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49), 2597 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49), 2598 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 2599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 2600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2601 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2602 offsetof(struct __sk_buff, data_end)), 2603 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 2604 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 2605 BPF_MOV64_IMM(BPF_REG_0, 0), 2606 BPF_EXIT_INSN(), 2607 }, 2608 .result = ACCEPT, 2609 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2610 }, 2611 { 2612 "direct packet access: test3", 2613 .insns = { 2614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2615 offsetof(struct __sk_buff, data)), 2616 BPF_MOV64_IMM(BPF_REG_0, 0), 2617 BPF_EXIT_INSN(), 2618 }, 2619 .errstr = "invalid bpf_context access off=76", 2620 .result = REJECT, 2621 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 2622 }, 2623 { 2624 "direct packet access: test4 (write)", 2625 .insns = { 2626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2627 offsetof(struct __sk_buff, data)), 2628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2629 offsetof(struct __sk_buff, data_end)), 2630 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2632 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2633 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2634 BPF_MOV64_IMM(BPF_REG_0, 0), 2635 BPF_EXIT_INSN(), 2636 }, 2637 .result = ACCEPT, 2638 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2639 }, 2640 { 2641 "direct packet access: test5 (pkt_end >= reg, good access)", 2642 .insns = { 2643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2644 offsetof(struct __sk_buff, data)), 2645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2646 offsetof(struct __sk_buff, data_end)), 2647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2649 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2650 BPF_MOV64_IMM(BPF_REG_0, 1), 2651 BPF_EXIT_INSN(), 2652 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2653 BPF_MOV64_IMM(BPF_REG_0, 0), 2654 BPF_EXIT_INSN(), 2655 }, 2656 .result = ACCEPT, 2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2658 }, 2659 { 2660 "direct packet access: test6 (pkt_end >= reg, bad access)", 2661 .insns = { 2662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2663 offsetof(struct __sk_buff, data)), 2664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2665 offsetof(struct __sk_buff, data_end)), 2666 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2668 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2670 BPF_MOV64_IMM(BPF_REG_0, 1), 2671 BPF_EXIT_INSN(), 2672 BPF_MOV64_IMM(BPF_REG_0, 0), 2673 BPF_EXIT_INSN(), 2674 }, 2675 .errstr = "invalid access to packet", 2676 .result = REJECT, 2677 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2678 }, 2679 { 2680 "direct packet access: test7 (pkt_end >= reg, both accesses)", 2681 .insns = { 2682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2683 offsetof(struct __sk_buff, data)), 2684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2685 offsetof(struct __sk_buff, data_end)), 2686 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2688 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2689 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2690 BPF_MOV64_IMM(BPF_REG_0, 1), 2691 BPF_EXIT_INSN(), 2692 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2693 BPF_MOV64_IMM(BPF_REG_0, 0), 2694 BPF_EXIT_INSN(), 2695 }, 2696 .errstr = "invalid access to packet", 2697 .result = REJECT, 2698 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2699 }, 2700 { 2701 "direct packet access: test8 (double test, variant 1)", 2702 .insns = { 2703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2704 offsetof(struct __sk_buff, data)), 2705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2706 offsetof(struct __sk_buff, data_end)), 2707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2709 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 2710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2711 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2712 BPF_MOV64_IMM(BPF_REG_0, 1), 2713 BPF_EXIT_INSN(), 2714 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2715 BPF_MOV64_IMM(BPF_REG_0, 0), 2716 BPF_EXIT_INSN(), 2717 }, 2718 .result = ACCEPT, 2719 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2720 }, 2721 { 2722 "direct packet access: test9 (double test, variant 2)", 2723 .insns = { 2724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2725 offsetof(struct __sk_buff, data)), 2726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2727 offsetof(struct __sk_buff, data_end)), 2728 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2730 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2731 BPF_MOV64_IMM(BPF_REG_0, 1), 2732 BPF_EXIT_INSN(), 2733 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2734 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2736 BPF_MOV64_IMM(BPF_REG_0, 0), 2737 BPF_EXIT_INSN(), 2738 }, 2739 .result = ACCEPT, 2740 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2741 }, 2742 { 2743 "direct packet access: test10 (write invalid)", 2744 .insns = { 2745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2746 offsetof(struct __sk_buff, data)), 2747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2748 offsetof(struct __sk_buff, data_end)), 2749 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2751 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 2752 BPF_MOV64_IMM(BPF_REG_0, 0), 2753 BPF_EXIT_INSN(), 2754 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2755 BPF_MOV64_IMM(BPF_REG_0, 0), 2756 BPF_EXIT_INSN(), 2757 }, 2758 .errstr = "invalid access to packet", 2759 .result = REJECT, 2760 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2761 }, 2762 { 2763 "direct packet access: test11 (shift, good access)", 2764 .insns = { 2765 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2766 offsetof(struct __sk_buff, data)), 2767 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2768 offsetof(struct __sk_buff, data_end)), 2769 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2771 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2772 BPF_MOV64_IMM(BPF_REG_3, 144), 2773 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2775 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 2776 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2777 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2778 BPF_MOV64_IMM(BPF_REG_0, 1), 2779 BPF_EXIT_INSN(), 2780 BPF_MOV64_IMM(BPF_REG_0, 0), 2781 BPF_EXIT_INSN(), 2782 }, 2783 .result = ACCEPT, 2784 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2785 }, 2786 { 2787 "direct packet access: test12 (and, good access)", 2788 .insns = { 2789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2790 offsetof(struct __sk_buff, data)), 2791 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2792 offsetof(struct __sk_buff, data_end)), 2793 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2795 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2796 BPF_MOV64_IMM(BPF_REG_3, 144), 2797 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2799 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2800 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2801 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2802 BPF_MOV64_IMM(BPF_REG_0, 1), 2803 BPF_EXIT_INSN(), 2804 BPF_MOV64_IMM(BPF_REG_0, 0), 2805 BPF_EXIT_INSN(), 2806 }, 2807 .result = ACCEPT, 2808 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2809 }, 2810 { 2811 "direct packet access: test13 (branches, good access)", 2812 .insns = { 2813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2814 offsetof(struct __sk_buff, data)), 2815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2816 offsetof(struct __sk_buff, data_end)), 2817 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2819 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2821 offsetof(struct __sk_buff, mark)), 2822 BPF_MOV64_IMM(BPF_REG_4, 1), 2823 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 2824 BPF_MOV64_IMM(BPF_REG_3, 14), 2825 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 2826 BPF_MOV64_IMM(BPF_REG_3, 24), 2827 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2829 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2830 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2831 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2832 BPF_MOV64_IMM(BPF_REG_0, 1), 2833 BPF_EXIT_INSN(), 2834 BPF_MOV64_IMM(BPF_REG_0, 0), 2835 BPF_EXIT_INSN(), 2836 }, 2837 .result = ACCEPT, 2838 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2839 }, 2840 { 2841 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 2842 .insns = { 2843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2844 offsetof(struct __sk_buff, data)), 2845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2846 offsetof(struct __sk_buff, data_end)), 2847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 2850 BPF_MOV64_IMM(BPF_REG_5, 12), 2851 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 2852 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2853 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2854 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 2855 BPF_MOV64_IMM(BPF_REG_0, 1), 2856 BPF_EXIT_INSN(), 2857 BPF_MOV64_IMM(BPF_REG_0, 0), 2858 BPF_EXIT_INSN(), 2859 }, 2860 .result = ACCEPT, 2861 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2862 }, 2863 { 2864 "direct packet access: test15 (spill with xadd)", 2865 .insns = { 2866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2867 offsetof(struct __sk_buff, data)), 2868 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2869 offsetof(struct __sk_buff, data_end)), 2870 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2872 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2873 BPF_MOV64_IMM(BPF_REG_5, 4096), 2874 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 2875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 2876 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 2877 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0), 2878 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 2879 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0), 2880 BPF_MOV64_IMM(BPF_REG_0, 0), 2881 BPF_EXIT_INSN(), 2882 }, 2883 .errstr = "R2 invalid mem access 'inv'", 2884 .result = REJECT, 2885 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2886 }, 2887 { 2888 "direct packet access: test16 (arith on data_end)", 2889 .insns = { 2890 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2891 offsetof(struct __sk_buff, data)), 2892 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2893 offsetof(struct __sk_buff, data_end)), 2894 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16), 2897 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2898 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2899 BPF_MOV64_IMM(BPF_REG_0, 0), 2900 BPF_EXIT_INSN(), 2901 }, 2902 .errstr = "invalid access to packet", 2903 .result = REJECT, 2904 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2905 }, 2906 { 2907 "direct packet access: test17 (pruning, alignment)", 2908 .insns = { 2909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2910 offsetof(struct __sk_buff, data)), 2911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2912 offsetof(struct __sk_buff, data_end)), 2913 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2914 offsetof(struct __sk_buff, mark)), 2915 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14), 2917 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4), 2918 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2919 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4), 2920 BPF_MOV64_IMM(BPF_REG_0, 0), 2921 BPF_EXIT_INSN(), 2922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1), 2923 BPF_JMP_A(-6), 2924 }, 2925 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4", 2926 .result = REJECT, 2927 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2928 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2929 }, 2930 { 2931 "direct packet access: test18 (imm += pkt_ptr, 1)", 2932 .insns = { 2933 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2934 offsetof(struct __sk_buff, data)), 2935 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2936 offsetof(struct __sk_buff, data_end)), 2937 BPF_MOV64_IMM(BPF_REG_0, 8), 2938 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2939 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2940 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2941 BPF_MOV64_IMM(BPF_REG_0, 0), 2942 BPF_EXIT_INSN(), 2943 }, 2944 .result = ACCEPT, 2945 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2946 }, 2947 { 2948 "direct packet access: test19 (imm += pkt_ptr, 2)", 2949 .insns = { 2950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2951 offsetof(struct __sk_buff, data)), 2952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2953 offsetof(struct __sk_buff, data_end)), 2954 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2956 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 2957 BPF_MOV64_IMM(BPF_REG_4, 4), 2958 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 2959 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0), 2960 BPF_MOV64_IMM(BPF_REG_0, 0), 2961 BPF_EXIT_INSN(), 2962 }, 2963 .result = ACCEPT, 2964 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2965 }, 2966 { 2967 "direct packet access: test20 (x += pkt_ptr, 1)", 2968 .insns = { 2969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2970 offsetof(struct __sk_buff, data)), 2971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2972 offsetof(struct __sk_buff, data_end)), 2973 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 2974 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 2975 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 2976 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff), 2977 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 2978 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 2979 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1), 2981 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 2982 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0), 2983 BPF_MOV64_IMM(BPF_REG_0, 0), 2984 BPF_EXIT_INSN(), 2985 }, 2986 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2987 .result = ACCEPT, 2988 }, 2989 { 2990 "direct packet access: test21 (x += pkt_ptr, 2)", 2991 .insns = { 2992 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2993 offsetof(struct __sk_buff, data)), 2994 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2995 offsetof(struct __sk_buff, data_end)), 2996 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2998 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9), 2999 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 3000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8), 3001 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 3002 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff), 3003 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3004 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1), 3006 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 3007 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0), 3008 BPF_MOV64_IMM(BPF_REG_0, 0), 3009 BPF_EXIT_INSN(), 3010 }, 3011 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3012 .result = ACCEPT, 3013 }, 3014 { 3015 "direct packet access: test22 (x += pkt_ptr, 3)", 3016 .insns = { 3017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3018 offsetof(struct __sk_buff, data)), 3019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3020 offsetof(struct __sk_buff, data_end)), 3021 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3023 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8), 3024 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16), 3025 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16), 3026 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11), 3027 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 3028 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 3029 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8), 3030 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 3031 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49), 3032 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 3034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 3035 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 3036 BPF_MOV64_IMM(BPF_REG_2, 1), 3037 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0), 3038 BPF_MOV64_IMM(BPF_REG_0, 0), 3039 BPF_EXIT_INSN(), 3040 }, 3041 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3042 .result = ACCEPT, 3043 }, 3044 { 3045 "direct packet access: test23 (x += pkt_ptr, 4)", 3046 .insns = { 3047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3048 offsetof(struct __sk_buff, data)), 3049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3050 offsetof(struct __sk_buff, data_end)), 3051 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3052 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3053 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3054 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff), 3055 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3056 BPF_MOV64_IMM(BPF_REG_0, 31), 3057 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), 3058 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3059 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1), 3061 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3062 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0), 3063 BPF_MOV64_IMM(BPF_REG_0, 0), 3064 BPF_EXIT_INSN(), 3065 }, 3066 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3067 .result = REJECT, 3068 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)", 3069 }, 3070 { 3071 "direct packet access: test24 (x += pkt_ptr, 5)", 3072 .insns = { 3073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3074 offsetof(struct __sk_buff, data)), 3075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3076 offsetof(struct __sk_buff, data_end)), 3077 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3078 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3079 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3080 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff), 3081 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3082 BPF_MOV64_IMM(BPF_REG_0, 64), 3083 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), 3084 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3085 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1), 3087 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3088 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0), 3089 BPF_MOV64_IMM(BPF_REG_0, 0), 3090 BPF_EXIT_INSN(), 3091 }, 3092 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3093 .result = ACCEPT, 3094 }, 3095 { 3096 "direct packet access: test25 (marking on <, good access)", 3097 .insns = { 3098 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3099 offsetof(struct __sk_buff, data)), 3100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3101 offsetof(struct __sk_buff, data_end)), 3102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3104 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2), 3105 BPF_MOV64_IMM(BPF_REG_0, 0), 3106 BPF_EXIT_INSN(), 3107 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3108 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 3109 }, 3110 .result = ACCEPT, 3111 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3112 }, 3113 { 3114 "direct packet access: test26 (marking on <, bad access)", 3115 .insns = { 3116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3117 offsetof(struct __sk_buff, data)), 3118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3119 offsetof(struct __sk_buff, data_end)), 3120 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3122 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3), 3123 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3124 BPF_MOV64_IMM(BPF_REG_0, 0), 3125 BPF_EXIT_INSN(), 3126 BPF_JMP_IMM(BPF_JA, 0, 0, -3), 3127 }, 3128 .result = REJECT, 3129 .errstr = "invalid access to packet", 3130 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3131 }, 3132 { 3133 "direct packet access: test27 (marking on <=, good access)", 3134 .insns = { 3135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3136 offsetof(struct __sk_buff, data)), 3137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3138 offsetof(struct __sk_buff, data_end)), 3139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3141 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1), 3142 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3143 BPF_MOV64_IMM(BPF_REG_0, 1), 3144 BPF_EXIT_INSN(), 3145 }, 3146 .result = ACCEPT, 3147 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3148 }, 3149 { 3150 "direct packet access: test28 (marking on <=, bad access)", 3151 .insns = { 3152 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3153 offsetof(struct __sk_buff, data)), 3154 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3155 offsetof(struct __sk_buff, data_end)), 3156 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3158 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2), 3159 BPF_MOV64_IMM(BPF_REG_0, 1), 3160 BPF_EXIT_INSN(), 3161 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3162 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 3163 }, 3164 .result = REJECT, 3165 .errstr = "invalid access to packet", 3166 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3167 }, 3168 { 3169 "helper access to packet: test1, valid packet_ptr range", 3170 .insns = { 3171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3172 offsetof(struct xdp_md, data)), 3173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3174 offsetof(struct xdp_md, data_end)), 3175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 3177 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 3178 BPF_LD_MAP_FD(BPF_REG_1, 0), 3179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 3180 BPF_MOV64_IMM(BPF_REG_4, 0), 3181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3182 BPF_FUNC_map_update_elem), 3183 BPF_MOV64_IMM(BPF_REG_0, 0), 3184 BPF_EXIT_INSN(), 3185 }, 3186 .fixup_map1 = { 5 }, 3187 .result_unpriv = ACCEPT, 3188 .result = ACCEPT, 3189 .prog_type = BPF_PROG_TYPE_XDP, 3190 }, 3191 { 3192 "helper access to packet: test2, unchecked packet_ptr", 3193 .insns = { 3194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3195 offsetof(struct xdp_md, data)), 3196 BPF_LD_MAP_FD(BPF_REG_1, 0), 3197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3198 BPF_FUNC_map_lookup_elem), 3199 BPF_MOV64_IMM(BPF_REG_0, 0), 3200 BPF_EXIT_INSN(), 3201 }, 3202 .fixup_map1 = { 1 }, 3203 .result = REJECT, 3204 .errstr = "invalid access to packet", 3205 .prog_type = BPF_PROG_TYPE_XDP, 3206 }, 3207 { 3208 "helper access to packet: test3, variable add", 3209 .insns = { 3210 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3211 offsetof(struct xdp_md, data)), 3212 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3213 offsetof(struct xdp_md, data_end)), 3214 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 3216 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 3217 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 3218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3219 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 3220 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 3222 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 3223 BPF_LD_MAP_FD(BPF_REG_1, 0), 3224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 3225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3226 BPF_FUNC_map_lookup_elem), 3227 BPF_MOV64_IMM(BPF_REG_0, 0), 3228 BPF_EXIT_INSN(), 3229 }, 3230 .fixup_map1 = { 11 }, 3231 .result = ACCEPT, 3232 .prog_type = BPF_PROG_TYPE_XDP, 3233 }, 3234 { 3235 "helper access to packet: test4, packet_ptr with bad range", 3236 .insns = { 3237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3238 offsetof(struct xdp_md, data)), 3239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3240 offsetof(struct xdp_md, data_end)), 3241 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 3243 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 3244 BPF_MOV64_IMM(BPF_REG_0, 0), 3245 BPF_EXIT_INSN(), 3246 BPF_LD_MAP_FD(BPF_REG_1, 0), 3247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3248 BPF_FUNC_map_lookup_elem), 3249 BPF_MOV64_IMM(BPF_REG_0, 0), 3250 BPF_EXIT_INSN(), 3251 }, 3252 .fixup_map1 = { 7 }, 3253 .result = REJECT, 3254 .errstr = "invalid access to packet", 3255 .prog_type = BPF_PROG_TYPE_XDP, 3256 }, 3257 { 3258 "helper access to packet: test5, packet_ptr with too short range", 3259 .insns = { 3260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3261 offsetof(struct xdp_md, data)), 3262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3263 offsetof(struct xdp_md, data_end)), 3264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 3265 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 3267 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 3268 BPF_LD_MAP_FD(BPF_REG_1, 0), 3269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3270 BPF_FUNC_map_lookup_elem), 3271 BPF_MOV64_IMM(BPF_REG_0, 0), 3272 BPF_EXIT_INSN(), 3273 }, 3274 .fixup_map1 = { 6 }, 3275 .result = REJECT, 3276 .errstr = "invalid access to packet", 3277 .prog_type = BPF_PROG_TYPE_XDP, 3278 }, 3279 { 3280 "helper access to packet: test6, cls valid packet_ptr range", 3281 .insns = { 3282 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3283 offsetof(struct __sk_buff, data)), 3284 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3285 offsetof(struct __sk_buff, data_end)), 3286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 3288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 3289 BPF_LD_MAP_FD(BPF_REG_1, 0), 3290 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 3291 BPF_MOV64_IMM(BPF_REG_4, 0), 3292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3293 BPF_FUNC_map_update_elem), 3294 BPF_MOV64_IMM(BPF_REG_0, 0), 3295 BPF_EXIT_INSN(), 3296 }, 3297 .fixup_map1 = { 5 }, 3298 .result = ACCEPT, 3299 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3300 }, 3301 { 3302 "helper access to packet: test7, cls unchecked packet_ptr", 3303 .insns = { 3304 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3305 offsetof(struct __sk_buff, data)), 3306 BPF_LD_MAP_FD(BPF_REG_1, 0), 3307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3308 BPF_FUNC_map_lookup_elem), 3309 BPF_MOV64_IMM(BPF_REG_0, 0), 3310 BPF_EXIT_INSN(), 3311 }, 3312 .fixup_map1 = { 1 }, 3313 .result = REJECT, 3314 .errstr = "invalid access to packet", 3315 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3316 }, 3317 { 3318 "helper access to packet: test8, cls variable add", 3319 .insns = { 3320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3321 offsetof(struct __sk_buff, data)), 3322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3323 offsetof(struct __sk_buff, data_end)), 3324 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 3326 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 3327 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 3328 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3329 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 3330 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 3332 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 3333 BPF_LD_MAP_FD(BPF_REG_1, 0), 3334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 3335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3336 BPF_FUNC_map_lookup_elem), 3337 BPF_MOV64_IMM(BPF_REG_0, 0), 3338 BPF_EXIT_INSN(), 3339 }, 3340 .fixup_map1 = { 11 }, 3341 .result = ACCEPT, 3342 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3343 }, 3344 { 3345 "helper access to packet: test9, cls packet_ptr with bad range", 3346 .insns = { 3347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3348 offsetof(struct __sk_buff, data)), 3349 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3350 offsetof(struct __sk_buff, data_end)), 3351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 3353 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 3354 BPF_MOV64_IMM(BPF_REG_0, 0), 3355 BPF_EXIT_INSN(), 3356 BPF_LD_MAP_FD(BPF_REG_1, 0), 3357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3358 BPF_FUNC_map_lookup_elem), 3359 BPF_MOV64_IMM(BPF_REG_0, 0), 3360 BPF_EXIT_INSN(), 3361 }, 3362 .fixup_map1 = { 7 }, 3363 .result = REJECT, 3364 .errstr = "invalid access to packet", 3365 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3366 }, 3367 { 3368 "helper access to packet: test10, cls packet_ptr with too short range", 3369 .insns = { 3370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3371 offsetof(struct __sk_buff, data)), 3372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3373 offsetof(struct __sk_buff, data_end)), 3374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 3375 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 3377 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 3378 BPF_LD_MAP_FD(BPF_REG_1, 0), 3379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3380 BPF_FUNC_map_lookup_elem), 3381 BPF_MOV64_IMM(BPF_REG_0, 0), 3382 BPF_EXIT_INSN(), 3383 }, 3384 .fixup_map1 = { 6 }, 3385 .result = REJECT, 3386 .errstr = "invalid access to packet", 3387 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3388 }, 3389 { 3390 "helper access to packet: test11, cls unsuitable helper 1", 3391 .insns = { 3392 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3393 offsetof(struct __sk_buff, data)), 3394 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3395 offsetof(struct __sk_buff, data_end)), 3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3397 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 3399 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 3400 BPF_MOV64_IMM(BPF_REG_2, 0), 3401 BPF_MOV64_IMM(BPF_REG_4, 42), 3402 BPF_MOV64_IMM(BPF_REG_5, 0), 3403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3404 BPF_FUNC_skb_store_bytes), 3405 BPF_MOV64_IMM(BPF_REG_0, 0), 3406 BPF_EXIT_INSN(), 3407 }, 3408 .result = REJECT, 3409 .errstr = "helper access to the packet", 3410 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3411 }, 3412 { 3413 "helper access to packet: test12, cls unsuitable helper 2", 3414 .insns = { 3415 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3416 offsetof(struct __sk_buff, data)), 3417 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3418 offsetof(struct __sk_buff, data_end)), 3419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 3421 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 3422 BPF_MOV64_IMM(BPF_REG_2, 0), 3423 BPF_MOV64_IMM(BPF_REG_4, 4), 3424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3425 BPF_FUNC_skb_load_bytes), 3426 BPF_MOV64_IMM(BPF_REG_0, 0), 3427 BPF_EXIT_INSN(), 3428 }, 3429 .result = REJECT, 3430 .errstr = "helper access to the packet", 3431 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3432 }, 3433 { 3434 "helper access to packet: test13, cls helper ok", 3435 .insns = { 3436 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3437 offsetof(struct __sk_buff, data)), 3438 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3439 offsetof(struct __sk_buff, data_end)), 3440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3443 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3445 BPF_MOV64_IMM(BPF_REG_2, 4), 3446 BPF_MOV64_IMM(BPF_REG_3, 0), 3447 BPF_MOV64_IMM(BPF_REG_4, 0), 3448 BPF_MOV64_IMM(BPF_REG_5, 0), 3449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3450 BPF_FUNC_csum_diff), 3451 BPF_MOV64_IMM(BPF_REG_0, 0), 3452 BPF_EXIT_INSN(), 3453 }, 3454 .result = ACCEPT, 3455 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3456 }, 3457 { 3458 "helper access to packet: test14, cls helper ok sub", 3459 .insns = { 3460 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3461 offsetof(struct __sk_buff, data)), 3462 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3463 offsetof(struct __sk_buff, data_end)), 3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3467 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3468 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 3469 BPF_MOV64_IMM(BPF_REG_2, 4), 3470 BPF_MOV64_IMM(BPF_REG_3, 0), 3471 BPF_MOV64_IMM(BPF_REG_4, 0), 3472 BPF_MOV64_IMM(BPF_REG_5, 0), 3473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3474 BPF_FUNC_csum_diff), 3475 BPF_MOV64_IMM(BPF_REG_0, 0), 3476 BPF_EXIT_INSN(), 3477 }, 3478 .result = ACCEPT, 3479 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3480 }, 3481 { 3482 "helper access to packet: test15, cls helper fail sub", 3483 .insns = { 3484 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3485 offsetof(struct __sk_buff, data)), 3486 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3487 offsetof(struct __sk_buff, data_end)), 3488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3489 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3491 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3492 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12), 3493 BPF_MOV64_IMM(BPF_REG_2, 4), 3494 BPF_MOV64_IMM(BPF_REG_3, 0), 3495 BPF_MOV64_IMM(BPF_REG_4, 0), 3496 BPF_MOV64_IMM(BPF_REG_5, 0), 3497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3498 BPF_FUNC_csum_diff), 3499 BPF_MOV64_IMM(BPF_REG_0, 0), 3500 BPF_EXIT_INSN(), 3501 }, 3502 .result = REJECT, 3503 .errstr = "invalid access to packet", 3504 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3505 }, 3506 { 3507 "helper access to packet: test16, cls helper fail range 1", 3508 .insns = { 3509 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3510 offsetof(struct __sk_buff, data)), 3511 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3512 offsetof(struct __sk_buff, data_end)), 3513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3514 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3516 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3518 BPF_MOV64_IMM(BPF_REG_2, 8), 3519 BPF_MOV64_IMM(BPF_REG_3, 0), 3520 BPF_MOV64_IMM(BPF_REG_4, 0), 3521 BPF_MOV64_IMM(BPF_REG_5, 0), 3522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3523 BPF_FUNC_csum_diff), 3524 BPF_MOV64_IMM(BPF_REG_0, 0), 3525 BPF_EXIT_INSN(), 3526 }, 3527 .result = REJECT, 3528 .errstr = "invalid access to packet", 3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3530 }, 3531 { 3532 "helper access to packet: test17, cls helper fail range 2", 3533 .insns = { 3534 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3535 offsetof(struct __sk_buff, data)), 3536 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3537 offsetof(struct __sk_buff, data_end)), 3538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3541 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3543 BPF_MOV64_IMM(BPF_REG_2, -9), 3544 BPF_MOV64_IMM(BPF_REG_3, 0), 3545 BPF_MOV64_IMM(BPF_REG_4, 0), 3546 BPF_MOV64_IMM(BPF_REG_5, 0), 3547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3548 BPF_FUNC_csum_diff), 3549 BPF_MOV64_IMM(BPF_REG_0, 0), 3550 BPF_EXIT_INSN(), 3551 }, 3552 .result = REJECT, 3553 .errstr = "R2 min value is negative", 3554 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3555 }, 3556 { 3557 "helper access to packet: test18, cls helper fail range 3", 3558 .insns = { 3559 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3560 offsetof(struct __sk_buff, data)), 3561 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3562 offsetof(struct __sk_buff, data_end)), 3563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3566 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3567 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3568 BPF_MOV64_IMM(BPF_REG_2, ~0), 3569 BPF_MOV64_IMM(BPF_REG_3, 0), 3570 BPF_MOV64_IMM(BPF_REG_4, 0), 3571 BPF_MOV64_IMM(BPF_REG_5, 0), 3572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3573 BPF_FUNC_csum_diff), 3574 BPF_MOV64_IMM(BPF_REG_0, 0), 3575 BPF_EXIT_INSN(), 3576 }, 3577 .result = REJECT, 3578 .errstr = "R2 min value is negative", 3579 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3580 }, 3581 { 3582 "helper access to packet: test19, cls helper range zero", 3583 .insns = { 3584 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3585 offsetof(struct __sk_buff, data)), 3586 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3587 offsetof(struct __sk_buff, data_end)), 3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3593 BPF_MOV64_IMM(BPF_REG_2, 0), 3594 BPF_MOV64_IMM(BPF_REG_3, 0), 3595 BPF_MOV64_IMM(BPF_REG_4, 0), 3596 BPF_MOV64_IMM(BPF_REG_5, 0), 3597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3598 BPF_FUNC_csum_diff), 3599 BPF_MOV64_IMM(BPF_REG_0, 0), 3600 BPF_EXIT_INSN(), 3601 }, 3602 .result = ACCEPT, 3603 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3604 }, 3605 { 3606 "helper access to packet: test20, pkt end as input", 3607 .insns = { 3608 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3609 offsetof(struct __sk_buff, data)), 3610 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3611 offsetof(struct __sk_buff, data_end)), 3612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3613 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3615 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3616 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 3617 BPF_MOV64_IMM(BPF_REG_2, 4), 3618 BPF_MOV64_IMM(BPF_REG_3, 0), 3619 BPF_MOV64_IMM(BPF_REG_4, 0), 3620 BPF_MOV64_IMM(BPF_REG_5, 0), 3621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3622 BPF_FUNC_csum_diff), 3623 BPF_MOV64_IMM(BPF_REG_0, 0), 3624 BPF_EXIT_INSN(), 3625 }, 3626 .result = REJECT, 3627 .errstr = "R1 type=pkt_end expected=fp", 3628 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3629 }, 3630 { 3631 "helper access to packet: test21, wrong reg", 3632 .insns = { 3633 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3634 offsetof(struct __sk_buff, data)), 3635 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3636 offsetof(struct __sk_buff, data_end)), 3637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3638 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3640 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3641 BPF_MOV64_IMM(BPF_REG_2, 4), 3642 BPF_MOV64_IMM(BPF_REG_3, 0), 3643 BPF_MOV64_IMM(BPF_REG_4, 0), 3644 BPF_MOV64_IMM(BPF_REG_5, 0), 3645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3646 BPF_FUNC_csum_diff), 3647 BPF_MOV64_IMM(BPF_REG_0, 0), 3648 BPF_EXIT_INSN(), 3649 }, 3650 .result = REJECT, 3651 .errstr = "invalid access to packet", 3652 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3653 }, 3654 { 3655 "valid map access into an array with a constant", 3656 .insns = { 3657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3658 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3660 BPF_LD_MAP_FD(BPF_REG_1, 0), 3661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3662 BPF_FUNC_map_lookup_elem), 3663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3664 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3665 offsetof(struct test_val, foo)), 3666 BPF_EXIT_INSN(), 3667 }, 3668 .fixup_map2 = { 3 }, 3669 .errstr_unpriv = "R0 leaks addr", 3670 .result_unpriv = REJECT, 3671 .result = ACCEPT, 3672 }, 3673 { 3674 "valid map access into an array with a register", 3675 .insns = { 3676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3679 BPF_LD_MAP_FD(BPF_REG_1, 0), 3680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3681 BPF_FUNC_map_lookup_elem), 3682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3683 BPF_MOV64_IMM(BPF_REG_1, 4), 3684 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3685 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3686 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3687 offsetof(struct test_val, foo)), 3688 BPF_EXIT_INSN(), 3689 }, 3690 .fixup_map2 = { 3 }, 3691 .errstr_unpriv = "R0 leaks addr", 3692 .result_unpriv = REJECT, 3693 .result = ACCEPT, 3694 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3695 }, 3696 { 3697 "valid map access into an array with a variable", 3698 .insns = { 3699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3702 BPF_LD_MAP_FD(BPF_REG_1, 0), 3703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3704 BPF_FUNC_map_lookup_elem), 3705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3706 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3707 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 3708 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3710 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3711 offsetof(struct test_val, foo)), 3712 BPF_EXIT_INSN(), 3713 }, 3714 .fixup_map2 = { 3 }, 3715 .errstr_unpriv = "R0 leaks addr", 3716 .result_unpriv = REJECT, 3717 .result = ACCEPT, 3718 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3719 }, 3720 { 3721 "valid map access into an array with a signed variable", 3722 .insns = { 3723 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3724 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3726 BPF_LD_MAP_FD(BPF_REG_1, 0), 3727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3728 BPF_FUNC_map_lookup_elem), 3729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 3730 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3731 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 3732 BPF_MOV32_IMM(BPF_REG_1, 0), 3733 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3734 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3735 BPF_MOV32_IMM(BPF_REG_1, 0), 3736 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3737 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3738 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3739 offsetof(struct test_val, foo)), 3740 BPF_EXIT_INSN(), 3741 }, 3742 .fixup_map2 = { 3 }, 3743 .errstr_unpriv = "R0 leaks addr", 3744 .result_unpriv = REJECT, 3745 .result = ACCEPT, 3746 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3747 }, 3748 { 3749 "invalid map access into an array with a constant", 3750 .insns = { 3751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3754 BPF_LD_MAP_FD(BPF_REG_1, 0), 3755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3756 BPF_FUNC_map_lookup_elem), 3757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3758 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 3759 offsetof(struct test_val, foo)), 3760 BPF_EXIT_INSN(), 3761 }, 3762 .fixup_map2 = { 3 }, 3763 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 3764 .result = REJECT, 3765 }, 3766 { 3767 "invalid map access into an array with a register", 3768 .insns = { 3769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3772 BPF_LD_MAP_FD(BPF_REG_1, 0), 3773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3774 BPF_FUNC_map_lookup_elem), 3775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3776 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 3777 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3778 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3779 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3780 offsetof(struct test_val, foo)), 3781 BPF_EXIT_INSN(), 3782 }, 3783 .fixup_map2 = { 3 }, 3784 .errstr = "R0 min value is outside of the array range", 3785 .result = REJECT, 3786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3787 }, 3788 { 3789 "invalid map access into an array with a variable", 3790 .insns = { 3791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3794 BPF_LD_MAP_FD(BPF_REG_1, 0), 3795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3796 BPF_FUNC_map_lookup_elem), 3797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3798 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3799 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3800 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3802 offsetof(struct test_val, foo)), 3803 BPF_EXIT_INSN(), 3804 }, 3805 .fixup_map2 = { 3 }, 3806 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 3807 .result = REJECT, 3808 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3809 }, 3810 { 3811 "invalid map access into an array with no floor check", 3812 .insns = { 3813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3816 BPF_LD_MAP_FD(BPF_REG_1, 0), 3817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3818 BPF_FUNC_map_lookup_elem), 3819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3820 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 3821 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3822 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3823 BPF_MOV32_IMM(BPF_REG_1, 0), 3824 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3826 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3827 offsetof(struct test_val, foo)), 3828 BPF_EXIT_INSN(), 3829 }, 3830 .fixup_map2 = { 3 }, 3831 .errstr_unpriv = "R0 leaks addr", 3832 .errstr = "R0 unbounded memory access", 3833 .result_unpriv = REJECT, 3834 .result = REJECT, 3835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3836 }, 3837 { 3838 "invalid map access into an array with a invalid max check", 3839 .insns = { 3840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3843 BPF_LD_MAP_FD(BPF_REG_1, 0), 3844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3845 BPF_FUNC_map_lookup_elem), 3846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3847 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3848 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 3849 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3850 BPF_MOV32_IMM(BPF_REG_1, 0), 3851 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3853 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3854 offsetof(struct test_val, foo)), 3855 BPF_EXIT_INSN(), 3856 }, 3857 .fixup_map2 = { 3 }, 3858 .errstr_unpriv = "R0 leaks addr", 3859 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 3860 .result_unpriv = REJECT, 3861 .result = REJECT, 3862 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3863 }, 3864 { 3865 "invalid map access into an array with a invalid max check", 3866 .insns = { 3867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3870 BPF_LD_MAP_FD(BPF_REG_1, 0), 3871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3872 BPF_FUNC_map_lookup_elem), 3873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 3874 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 3875 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3878 BPF_LD_MAP_FD(BPF_REG_1, 0), 3879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3880 BPF_FUNC_map_lookup_elem), 3881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 3882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 3883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3884 offsetof(struct test_val, foo)), 3885 BPF_EXIT_INSN(), 3886 }, 3887 .fixup_map2 = { 3, 11 }, 3888 .errstr_unpriv = "R0 pointer += pointer", 3889 .errstr = "R0 invalid mem access 'inv'", 3890 .result_unpriv = REJECT, 3891 .result = REJECT, 3892 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3893 }, 3894 { 3895 "multiple registers share map_lookup_elem result", 3896 .insns = { 3897 BPF_MOV64_IMM(BPF_REG_1, 10), 3898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3901 BPF_LD_MAP_FD(BPF_REG_1, 0), 3902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3903 BPF_FUNC_map_lookup_elem), 3904 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3906 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3907 BPF_EXIT_INSN(), 3908 }, 3909 .fixup_map1 = { 4 }, 3910 .result = ACCEPT, 3911 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3912 }, 3913 { 3914 "alu ops on ptr_to_map_value_or_null, 1", 3915 .insns = { 3916 BPF_MOV64_IMM(BPF_REG_1, 10), 3917 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3920 BPF_LD_MAP_FD(BPF_REG_1, 0), 3921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3922 BPF_FUNC_map_lookup_elem), 3923 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2), 3925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2), 3926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3927 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3928 BPF_EXIT_INSN(), 3929 }, 3930 .fixup_map1 = { 4 }, 3931 .errstr = "R4 invalid mem access", 3932 .result = REJECT, 3933 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3934 }, 3935 { 3936 "alu ops on ptr_to_map_value_or_null, 2", 3937 .insns = { 3938 BPF_MOV64_IMM(BPF_REG_1, 10), 3939 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3942 BPF_LD_MAP_FD(BPF_REG_1, 0), 3943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3944 BPF_FUNC_map_lookup_elem), 3945 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3946 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1), 3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3948 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3949 BPF_EXIT_INSN(), 3950 }, 3951 .fixup_map1 = { 4 }, 3952 .errstr = "R4 invalid mem access", 3953 .result = REJECT, 3954 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3955 }, 3956 { 3957 "alu ops on ptr_to_map_value_or_null, 3", 3958 .insns = { 3959 BPF_MOV64_IMM(BPF_REG_1, 10), 3960 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3963 BPF_LD_MAP_FD(BPF_REG_1, 0), 3964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3965 BPF_FUNC_map_lookup_elem), 3966 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3967 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1), 3968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3969 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3970 BPF_EXIT_INSN(), 3971 }, 3972 .fixup_map1 = { 4 }, 3973 .errstr = "R4 invalid mem access", 3974 .result = REJECT, 3975 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3976 }, 3977 { 3978 "invalid memory access with multiple map_lookup_elem calls", 3979 .insns = { 3980 BPF_MOV64_IMM(BPF_REG_1, 10), 3981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3984 BPF_LD_MAP_FD(BPF_REG_1, 0), 3985 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3986 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3988 BPF_FUNC_map_lookup_elem), 3989 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3993 BPF_FUNC_map_lookup_elem), 3994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3995 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3996 BPF_EXIT_INSN(), 3997 }, 3998 .fixup_map1 = { 4 }, 3999 .result = REJECT, 4000 .errstr = "R4 !read_ok", 4001 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4002 }, 4003 { 4004 "valid indirect map_lookup_elem access with 2nd lookup in branch", 4005 .insns = { 4006 BPF_MOV64_IMM(BPF_REG_1, 10), 4007 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4010 BPF_LD_MAP_FD(BPF_REG_1, 0), 4011 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 4012 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 4013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4014 BPF_FUNC_map_lookup_elem), 4015 BPF_MOV64_IMM(BPF_REG_2, 10), 4016 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 4017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 4018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 4019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4020 BPF_FUNC_map_lookup_elem), 4021 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4022 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4023 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4024 BPF_EXIT_INSN(), 4025 }, 4026 .fixup_map1 = { 4 }, 4027 .result = ACCEPT, 4028 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4029 }, 4030 { 4031 "invalid map access from else condition", 4032 .insns = { 4033 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4036 BPF_LD_MAP_FD(BPF_REG_1, 0), 4037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4039 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4040 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 4041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 4042 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4043 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4044 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 4045 BPF_EXIT_INSN(), 4046 }, 4047 .fixup_map2 = { 3 }, 4048 .errstr = "R0 unbounded memory access", 4049 .result = REJECT, 4050 .errstr_unpriv = "R0 leaks addr", 4051 .result_unpriv = REJECT, 4052 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4053 }, 4054 { 4055 "constant register |= constant should keep constant type", 4056 .insns = { 4057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4059 BPF_MOV64_IMM(BPF_REG_2, 34), 4060 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 4061 BPF_MOV64_IMM(BPF_REG_3, 0), 4062 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4063 BPF_EXIT_INSN(), 4064 }, 4065 .result = ACCEPT, 4066 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4067 }, 4068 { 4069 "constant register |= constant should not bypass stack boundary checks", 4070 .insns = { 4071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4073 BPF_MOV64_IMM(BPF_REG_2, 34), 4074 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 4075 BPF_MOV64_IMM(BPF_REG_3, 0), 4076 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4077 BPF_EXIT_INSN(), 4078 }, 4079 .errstr = "invalid stack type R1 off=-48 access_size=58", 4080 .result = REJECT, 4081 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4082 }, 4083 { 4084 "constant register |= constant register should keep constant type", 4085 .insns = { 4086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4088 BPF_MOV64_IMM(BPF_REG_2, 34), 4089 BPF_MOV64_IMM(BPF_REG_4, 13), 4090 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 4091 BPF_MOV64_IMM(BPF_REG_3, 0), 4092 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4093 BPF_EXIT_INSN(), 4094 }, 4095 .result = ACCEPT, 4096 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4097 }, 4098 { 4099 "constant register |= constant register should not bypass stack boundary checks", 4100 .insns = { 4101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4103 BPF_MOV64_IMM(BPF_REG_2, 34), 4104 BPF_MOV64_IMM(BPF_REG_4, 24), 4105 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 4106 BPF_MOV64_IMM(BPF_REG_3, 0), 4107 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4108 BPF_EXIT_INSN(), 4109 }, 4110 .errstr = "invalid stack type R1 off=-48 access_size=58", 4111 .result = REJECT, 4112 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4113 }, 4114 { 4115 "invalid direct packet write for LWT_IN", 4116 .insns = { 4117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4118 offsetof(struct __sk_buff, data)), 4119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4120 offsetof(struct __sk_buff, data_end)), 4121 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4123 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4124 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4125 BPF_MOV64_IMM(BPF_REG_0, 0), 4126 BPF_EXIT_INSN(), 4127 }, 4128 .errstr = "cannot write into packet", 4129 .result = REJECT, 4130 .prog_type = BPF_PROG_TYPE_LWT_IN, 4131 }, 4132 { 4133 "invalid direct packet write for LWT_OUT", 4134 .insns = { 4135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4136 offsetof(struct __sk_buff, data)), 4137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4138 offsetof(struct __sk_buff, data_end)), 4139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4141 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4142 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4143 BPF_MOV64_IMM(BPF_REG_0, 0), 4144 BPF_EXIT_INSN(), 4145 }, 4146 .errstr = "cannot write into packet", 4147 .result = REJECT, 4148 .prog_type = BPF_PROG_TYPE_LWT_OUT, 4149 }, 4150 { 4151 "direct packet write for LWT_XMIT", 4152 .insns = { 4153 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4154 offsetof(struct __sk_buff, data)), 4155 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4156 offsetof(struct __sk_buff, data_end)), 4157 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4159 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4160 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4161 BPF_MOV64_IMM(BPF_REG_0, 0), 4162 BPF_EXIT_INSN(), 4163 }, 4164 .result = ACCEPT, 4165 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4166 }, 4167 { 4168 "direct packet read for LWT_IN", 4169 .insns = { 4170 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4171 offsetof(struct __sk_buff, data)), 4172 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4173 offsetof(struct __sk_buff, data_end)), 4174 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4176 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4177 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4178 BPF_MOV64_IMM(BPF_REG_0, 0), 4179 BPF_EXIT_INSN(), 4180 }, 4181 .result = ACCEPT, 4182 .prog_type = BPF_PROG_TYPE_LWT_IN, 4183 }, 4184 { 4185 "direct packet read for LWT_OUT", 4186 .insns = { 4187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4188 offsetof(struct __sk_buff, data)), 4189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4190 offsetof(struct __sk_buff, data_end)), 4191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4193 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4194 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4195 BPF_MOV64_IMM(BPF_REG_0, 0), 4196 BPF_EXIT_INSN(), 4197 }, 4198 .result = ACCEPT, 4199 .prog_type = BPF_PROG_TYPE_LWT_OUT, 4200 }, 4201 { 4202 "direct packet read for LWT_XMIT", 4203 .insns = { 4204 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4205 offsetof(struct __sk_buff, data)), 4206 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4207 offsetof(struct __sk_buff, data_end)), 4208 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4210 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4211 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4212 BPF_MOV64_IMM(BPF_REG_0, 0), 4213 BPF_EXIT_INSN(), 4214 }, 4215 .result = ACCEPT, 4216 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4217 }, 4218 { 4219 "overlapping checks for direct packet access", 4220 .insns = { 4221 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4222 offsetof(struct __sk_buff, data)), 4223 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4224 offsetof(struct __sk_buff, data_end)), 4225 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4227 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 4228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 4230 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 4231 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 4232 BPF_MOV64_IMM(BPF_REG_0, 0), 4233 BPF_EXIT_INSN(), 4234 }, 4235 .result = ACCEPT, 4236 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4237 }, 4238 { 4239 "invalid access of tc_classid for LWT_IN", 4240 .insns = { 4241 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4242 offsetof(struct __sk_buff, tc_classid)), 4243 BPF_EXIT_INSN(), 4244 }, 4245 .result = REJECT, 4246 .errstr = "invalid bpf_context access", 4247 }, 4248 { 4249 "invalid access of tc_classid for LWT_OUT", 4250 .insns = { 4251 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4252 offsetof(struct __sk_buff, tc_classid)), 4253 BPF_EXIT_INSN(), 4254 }, 4255 .result = REJECT, 4256 .errstr = "invalid bpf_context access", 4257 }, 4258 { 4259 "invalid access of tc_classid for LWT_XMIT", 4260 .insns = { 4261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4262 offsetof(struct __sk_buff, tc_classid)), 4263 BPF_EXIT_INSN(), 4264 }, 4265 .result = REJECT, 4266 .errstr = "invalid bpf_context access", 4267 }, 4268 { 4269 "leak pointer into ctx 1", 4270 .insns = { 4271 BPF_MOV64_IMM(BPF_REG_0, 0), 4272 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 4273 offsetof(struct __sk_buff, cb[0])), 4274 BPF_LD_MAP_FD(BPF_REG_2, 0), 4275 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2, 4276 offsetof(struct __sk_buff, cb[0])), 4277 BPF_EXIT_INSN(), 4278 }, 4279 .fixup_map1 = { 2 }, 4280 .errstr_unpriv = "R2 leaks addr into mem", 4281 .result_unpriv = REJECT, 4282 .result = ACCEPT, 4283 }, 4284 { 4285 "leak pointer into ctx 2", 4286 .insns = { 4287 BPF_MOV64_IMM(BPF_REG_0, 0), 4288 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 4289 offsetof(struct __sk_buff, cb[0])), 4290 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10, 4291 offsetof(struct __sk_buff, cb[0])), 4292 BPF_EXIT_INSN(), 4293 }, 4294 .errstr_unpriv = "R10 leaks addr into mem", 4295 .result_unpriv = REJECT, 4296 .result = ACCEPT, 4297 }, 4298 { 4299 "leak pointer into ctx 3", 4300 .insns = { 4301 BPF_MOV64_IMM(BPF_REG_0, 0), 4302 BPF_LD_MAP_FD(BPF_REG_2, 0), 4303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 4304 offsetof(struct __sk_buff, cb[0])), 4305 BPF_EXIT_INSN(), 4306 }, 4307 .fixup_map1 = { 1 }, 4308 .errstr_unpriv = "R2 leaks addr into ctx", 4309 .result_unpriv = REJECT, 4310 .result = ACCEPT, 4311 }, 4312 { 4313 "leak pointer into map val", 4314 .insns = { 4315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 4316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4319 BPF_LD_MAP_FD(BPF_REG_1, 0), 4320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4321 BPF_FUNC_map_lookup_elem), 4322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 4323 BPF_MOV64_IMM(BPF_REG_3, 0), 4324 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 4325 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 4326 BPF_MOV64_IMM(BPF_REG_0, 0), 4327 BPF_EXIT_INSN(), 4328 }, 4329 .fixup_map1 = { 4 }, 4330 .errstr_unpriv = "R6 leaks addr into mem", 4331 .result_unpriv = REJECT, 4332 .result = ACCEPT, 4333 }, 4334 { 4335 "helper access to map: full range", 4336 .insns = { 4337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4339 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4340 BPF_LD_MAP_FD(BPF_REG_1, 0), 4341 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4344 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4345 BPF_MOV64_IMM(BPF_REG_3, 0), 4346 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4347 BPF_EXIT_INSN(), 4348 }, 4349 .fixup_map2 = { 3 }, 4350 .result = ACCEPT, 4351 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4352 }, 4353 { 4354 "helper access to map: partial range", 4355 .insns = { 4356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4358 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4359 BPF_LD_MAP_FD(BPF_REG_1, 0), 4360 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4361 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4363 BPF_MOV64_IMM(BPF_REG_2, 8), 4364 BPF_MOV64_IMM(BPF_REG_3, 0), 4365 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4366 BPF_EXIT_INSN(), 4367 }, 4368 .fixup_map2 = { 3 }, 4369 .result = ACCEPT, 4370 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4371 }, 4372 { 4373 "helper access to map: empty range", 4374 .insns = { 4375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4378 BPF_LD_MAP_FD(BPF_REG_1, 0), 4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 4381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4382 BPF_MOV64_IMM(BPF_REG_2, 0), 4383 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4384 BPF_EXIT_INSN(), 4385 }, 4386 .fixup_map2 = { 3 }, 4387 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 4388 .result = REJECT, 4389 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4390 }, 4391 { 4392 "helper access to map: out-of-bound range", 4393 .insns = { 4394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4396 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4397 BPF_LD_MAP_FD(BPF_REG_1, 0), 4398 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4400 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4401 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 4402 BPF_MOV64_IMM(BPF_REG_3, 0), 4403 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4404 BPF_EXIT_INSN(), 4405 }, 4406 .fixup_map2 = { 3 }, 4407 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 4408 .result = REJECT, 4409 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4410 }, 4411 { 4412 "helper access to map: negative range", 4413 .insns = { 4414 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4416 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4417 BPF_LD_MAP_FD(BPF_REG_1, 0), 4418 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4421 BPF_MOV64_IMM(BPF_REG_2, -8), 4422 BPF_MOV64_IMM(BPF_REG_3, 0), 4423 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4424 BPF_EXIT_INSN(), 4425 }, 4426 .fixup_map2 = { 3 }, 4427 .errstr = "R2 min value is negative", 4428 .result = REJECT, 4429 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4430 }, 4431 { 4432 "helper access to adjusted map (via const imm): full range", 4433 .insns = { 4434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4436 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4437 BPF_LD_MAP_FD(BPF_REG_1, 0), 4438 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4442 offsetof(struct test_val, foo)), 4443 BPF_MOV64_IMM(BPF_REG_2, 4444 sizeof(struct test_val) - 4445 offsetof(struct test_val, foo)), 4446 BPF_MOV64_IMM(BPF_REG_3, 0), 4447 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4448 BPF_EXIT_INSN(), 4449 }, 4450 .fixup_map2 = { 3 }, 4451 .result = ACCEPT, 4452 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4453 }, 4454 { 4455 "helper access to adjusted map (via const imm): partial range", 4456 .insns = { 4457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4459 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4460 BPF_LD_MAP_FD(BPF_REG_1, 0), 4461 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4462 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4465 offsetof(struct test_val, foo)), 4466 BPF_MOV64_IMM(BPF_REG_2, 8), 4467 BPF_MOV64_IMM(BPF_REG_3, 0), 4468 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4469 BPF_EXIT_INSN(), 4470 }, 4471 .fixup_map2 = { 3 }, 4472 .result = ACCEPT, 4473 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4474 }, 4475 { 4476 "helper access to adjusted map (via const imm): empty range", 4477 .insns = { 4478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4480 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4481 BPF_LD_MAP_FD(BPF_REG_1, 0), 4482 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4486 offsetof(struct test_val, foo)), 4487 BPF_MOV64_IMM(BPF_REG_2, 0), 4488 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4489 BPF_EXIT_INSN(), 4490 }, 4491 .fixup_map2 = { 3 }, 4492 .errstr = "invalid access to map value, value_size=48 off=4 size=0", 4493 .result = REJECT, 4494 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4495 }, 4496 { 4497 "helper access to adjusted map (via const imm): out-of-bound range", 4498 .insns = { 4499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4501 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4502 BPF_LD_MAP_FD(BPF_REG_1, 0), 4503 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4507 offsetof(struct test_val, foo)), 4508 BPF_MOV64_IMM(BPF_REG_2, 4509 sizeof(struct test_val) - 4510 offsetof(struct test_val, foo) + 8), 4511 BPF_MOV64_IMM(BPF_REG_3, 0), 4512 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4513 BPF_EXIT_INSN(), 4514 }, 4515 .fixup_map2 = { 3 }, 4516 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4517 .result = REJECT, 4518 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4519 }, 4520 { 4521 "helper access to adjusted map (via const imm): negative range (> adjustment)", 4522 .insns = { 4523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4525 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4526 BPF_LD_MAP_FD(BPF_REG_1, 0), 4527 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4528 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4529 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4531 offsetof(struct test_val, foo)), 4532 BPF_MOV64_IMM(BPF_REG_2, -8), 4533 BPF_MOV64_IMM(BPF_REG_3, 0), 4534 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4535 BPF_EXIT_INSN(), 4536 }, 4537 .fixup_map2 = { 3 }, 4538 .errstr = "R2 min value is negative", 4539 .result = REJECT, 4540 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4541 }, 4542 { 4543 "helper access to adjusted map (via const imm): negative range (< adjustment)", 4544 .insns = { 4545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4547 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4548 BPF_LD_MAP_FD(BPF_REG_1, 0), 4549 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4553 offsetof(struct test_val, foo)), 4554 BPF_MOV64_IMM(BPF_REG_2, -1), 4555 BPF_MOV64_IMM(BPF_REG_3, 0), 4556 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4557 BPF_EXIT_INSN(), 4558 }, 4559 .fixup_map2 = { 3 }, 4560 .errstr = "R2 min value is negative", 4561 .result = REJECT, 4562 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4563 }, 4564 { 4565 "helper access to adjusted map (via const reg): full range", 4566 .insns = { 4567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4570 BPF_LD_MAP_FD(BPF_REG_1, 0), 4571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4574 BPF_MOV64_IMM(BPF_REG_3, 4575 offsetof(struct test_val, foo)), 4576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4577 BPF_MOV64_IMM(BPF_REG_2, 4578 sizeof(struct test_val) - 4579 offsetof(struct test_val, foo)), 4580 BPF_MOV64_IMM(BPF_REG_3, 0), 4581 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4582 BPF_EXIT_INSN(), 4583 }, 4584 .fixup_map2 = { 3 }, 4585 .result = ACCEPT, 4586 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4587 }, 4588 { 4589 "helper access to adjusted map (via const reg): partial range", 4590 .insns = { 4591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4593 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4594 BPF_LD_MAP_FD(BPF_REG_1, 0), 4595 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4597 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4598 BPF_MOV64_IMM(BPF_REG_3, 4599 offsetof(struct test_val, foo)), 4600 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4601 BPF_MOV64_IMM(BPF_REG_2, 8), 4602 BPF_MOV64_IMM(BPF_REG_3, 0), 4603 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4604 BPF_EXIT_INSN(), 4605 }, 4606 .fixup_map2 = { 3 }, 4607 .result = ACCEPT, 4608 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4609 }, 4610 { 4611 "helper access to adjusted map (via const reg): empty range", 4612 .insns = { 4613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4615 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4616 BPF_LD_MAP_FD(BPF_REG_1, 0), 4617 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4619 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4620 BPF_MOV64_IMM(BPF_REG_3, 0), 4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4622 BPF_MOV64_IMM(BPF_REG_2, 0), 4623 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4624 BPF_EXIT_INSN(), 4625 }, 4626 .fixup_map2 = { 3 }, 4627 .errstr = "R1 min value is outside of the array range", 4628 .result = REJECT, 4629 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4630 }, 4631 { 4632 "helper access to adjusted map (via const reg): out-of-bound range", 4633 .insns = { 4634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4636 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4637 BPF_LD_MAP_FD(BPF_REG_1, 0), 4638 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4641 BPF_MOV64_IMM(BPF_REG_3, 4642 offsetof(struct test_val, foo)), 4643 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4644 BPF_MOV64_IMM(BPF_REG_2, 4645 sizeof(struct test_val) - 4646 offsetof(struct test_val, foo) + 8), 4647 BPF_MOV64_IMM(BPF_REG_3, 0), 4648 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4649 BPF_EXIT_INSN(), 4650 }, 4651 .fixup_map2 = { 3 }, 4652 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4653 .result = REJECT, 4654 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4655 }, 4656 { 4657 "helper access to adjusted map (via const reg): negative range (> adjustment)", 4658 .insns = { 4659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4662 BPF_LD_MAP_FD(BPF_REG_1, 0), 4663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4666 BPF_MOV64_IMM(BPF_REG_3, 4667 offsetof(struct test_val, foo)), 4668 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4669 BPF_MOV64_IMM(BPF_REG_2, -8), 4670 BPF_MOV64_IMM(BPF_REG_3, 0), 4671 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4672 BPF_EXIT_INSN(), 4673 }, 4674 .fixup_map2 = { 3 }, 4675 .errstr = "R2 min value is negative", 4676 .result = REJECT, 4677 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4678 }, 4679 { 4680 "helper access to adjusted map (via const reg): negative range (< adjustment)", 4681 .insns = { 4682 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4684 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4685 BPF_LD_MAP_FD(BPF_REG_1, 0), 4686 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4688 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4689 BPF_MOV64_IMM(BPF_REG_3, 4690 offsetof(struct test_val, foo)), 4691 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4692 BPF_MOV64_IMM(BPF_REG_2, -1), 4693 BPF_MOV64_IMM(BPF_REG_3, 0), 4694 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4695 BPF_EXIT_INSN(), 4696 }, 4697 .fixup_map2 = { 3 }, 4698 .errstr = "R2 min value is negative", 4699 .result = REJECT, 4700 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4701 }, 4702 { 4703 "helper access to adjusted map (via variable): full range", 4704 .insns = { 4705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4707 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4708 BPF_LD_MAP_FD(BPF_REG_1, 0), 4709 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4712 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4713 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4714 offsetof(struct test_val, foo), 4), 4715 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4716 BPF_MOV64_IMM(BPF_REG_2, 4717 sizeof(struct test_val) - 4718 offsetof(struct test_val, foo)), 4719 BPF_MOV64_IMM(BPF_REG_3, 0), 4720 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4721 BPF_EXIT_INSN(), 4722 }, 4723 .fixup_map2 = { 3 }, 4724 .result = ACCEPT, 4725 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4726 }, 4727 { 4728 "helper access to adjusted map (via variable): partial range", 4729 .insns = { 4730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4733 BPF_LD_MAP_FD(BPF_REG_1, 0), 4734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4738 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4739 offsetof(struct test_val, foo), 4), 4740 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4741 BPF_MOV64_IMM(BPF_REG_2, 8), 4742 BPF_MOV64_IMM(BPF_REG_3, 0), 4743 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4744 BPF_EXIT_INSN(), 4745 }, 4746 .fixup_map2 = { 3 }, 4747 .result = ACCEPT, 4748 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4749 }, 4750 { 4751 "helper access to adjusted map (via variable): empty range", 4752 .insns = { 4753 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4756 BPF_LD_MAP_FD(BPF_REG_1, 0), 4757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4761 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4762 offsetof(struct test_val, foo), 3), 4763 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4764 BPF_MOV64_IMM(BPF_REG_2, 0), 4765 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4766 BPF_EXIT_INSN(), 4767 }, 4768 .fixup_map2 = { 3 }, 4769 .errstr = "R1 min value is outside of the array range", 4770 .result = REJECT, 4771 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4772 }, 4773 { 4774 "helper access to adjusted map (via variable): no max check", 4775 .insns = { 4776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4779 BPF_LD_MAP_FD(BPF_REG_1, 0), 4780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4783 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4784 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4785 BPF_MOV64_IMM(BPF_REG_2, 1), 4786 BPF_MOV64_IMM(BPF_REG_3, 0), 4787 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4788 BPF_EXIT_INSN(), 4789 }, 4790 .fixup_map2 = { 3 }, 4791 .errstr = "R1 unbounded memory access", 4792 .result = REJECT, 4793 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4794 }, 4795 { 4796 "helper access to adjusted map (via variable): wrong max check", 4797 .insns = { 4798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4800 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4801 BPF_LD_MAP_FD(BPF_REG_1, 0), 4802 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4806 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4807 offsetof(struct test_val, foo), 4), 4808 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4809 BPF_MOV64_IMM(BPF_REG_2, 4810 sizeof(struct test_val) - 4811 offsetof(struct test_val, foo) + 1), 4812 BPF_MOV64_IMM(BPF_REG_3, 0), 4813 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4814 BPF_EXIT_INSN(), 4815 }, 4816 .fixup_map2 = { 3 }, 4817 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 4818 .result = REJECT, 4819 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4820 }, 4821 { 4822 "helper access to map: bounds check using <, good access", 4823 .insns = { 4824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4826 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4827 BPF_LD_MAP_FD(BPF_REG_1, 0), 4828 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4831 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4832 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2), 4833 BPF_MOV64_IMM(BPF_REG_0, 0), 4834 BPF_EXIT_INSN(), 4835 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4836 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4837 BPF_MOV64_IMM(BPF_REG_0, 0), 4838 BPF_EXIT_INSN(), 4839 }, 4840 .fixup_map2 = { 3 }, 4841 .result = ACCEPT, 4842 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4843 }, 4844 { 4845 "helper access to map: bounds check using <, bad access", 4846 .insns = { 4847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4849 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4850 BPF_LD_MAP_FD(BPF_REG_1, 0), 4851 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4855 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4), 4856 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4857 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4858 BPF_MOV64_IMM(BPF_REG_0, 0), 4859 BPF_EXIT_INSN(), 4860 BPF_MOV64_IMM(BPF_REG_0, 0), 4861 BPF_EXIT_INSN(), 4862 }, 4863 .fixup_map2 = { 3 }, 4864 .result = REJECT, 4865 .errstr = "R1 unbounded memory access", 4866 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4867 }, 4868 { 4869 "helper access to map: bounds check using <=, good access", 4870 .insns = { 4871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4873 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4874 BPF_LD_MAP_FD(BPF_REG_1, 0), 4875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4879 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2), 4880 BPF_MOV64_IMM(BPF_REG_0, 0), 4881 BPF_EXIT_INSN(), 4882 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4883 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4884 BPF_MOV64_IMM(BPF_REG_0, 0), 4885 BPF_EXIT_INSN(), 4886 }, 4887 .fixup_map2 = { 3 }, 4888 .result = ACCEPT, 4889 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4890 }, 4891 { 4892 "helper access to map: bounds check using <=, bad access", 4893 .insns = { 4894 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4896 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4897 BPF_LD_MAP_FD(BPF_REG_1, 0), 4898 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4901 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4902 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4), 4903 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4904 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4905 BPF_MOV64_IMM(BPF_REG_0, 0), 4906 BPF_EXIT_INSN(), 4907 BPF_MOV64_IMM(BPF_REG_0, 0), 4908 BPF_EXIT_INSN(), 4909 }, 4910 .fixup_map2 = { 3 }, 4911 .result = REJECT, 4912 .errstr = "R1 unbounded memory access", 4913 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4914 }, 4915 { 4916 "helper access to map: bounds check using s<, good access", 4917 .insns = { 4918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4920 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4921 BPF_LD_MAP_FD(BPF_REG_1, 0), 4922 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4925 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4926 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 4927 BPF_MOV64_IMM(BPF_REG_0, 0), 4928 BPF_EXIT_INSN(), 4929 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3), 4930 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4931 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4932 BPF_MOV64_IMM(BPF_REG_0, 0), 4933 BPF_EXIT_INSN(), 4934 }, 4935 .fixup_map2 = { 3 }, 4936 .result = ACCEPT, 4937 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4938 }, 4939 { 4940 "helper access to map: bounds check using s<, good access 2", 4941 .insns = { 4942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4944 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4945 BPF_LD_MAP_FD(BPF_REG_1, 0), 4946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4950 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 4951 BPF_MOV64_IMM(BPF_REG_0, 0), 4952 BPF_EXIT_INSN(), 4953 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 4954 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4955 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4956 BPF_MOV64_IMM(BPF_REG_0, 0), 4957 BPF_EXIT_INSN(), 4958 }, 4959 .fixup_map2 = { 3 }, 4960 .result = ACCEPT, 4961 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4962 }, 4963 { 4964 "helper access to map: bounds check using s<, bad access", 4965 .insns = { 4966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4968 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4969 BPF_LD_MAP_FD(BPF_REG_1, 0), 4970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4973 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 4974 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 4975 BPF_MOV64_IMM(BPF_REG_0, 0), 4976 BPF_EXIT_INSN(), 4977 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 4978 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4979 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4980 BPF_MOV64_IMM(BPF_REG_0, 0), 4981 BPF_EXIT_INSN(), 4982 }, 4983 .fixup_map2 = { 3 }, 4984 .result = REJECT, 4985 .errstr = "R1 min value is negative", 4986 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4987 }, 4988 { 4989 "helper access to map: bounds check using s<=, good access", 4990 .insns = { 4991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4993 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4994 BPF_LD_MAP_FD(BPF_REG_1, 0), 4995 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4998 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4999 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5000 BPF_MOV64_IMM(BPF_REG_0, 0), 5001 BPF_EXIT_INSN(), 5002 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3), 5003 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5004 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5005 BPF_MOV64_IMM(BPF_REG_0, 0), 5006 BPF_EXIT_INSN(), 5007 }, 5008 .fixup_map2 = { 3 }, 5009 .result = ACCEPT, 5010 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5011 }, 5012 { 5013 "helper access to map: bounds check using s<=, good access 2", 5014 .insns = { 5015 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5017 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5018 BPF_LD_MAP_FD(BPF_REG_1, 0), 5019 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5020 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5023 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5024 BPF_MOV64_IMM(BPF_REG_0, 0), 5025 BPF_EXIT_INSN(), 5026 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 5027 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5028 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5029 BPF_MOV64_IMM(BPF_REG_0, 0), 5030 BPF_EXIT_INSN(), 5031 }, 5032 .fixup_map2 = { 3 }, 5033 .result = ACCEPT, 5034 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5035 }, 5036 { 5037 "helper access to map: bounds check using s<=, bad access", 5038 .insns = { 5039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5041 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5042 BPF_LD_MAP_FD(BPF_REG_1, 0), 5043 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5044 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5045 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5046 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 5047 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5048 BPF_MOV64_IMM(BPF_REG_0, 0), 5049 BPF_EXIT_INSN(), 5050 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 5051 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5052 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5053 BPF_MOV64_IMM(BPF_REG_0, 0), 5054 BPF_EXIT_INSN(), 5055 }, 5056 .fixup_map2 = { 3 }, 5057 .result = REJECT, 5058 .errstr = "R1 min value is negative", 5059 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5060 }, 5061 { 5062 "map element value is preserved across register spilling", 5063 .insns = { 5064 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5066 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5067 BPF_LD_MAP_FD(BPF_REG_1, 0), 5068 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5070 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 5071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 5073 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 5074 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 5075 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 5076 BPF_EXIT_INSN(), 5077 }, 5078 .fixup_map2 = { 3 }, 5079 .errstr_unpriv = "R0 leaks addr", 5080 .result = ACCEPT, 5081 .result_unpriv = REJECT, 5082 }, 5083 { 5084 "map element value or null is marked on register spilling", 5085 .insns = { 5086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5088 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5089 BPF_LD_MAP_FD(BPF_REG_1, 0), 5090 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), 5093 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 5094 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5095 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 5096 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 5097 BPF_EXIT_INSN(), 5098 }, 5099 .fixup_map2 = { 3 }, 5100 .errstr_unpriv = "R0 leaks addr", 5101 .result = ACCEPT, 5102 .result_unpriv = REJECT, 5103 }, 5104 { 5105 "map element value store of cleared call register", 5106 .insns = { 5107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5109 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5110 BPF_LD_MAP_FD(BPF_REG_1, 0), 5111 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 5113 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 5114 BPF_EXIT_INSN(), 5115 }, 5116 .fixup_map2 = { 3 }, 5117 .errstr_unpriv = "R1 !read_ok", 5118 .errstr = "R1 !read_ok", 5119 .result = REJECT, 5120 .result_unpriv = REJECT, 5121 }, 5122 { 5123 "map element value with unaligned store", 5124 .insns = { 5125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5127 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5128 BPF_LD_MAP_FD(BPF_REG_1, 0), 5129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), 5131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 5132 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 5133 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), 5134 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), 5135 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 5136 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32), 5137 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33), 5138 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34), 5139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), 5140 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), 5141 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), 5142 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), 5143 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), 5144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), 5145 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), 5146 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), 5147 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), 5148 BPF_EXIT_INSN(), 5149 }, 5150 .fixup_map2 = { 3 }, 5151 .errstr_unpriv = "R0 leaks addr", 5152 .result = ACCEPT, 5153 .result_unpriv = REJECT, 5154 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5155 }, 5156 { 5157 "map element value with unaligned load", 5158 .insns = { 5159 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5161 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5162 BPF_LD_MAP_FD(BPF_REG_1, 0), 5163 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 5165 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 5166 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), 5167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 5168 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 5169 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), 5170 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 5171 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 5172 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2), 5173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), 5174 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 5175 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), 5176 BPF_EXIT_INSN(), 5177 }, 5178 .fixup_map2 = { 3 }, 5179 .errstr_unpriv = "R0 leaks addr", 5180 .result = ACCEPT, 5181 .result_unpriv = REJECT, 5182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5183 }, 5184 { 5185 "map element value illegal alu op, 1", 5186 .insns = { 5187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5189 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5190 BPF_LD_MAP_FD(BPF_REG_1, 0), 5191 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5193 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8), 5194 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5195 BPF_EXIT_INSN(), 5196 }, 5197 .fixup_map2 = { 3 }, 5198 .errstr_unpriv = "R0 bitwise operator &= on pointer", 5199 .errstr = "invalid mem access 'inv'", 5200 .result = REJECT, 5201 .result_unpriv = REJECT, 5202 }, 5203 { 5204 "map element value illegal alu op, 2", 5205 .insns = { 5206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5208 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5209 BPF_LD_MAP_FD(BPF_REG_1, 0), 5210 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5211 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5212 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0), 5213 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5214 BPF_EXIT_INSN(), 5215 }, 5216 .fixup_map2 = { 3 }, 5217 .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited", 5218 .errstr = "invalid mem access 'inv'", 5219 .result = REJECT, 5220 .result_unpriv = REJECT, 5221 }, 5222 { 5223 "map element value illegal alu op, 3", 5224 .insns = { 5225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5227 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5228 BPF_LD_MAP_FD(BPF_REG_1, 0), 5229 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5231 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42), 5232 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5233 BPF_EXIT_INSN(), 5234 }, 5235 .fixup_map2 = { 3 }, 5236 .errstr_unpriv = "R0 pointer arithmetic with /= operator", 5237 .errstr = "invalid mem access 'inv'", 5238 .result = REJECT, 5239 .result_unpriv = REJECT, 5240 }, 5241 { 5242 "map element value illegal alu op, 4", 5243 .insns = { 5244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5246 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5247 BPF_LD_MAP_FD(BPF_REG_1, 0), 5248 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5250 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64), 5251 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5252 BPF_EXIT_INSN(), 5253 }, 5254 .fixup_map2 = { 3 }, 5255 .errstr_unpriv = "R0 pointer arithmetic prohibited", 5256 .errstr = "invalid mem access 'inv'", 5257 .result = REJECT, 5258 .result_unpriv = REJECT, 5259 }, 5260 { 5261 "map element value illegal alu op, 5", 5262 .insns = { 5263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5265 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5266 BPF_LD_MAP_FD(BPF_REG_1, 0), 5267 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5269 BPF_MOV64_IMM(BPF_REG_3, 4096), 5270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5272 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5273 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0), 5274 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 5275 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5276 BPF_EXIT_INSN(), 5277 }, 5278 .fixup_map2 = { 3 }, 5279 .errstr = "R0 invalid mem access 'inv'", 5280 .result = REJECT, 5281 }, 5282 { 5283 "map element value is preserved across register spilling", 5284 .insns = { 5285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5288 BPF_LD_MAP_FD(BPF_REG_1, 0), 5289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5292 offsetof(struct test_val, foo)), 5293 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 5294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 5296 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 5297 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 5298 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 5299 BPF_EXIT_INSN(), 5300 }, 5301 .fixup_map2 = { 3 }, 5302 .errstr_unpriv = "R0 leaks addr", 5303 .result = ACCEPT, 5304 .result_unpriv = REJECT, 5305 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5306 }, 5307 { 5308 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 5309 .insns = { 5310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5312 BPF_MOV64_IMM(BPF_REG_0, 0), 5313 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5314 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5316 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5318 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5319 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5320 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5321 BPF_MOV64_IMM(BPF_REG_2, 16), 5322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5323 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5324 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 5325 BPF_MOV64_IMM(BPF_REG_4, 0), 5326 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5327 BPF_MOV64_IMM(BPF_REG_3, 0), 5328 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5329 BPF_MOV64_IMM(BPF_REG_0, 0), 5330 BPF_EXIT_INSN(), 5331 }, 5332 .result = ACCEPT, 5333 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5334 }, 5335 { 5336 "helper access to variable memory: stack, bitwise AND, zero included", 5337 .insns = { 5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5340 BPF_MOV64_IMM(BPF_REG_2, 16), 5341 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5342 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5343 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 5344 BPF_MOV64_IMM(BPF_REG_3, 0), 5345 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5346 BPF_EXIT_INSN(), 5347 }, 5348 .errstr = "invalid indirect read from stack off -64+0 size 64", 5349 .result = REJECT, 5350 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5351 }, 5352 { 5353 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 5354 .insns = { 5355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5357 BPF_MOV64_IMM(BPF_REG_2, 16), 5358 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5359 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5360 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 5361 BPF_MOV64_IMM(BPF_REG_4, 0), 5362 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5363 BPF_MOV64_IMM(BPF_REG_3, 0), 5364 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5365 BPF_MOV64_IMM(BPF_REG_0, 0), 5366 BPF_EXIT_INSN(), 5367 }, 5368 .errstr = "invalid stack type R1 off=-64 access_size=65", 5369 .result = REJECT, 5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5371 }, 5372 { 5373 "helper access to variable memory: stack, JMP, correct bounds", 5374 .insns = { 5375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5377 BPF_MOV64_IMM(BPF_REG_0, 0), 5378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5379 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5381 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5386 BPF_MOV64_IMM(BPF_REG_2, 16), 5387 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5388 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5389 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 5390 BPF_MOV64_IMM(BPF_REG_4, 0), 5391 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5392 BPF_MOV64_IMM(BPF_REG_3, 0), 5393 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5394 BPF_MOV64_IMM(BPF_REG_0, 0), 5395 BPF_EXIT_INSN(), 5396 }, 5397 .result = ACCEPT, 5398 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5399 }, 5400 { 5401 "helper access to variable memory: stack, JMP (signed), correct bounds", 5402 .insns = { 5403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5405 BPF_MOV64_IMM(BPF_REG_0, 0), 5406 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5408 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5414 BPF_MOV64_IMM(BPF_REG_2, 16), 5415 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5416 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5417 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 5418 BPF_MOV64_IMM(BPF_REG_4, 0), 5419 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5420 BPF_MOV64_IMM(BPF_REG_3, 0), 5421 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5422 BPF_MOV64_IMM(BPF_REG_0, 0), 5423 BPF_EXIT_INSN(), 5424 }, 5425 .result = ACCEPT, 5426 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5427 }, 5428 { 5429 "helper access to variable memory: stack, JMP, bounds + offset", 5430 .insns = { 5431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5433 BPF_MOV64_IMM(BPF_REG_2, 16), 5434 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5435 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5436 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 5437 BPF_MOV64_IMM(BPF_REG_4, 0), 5438 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 5439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 5440 BPF_MOV64_IMM(BPF_REG_3, 0), 5441 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5442 BPF_MOV64_IMM(BPF_REG_0, 0), 5443 BPF_EXIT_INSN(), 5444 }, 5445 .errstr = "invalid stack type R1 off=-64 access_size=65", 5446 .result = REJECT, 5447 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5448 }, 5449 { 5450 "helper access to variable memory: stack, JMP, wrong max", 5451 .insns = { 5452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5454 BPF_MOV64_IMM(BPF_REG_2, 16), 5455 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5457 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 5458 BPF_MOV64_IMM(BPF_REG_4, 0), 5459 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5460 BPF_MOV64_IMM(BPF_REG_3, 0), 5461 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5462 BPF_MOV64_IMM(BPF_REG_0, 0), 5463 BPF_EXIT_INSN(), 5464 }, 5465 .errstr = "invalid stack type R1 off=-64 access_size=65", 5466 .result = REJECT, 5467 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5468 }, 5469 { 5470 "helper access to variable memory: stack, JMP, no max check", 5471 .insns = { 5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5474 BPF_MOV64_IMM(BPF_REG_2, 16), 5475 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5477 BPF_MOV64_IMM(BPF_REG_4, 0), 5478 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5479 BPF_MOV64_IMM(BPF_REG_3, 0), 5480 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5481 BPF_MOV64_IMM(BPF_REG_0, 0), 5482 BPF_EXIT_INSN(), 5483 }, 5484 /* because max wasn't checked, signed min is negative */ 5485 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'", 5486 .result = REJECT, 5487 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5488 }, 5489 { 5490 "helper access to variable memory: stack, JMP, no min check", 5491 .insns = { 5492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5494 BPF_MOV64_IMM(BPF_REG_2, 16), 5495 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5496 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5497 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 5498 BPF_MOV64_IMM(BPF_REG_3, 0), 5499 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5500 BPF_MOV64_IMM(BPF_REG_0, 0), 5501 BPF_EXIT_INSN(), 5502 }, 5503 .errstr = "invalid indirect read from stack off -64+0 size 64", 5504 .result = REJECT, 5505 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5506 }, 5507 { 5508 "helper access to variable memory: stack, JMP (signed), no min check", 5509 .insns = { 5510 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5512 BPF_MOV64_IMM(BPF_REG_2, 16), 5513 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5514 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5515 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 5516 BPF_MOV64_IMM(BPF_REG_3, 0), 5517 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5518 BPF_MOV64_IMM(BPF_REG_0, 0), 5519 BPF_EXIT_INSN(), 5520 }, 5521 .errstr = "R2 min value is negative", 5522 .result = REJECT, 5523 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5524 }, 5525 { 5526 "helper access to variable memory: map, JMP, correct bounds", 5527 .insns = { 5528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5530 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5531 BPF_LD_MAP_FD(BPF_REG_1, 0), 5532 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5533 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 5534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5535 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5536 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5537 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5539 sizeof(struct test_val), 4), 5540 BPF_MOV64_IMM(BPF_REG_4, 0), 5541 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5542 BPF_MOV64_IMM(BPF_REG_3, 0), 5543 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5544 BPF_MOV64_IMM(BPF_REG_0, 0), 5545 BPF_EXIT_INSN(), 5546 }, 5547 .fixup_map2 = { 3 }, 5548 .result = ACCEPT, 5549 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5550 }, 5551 { 5552 "helper access to variable memory: map, JMP, wrong max", 5553 .insns = { 5554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5556 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5557 BPF_LD_MAP_FD(BPF_REG_1, 0), 5558 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 5560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5561 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5562 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5563 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5564 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5565 sizeof(struct test_val) + 1, 4), 5566 BPF_MOV64_IMM(BPF_REG_4, 0), 5567 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5568 BPF_MOV64_IMM(BPF_REG_3, 0), 5569 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5570 BPF_MOV64_IMM(BPF_REG_0, 0), 5571 BPF_EXIT_INSN(), 5572 }, 5573 .fixup_map2 = { 3 }, 5574 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 5575 .result = REJECT, 5576 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5577 }, 5578 { 5579 "helper access to variable memory: map adjusted, JMP, correct bounds", 5580 .insns = { 5581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5583 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5584 BPF_LD_MAP_FD(BPF_REG_1, 0), 5585 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 5587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 5589 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5591 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5592 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5593 sizeof(struct test_val) - 20, 4), 5594 BPF_MOV64_IMM(BPF_REG_4, 0), 5595 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5596 BPF_MOV64_IMM(BPF_REG_3, 0), 5597 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5598 BPF_MOV64_IMM(BPF_REG_0, 0), 5599 BPF_EXIT_INSN(), 5600 }, 5601 .fixup_map2 = { 3 }, 5602 .result = ACCEPT, 5603 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5604 }, 5605 { 5606 "helper access to variable memory: map adjusted, JMP, wrong max", 5607 .insns = { 5608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5610 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5611 BPF_LD_MAP_FD(BPF_REG_1, 0), 5612 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 5614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 5616 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5617 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5620 sizeof(struct test_val) - 19, 4), 5621 BPF_MOV64_IMM(BPF_REG_4, 0), 5622 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5623 BPF_MOV64_IMM(BPF_REG_3, 0), 5624 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5625 BPF_MOV64_IMM(BPF_REG_0, 0), 5626 BPF_EXIT_INSN(), 5627 }, 5628 .fixup_map2 = { 3 }, 5629 .errstr = "R1 min value is outside of the array range", 5630 .result = REJECT, 5631 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5632 }, 5633 { 5634 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 5635 .insns = { 5636 BPF_MOV64_IMM(BPF_REG_1, 0), 5637 BPF_MOV64_IMM(BPF_REG_2, 0), 5638 BPF_MOV64_IMM(BPF_REG_3, 0), 5639 BPF_MOV64_IMM(BPF_REG_4, 0), 5640 BPF_MOV64_IMM(BPF_REG_5, 0), 5641 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5642 BPF_EXIT_INSN(), 5643 }, 5644 .result = ACCEPT, 5645 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5646 }, 5647 { 5648 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 5649 .insns = { 5650 BPF_MOV64_IMM(BPF_REG_1, 0), 5651 BPF_MOV64_IMM(BPF_REG_2, 0), 5652 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5653 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5654 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 5655 BPF_MOV64_IMM(BPF_REG_3, 0), 5656 BPF_MOV64_IMM(BPF_REG_4, 0), 5657 BPF_MOV64_IMM(BPF_REG_5, 0), 5658 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5659 BPF_EXIT_INSN(), 5660 }, 5661 .errstr = "R1 type=inv expected=fp", 5662 .result = REJECT, 5663 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5664 }, 5665 { 5666 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 5667 .insns = { 5668 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5670 BPF_MOV64_IMM(BPF_REG_2, 0), 5671 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 5672 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 5673 BPF_MOV64_IMM(BPF_REG_3, 0), 5674 BPF_MOV64_IMM(BPF_REG_4, 0), 5675 BPF_MOV64_IMM(BPF_REG_5, 0), 5676 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5677 BPF_EXIT_INSN(), 5678 }, 5679 .result = ACCEPT, 5680 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5681 }, 5682 { 5683 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 5684 .insns = { 5685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5688 BPF_LD_MAP_FD(BPF_REG_1, 0), 5689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5690 BPF_FUNC_map_lookup_elem), 5691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5693 BPF_MOV64_IMM(BPF_REG_2, 0), 5694 BPF_MOV64_IMM(BPF_REG_3, 0), 5695 BPF_MOV64_IMM(BPF_REG_4, 0), 5696 BPF_MOV64_IMM(BPF_REG_5, 0), 5697 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5698 BPF_EXIT_INSN(), 5699 }, 5700 .fixup_map1 = { 3 }, 5701 .result = ACCEPT, 5702 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5703 }, 5704 { 5705 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 5706 .insns = { 5707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5710 BPF_LD_MAP_FD(BPF_REG_1, 0), 5711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5712 BPF_FUNC_map_lookup_elem), 5713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 5714 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5715 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7), 5716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5718 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 5719 BPF_MOV64_IMM(BPF_REG_3, 0), 5720 BPF_MOV64_IMM(BPF_REG_4, 0), 5721 BPF_MOV64_IMM(BPF_REG_5, 0), 5722 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5723 BPF_EXIT_INSN(), 5724 }, 5725 .fixup_map1 = { 3 }, 5726 .result = ACCEPT, 5727 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5728 }, 5729 { 5730 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 5731 .insns = { 5732 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5735 BPF_LD_MAP_FD(BPF_REG_1, 0), 5736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5737 BPF_FUNC_map_lookup_elem), 5738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5740 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5741 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 5742 BPF_MOV64_IMM(BPF_REG_3, 0), 5743 BPF_MOV64_IMM(BPF_REG_4, 0), 5744 BPF_MOV64_IMM(BPF_REG_5, 0), 5745 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5746 BPF_EXIT_INSN(), 5747 }, 5748 .fixup_map1 = { 3 }, 5749 .result = ACCEPT, 5750 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5751 }, 5752 { 5753 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)", 5754 .insns = { 5755 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 5756 offsetof(struct __sk_buff, data)), 5757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 5758 offsetof(struct __sk_buff, data_end)), 5759 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), 5760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 5761 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 5763 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0), 5764 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 5765 BPF_MOV64_IMM(BPF_REG_3, 0), 5766 BPF_MOV64_IMM(BPF_REG_4, 0), 5767 BPF_MOV64_IMM(BPF_REG_5, 0), 5768 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5769 BPF_EXIT_INSN(), 5770 }, 5771 .result = ACCEPT, 5772 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5773 }, 5774 { 5775 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 5776 .insns = { 5777 BPF_MOV64_IMM(BPF_REG_1, 0), 5778 BPF_MOV64_IMM(BPF_REG_2, 0), 5779 BPF_MOV64_IMM(BPF_REG_3, 0), 5780 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5781 BPF_EXIT_INSN(), 5782 }, 5783 .errstr = "R1 type=inv expected=fp", 5784 .result = REJECT, 5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5786 }, 5787 { 5788 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 5789 .insns = { 5790 BPF_MOV64_IMM(BPF_REG_1, 0), 5791 BPF_MOV64_IMM(BPF_REG_2, 1), 5792 BPF_MOV64_IMM(BPF_REG_3, 0), 5793 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5794 BPF_EXIT_INSN(), 5795 }, 5796 .errstr = "R1 type=inv expected=fp", 5797 .result = REJECT, 5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5799 }, 5800 { 5801 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5802 .insns = { 5803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5805 BPF_MOV64_IMM(BPF_REG_2, 0), 5806 BPF_MOV64_IMM(BPF_REG_3, 0), 5807 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5808 BPF_EXIT_INSN(), 5809 }, 5810 .result = ACCEPT, 5811 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5812 }, 5813 { 5814 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5815 .insns = { 5816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5819 BPF_LD_MAP_FD(BPF_REG_1, 0), 5820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5823 BPF_MOV64_IMM(BPF_REG_2, 0), 5824 BPF_MOV64_IMM(BPF_REG_3, 0), 5825 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5826 BPF_EXIT_INSN(), 5827 }, 5828 .fixup_map1 = { 3 }, 5829 .result = ACCEPT, 5830 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5831 }, 5832 { 5833 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5834 .insns = { 5835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5838 BPF_LD_MAP_FD(BPF_REG_1, 0), 5839 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5841 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5842 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 5843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5845 BPF_MOV64_IMM(BPF_REG_3, 0), 5846 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5847 BPF_EXIT_INSN(), 5848 }, 5849 .fixup_map1 = { 3 }, 5850 .result = ACCEPT, 5851 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5852 }, 5853 { 5854 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5855 .insns = { 5856 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5859 BPF_LD_MAP_FD(BPF_REG_1, 0), 5860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5863 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5864 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2), 5865 BPF_MOV64_IMM(BPF_REG_3, 0), 5866 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5867 BPF_EXIT_INSN(), 5868 }, 5869 .fixup_map1 = { 3 }, 5870 .result = ACCEPT, 5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5872 }, 5873 { 5874 "helper access to variable memory: 8 bytes leak", 5875 .insns = { 5876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5878 BPF_MOV64_IMM(BPF_REG_0, 0), 5879 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5880 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5882 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5886 BPF_MOV64_IMM(BPF_REG_2, 0), 5887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5889 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 5890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 5891 BPF_MOV64_IMM(BPF_REG_3, 0), 5892 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 5894 BPF_EXIT_INSN(), 5895 }, 5896 .errstr = "invalid indirect read from stack off -64+32 size 64", 5897 .result = REJECT, 5898 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5899 }, 5900 { 5901 "helper access to variable memory: 8 bytes no leak (init memory)", 5902 .insns = { 5903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5904 BPF_MOV64_IMM(BPF_REG_0, 0), 5905 BPF_MOV64_IMM(BPF_REG_0, 0), 5906 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5911 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5912 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5913 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5915 BPF_MOV64_IMM(BPF_REG_2, 0), 5916 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 5917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 5918 BPF_MOV64_IMM(BPF_REG_3, 0), 5919 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5920 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 5921 BPF_EXIT_INSN(), 5922 }, 5923 .result = ACCEPT, 5924 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5925 }, 5926 { 5927 "invalid and of negative number", 5928 .insns = { 5929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5932 BPF_LD_MAP_FD(BPF_REG_1, 0), 5933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5934 BPF_FUNC_map_lookup_elem), 5935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5936 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 5937 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 5938 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 5939 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 5940 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 5941 offsetof(struct test_val, foo)), 5942 BPF_EXIT_INSN(), 5943 }, 5944 .fixup_map2 = { 3 }, 5945 .errstr = "R0 max value is outside of the array range", 5946 .result = REJECT, 5947 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5948 }, 5949 { 5950 "invalid range check", 5951 .insns = { 5952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5955 BPF_LD_MAP_FD(BPF_REG_1, 0), 5956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5957 BPF_FUNC_map_lookup_elem), 5958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 5959 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 5960 BPF_MOV64_IMM(BPF_REG_9, 1), 5961 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 5962 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 5963 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 5964 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 5965 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 5966 BPF_MOV32_IMM(BPF_REG_3, 1), 5967 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 5968 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 5969 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 5970 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 5971 BPF_MOV64_REG(BPF_REG_0, 0), 5972 BPF_EXIT_INSN(), 5973 }, 5974 .fixup_map2 = { 3 }, 5975 .errstr = "R0 max value is outside of the array range", 5976 .result = REJECT, 5977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5978 }, 5979 { 5980 "map in map access", 5981 .insns = { 5982 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5985 BPF_LD_MAP_FD(BPF_REG_1, 0), 5986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5987 BPF_FUNC_map_lookup_elem), 5988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5989 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5994 BPF_FUNC_map_lookup_elem), 5995 BPF_MOV64_REG(BPF_REG_0, 0), 5996 BPF_EXIT_INSN(), 5997 }, 5998 .fixup_map_in_map = { 3 }, 5999 .result = ACCEPT, 6000 }, 6001 { 6002 "invalid inner map pointer", 6003 .insns = { 6004 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6007 BPF_LD_MAP_FD(BPF_REG_1, 0), 6008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6009 BPF_FUNC_map_lookup_elem), 6010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6011 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 6016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6017 BPF_FUNC_map_lookup_elem), 6018 BPF_MOV64_REG(BPF_REG_0, 0), 6019 BPF_EXIT_INSN(), 6020 }, 6021 .fixup_map_in_map = { 3 }, 6022 .errstr = "R1 type=inv expected=map_ptr", 6023 .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", 6024 .result = REJECT, 6025 }, 6026 { 6027 "forgot null checking on the inner map pointer", 6028 .insns = { 6029 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6032 BPF_LD_MAP_FD(BPF_REG_1, 0), 6033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6034 BPF_FUNC_map_lookup_elem), 6035 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6040 BPF_FUNC_map_lookup_elem), 6041 BPF_MOV64_REG(BPF_REG_0, 0), 6042 BPF_EXIT_INSN(), 6043 }, 6044 .fixup_map_in_map = { 3 }, 6045 .errstr = "R1 type=map_value_or_null expected=map_ptr", 6046 .result = REJECT, 6047 }, 6048 { 6049 "ld_abs: check calling conv, r1", 6050 .insns = { 6051 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6052 BPF_MOV64_IMM(BPF_REG_1, 0), 6053 BPF_LD_ABS(BPF_W, -0x200000), 6054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 6055 BPF_EXIT_INSN(), 6056 }, 6057 .errstr = "R1 !read_ok", 6058 .result = REJECT, 6059 }, 6060 { 6061 "ld_abs: check calling conv, r2", 6062 .insns = { 6063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6064 BPF_MOV64_IMM(BPF_REG_2, 0), 6065 BPF_LD_ABS(BPF_W, -0x200000), 6066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6067 BPF_EXIT_INSN(), 6068 }, 6069 .errstr = "R2 !read_ok", 6070 .result = REJECT, 6071 }, 6072 { 6073 "ld_abs: check calling conv, r3", 6074 .insns = { 6075 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6076 BPF_MOV64_IMM(BPF_REG_3, 0), 6077 BPF_LD_ABS(BPF_W, -0x200000), 6078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6079 BPF_EXIT_INSN(), 6080 }, 6081 .errstr = "R3 !read_ok", 6082 .result = REJECT, 6083 }, 6084 { 6085 "ld_abs: check calling conv, r4", 6086 .insns = { 6087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6088 BPF_MOV64_IMM(BPF_REG_4, 0), 6089 BPF_LD_ABS(BPF_W, -0x200000), 6090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 6091 BPF_EXIT_INSN(), 6092 }, 6093 .errstr = "R4 !read_ok", 6094 .result = REJECT, 6095 }, 6096 { 6097 "ld_abs: check calling conv, r5", 6098 .insns = { 6099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6100 BPF_MOV64_IMM(BPF_REG_5, 0), 6101 BPF_LD_ABS(BPF_W, -0x200000), 6102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 6103 BPF_EXIT_INSN(), 6104 }, 6105 .errstr = "R5 !read_ok", 6106 .result = REJECT, 6107 }, 6108 { 6109 "ld_abs: check calling conv, r7", 6110 .insns = { 6111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6112 BPF_MOV64_IMM(BPF_REG_7, 0), 6113 BPF_LD_ABS(BPF_W, -0x200000), 6114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 6115 BPF_EXIT_INSN(), 6116 }, 6117 .result = ACCEPT, 6118 }, 6119 { 6120 "ld_ind: check calling conv, r1", 6121 .insns = { 6122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6123 BPF_MOV64_IMM(BPF_REG_1, 1), 6124 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000), 6125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 6126 BPF_EXIT_INSN(), 6127 }, 6128 .errstr = "R1 !read_ok", 6129 .result = REJECT, 6130 }, 6131 { 6132 "ld_ind: check calling conv, r2", 6133 .insns = { 6134 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6135 BPF_MOV64_IMM(BPF_REG_2, 1), 6136 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000), 6137 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6138 BPF_EXIT_INSN(), 6139 }, 6140 .errstr = "R2 !read_ok", 6141 .result = REJECT, 6142 }, 6143 { 6144 "ld_ind: check calling conv, r3", 6145 .insns = { 6146 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6147 BPF_MOV64_IMM(BPF_REG_3, 1), 6148 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000), 6149 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6150 BPF_EXIT_INSN(), 6151 }, 6152 .errstr = "R3 !read_ok", 6153 .result = REJECT, 6154 }, 6155 { 6156 "ld_ind: check calling conv, r4", 6157 .insns = { 6158 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6159 BPF_MOV64_IMM(BPF_REG_4, 1), 6160 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000), 6161 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 6162 BPF_EXIT_INSN(), 6163 }, 6164 .errstr = "R4 !read_ok", 6165 .result = REJECT, 6166 }, 6167 { 6168 "ld_ind: check calling conv, r5", 6169 .insns = { 6170 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6171 BPF_MOV64_IMM(BPF_REG_5, 1), 6172 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000), 6173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 6174 BPF_EXIT_INSN(), 6175 }, 6176 .errstr = "R5 !read_ok", 6177 .result = REJECT, 6178 }, 6179 { 6180 "ld_ind: check calling conv, r7", 6181 .insns = { 6182 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6183 BPF_MOV64_IMM(BPF_REG_7, 1), 6184 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000), 6185 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 6186 BPF_EXIT_INSN(), 6187 }, 6188 .result = ACCEPT, 6189 }, 6190 { 6191 "check bpf_perf_event_data->sample_period byte load permitted", 6192 .insns = { 6193 BPF_MOV64_IMM(BPF_REG_0, 0), 6194 #if __BYTE_ORDER == __LITTLE_ENDIAN 6195 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 6196 offsetof(struct bpf_perf_event_data, sample_period)), 6197 #else 6198 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 6199 offsetof(struct bpf_perf_event_data, sample_period) + 7), 6200 #endif 6201 BPF_EXIT_INSN(), 6202 }, 6203 .result = ACCEPT, 6204 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6205 }, 6206 { 6207 "check bpf_perf_event_data->sample_period half load permitted", 6208 .insns = { 6209 BPF_MOV64_IMM(BPF_REG_0, 0), 6210 #if __BYTE_ORDER == __LITTLE_ENDIAN 6211 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6212 offsetof(struct bpf_perf_event_data, sample_period)), 6213 #else 6214 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6215 offsetof(struct bpf_perf_event_data, sample_period) + 6), 6216 #endif 6217 BPF_EXIT_INSN(), 6218 }, 6219 .result = ACCEPT, 6220 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6221 }, 6222 { 6223 "check bpf_perf_event_data->sample_period word load permitted", 6224 .insns = { 6225 BPF_MOV64_IMM(BPF_REG_0, 0), 6226 #if __BYTE_ORDER == __LITTLE_ENDIAN 6227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 6228 offsetof(struct bpf_perf_event_data, sample_period)), 6229 #else 6230 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 6231 offsetof(struct bpf_perf_event_data, sample_period) + 4), 6232 #endif 6233 BPF_EXIT_INSN(), 6234 }, 6235 .result = ACCEPT, 6236 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6237 }, 6238 { 6239 "check bpf_perf_event_data->sample_period dword load permitted", 6240 .insns = { 6241 BPF_MOV64_IMM(BPF_REG_0, 0), 6242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 6243 offsetof(struct bpf_perf_event_data, sample_period)), 6244 BPF_EXIT_INSN(), 6245 }, 6246 .result = ACCEPT, 6247 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6248 }, 6249 { 6250 "check skb->data half load not permitted", 6251 .insns = { 6252 BPF_MOV64_IMM(BPF_REG_0, 0), 6253 #if __BYTE_ORDER == __LITTLE_ENDIAN 6254 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6255 offsetof(struct __sk_buff, data)), 6256 #else 6257 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6258 offsetof(struct __sk_buff, data) + 2), 6259 #endif 6260 BPF_EXIT_INSN(), 6261 }, 6262 .result = REJECT, 6263 .errstr = "invalid bpf_context access", 6264 }, 6265 { 6266 "check skb->tc_classid half load not permitted for lwt prog", 6267 .insns = { 6268 BPF_MOV64_IMM(BPF_REG_0, 0), 6269 #if __BYTE_ORDER == __LITTLE_ENDIAN 6270 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6271 offsetof(struct __sk_buff, tc_classid)), 6272 #else 6273 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6274 offsetof(struct __sk_buff, tc_classid) + 2), 6275 #endif 6276 BPF_EXIT_INSN(), 6277 }, 6278 .result = REJECT, 6279 .errstr = "invalid bpf_context access", 6280 .prog_type = BPF_PROG_TYPE_LWT_IN, 6281 }, 6282 { 6283 "bounds checks mixing signed and unsigned, positive bounds", 6284 .insns = { 6285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6288 BPF_LD_MAP_FD(BPF_REG_1, 0), 6289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6290 BPF_FUNC_map_lookup_elem), 6291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6292 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6293 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6294 BPF_MOV64_IMM(BPF_REG_2, 2), 6295 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3), 6296 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2), 6297 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6298 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6299 BPF_MOV64_IMM(BPF_REG_0, 0), 6300 BPF_EXIT_INSN(), 6301 }, 6302 .fixup_map1 = { 3 }, 6303 .errstr = "R0 min value is negative", 6304 .result = REJECT, 6305 }, 6306 { 6307 "bounds checks mixing signed and unsigned", 6308 .insns = { 6309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6312 BPF_LD_MAP_FD(BPF_REG_1, 0), 6313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6314 BPF_FUNC_map_lookup_elem), 6315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6317 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6318 BPF_MOV64_IMM(BPF_REG_2, -1), 6319 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), 6320 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6321 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6322 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6323 BPF_MOV64_IMM(BPF_REG_0, 0), 6324 BPF_EXIT_INSN(), 6325 }, 6326 .fixup_map1 = { 3 }, 6327 .errstr = "R0 min value is negative", 6328 .result = REJECT, 6329 }, 6330 { 6331 "bounds checks mixing signed and unsigned, variant 2", 6332 .insns = { 6333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6336 BPF_LD_MAP_FD(BPF_REG_1, 0), 6337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6338 BPF_FUNC_map_lookup_elem), 6339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6340 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6342 BPF_MOV64_IMM(BPF_REG_2, -1), 6343 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), 6344 BPF_MOV64_IMM(BPF_REG_8, 0), 6345 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1), 6346 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), 6347 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 6348 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), 6349 BPF_MOV64_IMM(BPF_REG_0, 0), 6350 BPF_EXIT_INSN(), 6351 }, 6352 .fixup_map1 = { 3 }, 6353 .errstr = "R8 invalid mem access 'inv'", 6354 .result = REJECT, 6355 }, 6356 { 6357 "bounds checks mixing signed and unsigned, variant 3", 6358 .insns = { 6359 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6362 BPF_LD_MAP_FD(BPF_REG_1, 0), 6363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6364 BPF_FUNC_map_lookup_elem), 6365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6366 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6367 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6368 BPF_MOV64_IMM(BPF_REG_2, -1), 6369 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4), 6370 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 6371 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), 6372 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 6373 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), 6374 BPF_MOV64_IMM(BPF_REG_0, 0), 6375 BPF_EXIT_INSN(), 6376 }, 6377 .fixup_map1 = { 3 }, 6378 .errstr = "R8 invalid mem access 'inv'", 6379 .result = REJECT, 6380 }, 6381 { 6382 "bounds checks mixing signed and unsigned, variant 4", 6383 .insns = { 6384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6387 BPF_LD_MAP_FD(BPF_REG_1, 0), 6388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6389 BPF_FUNC_map_lookup_elem), 6390 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6391 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6392 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6393 BPF_MOV64_IMM(BPF_REG_2, 1), 6394 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2), 6395 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6396 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6397 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6398 BPF_MOV64_IMM(BPF_REG_0, 0), 6399 BPF_EXIT_INSN(), 6400 }, 6401 .fixup_map1 = { 3 }, 6402 .result = ACCEPT, 6403 }, 6404 { 6405 "bounds checks mixing signed and unsigned, variant 5", 6406 .insns = { 6407 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6410 BPF_LD_MAP_FD(BPF_REG_1, 0), 6411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6412 BPF_FUNC_map_lookup_elem), 6413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6414 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6415 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6416 BPF_MOV64_IMM(BPF_REG_2, -1), 6417 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), 6418 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4), 6419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4), 6420 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 6421 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6422 BPF_MOV64_IMM(BPF_REG_0, 0), 6423 BPF_EXIT_INSN(), 6424 }, 6425 .fixup_map1 = { 3 }, 6426 .errstr = "R0 min value is negative", 6427 .result = REJECT, 6428 }, 6429 { 6430 "bounds checks mixing signed and unsigned, variant 6", 6431 .insns = { 6432 BPF_MOV64_IMM(BPF_REG_2, 0), 6433 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 6434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512), 6435 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6436 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16), 6437 BPF_MOV64_IMM(BPF_REG_6, -1), 6438 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5), 6439 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4), 6440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), 6441 BPF_MOV64_IMM(BPF_REG_5, 0), 6442 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0), 6443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6444 BPF_FUNC_skb_load_bytes), 6445 BPF_MOV64_IMM(BPF_REG_0, 0), 6446 BPF_EXIT_INSN(), 6447 }, 6448 .errstr = "R4 min value is negative, either use unsigned", 6449 .result = REJECT, 6450 }, 6451 { 6452 "bounds checks mixing signed and unsigned, variant 7", 6453 .insns = { 6454 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6455 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6457 BPF_LD_MAP_FD(BPF_REG_1, 0), 6458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6459 BPF_FUNC_map_lookup_elem), 6460 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6461 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6462 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6463 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024), 6464 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), 6465 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6466 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6467 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6468 BPF_MOV64_IMM(BPF_REG_0, 0), 6469 BPF_EXIT_INSN(), 6470 }, 6471 .fixup_map1 = { 3 }, 6472 .result = ACCEPT, 6473 }, 6474 { 6475 "bounds checks mixing signed and unsigned, variant 8", 6476 .insns = { 6477 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6480 BPF_LD_MAP_FD(BPF_REG_1, 0), 6481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6482 BPF_FUNC_map_lookup_elem), 6483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6484 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6485 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6486 BPF_MOV64_IMM(BPF_REG_2, -1), 6487 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 6488 BPF_MOV64_IMM(BPF_REG_0, 0), 6489 BPF_EXIT_INSN(), 6490 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6491 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6492 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6493 BPF_MOV64_IMM(BPF_REG_0, 0), 6494 BPF_EXIT_INSN(), 6495 }, 6496 .fixup_map1 = { 3 }, 6497 .errstr = "R0 min value is negative", 6498 .result = REJECT, 6499 }, 6500 { 6501 "bounds checks mixing signed and unsigned, variant 9", 6502 .insns = { 6503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6506 BPF_LD_MAP_FD(BPF_REG_1, 0), 6507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6508 BPF_FUNC_map_lookup_elem), 6509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 6510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6511 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6512 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL), 6513 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 6514 BPF_MOV64_IMM(BPF_REG_0, 0), 6515 BPF_EXIT_INSN(), 6516 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6517 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6518 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6519 BPF_MOV64_IMM(BPF_REG_0, 0), 6520 BPF_EXIT_INSN(), 6521 }, 6522 .fixup_map1 = { 3 }, 6523 .result = ACCEPT, 6524 }, 6525 { 6526 "bounds checks mixing signed and unsigned, variant 10", 6527 .insns = { 6528 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6529 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6531 BPF_LD_MAP_FD(BPF_REG_1, 0), 6532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6533 BPF_FUNC_map_lookup_elem), 6534 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6535 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6536 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6537 BPF_MOV64_IMM(BPF_REG_2, 0), 6538 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 6539 BPF_MOV64_IMM(BPF_REG_0, 0), 6540 BPF_EXIT_INSN(), 6541 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6542 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6543 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6544 BPF_MOV64_IMM(BPF_REG_0, 0), 6545 BPF_EXIT_INSN(), 6546 }, 6547 .fixup_map1 = { 3 }, 6548 .errstr = "R0 min value is negative", 6549 .result = REJECT, 6550 }, 6551 { 6552 "bounds checks mixing signed and unsigned, variant 11", 6553 .insns = { 6554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6557 BPF_LD_MAP_FD(BPF_REG_1, 0), 6558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6559 BPF_FUNC_map_lookup_elem), 6560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6562 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6563 BPF_MOV64_IMM(BPF_REG_2, -1), 6564 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6565 /* Dead branch. */ 6566 BPF_MOV64_IMM(BPF_REG_0, 0), 6567 BPF_EXIT_INSN(), 6568 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6569 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6570 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6571 BPF_MOV64_IMM(BPF_REG_0, 0), 6572 BPF_EXIT_INSN(), 6573 }, 6574 .fixup_map1 = { 3 }, 6575 .errstr = "R0 min value is negative", 6576 .result = REJECT, 6577 }, 6578 { 6579 "bounds checks mixing signed and unsigned, variant 12", 6580 .insns = { 6581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6584 BPF_LD_MAP_FD(BPF_REG_1, 0), 6585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6586 BPF_FUNC_map_lookup_elem), 6587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6588 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6589 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6590 BPF_MOV64_IMM(BPF_REG_2, -6), 6591 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6592 BPF_MOV64_IMM(BPF_REG_0, 0), 6593 BPF_EXIT_INSN(), 6594 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6595 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6596 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6597 BPF_MOV64_IMM(BPF_REG_0, 0), 6598 BPF_EXIT_INSN(), 6599 }, 6600 .fixup_map1 = { 3 }, 6601 .errstr = "R0 min value is negative", 6602 .result = REJECT, 6603 }, 6604 { 6605 "bounds checks mixing signed and unsigned, variant 13", 6606 .insns = { 6607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6610 BPF_LD_MAP_FD(BPF_REG_1, 0), 6611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6612 BPF_FUNC_map_lookup_elem), 6613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6615 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6616 BPF_MOV64_IMM(BPF_REG_2, 2), 6617 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6618 BPF_MOV64_IMM(BPF_REG_7, 1), 6619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2), 6620 BPF_MOV64_IMM(BPF_REG_0, 0), 6621 BPF_EXIT_INSN(), 6622 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1), 6623 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2), 6624 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7), 6625 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6626 BPF_MOV64_IMM(BPF_REG_0, 0), 6627 BPF_EXIT_INSN(), 6628 }, 6629 .fixup_map1 = { 3 }, 6630 .errstr = "R0 min value is negative", 6631 .result = REJECT, 6632 }, 6633 { 6634 "bounds checks mixing signed and unsigned, variant 14", 6635 .insns = { 6636 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, 6637 offsetof(struct __sk_buff, mark)), 6638 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6641 BPF_LD_MAP_FD(BPF_REG_1, 0), 6642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6643 BPF_FUNC_map_lookup_elem), 6644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6645 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6646 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6647 BPF_MOV64_IMM(BPF_REG_2, -1), 6648 BPF_MOV64_IMM(BPF_REG_8, 2), 6649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6), 6650 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3), 6651 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6653 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6654 BPF_MOV64_IMM(BPF_REG_0, 0), 6655 BPF_EXIT_INSN(), 6656 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3), 6657 BPF_JMP_IMM(BPF_JA, 0, 0, -7), 6658 }, 6659 .fixup_map1 = { 4 }, 6660 .errstr = "R0 min value is negative", 6661 .result = REJECT, 6662 }, 6663 { 6664 "bounds checks mixing signed and unsigned, variant 15", 6665 .insns = { 6666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6667 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6669 BPF_LD_MAP_FD(BPF_REG_1, 0), 6670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6671 BPF_FUNC_map_lookup_elem), 6672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6673 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6674 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6675 BPF_MOV64_IMM(BPF_REG_2, -6), 6676 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6677 BPF_MOV64_IMM(BPF_REG_0, 0), 6678 BPF_EXIT_INSN(), 6679 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6680 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2), 6681 BPF_MOV64_IMM(BPF_REG_0, 0), 6682 BPF_EXIT_INSN(), 6683 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6684 BPF_MOV64_IMM(BPF_REG_0, 0), 6685 BPF_EXIT_INSN(), 6686 }, 6687 .fixup_map1 = { 3 }, 6688 .errstr_unpriv = "R0 pointer comparison prohibited", 6689 .errstr = "R0 min value is negative", 6690 .result = REJECT, 6691 .result_unpriv = REJECT, 6692 }, 6693 { 6694 "subtraction bounds (map value) variant 1", 6695 .insns = { 6696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6699 BPF_LD_MAP_FD(BPF_REG_1, 0), 6700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6701 BPF_FUNC_map_lookup_elem), 6702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6703 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6704 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), 6705 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 6706 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), 6707 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 6708 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), 6709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6710 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6711 BPF_EXIT_INSN(), 6712 BPF_MOV64_IMM(BPF_REG_0, 0), 6713 BPF_EXIT_INSN(), 6714 }, 6715 .fixup_map1 = { 3 }, 6716 .errstr = "R0 max value is outside of the array range", 6717 .result = REJECT, 6718 }, 6719 { 6720 "subtraction bounds (map value) variant 2", 6721 .insns = { 6722 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6725 BPF_LD_MAP_FD(BPF_REG_1, 0), 6726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6727 BPF_FUNC_map_lookup_elem), 6728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6729 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6730 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6), 6731 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 6732 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4), 6733 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 6734 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6736 BPF_EXIT_INSN(), 6737 BPF_MOV64_IMM(BPF_REG_0, 0), 6738 BPF_EXIT_INSN(), 6739 }, 6740 .fixup_map1 = { 3 }, 6741 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 6742 .result = REJECT, 6743 }, 6744 { 6745 "variable-offset ctx access", 6746 .insns = { 6747 /* Get an unknown value */ 6748 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 6749 /* Make it small and 4-byte aligned */ 6750 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 6751 /* add it to skb. We now have either &skb->len or 6752 * &skb->pkt_type, but we don't know which 6753 */ 6754 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 6755 /* dereference it */ 6756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 6757 BPF_EXIT_INSN(), 6758 }, 6759 .errstr = "variable ctx access var_off=(0x0; 0x4)", 6760 .result = REJECT, 6761 .prog_type = BPF_PROG_TYPE_LWT_IN, 6762 }, 6763 { 6764 "variable-offset stack access", 6765 .insns = { 6766 /* Fill the top 8 bytes of the stack */ 6767 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6768 /* Get an unknown value */ 6769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 6770 /* Make it small and 4-byte aligned */ 6771 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 6772 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8), 6773 /* add it to fp. We now have either fp-4 or fp-8, but 6774 * we don't know which 6775 */ 6776 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), 6777 /* dereference it */ 6778 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), 6779 BPF_EXIT_INSN(), 6780 }, 6781 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)", 6782 .result = REJECT, 6783 .prog_type = BPF_PROG_TYPE_LWT_IN, 6784 }, 6785 { 6786 "liveness pruning and write screening", 6787 .insns = { 6788 /* Get an unknown value */ 6789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 6790 /* branch conditions teach us nothing about R2 */ 6791 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 6792 BPF_MOV64_IMM(BPF_REG_0, 0), 6793 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 6794 BPF_MOV64_IMM(BPF_REG_0, 0), 6795 BPF_EXIT_INSN(), 6796 }, 6797 .errstr = "R0 !read_ok", 6798 .result = REJECT, 6799 .prog_type = BPF_PROG_TYPE_LWT_IN, 6800 }, 6801 { 6802 "varlen_map_value_access pruning", 6803 .insns = { 6804 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6807 BPF_LD_MAP_FD(BPF_REG_1, 0), 6808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6809 BPF_FUNC_map_lookup_elem), 6810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6811 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6812 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 6813 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 6814 BPF_MOV32_IMM(BPF_REG_1, 0), 6815 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 6816 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6817 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 6818 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 6819 offsetof(struct test_val, foo)), 6820 BPF_EXIT_INSN(), 6821 }, 6822 .fixup_map2 = { 3 }, 6823 .errstr_unpriv = "R0 leaks addr", 6824 .errstr = "R0 unbounded memory access", 6825 .result_unpriv = REJECT, 6826 .result = REJECT, 6827 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 6828 }, 6829 { 6830 "invalid 64-bit BPF_END", 6831 .insns = { 6832 BPF_MOV32_IMM(BPF_REG_0, 0), 6833 { 6834 .code = BPF_ALU64 | BPF_END | BPF_TO_LE, 6835 .dst_reg = BPF_REG_0, 6836 .src_reg = 0, 6837 .off = 0, 6838 .imm = 32, 6839 }, 6840 BPF_EXIT_INSN(), 6841 }, 6842 .errstr = "BPF_END uses reserved fields", 6843 .result = REJECT, 6844 }, 6845 { 6846 "meta access, test1", 6847 .insns = { 6848 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6849 offsetof(struct xdp_md, data_meta)), 6850 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6851 offsetof(struct xdp_md, data)), 6852 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6854 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 6855 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 6856 BPF_MOV64_IMM(BPF_REG_0, 0), 6857 BPF_EXIT_INSN(), 6858 }, 6859 .result = ACCEPT, 6860 .prog_type = BPF_PROG_TYPE_XDP, 6861 }, 6862 { 6863 "meta access, test2", 6864 .insns = { 6865 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6866 offsetof(struct xdp_md, data_meta)), 6867 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6868 offsetof(struct xdp_md, data)), 6869 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6870 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8), 6871 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 6872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 6873 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 6874 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6875 BPF_MOV64_IMM(BPF_REG_0, 0), 6876 BPF_EXIT_INSN(), 6877 }, 6878 .result = REJECT, 6879 .errstr = "invalid access to packet, off=-8", 6880 .prog_type = BPF_PROG_TYPE_XDP, 6881 }, 6882 { 6883 "meta access, test3", 6884 .insns = { 6885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6886 offsetof(struct xdp_md, data_meta)), 6887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6888 offsetof(struct xdp_md, data_end)), 6889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 6892 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 6893 BPF_MOV64_IMM(BPF_REG_0, 0), 6894 BPF_EXIT_INSN(), 6895 }, 6896 .result = REJECT, 6897 .errstr = "invalid access to packet", 6898 .prog_type = BPF_PROG_TYPE_XDP, 6899 }, 6900 { 6901 "meta access, test4", 6902 .insns = { 6903 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6904 offsetof(struct xdp_md, data_meta)), 6905 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6906 offsetof(struct xdp_md, data_end)), 6907 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 6908 offsetof(struct xdp_md, data)), 6909 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 6910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6911 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 6912 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 6913 BPF_MOV64_IMM(BPF_REG_0, 0), 6914 BPF_EXIT_INSN(), 6915 }, 6916 .result = REJECT, 6917 .errstr = "invalid access to packet", 6918 .prog_type = BPF_PROG_TYPE_XDP, 6919 }, 6920 { 6921 "meta access, test5", 6922 .insns = { 6923 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6924 offsetof(struct xdp_md, data_meta)), 6925 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 6926 offsetof(struct xdp_md, data)), 6927 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6929 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3), 6930 BPF_MOV64_IMM(BPF_REG_2, -8), 6931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6932 BPF_FUNC_xdp_adjust_meta), 6933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0), 6934 BPF_MOV64_IMM(BPF_REG_0, 0), 6935 BPF_EXIT_INSN(), 6936 }, 6937 .result = REJECT, 6938 .errstr = "R3 !read_ok", 6939 .prog_type = BPF_PROG_TYPE_XDP, 6940 }, 6941 { 6942 "meta access, test6", 6943 .insns = { 6944 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6945 offsetof(struct xdp_md, data_meta)), 6946 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6947 offsetof(struct xdp_md, data)), 6948 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6950 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 6951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 6952 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1), 6953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 6954 BPF_MOV64_IMM(BPF_REG_0, 0), 6955 BPF_EXIT_INSN(), 6956 }, 6957 .result = REJECT, 6958 .errstr = "invalid access to packet", 6959 .prog_type = BPF_PROG_TYPE_XDP, 6960 }, 6961 { 6962 "meta access, test7", 6963 .insns = { 6964 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6965 offsetof(struct xdp_md, data_meta)), 6966 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6967 offsetof(struct xdp_md, data)), 6968 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6970 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 6972 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 6973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 6974 BPF_MOV64_IMM(BPF_REG_0, 0), 6975 BPF_EXIT_INSN(), 6976 }, 6977 .result = ACCEPT, 6978 .prog_type = BPF_PROG_TYPE_XDP, 6979 }, 6980 { 6981 "meta access, test8", 6982 .insns = { 6983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 6984 offsetof(struct xdp_md, data_meta)), 6985 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6986 offsetof(struct xdp_md, data)), 6987 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 6988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF), 6989 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 6990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 6991 BPF_MOV64_IMM(BPF_REG_0, 0), 6992 BPF_EXIT_INSN(), 6993 }, 6994 .result = ACCEPT, 6995 .prog_type = BPF_PROG_TYPE_XDP, 6996 }, 6997 { 6998 "meta access, test9", 6999 .insns = { 7000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7001 offsetof(struct xdp_md, data_meta)), 7002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7003 offsetof(struct xdp_md, data)), 7004 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 7005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF), 7006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), 7007 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 7008 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7009 BPF_MOV64_IMM(BPF_REG_0, 0), 7010 BPF_EXIT_INSN(), 7011 }, 7012 .result = REJECT, 7013 .errstr = "invalid access to packet", 7014 .prog_type = BPF_PROG_TYPE_XDP, 7015 }, 7016 { 7017 "meta access, test10", 7018 .insns = { 7019 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7020 offsetof(struct xdp_md, data_meta)), 7021 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7022 offsetof(struct xdp_md, data)), 7023 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 7024 offsetof(struct xdp_md, data_end)), 7025 BPF_MOV64_IMM(BPF_REG_5, 42), 7026 BPF_MOV64_IMM(BPF_REG_6, 24), 7027 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8), 7028 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 7029 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8), 7030 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6), 7031 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5), 7032 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 7033 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 7034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 7035 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1), 7036 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 7037 BPF_MOV64_IMM(BPF_REG_0, 0), 7038 BPF_EXIT_INSN(), 7039 }, 7040 .result = REJECT, 7041 .errstr = "invalid access to packet", 7042 .prog_type = BPF_PROG_TYPE_XDP, 7043 }, 7044 { 7045 "meta access, test11", 7046 .insns = { 7047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7048 offsetof(struct xdp_md, data_meta)), 7049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7050 offsetof(struct xdp_md, data)), 7051 BPF_MOV64_IMM(BPF_REG_5, 42), 7052 BPF_MOV64_IMM(BPF_REG_6, 24), 7053 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8), 7054 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 7055 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8), 7056 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6), 7057 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5), 7058 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), 7059 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 7060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 7061 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1), 7062 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0), 7063 BPF_MOV64_IMM(BPF_REG_0, 0), 7064 BPF_EXIT_INSN(), 7065 }, 7066 .result = ACCEPT, 7067 .prog_type = BPF_PROG_TYPE_XDP, 7068 }, 7069 { 7070 "meta access, test12", 7071 .insns = { 7072 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7073 offsetof(struct xdp_md, data_meta)), 7074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7075 offsetof(struct xdp_md, data)), 7076 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 7077 offsetof(struct xdp_md, data_end)), 7078 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 7079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16), 7080 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5), 7081 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0), 7082 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), 7083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16), 7084 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1), 7085 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7086 BPF_MOV64_IMM(BPF_REG_0, 0), 7087 BPF_EXIT_INSN(), 7088 }, 7089 .result = ACCEPT, 7090 .prog_type = BPF_PROG_TYPE_XDP, 7091 }, 7092 { 7093 "arithmetic ops make PTR_TO_CTX unusable", 7094 .insns = { 7095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7096 offsetof(struct __sk_buff, data) - 7097 offsetof(struct __sk_buff, mark)), 7098 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 7099 offsetof(struct __sk_buff, mark)), 7100 BPF_EXIT_INSN(), 7101 }, 7102 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not", 7103 .result = REJECT, 7104 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7105 }, 7106 { 7107 "XDP pkt read, pkt_end mangling, bad access 1", 7108 .insns = { 7109 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7110 offsetof(struct xdp_md, data)), 7111 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7112 offsetof(struct xdp_md, data_end)), 7113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), 7116 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7117 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7118 BPF_MOV64_IMM(BPF_REG_0, 0), 7119 BPF_EXIT_INSN(), 7120 }, 7121 .errstr = "R1 offset is outside of the packet", 7122 .result = REJECT, 7123 .prog_type = BPF_PROG_TYPE_XDP, 7124 }, 7125 { 7126 "XDP pkt read, pkt_end mangling, bad access 2", 7127 .insns = { 7128 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7129 offsetof(struct xdp_md, data)), 7130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7131 offsetof(struct xdp_md, data_end)), 7132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7134 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8), 7135 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7136 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7137 BPF_MOV64_IMM(BPF_REG_0, 0), 7138 BPF_EXIT_INSN(), 7139 }, 7140 .errstr = "R1 offset is outside of the packet", 7141 .result = REJECT, 7142 .prog_type = BPF_PROG_TYPE_XDP, 7143 }, 7144 { 7145 "XDP pkt read, pkt_data' > pkt_end, good access", 7146 .insns = { 7147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7148 offsetof(struct xdp_md, data)), 7149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7150 offsetof(struct xdp_md, data_end)), 7151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7153 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7154 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7155 BPF_MOV64_IMM(BPF_REG_0, 0), 7156 BPF_EXIT_INSN(), 7157 }, 7158 .result = ACCEPT, 7159 .prog_type = BPF_PROG_TYPE_XDP, 7160 }, 7161 { 7162 "XDP pkt read, pkt_data' > pkt_end, bad access 1", 7163 .insns = { 7164 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7165 offsetof(struct xdp_md, data)), 7166 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7167 offsetof(struct xdp_md, data_end)), 7168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7170 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7171 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7172 BPF_MOV64_IMM(BPF_REG_0, 0), 7173 BPF_EXIT_INSN(), 7174 }, 7175 .errstr = "R1 offset is outside of the packet", 7176 .result = REJECT, 7177 .prog_type = BPF_PROG_TYPE_XDP, 7178 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7179 }, 7180 { 7181 "XDP pkt read, pkt_data' > pkt_end, bad access 2", 7182 .insns = { 7183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7184 offsetof(struct xdp_md, data)), 7185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7186 offsetof(struct xdp_md, data_end)), 7187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7189 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0), 7190 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7191 BPF_MOV64_IMM(BPF_REG_0, 0), 7192 BPF_EXIT_INSN(), 7193 }, 7194 .errstr = "R1 offset is outside of the packet", 7195 .result = REJECT, 7196 .prog_type = BPF_PROG_TYPE_XDP, 7197 }, 7198 { 7199 "XDP pkt read, pkt_end > pkt_data', good access", 7200 .insns = { 7201 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7202 offsetof(struct xdp_md, data)), 7203 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7204 offsetof(struct xdp_md, data_end)), 7205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7207 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7208 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7209 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7210 BPF_MOV64_IMM(BPF_REG_0, 0), 7211 BPF_EXIT_INSN(), 7212 }, 7213 .result = ACCEPT, 7214 .prog_type = BPF_PROG_TYPE_XDP, 7215 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7216 }, 7217 { 7218 "XDP pkt read, pkt_end > pkt_data', bad access 1", 7219 .insns = { 7220 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7221 offsetof(struct xdp_md, data)), 7222 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7223 offsetof(struct xdp_md, data_end)), 7224 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7226 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7227 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7228 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7229 BPF_MOV64_IMM(BPF_REG_0, 0), 7230 BPF_EXIT_INSN(), 7231 }, 7232 .errstr = "R1 offset is outside of the packet", 7233 .result = REJECT, 7234 .prog_type = BPF_PROG_TYPE_XDP, 7235 }, 7236 { 7237 "XDP pkt read, pkt_end > pkt_data', bad access 2", 7238 .insns = { 7239 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7240 offsetof(struct xdp_md, data)), 7241 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7242 offsetof(struct xdp_md, data_end)), 7243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7245 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7246 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7247 BPF_MOV64_IMM(BPF_REG_0, 0), 7248 BPF_EXIT_INSN(), 7249 }, 7250 .errstr = "R1 offset is outside of the packet", 7251 .result = REJECT, 7252 .prog_type = BPF_PROG_TYPE_XDP, 7253 }, 7254 { 7255 "XDP pkt read, pkt_data' < pkt_end, good access", 7256 .insns = { 7257 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7258 offsetof(struct xdp_md, data)), 7259 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7260 offsetof(struct xdp_md, data_end)), 7261 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7263 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7264 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7265 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7266 BPF_MOV64_IMM(BPF_REG_0, 0), 7267 BPF_EXIT_INSN(), 7268 }, 7269 .result = ACCEPT, 7270 .prog_type = BPF_PROG_TYPE_XDP, 7271 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7272 }, 7273 { 7274 "XDP pkt read, pkt_data' < pkt_end, bad access 1", 7275 .insns = { 7276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7277 offsetof(struct xdp_md, data)), 7278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7279 offsetof(struct xdp_md, data_end)), 7280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7282 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7283 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7285 BPF_MOV64_IMM(BPF_REG_0, 0), 7286 BPF_EXIT_INSN(), 7287 }, 7288 .errstr = "R1 offset is outside of the packet", 7289 .result = REJECT, 7290 .prog_type = BPF_PROG_TYPE_XDP, 7291 }, 7292 { 7293 "XDP pkt read, pkt_data' < pkt_end, bad access 2", 7294 .insns = { 7295 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7296 offsetof(struct xdp_md, data)), 7297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7298 offsetof(struct xdp_md, data_end)), 7299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7301 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7303 BPF_MOV64_IMM(BPF_REG_0, 0), 7304 BPF_EXIT_INSN(), 7305 }, 7306 .errstr = "R1 offset is outside of the packet", 7307 .result = REJECT, 7308 .prog_type = BPF_PROG_TYPE_XDP, 7309 }, 7310 { 7311 "XDP pkt read, pkt_end < pkt_data', good access", 7312 .insns = { 7313 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7314 offsetof(struct xdp_md, data)), 7315 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7316 offsetof(struct xdp_md, data_end)), 7317 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7319 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 7320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7321 BPF_MOV64_IMM(BPF_REG_0, 0), 7322 BPF_EXIT_INSN(), 7323 }, 7324 .result = ACCEPT, 7325 .prog_type = BPF_PROG_TYPE_XDP, 7326 }, 7327 { 7328 "XDP pkt read, pkt_end < pkt_data', bad access 1", 7329 .insns = { 7330 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7331 offsetof(struct xdp_md, data)), 7332 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7333 offsetof(struct xdp_md, data_end)), 7334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7336 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 7337 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7338 BPF_MOV64_IMM(BPF_REG_0, 0), 7339 BPF_EXIT_INSN(), 7340 }, 7341 .errstr = "R1 offset is outside of the packet", 7342 .result = REJECT, 7343 .prog_type = BPF_PROG_TYPE_XDP, 7344 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7345 }, 7346 { 7347 "XDP pkt read, pkt_end < pkt_data', bad access 2", 7348 .insns = { 7349 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7350 offsetof(struct xdp_md, data)), 7351 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7352 offsetof(struct xdp_md, data_end)), 7353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7355 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0), 7356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7357 BPF_MOV64_IMM(BPF_REG_0, 0), 7358 BPF_EXIT_INSN(), 7359 }, 7360 .errstr = "R1 offset is outside of the packet", 7361 .result = REJECT, 7362 .prog_type = BPF_PROG_TYPE_XDP, 7363 }, 7364 { 7365 "XDP pkt read, pkt_data' >= pkt_end, good access", 7366 .insns = { 7367 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7368 offsetof(struct xdp_md, data)), 7369 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7370 offsetof(struct xdp_md, data_end)), 7371 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7373 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 7374 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7375 BPF_MOV64_IMM(BPF_REG_0, 0), 7376 BPF_EXIT_INSN(), 7377 }, 7378 .result = ACCEPT, 7379 .prog_type = BPF_PROG_TYPE_XDP, 7380 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7381 }, 7382 { 7383 "XDP pkt read, pkt_data' >= pkt_end, bad access 1", 7384 .insns = { 7385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7386 offsetof(struct xdp_md, data)), 7387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7388 offsetof(struct xdp_md, data_end)), 7389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7391 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 7392 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7393 BPF_MOV64_IMM(BPF_REG_0, 0), 7394 BPF_EXIT_INSN(), 7395 }, 7396 .errstr = "R1 offset is outside of the packet", 7397 .result = REJECT, 7398 .prog_type = BPF_PROG_TYPE_XDP, 7399 }, 7400 { 7401 "XDP pkt read, pkt_data' >= pkt_end, bad access 2", 7402 .insns = { 7403 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7404 offsetof(struct xdp_md, data)), 7405 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7406 offsetof(struct xdp_md, data_end)), 7407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7409 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0), 7410 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7411 BPF_MOV64_IMM(BPF_REG_0, 0), 7412 BPF_EXIT_INSN(), 7413 }, 7414 .errstr = "R1 offset is outside of the packet", 7415 .result = REJECT, 7416 .prog_type = BPF_PROG_TYPE_XDP, 7417 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7418 }, 7419 { 7420 "XDP pkt read, pkt_end >= pkt_data', good access", 7421 .insns = { 7422 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7423 offsetof(struct xdp_md, data)), 7424 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7425 offsetof(struct xdp_md, data_end)), 7426 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7428 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7429 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7430 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7431 BPF_MOV64_IMM(BPF_REG_0, 0), 7432 BPF_EXIT_INSN(), 7433 }, 7434 .result = ACCEPT, 7435 .prog_type = BPF_PROG_TYPE_XDP, 7436 }, 7437 { 7438 "XDP pkt read, pkt_end >= pkt_data', bad access 1", 7439 .insns = { 7440 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7441 offsetof(struct xdp_md, data)), 7442 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7443 offsetof(struct xdp_md, data_end)), 7444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7446 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7447 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7448 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7449 BPF_MOV64_IMM(BPF_REG_0, 0), 7450 BPF_EXIT_INSN(), 7451 }, 7452 .errstr = "R1 offset is outside of the packet", 7453 .result = REJECT, 7454 .prog_type = BPF_PROG_TYPE_XDP, 7455 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7456 }, 7457 { 7458 "XDP pkt read, pkt_end >= pkt_data', bad access 2", 7459 .insns = { 7460 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7461 offsetof(struct xdp_md, data)), 7462 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7463 offsetof(struct xdp_md, data_end)), 7464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7466 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7467 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7468 BPF_MOV64_IMM(BPF_REG_0, 0), 7469 BPF_EXIT_INSN(), 7470 }, 7471 .errstr = "R1 offset is outside of the packet", 7472 .result = REJECT, 7473 .prog_type = BPF_PROG_TYPE_XDP, 7474 }, 7475 { 7476 "XDP pkt read, pkt_data' <= pkt_end, good access", 7477 .insns = { 7478 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7479 offsetof(struct xdp_md, data)), 7480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7481 offsetof(struct xdp_md, data_end)), 7482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7484 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 7485 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7487 BPF_MOV64_IMM(BPF_REG_0, 0), 7488 BPF_EXIT_INSN(), 7489 }, 7490 .result = ACCEPT, 7491 .prog_type = BPF_PROG_TYPE_XDP, 7492 }, 7493 { 7494 "XDP pkt read, pkt_data' <= pkt_end, bad access 1", 7495 .insns = { 7496 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7497 offsetof(struct xdp_md, data)), 7498 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7499 offsetof(struct xdp_md, data_end)), 7500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7502 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 7503 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7505 BPF_MOV64_IMM(BPF_REG_0, 0), 7506 BPF_EXIT_INSN(), 7507 }, 7508 .errstr = "R1 offset is outside of the packet", 7509 .result = REJECT, 7510 .prog_type = BPF_PROG_TYPE_XDP, 7511 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7512 }, 7513 { 7514 "XDP pkt read, pkt_data' <= pkt_end, bad access 2", 7515 .insns = { 7516 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7517 offsetof(struct xdp_md, data)), 7518 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7519 offsetof(struct xdp_md, data_end)), 7520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7522 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 7523 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7524 BPF_MOV64_IMM(BPF_REG_0, 0), 7525 BPF_EXIT_INSN(), 7526 }, 7527 .errstr = "R1 offset is outside of the packet", 7528 .result = REJECT, 7529 .prog_type = BPF_PROG_TYPE_XDP, 7530 }, 7531 { 7532 "XDP pkt read, pkt_end <= pkt_data', good access", 7533 .insns = { 7534 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7535 offsetof(struct xdp_md, data)), 7536 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7537 offsetof(struct xdp_md, data_end)), 7538 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7540 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 7541 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7542 BPF_MOV64_IMM(BPF_REG_0, 0), 7543 BPF_EXIT_INSN(), 7544 }, 7545 .result = ACCEPT, 7546 .prog_type = BPF_PROG_TYPE_XDP, 7547 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7548 }, 7549 { 7550 "XDP pkt read, pkt_end <= pkt_data', bad access 1", 7551 .insns = { 7552 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7553 offsetof(struct xdp_md, data)), 7554 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7555 offsetof(struct xdp_md, data_end)), 7556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7558 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 7559 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7560 BPF_MOV64_IMM(BPF_REG_0, 0), 7561 BPF_EXIT_INSN(), 7562 }, 7563 .errstr = "R1 offset is outside of the packet", 7564 .result = REJECT, 7565 .prog_type = BPF_PROG_TYPE_XDP, 7566 }, 7567 { 7568 "XDP pkt read, pkt_end <= pkt_data', bad access 2", 7569 .insns = { 7570 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7571 offsetof(struct xdp_md, data)), 7572 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7573 offsetof(struct xdp_md, data_end)), 7574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7576 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0), 7577 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7578 BPF_MOV64_IMM(BPF_REG_0, 0), 7579 BPF_EXIT_INSN(), 7580 }, 7581 .errstr = "R1 offset is outside of the packet", 7582 .result = REJECT, 7583 .prog_type = BPF_PROG_TYPE_XDP, 7584 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7585 }, 7586 { 7587 "XDP pkt read, pkt_meta' > pkt_data, good access", 7588 .insns = { 7589 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7590 offsetof(struct xdp_md, data_meta)), 7591 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7592 offsetof(struct xdp_md, data)), 7593 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7595 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7596 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7597 BPF_MOV64_IMM(BPF_REG_0, 0), 7598 BPF_EXIT_INSN(), 7599 }, 7600 .result = ACCEPT, 7601 .prog_type = BPF_PROG_TYPE_XDP, 7602 }, 7603 { 7604 "XDP pkt read, pkt_meta' > pkt_data, bad access 1", 7605 .insns = { 7606 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7607 offsetof(struct xdp_md, data_meta)), 7608 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7609 offsetof(struct xdp_md, data)), 7610 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7612 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7613 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7614 BPF_MOV64_IMM(BPF_REG_0, 0), 7615 BPF_EXIT_INSN(), 7616 }, 7617 .errstr = "R1 offset is outside of the packet", 7618 .result = REJECT, 7619 .prog_type = BPF_PROG_TYPE_XDP, 7620 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7621 }, 7622 { 7623 "XDP pkt read, pkt_meta' > pkt_data, bad access 2", 7624 .insns = { 7625 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7626 offsetof(struct xdp_md, data_meta)), 7627 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7628 offsetof(struct xdp_md, data)), 7629 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7631 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0), 7632 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7633 BPF_MOV64_IMM(BPF_REG_0, 0), 7634 BPF_EXIT_INSN(), 7635 }, 7636 .errstr = "R1 offset is outside of the packet", 7637 .result = REJECT, 7638 .prog_type = BPF_PROG_TYPE_XDP, 7639 }, 7640 { 7641 "XDP pkt read, pkt_data > pkt_meta', good access", 7642 .insns = { 7643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7644 offsetof(struct xdp_md, data_meta)), 7645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7646 offsetof(struct xdp_md, data)), 7647 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7649 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7650 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7651 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7652 BPF_MOV64_IMM(BPF_REG_0, 0), 7653 BPF_EXIT_INSN(), 7654 }, 7655 .result = ACCEPT, 7656 .prog_type = BPF_PROG_TYPE_XDP, 7657 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7658 }, 7659 { 7660 "XDP pkt read, pkt_data > pkt_meta', bad access 1", 7661 .insns = { 7662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7663 offsetof(struct xdp_md, data_meta)), 7664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7665 offsetof(struct xdp_md, data)), 7666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7668 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7669 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7670 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7671 BPF_MOV64_IMM(BPF_REG_0, 0), 7672 BPF_EXIT_INSN(), 7673 }, 7674 .errstr = "R1 offset is outside of the packet", 7675 .result = REJECT, 7676 .prog_type = BPF_PROG_TYPE_XDP, 7677 }, 7678 { 7679 "XDP pkt read, pkt_data > pkt_meta', bad access 2", 7680 .insns = { 7681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7682 offsetof(struct xdp_md, data_meta)), 7683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7684 offsetof(struct xdp_md, data)), 7685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7687 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7688 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7689 BPF_MOV64_IMM(BPF_REG_0, 0), 7690 BPF_EXIT_INSN(), 7691 }, 7692 .errstr = "R1 offset is outside of the packet", 7693 .result = REJECT, 7694 .prog_type = BPF_PROG_TYPE_XDP, 7695 }, 7696 { 7697 "XDP pkt read, pkt_meta' < pkt_data, good access", 7698 .insns = { 7699 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7700 offsetof(struct xdp_md, data_meta)), 7701 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7702 offsetof(struct xdp_md, data)), 7703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7705 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7706 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7707 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7708 BPF_MOV64_IMM(BPF_REG_0, 0), 7709 BPF_EXIT_INSN(), 7710 }, 7711 .result = ACCEPT, 7712 .prog_type = BPF_PROG_TYPE_XDP, 7713 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7714 }, 7715 { 7716 "XDP pkt read, pkt_meta' < pkt_data, bad access 1", 7717 .insns = { 7718 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7719 offsetof(struct xdp_md, data_meta)), 7720 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7721 offsetof(struct xdp_md, data)), 7722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7724 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7725 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7726 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7727 BPF_MOV64_IMM(BPF_REG_0, 0), 7728 BPF_EXIT_INSN(), 7729 }, 7730 .errstr = "R1 offset is outside of the packet", 7731 .result = REJECT, 7732 .prog_type = BPF_PROG_TYPE_XDP, 7733 }, 7734 { 7735 "XDP pkt read, pkt_meta' < pkt_data, bad access 2", 7736 .insns = { 7737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7738 offsetof(struct xdp_md, data_meta)), 7739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7740 offsetof(struct xdp_md, data)), 7741 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7743 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7744 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7745 BPF_MOV64_IMM(BPF_REG_0, 0), 7746 BPF_EXIT_INSN(), 7747 }, 7748 .errstr = "R1 offset is outside of the packet", 7749 .result = REJECT, 7750 .prog_type = BPF_PROG_TYPE_XDP, 7751 }, 7752 { 7753 "XDP pkt read, pkt_data < pkt_meta', good access", 7754 .insns = { 7755 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7756 offsetof(struct xdp_md, data_meta)), 7757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7758 offsetof(struct xdp_md, data)), 7759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7761 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 7762 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7763 BPF_MOV64_IMM(BPF_REG_0, 0), 7764 BPF_EXIT_INSN(), 7765 }, 7766 .result = ACCEPT, 7767 .prog_type = BPF_PROG_TYPE_XDP, 7768 }, 7769 { 7770 "XDP pkt read, pkt_data < pkt_meta', bad access 1", 7771 .insns = { 7772 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7773 offsetof(struct xdp_md, data_meta)), 7774 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7775 offsetof(struct xdp_md, data)), 7776 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7778 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 7779 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7780 BPF_MOV64_IMM(BPF_REG_0, 0), 7781 BPF_EXIT_INSN(), 7782 }, 7783 .errstr = "R1 offset is outside of the packet", 7784 .result = REJECT, 7785 .prog_type = BPF_PROG_TYPE_XDP, 7786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7787 }, 7788 { 7789 "XDP pkt read, pkt_data < pkt_meta', bad access 2", 7790 .insns = { 7791 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7792 offsetof(struct xdp_md, data_meta)), 7793 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7794 offsetof(struct xdp_md, data)), 7795 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7797 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0), 7798 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7799 BPF_MOV64_IMM(BPF_REG_0, 0), 7800 BPF_EXIT_INSN(), 7801 }, 7802 .errstr = "R1 offset is outside of the packet", 7803 .result = REJECT, 7804 .prog_type = BPF_PROG_TYPE_XDP, 7805 }, 7806 { 7807 "XDP pkt read, pkt_meta' >= pkt_data, good access", 7808 .insns = { 7809 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7810 offsetof(struct xdp_md, data_meta)), 7811 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7812 offsetof(struct xdp_md, data)), 7813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7815 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 7816 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7817 BPF_MOV64_IMM(BPF_REG_0, 0), 7818 BPF_EXIT_INSN(), 7819 }, 7820 .result = ACCEPT, 7821 .prog_type = BPF_PROG_TYPE_XDP, 7822 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7823 }, 7824 { 7825 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1", 7826 .insns = { 7827 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7828 offsetof(struct xdp_md, data_meta)), 7829 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7830 offsetof(struct xdp_md, data)), 7831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7833 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 7834 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7835 BPF_MOV64_IMM(BPF_REG_0, 0), 7836 BPF_EXIT_INSN(), 7837 }, 7838 .errstr = "R1 offset is outside of the packet", 7839 .result = REJECT, 7840 .prog_type = BPF_PROG_TYPE_XDP, 7841 }, 7842 { 7843 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2", 7844 .insns = { 7845 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7846 offsetof(struct xdp_md, data_meta)), 7847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7848 offsetof(struct xdp_md, data)), 7849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7851 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0), 7852 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7853 BPF_MOV64_IMM(BPF_REG_0, 0), 7854 BPF_EXIT_INSN(), 7855 }, 7856 .errstr = "R1 offset is outside of the packet", 7857 .result = REJECT, 7858 .prog_type = BPF_PROG_TYPE_XDP, 7859 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7860 }, 7861 { 7862 "XDP pkt read, pkt_data >= pkt_meta', good access", 7863 .insns = { 7864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7865 offsetof(struct xdp_md, data_meta)), 7866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7867 offsetof(struct xdp_md, data)), 7868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7870 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7871 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7872 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7873 BPF_MOV64_IMM(BPF_REG_0, 0), 7874 BPF_EXIT_INSN(), 7875 }, 7876 .result = ACCEPT, 7877 .prog_type = BPF_PROG_TYPE_XDP, 7878 }, 7879 { 7880 "XDP pkt read, pkt_data >= pkt_meta', bad access 1", 7881 .insns = { 7882 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7883 offsetof(struct xdp_md, data_meta)), 7884 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7885 offsetof(struct xdp_md, data)), 7886 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7888 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7889 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7890 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7891 BPF_MOV64_IMM(BPF_REG_0, 0), 7892 BPF_EXIT_INSN(), 7893 }, 7894 .errstr = "R1 offset is outside of the packet", 7895 .result = REJECT, 7896 .prog_type = BPF_PROG_TYPE_XDP, 7897 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7898 }, 7899 { 7900 "XDP pkt read, pkt_data >= pkt_meta', bad access 2", 7901 .insns = { 7902 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7903 offsetof(struct xdp_md, data_meta)), 7904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7905 offsetof(struct xdp_md, data)), 7906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7908 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7909 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7910 BPF_MOV64_IMM(BPF_REG_0, 0), 7911 BPF_EXIT_INSN(), 7912 }, 7913 .errstr = "R1 offset is outside of the packet", 7914 .result = REJECT, 7915 .prog_type = BPF_PROG_TYPE_XDP, 7916 }, 7917 { 7918 "XDP pkt read, pkt_meta' <= pkt_data, good access", 7919 .insns = { 7920 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7921 offsetof(struct xdp_md, data_meta)), 7922 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7923 offsetof(struct xdp_md, data)), 7924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7926 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 7927 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7928 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7929 BPF_MOV64_IMM(BPF_REG_0, 0), 7930 BPF_EXIT_INSN(), 7931 }, 7932 .result = ACCEPT, 7933 .prog_type = BPF_PROG_TYPE_XDP, 7934 }, 7935 { 7936 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1", 7937 .insns = { 7938 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7939 offsetof(struct xdp_md, data_meta)), 7940 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7941 offsetof(struct xdp_md, data)), 7942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7944 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 7945 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7947 BPF_MOV64_IMM(BPF_REG_0, 0), 7948 BPF_EXIT_INSN(), 7949 }, 7950 .errstr = "R1 offset is outside of the packet", 7951 .result = REJECT, 7952 .prog_type = BPF_PROG_TYPE_XDP, 7953 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7954 }, 7955 { 7956 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2", 7957 .insns = { 7958 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7959 offsetof(struct xdp_md, data_meta)), 7960 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7961 offsetof(struct xdp_md, data)), 7962 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7964 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 7965 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7966 BPF_MOV64_IMM(BPF_REG_0, 0), 7967 BPF_EXIT_INSN(), 7968 }, 7969 .errstr = "R1 offset is outside of the packet", 7970 .result = REJECT, 7971 .prog_type = BPF_PROG_TYPE_XDP, 7972 }, 7973 { 7974 "XDP pkt read, pkt_data <= pkt_meta', good access", 7975 .insns = { 7976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7977 offsetof(struct xdp_md, data_meta)), 7978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7979 offsetof(struct xdp_md, data)), 7980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7982 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 7983 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7984 BPF_MOV64_IMM(BPF_REG_0, 0), 7985 BPF_EXIT_INSN(), 7986 }, 7987 .result = ACCEPT, 7988 .prog_type = BPF_PROG_TYPE_XDP, 7989 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7990 }, 7991 { 7992 "XDP pkt read, pkt_data <= pkt_meta', bad access 1", 7993 .insns = { 7994 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7995 offsetof(struct xdp_md, data_meta)), 7996 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7997 offsetof(struct xdp_md, data)), 7998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8000 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 8001 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8002 BPF_MOV64_IMM(BPF_REG_0, 0), 8003 BPF_EXIT_INSN(), 8004 }, 8005 .errstr = "R1 offset is outside of the packet", 8006 .result = REJECT, 8007 .prog_type = BPF_PROG_TYPE_XDP, 8008 }, 8009 { 8010 "XDP pkt read, pkt_data <= pkt_meta', bad access 2", 8011 .insns = { 8012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8013 offsetof(struct xdp_md, data_meta)), 8014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8015 offsetof(struct xdp_md, data)), 8016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8018 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0), 8019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8020 BPF_MOV64_IMM(BPF_REG_0, 0), 8021 BPF_EXIT_INSN(), 8022 }, 8023 .errstr = "R1 offset is outside of the packet", 8024 .result = REJECT, 8025 .prog_type = BPF_PROG_TYPE_XDP, 8026 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8027 }, 8028 { 8029 "bpf_exit with invalid return code. test1", 8030 .insns = { 8031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8032 BPF_EXIT_INSN(), 8033 }, 8034 .errstr = "R0 has value (0x0; 0xffffffff)", 8035 .result = REJECT, 8036 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8037 }, 8038 { 8039 "bpf_exit with invalid return code. test2", 8040 .insns = { 8041 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8042 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 8043 BPF_EXIT_INSN(), 8044 }, 8045 .result = ACCEPT, 8046 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8047 }, 8048 { 8049 "bpf_exit with invalid return code. test3", 8050 .insns = { 8051 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8052 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3), 8053 BPF_EXIT_INSN(), 8054 }, 8055 .errstr = "R0 has value (0x0; 0x3)", 8056 .result = REJECT, 8057 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8058 }, 8059 { 8060 "bpf_exit with invalid return code. test4", 8061 .insns = { 8062 BPF_MOV64_IMM(BPF_REG_0, 1), 8063 BPF_EXIT_INSN(), 8064 }, 8065 .result = ACCEPT, 8066 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8067 }, 8068 { 8069 "bpf_exit with invalid return code. test5", 8070 .insns = { 8071 BPF_MOV64_IMM(BPF_REG_0, 2), 8072 BPF_EXIT_INSN(), 8073 }, 8074 .errstr = "R0 has value (0x2; 0x0)", 8075 .result = REJECT, 8076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8077 }, 8078 { 8079 "bpf_exit with invalid return code. test6", 8080 .insns = { 8081 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 8082 BPF_EXIT_INSN(), 8083 }, 8084 .errstr = "R0 is not a known value (ctx)", 8085 .result = REJECT, 8086 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8087 }, 8088 { 8089 "bpf_exit with invalid return code. test7", 8090 .insns = { 8091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4), 8093 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2), 8094 BPF_EXIT_INSN(), 8095 }, 8096 .errstr = "R0 has unknown scalar value", 8097 .result = REJECT, 8098 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8099 }, 8100 }; 8101 8102 static int probe_filter_length(const struct bpf_insn *fp) 8103 { 8104 int len; 8105 8106 for (len = MAX_INSNS - 1; len > 0; --len) 8107 if (fp[len].code != 0 || fp[len].imm != 0) 8108 break; 8109 return len + 1; 8110 } 8111 8112 static int create_map(uint32_t size_value, uint32_t max_elem) 8113 { 8114 int fd; 8115 8116 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 8117 size_value, max_elem, BPF_F_NO_PREALLOC); 8118 if (fd < 0) 8119 printf("Failed to create hash map '%s'!\n", strerror(errno)); 8120 8121 return fd; 8122 } 8123 8124 static int create_prog_array(void) 8125 { 8126 int fd; 8127 8128 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 8129 sizeof(int), 4, 0); 8130 if (fd < 0) 8131 printf("Failed to create prog array '%s'!\n", strerror(errno)); 8132 8133 return fd; 8134 } 8135 8136 static int create_map_in_map(void) 8137 { 8138 int inner_map_fd, outer_map_fd; 8139 8140 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 8141 sizeof(int), 1, 0); 8142 if (inner_map_fd < 0) { 8143 printf("Failed to create array '%s'!\n", strerror(errno)); 8144 return inner_map_fd; 8145 } 8146 8147 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL, 8148 sizeof(int), inner_map_fd, 1, 0); 8149 if (outer_map_fd < 0) 8150 printf("Failed to create array of maps '%s'!\n", 8151 strerror(errno)); 8152 8153 close(inner_map_fd); 8154 8155 return outer_map_fd; 8156 } 8157 8158 static char bpf_vlog[32768]; 8159 8160 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 8161 int *map_fds) 8162 { 8163 int *fixup_map1 = test->fixup_map1; 8164 int *fixup_map2 = test->fixup_map2; 8165 int *fixup_prog = test->fixup_prog; 8166 int *fixup_map_in_map = test->fixup_map_in_map; 8167 8168 /* Allocating HTs with 1 elem is fine here, since we only test 8169 * for verifier and not do a runtime lookup, so the only thing 8170 * that really matters is value size in this case. 8171 */ 8172 if (*fixup_map1) { 8173 map_fds[0] = create_map(sizeof(long long), 1); 8174 do { 8175 prog[*fixup_map1].imm = map_fds[0]; 8176 fixup_map1++; 8177 } while (*fixup_map1); 8178 } 8179 8180 if (*fixup_map2) { 8181 map_fds[1] = create_map(sizeof(struct test_val), 1); 8182 do { 8183 prog[*fixup_map2].imm = map_fds[1]; 8184 fixup_map2++; 8185 } while (*fixup_map2); 8186 } 8187 8188 if (*fixup_prog) { 8189 map_fds[2] = create_prog_array(); 8190 do { 8191 prog[*fixup_prog].imm = map_fds[2]; 8192 fixup_prog++; 8193 } while (*fixup_prog); 8194 } 8195 8196 if (*fixup_map_in_map) { 8197 map_fds[3] = create_map_in_map(); 8198 do { 8199 prog[*fixup_map_in_map].imm = map_fds[3]; 8200 fixup_map_in_map++; 8201 } while (*fixup_map_in_map); 8202 } 8203 } 8204 8205 static void do_test_single(struct bpf_test *test, bool unpriv, 8206 int *passes, int *errors) 8207 { 8208 int fd_prog, expected_ret, reject_from_alignment; 8209 struct bpf_insn *prog = test->insns; 8210 int prog_len = probe_filter_length(prog); 8211 int prog_type = test->prog_type; 8212 int map_fds[MAX_NR_MAPS]; 8213 const char *expected_err; 8214 int i; 8215 8216 for (i = 0; i < MAX_NR_MAPS; i++) 8217 map_fds[i] = -1; 8218 8219 do_test_fixup(test, prog, map_fds); 8220 8221 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 8222 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT, 8223 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1); 8224 8225 expected_ret = unpriv && test->result_unpriv != UNDEF ? 8226 test->result_unpriv : test->result; 8227 expected_err = unpriv && test->errstr_unpriv ? 8228 test->errstr_unpriv : test->errstr; 8229 8230 reject_from_alignment = fd_prog < 0 && 8231 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) && 8232 strstr(bpf_vlog, "Unknown alignment."); 8233 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 8234 if (reject_from_alignment) { 8235 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n", 8236 strerror(errno)); 8237 goto fail_log; 8238 } 8239 #endif 8240 if (expected_ret == ACCEPT) { 8241 if (fd_prog < 0 && !reject_from_alignment) { 8242 printf("FAIL\nFailed to load prog '%s'!\n", 8243 strerror(errno)); 8244 goto fail_log; 8245 } 8246 } else { 8247 if (fd_prog >= 0) { 8248 printf("FAIL\nUnexpected success to load!\n"); 8249 goto fail_log; 8250 } 8251 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) { 8252 printf("FAIL\nUnexpected error message!\n"); 8253 goto fail_log; 8254 } 8255 } 8256 8257 (*passes)++; 8258 printf("OK%s\n", reject_from_alignment ? 8259 " (NOTE: reject due to unknown alignment)" : ""); 8260 close_fds: 8261 close(fd_prog); 8262 for (i = 0; i < MAX_NR_MAPS; i++) 8263 close(map_fds[i]); 8264 sched_yield(); 8265 return; 8266 fail_log: 8267 (*errors)++; 8268 printf("%s", bpf_vlog); 8269 goto close_fds; 8270 } 8271 8272 static bool is_admin(void) 8273 { 8274 cap_t caps; 8275 cap_flag_value_t sysadmin = CAP_CLEAR; 8276 const cap_value_t cap_val = CAP_SYS_ADMIN; 8277 8278 #ifdef CAP_IS_SUPPORTED 8279 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 8280 perror("cap_get_flag"); 8281 return false; 8282 } 8283 #endif 8284 caps = cap_get_proc(); 8285 if (!caps) { 8286 perror("cap_get_proc"); 8287 return false; 8288 } 8289 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 8290 perror("cap_get_flag"); 8291 if (cap_free(caps)) 8292 perror("cap_free"); 8293 return (sysadmin == CAP_SET); 8294 } 8295 8296 static int set_admin(bool admin) 8297 { 8298 cap_t caps; 8299 const cap_value_t cap_val = CAP_SYS_ADMIN; 8300 int ret = -1; 8301 8302 caps = cap_get_proc(); 8303 if (!caps) { 8304 perror("cap_get_proc"); 8305 return -1; 8306 } 8307 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 8308 admin ? CAP_SET : CAP_CLEAR)) { 8309 perror("cap_set_flag"); 8310 goto out; 8311 } 8312 if (cap_set_proc(caps)) { 8313 perror("cap_set_proc"); 8314 goto out; 8315 } 8316 ret = 0; 8317 out: 8318 if (cap_free(caps)) 8319 perror("cap_free"); 8320 return ret; 8321 } 8322 8323 static int do_test(bool unpriv, unsigned int from, unsigned int to) 8324 { 8325 int i, passes = 0, errors = 0; 8326 8327 for (i = from; i < to; i++) { 8328 struct bpf_test *test = &tests[i]; 8329 8330 /* Program types that are not supported by non-root we 8331 * skip right away. 8332 */ 8333 if (!test->prog_type) { 8334 if (!unpriv) 8335 set_admin(false); 8336 printf("#%d/u %s ", i, test->descr); 8337 do_test_single(test, true, &passes, &errors); 8338 if (!unpriv) 8339 set_admin(true); 8340 } 8341 8342 if (!unpriv) { 8343 printf("#%d/p %s ", i, test->descr); 8344 do_test_single(test, false, &passes, &errors); 8345 } 8346 } 8347 8348 printf("Summary: %d PASSED, %d FAILED\n", passes, errors); 8349 return errors ? EXIT_FAILURE : EXIT_SUCCESS; 8350 } 8351 8352 int main(int argc, char **argv) 8353 { 8354 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY }; 8355 struct rlimit rlim = { 1 << 20, 1 << 20 }; 8356 unsigned int from = 0, to = ARRAY_SIZE(tests); 8357 bool unpriv = !is_admin(); 8358 8359 if (argc == 3) { 8360 unsigned int l = atoi(argv[argc - 2]); 8361 unsigned int u = atoi(argv[argc - 1]); 8362 8363 if (l < to && u < to) { 8364 from = l; 8365 to = u + 1; 8366 } 8367 } else if (argc == 2) { 8368 unsigned int t = atoi(argv[argc - 1]); 8369 8370 if (t < to) { 8371 from = t; 8372 to = t + 1; 8373 } 8374 } 8375 8376 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf); 8377 return do_test(unpriv, from, to); 8378 } 8379