1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of version 2 of the GNU General Public 8 * License as published by the Free Software Foundation. 9 */ 10 11 #include <endian.h> 12 #include <asm/types.h> 13 #include <linux/types.h> 14 #include <stdint.h> 15 #include <stdio.h> 16 #include <stdlib.h> 17 #include <unistd.h> 18 #include <errno.h> 19 #include <string.h> 20 #include <stddef.h> 21 #include <stdbool.h> 22 #include <sched.h> 23 24 #include <sys/capability.h> 25 #include <sys/resource.h> 26 27 #include <linux/unistd.h> 28 #include <linux/filter.h> 29 #include <linux/bpf_perf_event.h> 30 #include <linux/bpf.h> 31 32 #include <bpf/bpf.h> 33 34 #ifdef HAVE_GENHDR 35 # include "autoconf.h" 36 #else 37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 39 # endif 40 #endif 41 42 #include "../../../include/linux/filter.h" 43 44 #ifndef ARRAY_SIZE 45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 46 #endif 47 48 #define MAX_INSNS 512 49 #define MAX_FIXUPS 8 50 #define MAX_NR_MAPS 4 51 52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 54 55 struct bpf_test { 56 const char *descr; 57 struct bpf_insn insns[MAX_INSNS]; 58 int fixup_map1[MAX_FIXUPS]; 59 int fixup_map2[MAX_FIXUPS]; 60 int fixup_prog[MAX_FIXUPS]; 61 int fixup_map_in_map[MAX_FIXUPS]; 62 const char *errstr; 63 const char *errstr_unpriv; 64 enum { 65 UNDEF, 66 ACCEPT, 67 REJECT 68 } result, result_unpriv; 69 enum bpf_prog_type prog_type; 70 uint8_t flags; 71 }; 72 73 /* Note we want this to be 64 bit aligned so that the end of our array is 74 * actually the end of the structure. 75 */ 76 #define MAX_ENTRIES 11 77 78 struct test_val { 79 unsigned int index; 80 int foo[MAX_ENTRIES]; 81 }; 82 83 static struct bpf_test tests[] = { 84 { 85 "add+sub+mul", 86 .insns = { 87 BPF_MOV64_IMM(BPF_REG_1, 1), 88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 89 BPF_MOV64_IMM(BPF_REG_2, 3), 90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 94 BPF_EXIT_INSN(), 95 }, 96 .result = ACCEPT, 97 }, 98 { 99 "unreachable", 100 .insns = { 101 BPF_EXIT_INSN(), 102 BPF_EXIT_INSN(), 103 }, 104 .errstr = "unreachable", 105 .result = REJECT, 106 }, 107 { 108 "unreachable2", 109 .insns = { 110 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 111 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 112 BPF_EXIT_INSN(), 113 }, 114 .errstr = "unreachable", 115 .result = REJECT, 116 }, 117 { 118 "out of range jump", 119 .insns = { 120 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 121 BPF_EXIT_INSN(), 122 }, 123 .errstr = "jump out of range", 124 .result = REJECT, 125 }, 126 { 127 "out of range jump2", 128 .insns = { 129 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 130 BPF_EXIT_INSN(), 131 }, 132 .errstr = "jump out of range", 133 .result = REJECT, 134 }, 135 { 136 "test1 ld_imm64", 137 .insns = { 138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 139 BPF_LD_IMM64(BPF_REG_0, 0), 140 BPF_LD_IMM64(BPF_REG_0, 0), 141 BPF_LD_IMM64(BPF_REG_0, 1), 142 BPF_LD_IMM64(BPF_REG_0, 1), 143 BPF_MOV64_IMM(BPF_REG_0, 2), 144 BPF_EXIT_INSN(), 145 }, 146 .errstr = "invalid BPF_LD_IMM insn", 147 .errstr_unpriv = "R1 pointer comparison", 148 .result = REJECT, 149 }, 150 { 151 "test2 ld_imm64", 152 .insns = { 153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 154 BPF_LD_IMM64(BPF_REG_0, 0), 155 BPF_LD_IMM64(BPF_REG_0, 0), 156 BPF_LD_IMM64(BPF_REG_0, 1), 157 BPF_LD_IMM64(BPF_REG_0, 1), 158 BPF_EXIT_INSN(), 159 }, 160 .errstr = "invalid BPF_LD_IMM insn", 161 .errstr_unpriv = "R1 pointer comparison", 162 .result = REJECT, 163 }, 164 { 165 "test3 ld_imm64", 166 .insns = { 167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 169 BPF_LD_IMM64(BPF_REG_0, 0), 170 BPF_LD_IMM64(BPF_REG_0, 0), 171 BPF_LD_IMM64(BPF_REG_0, 1), 172 BPF_LD_IMM64(BPF_REG_0, 1), 173 BPF_EXIT_INSN(), 174 }, 175 .errstr = "invalid bpf_ld_imm64 insn", 176 .result = REJECT, 177 }, 178 { 179 "test4 ld_imm64", 180 .insns = { 181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 182 BPF_EXIT_INSN(), 183 }, 184 .errstr = "invalid bpf_ld_imm64 insn", 185 .result = REJECT, 186 }, 187 { 188 "test5 ld_imm64", 189 .insns = { 190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 191 }, 192 .errstr = "invalid bpf_ld_imm64 insn", 193 .result = REJECT, 194 }, 195 { 196 "test6 ld_imm64", 197 .insns = { 198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 199 BPF_RAW_INSN(0, 0, 0, 0, 0), 200 BPF_EXIT_INSN(), 201 }, 202 .result = ACCEPT, 203 }, 204 { 205 "test7 ld_imm64", 206 .insns = { 207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 208 BPF_RAW_INSN(0, 0, 0, 0, 1), 209 BPF_EXIT_INSN(), 210 }, 211 .result = ACCEPT, 212 }, 213 { 214 "test8 ld_imm64", 215 .insns = { 216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1), 217 BPF_RAW_INSN(0, 0, 0, 0, 1), 218 BPF_EXIT_INSN(), 219 }, 220 .errstr = "uses reserved fields", 221 .result = REJECT, 222 }, 223 { 224 "test9 ld_imm64", 225 .insns = { 226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 227 BPF_RAW_INSN(0, 0, 0, 1, 1), 228 BPF_EXIT_INSN(), 229 }, 230 .errstr = "invalid bpf_ld_imm64 insn", 231 .result = REJECT, 232 }, 233 { 234 "test10 ld_imm64", 235 .insns = { 236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1), 238 BPF_EXIT_INSN(), 239 }, 240 .errstr = "invalid bpf_ld_imm64 insn", 241 .result = REJECT, 242 }, 243 { 244 "test11 ld_imm64", 245 .insns = { 246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 248 BPF_EXIT_INSN(), 249 }, 250 .errstr = "invalid bpf_ld_imm64 insn", 251 .result = REJECT, 252 }, 253 { 254 "test12 ld_imm64", 255 .insns = { 256 BPF_MOV64_IMM(BPF_REG_1, 0), 257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 258 BPF_RAW_INSN(0, 0, 0, 0, 1), 259 BPF_EXIT_INSN(), 260 }, 261 .errstr = "not pointing to valid bpf_map", 262 .result = REJECT, 263 }, 264 { 265 "test13 ld_imm64", 266 .insns = { 267 BPF_MOV64_IMM(BPF_REG_1, 0), 268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 270 BPF_EXIT_INSN(), 271 }, 272 .errstr = "invalid bpf_ld_imm64 insn", 273 .result = REJECT, 274 }, 275 { 276 "no bpf_exit", 277 .insns = { 278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 279 }, 280 .errstr = "jump out of range", 281 .result = REJECT, 282 }, 283 { 284 "loop (back-edge)", 285 .insns = { 286 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 287 BPF_EXIT_INSN(), 288 }, 289 .errstr = "back-edge", 290 .result = REJECT, 291 }, 292 { 293 "loop2 (back-edge)", 294 .insns = { 295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 298 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 299 BPF_EXIT_INSN(), 300 }, 301 .errstr = "back-edge", 302 .result = REJECT, 303 }, 304 { 305 "conditional loop", 306 .insns = { 307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 311 BPF_EXIT_INSN(), 312 }, 313 .errstr = "back-edge", 314 .result = REJECT, 315 }, 316 { 317 "read uninitialized register", 318 .insns = { 319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 320 BPF_EXIT_INSN(), 321 }, 322 .errstr = "R2 !read_ok", 323 .result = REJECT, 324 }, 325 { 326 "read invalid register", 327 .insns = { 328 BPF_MOV64_REG(BPF_REG_0, -1), 329 BPF_EXIT_INSN(), 330 }, 331 .errstr = "R15 is invalid", 332 .result = REJECT, 333 }, 334 { 335 "program doesn't init R0 before exit", 336 .insns = { 337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 338 BPF_EXIT_INSN(), 339 }, 340 .errstr = "R0 !read_ok", 341 .result = REJECT, 342 }, 343 { 344 "program doesn't init R0 before exit in all branches", 345 .insns = { 346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 347 BPF_MOV64_IMM(BPF_REG_0, 1), 348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 349 BPF_EXIT_INSN(), 350 }, 351 .errstr = "R0 !read_ok", 352 .errstr_unpriv = "R1 pointer comparison", 353 .result = REJECT, 354 }, 355 { 356 "stack out of bounds", 357 .insns = { 358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 359 BPF_EXIT_INSN(), 360 }, 361 .errstr = "invalid stack", 362 .result = REJECT, 363 }, 364 { 365 "invalid call insn1", 366 .insns = { 367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 368 BPF_EXIT_INSN(), 369 }, 370 .errstr = "BPF_CALL uses reserved", 371 .result = REJECT, 372 }, 373 { 374 "invalid call insn2", 375 .insns = { 376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 377 BPF_EXIT_INSN(), 378 }, 379 .errstr = "BPF_CALL uses reserved", 380 .result = REJECT, 381 }, 382 { 383 "invalid function call", 384 .insns = { 385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 386 BPF_EXIT_INSN(), 387 }, 388 .errstr = "invalid func unknown#1234567", 389 .result = REJECT, 390 }, 391 { 392 "uninitialized stack1", 393 .insns = { 394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 396 BPF_LD_MAP_FD(BPF_REG_1, 0), 397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 398 BPF_FUNC_map_lookup_elem), 399 BPF_EXIT_INSN(), 400 }, 401 .fixup_map1 = { 2 }, 402 .errstr = "invalid indirect read from stack", 403 .result = REJECT, 404 }, 405 { 406 "uninitialized stack2", 407 .insns = { 408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 410 BPF_EXIT_INSN(), 411 }, 412 .errstr = "invalid read from stack", 413 .result = REJECT, 414 }, 415 { 416 "invalid fp arithmetic", 417 /* If this gets ever changed, make sure JITs can deal with it. */ 418 .insns = { 419 BPF_MOV64_IMM(BPF_REG_0, 0), 420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8), 422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 423 BPF_EXIT_INSN(), 424 }, 425 .errstr = "R1 subtraction from stack pointer", 426 .result = REJECT, 427 }, 428 { 429 "non-invalid fp arithmetic", 430 .insns = { 431 BPF_MOV64_IMM(BPF_REG_0, 0), 432 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 433 BPF_EXIT_INSN(), 434 }, 435 .result = ACCEPT, 436 }, 437 { 438 "invalid argument register", 439 .insns = { 440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 441 BPF_FUNC_get_cgroup_classid), 442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 443 BPF_FUNC_get_cgroup_classid), 444 BPF_EXIT_INSN(), 445 }, 446 .errstr = "R1 !read_ok", 447 .result = REJECT, 448 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 449 }, 450 { 451 "non-invalid argument register", 452 .insns = { 453 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 455 BPF_FUNC_get_cgroup_classid), 456 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 458 BPF_FUNC_get_cgroup_classid), 459 BPF_EXIT_INSN(), 460 }, 461 .result = ACCEPT, 462 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 463 }, 464 { 465 "check valid spill/fill", 466 .insns = { 467 /* spill R1(ctx) into stack */ 468 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 469 /* fill it back into R2 */ 470 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 471 /* should be able to access R0 = *(R2 + 8) */ 472 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 473 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 474 BPF_EXIT_INSN(), 475 }, 476 .errstr_unpriv = "R0 leaks addr", 477 .result = ACCEPT, 478 .result_unpriv = REJECT, 479 }, 480 { 481 "check valid spill/fill, skb mark", 482 .insns = { 483 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 484 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 485 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 486 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 487 offsetof(struct __sk_buff, mark)), 488 BPF_EXIT_INSN(), 489 }, 490 .result = ACCEPT, 491 .result_unpriv = ACCEPT, 492 }, 493 { 494 "check corrupted spill/fill", 495 .insns = { 496 /* spill R1(ctx) into stack */ 497 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 498 /* mess up with R1 pointer on stack */ 499 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 500 /* fill back into R0 should fail */ 501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 502 BPF_EXIT_INSN(), 503 }, 504 .errstr_unpriv = "attempt to corrupt spilled", 505 .errstr = "corrupted spill", 506 .result = REJECT, 507 }, 508 { 509 "invalid src register in STX", 510 .insns = { 511 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 512 BPF_EXIT_INSN(), 513 }, 514 .errstr = "R15 is invalid", 515 .result = REJECT, 516 }, 517 { 518 "invalid dst register in STX", 519 .insns = { 520 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 521 BPF_EXIT_INSN(), 522 }, 523 .errstr = "R14 is invalid", 524 .result = REJECT, 525 }, 526 { 527 "invalid dst register in ST", 528 .insns = { 529 BPF_ST_MEM(BPF_B, 14, -1, -1), 530 BPF_EXIT_INSN(), 531 }, 532 .errstr = "R14 is invalid", 533 .result = REJECT, 534 }, 535 { 536 "invalid src register in LDX", 537 .insns = { 538 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 539 BPF_EXIT_INSN(), 540 }, 541 .errstr = "R12 is invalid", 542 .result = REJECT, 543 }, 544 { 545 "invalid dst register in LDX", 546 .insns = { 547 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 548 BPF_EXIT_INSN(), 549 }, 550 .errstr = "R11 is invalid", 551 .result = REJECT, 552 }, 553 { 554 "junk insn", 555 .insns = { 556 BPF_RAW_INSN(0, 0, 0, 0, 0), 557 BPF_EXIT_INSN(), 558 }, 559 .errstr = "invalid BPF_LD_IMM", 560 .result = REJECT, 561 }, 562 { 563 "junk insn2", 564 .insns = { 565 BPF_RAW_INSN(1, 0, 0, 0, 0), 566 BPF_EXIT_INSN(), 567 }, 568 .errstr = "BPF_LDX uses reserved fields", 569 .result = REJECT, 570 }, 571 { 572 "junk insn3", 573 .insns = { 574 BPF_RAW_INSN(-1, 0, 0, 0, 0), 575 BPF_EXIT_INSN(), 576 }, 577 .errstr = "invalid BPF_ALU opcode f0", 578 .result = REJECT, 579 }, 580 { 581 "junk insn4", 582 .insns = { 583 BPF_RAW_INSN(-1, -1, -1, -1, -1), 584 BPF_EXIT_INSN(), 585 }, 586 .errstr = "invalid BPF_ALU opcode f0", 587 .result = REJECT, 588 }, 589 { 590 "junk insn5", 591 .insns = { 592 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 593 BPF_EXIT_INSN(), 594 }, 595 .errstr = "BPF_ALU uses reserved fields", 596 .result = REJECT, 597 }, 598 { 599 "misaligned read from stack", 600 .insns = { 601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 602 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 603 BPF_EXIT_INSN(), 604 }, 605 .errstr = "misaligned stack access", 606 .result = REJECT, 607 }, 608 { 609 "invalid map_fd for function call", 610 .insns = { 611 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 612 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 614 BPF_LD_MAP_FD(BPF_REG_1, 0), 615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 616 BPF_FUNC_map_delete_elem), 617 BPF_EXIT_INSN(), 618 }, 619 .errstr = "fd 0 is not pointing to valid bpf_map", 620 .result = REJECT, 621 }, 622 { 623 "don't check return value before access", 624 .insns = { 625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 628 BPF_LD_MAP_FD(BPF_REG_1, 0), 629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 630 BPF_FUNC_map_lookup_elem), 631 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 632 BPF_EXIT_INSN(), 633 }, 634 .fixup_map1 = { 3 }, 635 .errstr = "R0 invalid mem access 'map_value_or_null'", 636 .result = REJECT, 637 }, 638 { 639 "access memory with incorrect alignment", 640 .insns = { 641 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 642 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 644 BPF_LD_MAP_FD(BPF_REG_1, 0), 645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 646 BPF_FUNC_map_lookup_elem), 647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 648 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 649 BPF_EXIT_INSN(), 650 }, 651 .fixup_map1 = { 3 }, 652 .errstr = "misaligned value access", 653 .result = REJECT, 654 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 655 }, 656 { 657 "sometimes access memory with incorrect alignment", 658 .insns = { 659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 662 BPF_LD_MAP_FD(BPF_REG_1, 0), 663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 664 BPF_FUNC_map_lookup_elem), 665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 667 BPF_EXIT_INSN(), 668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 669 BPF_EXIT_INSN(), 670 }, 671 .fixup_map1 = { 3 }, 672 .errstr = "R0 invalid mem access", 673 .errstr_unpriv = "R0 leaks addr", 674 .result = REJECT, 675 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 676 }, 677 { 678 "jump test 1", 679 .insns = { 680 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 681 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 683 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 685 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 687 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 689 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 691 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 693 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 694 BPF_MOV64_IMM(BPF_REG_0, 0), 695 BPF_EXIT_INSN(), 696 }, 697 .errstr_unpriv = "R1 pointer comparison", 698 .result_unpriv = REJECT, 699 .result = ACCEPT, 700 }, 701 { 702 "jump test 2", 703 .insns = { 704 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 706 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 707 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 710 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 713 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 716 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 719 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 722 BPF_MOV64_IMM(BPF_REG_0, 0), 723 BPF_EXIT_INSN(), 724 }, 725 .errstr_unpriv = "R1 pointer comparison", 726 .result_unpriv = REJECT, 727 .result = ACCEPT, 728 }, 729 { 730 "jump test 3", 731 .insns = { 732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 734 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 736 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 738 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 740 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 741 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 742 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 744 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 745 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 746 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 748 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 750 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 752 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 754 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 756 BPF_LD_MAP_FD(BPF_REG_1, 0), 757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 758 BPF_FUNC_map_delete_elem), 759 BPF_EXIT_INSN(), 760 }, 761 .fixup_map1 = { 24 }, 762 .errstr_unpriv = "R1 pointer comparison", 763 .result_unpriv = REJECT, 764 .result = ACCEPT, 765 }, 766 { 767 "jump test 4", 768 .insns = { 769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 809 BPF_MOV64_IMM(BPF_REG_0, 0), 810 BPF_EXIT_INSN(), 811 }, 812 .errstr_unpriv = "R1 pointer comparison", 813 .result_unpriv = REJECT, 814 .result = ACCEPT, 815 }, 816 { 817 "jump test 5", 818 .insns = { 819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 820 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 821 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 822 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 823 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 824 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 825 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 826 BPF_MOV64_IMM(BPF_REG_0, 0), 827 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 828 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 829 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 830 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 831 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 832 BPF_MOV64_IMM(BPF_REG_0, 0), 833 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 834 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 835 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 836 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 837 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 838 BPF_MOV64_IMM(BPF_REG_0, 0), 839 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 840 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 841 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 842 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 843 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 844 BPF_MOV64_IMM(BPF_REG_0, 0), 845 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 846 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 847 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 848 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 849 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 850 BPF_MOV64_IMM(BPF_REG_0, 0), 851 BPF_EXIT_INSN(), 852 }, 853 .errstr_unpriv = "R1 pointer comparison", 854 .result_unpriv = REJECT, 855 .result = ACCEPT, 856 }, 857 { 858 "access skb fields ok", 859 .insns = { 860 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 861 offsetof(struct __sk_buff, len)), 862 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 864 offsetof(struct __sk_buff, mark)), 865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 867 offsetof(struct __sk_buff, pkt_type)), 868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 870 offsetof(struct __sk_buff, queue_mapping)), 871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 873 offsetof(struct __sk_buff, protocol)), 874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 876 offsetof(struct __sk_buff, vlan_present)), 877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 879 offsetof(struct __sk_buff, vlan_tci)), 880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 882 offsetof(struct __sk_buff, napi_id)), 883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 884 BPF_EXIT_INSN(), 885 }, 886 .result = ACCEPT, 887 }, 888 { 889 "access skb fields bad1", 890 .insns = { 891 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 892 BPF_EXIT_INSN(), 893 }, 894 .errstr = "invalid bpf_context access", 895 .result = REJECT, 896 }, 897 { 898 "access skb fields bad2", 899 .insns = { 900 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 901 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 902 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 904 BPF_LD_MAP_FD(BPF_REG_1, 0), 905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 906 BPF_FUNC_map_lookup_elem), 907 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 908 BPF_EXIT_INSN(), 909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 910 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 911 offsetof(struct __sk_buff, pkt_type)), 912 BPF_EXIT_INSN(), 913 }, 914 .fixup_map1 = { 4 }, 915 .errstr = "different pointers", 916 .errstr_unpriv = "R1 pointer comparison", 917 .result = REJECT, 918 }, 919 { 920 "access skb fields bad3", 921 .insns = { 922 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 923 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 924 offsetof(struct __sk_buff, pkt_type)), 925 BPF_EXIT_INSN(), 926 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 929 BPF_LD_MAP_FD(BPF_REG_1, 0), 930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 931 BPF_FUNC_map_lookup_elem), 932 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 933 BPF_EXIT_INSN(), 934 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 935 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 936 }, 937 .fixup_map1 = { 6 }, 938 .errstr = "different pointers", 939 .errstr_unpriv = "R1 pointer comparison", 940 .result = REJECT, 941 }, 942 { 943 "access skb fields bad4", 944 .insns = { 945 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 947 offsetof(struct __sk_buff, len)), 948 BPF_MOV64_IMM(BPF_REG_0, 0), 949 BPF_EXIT_INSN(), 950 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 953 BPF_LD_MAP_FD(BPF_REG_1, 0), 954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 955 BPF_FUNC_map_lookup_elem), 956 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 957 BPF_EXIT_INSN(), 958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 959 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 960 }, 961 .fixup_map1 = { 7 }, 962 .errstr = "different pointers", 963 .errstr_unpriv = "R1 pointer comparison", 964 .result = REJECT, 965 }, 966 { 967 "invalid access __sk_buff family", 968 .insns = { 969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 970 offsetof(struct __sk_buff, family)), 971 BPF_EXIT_INSN(), 972 }, 973 .errstr = "invalid bpf_context access", 974 .result = REJECT, 975 }, 976 { 977 "invalid access __sk_buff remote_ip4", 978 .insns = { 979 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 980 offsetof(struct __sk_buff, remote_ip4)), 981 BPF_EXIT_INSN(), 982 }, 983 .errstr = "invalid bpf_context access", 984 .result = REJECT, 985 }, 986 { 987 "invalid access __sk_buff local_ip4", 988 .insns = { 989 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 990 offsetof(struct __sk_buff, local_ip4)), 991 BPF_EXIT_INSN(), 992 }, 993 .errstr = "invalid bpf_context access", 994 .result = REJECT, 995 }, 996 { 997 "invalid access __sk_buff remote_ip6", 998 .insns = { 999 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1000 offsetof(struct __sk_buff, remote_ip6)), 1001 BPF_EXIT_INSN(), 1002 }, 1003 .errstr = "invalid bpf_context access", 1004 .result = REJECT, 1005 }, 1006 { 1007 "invalid access __sk_buff local_ip6", 1008 .insns = { 1009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1010 offsetof(struct __sk_buff, local_ip6)), 1011 BPF_EXIT_INSN(), 1012 }, 1013 .errstr = "invalid bpf_context access", 1014 .result = REJECT, 1015 }, 1016 { 1017 "invalid access __sk_buff remote_port", 1018 .insns = { 1019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1020 offsetof(struct __sk_buff, remote_port)), 1021 BPF_EXIT_INSN(), 1022 }, 1023 .errstr = "invalid bpf_context access", 1024 .result = REJECT, 1025 }, 1026 { 1027 "invalid access __sk_buff remote_port", 1028 .insns = { 1029 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1030 offsetof(struct __sk_buff, local_port)), 1031 BPF_EXIT_INSN(), 1032 }, 1033 .errstr = "invalid bpf_context access", 1034 .result = REJECT, 1035 }, 1036 { 1037 "valid access __sk_buff family", 1038 .insns = { 1039 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1040 offsetof(struct __sk_buff, family)), 1041 BPF_EXIT_INSN(), 1042 }, 1043 .result = ACCEPT, 1044 .prog_type = BPF_PROG_TYPE_SK_SKB, 1045 }, 1046 { 1047 "valid access __sk_buff remote_ip4", 1048 .insns = { 1049 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1050 offsetof(struct __sk_buff, remote_ip4)), 1051 BPF_EXIT_INSN(), 1052 }, 1053 .result = ACCEPT, 1054 .prog_type = BPF_PROG_TYPE_SK_SKB, 1055 }, 1056 { 1057 "valid access __sk_buff local_ip4", 1058 .insns = { 1059 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1060 offsetof(struct __sk_buff, local_ip4)), 1061 BPF_EXIT_INSN(), 1062 }, 1063 .result = ACCEPT, 1064 .prog_type = BPF_PROG_TYPE_SK_SKB, 1065 }, 1066 { 1067 "valid access __sk_buff remote_ip6", 1068 .insns = { 1069 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1070 offsetof(struct __sk_buff, remote_ip6[0])), 1071 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1072 offsetof(struct __sk_buff, remote_ip6[1])), 1073 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1074 offsetof(struct __sk_buff, remote_ip6[2])), 1075 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1076 offsetof(struct __sk_buff, remote_ip6[3])), 1077 BPF_EXIT_INSN(), 1078 }, 1079 .result = ACCEPT, 1080 .prog_type = BPF_PROG_TYPE_SK_SKB, 1081 }, 1082 { 1083 "valid access __sk_buff local_ip6", 1084 .insns = { 1085 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1086 offsetof(struct __sk_buff, local_ip6[0])), 1087 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1088 offsetof(struct __sk_buff, local_ip6[1])), 1089 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1090 offsetof(struct __sk_buff, local_ip6[2])), 1091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1092 offsetof(struct __sk_buff, local_ip6[3])), 1093 BPF_EXIT_INSN(), 1094 }, 1095 .result = ACCEPT, 1096 .prog_type = BPF_PROG_TYPE_SK_SKB, 1097 }, 1098 { 1099 "valid access __sk_buff remote_port", 1100 .insns = { 1101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1102 offsetof(struct __sk_buff, remote_port)), 1103 BPF_EXIT_INSN(), 1104 }, 1105 .result = ACCEPT, 1106 .prog_type = BPF_PROG_TYPE_SK_SKB, 1107 }, 1108 { 1109 "valid access __sk_buff remote_port", 1110 .insns = { 1111 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1112 offsetof(struct __sk_buff, local_port)), 1113 BPF_EXIT_INSN(), 1114 }, 1115 .result = ACCEPT, 1116 .prog_type = BPF_PROG_TYPE_SK_SKB, 1117 }, 1118 { 1119 "invalid access of tc_classid for SK_SKB", 1120 .insns = { 1121 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1122 offsetof(struct __sk_buff, tc_classid)), 1123 BPF_EXIT_INSN(), 1124 }, 1125 .result = REJECT, 1126 .prog_type = BPF_PROG_TYPE_SK_SKB, 1127 .errstr = "invalid bpf_context access", 1128 }, 1129 { 1130 "invalid access of skb->mark for SK_SKB", 1131 .insns = { 1132 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1133 offsetof(struct __sk_buff, mark)), 1134 BPF_EXIT_INSN(), 1135 }, 1136 .result = REJECT, 1137 .prog_type = BPF_PROG_TYPE_SK_SKB, 1138 .errstr = "invalid bpf_context access", 1139 }, 1140 { 1141 "check skb->mark is not writeable by SK_SKB", 1142 .insns = { 1143 BPF_MOV64_IMM(BPF_REG_0, 0), 1144 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1145 offsetof(struct __sk_buff, mark)), 1146 BPF_EXIT_INSN(), 1147 }, 1148 .result = REJECT, 1149 .prog_type = BPF_PROG_TYPE_SK_SKB, 1150 .errstr = "invalid bpf_context access", 1151 }, 1152 { 1153 "check skb->tc_index is writeable by SK_SKB", 1154 .insns = { 1155 BPF_MOV64_IMM(BPF_REG_0, 0), 1156 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1157 offsetof(struct __sk_buff, tc_index)), 1158 BPF_EXIT_INSN(), 1159 }, 1160 .result = ACCEPT, 1161 .prog_type = BPF_PROG_TYPE_SK_SKB, 1162 }, 1163 { 1164 "check skb->priority is writeable by SK_SKB", 1165 .insns = { 1166 BPF_MOV64_IMM(BPF_REG_0, 0), 1167 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1168 offsetof(struct __sk_buff, priority)), 1169 BPF_EXIT_INSN(), 1170 }, 1171 .result = ACCEPT, 1172 .prog_type = BPF_PROG_TYPE_SK_SKB, 1173 }, 1174 { 1175 "direct packet read for SK_SKB", 1176 .insns = { 1177 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1178 offsetof(struct __sk_buff, data)), 1179 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1180 offsetof(struct __sk_buff, data_end)), 1181 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1183 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 1185 BPF_MOV64_IMM(BPF_REG_0, 0), 1186 BPF_EXIT_INSN(), 1187 }, 1188 .result = ACCEPT, 1189 .prog_type = BPF_PROG_TYPE_SK_SKB, 1190 }, 1191 { 1192 "direct packet write for SK_SKB", 1193 .insns = { 1194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1195 offsetof(struct __sk_buff, data)), 1196 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1197 offsetof(struct __sk_buff, data_end)), 1198 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1200 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1201 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 1202 BPF_MOV64_IMM(BPF_REG_0, 0), 1203 BPF_EXIT_INSN(), 1204 }, 1205 .result = ACCEPT, 1206 .prog_type = BPF_PROG_TYPE_SK_SKB, 1207 }, 1208 { 1209 "overlapping checks for direct packet access SK_SKB", 1210 .insns = { 1211 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1212 offsetof(struct __sk_buff, data)), 1213 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1214 offsetof(struct __sk_buff, data_end)), 1215 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1217 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 1218 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 1219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 1220 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 1221 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 1222 BPF_MOV64_IMM(BPF_REG_0, 0), 1223 BPF_EXIT_INSN(), 1224 }, 1225 .result = ACCEPT, 1226 .prog_type = BPF_PROG_TYPE_SK_SKB, 1227 }, 1228 { 1229 "check skb->mark is not writeable by sockets", 1230 .insns = { 1231 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1232 offsetof(struct __sk_buff, mark)), 1233 BPF_EXIT_INSN(), 1234 }, 1235 .errstr = "invalid bpf_context access", 1236 .errstr_unpriv = "R1 leaks addr", 1237 .result = REJECT, 1238 }, 1239 { 1240 "check skb->tc_index is not writeable by sockets", 1241 .insns = { 1242 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1243 offsetof(struct __sk_buff, tc_index)), 1244 BPF_EXIT_INSN(), 1245 }, 1246 .errstr = "invalid bpf_context access", 1247 .errstr_unpriv = "R1 leaks addr", 1248 .result = REJECT, 1249 }, 1250 { 1251 "check cb access: byte", 1252 .insns = { 1253 BPF_MOV64_IMM(BPF_REG_0, 0), 1254 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1255 offsetof(struct __sk_buff, cb[0])), 1256 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1257 offsetof(struct __sk_buff, cb[0]) + 1), 1258 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1259 offsetof(struct __sk_buff, cb[0]) + 2), 1260 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1261 offsetof(struct __sk_buff, cb[0]) + 3), 1262 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1263 offsetof(struct __sk_buff, cb[1])), 1264 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1265 offsetof(struct __sk_buff, cb[1]) + 1), 1266 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1267 offsetof(struct __sk_buff, cb[1]) + 2), 1268 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1269 offsetof(struct __sk_buff, cb[1]) + 3), 1270 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1271 offsetof(struct __sk_buff, cb[2])), 1272 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1273 offsetof(struct __sk_buff, cb[2]) + 1), 1274 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1275 offsetof(struct __sk_buff, cb[2]) + 2), 1276 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1277 offsetof(struct __sk_buff, cb[2]) + 3), 1278 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1279 offsetof(struct __sk_buff, cb[3])), 1280 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1281 offsetof(struct __sk_buff, cb[3]) + 1), 1282 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1283 offsetof(struct __sk_buff, cb[3]) + 2), 1284 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1285 offsetof(struct __sk_buff, cb[3]) + 3), 1286 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1287 offsetof(struct __sk_buff, cb[4])), 1288 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1289 offsetof(struct __sk_buff, cb[4]) + 1), 1290 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1291 offsetof(struct __sk_buff, cb[4]) + 2), 1292 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1293 offsetof(struct __sk_buff, cb[4]) + 3), 1294 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1295 offsetof(struct __sk_buff, cb[0])), 1296 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1297 offsetof(struct __sk_buff, cb[0]) + 1), 1298 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1299 offsetof(struct __sk_buff, cb[0]) + 2), 1300 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1301 offsetof(struct __sk_buff, cb[0]) + 3), 1302 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1303 offsetof(struct __sk_buff, cb[1])), 1304 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1305 offsetof(struct __sk_buff, cb[1]) + 1), 1306 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1307 offsetof(struct __sk_buff, cb[1]) + 2), 1308 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1309 offsetof(struct __sk_buff, cb[1]) + 3), 1310 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1311 offsetof(struct __sk_buff, cb[2])), 1312 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1313 offsetof(struct __sk_buff, cb[2]) + 1), 1314 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1315 offsetof(struct __sk_buff, cb[2]) + 2), 1316 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1317 offsetof(struct __sk_buff, cb[2]) + 3), 1318 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1319 offsetof(struct __sk_buff, cb[3])), 1320 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1321 offsetof(struct __sk_buff, cb[3]) + 1), 1322 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1323 offsetof(struct __sk_buff, cb[3]) + 2), 1324 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1325 offsetof(struct __sk_buff, cb[3]) + 3), 1326 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1327 offsetof(struct __sk_buff, cb[4])), 1328 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1329 offsetof(struct __sk_buff, cb[4]) + 1), 1330 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1331 offsetof(struct __sk_buff, cb[4]) + 2), 1332 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1333 offsetof(struct __sk_buff, cb[4]) + 3), 1334 BPF_EXIT_INSN(), 1335 }, 1336 .result = ACCEPT, 1337 }, 1338 { 1339 "__sk_buff->hash, offset 0, byte store not permitted", 1340 .insns = { 1341 BPF_MOV64_IMM(BPF_REG_0, 0), 1342 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1343 offsetof(struct __sk_buff, hash)), 1344 BPF_EXIT_INSN(), 1345 }, 1346 .errstr = "invalid bpf_context access", 1347 .result = REJECT, 1348 }, 1349 { 1350 "__sk_buff->tc_index, offset 3, byte store not permitted", 1351 .insns = { 1352 BPF_MOV64_IMM(BPF_REG_0, 0), 1353 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1354 offsetof(struct __sk_buff, tc_index) + 3), 1355 BPF_EXIT_INSN(), 1356 }, 1357 .errstr = "invalid bpf_context access", 1358 .result = REJECT, 1359 }, 1360 { 1361 "check skb->hash byte load permitted", 1362 .insns = { 1363 BPF_MOV64_IMM(BPF_REG_0, 0), 1364 #if __BYTE_ORDER == __LITTLE_ENDIAN 1365 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1366 offsetof(struct __sk_buff, hash)), 1367 #else 1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1369 offsetof(struct __sk_buff, hash) + 3), 1370 #endif 1371 BPF_EXIT_INSN(), 1372 }, 1373 .result = ACCEPT, 1374 }, 1375 { 1376 "check skb->hash byte load not permitted 1", 1377 .insns = { 1378 BPF_MOV64_IMM(BPF_REG_0, 0), 1379 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1380 offsetof(struct __sk_buff, hash) + 1), 1381 BPF_EXIT_INSN(), 1382 }, 1383 .errstr = "invalid bpf_context access", 1384 .result = REJECT, 1385 }, 1386 { 1387 "check skb->hash byte load not permitted 2", 1388 .insns = { 1389 BPF_MOV64_IMM(BPF_REG_0, 0), 1390 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1391 offsetof(struct __sk_buff, hash) + 2), 1392 BPF_EXIT_INSN(), 1393 }, 1394 .errstr = "invalid bpf_context access", 1395 .result = REJECT, 1396 }, 1397 { 1398 "check skb->hash byte load not permitted 3", 1399 .insns = { 1400 BPF_MOV64_IMM(BPF_REG_0, 0), 1401 #if __BYTE_ORDER == __LITTLE_ENDIAN 1402 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1403 offsetof(struct __sk_buff, hash) + 3), 1404 #else 1405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1406 offsetof(struct __sk_buff, hash)), 1407 #endif 1408 BPF_EXIT_INSN(), 1409 }, 1410 .errstr = "invalid bpf_context access", 1411 .result = REJECT, 1412 }, 1413 { 1414 "check cb access: byte, wrong type", 1415 .insns = { 1416 BPF_MOV64_IMM(BPF_REG_0, 0), 1417 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1418 offsetof(struct __sk_buff, cb[0])), 1419 BPF_EXIT_INSN(), 1420 }, 1421 .errstr = "invalid bpf_context access", 1422 .result = REJECT, 1423 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1424 }, 1425 { 1426 "check cb access: half", 1427 .insns = { 1428 BPF_MOV64_IMM(BPF_REG_0, 0), 1429 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1430 offsetof(struct __sk_buff, cb[0])), 1431 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1432 offsetof(struct __sk_buff, cb[0]) + 2), 1433 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1434 offsetof(struct __sk_buff, cb[1])), 1435 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1436 offsetof(struct __sk_buff, cb[1]) + 2), 1437 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1438 offsetof(struct __sk_buff, cb[2])), 1439 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1440 offsetof(struct __sk_buff, cb[2]) + 2), 1441 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1442 offsetof(struct __sk_buff, cb[3])), 1443 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1444 offsetof(struct __sk_buff, cb[3]) + 2), 1445 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1446 offsetof(struct __sk_buff, cb[4])), 1447 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1448 offsetof(struct __sk_buff, cb[4]) + 2), 1449 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1450 offsetof(struct __sk_buff, cb[0])), 1451 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1452 offsetof(struct __sk_buff, cb[0]) + 2), 1453 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1454 offsetof(struct __sk_buff, cb[1])), 1455 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1456 offsetof(struct __sk_buff, cb[1]) + 2), 1457 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1458 offsetof(struct __sk_buff, cb[2])), 1459 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1460 offsetof(struct __sk_buff, cb[2]) + 2), 1461 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1462 offsetof(struct __sk_buff, cb[3])), 1463 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1464 offsetof(struct __sk_buff, cb[3]) + 2), 1465 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1466 offsetof(struct __sk_buff, cb[4])), 1467 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1468 offsetof(struct __sk_buff, cb[4]) + 2), 1469 BPF_EXIT_INSN(), 1470 }, 1471 .result = ACCEPT, 1472 }, 1473 { 1474 "check cb access: half, unaligned", 1475 .insns = { 1476 BPF_MOV64_IMM(BPF_REG_0, 0), 1477 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1478 offsetof(struct __sk_buff, cb[0]) + 1), 1479 BPF_EXIT_INSN(), 1480 }, 1481 .errstr = "misaligned context access", 1482 .result = REJECT, 1483 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1484 }, 1485 { 1486 "check __sk_buff->hash, offset 0, half store not permitted", 1487 .insns = { 1488 BPF_MOV64_IMM(BPF_REG_0, 0), 1489 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1490 offsetof(struct __sk_buff, hash)), 1491 BPF_EXIT_INSN(), 1492 }, 1493 .errstr = "invalid bpf_context access", 1494 .result = REJECT, 1495 }, 1496 { 1497 "check __sk_buff->tc_index, offset 2, half store not permitted", 1498 .insns = { 1499 BPF_MOV64_IMM(BPF_REG_0, 0), 1500 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1501 offsetof(struct __sk_buff, tc_index) + 2), 1502 BPF_EXIT_INSN(), 1503 }, 1504 .errstr = "invalid bpf_context access", 1505 .result = REJECT, 1506 }, 1507 { 1508 "check skb->hash half load permitted", 1509 .insns = { 1510 BPF_MOV64_IMM(BPF_REG_0, 0), 1511 #if __BYTE_ORDER == __LITTLE_ENDIAN 1512 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1513 offsetof(struct __sk_buff, hash)), 1514 #else 1515 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1516 offsetof(struct __sk_buff, hash) + 2), 1517 #endif 1518 BPF_EXIT_INSN(), 1519 }, 1520 .result = ACCEPT, 1521 }, 1522 { 1523 "check skb->hash half load not permitted", 1524 .insns = { 1525 BPF_MOV64_IMM(BPF_REG_0, 0), 1526 #if __BYTE_ORDER == __LITTLE_ENDIAN 1527 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1528 offsetof(struct __sk_buff, hash) + 2), 1529 #else 1530 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1531 offsetof(struct __sk_buff, hash)), 1532 #endif 1533 BPF_EXIT_INSN(), 1534 }, 1535 .errstr = "invalid bpf_context access", 1536 .result = REJECT, 1537 }, 1538 { 1539 "check cb access: half, wrong type", 1540 .insns = { 1541 BPF_MOV64_IMM(BPF_REG_0, 0), 1542 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1543 offsetof(struct __sk_buff, cb[0])), 1544 BPF_EXIT_INSN(), 1545 }, 1546 .errstr = "invalid bpf_context access", 1547 .result = REJECT, 1548 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1549 }, 1550 { 1551 "check cb access: word", 1552 .insns = { 1553 BPF_MOV64_IMM(BPF_REG_0, 0), 1554 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1555 offsetof(struct __sk_buff, cb[0])), 1556 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1557 offsetof(struct __sk_buff, cb[1])), 1558 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1559 offsetof(struct __sk_buff, cb[2])), 1560 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1561 offsetof(struct __sk_buff, cb[3])), 1562 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1563 offsetof(struct __sk_buff, cb[4])), 1564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1565 offsetof(struct __sk_buff, cb[0])), 1566 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1567 offsetof(struct __sk_buff, cb[1])), 1568 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1569 offsetof(struct __sk_buff, cb[2])), 1570 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1571 offsetof(struct __sk_buff, cb[3])), 1572 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1573 offsetof(struct __sk_buff, cb[4])), 1574 BPF_EXIT_INSN(), 1575 }, 1576 .result = ACCEPT, 1577 }, 1578 { 1579 "check cb access: word, unaligned 1", 1580 .insns = { 1581 BPF_MOV64_IMM(BPF_REG_0, 0), 1582 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1583 offsetof(struct __sk_buff, cb[0]) + 2), 1584 BPF_EXIT_INSN(), 1585 }, 1586 .errstr = "misaligned context access", 1587 .result = REJECT, 1588 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1589 }, 1590 { 1591 "check cb access: word, unaligned 2", 1592 .insns = { 1593 BPF_MOV64_IMM(BPF_REG_0, 0), 1594 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1595 offsetof(struct __sk_buff, cb[4]) + 1), 1596 BPF_EXIT_INSN(), 1597 }, 1598 .errstr = "misaligned context access", 1599 .result = REJECT, 1600 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1601 }, 1602 { 1603 "check cb access: word, unaligned 3", 1604 .insns = { 1605 BPF_MOV64_IMM(BPF_REG_0, 0), 1606 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1607 offsetof(struct __sk_buff, cb[4]) + 2), 1608 BPF_EXIT_INSN(), 1609 }, 1610 .errstr = "misaligned context access", 1611 .result = REJECT, 1612 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1613 }, 1614 { 1615 "check cb access: word, unaligned 4", 1616 .insns = { 1617 BPF_MOV64_IMM(BPF_REG_0, 0), 1618 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1619 offsetof(struct __sk_buff, cb[4]) + 3), 1620 BPF_EXIT_INSN(), 1621 }, 1622 .errstr = "misaligned context access", 1623 .result = REJECT, 1624 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1625 }, 1626 { 1627 "check cb access: double", 1628 .insns = { 1629 BPF_MOV64_IMM(BPF_REG_0, 0), 1630 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1631 offsetof(struct __sk_buff, cb[0])), 1632 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1633 offsetof(struct __sk_buff, cb[2])), 1634 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1635 offsetof(struct __sk_buff, cb[0])), 1636 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1637 offsetof(struct __sk_buff, cb[2])), 1638 BPF_EXIT_INSN(), 1639 }, 1640 .result = ACCEPT, 1641 }, 1642 { 1643 "check cb access: double, unaligned 1", 1644 .insns = { 1645 BPF_MOV64_IMM(BPF_REG_0, 0), 1646 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1647 offsetof(struct __sk_buff, cb[1])), 1648 BPF_EXIT_INSN(), 1649 }, 1650 .errstr = "misaligned context access", 1651 .result = REJECT, 1652 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1653 }, 1654 { 1655 "check cb access: double, unaligned 2", 1656 .insns = { 1657 BPF_MOV64_IMM(BPF_REG_0, 0), 1658 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1659 offsetof(struct __sk_buff, cb[3])), 1660 BPF_EXIT_INSN(), 1661 }, 1662 .errstr = "misaligned context access", 1663 .result = REJECT, 1664 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1665 }, 1666 { 1667 "check cb access: double, oob 1", 1668 .insns = { 1669 BPF_MOV64_IMM(BPF_REG_0, 0), 1670 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1671 offsetof(struct __sk_buff, cb[4])), 1672 BPF_EXIT_INSN(), 1673 }, 1674 .errstr = "invalid bpf_context access", 1675 .result = REJECT, 1676 }, 1677 { 1678 "check cb access: double, oob 2", 1679 .insns = { 1680 BPF_MOV64_IMM(BPF_REG_0, 0), 1681 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1682 offsetof(struct __sk_buff, cb[4])), 1683 BPF_EXIT_INSN(), 1684 }, 1685 .errstr = "invalid bpf_context access", 1686 .result = REJECT, 1687 }, 1688 { 1689 "check __sk_buff->ifindex dw store not permitted", 1690 .insns = { 1691 BPF_MOV64_IMM(BPF_REG_0, 0), 1692 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1693 offsetof(struct __sk_buff, ifindex)), 1694 BPF_EXIT_INSN(), 1695 }, 1696 .errstr = "invalid bpf_context access", 1697 .result = REJECT, 1698 }, 1699 { 1700 "check __sk_buff->ifindex dw load not permitted", 1701 .insns = { 1702 BPF_MOV64_IMM(BPF_REG_0, 0), 1703 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1704 offsetof(struct __sk_buff, ifindex)), 1705 BPF_EXIT_INSN(), 1706 }, 1707 .errstr = "invalid bpf_context access", 1708 .result = REJECT, 1709 }, 1710 { 1711 "check cb access: double, wrong type", 1712 .insns = { 1713 BPF_MOV64_IMM(BPF_REG_0, 0), 1714 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1715 offsetof(struct __sk_buff, cb[0])), 1716 BPF_EXIT_INSN(), 1717 }, 1718 .errstr = "invalid bpf_context access", 1719 .result = REJECT, 1720 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1721 }, 1722 { 1723 "check out of range skb->cb access", 1724 .insns = { 1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1726 offsetof(struct __sk_buff, cb[0]) + 256), 1727 BPF_EXIT_INSN(), 1728 }, 1729 .errstr = "invalid bpf_context access", 1730 .errstr_unpriv = "", 1731 .result = REJECT, 1732 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 1733 }, 1734 { 1735 "write skb fields from socket prog", 1736 .insns = { 1737 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1738 offsetof(struct __sk_buff, cb[4])), 1739 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1741 offsetof(struct __sk_buff, mark)), 1742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1743 offsetof(struct __sk_buff, tc_index)), 1744 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1745 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1746 offsetof(struct __sk_buff, cb[0])), 1747 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1748 offsetof(struct __sk_buff, cb[2])), 1749 BPF_EXIT_INSN(), 1750 }, 1751 .result = ACCEPT, 1752 .errstr_unpriv = "R1 leaks addr", 1753 .result_unpriv = REJECT, 1754 }, 1755 { 1756 "write skb fields from tc_cls_act prog", 1757 .insns = { 1758 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1759 offsetof(struct __sk_buff, cb[0])), 1760 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1761 offsetof(struct __sk_buff, mark)), 1762 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1763 offsetof(struct __sk_buff, tc_index)), 1764 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1765 offsetof(struct __sk_buff, tc_index)), 1766 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1767 offsetof(struct __sk_buff, cb[3])), 1768 BPF_EXIT_INSN(), 1769 }, 1770 .errstr_unpriv = "", 1771 .result_unpriv = REJECT, 1772 .result = ACCEPT, 1773 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1774 }, 1775 { 1776 "PTR_TO_STACK store/load", 1777 .insns = { 1778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1780 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1781 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1782 BPF_EXIT_INSN(), 1783 }, 1784 .result = ACCEPT, 1785 }, 1786 { 1787 "PTR_TO_STACK store/load - bad alignment on off", 1788 .insns = { 1789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1791 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1792 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1793 BPF_EXIT_INSN(), 1794 }, 1795 .result = REJECT, 1796 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8", 1797 }, 1798 { 1799 "PTR_TO_STACK store/load - bad alignment on reg", 1800 .insns = { 1801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1803 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1804 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1805 BPF_EXIT_INSN(), 1806 }, 1807 .result = REJECT, 1808 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8", 1809 }, 1810 { 1811 "PTR_TO_STACK store/load - out of bounds low", 1812 .insns = { 1813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 1815 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1816 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1817 BPF_EXIT_INSN(), 1818 }, 1819 .result = REJECT, 1820 .errstr = "invalid stack off=-79992 size=8", 1821 }, 1822 { 1823 "PTR_TO_STACK store/load - out of bounds high", 1824 .insns = { 1825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1827 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1828 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1829 BPF_EXIT_INSN(), 1830 }, 1831 .result = REJECT, 1832 .errstr = "invalid stack off=0 size=8", 1833 }, 1834 { 1835 "unpriv: return pointer", 1836 .insns = { 1837 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 1838 BPF_EXIT_INSN(), 1839 }, 1840 .result = ACCEPT, 1841 .result_unpriv = REJECT, 1842 .errstr_unpriv = "R0 leaks addr", 1843 }, 1844 { 1845 "unpriv: add const to pointer", 1846 .insns = { 1847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 1848 BPF_MOV64_IMM(BPF_REG_0, 0), 1849 BPF_EXIT_INSN(), 1850 }, 1851 .result = ACCEPT, 1852 }, 1853 { 1854 "unpriv: add pointer to pointer", 1855 .insns = { 1856 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1857 BPF_MOV64_IMM(BPF_REG_0, 0), 1858 BPF_EXIT_INSN(), 1859 }, 1860 .result = REJECT, 1861 .errstr = "R1 pointer += pointer", 1862 }, 1863 { 1864 "unpriv: neg pointer", 1865 .insns = { 1866 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 1867 BPF_MOV64_IMM(BPF_REG_0, 0), 1868 BPF_EXIT_INSN(), 1869 }, 1870 .result = ACCEPT, 1871 .result_unpriv = REJECT, 1872 .errstr_unpriv = "R1 pointer arithmetic", 1873 }, 1874 { 1875 "unpriv: cmp pointer with const", 1876 .insns = { 1877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1878 BPF_MOV64_IMM(BPF_REG_0, 0), 1879 BPF_EXIT_INSN(), 1880 }, 1881 .result = ACCEPT, 1882 .result_unpriv = REJECT, 1883 .errstr_unpriv = "R1 pointer comparison", 1884 }, 1885 { 1886 "unpriv: cmp pointer with pointer", 1887 .insns = { 1888 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1889 BPF_MOV64_IMM(BPF_REG_0, 0), 1890 BPF_EXIT_INSN(), 1891 }, 1892 .result = ACCEPT, 1893 .result_unpriv = REJECT, 1894 .errstr_unpriv = "R10 pointer comparison", 1895 }, 1896 { 1897 "unpriv: check that printk is disallowed", 1898 .insns = { 1899 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1902 BPF_MOV64_IMM(BPF_REG_2, 8), 1903 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1905 BPF_FUNC_trace_printk), 1906 BPF_MOV64_IMM(BPF_REG_0, 0), 1907 BPF_EXIT_INSN(), 1908 }, 1909 .errstr_unpriv = "unknown func bpf_trace_printk#6", 1910 .result_unpriv = REJECT, 1911 .result = ACCEPT, 1912 }, 1913 { 1914 "unpriv: pass pointer to helper function", 1915 .insns = { 1916 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1919 BPF_LD_MAP_FD(BPF_REG_1, 0), 1920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1921 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 1922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1923 BPF_FUNC_map_update_elem), 1924 BPF_MOV64_IMM(BPF_REG_0, 0), 1925 BPF_EXIT_INSN(), 1926 }, 1927 .fixup_map1 = { 3 }, 1928 .errstr_unpriv = "R4 leaks addr", 1929 .result_unpriv = REJECT, 1930 .result = ACCEPT, 1931 }, 1932 { 1933 "unpriv: indirectly pass pointer on stack to helper function", 1934 .insns = { 1935 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1938 BPF_LD_MAP_FD(BPF_REG_1, 0), 1939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1940 BPF_FUNC_map_lookup_elem), 1941 BPF_MOV64_IMM(BPF_REG_0, 0), 1942 BPF_EXIT_INSN(), 1943 }, 1944 .fixup_map1 = { 3 }, 1945 .errstr = "invalid indirect read from stack off -8+0 size 8", 1946 .result = REJECT, 1947 }, 1948 { 1949 "unpriv: mangle pointer on stack 1", 1950 .insns = { 1951 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1952 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 1953 BPF_MOV64_IMM(BPF_REG_0, 0), 1954 BPF_EXIT_INSN(), 1955 }, 1956 .errstr_unpriv = "attempt to corrupt spilled", 1957 .result_unpriv = REJECT, 1958 .result = ACCEPT, 1959 }, 1960 { 1961 "unpriv: mangle pointer on stack 2", 1962 .insns = { 1963 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1964 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 1965 BPF_MOV64_IMM(BPF_REG_0, 0), 1966 BPF_EXIT_INSN(), 1967 }, 1968 .errstr_unpriv = "attempt to corrupt spilled", 1969 .result_unpriv = REJECT, 1970 .result = ACCEPT, 1971 }, 1972 { 1973 "unpriv: read pointer from stack in small chunks", 1974 .insns = { 1975 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1976 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 1977 BPF_MOV64_IMM(BPF_REG_0, 0), 1978 BPF_EXIT_INSN(), 1979 }, 1980 .errstr = "invalid size", 1981 .result = REJECT, 1982 }, 1983 { 1984 "unpriv: write pointer into ctx", 1985 .insns = { 1986 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 1987 BPF_MOV64_IMM(BPF_REG_0, 0), 1988 BPF_EXIT_INSN(), 1989 }, 1990 .errstr_unpriv = "R1 leaks addr", 1991 .result_unpriv = REJECT, 1992 .errstr = "invalid bpf_context access", 1993 .result = REJECT, 1994 }, 1995 { 1996 "unpriv: spill/fill of ctx", 1997 .insns = { 1998 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2000 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2001 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2002 BPF_MOV64_IMM(BPF_REG_0, 0), 2003 BPF_EXIT_INSN(), 2004 }, 2005 .result = ACCEPT, 2006 }, 2007 { 2008 "unpriv: spill/fill of ctx 2", 2009 .insns = { 2010 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2012 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2013 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2015 BPF_FUNC_get_hash_recalc), 2016 BPF_EXIT_INSN(), 2017 }, 2018 .result = ACCEPT, 2019 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2020 }, 2021 { 2022 "unpriv: spill/fill of ctx 3", 2023 .insns = { 2024 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2026 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2027 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 2028 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2030 BPF_FUNC_get_hash_recalc), 2031 BPF_EXIT_INSN(), 2032 }, 2033 .result = REJECT, 2034 .errstr = "R1 type=fp expected=ctx", 2035 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2036 }, 2037 { 2038 "unpriv: spill/fill of ctx 4", 2039 .insns = { 2040 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2042 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2043 BPF_MOV64_IMM(BPF_REG_0, 1), 2044 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 2045 BPF_REG_0, -8, 0), 2046 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2048 BPF_FUNC_get_hash_recalc), 2049 BPF_EXIT_INSN(), 2050 }, 2051 .result = REJECT, 2052 .errstr = "R1 type=inv expected=ctx", 2053 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2054 }, 2055 { 2056 "unpriv: spill/fill of different pointers stx", 2057 .insns = { 2058 BPF_MOV64_IMM(BPF_REG_3, 42), 2059 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 2062 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 2064 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 2065 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 2066 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2067 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2068 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 2069 offsetof(struct __sk_buff, mark)), 2070 BPF_MOV64_IMM(BPF_REG_0, 0), 2071 BPF_EXIT_INSN(), 2072 }, 2073 .result = REJECT, 2074 .errstr = "same insn cannot be used with different pointers", 2075 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2076 }, 2077 { 2078 "unpriv: spill/fill of different pointers ldx", 2079 .insns = { 2080 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2082 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 2083 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 2085 -(__s32)offsetof(struct bpf_perf_event_data, 2086 sample_period) - 8), 2087 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 2088 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 2089 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2090 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2091 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 2092 offsetof(struct bpf_perf_event_data, 2093 sample_period)), 2094 BPF_MOV64_IMM(BPF_REG_0, 0), 2095 BPF_EXIT_INSN(), 2096 }, 2097 .result = REJECT, 2098 .errstr = "same insn cannot be used with different pointers", 2099 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 2100 }, 2101 { 2102 "unpriv: write pointer into map elem value", 2103 .insns = { 2104 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2107 BPF_LD_MAP_FD(BPF_REG_1, 0), 2108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2109 BPF_FUNC_map_lookup_elem), 2110 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 2111 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 2112 BPF_EXIT_INSN(), 2113 }, 2114 .fixup_map1 = { 3 }, 2115 .errstr_unpriv = "R0 leaks addr", 2116 .result_unpriv = REJECT, 2117 .result = ACCEPT, 2118 }, 2119 { 2120 "unpriv: partial copy of pointer", 2121 .insns = { 2122 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 2123 BPF_MOV64_IMM(BPF_REG_0, 0), 2124 BPF_EXIT_INSN(), 2125 }, 2126 .errstr_unpriv = "R10 partial copy", 2127 .result_unpriv = REJECT, 2128 .result = ACCEPT, 2129 }, 2130 { 2131 "unpriv: pass pointer to tail_call", 2132 .insns = { 2133 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 2134 BPF_LD_MAP_FD(BPF_REG_2, 0), 2135 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2136 BPF_FUNC_tail_call), 2137 BPF_MOV64_IMM(BPF_REG_0, 0), 2138 BPF_EXIT_INSN(), 2139 }, 2140 .fixup_prog = { 1 }, 2141 .errstr_unpriv = "R3 leaks addr into helper", 2142 .result_unpriv = REJECT, 2143 .result = ACCEPT, 2144 }, 2145 { 2146 "unpriv: cmp map pointer with zero", 2147 .insns = { 2148 BPF_MOV64_IMM(BPF_REG_1, 0), 2149 BPF_LD_MAP_FD(BPF_REG_1, 0), 2150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 2151 BPF_MOV64_IMM(BPF_REG_0, 0), 2152 BPF_EXIT_INSN(), 2153 }, 2154 .fixup_map1 = { 1 }, 2155 .errstr_unpriv = "R1 pointer comparison", 2156 .result_unpriv = REJECT, 2157 .result = ACCEPT, 2158 }, 2159 { 2160 "unpriv: write into frame pointer", 2161 .insns = { 2162 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 2163 BPF_MOV64_IMM(BPF_REG_0, 0), 2164 BPF_EXIT_INSN(), 2165 }, 2166 .errstr = "frame pointer is read only", 2167 .result = REJECT, 2168 }, 2169 { 2170 "unpriv: spill/fill frame pointer", 2171 .insns = { 2172 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2174 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 2175 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 2176 BPF_MOV64_IMM(BPF_REG_0, 0), 2177 BPF_EXIT_INSN(), 2178 }, 2179 .errstr = "frame pointer is read only", 2180 .result = REJECT, 2181 }, 2182 { 2183 "unpriv: cmp of frame pointer", 2184 .insns = { 2185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 2186 BPF_MOV64_IMM(BPF_REG_0, 0), 2187 BPF_EXIT_INSN(), 2188 }, 2189 .errstr_unpriv = "R10 pointer comparison", 2190 .result_unpriv = REJECT, 2191 .result = ACCEPT, 2192 }, 2193 { 2194 "unpriv: adding of fp", 2195 .insns = { 2196 BPF_MOV64_IMM(BPF_REG_0, 0), 2197 BPF_MOV64_IMM(BPF_REG_1, 0), 2198 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 2199 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 2200 BPF_EXIT_INSN(), 2201 }, 2202 .result = ACCEPT, 2203 }, 2204 { 2205 "unpriv: cmp of stack pointer", 2206 .insns = { 2207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 2210 BPF_MOV64_IMM(BPF_REG_0, 0), 2211 BPF_EXIT_INSN(), 2212 }, 2213 .errstr_unpriv = "R2 pointer comparison", 2214 .result_unpriv = REJECT, 2215 .result = ACCEPT, 2216 }, 2217 { 2218 "stack pointer arithmetic", 2219 .insns = { 2220 BPF_MOV64_IMM(BPF_REG_1, 4), 2221 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 2222 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 2223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 2224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 2225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 2226 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 2227 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 2228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2230 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 2231 BPF_MOV64_IMM(BPF_REG_0, 0), 2232 BPF_EXIT_INSN(), 2233 }, 2234 .result = ACCEPT, 2235 }, 2236 { 2237 "raw_stack: no skb_load_bytes", 2238 .insns = { 2239 BPF_MOV64_IMM(BPF_REG_2, 4), 2240 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2242 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2243 BPF_MOV64_IMM(BPF_REG_4, 8), 2244 /* Call to skb_load_bytes() omitted. */ 2245 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2246 BPF_EXIT_INSN(), 2247 }, 2248 .result = REJECT, 2249 .errstr = "invalid read from stack off -8+0 size 8", 2250 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2251 }, 2252 { 2253 "raw_stack: skb_load_bytes, negative len", 2254 .insns = { 2255 BPF_MOV64_IMM(BPF_REG_2, 4), 2256 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2258 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2259 BPF_MOV64_IMM(BPF_REG_4, -8), 2260 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2261 BPF_FUNC_skb_load_bytes), 2262 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2263 BPF_EXIT_INSN(), 2264 }, 2265 .result = REJECT, 2266 .errstr = "R4 min value is negative", 2267 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2268 }, 2269 { 2270 "raw_stack: skb_load_bytes, negative len 2", 2271 .insns = { 2272 BPF_MOV64_IMM(BPF_REG_2, 4), 2273 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2275 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2276 BPF_MOV64_IMM(BPF_REG_4, ~0), 2277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2278 BPF_FUNC_skb_load_bytes), 2279 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2280 BPF_EXIT_INSN(), 2281 }, 2282 .result = REJECT, 2283 .errstr = "R4 min value is negative", 2284 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2285 }, 2286 { 2287 "raw_stack: skb_load_bytes, zero len", 2288 .insns = { 2289 BPF_MOV64_IMM(BPF_REG_2, 4), 2290 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2292 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2293 BPF_MOV64_IMM(BPF_REG_4, 0), 2294 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2295 BPF_FUNC_skb_load_bytes), 2296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2297 BPF_EXIT_INSN(), 2298 }, 2299 .result = REJECT, 2300 .errstr = "invalid stack type R3", 2301 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2302 }, 2303 { 2304 "raw_stack: skb_load_bytes, no init", 2305 .insns = { 2306 BPF_MOV64_IMM(BPF_REG_2, 4), 2307 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2310 BPF_MOV64_IMM(BPF_REG_4, 8), 2311 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2312 BPF_FUNC_skb_load_bytes), 2313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2314 BPF_EXIT_INSN(), 2315 }, 2316 .result = ACCEPT, 2317 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2318 }, 2319 { 2320 "raw_stack: skb_load_bytes, init", 2321 .insns = { 2322 BPF_MOV64_IMM(BPF_REG_2, 4), 2323 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2325 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 2326 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2327 BPF_MOV64_IMM(BPF_REG_4, 8), 2328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2329 BPF_FUNC_skb_load_bytes), 2330 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2331 BPF_EXIT_INSN(), 2332 }, 2333 .result = ACCEPT, 2334 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2335 }, 2336 { 2337 "raw_stack: skb_load_bytes, spilled regs around bounds", 2338 .insns = { 2339 BPF_MOV64_IMM(BPF_REG_2, 4), 2340 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2342 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2343 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2344 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2345 BPF_MOV64_IMM(BPF_REG_4, 8), 2346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2347 BPF_FUNC_skb_load_bytes), 2348 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2349 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2351 offsetof(struct __sk_buff, mark)), 2352 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2353 offsetof(struct __sk_buff, priority)), 2354 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2355 BPF_EXIT_INSN(), 2356 }, 2357 .result = ACCEPT, 2358 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2359 }, 2360 { 2361 "raw_stack: skb_load_bytes, spilled regs corruption", 2362 .insns = { 2363 BPF_MOV64_IMM(BPF_REG_2, 4), 2364 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2366 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2367 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2368 BPF_MOV64_IMM(BPF_REG_4, 8), 2369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2370 BPF_FUNC_skb_load_bytes), 2371 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2373 offsetof(struct __sk_buff, mark)), 2374 BPF_EXIT_INSN(), 2375 }, 2376 .result = REJECT, 2377 .errstr = "R0 invalid mem access 'inv'", 2378 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2379 }, 2380 { 2381 "raw_stack: skb_load_bytes, spilled regs corruption 2", 2382 .insns = { 2383 BPF_MOV64_IMM(BPF_REG_2, 4), 2384 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2386 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2387 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2388 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2389 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2390 BPF_MOV64_IMM(BPF_REG_4, 8), 2391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2392 BPF_FUNC_skb_load_bytes), 2393 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2394 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2395 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2396 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2397 offsetof(struct __sk_buff, mark)), 2398 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2399 offsetof(struct __sk_buff, priority)), 2400 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 2402 offsetof(struct __sk_buff, pkt_type)), 2403 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2404 BPF_EXIT_INSN(), 2405 }, 2406 .result = REJECT, 2407 .errstr = "R3 invalid mem access 'inv'", 2408 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2409 }, 2410 { 2411 "raw_stack: skb_load_bytes, spilled regs + data", 2412 .insns = { 2413 BPF_MOV64_IMM(BPF_REG_2, 4), 2414 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2416 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2417 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2418 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2420 BPF_MOV64_IMM(BPF_REG_4, 8), 2421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2422 BPF_FUNC_skb_load_bytes), 2423 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2424 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2425 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2426 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2427 offsetof(struct __sk_buff, mark)), 2428 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2429 offsetof(struct __sk_buff, priority)), 2430 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2431 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2432 BPF_EXIT_INSN(), 2433 }, 2434 .result = ACCEPT, 2435 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2436 }, 2437 { 2438 "raw_stack: skb_load_bytes, invalid access 1", 2439 .insns = { 2440 BPF_MOV64_IMM(BPF_REG_2, 4), 2441 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 2443 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2444 BPF_MOV64_IMM(BPF_REG_4, 8), 2445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2446 BPF_FUNC_skb_load_bytes), 2447 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2448 BPF_EXIT_INSN(), 2449 }, 2450 .result = REJECT, 2451 .errstr = "invalid stack type R3 off=-513 access_size=8", 2452 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2453 }, 2454 { 2455 "raw_stack: skb_load_bytes, invalid access 2", 2456 .insns = { 2457 BPF_MOV64_IMM(BPF_REG_2, 4), 2458 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2460 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2461 BPF_MOV64_IMM(BPF_REG_4, 8), 2462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2463 BPF_FUNC_skb_load_bytes), 2464 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2465 BPF_EXIT_INSN(), 2466 }, 2467 .result = REJECT, 2468 .errstr = "invalid stack type R3 off=-1 access_size=8", 2469 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2470 }, 2471 { 2472 "raw_stack: skb_load_bytes, invalid access 3", 2473 .insns = { 2474 BPF_MOV64_IMM(BPF_REG_2, 4), 2475 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 2477 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2478 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2480 BPF_FUNC_skb_load_bytes), 2481 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2482 BPF_EXIT_INSN(), 2483 }, 2484 .result = REJECT, 2485 .errstr = "R4 min value is negative", 2486 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2487 }, 2488 { 2489 "raw_stack: skb_load_bytes, invalid access 4", 2490 .insns = { 2491 BPF_MOV64_IMM(BPF_REG_2, 4), 2492 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2494 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2495 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2497 BPF_FUNC_skb_load_bytes), 2498 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2499 BPF_EXIT_INSN(), 2500 }, 2501 .result = REJECT, 2502 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'", 2503 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2504 }, 2505 { 2506 "raw_stack: skb_load_bytes, invalid access 5", 2507 .insns = { 2508 BPF_MOV64_IMM(BPF_REG_2, 4), 2509 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2511 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2512 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2513 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2514 BPF_FUNC_skb_load_bytes), 2515 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2516 BPF_EXIT_INSN(), 2517 }, 2518 .result = REJECT, 2519 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'", 2520 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2521 }, 2522 { 2523 "raw_stack: skb_load_bytes, invalid access 6", 2524 .insns = { 2525 BPF_MOV64_IMM(BPF_REG_2, 4), 2526 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2528 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2529 BPF_MOV64_IMM(BPF_REG_4, 0), 2530 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2531 BPF_FUNC_skb_load_bytes), 2532 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2533 BPF_EXIT_INSN(), 2534 }, 2535 .result = REJECT, 2536 .errstr = "invalid stack type R3 off=-512 access_size=0", 2537 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2538 }, 2539 { 2540 "raw_stack: skb_load_bytes, large access", 2541 .insns = { 2542 BPF_MOV64_IMM(BPF_REG_2, 4), 2543 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2545 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2546 BPF_MOV64_IMM(BPF_REG_4, 512), 2547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2548 BPF_FUNC_skb_load_bytes), 2549 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2550 BPF_EXIT_INSN(), 2551 }, 2552 .result = ACCEPT, 2553 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2554 }, 2555 { 2556 "direct packet access: test1", 2557 .insns = { 2558 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2559 offsetof(struct __sk_buff, data)), 2560 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2561 offsetof(struct __sk_buff, data_end)), 2562 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2564 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2565 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2566 BPF_MOV64_IMM(BPF_REG_0, 0), 2567 BPF_EXIT_INSN(), 2568 }, 2569 .result = ACCEPT, 2570 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2571 }, 2572 { 2573 "direct packet access: test2", 2574 .insns = { 2575 BPF_MOV64_IMM(BPF_REG_0, 1), 2576 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 2577 offsetof(struct __sk_buff, data_end)), 2578 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2579 offsetof(struct __sk_buff, data)), 2580 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 2582 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 2583 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 2584 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 2585 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 2586 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2587 offsetof(struct __sk_buff, data)), 2588 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2589 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2590 offsetof(struct __sk_buff, len)), 2591 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49), 2592 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49), 2593 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 2594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 2595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2596 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2597 offsetof(struct __sk_buff, data_end)), 2598 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 2599 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 2600 BPF_MOV64_IMM(BPF_REG_0, 0), 2601 BPF_EXIT_INSN(), 2602 }, 2603 .result = ACCEPT, 2604 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2605 }, 2606 { 2607 "direct packet access: test3", 2608 .insns = { 2609 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2610 offsetof(struct __sk_buff, data)), 2611 BPF_MOV64_IMM(BPF_REG_0, 0), 2612 BPF_EXIT_INSN(), 2613 }, 2614 .errstr = "invalid bpf_context access off=76", 2615 .result = REJECT, 2616 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 2617 }, 2618 { 2619 "direct packet access: test4 (write)", 2620 .insns = { 2621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2622 offsetof(struct __sk_buff, data)), 2623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2624 offsetof(struct __sk_buff, data_end)), 2625 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2627 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2628 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2629 BPF_MOV64_IMM(BPF_REG_0, 0), 2630 BPF_EXIT_INSN(), 2631 }, 2632 .result = ACCEPT, 2633 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2634 }, 2635 { 2636 "direct packet access: test5 (pkt_end >= reg, good access)", 2637 .insns = { 2638 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2639 offsetof(struct __sk_buff, data)), 2640 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2641 offsetof(struct __sk_buff, data_end)), 2642 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2644 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2645 BPF_MOV64_IMM(BPF_REG_0, 1), 2646 BPF_EXIT_INSN(), 2647 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2648 BPF_MOV64_IMM(BPF_REG_0, 0), 2649 BPF_EXIT_INSN(), 2650 }, 2651 .result = ACCEPT, 2652 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2653 }, 2654 { 2655 "direct packet access: test6 (pkt_end >= reg, bad access)", 2656 .insns = { 2657 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2658 offsetof(struct __sk_buff, data)), 2659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2660 offsetof(struct __sk_buff, data_end)), 2661 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2663 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2664 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2665 BPF_MOV64_IMM(BPF_REG_0, 1), 2666 BPF_EXIT_INSN(), 2667 BPF_MOV64_IMM(BPF_REG_0, 0), 2668 BPF_EXIT_INSN(), 2669 }, 2670 .errstr = "invalid access to packet", 2671 .result = REJECT, 2672 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2673 }, 2674 { 2675 "direct packet access: test7 (pkt_end >= reg, both accesses)", 2676 .insns = { 2677 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2678 offsetof(struct __sk_buff, data)), 2679 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2680 offsetof(struct __sk_buff, data_end)), 2681 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2683 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2684 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2685 BPF_MOV64_IMM(BPF_REG_0, 1), 2686 BPF_EXIT_INSN(), 2687 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2688 BPF_MOV64_IMM(BPF_REG_0, 0), 2689 BPF_EXIT_INSN(), 2690 }, 2691 .errstr = "invalid access to packet", 2692 .result = REJECT, 2693 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2694 }, 2695 { 2696 "direct packet access: test8 (double test, variant 1)", 2697 .insns = { 2698 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2699 offsetof(struct __sk_buff, data)), 2700 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2701 offsetof(struct __sk_buff, data_end)), 2702 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2704 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 2705 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2706 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2707 BPF_MOV64_IMM(BPF_REG_0, 1), 2708 BPF_EXIT_INSN(), 2709 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2710 BPF_MOV64_IMM(BPF_REG_0, 0), 2711 BPF_EXIT_INSN(), 2712 }, 2713 .result = ACCEPT, 2714 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2715 }, 2716 { 2717 "direct packet access: test9 (double test, variant 2)", 2718 .insns = { 2719 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2720 offsetof(struct __sk_buff, data)), 2721 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2722 offsetof(struct __sk_buff, data_end)), 2723 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2725 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2726 BPF_MOV64_IMM(BPF_REG_0, 1), 2727 BPF_EXIT_INSN(), 2728 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2729 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2730 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2731 BPF_MOV64_IMM(BPF_REG_0, 0), 2732 BPF_EXIT_INSN(), 2733 }, 2734 .result = ACCEPT, 2735 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2736 }, 2737 { 2738 "direct packet access: test10 (write invalid)", 2739 .insns = { 2740 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2741 offsetof(struct __sk_buff, data)), 2742 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2743 offsetof(struct __sk_buff, data_end)), 2744 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2746 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 2747 BPF_MOV64_IMM(BPF_REG_0, 0), 2748 BPF_EXIT_INSN(), 2749 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2750 BPF_MOV64_IMM(BPF_REG_0, 0), 2751 BPF_EXIT_INSN(), 2752 }, 2753 .errstr = "invalid access to packet", 2754 .result = REJECT, 2755 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2756 }, 2757 { 2758 "direct packet access: test11 (shift, good access)", 2759 .insns = { 2760 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2761 offsetof(struct __sk_buff, data)), 2762 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2763 offsetof(struct __sk_buff, data_end)), 2764 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2766 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2767 BPF_MOV64_IMM(BPF_REG_3, 144), 2768 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2770 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 2771 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2772 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2773 BPF_MOV64_IMM(BPF_REG_0, 1), 2774 BPF_EXIT_INSN(), 2775 BPF_MOV64_IMM(BPF_REG_0, 0), 2776 BPF_EXIT_INSN(), 2777 }, 2778 .result = ACCEPT, 2779 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2780 }, 2781 { 2782 "direct packet access: test12 (and, good access)", 2783 .insns = { 2784 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2785 offsetof(struct __sk_buff, data)), 2786 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2787 offsetof(struct __sk_buff, data_end)), 2788 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2790 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2791 BPF_MOV64_IMM(BPF_REG_3, 144), 2792 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2794 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2795 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2796 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2797 BPF_MOV64_IMM(BPF_REG_0, 1), 2798 BPF_EXIT_INSN(), 2799 BPF_MOV64_IMM(BPF_REG_0, 0), 2800 BPF_EXIT_INSN(), 2801 }, 2802 .result = ACCEPT, 2803 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2804 }, 2805 { 2806 "direct packet access: test13 (branches, good access)", 2807 .insns = { 2808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2809 offsetof(struct __sk_buff, data)), 2810 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2811 offsetof(struct __sk_buff, data_end)), 2812 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2814 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 2815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2816 offsetof(struct __sk_buff, mark)), 2817 BPF_MOV64_IMM(BPF_REG_4, 1), 2818 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 2819 BPF_MOV64_IMM(BPF_REG_3, 14), 2820 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 2821 BPF_MOV64_IMM(BPF_REG_3, 24), 2822 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2824 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2825 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2826 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2827 BPF_MOV64_IMM(BPF_REG_0, 1), 2828 BPF_EXIT_INSN(), 2829 BPF_MOV64_IMM(BPF_REG_0, 0), 2830 BPF_EXIT_INSN(), 2831 }, 2832 .result = ACCEPT, 2833 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2834 }, 2835 { 2836 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 2837 .insns = { 2838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2839 offsetof(struct __sk_buff, data)), 2840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2841 offsetof(struct __sk_buff, data_end)), 2842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2844 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 2845 BPF_MOV64_IMM(BPF_REG_5, 12), 2846 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 2847 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2848 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2849 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 2850 BPF_MOV64_IMM(BPF_REG_0, 1), 2851 BPF_EXIT_INSN(), 2852 BPF_MOV64_IMM(BPF_REG_0, 0), 2853 BPF_EXIT_INSN(), 2854 }, 2855 .result = ACCEPT, 2856 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2857 }, 2858 { 2859 "direct packet access: test15 (spill with xadd)", 2860 .insns = { 2861 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2862 offsetof(struct __sk_buff, data)), 2863 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2864 offsetof(struct __sk_buff, data_end)), 2865 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2867 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2868 BPF_MOV64_IMM(BPF_REG_5, 4096), 2869 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 2870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 2871 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 2872 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0), 2873 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 2874 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0), 2875 BPF_MOV64_IMM(BPF_REG_0, 0), 2876 BPF_EXIT_INSN(), 2877 }, 2878 .errstr = "R2 invalid mem access 'inv'", 2879 .result = REJECT, 2880 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2881 }, 2882 { 2883 "direct packet access: test16 (arith on data_end)", 2884 .insns = { 2885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2886 offsetof(struct __sk_buff, data)), 2887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2888 offsetof(struct __sk_buff, data_end)), 2889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16), 2892 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2893 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2894 BPF_MOV64_IMM(BPF_REG_0, 0), 2895 BPF_EXIT_INSN(), 2896 }, 2897 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 2898 .result = REJECT, 2899 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2900 }, 2901 { 2902 "direct packet access: test17 (pruning, alignment)", 2903 .insns = { 2904 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2905 offsetof(struct __sk_buff, data)), 2906 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2907 offsetof(struct __sk_buff, data_end)), 2908 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2909 offsetof(struct __sk_buff, mark)), 2910 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14), 2912 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4), 2913 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2914 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4), 2915 BPF_MOV64_IMM(BPF_REG_0, 0), 2916 BPF_EXIT_INSN(), 2917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1), 2918 BPF_JMP_A(-6), 2919 }, 2920 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4", 2921 .result = REJECT, 2922 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2923 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2924 }, 2925 { 2926 "direct packet access: test18 (imm += pkt_ptr, 1)", 2927 .insns = { 2928 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2929 offsetof(struct __sk_buff, data)), 2930 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2931 offsetof(struct __sk_buff, data_end)), 2932 BPF_MOV64_IMM(BPF_REG_0, 8), 2933 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2934 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2935 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2936 BPF_MOV64_IMM(BPF_REG_0, 0), 2937 BPF_EXIT_INSN(), 2938 }, 2939 .result = ACCEPT, 2940 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2941 }, 2942 { 2943 "direct packet access: test19 (imm += pkt_ptr, 2)", 2944 .insns = { 2945 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2946 offsetof(struct __sk_buff, data)), 2947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2948 offsetof(struct __sk_buff, data_end)), 2949 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2951 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 2952 BPF_MOV64_IMM(BPF_REG_4, 4), 2953 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 2954 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0), 2955 BPF_MOV64_IMM(BPF_REG_0, 0), 2956 BPF_EXIT_INSN(), 2957 }, 2958 .result = ACCEPT, 2959 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2960 }, 2961 { 2962 "direct packet access: test20 (x += pkt_ptr, 1)", 2963 .insns = { 2964 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2965 offsetof(struct __sk_buff, data)), 2966 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2967 offsetof(struct __sk_buff, data_end)), 2968 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 2969 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 2970 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 2971 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff), 2972 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 2973 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 2974 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1), 2976 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 2977 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0), 2978 BPF_MOV64_IMM(BPF_REG_0, 0), 2979 BPF_EXIT_INSN(), 2980 }, 2981 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2982 .result = ACCEPT, 2983 }, 2984 { 2985 "direct packet access: test21 (x += pkt_ptr, 2)", 2986 .insns = { 2987 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2988 offsetof(struct __sk_buff, data)), 2989 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2990 offsetof(struct __sk_buff, data_end)), 2991 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2993 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9), 2994 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2995 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8), 2996 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 2997 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff), 2998 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 2999 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1), 3001 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 3002 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0), 3003 BPF_MOV64_IMM(BPF_REG_0, 0), 3004 BPF_EXIT_INSN(), 3005 }, 3006 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3007 .result = ACCEPT, 3008 }, 3009 { 3010 "direct packet access: test22 (x += pkt_ptr, 3)", 3011 .insns = { 3012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3013 offsetof(struct __sk_buff, data)), 3014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3015 offsetof(struct __sk_buff, data_end)), 3016 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3018 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8), 3019 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16), 3020 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16), 3021 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11), 3022 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 3023 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 3024 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8), 3025 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 3026 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49), 3027 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3028 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 3029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 3030 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 3031 BPF_MOV64_IMM(BPF_REG_2, 1), 3032 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0), 3033 BPF_MOV64_IMM(BPF_REG_0, 0), 3034 BPF_EXIT_INSN(), 3035 }, 3036 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3037 .result = ACCEPT, 3038 }, 3039 { 3040 "direct packet access: test23 (x += pkt_ptr, 4)", 3041 .insns = { 3042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3043 offsetof(struct __sk_buff, data)), 3044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3045 offsetof(struct __sk_buff, data_end)), 3046 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3047 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3049 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff), 3050 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3051 BPF_MOV64_IMM(BPF_REG_0, 31), 3052 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), 3053 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3054 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1), 3056 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3057 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0), 3058 BPF_MOV64_IMM(BPF_REG_0, 0), 3059 BPF_EXIT_INSN(), 3060 }, 3061 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3062 .result = REJECT, 3063 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)", 3064 }, 3065 { 3066 "direct packet access: test24 (x += pkt_ptr, 5)", 3067 .insns = { 3068 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3069 offsetof(struct __sk_buff, data)), 3070 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3071 offsetof(struct __sk_buff, data_end)), 3072 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3073 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3074 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3075 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff), 3076 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3077 BPF_MOV64_IMM(BPF_REG_0, 64), 3078 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), 3079 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3080 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1), 3082 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3083 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0), 3084 BPF_MOV64_IMM(BPF_REG_0, 0), 3085 BPF_EXIT_INSN(), 3086 }, 3087 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3088 .result = ACCEPT, 3089 }, 3090 { 3091 "direct packet access: test25 (marking on <, good access)", 3092 .insns = { 3093 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3094 offsetof(struct __sk_buff, data)), 3095 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3096 offsetof(struct __sk_buff, data_end)), 3097 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3099 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2), 3100 BPF_MOV64_IMM(BPF_REG_0, 0), 3101 BPF_EXIT_INSN(), 3102 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3103 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 3104 }, 3105 .result = ACCEPT, 3106 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3107 }, 3108 { 3109 "direct packet access: test26 (marking on <, bad access)", 3110 .insns = { 3111 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3112 offsetof(struct __sk_buff, data)), 3113 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3114 offsetof(struct __sk_buff, data_end)), 3115 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3117 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3), 3118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3119 BPF_MOV64_IMM(BPF_REG_0, 0), 3120 BPF_EXIT_INSN(), 3121 BPF_JMP_IMM(BPF_JA, 0, 0, -3), 3122 }, 3123 .result = REJECT, 3124 .errstr = "invalid access to packet", 3125 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3126 }, 3127 { 3128 "direct packet access: test27 (marking on <=, good access)", 3129 .insns = { 3130 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3131 offsetof(struct __sk_buff, data)), 3132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3133 offsetof(struct __sk_buff, data_end)), 3134 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3136 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1), 3137 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3138 BPF_MOV64_IMM(BPF_REG_0, 1), 3139 BPF_EXIT_INSN(), 3140 }, 3141 .result = ACCEPT, 3142 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3143 }, 3144 { 3145 "direct packet access: test28 (marking on <=, bad access)", 3146 .insns = { 3147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3148 offsetof(struct __sk_buff, data)), 3149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3150 offsetof(struct __sk_buff, data_end)), 3151 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3153 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2), 3154 BPF_MOV64_IMM(BPF_REG_0, 1), 3155 BPF_EXIT_INSN(), 3156 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3157 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 3158 }, 3159 .result = REJECT, 3160 .errstr = "invalid access to packet", 3161 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3162 }, 3163 { 3164 "helper access to packet: test1, valid packet_ptr range", 3165 .insns = { 3166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3167 offsetof(struct xdp_md, data)), 3168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3169 offsetof(struct xdp_md, data_end)), 3170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 3172 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 3173 BPF_LD_MAP_FD(BPF_REG_1, 0), 3174 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 3175 BPF_MOV64_IMM(BPF_REG_4, 0), 3176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3177 BPF_FUNC_map_update_elem), 3178 BPF_MOV64_IMM(BPF_REG_0, 0), 3179 BPF_EXIT_INSN(), 3180 }, 3181 .fixup_map1 = { 5 }, 3182 .result_unpriv = ACCEPT, 3183 .result = ACCEPT, 3184 .prog_type = BPF_PROG_TYPE_XDP, 3185 }, 3186 { 3187 "helper access to packet: test2, unchecked packet_ptr", 3188 .insns = { 3189 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3190 offsetof(struct xdp_md, data)), 3191 BPF_LD_MAP_FD(BPF_REG_1, 0), 3192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3193 BPF_FUNC_map_lookup_elem), 3194 BPF_MOV64_IMM(BPF_REG_0, 0), 3195 BPF_EXIT_INSN(), 3196 }, 3197 .fixup_map1 = { 1 }, 3198 .result = REJECT, 3199 .errstr = "invalid access to packet", 3200 .prog_type = BPF_PROG_TYPE_XDP, 3201 }, 3202 { 3203 "helper access to packet: test3, variable add", 3204 .insns = { 3205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3206 offsetof(struct xdp_md, data)), 3207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3208 offsetof(struct xdp_md, data_end)), 3209 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 3211 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 3212 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 3213 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3214 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 3215 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 3217 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 3218 BPF_LD_MAP_FD(BPF_REG_1, 0), 3219 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 3220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3221 BPF_FUNC_map_lookup_elem), 3222 BPF_MOV64_IMM(BPF_REG_0, 0), 3223 BPF_EXIT_INSN(), 3224 }, 3225 .fixup_map1 = { 11 }, 3226 .result = ACCEPT, 3227 .prog_type = BPF_PROG_TYPE_XDP, 3228 }, 3229 { 3230 "helper access to packet: test4, packet_ptr with bad range", 3231 .insns = { 3232 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3233 offsetof(struct xdp_md, data)), 3234 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3235 offsetof(struct xdp_md, data_end)), 3236 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 3238 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 3239 BPF_MOV64_IMM(BPF_REG_0, 0), 3240 BPF_EXIT_INSN(), 3241 BPF_LD_MAP_FD(BPF_REG_1, 0), 3242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3243 BPF_FUNC_map_lookup_elem), 3244 BPF_MOV64_IMM(BPF_REG_0, 0), 3245 BPF_EXIT_INSN(), 3246 }, 3247 .fixup_map1 = { 7 }, 3248 .result = REJECT, 3249 .errstr = "invalid access to packet", 3250 .prog_type = BPF_PROG_TYPE_XDP, 3251 }, 3252 { 3253 "helper access to packet: test5, packet_ptr with too short range", 3254 .insns = { 3255 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3256 offsetof(struct xdp_md, data)), 3257 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3258 offsetof(struct xdp_md, data_end)), 3259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 3260 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 3262 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 3263 BPF_LD_MAP_FD(BPF_REG_1, 0), 3264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3265 BPF_FUNC_map_lookup_elem), 3266 BPF_MOV64_IMM(BPF_REG_0, 0), 3267 BPF_EXIT_INSN(), 3268 }, 3269 .fixup_map1 = { 6 }, 3270 .result = REJECT, 3271 .errstr = "invalid access to packet", 3272 .prog_type = BPF_PROG_TYPE_XDP, 3273 }, 3274 { 3275 "helper access to packet: test6, cls valid packet_ptr range", 3276 .insns = { 3277 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3278 offsetof(struct __sk_buff, data)), 3279 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3280 offsetof(struct __sk_buff, data_end)), 3281 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 3283 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 3284 BPF_LD_MAP_FD(BPF_REG_1, 0), 3285 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 3286 BPF_MOV64_IMM(BPF_REG_4, 0), 3287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3288 BPF_FUNC_map_update_elem), 3289 BPF_MOV64_IMM(BPF_REG_0, 0), 3290 BPF_EXIT_INSN(), 3291 }, 3292 .fixup_map1 = { 5 }, 3293 .result = ACCEPT, 3294 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3295 }, 3296 { 3297 "helper access to packet: test7, cls unchecked packet_ptr", 3298 .insns = { 3299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3300 offsetof(struct __sk_buff, data)), 3301 BPF_LD_MAP_FD(BPF_REG_1, 0), 3302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3303 BPF_FUNC_map_lookup_elem), 3304 BPF_MOV64_IMM(BPF_REG_0, 0), 3305 BPF_EXIT_INSN(), 3306 }, 3307 .fixup_map1 = { 1 }, 3308 .result = REJECT, 3309 .errstr = "invalid access to packet", 3310 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3311 }, 3312 { 3313 "helper access to packet: test8, cls variable add", 3314 .insns = { 3315 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3316 offsetof(struct __sk_buff, data)), 3317 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3318 offsetof(struct __sk_buff, data_end)), 3319 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 3321 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 3322 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 3323 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3324 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 3325 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 3327 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 3328 BPF_LD_MAP_FD(BPF_REG_1, 0), 3329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 3330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3331 BPF_FUNC_map_lookup_elem), 3332 BPF_MOV64_IMM(BPF_REG_0, 0), 3333 BPF_EXIT_INSN(), 3334 }, 3335 .fixup_map1 = { 11 }, 3336 .result = ACCEPT, 3337 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3338 }, 3339 { 3340 "helper access to packet: test9, cls packet_ptr with bad range", 3341 .insns = { 3342 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3343 offsetof(struct __sk_buff, data)), 3344 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3345 offsetof(struct __sk_buff, data_end)), 3346 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 3348 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 3349 BPF_MOV64_IMM(BPF_REG_0, 0), 3350 BPF_EXIT_INSN(), 3351 BPF_LD_MAP_FD(BPF_REG_1, 0), 3352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3353 BPF_FUNC_map_lookup_elem), 3354 BPF_MOV64_IMM(BPF_REG_0, 0), 3355 BPF_EXIT_INSN(), 3356 }, 3357 .fixup_map1 = { 7 }, 3358 .result = REJECT, 3359 .errstr = "invalid access to packet", 3360 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3361 }, 3362 { 3363 "helper access to packet: test10, cls packet_ptr with too short range", 3364 .insns = { 3365 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3366 offsetof(struct __sk_buff, data)), 3367 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3368 offsetof(struct __sk_buff, data_end)), 3369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 3370 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 3372 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 3373 BPF_LD_MAP_FD(BPF_REG_1, 0), 3374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3375 BPF_FUNC_map_lookup_elem), 3376 BPF_MOV64_IMM(BPF_REG_0, 0), 3377 BPF_EXIT_INSN(), 3378 }, 3379 .fixup_map1 = { 6 }, 3380 .result = REJECT, 3381 .errstr = "invalid access to packet", 3382 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3383 }, 3384 { 3385 "helper access to packet: test11, cls unsuitable helper 1", 3386 .insns = { 3387 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3388 offsetof(struct __sk_buff, data)), 3389 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3390 offsetof(struct __sk_buff, data_end)), 3391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3392 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 3394 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 3395 BPF_MOV64_IMM(BPF_REG_2, 0), 3396 BPF_MOV64_IMM(BPF_REG_4, 42), 3397 BPF_MOV64_IMM(BPF_REG_5, 0), 3398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3399 BPF_FUNC_skb_store_bytes), 3400 BPF_MOV64_IMM(BPF_REG_0, 0), 3401 BPF_EXIT_INSN(), 3402 }, 3403 .result = REJECT, 3404 .errstr = "helper access to the packet", 3405 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3406 }, 3407 { 3408 "helper access to packet: test12, cls unsuitable helper 2", 3409 .insns = { 3410 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3411 offsetof(struct __sk_buff, data)), 3412 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3413 offsetof(struct __sk_buff, data_end)), 3414 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 3416 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 3417 BPF_MOV64_IMM(BPF_REG_2, 0), 3418 BPF_MOV64_IMM(BPF_REG_4, 4), 3419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3420 BPF_FUNC_skb_load_bytes), 3421 BPF_MOV64_IMM(BPF_REG_0, 0), 3422 BPF_EXIT_INSN(), 3423 }, 3424 .result = REJECT, 3425 .errstr = "helper access to the packet", 3426 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3427 }, 3428 { 3429 "helper access to packet: test13, cls helper ok", 3430 .insns = { 3431 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3432 offsetof(struct __sk_buff, data)), 3433 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3434 offsetof(struct __sk_buff, data_end)), 3435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3436 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3438 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3440 BPF_MOV64_IMM(BPF_REG_2, 4), 3441 BPF_MOV64_IMM(BPF_REG_3, 0), 3442 BPF_MOV64_IMM(BPF_REG_4, 0), 3443 BPF_MOV64_IMM(BPF_REG_5, 0), 3444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3445 BPF_FUNC_csum_diff), 3446 BPF_MOV64_IMM(BPF_REG_0, 0), 3447 BPF_EXIT_INSN(), 3448 }, 3449 .result = ACCEPT, 3450 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3451 }, 3452 { 3453 "helper access to packet: test14, cls helper ok sub", 3454 .insns = { 3455 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3456 offsetof(struct __sk_buff, data)), 3457 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3458 offsetof(struct __sk_buff, data_end)), 3459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3462 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3463 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 3464 BPF_MOV64_IMM(BPF_REG_2, 4), 3465 BPF_MOV64_IMM(BPF_REG_3, 0), 3466 BPF_MOV64_IMM(BPF_REG_4, 0), 3467 BPF_MOV64_IMM(BPF_REG_5, 0), 3468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3469 BPF_FUNC_csum_diff), 3470 BPF_MOV64_IMM(BPF_REG_0, 0), 3471 BPF_EXIT_INSN(), 3472 }, 3473 .result = ACCEPT, 3474 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3475 }, 3476 { 3477 "helper access to packet: test15, cls helper fail sub", 3478 .insns = { 3479 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3480 offsetof(struct __sk_buff, data)), 3481 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3482 offsetof(struct __sk_buff, data_end)), 3483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3486 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3487 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12), 3488 BPF_MOV64_IMM(BPF_REG_2, 4), 3489 BPF_MOV64_IMM(BPF_REG_3, 0), 3490 BPF_MOV64_IMM(BPF_REG_4, 0), 3491 BPF_MOV64_IMM(BPF_REG_5, 0), 3492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3493 BPF_FUNC_csum_diff), 3494 BPF_MOV64_IMM(BPF_REG_0, 0), 3495 BPF_EXIT_INSN(), 3496 }, 3497 .result = REJECT, 3498 .errstr = "invalid access to packet", 3499 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3500 }, 3501 { 3502 "helper access to packet: test16, cls helper fail range 1", 3503 .insns = { 3504 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3505 offsetof(struct __sk_buff, data)), 3506 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3507 offsetof(struct __sk_buff, data_end)), 3508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3511 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3513 BPF_MOV64_IMM(BPF_REG_2, 8), 3514 BPF_MOV64_IMM(BPF_REG_3, 0), 3515 BPF_MOV64_IMM(BPF_REG_4, 0), 3516 BPF_MOV64_IMM(BPF_REG_5, 0), 3517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3518 BPF_FUNC_csum_diff), 3519 BPF_MOV64_IMM(BPF_REG_0, 0), 3520 BPF_EXIT_INSN(), 3521 }, 3522 .result = REJECT, 3523 .errstr = "invalid access to packet", 3524 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3525 }, 3526 { 3527 "helper access to packet: test17, cls helper fail range 2", 3528 .insns = { 3529 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3530 offsetof(struct __sk_buff, data)), 3531 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3532 offsetof(struct __sk_buff, data_end)), 3533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3536 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3538 BPF_MOV64_IMM(BPF_REG_2, -9), 3539 BPF_MOV64_IMM(BPF_REG_3, 0), 3540 BPF_MOV64_IMM(BPF_REG_4, 0), 3541 BPF_MOV64_IMM(BPF_REG_5, 0), 3542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3543 BPF_FUNC_csum_diff), 3544 BPF_MOV64_IMM(BPF_REG_0, 0), 3545 BPF_EXIT_INSN(), 3546 }, 3547 .result = REJECT, 3548 .errstr = "R2 min value is negative", 3549 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3550 }, 3551 { 3552 "helper access to packet: test18, cls helper fail range 3", 3553 .insns = { 3554 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3555 offsetof(struct __sk_buff, data)), 3556 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3557 offsetof(struct __sk_buff, data_end)), 3558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3561 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3562 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3563 BPF_MOV64_IMM(BPF_REG_2, ~0), 3564 BPF_MOV64_IMM(BPF_REG_3, 0), 3565 BPF_MOV64_IMM(BPF_REG_4, 0), 3566 BPF_MOV64_IMM(BPF_REG_5, 0), 3567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3568 BPF_FUNC_csum_diff), 3569 BPF_MOV64_IMM(BPF_REG_0, 0), 3570 BPF_EXIT_INSN(), 3571 }, 3572 .result = REJECT, 3573 .errstr = "R2 min value is negative", 3574 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3575 }, 3576 { 3577 "helper access to packet: test19, cls helper range zero", 3578 .insns = { 3579 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3580 offsetof(struct __sk_buff, data)), 3581 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3582 offsetof(struct __sk_buff, data_end)), 3583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3584 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3586 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3588 BPF_MOV64_IMM(BPF_REG_2, 0), 3589 BPF_MOV64_IMM(BPF_REG_3, 0), 3590 BPF_MOV64_IMM(BPF_REG_4, 0), 3591 BPF_MOV64_IMM(BPF_REG_5, 0), 3592 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3593 BPF_FUNC_csum_diff), 3594 BPF_MOV64_IMM(BPF_REG_0, 0), 3595 BPF_EXIT_INSN(), 3596 }, 3597 .result = ACCEPT, 3598 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3599 }, 3600 { 3601 "helper access to packet: test20, pkt end as input", 3602 .insns = { 3603 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3604 offsetof(struct __sk_buff, data)), 3605 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3606 offsetof(struct __sk_buff, data_end)), 3607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3610 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 3612 BPF_MOV64_IMM(BPF_REG_2, 4), 3613 BPF_MOV64_IMM(BPF_REG_3, 0), 3614 BPF_MOV64_IMM(BPF_REG_4, 0), 3615 BPF_MOV64_IMM(BPF_REG_5, 0), 3616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3617 BPF_FUNC_csum_diff), 3618 BPF_MOV64_IMM(BPF_REG_0, 0), 3619 BPF_EXIT_INSN(), 3620 }, 3621 .result = REJECT, 3622 .errstr = "R1 type=pkt_end expected=fp", 3623 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3624 }, 3625 { 3626 "helper access to packet: test21, wrong reg", 3627 .insns = { 3628 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3629 offsetof(struct __sk_buff, data)), 3630 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3631 offsetof(struct __sk_buff, data_end)), 3632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3635 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3636 BPF_MOV64_IMM(BPF_REG_2, 4), 3637 BPF_MOV64_IMM(BPF_REG_3, 0), 3638 BPF_MOV64_IMM(BPF_REG_4, 0), 3639 BPF_MOV64_IMM(BPF_REG_5, 0), 3640 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3641 BPF_FUNC_csum_diff), 3642 BPF_MOV64_IMM(BPF_REG_0, 0), 3643 BPF_EXIT_INSN(), 3644 }, 3645 .result = REJECT, 3646 .errstr = "invalid access to packet", 3647 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3648 }, 3649 { 3650 "valid map access into an array with a constant", 3651 .insns = { 3652 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3653 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3655 BPF_LD_MAP_FD(BPF_REG_1, 0), 3656 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3657 BPF_FUNC_map_lookup_elem), 3658 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3659 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3660 offsetof(struct test_val, foo)), 3661 BPF_EXIT_INSN(), 3662 }, 3663 .fixup_map2 = { 3 }, 3664 .errstr_unpriv = "R0 leaks addr", 3665 .result_unpriv = REJECT, 3666 .result = ACCEPT, 3667 }, 3668 { 3669 "valid map access into an array with a register", 3670 .insns = { 3671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3674 BPF_LD_MAP_FD(BPF_REG_1, 0), 3675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3676 BPF_FUNC_map_lookup_elem), 3677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3678 BPF_MOV64_IMM(BPF_REG_1, 4), 3679 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3680 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3681 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3682 offsetof(struct test_val, foo)), 3683 BPF_EXIT_INSN(), 3684 }, 3685 .fixup_map2 = { 3 }, 3686 .errstr_unpriv = "R0 leaks addr", 3687 .result_unpriv = REJECT, 3688 .result = ACCEPT, 3689 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3690 }, 3691 { 3692 "valid map access into an array with a variable", 3693 .insns = { 3694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3697 BPF_LD_MAP_FD(BPF_REG_1, 0), 3698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3699 BPF_FUNC_map_lookup_elem), 3700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3701 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3702 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 3703 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3704 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3705 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3706 offsetof(struct test_val, foo)), 3707 BPF_EXIT_INSN(), 3708 }, 3709 .fixup_map2 = { 3 }, 3710 .errstr_unpriv = "R0 leaks addr", 3711 .result_unpriv = REJECT, 3712 .result = ACCEPT, 3713 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3714 }, 3715 { 3716 "valid map access into an array with a signed variable", 3717 .insns = { 3718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3721 BPF_LD_MAP_FD(BPF_REG_1, 0), 3722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3723 BPF_FUNC_map_lookup_elem), 3724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 3725 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3726 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 3727 BPF_MOV32_IMM(BPF_REG_1, 0), 3728 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3729 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3730 BPF_MOV32_IMM(BPF_REG_1, 0), 3731 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3732 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3733 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3734 offsetof(struct test_val, foo)), 3735 BPF_EXIT_INSN(), 3736 }, 3737 .fixup_map2 = { 3 }, 3738 .errstr_unpriv = "R0 leaks addr", 3739 .result_unpriv = REJECT, 3740 .result = ACCEPT, 3741 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3742 }, 3743 { 3744 "invalid map access into an array with a constant", 3745 .insns = { 3746 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3747 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3749 BPF_LD_MAP_FD(BPF_REG_1, 0), 3750 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3751 BPF_FUNC_map_lookup_elem), 3752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3753 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 3754 offsetof(struct test_val, foo)), 3755 BPF_EXIT_INSN(), 3756 }, 3757 .fixup_map2 = { 3 }, 3758 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 3759 .result = REJECT, 3760 }, 3761 { 3762 "invalid map access into an array with a register", 3763 .insns = { 3764 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3765 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3767 BPF_LD_MAP_FD(BPF_REG_1, 0), 3768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3769 BPF_FUNC_map_lookup_elem), 3770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3771 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 3772 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3773 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3774 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3775 offsetof(struct test_val, foo)), 3776 BPF_EXIT_INSN(), 3777 }, 3778 .fixup_map2 = { 3 }, 3779 .errstr = "R0 min value is outside of the array range", 3780 .result = REJECT, 3781 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3782 }, 3783 { 3784 "invalid map access into an array with a variable", 3785 .insns = { 3786 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3789 BPF_LD_MAP_FD(BPF_REG_1, 0), 3790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3791 BPF_FUNC_map_lookup_elem), 3792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3793 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3794 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3796 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3797 offsetof(struct test_val, foo)), 3798 BPF_EXIT_INSN(), 3799 }, 3800 .fixup_map2 = { 3 }, 3801 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 3802 .result = REJECT, 3803 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3804 }, 3805 { 3806 "invalid map access into an array with no floor check", 3807 .insns = { 3808 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3809 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3811 BPF_LD_MAP_FD(BPF_REG_1, 0), 3812 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3813 BPF_FUNC_map_lookup_elem), 3814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3815 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 3816 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3817 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3818 BPF_MOV32_IMM(BPF_REG_1, 0), 3819 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3820 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3821 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3822 offsetof(struct test_val, foo)), 3823 BPF_EXIT_INSN(), 3824 }, 3825 .fixup_map2 = { 3 }, 3826 .errstr_unpriv = "R0 leaks addr", 3827 .errstr = "R0 unbounded memory access", 3828 .result_unpriv = REJECT, 3829 .result = REJECT, 3830 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3831 }, 3832 { 3833 "invalid map access into an array with a invalid max check", 3834 .insns = { 3835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3838 BPF_LD_MAP_FD(BPF_REG_1, 0), 3839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3840 BPF_FUNC_map_lookup_elem), 3841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3842 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3843 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 3844 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3845 BPF_MOV32_IMM(BPF_REG_1, 0), 3846 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3847 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3848 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3849 offsetof(struct test_val, foo)), 3850 BPF_EXIT_INSN(), 3851 }, 3852 .fixup_map2 = { 3 }, 3853 .errstr_unpriv = "R0 leaks addr", 3854 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 3855 .result_unpriv = REJECT, 3856 .result = REJECT, 3857 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3858 }, 3859 { 3860 "invalid map access into an array with a invalid max check", 3861 .insns = { 3862 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3865 BPF_LD_MAP_FD(BPF_REG_1, 0), 3866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3867 BPF_FUNC_map_lookup_elem), 3868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 3869 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 3870 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3873 BPF_LD_MAP_FD(BPF_REG_1, 0), 3874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3875 BPF_FUNC_map_lookup_elem), 3876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 3877 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 3878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3879 offsetof(struct test_val, foo)), 3880 BPF_EXIT_INSN(), 3881 }, 3882 .fixup_map2 = { 3, 11 }, 3883 .errstr = "R0 pointer += pointer", 3884 .result = REJECT, 3885 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3886 }, 3887 { 3888 "multiple registers share map_lookup_elem result", 3889 .insns = { 3890 BPF_MOV64_IMM(BPF_REG_1, 10), 3891 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3894 BPF_LD_MAP_FD(BPF_REG_1, 0), 3895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3896 BPF_FUNC_map_lookup_elem), 3897 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3899 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3900 BPF_EXIT_INSN(), 3901 }, 3902 .fixup_map1 = { 4 }, 3903 .result = ACCEPT, 3904 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3905 }, 3906 { 3907 "alu ops on ptr_to_map_value_or_null, 1", 3908 .insns = { 3909 BPF_MOV64_IMM(BPF_REG_1, 10), 3910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3913 BPF_LD_MAP_FD(BPF_REG_1, 0), 3914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3915 BPF_FUNC_map_lookup_elem), 3916 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2), 3918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2), 3919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3920 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3921 BPF_EXIT_INSN(), 3922 }, 3923 .fixup_map1 = { 4 }, 3924 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 3925 .result = REJECT, 3926 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3927 }, 3928 { 3929 "alu ops on ptr_to_map_value_or_null, 2", 3930 .insns = { 3931 BPF_MOV64_IMM(BPF_REG_1, 10), 3932 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3933 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3935 BPF_LD_MAP_FD(BPF_REG_1, 0), 3936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3937 BPF_FUNC_map_lookup_elem), 3938 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3939 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1), 3940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3941 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3942 BPF_EXIT_INSN(), 3943 }, 3944 .fixup_map1 = { 4 }, 3945 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 3946 .result = REJECT, 3947 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3948 }, 3949 { 3950 "alu ops on ptr_to_map_value_or_null, 3", 3951 .insns = { 3952 BPF_MOV64_IMM(BPF_REG_1, 10), 3953 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3956 BPF_LD_MAP_FD(BPF_REG_1, 0), 3957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3958 BPF_FUNC_map_lookup_elem), 3959 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3960 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1), 3961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3962 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3963 BPF_EXIT_INSN(), 3964 }, 3965 .fixup_map1 = { 4 }, 3966 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 3967 .result = REJECT, 3968 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3969 }, 3970 { 3971 "invalid memory access with multiple map_lookup_elem calls", 3972 .insns = { 3973 BPF_MOV64_IMM(BPF_REG_1, 10), 3974 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3977 BPF_LD_MAP_FD(BPF_REG_1, 0), 3978 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3979 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3981 BPF_FUNC_map_lookup_elem), 3982 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3983 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3986 BPF_FUNC_map_lookup_elem), 3987 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3988 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3989 BPF_EXIT_INSN(), 3990 }, 3991 .fixup_map1 = { 4 }, 3992 .result = REJECT, 3993 .errstr = "R4 !read_ok", 3994 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3995 }, 3996 { 3997 "valid indirect map_lookup_elem access with 2nd lookup in branch", 3998 .insns = { 3999 BPF_MOV64_IMM(BPF_REG_1, 10), 4000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4003 BPF_LD_MAP_FD(BPF_REG_1, 0), 4004 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 4005 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 4006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4007 BPF_FUNC_map_lookup_elem), 4008 BPF_MOV64_IMM(BPF_REG_2, 10), 4009 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 4010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 4011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 4012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4013 BPF_FUNC_map_lookup_elem), 4014 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4016 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4017 BPF_EXIT_INSN(), 4018 }, 4019 .fixup_map1 = { 4 }, 4020 .result = ACCEPT, 4021 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4022 }, 4023 { 4024 "invalid map access from else condition", 4025 .insns = { 4026 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4029 BPF_LD_MAP_FD(BPF_REG_1, 0), 4030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4031 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4032 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4033 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 4034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 4035 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4036 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4037 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 4038 BPF_EXIT_INSN(), 4039 }, 4040 .fixup_map2 = { 3 }, 4041 .errstr = "R0 unbounded memory access", 4042 .result = REJECT, 4043 .errstr_unpriv = "R0 leaks addr", 4044 .result_unpriv = REJECT, 4045 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4046 }, 4047 { 4048 "constant register |= constant should keep constant type", 4049 .insns = { 4050 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4052 BPF_MOV64_IMM(BPF_REG_2, 34), 4053 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 4054 BPF_MOV64_IMM(BPF_REG_3, 0), 4055 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4056 BPF_EXIT_INSN(), 4057 }, 4058 .result = ACCEPT, 4059 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4060 }, 4061 { 4062 "constant register |= constant should not bypass stack boundary checks", 4063 .insns = { 4064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4066 BPF_MOV64_IMM(BPF_REG_2, 34), 4067 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 4068 BPF_MOV64_IMM(BPF_REG_3, 0), 4069 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4070 BPF_EXIT_INSN(), 4071 }, 4072 .errstr = "invalid stack type R1 off=-48 access_size=58", 4073 .result = REJECT, 4074 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4075 }, 4076 { 4077 "constant register |= constant register should keep constant type", 4078 .insns = { 4079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4081 BPF_MOV64_IMM(BPF_REG_2, 34), 4082 BPF_MOV64_IMM(BPF_REG_4, 13), 4083 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 4084 BPF_MOV64_IMM(BPF_REG_3, 0), 4085 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4086 BPF_EXIT_INSN(), 4087 }, 4088 .result = ACCEPT, 4089 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4090 }, 4091 { 4092 "constant register |= constant register should not bypass stack boundary checks", 4093 .insns = { 4094 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4096 BPF_MOV64_IMM(BPF_REG_2, 34), 4097 BPF_MOV64_IMM(BPF_REG_4, 24), 4098 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 4099 BPF_MOV64_IMM(BPF_REG_3, 0), 4100 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4101 BPF_EXIT_INSN(), 4102 }, 4103 .errstr = "invalid stack type R1 off=-48 access_size=58", 4104 .result = REJECT, 4105 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4106 }, 4107 { 4108 "invalid direct packet write for LWT_IN", 4109 .insns = { 4110 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4111 offsetof(struct __sk_buff, data)), 4112 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4113 offsetof(struct __sk_buff, data_end)), 4114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4116 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4117 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4118 BPF_MOV64_IMM(BPF_REG_0, 0), 4119 BPF_EXIT_INSN(), 4120 }, 4121 .errstr = "cannot write into packet", 4122 .result = REJECT, 4123 .prog_type = BPF_PROG_TYPE_LWT_IN, 4124 }, 4125 { 4126 "invalid direct packet write for LWT_OUT", 4127 .insns = { 4128 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4129 offsetof(struct __sk_buff, data)), 4130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4131 offsetof(struct __sk_buff, data_end)), 4132 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4134 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4135 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4136 BPF_MOV64_IMM(BPF_REG_0, 0), 4137 BPF_EXIT_INSN(), 4138 }, 4139 .errstr = "cannot write into packet", 4140 .result = REJECT, 4141 .prog_type = BPF_PROG_TYPE_LWT_OUT, 4142 }, 4143 { 4144 "direct packet write for LWT_XMIT", 4145 .insns = { 4146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4147 offsetof(struct __sk_buff, data)), 4148 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4149 offsetof(struct __sk_buff, data_end)), 4150 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4152 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4153 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4154 BPF_MOV64_IMM(BPF_REG_0, 0), 4155 BPF_EXIT_INSN(), 4156 }, 4157 .result = ACCEPT, 4158 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4159 }, 4160 { 4161 "direct packet read for LWT_IN", 4162 .insns = { 4163 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4164 offsetof(struct __sk_buff, data)), 4165 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4166 offsetof(struct __sk_buff, data_end)), 4167 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4169 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4170 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4171 BPF_MOV64_IMM(BPF_REG_0, 0), 4172 BPF_EXIT_INSN(), 4173 }, 4174 .result = ACCEPT, 4175 .prog_type = BPF_PROG_TYPE_LWT_IN, 4176 }, 4177 { 4178 "direct packet read for LWT_OUT", 4179 .insns = { 4180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4181 offsetof(struct __sk_buff, data)), 4182 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4183 offsetof(struct __sk_buff, data_end)), 4184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4188 BPF_MOV64_IMM(BPF_REG_0, 0), 4189 BPF_EXIT_INSN(), 4190 }, 4191 .result = ACCEPT, 4192 .prog_type = BPF_PROG_TYPE_LWT_OUT, 4193 }, 4194 { 4195 "direct packet read for LWT_XMIT", 4196 .insns = { 4197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4198 offsetof(struct __sk_buff, data)), 4199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4200 offsetof(struct __sk_buff, data_end)), 4201 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4203 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4204 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4205 BPF_MOV64_IMM(BPF_REG_0, 0), 4206 BPF_EXIT_INSN(), 4207 }, 4208 .result = ACCEPT, 4209 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4210 }, 4211 { 4212 "overlapping checks for direct packet access", 4213 .insns = { 4214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4215 offsetof(struct __sk_buff, data)), 4216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4217 offsetof(struct __sk_buff, data_end)), 4218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4220 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 4221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 4222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 4223 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 4224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 4225 BPF_MOV64_IMM(BPF_REG_0, 0), 4226 BPF_EXIT_INSN(), 4227 }, 4228 .result = ACCEPT, 4229 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4230 }, 4231 { 4232 "invalid access of tc_classid for LWT_IN", 4233 .insns = { 4234 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4235 offsetof(struct __sk_buff, tc_classid)), 4236 BPF_EXIT_INSN(), 4237 }, 4238 .result = REJECT, 4239 .errstr = "invalid bpf_context access", 4240 }, 4241 { 4242 "invalid access of tc_classid for LWT_OUT", 4243 .insns = { 4244 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4245 offsetof(struct __sk_buff, tc_classid)), 4246 BPF_EXIT_INSN(), 4247 }, 4248 .result = REJECT, 4249 .errstr = "invalid bpf_context access", 4250 }, 4251 { 4252 "invalid access of tc_classid for LWT_XMIT", 4253 .insns = { 4254 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4255 offsetof(struct __sk_buff, tc_classid)), 4256 BPF_EXIT_INSN(), 4257 }, 4258 .result = REJECT, 4259 .errstr = "invalid bpf_context access", 4260 }, 4261 { 4262 "leak pointer into ctx 1", 4263 .insns = { 4264 BPF_MOV64_IMM(BPF_REG_0, 0), 4265 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 4266 offsetof(struct __sk_buff, cb[0])), 4267 BPF_LD_MAP_FD(BPF_REG_2, 0), 4268 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2, 4269 offsetof(struct __sk_buff, cb[0])), 4270 BPF_EXIT_INSN(), 4271 }, 4272 .fixup_map1 = { 2 }, 4273 .errstr_unpriv = "R2 leaks addr into mem", 4274 .result_unpriv = REJECT, 4275 .result = ACCEPT, 4276 }, 4277 { 4278 "leak pointer into ctx 2", 4279 .insns = { 4280 BPF_MOV64_IMM(BPF_REG_0, 0), 4281 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 4282 offsetof(struct __sk_buff, cb[0])), 4283 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10, 4284 offsetof(struct __sk_buff, cb[0])), 4285 BPF_EXIT_INSN(), 4286 }, 4287 .errstr_unpriv = "R10 leaks addr into mem", 4288 .result_unpriv = REJECT, 4289 .result = ACCEPT, 4290 }, 4291 { 4292 "leak pointer into ctx 3", 4293 .insns = { 4294 BPF_MOV64_IMM(BPF_REG_0, 0), 4295 BPF_LD_MAP_FD(BPF_REG_2, 0), 4296 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 4297 offsetof(struct __sk_buff, cb[0])), 4298 BPF_EXIT_INSN(), 4299 }, 4300 .fixup_map1 = { 1 }, 4301 .errstr_unpriv = "R2 leaks addr into ctx", 4302 .result_unpriv = REJECT, 4303 .result = ACCEPT, 4304 }, 4305 { 4306 "leak pointer into map val", 4307 .insns = { 4308 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 4309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4312 BPF_LD_MAP_FD(BPF_REG_1, 0), 4313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4314 BPF_FUNC_map_lookup_elem), 4315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 4316 BPF_MOV64_IMM(BPF_REG_3, 0), 4317 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 4318 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 4319 BPF_MOV64_IMM(BPF_REG_0, 0), 4320 BPF_EXIT_INSN(), 4321 }, 4322 .fixup_map1 = { 4 }, 4323 .errstr_unpriv = "R6 leaks addr into mem", 4324 .result_unpriv = REJECT, 4325 .result = ACCEPT, 4326 }, 4327 { 4328 "helper access to map: full range", 4329 .insns = { 4330 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4332 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4333 BPF_LD_MAP_FD(BPF_REG_1, 0), 4334 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4335 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4336 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4337 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4338 BPF_MOV64_IMM(BPF_REG_3, 0), 4339 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4340 BPF_EXIT_INSN(), 4341 }, 4342 .fixup_map2 = { 3 }, 4343 .result = ACCEPT, 4344 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4345 }, 4346 { 4347 "helper access to map: partial range", 4348 .insns = { 4349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4351 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4352 BPF_LD_MAP_FD(BPF_REG_1, 0), 4353 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4356 BPF_MOV64_IMM(BPF_REG_2, 8), 4357 BPF_MOV64_IMM(BPF_REG_3, 0), 4358 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4359 BPF_EXIT_INSN(), 4360 }, 4361 .fixup_map2 = { 3 }, 4362 .result = ACCEPT, 4363 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4364 }, 4365 { 4366 "helper access to map: empty range", 4367 .insns = { 4368 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4370 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4371 BPF_LD_MAP_FD(BPF_REG_1, 0), 4372 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4373 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 4374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4375 BPF_MOV64_IMM(BPF_REG_2, 0), 4376 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4377 BPF_EXIT_INSN(), 4378 }, 4379 .fixup_map2 = { 3 }, 4380 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 4381 .result = REJECT, 4382 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4383 }, 4384 { 4385 "helper access to map: out-of-bound range", 4386 .insns = { 4387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4389 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4390 BPF_LD_MAP_FD(BPF_REG_1, 0), 4391 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4394 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 4395 BPF_MOV64_IMM(BPF_REG_3, 0), 4396 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4397 BPF_EXIT_INSN(), 4398 }, 4399 .fixup_map2 = { 3 }, 4400 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 4401 .result = REJECT, 4402 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4403 }, 4404 { 4405 "helper access to map: negative range", 4406 .insns = { 4407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4409 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4410 BPF_LD_MAP_FD(BPF_REG_1, 0), 4411 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4412 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4414 BPF_MOV64_IMM(BPF_REG_2, -8), 4415 BPF_MOV64_IMM(BPF_REG_3, 0), 4416 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4417 BPF_EXIT_INSN(), 4418 }, 4419 .fixup_map2 = { 3 }, 4420 .errstr = "R2 min value is negative", 4421 .result = REJECT, 4422 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4423 }, 4424 { 4425 "helper access to adjusted map (via const imm): full range", 4426 .insns = { 4427 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4429 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4430 BPF_LD_MAP_FD(BPF_REG_1, 0), 4431 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4432 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4435 offsetof(struct test_val, foo)), 4436 BPF_MOV64_IMM(BPF_REG_2, 4437 sizeof(struct test_val) - 4438 offsetof(struct test_val, foo)), 4439 BPF_MOV64_IMM(BPF_REG_3, 0), 4440 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4441 BPF_EXIT_INSN(), 4442 }, 4443 .fixup_map2 = { 3 }, 4444 .result = ACCEPT, 4445 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4446 }, 4447 { 4448 "helper access to adjusted map (via const imm): partial range", 4449 .insns = { 4450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4452 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4453 BPF_LD_MAP_FD(BPF_REG_1, 0), 4454 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4456 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4458 offsetof(struct test_val, foo)), 4459 BPF_MOV64_IMM(BPF_REG_2, 8), 4460 BPF_MOV64_IMM(BPF_REG_3, 0), 4461 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4462 BPF_EXIT_INSN(), 4463 }, 4464 .fixup_map2 = { 3 }, 4465 .result = ACCEPT, 4466 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4467 }, 4468 { 4469 "helper access to adjusted map (via const imm): empty range", 4470 .insns = { 4471 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4473 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4474 BPF_LD_MAP_FD(BPF_REG_1, 0), 4475 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4479 offsetof(struct test_val, foo)), 4480 BPF_MOV64_IMM(BPF_REG_2, 0), 4481 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4482 BPF_EXIT_INSN(), 4483 }, 4484 .fixup_map2 = { 3 }, 4485 .errstr = "invalid access to map value, value_size=48 off=4 size=0", 4486 .result = REJECT, 4487 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4488 }, 4489 { 4490 "helper access to adjusted map (via const imm): out-of-bound range", 4491 .insns = { 4492 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4494 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4495 BPF_LD_MAP_FD(BPF_REG_1, 0), 4496 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4498 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4500 offsetof(struct test_val, foo)), 4501 BPF_MOV64_IMM(BPF_REG_2, 4502 sizeof(struct test_val) - 4503 offsetof(struct test_val, foo) + 8), 4504 BPF_MOV64_IMM(BPF_REG_3, 0), 4505 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4506 BPF_EXIT_INSN(), 4507 }, 4508 .fixup_map2 = { 3 }, 4509 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4510 .result = REJECT, 4511 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4512 }, 4513 { 4514 "helper access to adjusted map (via const imm): negative range (> adjustment)", 4515 .insns = { 4516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4518 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4519 BPF_LD_MAP_FD(BPF_REG_1, 0), 4520 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4524 offsetof(struct test_val, foo)), 4525 BPF_MOV64_IMM(BPF_REG_2, -8), 4526 BPF_MOV64_IMM(BPF_REG_3, 0), 4527 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4528 BPF_EXIT_INSN(), 4529 }, 4530 .fixup_map2 = { 3 }, 4531 .errstr = "R2 min value is negative", 4532 .result = REJECT, 4533 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4534 }, 4535 { 4536 "helper access to adjusted map (via const imm): negative range (< adjustment)", 4537 .insns = { 4538 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4540 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4541 BPF_LD_MAP_FD(BPF_REG_1, 0), 4542 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4546 offsetof(struct test_val, foo)), 4547 BPF_MOV64_IMM(BPF_REG_2, -1), 4548 BPF_MOV64_IMM(BPF_REG_3, 0), 4549 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4550 BPF_EXIT_INSN(), 4551 }, 4552 .fixup_map2 = { 3 }, 4553 .errstr = "R2 min value is negative", 4554 .result = REJECT, 4555 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4556 }, 4557 { 4558 "helper access to adjusted map (via const reg): full range", 4559 .insns = { 4560 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4562 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4563 BPF_LD_MAP_FD(BPF_REG_1, 0), 4564 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4565 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4567 BPF_MOV64_IMM(BPF_REG_3, 4568 offsetof(struct test_val, foo)), 4569 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4570 BPF_MOV64_IMM(BPF_REG_2, 4571 sizeof(struct test_val) - 4572 offsetof(struct test_val, foo)), 4573 BPF_MOV64_IMM(BPF_REG_3, 0), 4574 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4575 BPF_EXIT_INSN(), 4576 }, 4577 .fixup_map2 = { 3 }, 4578 .result = ACCEPT, 4579 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4580 }, 4581 { 4582 "helper access to adjusted map (via const reg): partial range", 4583 .insns = { 4584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4586 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4587 BPF_LD_MAP_FD(BPF_REG_1, 0), 4588 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4590 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4591 BPF_MOV64_IMM(BPF_REG_3, 4592 offsetof(struct test_val, foo)), 4593 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4594 BPF_MOV64_IMM(BPF_REG_2, 8), 4595 BPF_MOV64_IMM(BPF_REG_3, 0), 4596 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4597 BPF_EXIT_INSN(), 4598 }, 4599 .fixup_map2 = { 3 }, 4600 .result = ACCEPT, 4601 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4602 }, 4603 { 4604 "helper access to adjusted map (via const reg): empty range", 4605 .insns = { 4606 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4608 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4609 BPF_LD_MAP_FD(BPF_REG_1, 0), 4610 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4611 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4612 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4613 BPF_MOV64_IMM(BPF_REG_3, 0), 4614 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4615 BPF_MOV64_IMM(BPF_REG_2, 0), 4616 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4617 BPF_EXIT_INSN(), 4618 }, 4619 .fixup_map2 = { 3 }, 4620 .errstr = "R1 min value is outside of the array range", 4621 .result = REJECT, 4622 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4623 }, 4624 { 4625 "helper access to adjusted map (via const reg): out-of-bound range", 4626 .insns = { 4627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4629 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4630 BPF_LD_MAP_FD(BPF_REG_1, 0), 4631 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4632 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4634 BPF_MOV64_IMM(BPF_REG_3, 4635 offsetof(struct test_val, foo)), 4636 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4637 BPF_MOV64_IMM(BPF_REG_2, 4638 sizeof(struct test_val) - 4639 offsetof(struct test_val, foo) + 8), 4640 BPF_MOV64_IMM(BPF_REG_3, 0), 4641 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4642 BPF_EXIT_INSN(), 4643 }, 4644 .fixup_map2 = { 3 }, 4645 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4646 .result = REJECT, 4647 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4648 }, 4649 { 4650 "helper access to adjusted map (via const reg): negative range (> adjustment)", 4651 .insns = { 4652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4654 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4655 BPF_LD_MAP_FD(BPF_REG_1, 0), 4656 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4659 BPF_MOV64_IMM(BPF_REG_3, 4660 offsetof(struct test_val, foo)), 4661 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4662 BPF_MOV64_IMM(BPF_REG_2, -8), 4663 BPF_MOV64_IMM(BPF_REG_3, 0), 4664 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4665 BPF_EXIT_INSN(), 4666 }, 4667 .fixup_map2 = { 3 }, 4668 .errstr = "R2 min value is negative", 4669 .result = REJECT, 4670 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4671 }, 4672 { 4673 "helper access to adjusted map (via const reg): negative range (< adjustment)", 4674 .insns = { 4675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4677 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4678 BPF_LD_MAP_FD(BPF_REG_1, 0), 4679 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4681 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4682 BPF_MOV64_IMM(BPF_REG_3, 4683 offsetof(struct test_val, foo)), 4684 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4685 BPF_MOV64_IMM(BPF_REG_2, -1), 4686 BPF_MOV64_IMM(BPF_REG_3, 0), 4687 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4688 BPF_EXIT_INSN(), 4689 }, 4690 .fixup_map2 = { 3 }, 4691 .errstr = "R2 min value is negative", 4692 .result = REJECT, 4693 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4694 }, 4695 { 4696 "helper access to adjusted map (via variable): full range", 4697 .insns = { 4698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4700 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4701 BPF_LD_MAP_FD(BPF_REG_1, 0), 4702 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4703 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4706 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4707 offsetof(struct test_val, foo), 4), 4708 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4709 BPF_MOV64_IMM(BPF_REG_2, 4710 sizeof(struct test_val) - 4711 offsetof(struct test_val, foo)), 4712 BPF_MOV64_IMM(BPF_REG_3, 0), 4713 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4714 BPF_EXIT_INSN(), 4715 }, 4716 .fixup_map2 = { 3 }, 4717 .result = ACCEPT, 4718 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4719 }, 4720 { 4721 "helper access to adjusted map (via variable): partial range", 4722 .insns = { 4723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4725 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4726 BPF_LD_MAP_FD(BPF_REG_1, 0), 4727 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4730 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4731 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4732 offsetof(struct test_val, foo), 4), 4733 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4734 BPF_MOV64_IMM(BPF_REG_2, 8), 4735 BPF_MOV64_IMM(BPF_REG_3, 0), 4736 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4737 BPF_EXIT_INSN(), 4738 }, 4739 .fixup_map2 = { 3 }, 4740 .result = ACCEPT, 4741 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4742 }, 4743 { 4744 "helper access to adjusted map (via variable): empty range", 4745 .insns = { 4746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4748 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4749 BPF_LD_MAP_FD(BPF_REG_1, 0), 4750 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4754 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4755 offsetof(struct test_val, foo), 3), 4756 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4757 BPF_MOV64_IMM(BPF_REG_2, 0), 4758 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 4759 BPF_EXIT_INSN(), 4760 }, 4761 .fixup_map2 = { 3 }, 4762 .errstr = "R1 min value is outside of the array range", 4763 .result = REJECT, 4764 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4765 }, 4766 { 4767 "helper access to adjusted map (via variable): no max check", 4768 .insns = { 4769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4771 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4772 BPF_LD_MAP_FD(BPF_REG_1, 0), 4773 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4775 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4776 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4777 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4778 BPF_MOV64_IMM(BPF_REG_2, 1), 4779 BPF_MOV64_IMM(BPF_REG_3, 0), 4780 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4781 BPF_EXIT_INSN(), 4782 }, 4783 .fixup_map2 = { 3 }, 4784 .errstr = "R1 unbounded memory access", 4785 .result = REJECT, 4786 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4787 }, 4788 { 4789 "helper access to adjusted map (via variable): wrong max check", 4790 .insns = { 4791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4793 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4794 BPF_LD_MAP_FD(BPF_REG_1, 0), 4795 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4798 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4799 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4800 offsetof(struct test_val, foo), 4), 4801 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4802 BPF_MOV64_IMM(BPF_REG_2, 4803 sizeof(struct test_val) - 4804 offsetof(struct test_val, foo) + 1), 4805 BPF_MOV64_IMM(BPF_REG_3, 0), 4806 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4807 BPF_EXIT_INSN(), 4808 }, 4809 .fixup_map2 = { 3 }, 4810 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 4811 .result = REJECT, 4812 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4813 }, 4814 { 4815 "helper access to map: bounds check using <, good access", 4816 .insns = { 4817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4819 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4820 BPF_LD_MAP_FD(BPF_REG_1, 0), 4821 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4824 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4825 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2), 4826 BPF_MOV64_IMM(BPF_REG_0, 0), 4827 BPF_EXIT_INSN(), 4828 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4829 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4830 BPF_MOV64_IMM(BPF_REG_0, 0), 4831 BPF_EXIT_INSN(), 4832 }, 4833 .fixup_map2 = { 3 }, 4834 .result = ACCEPT, 4835 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4836 }, 4837 { 4838 "helper access to map: bounds check using <, bad access", 4839 .insns = { 4840 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4842 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4843 BPF_LD_MAP_FD(BPF_REG_1, 0), 4844 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4845 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4848 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4), 4849 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4850 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4851 BPF_MOV64_IMM(BPF_REG_0, 0), 4852 BPF_EXIT_INSN(), 4853 BPF_MOV64_IMM(BPF_REG_0, 0), 4854 BPF_EXIT_INSN(), 4855 }, 4856 .fixup_map2 = { 3 }, 4857 .result = REJECT, 4858 .errstr = "R1 unbounded memory access", 4859 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4860 }, 4861 { 4862 "helper access to map: bounds check using <=, good access", 4863 .insns = { 4864 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4866 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4867 BPF_LD_MAP_FD(BPF_REG_1, 0), 4868 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4869 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4870 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4871 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4872 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2), 4873 BPF_MOV64_IMM(BPF_REG_0, 0), 4874 BPF_EXIT_INSN(), 4875 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4876 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4877 BPF_MOV64_IMM(BPF_REG_0, 0), 4878 BPF_EXIT_INSN(), 4879 }, 4880 .fixup_map2 = { 3 }, 4881 .result = ACCEPT, 4882 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4883 }, 4884 { 4885 "helper access to map: bounds check using <=, bad access", 4886 .insns = { 4887 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4889 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4890 BPF_LD_MAP_FD(BPF_REG_1, 0), 4891 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4892 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4895 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4), 4896 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4897 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4898 BPF_MOV64_IMM(BPF_REG_0, 0), 4899 BPF_EXIT_INSN(), 4900 BPF_MOV64_IMM(BPF_REG_0, 0), 4901 BPF_EXIT_INSN(), 4902 }, 4903 .fixup_map2 = { 3 }, 4904 .result = REJECT, 4905 .errstr = "R1 unbounded memory access", 4906 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4907 }, 4908 { 4909 "helper access to map: bounds check using s<, good access", 4910 .insns = { 4911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4913 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4914 BPF_LD_MAP_FD(BPF_REG_1, 0), 4915 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4918 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4919 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 4920 BPF_MOV64_IMM(BPF_REG_0, 0), 4921 BPF_EXIT_INSN(), 4922 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3), 4923 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4924 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4925 BPF_MOV64_IMM(BPF_REG_0, 0), 4926 BPF_EXIT_INSN(), 4927 }, 4928 .fixup_map2 = { 3 }, 4929 .result = ACCEPT, 4930 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4931 }, 4932 { 4933 "helper access to map: bounds check using s<, good access 2", 4934 .insns = { 4935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4937 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4938 BPF_LD_MAP_FD(BPF_REG_1, 0), 4939 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4943 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 4944 BPF_MOV64_IMM(BPF_REG_0, 0), 4945 BPF_EXIT_INSN(), 4946 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 4947 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4948 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4949 BPF_MOV64_IMM(BPF_REG_0, 0), 4950 BPF_EXIT_INSN(), 4951 }, 4952 .fixup_map2 = { 3 }, 4953 .result = ACCEPT, 4954 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4955 }, 4956 { 4957 "helper access to map: bounds check using s<, bad access", 4958 .insns = { 4959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4961 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4962 BPF_LD_MAP_FD(BPF_REG_1, 0), 4963 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4966 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 4967 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 4968 BPF_MOV64_IMM(BPF_REG_0, 0), 4969 BPF_EXIT_INSN(), 4970 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 4971 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4972 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4973 BPF_MOV64_IMM(BPF_REG_0, 0), 4974 BPF_EXIT_INSN(), 4975 }, 4976 .fixup_map2 = { 3 }, 4977 .result = REJECT, 4978 .errstr = "R1 min value is negative", 4979 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4980 }, 4981 { 4982 "helper access to map: bounds check using s<=, good access", 4983 .insns = { 4984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4986 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4987 BPF_LD_MAP_FD(BPF_REG_1, 0), 4988 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4989 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4991 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4992 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 4993 BPF_MOV64_IMM(BPF_REG_0, 0), 4994 BPF_EXIT_INSN(), 4995 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3), 4996 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4997 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 4998 BPF_MOV64_IMM(BPF_REG_0, 0), 4999 BPF_EXIT_INSN(), 5000 }, 5001 .fixup_map2 = { 3 }, 5002 .result = ACCEPT, 5003 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5004 }, 5005 { 5006 "helper access to map: bounds check using s<=, good access 2", 5007 .insns = { 5008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5010 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5011 BPF_LD_MAP_FD(BPF_REG_1, 0), 5012 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5013 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5015 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5016 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5017 BPF_MOV64_IMM(BPF_REG_0, 0), 5018 BPF_EXIT_INSN(), 5019 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 5020 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5021 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5022 BPF_MOV64_IMM(BPF_REG_0, 0), 5023 BPF_EXIT_INSN(), 5024 }, 5025 .fixup_map2 = { 3 }, 5026 .result = ACCEPT, 5027 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5028 }, 5029 { 5030 "helper access to map: bounds check using s<=, bad access", 5031 .insns = { 5032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5034 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5035 BPF_LD_MAP_FD(BPF_REG_1, 0), 5036 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5037 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5039 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 5040 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5041 BPF_MOV64_IMM(BPF_REG_0, 0), 5042 BPF_EXIT_INSN(), 5043 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 5044 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5045 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5046 BPF_MOV64_IMM(BPF_REG_0, 0), 5047 BPF_EXIT_INSN(), 5048 }, 5049 .fixup_map2 = { 3 }, 5050 .result = REJECT, 5051 .errstr = "R1 min value is negative", 5052 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5053 }, 5054 { 5055 "map element value is preserved across register spilling", 5056 .insns = { 5057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5059 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5060 BPF_LD_MAP_FD(BPF_REG_1, 0), 5061 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5063 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 5064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 5066 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 5067 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 5068 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 5069 BPF_EXIT_INSN(), 5070 }, 5071 .fixup_map2 = { 3 }, 5072 .errstr_unpriv = "R0 leaks addr", 5073 .result = ACCEPT, 5074 .result_unpriv = REJECT, 5075 }, 5076 { 5077 "map element value or null is marked on register spilling", 5078 .insns = { 5079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5081 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5082 BPF_LD_MAP_FD(BPF_REG_1, 0), 5083 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), 5086 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 5087 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5088 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 5089 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 5090 BPF_EXIT_INSN(), 5091 }, 5092 .fixup_map2 = { 3 }, 5093 .errstr_unpriv = "R0 leaks addr", 5094 .result = ACCEPT, 5095 .result_unpriv = REJECT, 5096 }, 5097 { 5098 "map element value store of cleared call register", 5099 .insns = { 5100 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5102 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5103 BPF_LD_MAP_FD(BPF_REG_1, 0), 5104 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5105 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 5106 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 5107 BPF_EXIT_INSN(), 5108 }, 5109 .fixup_map2 = { 3 }, 5110 .errstr_unpriv = "R1 !read_ok", 5111 .errstr = "R1 !read_ok", 5112 .result = REJECT, 5113 .result_unpriv = REJECT, 5114 }, 5115 { 5116 "map element value with unaligned store", 5117 .insns = { 5118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5120 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5121 BPF_LD_MAP_FD(BPF_REG_1, 0), 5122 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), 5124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 5125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 5126 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), 5127 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), 5128 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 5129 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32), 5130 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33), 5131 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34), 5132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), 5133 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), 5134 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), 5135 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), 5136 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), 5137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), 5138 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), 5139 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), 5140 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), 5141 BPF_EXIT_INSN(), 5142 }, 5143 .fixup_map2 = { 3 }, 5144 .errstr_unpriv = "R0 leaks addr", 5145 .result = ACCEPT, 5146 .result_unpriv = REJECT, 5147 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5148 }, 5149 { 5150 "map element value with unaligned load", 5151 .insns = { 5152 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5154 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5155 BPF_LD_MAP_FD(BPF_REG_1, 0), 5156 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5157 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 5158 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 5159 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), 5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 5161 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 5162 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), 5163 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 5164 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 5165 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2), 5166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), 5167 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 5168 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), 5169 BPF_EXIT_INSN(), 5170 }, 5171 .fixup_map2 = { 3 }, 5172 .errstr_unpriv = "R0 leaks addr", 5173 .result = ACCEPT, 5174 .result_unpriv = REJECT, 5175 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5176 }, 5177 { 5178 "map element value illegal alu op, 1", 5179 .insns = { 5180 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5182 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5183 BPF_LD_MAP_FD(BPF_REG_1, 0), 5184 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5186 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8), 5187 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5188 BPF_EXIT_INSN(), 5189 }, 5190 .fixup_map2 = { 3 }, 5191 .errstr = "R0 bitwise operator &= on pointer", 5192 .result = REJECT, 5193 }, 5194 { 5195 "map element value illegal alu op, 2", 5196 .insns = { 5197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5199 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5200 BPF_LD_MAP_FD(BPF_REG_1, 0), 5201 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5203 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0), 5204 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5205 BPF_EXIT_INSN(), 5206 }, 5207 .fixup_map2 = { 3 }, 5208 .errstr = "R0 32-bit pointer arithmetic prohibited", 5209 .result = REJECT, 5210 }, 5211 { 5212 "map element value illegal alu op, 3", 5213 .insns = { 5214 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5216 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5217 BPF_LD_MAP_FD(BPF_REG_1, 0), 5218 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5219 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5220 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42), 5221 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5222 BPF_EXIT_INSN(), 5223 }, 5224 .fixup_map2 = { 3 }, 5225 .errstr = "R0 pointer arithmetic with /= operator", 5226 .result = REJECT, 5227 }, 5228 { 5229 "map element value illegal alu op, 4", 5230 .insns = { 5231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5233 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5234 BPF_LD_MAP_FD(BPF_REG_1, 0), 5235 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 5237 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64), 5238 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5239 BPF_EXIT_INSN(), 5240 }, 5241 .fixup_map2 = { 3 }, 5242 .errstr_unpriv = "R0 pointer arithmetic prohibited", 5243 .errstr = "invalid mem access 'inv'", 5244 .result = REJECT, 5245 .result_unpriv = REJECT, 5246 }, 5247 { 5248 "map element value illegal alu op, 5", 5249 .insns = { 5250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5252 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5253 BPF_LD_MAP_FD(BPF_REG_1, 0), 5254 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5256 BPF_MOV64_IMM(BPF_REG_3, 4096), 5257 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5259 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5260 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0), 5261 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 5262 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 5263 BPF_EXIT_INSN(), 5264 }, 5265 .fixup_map2 = { 3 }, 5266 .errstr = "R0 invalid mem access 'inv'", 5267 .result = REJECT, 5268 }, 5269 { 5270 "map element value is preserved across register spilling", 5271 .insns = { 5272 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5274 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5275 BPF_LD_MAP_FD(BPF_REG_1, 0), 5276 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5279 offsetof(struct test_val, foo)), 5280 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 5281 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 5283 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 5284 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 5285 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 5286 BPF_EXIT_INSN(), 5287 }, 5288 .fixup_map2 = { 3 }, 5289 .errstr_unpriv = "R0 leaks addr", 5290 .result = ACCEPT, 5291 .result_unpriv = REJECT, 5292 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5293 }, 5294 { 5295 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 5296 .insns = { 5297 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5299 BPF_MOV64_IMM(BPF_REG_0, 0), 5300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5307 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5308 BPF_MOV64_IMM(BPF_REG_2, 16), 5309 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5310 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5311 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 5312 BPF_MOV64_IMM(BPF_REG_4, 0), 5313 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5314 BPF_MOV64_IMM(BPF_REG_3, 0), 5315 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5316 BPF_MOV64_IMM(BPF_REG_0, 0), 5317 BPF_EXIT_INSN(), 5318 }, 5319 .result = ACCEPT, 5320 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5321 }, 5322 { 5323 "helper access to variable memory: stack, bitwise AND, zero included", 5324 .insns = { 5325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5327 BPF_MOV64_IMM(BPF_REG_2, 16), 5328 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5329 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5330 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 5331 BPF_MOV64_IMM(BPF_REG_3, 0), 5332 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5333 BPF_EXIT_INSN(), 5334 }, 5335 .errstr = "invalid indirect read from stack off -64+0 size 64", 5336 .result = REJECT, 5337 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5338 }, 5339 { 5340 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 5341 .insns = { 5342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5344 BPF_MOV64_IMM(BPF_REG_2, 16), 5345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5346 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5347 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 5348 BPF_MOV64_IMM(BPF_REG_4, 0), 5349 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5350 BPF_MOV64_IMM(BPF_REG_3, 0), 5351 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5352 BPF_MOV64_IMM(BPF_REG_0, 0), 5353 BPF_EXIT_INSN(), 5354 }, 5355 .errstr = "invalid stack type R1 off=-64 access_size=65", 5356 .result = REJECT, 5357 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5358 }, 5359 { 5360 "helper access to variable memory: stack, JMP, correct bounds", 5361 .insns = { 5362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5364 BPF_MOV64_IMM(BPF_REG_0, 0), 5365 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5366 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5367 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5368 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5369 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5370 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5371 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5372 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5373 BPF_MOV64_IMM(BPF_REG_2, 16), 5374 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5375 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5376 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 5377 BPF_MOV64_IMM(BPF_REG_4, 0), 5378 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5379 BPF_MOV64_IMM(BPF_REG_3, 0), 5380 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5381 BPF_MOV64_IMM(BPF_REG_0, 0), 5382 BPF_EXIT_INSN(), 5383 }, 5384 .result = ACCEPT, 5385 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5386 }, 5387 { 5388 "helper access to variable memory: stack, JMP (signed), correct bounds", 5389 .insns = { 5390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5392 BPF_MOV64_IMM(BPF_REG_0, 0), 5393 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5395 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5396 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5397 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5398 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5399 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5400 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5401 BPF_MOV64_IMM(BPF_REG_2, 16), 5402 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5403 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5404 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 5405 BPF_MOV64_IMM(BPF_REG_4, 0), 5406 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5407 BPF_MOV64_IMM(BPF_REG_3, 0), 5408 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5409 BPF_MOV64_IMM(BPF_REG_0, 0), 5410 BPF_EXIT_INSN(), 5411 }, 5412 .result = ACCEPT, 5413 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5414 }, 5415 { 5416 "helper access to variable memory: stack, JMP, bounds + offset", 5417 .insns = { 5418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5420 BPF_MOV64_IMM(BPF_REG_2, 16), 5421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5422 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5423 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 5424 BPF_MOV64_IMM(BPF_REG_4, 0), 5425 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 5426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 5427 BPF_MOV64_IMM(BPF_REG_3, 0), 5428 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5429 BPF_MOV64_IMM(BPF_REG_0, 0), 5430 BPF_EXIT_INSN(), 5431 }, 5432 .errstr = "invalid stack type R1 off=-64 access_size=65", 5433 .result = REJECT, 5434 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5435 }, 5436 { 5437 "helper access to variable memory: stack, JMP, wrong max", 5438 .insns = { 5439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5441 BPF_MOV64_IMM(BPF_REG_2, 16), 5442 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5443 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5444 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 5445 BPF_MOV64_IMM(BPF_REG_4, 0), 5446 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5447 BPF_MOV64_IMM(BPF_REG_3, 0), 5448 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5449 BPF_MOV64_IMM(BPF_REG_0, 0), 5450 BPF_EXIT_INSN(), 5451 }, 5452 .errstr = "invalid stack type R1 off=-64 access_size=65", 5453 .result = REJECT, 5454 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5455 }, 5456 { 5457 "helper access to variable memory: stack, JMP, no max check", 5458 .insns = { 5459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5461 BPF_MOV64_IMM(BPF_REG_2, 16), 5462 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5463 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5464 BPF_MOV64_IMM(BPF_REG_4, 0), 5465 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 5466 BPF_MOV64_IMM(BPF_REG_3, 0), 5467 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5468 BPF_MOV64_IMM(BPF_REG_0, 0), 5469 BPF_EXIT_INSN(), 5470 }, 5471 /* because max wasn't checked, signed min is negative */ 5472 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'", 5473 .result = REJECT, 5474 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5475 }, 5476 { 5477 "helper access to variable memory: stack, JMP, no min check", 5478 .insns = { 5479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5481 BPF_MOV64_IMM(BPF_REG_2, 16), 5482 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5483 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5484 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 5485 BPF_MOV64_IMM(BPF_REG_3, 0), 5486 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5487 BPF_MOV64_IMM(BPF_REG_0, 0), 5488 BPF_EXIT_INSN(), 5489 }, 5490 .errstr = "invalid indirect read from stack off -64+0 size 64", 5491 .result = REJECT, 5492 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5493 }, 5494 { 5495 "helper access to variable memory: stack, JMP (signed), no min check", 5496 .insns = { 5497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5499 BPF_MOV64_IMM(BPF_REG_2, 16), 5500 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 5501 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 5502 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 5503 BPF_MOV64_IMM(BPF_REG_3, 0), 5504 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5505 BPF_MOV64_IMM(BPF_REG_0, 0), 5506 BPF_EXIT_INSN(), 5507 }, 5508 .errstr = "R2 min value is negative", 5509 .result = REJECT, 5510 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5511 }, 5512 { 5513 "helper access to variable memory: map, JMP, correct bounds", 5514 .insns = { 5515 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5517 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5518 BPF_LD_MAP_FD(BPF_REG_1, 0), 5519 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5520 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 5521 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5522 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5523 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5524 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5525 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5526 sizeof(struct test_val), 4), 5527 BPF_MOV64_IMM(BPF_REG_4, 0), 5528 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5529 BPF_MOV64_IMM(BPF_REG_3, 0), 5530 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5531 BPF_MOV64_IMM(BPF_REG_0, 0), 5532 BPF_EXIT_INSN(), 5533 }, 5534 .fixup_map2 = { 3 }, 5535 .result = ACCEPT, 5536 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5537 }, 5538 { 5539 "helper access to variable memory: map, JMP, wrong max", 5540 .insns = { 5541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5543 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5544 BPF_LD_MAP_FD(BPF_REG_1, 0), 5545 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 5547 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5548 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5549 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5550 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5551 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5552 sizeof(struct test_val) + 1, 4), 5553 BPF_MOV64_IMM(BPF_REG_4, 0), 5554 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5555 BPF_MOV64_IMM(BPF_REG_3, 0), 5556 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5557 BPF_MOV64_IMM(BPF_REG_0, 0), 5558 BPF_EXIT_INSN(), 5559 }, 5560 .fixup_map2 = { 3 }, 5561 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 5562 .result = REJECT, 5563 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5564 }, 5565 { 5566 "helper access to variable memory: map adjusted, JMP, correct bounds", 5567 .insns = { 5568 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5570 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5571 BPF_LD_MAP_FD(BPF_REG_1, 0), 5572 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5573 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 5574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 5576 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5578 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5579 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5580 sizeof(struct test_val) - 20, 4), 5581 BPF_MOV64_IMM(BPF_REG_4, 0), 5582 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5583 BPF_MOV64_IMM(BPF_REG_3, 0), 5584 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5585 BPF_MOV64_IMM(BPF_REG_0, 0), 5586 BPF_EXIT_INSN(), 5587 }, 5588 .fixup_map2 = { 3 }, 5589 .result = ACCEPT, 5590 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5591 }, 5592 { 5593 "helper access to variable memory: map adjusted, JMP, wrong max", 5594 .insns = { 5595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5597 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5598 BPF_LD_MAP_FD(BPF_REG_1, 0), 5599 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5600 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 5601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 5603 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5604 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5605 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5606 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 5607 sizeof(struct test_val) - 19, 4), 5608 BPF_MOV64_IMM(BPF_REG_4, 0), 5609 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 5610 BPF_MOV64_IMM(BPF_REG_3, 0), 5611 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5612 BPF_MOV64_IMM(BPF_REG_0, 0), 5613 BPF_EXIT_INSN(), 5614 }, 5615 .fixup_map2 = { 3 }, 5616 .errstr = "R1 min value is outside of the array range", 5617 .result = REJECT, 5618 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5619 }, 5620 { 5621 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 5622 .insns = { 5623 BPF_MOV64_IMM(BPF_REG_1, 0), 5624 BPF_MOV64_IMM(BPF_REG_2, 0), 5625 BPF_MOV64_IMM(BPF_REG_3, 0), 5626 BPF_MOV64_IMM(BPF_REG_4, 0), 5627 BPF_MOV64_IMM(BPF_REG_5, 0), 5628 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5629 BPF_EXIT_INSN(), 5630 }, 5631 .result = ACCEPT, 5632 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5633 }, 5634 { 5635 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 5636 .insns = { 5637 BPF_MOV64_IMM(BPF_REG_1, 0), 5638 BPF_MOV64_IMM(BPF_REG_2, 0), 5639 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5640 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5641 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 5642 BPF_MOV64_IMM(BPF_REG_3, 0), 5643 BPF_MOV64_IMM(BPF_REG_4, 0), 5644 BPF_MOV64_IMM(BPF_REG_5, 0), 5645 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5646 BPF_EXIT_INSN(), 5647 }, 5648 .errstr = "R1 type=inv expected=fp", 5649 .result = REJECT, 5650 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5651 }, 5652 { 5653 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 5654 .insns = { 5655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5657 BPF_MOV64_IMM(BPF_REG_2, 0), 5658 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 5659 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 5660 BPF_MOV64_IMM(BPF_REG_3, 0), 5661 BPF_MOV64_IMM(BPF_REG_4, 0), 5662 BPF_MOV64_IMM(BPF_REG_5, 0), 5663 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5664 BPF_EXIT_INSN(), 5665 }, 5666 .result = ACCEPT, 5667 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5668 }, 5669 { 5670 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 5671 .insns = { 5672 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5675 BPF_LD_MAP_FD(BPF_REG_1, 0), 5676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5677 BPF_FUNC_map_lookup_elem), 5678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5680 BPF_MOV64_IMM(BPF_REG_2, 0), 5681 BPF_MOV64_IMM(BPF_REG_3, 0), 5682 BPF_MOV64_IMM(BPF_REG_4, 0), 5683 BPF_MOV64_IMM(BPF_REG_5, 0), 5684 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5685 BPF_EXIT_INSN(), 5686 }, 5687 .fixup_map1 = { 3 }, 5688 .result = ACCEPT, 5689 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5690 }, 5691 { 5692 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 5693 .insns = { 5694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5697 BPF_LD_MAP_FD(BPF_REG_1, 0), 5698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5699 BPF_FUNC_map_lookup_elem), 5700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 5701 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5702 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7), 5703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5705 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 5706 BPF_MOV64_IMM(BPF_REG_3, 0), 5707 BPF_MOV64_IMM(BPF_REG_4, 0), 5708 BPF_MOV64_IMM(BPF_REG_5, 0), 5709 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5710 BPF_EXIT_INSN(), 5711 }, 5712 .fixup_map1 = { 3 }, 5713 .result = ACCEPT, 5714 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5715 }, 5716 { 5717 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 5718 .insns = { 5719 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5720 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5722 BPF_LD_MAP_FD(BPF_REG_1, 0), 5723 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5724 BPF_FUNC_map_lookup_elem), 5725 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5727 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5728 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 5729 BPF_MOV64_IMM(BPF_REG_3, 0), 5730 BPF_MOV64_IMM(BPF_REG_4, 0), 5731 BPF_MOV64_IMM(BPF_REG_5, 0), 5732 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5733 BPF_EXIT_INSN(), 5734 }, 5735 .fixup_map1 = { 3 }, 5736 .result = ACCEPT, 5737 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5738 }, 5739 { 5740 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)", 5741 .insns = { 5742 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 5743 offsetof(struct __sk_buff, data)), 5744 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 5745 offsetof(struct __sk_buff, data_end)), 5746 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), 5747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 5748 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 5749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 5750 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0), 5751 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 5752 BPF_MOV64_IMM(BPF_REG_3, 0), 5753 BPF_MOV64_IMM(BPF_REG_4, 0), 5754 BPF_MOV64_IMM(BPF_REG_5, 0), 5755 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 5756 BPF_EXIT_INSN(), 5757 }, 5758 .result = ACCEPT, 5759 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5760 }, 5761 { 5762 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 5763 .insns = { 5764 BPF_MOV64_IMM(BPF_REG_1, 0), 5765 BPF_MOV64_IMM(BPF_REG_2, 0), 5766 BPF_MOV64_IMM(BPF_REG_3, 0), 5767 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5768 BPF_EXIT_INSN(), 5769 }, 5770 .errstr = "R1 type=inv expected=fp", 5771 .result = REJECT, 5772 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5773 }, 5774 { 5775 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 5776 .insns = { 5777 BPF_MOV64_IMM(BPF_REG_1, 0), 5778 BPF_MOV64_IMM(BPF_REG_2, 1), 5779 BPF_MOV64_IMM(BPF_REG_3, 0), 5780 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5781 BPF_EXIT_INSN(), 5782 }, 5783 .errstr = "R1 type=inv expected=fp", 5784 .result = REJECT, 5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5786 }, 5787 { 5788 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5789 .insns = { 5790 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5792 BPF_MOV64_IMM(BPF_REG_2, 0), 5793 BPF_MOV64_IMM(BPF_REG_3, 0), 5794 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5795 BPF_EXIT_INSN(), 5796 }, 5797 .result = ACCEPT, 5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5799 }, 5800 { 5801 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5802 .insns = { 5803 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5806 BPF_LD_MAP_FD(BPF_REG_1, 0), 5807 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5810 BPF_MOV64_IMM(BPF_REG_2, 0), 5811 BPF_MOV64_IMM(BPF_REG_3, 0), 5812 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5813 BPF_EXIT_INSN(), 5814 }, 5815 .fixup_map1 = { 3 }, 5816 .result = ACCEPT, 5817 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5818 }, 5819 { 5820 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5821 .insns = { 5822 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5825 BPF_LD_MAP_FD(BPF_REG_1, 0), 5826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5828 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5829 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 5830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5832 BPF_MOV64_IMM(BPF_REG_3, 0), 5833 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5834 BPF_EXIT_INSN(), 5835 }, 5836 .fixup_map1 = { 3 }, 5837 .result = ACCEPT, 5838 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5839 }, 5840 { 5841 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 5842 .insns = { 5843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5846 BPF_LD_MAP_FD(BPF_REG_1, 0), 5847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5850 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 5851 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2), 5852 BPF_MOV64_IMM(BPF_REG_3, 0), 5853 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5854 BPF_EXIT_INSN(), 5855 }, 5856 .fixup_map1 = { 3 }, 5857 .result = ACCEPT, 5858 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5859 }, 5860 { 5861 "helper access to variable memory: 8 bytes leak", 5862 .insns = { 5863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5865 BPF_MOV64_IMM(BPF_REG_0, 0), 5866 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5868 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5870 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5871 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5872 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5873 BPF_MOV64_IMM(BPF_REG_2, 0), 5874 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 5875 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 5876 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 5878 BPF_MOV64_IMM(BPF_REG_3, 0), 5879 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5880 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 5881 BPF_EXIT_INSN(), 5882 }, 5883 .errstr = "invalid indirect read from stack off -64+32 size 64", 5884 .result = REJECT, 5885 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5886 }, 5887 { 5888 "helper access to variable memory: 8 bytes no leak (init memory)", 5889 .insns = { 5890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5891 BPF_MOV64_IMM(BPF_REG_0, 0), 5892 BPF_MOV64_IMM(BPF_REG_0, 0), 5893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 5894 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 5895 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 5896 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 5897 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 5898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 5899 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 5900 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 5901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 5902 BPF_MOV64_IMM(BPF_REG_2, 0), 5903 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 5904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 5905 BPF_MOV64_IMM(BPF_REG_3, 0), 5906 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5907 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 5908 BPF_EXIT_INSN(), 5909 }, 5910 .result = ACCEPT, 5911 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5912 }, 5913 { 5914 "invalid and of negative number", 5915 .insns = { 5916 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5919 BPF_LD_MAP_FD(BPF_REG_1, 0), 5920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5921 BPF_FUNC_map_lookup_elem), 5922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5923 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 5924 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 5925 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 5926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 5927 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 5928 offsetof(struct test_val, foo)), 5929 BPF_EXIT_INSN(), 5930 }, 5931 .fixup_map2 = { 3 }, 5932 .errstr = "R0 max value is outside of the array range", 5933 .result = REJECT, 5934 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5935 }, 5936 { 5937 "invalid range check", 5938 .insns = { 5939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5942 BPF_LD_MAP_FD(BPF_REG_1, 0), 5943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5944 BPF_FUNC_map_lookup_elem), 5945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 5946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 5947 BPF_MOV64_IMM(BPF_REG_9, 1), 5948 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 5949 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 5950 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 5951 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 5952 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 5953 BPF_MOV32_IMM(BPF_REG_3, 1), 5954 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 5955 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 5956 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 5957 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 5958 BPF_MOV64_REG(BPF_REG_0, 0), 5959 BPF_EXIT_INSN(), 5960 }, 5961 .fixup_map2 = { 3 }, 5962 .errstr = "R0 max value is outside of the array range", 5963 .result = REJECT, 5964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5965 }, 5966 { 5967 "map in map access", 5968 .insns = { 5969 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5970 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5972 BPF_LD_MAP_FD(BPF_REG_1, 0), 5973 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5974 BPF_FUNC_map_lookup_elem), 5975 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5976 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5981 BPF_FUNC_map_lookup_elem), 5982 BPF_MOV64_REG(BPF_REG_0, 0), 5983 BPF_EXIT_INSN(), 5984 }, 5985 .fixup_map_in_map = { 3 }, 5986 .result = ACCEPT, 5987 }, 5988 { 5989 "invalid inner map pointer", 5990 .insns = { 5991 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5994 BPF_LD_MAP_FD(BPF_REG_1, 0), 5995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5996 BPF_FUNC_map_lookup_elem), 5997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5998 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 6003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6004 BPF_FUNC_map_lookup_elem), 6005 BPF_MOV64_REG(BPF_REG_0, 0), 6006 BPF_EXIT_INSN(), 6007 }, 6008 .fixup_map_in_map = { 3 }, 6009 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", 6010 .result = REJECT, 6011 }, 6012 { 6013 "forgot null checking on the inner map pointer", 6014 .insns = { 6015 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6018 BPF_LD_MAP_FD(BPF_REG_1, 0), 6019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6020 BPF_FUNC_map_lookup_elem), 6021 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6026 BPF_FUNC_map_lookup_elem), 6027 BPF_MOV64_REG(BPF_REG_0, 0), 6028 BPF_EXIT_INSN(), 6029 }, 6030 .fixup_map_in_map = { 3 }, 6031 .errstr = "R1 type=map_value_or_null expected=map_ptr", 6032 .result = REJECT, 6033 }, 6034 { 6035 "ld_abs: check calling conv, r1", 6036 .insns = { 6037 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6038 BPF_MOV64_IMM(BPF_REG_1, 0), 6039 BPF_LD_ABS(BPF_W, -0x200000), 6040 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 6041 BPF_EXIT_INSN(), 6042 }, 6043 .errstr = "R1 !read_ok", 6044 .result = REJECT, 6045 }, 6046 { 6047 "ld_abs: check calling conv, r2", 6048 .insns = { 6049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6050 BPF_MOV64_IMM(BPF_REG_2, 0), 6051 BPF_LD_ABS(BPF_W, -0x200000), 6052 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6053 BPF_EXIT_INSN(), 6054 }, 6055 .errstr = "R2 !read_ok", 6056 .result = REJECT, 6057 }, 6058 { 6059 "ld_abs: check calling conv, r3", 6060 .insns = { 6061 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6062 BPF_MOV64_IMM(BPF_REG_3, 0), 6063 BPF_LD_ABS(BPF_W, -0x200000), 6064 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6065 BPF_EXIT_INSN(), 6066 }, 6067 .errstr = "R3 !read_ok", 6068 .result = REJECT, 6069 }, 6070 { 6071 "ld_abs: check calling conv, r4", 6072 .insns = { 6073 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6074 BPF_MOV64_IMM(BPF_REG_4, 0), 6075 BPF_LD_ABS(BPF_W, -0x200000), 6076 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 6077 BPF_EXIT_INSN(), 6078 }, 6079 .errstr = "R4 !read_ok", 6080 .result = REJECT, 6081 }, 6082 { 6083 "ld_abs: check calling conv, r5", 6084 .insns = { 6085 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6086 BPF_MOV64_IMM(BPF_REG_5, 0), 6087 BPF_LD_ABS(BPF_W, -0x200000), 6088 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 6089 BPF_EXIT_INSN(), 6090 }, 6091 .errstr = "R5 !read_ok", 6092 .result = REJECT, 6093 }, 6094 { 6095 "ld_abs: check calling conv, r7", 6096 .insns = { 6097 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6098 BPF_MOV64_IMM(BPF_REG_7, 0), 6099 BPF_LD_ABS(BPF_W, -0x200000), 6100 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 6101 BPF_EXIT_INSN(), 6102 }, 6103 .result = ACCEPT, 6104 }, 6105 { 6106 "ld_abs: tests on r6 and skb data reload helper", 6107 .insns = { 6108 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6109 BPF_LD_ABS(BPF_B, 0), 6110 BPF_LD_ABS(BPF_H, 0), 6111 BPF_LD_ABS(BPF_W, 0), 6112 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6), 6113 BPF_MOV64_IMM(BPF_REG_6, 0), 6114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 6115 BPF_MOV64_IMM(BPF_REG_2, 1), 6116 BPF_MOV64_IMM(BPF_REG_3, 2), 6117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6118 BPF_FUNC_skb_vlan_push), 6119 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 6120 BPF_LD_ABS(BPF_B, 0), 6121 BPF_LD_ABS(BPF_H, 0), 6122 BPF_LD_ABS(BPF_W, 0), 6123 BPF_MOV64_IMM(BPF_REG_0, 42), 6124 BPF_EXIT_INSN(), 6125 }, 6126 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6127 .result = ACCEPT, 6128 }, 6129 { 6130 "ld_ind: check calling conv, r1", 6131 .insns = { 6132 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6133 BPF_MOV64_IMM(BPF_REG_1, 1), 6134 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000), 6135 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 6136 BPF_EXIT_INSN(), 6137 }, 6138 .errstr = "R1 !read_ok", 6139 .result = REJECT, 6140 }, 6141 { 6142 "ld_ind: check calling conv, r2", 6143 .insns = { 6144 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6145 BPF_MOV64_IMM(BPF_REG_2, 1), 6146 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000), 6147 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 6148 BPF_EXIT_INSN(), 6149 }, 6150 .errstr = "R2 !read_ok", 6151 .result = REJECT, 6152 }, 6153 { 6154 "ld_ind: check calling conv, r3", 6155 .insns = { 6156 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6157 BPF_MOV64_IMM(BPF_REG_3, 1), 6158 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000), 6159 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 6160 BPF_EXIT_INSN(), 6161 }, 6162 .errstr = "R3 !read_ok", 6163 .result = REJECT, 6164 }, 6165 { 6166 "ld_ind: check calling conv, r4", 6167 .insns = { 6168 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6169 BPF_MOV64_IMM(BPF_REG_4, 1), 6170 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000), 6171 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 6172 BPF_EXIT_INSN(), 6173 }, 6174 .errstr = "R4 !read_ok", 6175 .result = REJECT, 6176 }, 6177 { 6178 "ld_ind: check calling conv, r5", 6179 .insns = { 6180 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6181 BPF_MOV64_IMM(BPF_REG_5, 1), 6182 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000), 6183 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 6184 BPF_EXIT_INSN(), 6185 }, 6186 .errstr = "R5 !read_ok", 6187 .result = REJECT, 6188 }, 6189 { 6190 "ld_ind: check calling conv, r7", 6191 .insns = { 6192 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 6193 BPF_MOV64_IMM(BPF_REG_7, 1), 6194 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000), 6195 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 6196 BPF_EXIT_INSN(), 6197 }, 6198 .result = ACCEPT, 6199 }, 6200 { 6201 "check bpf_perf_event_data->sample_period byte load permitted", 6202 .insns = { 6203 BPF_MOV64_IMM(BPF_REG_0, 0), 6204 #if __BYTE_ORDER == __LITTLE_ENDIAN 6205 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 6206 offsetof(struct bpf_perf_event_data, sample_period)), 6207 #else 6208 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 6209 offsetof(struct bpf_perf_event_data, sample_period) + 7), 6210 #endif 6211 BPF_EXIT_INSN(), 6212 }, 6213 .result = ACCEPT, 6214 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6215 }, 6216 { 6217 "check bpf_perf_event_data->sample_period half load permitted", 6218 .insns = { 6219 BPF_MOV64_IMM(BPF_REG_0, 0), 6220 #if __BYTE_ORDER == __LITTLE_ENDIAN 6221 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6222 offsetof(struct bpf_perf_event_data, sample_period)), 6223 #else 6224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6225 offsetof(struct bpf_perf_event_data, sample_period) + 6), 6226 #endif 6227 BPF_EXIT_INSN(), 6228 }, 6229 .result = ACCEPT, 6230 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6231 }, 6232 { 6233 "check bpf_perf_event_data->sample_period word load permitted", 6234 .insns = { 6235 BPF_MOV64_IMM(BPF_REG_0, 0), 6236 #if __BYTE_ORDER == __LITTLE_ENDIAN 6237 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 6238 offsetof(struct bpf_perf_event_data, sample_period)), 6239 #else 6240 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 6241 offsetof(struct bpf_perf_event_data, sample_period) + 4), 6242 #endif 6243 BPF_EXIT_INSN(), 6244 }, 6245 .result = ACCEPT, 6246 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6247 }, 6248 { 6249 "check bpf_perf_event_data->sample_period dword load permitted", 6250 .insns = { 6251 BPF_MOV64_IMM(BPF_REG_0, 0), 6252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 6253 offsetof(struct bpf_perf_event_data, sample_period)), 6254 BPF_EXIT_INSN(), 6255 }, 6256 .result = ACCEPT, 6257 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 6258 }, 6259 { 6260 "check skb->data half load not permitted", 6261 .insns = { 6262 BPF_MOV64_IMM(BPF_REG_0, 0), 6263 #if __BYTE_ORDER == __LITTLE_ENDIAN 6264 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6265 offsetof(struct __sk_buff, data)), 6266 #else 6267 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6268 offsetof(struct __sk_buff, data) + 2), 6269 #endif 6270 BPF_EXIT_INSN(), 6271 }, 6272 .result = REJECT, 6273 .errstr = "invalid bpf_context access", 6274 }, 6275 { 6276 "check skb->tc_classid half load not permitted for lwt prog", 6277 .insns = { 6278 BPF_MOV64_IMM(BPF_REG_0, 0), 6279 #if __BYTE_ORDER == __LITTLE_ENDIAN 6280 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6281 offsetof(struct __sk_buff, tc_classid)), 6282 #else 6283 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 6284 offsetof(struct __sk_buff, tc_classid) + 2), 6285 #endif 6286 BPF_EXIT_INSN(), 6287 }, 6288 .result = REJECT, 6289 .errstr = "invalid bpf_context access", 6290 .prog_type = BPF_PROG_TYPE_LWT_IN, 6291 }, 6292 { 6293 "bounds checks mixing signed and unsigned, positive bounds", 6294 .insns = { 6295 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6298 BPF_LD_MAP_FD(BPF_REG_1, 0), 6299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6300 BPF_FUNC_map_lookup_elem), 6301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6302 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6303 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6304 BPF_MOV64_IMM(BPF_REG_2, 2), 6305 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3), 6306 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2), 6307 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6308 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6309 BPF_MOV64_IMM(BPF_REG_0, 0), 6310 BPF_EXIT_INSN(), 6311 }, 6312 .fixup_map1 = { 3 }, 6313 .errstr = "unbounded min value", 6314 .result = REJECT, 6315 }, 6316 { 6317 "bounds checks mixing signed and unsigned", 6318 .insns = { 6319 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6320 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6322 BPF_LD_MAP_FD(BPF_REG_1, 0), 6323 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6324 BPF_FUNC_map_lookup_elem), 6325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6327 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6328 BPF_MOV64_IMM(BPF_REG_2, -1), 6329 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), 6330 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6331 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6332 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6333 BPF_MOV64_IMM(BPF_REG_0, 0), 6334 BPF_EXIT_INSN(), 6335 }, 6336 .fixup_map1 = { 3 }, 6337 .errstr = "unbounded min value", 6338 .result = REJECT, 6339 }, 6340 { 6341 "bounds checks mixing signed and unsigned, variant 2", 6342 .insns = { 6343 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6346 BPF_LD_MAP_FD(BPF_REG_1, 0), 6347 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6348 BPF_FUNC_map_lookup_elem), 6349 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6350 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6351 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6352 BPF_MOV64_IMM(BPF_REG_2, -1), 6353 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), 6354 BPF_MOV64_IMM(BPF_REG_8, 0), 6355 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1), 6356 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), 6357 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 6358 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), 6359 BPF_MOV64_IMM(BPF_REG_0, 0), 6360 BPF_EXIT_INSN(), 6361 }, 6362 .fixup_map1 = { 3 }, 6363 .errstr = "unbounded min value", 6364 .result = REJECT, 6365 }, 6366 { 6367 "bounds checks mixing signed and unsigned, variant 3", 6368 .insns = { 6369 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6370 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6372 BPF_LD_MAP_FD(BPF_REG_1, 0), 6373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6374 BPF_FUNC_map_lookup_elem), 6375 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6376 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6377 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6378 BPF_MOV64_IMM(BPF_REG_2, -1), 6379 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4), 6380 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 6381 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), 6382 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 6383 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), 6384 BPF_MOV64_IMM(BPF_REG_0, 0), 6385 BPF_EXIT_INSN(), 6386 }, 6387 .fixup_map1 = { 3 }, 6388 .errstr = "unbounded min value", 6389 .result = REJECT, 6390 }, 6391 { 6392 "bounds checks mixing signed and unsigned, variant 4", 6393 .insns = { 6394 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6397 BPF_LD_MAP_FD(BPF_REG_1, 0), 6398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6399 BPF_FUNC_map_lookup_elem), 6400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6401 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6402 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6403 BPF_MOV64_IMM(BPF_REG_2, 1), 6404 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2), 6405 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6406 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6407 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6408 BPF_MOV64_IMM(BPF_REG_0, 0), 6409 BPF_EXIT_INSN(), 6410 }, 6411 .fixup_map1 = { 3 }, 6412 .result = ACCEPT, 6413 }, 6414 { 6415 "bounds checks mixing signed and unsigned, variant 5", 6416 .insns = { 6417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6420 BPF_LD_MAP_FD(BPF_REG_1, 0), 6421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6422 BPF_FUNC_map_lookup_elem), 6423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6424 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6425 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6426 BPF_MOV64_IMM(BPF_REG_2, -1), 6427 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), 6428 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4), 6429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4), 6430 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 6431 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6432 BPF_MOV64_IMM(BPF_REG_0, 0), 6433 BPF_EXIT_INSN(), 6434 }, 6435 .fixup_map1 = { 3 }, 6436 .errstr = "unbounded min value", 6437 .result = REJECT, 6438 }, 6439 { 6440 "bounds checks mixing signed and unsigned, variant 6", 6441 .insns = { 6442 BPF_MOV64_IMM(BPF_REG_2, 0), 6443 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 6444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512), 6445 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6446 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16), 6447 BPF_MOV64_IMM(BPF_REG_6, -1), 6448 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5), 6449 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4), 6450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), 6451 BPF_MOV64_IMM(BPF_REG_5, 0), 6452 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0), 6453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6454 BPF_FUNC_skb_load_bytes), 6455 BPF_MOV64_IMM(BPF_REG_0, 0), 6456 BPF_EXIT_INSN(), 6457 }, 6458 .errstr = "R4 min value is negative, either use unsigned", 6459 .result = REJECT, 6460 }, 6461 { 6462 "bounds checks mixing signed and unsigned, variant 7", 6463 .insns = { 6464 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6465 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6467 BPF_LD_MAP_FD(BPF_REG_1, 0), 6468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6469 BPF_FUNC_map_lookup_elem), 6470 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6471 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6472 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6473 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024), 6474 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), 6475 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6476 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6477 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6478 BPF_MOV64_IMM(BPF_REG_0, 0), 6479 BPF_EXIT_INSN(), 6480 }, 6481 .fixup_map1 = { 3 }, 6482 .result = ACCEPT, 6483 }, 6484 { 6485 "bounds checks mixing signed and unsigned, variant 8", 6486 .insns = { 6487 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6490 BPF_LD_MAP_FD(BPF_REG_1, 0), 6491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6492 BPF_FUNC_map_lookup_elem), 6493 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6494 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6495 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6496 BPF_MOV64_IMM(BPF_REG_2, -1), 6497 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 6498 BPF_MOV64_IMM(BPF_REG_0, 0), 6499 BPF_EXIT_INSN(), 6500 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6501 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6502 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6503 BPF_MOV64_IMM(BPF_REG_0, 0), 6504 BPF_EXIT_INSN(), 6505 }, 6506 .fixup_map1 = { 3 }, 6507 .errstr = "unbounded min value", 6508 .result = REJECT, 6509 }, 6510 { 6511 "bounds checks mixing signed and unsigned, variant 9", 6512 .insns = { 6513 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6514 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6516 BPF_LD_MAP_FD(BPF_REG_1, 0), 6517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6518 BPF_FUNC_map_lookup_elem), 6519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 6520 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6521 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6522 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL), 6523 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 6524 BPF_MOV64_IMM(BPF_REG_0, 0), 6525 BPF_EXIT_INSN(), 6526 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6527 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6528 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6529 BPF_MOV64_IMM(BPF_REG_0, 0), 6530 BPF_EXIT_INSN(), 6531 }, 6532 .fixup_map1 = { 3 }, 6533 .result = ACCEPT, 6534 }, 6535 { 6536 "bounds checks mixing signed and unsigned, variant 10", 6537 .insns = { 6538 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6541 BPF_LD_MAP_FD(BPF_REG_1, 0), 6542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6543 BPF_FUNC_map_lookup_elem), 6544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6545 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6546 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6547 BPF_MOV64_IMM(BPF_REG_2, 0), 6548 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 6549 BPF_MOV64_IMM(BPF_REG_0, 0), 6550 BPF_EXIT_INSN(), 6551 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6552 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6553 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6554 BPF_MOV64_IMM(BPF_REG_0, 0), 6555 BPF_EXIT_INSN(), 6556 }, 6557 .fixup_map1 = { 3 }, 6558 .errstr = "unbounded min value", 6559 .result = REJECT, 6560 }, 6561 { 6562 "bounds checks mixing signed and unsigned, variant 11", 6563 .insns = { 6564 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6565 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6567 BPF_LD_MAP_FD(BPF_REG_1, 0), 6568 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6569 BPF_FUNC_map_lookup_elem), 6570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6572 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6573 BPF_MOV64_IMM(BPF_REG_2, -1), 6574 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6575 /* Dead branch. */ 6576 BPF_MOV64_IMM(BPF_REG_0, 0), 6577 BPF_EXIT_INSN(), 6578 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6579 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6580 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6581 BPF_MOV64_IMM(BPF_REG_0, 0), 6582 BPF_EXIT_INSN(), 6583 }, 6584 .fixup_map1 = { 3 }, 6585 .errstr = "unbounded min value", 6586 .result = REJECT, 6587 }, 6588 { 6589 "bounds checks mixing signed and unsigned, variant 12", 6590 .insns = { 6591 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6592 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6594 BPF_LD_MAP_FD(BPF_REG_1, 0), 6595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6596 BPF_FUNC_map_lookup_elem), 6597 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6598 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6599 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6600 BPF_MOV64_IMM(BPF_REG_2, -6), 6601 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6602 BPF_MOV64_IMM(BPF_REG_0, 0), 6603 BPF_EXIT_INSN(), 6604 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6605 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6606 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6607 BPF_MOV64_IMM(BPF_REG_0, 0), 6608 BPF_EXIT_INSN(), 6609 }, 6610 .fixup_map1 = { 3 }, 6611 .errstr = "unbounded min value", 6612 .result = REJECT, 6613 }, 6614 { 6615 "bounds checks mixing signed and unsigned, variant 13", 6616 .insns = { 6617 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6620 BPF_LD_MAP_FD(BPF_REG_1, 0), 6621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6622 BPF_FUNC_map_lookup_elem), 6623 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6624 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6625 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6626 BPF_MOV64_IMM(BPF_REG_2, 2), 6627 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6628 BPF_MOV64_IMM(BPF_REG_7, 1), 6629 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2), 6630 BPF_MOV64_IMM(BPF_REG_0, 0), 6631 BPF_EXIT_INSN(), 6632 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1), 6633 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2), 6634 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7), 6635 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6636 BPF_MOV64_IMM(BPF_REG_0, 0), 6637 BPF_EXIT_INSN(), 6638 }, 6639 .fixup_map1 = { 3 }, 6640 .errstr = "unbounded min value", 6641 .result = REJECT, 6642 }, 6643 { 6644 "bounds checks mixing signed and unsigned, variant 14", 6645 .insns = { 6646 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, 6647 offsetof(struct __sk_buff, mark)), 6648 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6649 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6651 BPF_LD_MAP_FD(BPF_REG_1, 0), 6652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6653 BPF_FUNC_map_lookup_elem), 6654 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6655 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6657 BPF_MOV64_IMM(BPF_REG_2, -1), 6658 BPF_MOV64_IMM(BPF_REG_8, 2), 6659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6), 6660 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3), 6661 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 6662 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6663 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6664 BPF_MOV64_IMM(BPF_REG_0, 0), 6665 BPF_EXIT_INSN(), 6666 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3), 6667 BPF_JMP_IMM(BPF_JA, 0, 0, -7), 6668 }, 6669 .fixup_map1 = { 4 }, 6670 .errstr = "unbounded min value", 6671 .result = REJECT, 6672 }, 6673 { 6674 "bounds checks mixing signed and unsigned, variant 15", 6675 .insns = { 6676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6679 BPF_LD_MAP_FD(BPF_REG_1, 0), 6680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6681 BPF_FUNC_map_lookup_elem), 6682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6683 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 6684 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6685 BPF_MOV64_IMM(BPF_REG_2, -6), 6686 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 6687 BPF_MOV64_IMM(BPF_REG_0, 0), 6688 BPF_EXIT_INSN(), 6689 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6690 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2), 6691 BPF_MOV64_IMM(BPF_REG_0, 0), 6692 BPF_EXIT_INSN(), 6693 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 6694 BPF_MOV64_IMM(BPF_REG_0, 0), 6695 BPF_EXIT_INSN(), 6696 }, 6697 .fixup_map1 = { 3 }, 6698 .errstr = "unbounded min value", 6699 .result = REJECT, 6700 .result_unpriv = REJECT, 6701 }, 6702 { 6703 "subtraction bounds (map value) variant 1", 6704 .insns = { 6705 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6706 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6708 BPF_LD_MAP_FD(BPF_REG_1, 0), 6709 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6710 BPF_FUNC_map_lookup_elem), 6711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6712 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6713 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), 6714 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 6715 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), 6716 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 6717 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), 6718 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6719 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6720 BPF_EXIT_INSN(), 6721 BPF_MOV64_IMM(BPF_REG_0, 0), 6722 BPF_EXIT_INSN(), 6723 }, 6724 .fixup_map1 = { 3 }, 6725 .errstr = "R0 max value is outside of the array range", 6726 .result = REJECT, 6727 }, 6728 { 6729 "subtraction bounds (map value) variant 2", 6730 .insns = { 6731 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6734 BPF_LD_MAP_FD(BPF_REG_1, 0), 6735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6736 BPF_FUNC_map_lookup_elem), 6737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 6738 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6739 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6), 6740 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 6741 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4), 6742 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 6743 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6744 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6745 BPF_EXIT_INSN(), 6746 BPF_MOV64_IMM(BPF_REG_0, 0), 6747 BPF_EXIT_INSN(), 6748 }, 6749 .fixup_map1 = { 3 }, 6750 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 6751 .result = REJECT, 6752 }, 6753 { 6754 "bounds check based on zero-extended MOV", 6755 .insns = { 6756 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6757 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6759 BPF_LD_MAP_FD(BPF_REG_1, 0), 6760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6761 BPF_FUNC_map_lookup_elem), 6762 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6763 /* r2 = 0x0000'0000'ffff'ffff */ 6764 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff), 6765 /* r2 = 0 */ 6766 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 6767 /* no-op */ 6768 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 6769 /* access at offset 0 */ 6770 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6771 /* exit */ 6772 BPF_MOV64_IMM(BPF_REG_0, 0), 6773 BPF_EXIT_INSN(), 6774 }, 6775 .fixup_map1 = { 3 }, 6776 .result = ACCEPT 6777 }, 6778 { 6779 "bounds check based on sign-extended MOV. test1", 6780 .insns = { 6781 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6782 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6784 BPF_LD_MAP_FD(BPF_REG_1, 0), 6785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6786 BPF_FUNC_map_lookup_elem), 6787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6788 /* r2 = 0xffff'ffff'ffff'ffff */ 6789 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 6790 /* r2 = 0xffff'ffff */ 6791 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 6792 /* r0 = <oob pointer> */ 6793 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 6794 /* access to OOB pointer */ 6795 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6796 /* exit */ 6797 BPF_MOV64_IMM(BPF_REG_0, 0), 6798 BPF_EXIT_INSN(), 6799 }, 6800 .fixup_map1 = { 3 }, 6801 .errstr = "map_value pointer and 4294967295", 6802 .result = REJECT 6803 }, 6804 { 6805 "bounds check based on sign-extended MOV. test2", 6806 .insns = { 6807 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6810 BPF_LD_MAP_FD(BPF_REG_1, 0), 6811 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6812 BPF_FUNC_map_lookup_elem), 6813 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6814 /* r2 = 0xffff'ffff'ffff'ffff */ 6815 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 6816 /* r2 = 0xfff'ffff */ 6817 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36), 6818 /* r0 = <oob pointer> */ 6819 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 6820 /* access to OOB pointer */ 6821 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6822 /* exit */ 6823 BPF_MOV64_IMM(BPF_REG_0, 0), 6824 BPF_EXIT_INSN(), 6825 }, 6826 .fixup_map1 = { 3 }, 6827 .errstr = "R0 min value is outside of the array range", 6828 .result = REJECT 6829 }, 6830 { 6831 "bounds check based on reg_off + var_off + insn_off. test1", 6832 .insns = { 6833 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 6834 offsetof(struct __sk_buff, mark)), 6835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6838 BPF_LD_MAP_FD(BPF_REG_1, 0), 6839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6840 BPF_FUNC_map_lookup_elem), 6841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6842 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 6843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1), 6844 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 6845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 6846 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 6847 BPF_MOV64_IMM(BPF_REG_0, 0), 6848 BPF_EXIT_INSN(), 6849 }, 6850 .fixup_map1 = { 4 }, 6851 .errstr = "value_size=8 off=1073741825", 6852 .result = REJECT, 6853 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6854 }, 6855 { 6856 "bounds check based on reg_off + var_off + insn_off. test2", 6857 .insns = { 6858 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 6859 offsetof(struct __sk_buff, mark)), 6860 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6861 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6863 BPF_LD_MAP_FD(BPF_REG_1, 0), 6864 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6865 BPF_FUNC_map_lookup_elem), 6866 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6867 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 6868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1), 6869 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 6870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 6871 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 6872 BPF_MOV64_IMM(BPF_REG_0, 0), 6873 BPF_EXIT_INSN(), 6874 }, 6875 .fixup_map1 = { 4 }, 6876 .errstr = "value 1073741823", 6877 .result = REJECT, 6878 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6879 }, 6880 { 6881 "bounds check after truncation of non-boundary-crossing range", 6882 .insns = { 6883 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6884 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6886 BPF_LD_MAP_FD(BPF_REG_1, 0), 6887 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6888 BPF_FUNC_map_lookup_elem), 6889 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6890 /* r1 = [0x00, 0xff] */ 6891 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6892 BPF_MOV64_IMM(BPF_REG_2, 1), 6893 /* r2 = 0x10'0000'0000 */ 6894 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36), 6895 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */ 6896 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 6897 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */ 6898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 6899 /* r1 = [0x00, 0xff] */ 6900 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff), 6901 /* r1 = 0 */ 6902 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 6903 /* no-op */ 6904 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6905 /* access at offset 0 */ 6906 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6907 /* exit */ 6908 BPF_MOV64_IMM(BPF_REG_0, 0), 6909 BPF_EXIT_INSN(), 6910 }, 6911 .fixup_map1 = { 3 }, 6912 .result = ACCEPT 6913 }, 6914 { 6915 "bounds check after truncation of boundary-crossing range (1)", 6916 .insns = { 6917 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6920 BPF_LD_MAP_FD(BPF_REG_1, 0), 6921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6922 BPF_FUNC_map_lookup_elem), 6923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6924 /* r1 = [0x00, 0xff] */ 6925 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6927 /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 6928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6929 /* r1 = [0xffff'ff80, 0xffff'ffff] or 6930 * [0x0000'0000, 0x0000'007f] 6931 */ 6932 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0), 6933 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6934 /* r1 = [0x00, 0xff] or 6935 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 6936 */ 6937 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6938 /* r1 = 0 or 6939 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff] 6940 */ 6941 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 6942 /* no-op or OOB pointer computation */ 6943 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6944 /* potentially OOB access */ 6945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6946 /* exit */ 6947 BPF_MOV64_IMM(BPF_REG_0, 0), 6948 BPF_EXIT_INSN(), 6949 }, 6950 .fixup_map1 = { 3 }, 6951 /* not actually fully unbounded, but the bound is very high */ 6952 .errstr = "R0 unbounded memory access", 6953 .result = REJECT 6954 }, 6955 { 6956 "bounds check after truncation of boundary-crossing range (2)", 6957 .insns = { 6958 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6961 BPF_LD_MAP_FD(BPF_REG_1, 0), 6962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6963 BPF_FUNC_map_lookup_elem), 6964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6965 /* r1 = [0x00, 0xff] */ 6966 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6968 /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 6969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 6970 /* r1 = [0xffff'ff80, 0xffff'ffff] or 6971 * [0x0000'0000, 0x0000'007f] 6972 * difference to previous test: truncation via MOV32 6973 * instead of ALU32. 6974 */ 6975 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), 6976 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6977 /* r1 = [0x00, 0xff] or 6978 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 6979 */ 6980 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 6981 /* r1 = 0 or 6982 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff] 6983 */ 6984 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 6985 /* no-op or OOB pointer computation */ 6986 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6987 /* potentially OOB access */ 6988 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 6989 /* exit */ 6990 BPF_MOV64_IMM(BPF_REG_0, 0), 6991 BPF_EXIT_INSN(), 6992 }, 6993 .fixup_map1 = { 3 }, 6994 /* not actually fully unbounded, but the bound is very high */ 6995 .errstr = "R0 unbounded memory access", 6996 .result = REJECT 6997 }, 6998 { 6999 "bounds check after wrapping 32-bit addition", 7000 .insns = { 7001 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7002 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7004 BPF_LD_MAP_FD(BPF_REG_1, 0), 7005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7006 BPF_FUNC_map_lookup_elem), 7007 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 7008 /* r1 = 0x7fff'ffff */ 7009 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff), 7010 /* r1 = 0xffff'fffe */ 7011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 7012 /* r1 = 0 */ 7013 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2), 7014 /* no-op */ 7015 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7016 /* access at offset 0 */ 7017 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7018 /* exit */ 7019 BPF_MOV64_IMM(BPF_REG_0, 0), 7020 BPF_EXIT_INSN(), 7021 }, 7022 .fixup_map1 = { 3 }, 7023 .result = ACCEPT 7024 }, 7025 { 7026 "bounds check after shift with oversized count operand", 7027 .insns = { 7028 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7029 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7031 BPF_LD_MAP_FD(BPF_REG_1, 0), 7032 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7033 BPF_FUNC_map_lookup_elem), 7034 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 7035 BPF_MOV64_IMM(BPF_REG_2, 32), 7036 BPF_MOV64_IMM(BPF_REG_1, 1), 7037 /* r1 = (u32)1 << (u32)32 = ? */ 7038 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2), 7039 /* r1 = [0x0000, 0xffff] */ 7040 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff), 7041 /* computes unknown pointer, potentially OOB */ 7042 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7043 /* potentially OOB access */ 7044 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7045 /* exit */ 7046 BPF_MOV64_IMM(BPF_REG_0, 0), 7047 BPF_EXIT_INSN(), 7048 }, 7049 .fixup_map1 = { 3 }, 7050 .errstr = "R0 max value is outside of the array range", 7051 .result = REJECT 7052 }, 7053 { 7054 "bounds check after right shift of maybe-negative number", 7055 .insns = { 7056 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7059 BPF_LD_MAP_FD(BPF_REG_1, 0), 7060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7061 BPF_FUNC_map_lookup_elem), 7062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 7063 /* r1 = [0x00, 0xff] */ 7064 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7065 /* r1 = [-0x01, 0xfe] */ 7066 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1), 7067 /* r1 = 0 or 0xff'ffff'ffff'ffff */ 7068 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7069 /* r1 = 0 or 0xffff'ffff'ffff */ 7070 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7071 /* computes unknown pointer, potentially OOB */ 7072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7073 /* potentially OOB access */ 7074 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7075 /* exit */ 7076 BPF_MOV64_IMM(BPF_REG_0, 0), 7077 BPF_EXIT_INSN(), 7078 }, 7079 .fixup_map1 = { 3 }, 7080 .errstr = "R0 unbounded memory access", 7081 .result = REJECT 7082 }, 7083 { 7084 "bounds check map access with off+size signed 32bit overflow. test1", 7085 .insns = { 7086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7089 BPF_LD_MAP_FD(BPF_REG_1, 0), 7090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7091 BPF_FUNC_map_lookup_elem), 7092 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7093 BPF_EXIT_INSN(), 7094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe), 7095 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7096 BPF_JMP_A(0), 7097 BPF_EXIT_INSN(), 7098 }, 7099 .fixup_map1 = { 3 }, 7100 .errstr = "map_value pointer and 2147483646", 7101 .result = REJECT 7102 }, 7103 { 7104 "bounds check map access with off+size signed 32bit overflow. test2", 7105 .insns = { 7106 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7109 BPF_LD_MAP_FD(BPF_REG_1, 0), 7110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7111 BPF_FUNC_map_lookup_elem), 7112 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7113 BPF_EXIT_INSN(), 7114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 7115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 7116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 7117 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7118 BPF_JMP_A(0), 7119 BPF_EXIT_INSN(), 7120 }, 7121 .fixup_map1 = { 3 }, 7122 .errstr = "pointer offset 1073741822", 7123 .result = REJECT 7124 }, 7125 { 7126 "bounds check map access with off+size signed 32bit overflow. test3", 7127 .insns = { 7128 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7131 BPF_LD_MAP_FD(BPF_REG_1, 0), 7132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7133 BPF_FUNC_map_lookup_elem), 7134 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7135 BPF_EXIT_INSN(), 7136 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 7137 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 7138 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 7139 BPF_JMP_A(0), 7140 BPF_EXIT_INSN(), 7141 }, 7142 .fixup_map1 = { 3 }, 7143 .errstr = "pointer offset -1073741822", 7144 .result = REJECT 7145 }, 7146 { 7147 "bounds check map access with off+size signed 32bit overflow. test4", 7148 .insns = { 7149 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7150 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7152 BPF_LD_MAP_FD(BPF_REG_1, 0), 7153 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7154 BPF_FUNC_map_lookup_elem), 7155 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7156 BPF_EXIT_INSN(), 7157 BPF_MOV64_IMM(BPF_REG_1, 1000000), 7158 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000), 7159 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 7161 BPF_JMP_A(0), 7162 BPF_EXIT_INSN(), 7163 }, 7164 .fixup_map1 = { 3 }, 7165 .errstr = "map_value pointer and 1000000000000", 7166 .result = REJECT 7167 }, 7168 { 7169 "pointer/scalar confusion in state equality check (way 1)", 7170 .insns = { 7171 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7172 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7174 BPF_LD_MAP_FD(BPF_REG_1, 0), 7175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7176 BPF_FUNC_map_lookup_elem), 7177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 7178 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7179 BPF_JMP_A(1), 7180 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 7181 BPF_JMP_A(0), 7182 BPF_EXIT_INSN(), 7183 }, 7184 .fixup_map1 = { 3 }, 7185 .result = ACCEPT, 7186 .result_unpriv = REJECT, 7187 .errstr_unpriv = "R0 leaks addr as return value" 7188 }, 7189 { 7190 "pointer/scalar confusion in state equality check (way 2)", 7191 .insns = { 7192 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7195 BPF_LD_MAP_FD(BPF_REG_1, 0), 7196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7197 BPF_FUNC_map_lookup_elem), 7198 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 7199 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 7200 BPF_JMP_A(1), 7201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 7202 BPF_EXIT_INSN(), 7203 }, 7204 .fixup_map1 = { 3 }, 7205 .result = ACCEPT, 7206 .result_unpriv = REJECT, 7207 .errstr_unpriv = "R0 leaks addr as return value" 7208 }, 7209 { 7210 "variable-offset ctx access", 7211 .insns = { 7212 /* Get an unknown value */ 7213 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 7214 /* Make it small and 4-byte aligned */ 7215 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 7216 /* add it to skb. We now have either &skb->len or 7217 * &skb->pkt_type, but we don't know which 7218 */ 7219 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 7220 /* dereference it */ 7221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 7222 BPF_EXIT_INSN(), 7223 }, 7224 .errstr = "variable ctx access var_off=(0x0; 0x4)", 7225 .result = REJECT, 7226 .prog_type = BPF_PROG_TYPE_LWT_IN, 7227 }, 7228 { 7229 "variable-offset stack access", 7230 .insns = { 7231 /* Fill the top 8 bytes of the stack */ 7232 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7233 /* Get an unknown value */ 7234 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 7235 /* Make it small and 4-byte aligned */ 7236 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 7237 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8), 7238 /* add it to fp. We now have either fp-4 or fp-8, but 7239 * we don't know which 7240 */ 7241 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), 7242 /* dereference it */ 7243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), 7244 BPF_EXIT_INSN(), 7245 }, 7246 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)", 7247 .result = REJECT, 7248 .prog_type = BPF_PROG_TYPE_LWT_IN, 7249 }, 7250 { 7251 "indirect variable-offset stack access", 7252 .insns = { 7253 /* Fill the top 8 bytes of the stack */ 7254 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7255 /* Get an unknown value */ 7256 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 7257 /* Make it small and 4-byte aligned */ 7258 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 7259 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8), 7260 /* add it to fp. We now have either fp-4 or fp-8, but 7261 * we don't know which 7262 */ 7263 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), 7264 /* dereference it indirectly */ 7265 BPF_LD_MAP_FD(BPF_REG_1, 0), 7266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7267 BPF_FUNC_map_lookup_elem), 7268 BPF_MOV64_IMM(BPF_REG_0, 0), 7269 BPF_EXIT_INSN(), 7270 }, 7271 .fixup_map1 = { 5 }, 7272 .errstr = "variable stack read R2", 7273 .result = REJECT, 7274 .prog_type = BPF_PROG_TYPE_LWT_IN, 7275 }, 7276 { 7277 "direct stack access with 32-bit wraparound. test1", 7278 .insns = { 7279 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 7280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 7281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 7282 BPF_MOV32_IMM(BPF_REG_0, 0), 7283 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7284 BPF_EXIT_INSN() 7285 }, 7286 .errstr = "fp pointer and 2147483647", 7287 .result = REJECT 7288 }, 7289 { 7290 "direct stack access with 32-bit wraparound. test2", 7291 .insns = { 7292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 7293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff), 7294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff), 7295 BPF_MOV32_IMM(BPF_REG_0, 0), 7296 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7297 BPF_EXIT_INSN() 7298 }, 7299 .errstr = "fp pointer and 1073741823", 7300 .result = REJECT 7301 }, 7302 { 7303 "direct stack access with 32-bit wraparound. test3", 7304 .insns = { 7305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 7306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff), 7307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff), 7308 BPF_MOV32_IMM(BPF_REG_0, 0), 7309 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7310 BPF_EXIT_INSN() 7311 }, 7312 .errstr = "fp pointer offset 1073741822", 7313 .result = REJECT 7314 }, 7315 { 7316 "liveness pruning and write screening", 7317 .insns = { 7318 /* Get an unknown value */ 7319 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 7320 /* branch conditions teach us nothing about R2 */ 7321 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 7322 BPF_MOV64_IMM(BPF_REG_0, 0), 7323 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 7324 BPF_MOV64_IMM(BPF_REG_0, 0), 7325 BPF_EXIT_INSN(), 7326 }, 7327 .errstr = "R0 !read_ok", 7328 .result = REJECT, 7329 .prog_type = BPF_PROG_TYPE_LWT_IN, 7330 }, 7331 { 7332 "varlen_map_value_access pruning", 7333 .insns = { 7334 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7337 BPF_LD_MAP_FD(BPF_REG_1, 0), 7338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7339 BPF_FUNC_map_lookup_elem), 7340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 7341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 7342 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 7343 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 7344 BPF_MOV32_IMM(BPF_REG_1, 0), 7345 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 7346 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7347 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 7348 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 7349 offsetof(struct test_val, foo)), 7350 BPF_EXIT_INSN(), 7351 }, 7352 .fixup_map2 = { 3 }, 7353 .errstr_unpriv = "R0 leaks addr", 7354 .errstr = "R0 unbounded memory access", 7355 .result_unpriv = REJECT, 7356 .result = REJECT, 7357 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7358 }, 7359 { 7360 "invalid 64-bit BPF_END", 7361 .insns = { 7362 BPF_MOV32_IMM(BPF_REG_0, 0), 7363 { 7364 .code = BPF_ALU64 | BPF_END | BPF_TO_LE, 7365 .dst_reg = BPF_REG_0, 7366 .src_reg = 0, 7367 .off = 0, 7368 .imm = 32, 7369 }, 7370 BPF_EXIT_INSN(), 7371 }, 7372 .errstr = "BPF_END uses reserved fields", 7373 .result = REJECT, 7374 }, 7375 { 7376 "meta access, test1", 7377 .insns = { 7378 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7379 offsetof(struct xdp_md, data_meta)), 7380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7381 offsetof(struct xdp_md, data)), 7382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 7383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 7384 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 7385 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7386 BPF_MOV64_IMM(BPF_REG_0, 0), 7387 BPF_EXIT_INSN(), 7388 }, 7389 .result = ACCEPT, 7390 .prog_type = BPF_PROG_TYPE_XDP, 7391 }, 7392 { 7393 "meta access, test2", 7394 .insns = { 7395 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7396 offsetof(struct xdp_md, data_meta)), 7397 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7398 offsetof(struct xdp_md, data)), 7399 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 7400 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8), 7401 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 7402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 7403 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 7404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7405 BPF_MOV64_IMM(BPF_REG_0, 0), 7406 BPF_EXIT_INSN(), 7407 }, 7408 .result = REJECT, 7409 .errstr = "invalid access to packet, off=-8", 7410 .prog_type = BPF_PROG_TYPE_XDP, 7411 }, 7412 { 7413 "meta access, test3", 7414 .insns = { 7415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7416 offsetof(struct xdp_md, data_meta)), 7417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7418 offsetof(struct xdp_md, data_end)), 7419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 7420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 7421 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 7422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7423 BPF_MOV64_IMM(BPF_REG_0, 0), 7424 BPF_EXIT_INSN(), 7425 }, 7426 .result = REJECT, 7427 .errstr = "invalid access to packet", 7428 .prog_type = BPF_PROG_TYPE_XDP, 7429 }, 7430 { 7431 "meta access, test4", 7432 .insns = { 7433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7434 offsetof(struct xdp_md, data_meta)), 7435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7436 offsetof(struct xdp_md, data_end)), 7437 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 7438 offsetof(struct xdp_md, data)), 7439 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 7440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 7441 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 7442 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7443 BPF_MOV64_IMM(BPF_REG_0, 0), 7444 BPF_EXIT_INSN(), 7445 }, 7446 .result = REJECT, 7447 .errstr = "invalid access to packet", 7448 .prog_type = BPF_PROG_TYPE_XDP, 7449 }, 7450 { 7451 "meta access, test5", 7452 .insns = { 7453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7454 offsetof(struct xdp_md, data_meta)), 7455 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 7456 offsetof(struct xdp_md, data)), 7457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 7458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 7459 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3), 7460 BPF_MOV64_IMM(BPF_REG_2, -8), 7461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7462 BPF_FUNC_xdp_adjust_meta), 7463 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0), 7464 BPF_MOV64_IMM(BPF_REG_0, 0), 7465 BPF_EXIT_INSN(), 7466 }, 7467 .result = REJECT, 7468 .errstr = "R3 !read_ok", 7469 .prog_type = BPF_PROG_TYPE_XDP, 7470 }, 7471 { 7472 "meta access, test6", 7473 .insns = { 7474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7475 offsetof(struct xdp_md, data_meta)), 7476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7477 offsetof(struct xdp_md, data)), 7478 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 7479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 7480 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 7481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 7482 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1), 7483 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7484 BPF_MOV64_IMM(BPF_REG_0, 0), 7485 BPF_EXIT_INSN(), 7486 }, 7487 .result = REJECT, 7488 .errstr = "invalid access to packet", 7489 .prog_type = BPF_PROG_TYPE_XDP, 7490 }, 7491 { 7492 "meta access, test7", 7493 .insns = { 7494 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7495 offsetof(struct xdp_md, data_meta)), 7496 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7497 offsetof(struct xdp_md, data)), 7498 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 7499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 7500 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 7501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 7502 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 7503 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7504 BPF_MOV64_IMM(BPF_REG_0, 0), 7505 BPF_EXIT_INSN(), 7506 }, 7507 .result = ACCEPT, 7508 .prog_type = BPF_PROG_TYPE_XDP, 7509 }, 7510 { 7511 "meta access, test8", 7512 .insns = { 7513 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7514 offsetof(struct xdp_md, data_meta)), 7515 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7516 offsetof(struct xdp_md, data)), 7517 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 7518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF), 7519 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 7520 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7521 BPF_MOV64_IMM(BPF_REG_0, 0), 7522 BPF_EXIT_INSN(), 7523 }, 7524 .result = ACCEPT, 7525 .prog_type = BPF_PROG_TYPE_XDP, 7526 }, 7527 { 7528 "meta access, test9", 7529 .insns = { 7530 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7531 offsetof(struct xdp_md, data_meta)), 7532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7533 offsetof(struct xdp_md, data)), 7534 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 7535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF), 7536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), 7537 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 7538 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7539 BPF_MOV64_IMM(BPF_REG_0, 0), 7540 BPF_EXIT_INSN(), 7541 }, 7542 .result = REJECT, 7543 .errstr = "invalid access to packet", 7544 .prog_type = BPF_PROG_TYPE_XDP, 7545 }, 7546 { 7547 "meta access, test10", 7548 .insns = { 7549 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7550 offsetof(struct xdp_md, data_meta)), 7551 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7552 offsetof(struct xdp_md, data)), 7553 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 7554 offsetof(struct xdp_md, data_end)), 7555 BPF_MOV64_IMM(BPF_REG_5, 42), 7556 BPF_MOV64_IMM(BPF_REG_6, 24), 7557 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8), 7558 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 7559 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8), 7560 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6), 7561 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5), 7562 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 7563 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 7564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 7565 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1), 7566 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 7567 BPF_MOV64_IMM(BPF_REG_0, 0), 7568 BPF_EXIT_INSN(), 7569 }, 7570 .result = REJECT, 7571 .errstr = "invalid access to packet", 7572 .prog_type = BPF_PROG_TYPE_XDP, 7573 }, 7574 { 7575 "meta access, test11", 7576 .insns = { 7577 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7578 offsetof(struct xdp_md, data_meta)), 7579 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7580 offsetof(struct xdp_md, data)), 7581 BPF_MOV64_IMM(BPF_REG_5, 42), 7582 BPF_MOV64_IMM(BPF_REG_6, 24), 7583 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8), 7584 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 7585 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8), 7586 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6), 7587 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5), 7588 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), 7589 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 7590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 7591 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1), 7592 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0), 7593 BPF_MOV64_IMM(BPF_REG_0, 0), 7594 BPF_EXIT_INSN(), 7595 }, 7596 .result = ACCEPT, 7597 .prog_type = BPF_PROG_TYPE_XDP, 7598 }, 7599 { 7600 "meta access, test12", 7601 .insns = { 7602 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7603 offsetof(struct xdp_md, data_meta)), 7604 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7605 offsetof(struct xdp_md, data)), 7606 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 7607 offsetof(struct xdp_md, data_end)), 7608 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 7609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16), 7610 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5), 7611 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0), 7612 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), 7613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16), 7614 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1), 7615 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 7616 BPF_MOV64_IMM(BPF_REG_0, 0), 7617 BPF_EXIT_INSN(), 7618 }, 7619 .result = ACCEPT, 7620 .prog_type = BPF_PROG_TYPE_XDP, 7621 }, 7622 { 7623 "arithmetic ops make PTR_TO_CTX unusable", 7624 .insns = { 7625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7626 offsetof(struct __sk_buff, data) - 7627 offsetof(struct __sk_buff, mark)), 7628 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 7629 offsetof(struct __sk_buff, mark)), 7630 BPF_EXIT_INSN(), 7631 }, 7632 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not", 7633 .result = REJECT, 7634 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7635 }, 7636 { 7637 "pkt_end - pkt_start is allowed", 7638 .insns = { 7639 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 7640 offsetof(struct __sk_buff, data_end)), 7641 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7642 offsetof(struct __sk_buff, data)), 7643 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2), 7644 BPF_EXIT_INSN(), 7645 }, 7646 .result = ACCEPT, 7647 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7648 }, 7649 { 7650 "XDP pkt read, pkt_end mangling, bad access 1", 7651 .insns = { 7652 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7653 offsetof(struct xdp_md, data)), 7654 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7655 offsetof(struct xdp_md, data_end)), 7656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), 7659 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7660 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7661 BPF_MOV64_IMM(BPF_REG_0, 0), 7662 BPF_EXIT_INSN(), 7663 }, 7664 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 7665 .result = REJECT, 7666 .prog_type = BPF_PROG_TYPE_XDP, 7667 }, 7668 { 7669 "XDP pkt read, pkt_end mangling, bad access 2", 7670 .insns = { 7671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7672 offsetof(struct xdp_md, data)), 7673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7674 offsetof(struct xdp_md, data_end)), 7675 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7677 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8), 7678 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7679 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7680 BPF_MOV64_IMM(BPF_REG_0, 0), 7681 BPF_EXIT_INSN(), 7682 }, 7683 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 7684 .result = REJECT, 7685 .prog_type = BPF_PROG_TYPE_XDP, 7686 }, 7687 { 7688 "XDP pkt read, pkt_data' > pkt_end, good access", 7689 .insns = { 7690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7691 offsetof(struct xdp_md, data)), 7692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7693 offsetof(struct xdp_md, data_end)), 7694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7696 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7697 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7698 BPF_MOV64_IMM(BPF_REG_0, 0), 7699 BPF_EXIT_INSN(), 7700 }, 7701 .result = ACCEPT, 7702 .prog_type = BPF_PROG_TYPE_XDP, 7703 }, 7704 { 7705 "XDP pkt read, pkt_data' > pkt_end, bad access 1", 7706 .insns = { 7707 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7708 offsetof(struct xdp_md, data)), 7709 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7710 offsetof(struct xdp_md, data_end)), 7711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7713 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 7714 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7715 BPF_MOV64_IMM(BPF_REG_0, 0), 7716 BPF_EXIT_INSN(), 7717 }, 7718 .errstr = "R1 offset is outside of the packet", 7719 .result = REJECT, 7720 .prog_type = BPF_PROG_TYPE_XDP, 7721 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7722 }, 7723 { 7724 "XDP pkt read, pkt_data' > pkt_end, bad access 2", 7725 .insns = { 7726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7727 offsetof(struct xdp_md, data)), 7728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7729 offsetof(struct xdp_md, data_end)), 7730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7732 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0), 7733 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7734 BPF_MOV64_IMM(BPF_REG_0, 0), 7735 BPF_EXIT_INSN(), 7736 }, 7737 .errstr = "R1 offset is outside of the packet", 7738 .result = REJECT, 7739 .prog_type = BPF_PROG_TYPE_XDP, 7740 }, 7741 { 7742 "XDP pkt read, pkt_end > pkt_data', good access", 7743 .insns = { 7744 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7745 offsetof(struct xdp_md, data)), 7746 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7747 offsetof(struct xdp_md, data_end)), 7748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7750 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7751 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7752 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7753 BPF_MOV64_IMM(BPF_REG_0, 0), 7754 BPF_EXIT_INSN(), 7755 }, 7756 .result = ACCEPT, 7757 .prog_type = BPF_PROG_TYPE_XDP, 7758 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7759 }, 7760 { 7761 "XDP pkt read, pkt_end > pkt_data', bad access 1", 7762 .insns = { 7763 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7764 offsetof(struct xdp_md, data)), 7765 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7766 offsetof(struct xdp_md, data_end)), 7767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7769 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7770 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7771 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7772 BPF_MOV64_IMM(BPF_REG_0, 0), 7773 BPF_EXIT_INSN(), 7774 }, 7775 .errstr = "R1 offset is outside of the packet", 7776 .result = REJECT, 7777 .prog_type = BPF_PROG_TYPE_XDP, 7778 }, 7779 { 7780 "XDP pkt read, pkt_end > pkt_data', bad access 2", 7781 .insns = { 7782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7783 offsetof(struct xdp_md, data)), 7784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7785 offsetof(struct xdp_md, data_end)), 7786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7788 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 7789 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7790 BPF_MOV64_IMM(BPF_REG_0, 0), 7791 BPF_EXIT_INSN(), 7792 }, 7793 .errstr = "R1 offset is outside of the packet", 7794 .result = REJECT, 7795 .prog_type = BPF_PROG_TYPE_XDP, 7796 }, 7797 { 7798 "XDP pkt read, pkt_data' < pkt_end, good access", 7799 .insns = { 7800 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7801 offsetof(struct xdp_md, data)), 7802 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7803 offsetof(struct xdp_md, data_end)), 7804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7806 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7807 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7808 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7809 BPF_MOV64_IMM(BPF_REG_0, 0), 7810 BPF_EXIT_INSN(), 7811 }, 7812 .result = ACCEPT, 7813 .prog_type = BPF_PROG_TYPE_XDP, 7814 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7815 }, 7816 { 7817 "XDP pkt read, pkt_data' < pkt_end, bad access 1", 7818 .insns = { 7819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7820 offsetof(struct xdp_md, data)), 7821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7822 offsetof(struct xdp_md, data_end)), 7823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7825 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7826 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7827 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7828 BPF_MOV64_IMM(BPF_REG_0, 0), 7829 BPF_EXIT_INSN(), 7830 }, 7831 .errstr = "R1 offset is outside of the packet", 7832 .result = REJECT, 7833 .prog_type = BPF_PROG_TYPE_XDP, 7834 }, 7835 { 7836 "XDP pkt read, pkt_data' < pkt_end, bad access 2", 7837 .insns = { 7838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7839 offsetof(struct xdp_md, data)), 7840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7841 offsetof(struct xdp_md, data_end)), 7842 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7844 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 7845 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7846 BPF_MOV64_IMM(BPF_REG_0, 0), 7847 BPF_EXIT_INSN(), 7848 }, 7849 .errstr = "R1 offset is outside of the packet", 7850 .result = REJECT, 7851 .prog_type = BPF_PROG_TYPE_XDP, 7852 }, 7853 { 7854 "XDP pkt read, pkt_end < pkt_data', good access", 7855 .insns = { 7856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7857 offsetof(struct xdp_md, data)), 7858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7859 offsetof(struct xdp_md, data_end)), 7860 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7862 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 7863 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7864 BPF_MOV64_IMM(BPF_REG_0, 0), 7865 BPF_EXIT_INSN(), 7866 }, 7867 .result = ACCEPT, 7868 .prog_type = BPF_PROG_TYPE_XDP, 7869 }, 7870 { 7871 "XDP pkt read, pkt_end < pkt_data', bad access 1", 7872 .insns = { 7873 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7874 offsetof(struct xdp_md, data)), 7875 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7876 offsetof(struct xdp_md, data_end)), 7877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7879 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 7880 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7881 BPF_MOV64_IMM(BPF_REG_0, 0), 7882 BPF_EXIT_INSN(), 7883 }, 7884 .errstr = "R1 offset is outside of the packet", 7885 .result = REJECT, 7886 .prog_type = BPF_PROG_TYPE_XDP, 7887 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7888 }, 7889 { 7890 "XDP pkt read, pkt_end < pkt_data', bad access 2", 7891 .insns = { 7892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7893 offsetof(struct xdp_md, data)), 7894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7895 offsetof(struct xdp_md, data_end)), 7896 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7898 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0), 7899 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7900 BPF_MOV64_IMM(BPF_REG_0, 0), 7901 BPF_EXIT_INSN(), 7902 }, 7903 .errstr = "R1 offset is outside of the packet", 7904 .result = REJECT, 7905 .prog_type = BPF_PROG_TYPE_XDP, 7906 }, 7907 { 7908 "XDP pkt read, pkt_data' >= pkt_end, good access", 7909 .insns = { 7910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7911 offsetof(struct xdp_md, data)), 7912 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7913 offsetof(struct xdp_md, data_end)), 7914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7916 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 7917 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7918 BPF_MOV64_IMM(BPF_REG_0, 0), 7919 BPF_EXIT_INSN(), 7920 }, 7921 .result = ACCEPT, 7922 .prog_type = BPF_PROG_TYPE_XDP, 7923 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7924 }, 7925 { 7926 "XDP pkt read, pkt_data' >= pkt_end, bad access 1", 7927 .insns = { 7928 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7929 offsetof(struct xdp_md, data)), 7930 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7931 offsetof(struct xdp_md, data_end)), 7932 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7933 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7934 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 7935 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7936 BPF_MOV64_IMM(BPF_REG_0, 0), 7937 BPF_EXIT_INSN(), 7938 }, 7939 .errstr = "R1 offset is outside of the packet", 7940 .result = REJECT, 7941 .prog_type = BPF_PROG_TYPE_XDP, 7942 }, 7943 { 7944 "XDP pkt read, pkt_data' >= pkt_end, bad access 2", 7945 .insns = { 7946 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7947 offsetof(struct xdp_md, data)), 7948 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7949 offsetof(struct xdp_md, data_end)), 7950 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7952 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0), 7953 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 7954 BPF_MOV64_IMM(BPF_REG_0, 0), 7955 BPF_EXIT_INSN(), 7956 }, 7957 .errstr = "R1 offset is outside of the packet", 7958 .result = REJECT, 7959 .prog_type = BPF_PROG_TYPE_XDP, 7960 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7961 }, 7962 { 7963 "XDP pkt read, pkt_end >= pkt_data', good access", 7964 .insns = { 7965 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7966 offsetof(struct xdp_md, data)), 7967 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7968 offsetof(struct xdp_md, data_end)), 7969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7971 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7972 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7973 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 7974 BPF_MOV64_IMM(BPF_REG_0, 0), 7975 BPF_EXIT_INSN(), 7976 }, 7977 .result = ACCEPT, 7978 .prog_type = BPF_PROG_TYPE_XDP, 7979 }, 7980 { 7981 "XDP pkt read, pkt_end >= pkt_data', bad access 1", 7982 .insns = { 7983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 7984 offsetof(struct xdp_md, data)), 7985 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7986 offsetof(struct xdp_md, data_end)), 7987 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 7988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7989 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 7990 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 7991 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 7992 BPF_MOV64_IMM(BPF_REG_0, 0), 7993 BPF_EXIT_INSN(), 7994 }, 7995 .errstr = "R1 offset is outside of the packet", 7996 .result = REJECT, 7997 .prog_type = BPF_PROG_TYPE_XDP, 7998 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 7999 }, 8000 { 8001 "XDP pkt read, pkt_end >= pkt_data', bad access 2", 8002 .insns = { 8003 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8004 offsetof(struct xdp_md, data)), 8005 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8006 offsetof(struct xdp_md, data_end)), 8007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8009 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 8010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8011 BPF_MOV64_IMM(BPF_REG_0, 0), 8012 BPF_EXIT_INSN(), 8013 }, 8014 .errstr = "R1 offset is outside of the packet", 8015 .result = REJECT, 8016 .prog_type = BPF_PROG_TYPE_XDP, 8017 }, 8018 { 8019 "XDP pkt read, pkt_data' <= pkt_end, good access", 8020 .insns = { 8021 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8022 offsetof(struct xdp_md, data)), 8023 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8024 offsetof(struct xdp_md, data_end)), 8025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8027 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 8028 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8029 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8030 BPF_MOV64_IMM(BPF_REG_0, 0), 8031 BPF_EXIT_INSN(), 8032 }, 8033 .result = ACCEPT, 8034 .prog_type = BPF_PROG_TYPE_XDP, 8035 }, 8036 { 8037 "XDP pkt read, pkt_data' <= pkt_end, bad access 1", 8038 .insns = { 8039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8040 offsetof(struct xdp_md, data)), 8041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8042 offsetof(struct xdp_md, data_end)), 8043 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8045 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 8046 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8048 BPF_MOV64_IMM(BPF_REG_0, 0), 8049 BPF_EXIT_INSN(), 8050 }, 8051 .errstr = "R1 offset is outside of the packet", 8052 .result = REJECT, 8053 .prog_type = BPF_PROG_TYPE_XDP, 8054 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8055 }, 8056 { 8057 "XDP pkt read, pkt_data' <= pkt_end, bad access 2", 8058 .insns = { 8059 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8060 offsetof(struct xdp_md, data)), 8061 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8062 offsetof(struct xdp_md, data_end)), 8063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8065 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 8066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8067 BPF_MOV64_IMM(BPF_REG_0, 0), 8068 BPF_EXIT_INSN(), 8069 }, 8070 .errstr = "R1 offset is outside of the packet", 8071 .result = REJECT, 8072 .prog_type = BPF_PROG_TYPE_XDP, 8073 }, 8074 { 8075 "XDP pkt read, pkt_end <= pkt_data', good access", 8076 .insns = { 8077 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8078 offsetof(struct xdp_md, data)), 8079 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8080 offsetof(struct xdp_md, data_end)), 8081 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8083 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 8084 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8085 BPF_MOV64_IMM(BPF_REG_0, 0), 8086 BPF_EXIT_INSN(), 8087 }, 8088 .result = ACCEPT, 8089 .prog_type = BPF_PROG_TYPE_XDP, 8090 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8091 }, 8092 { 8093 "XDP pkt read, pkt_end <= pkt_data', bad access 1", 8094 .insns = { 8095 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8096 offsetof(struct xdp_md, data)), 8097 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8098 offsetof(struct xdp_md, data_end)), 8099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8101 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 8102 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8103 BPF_MOV64_IMM(BPF_REG_0, 0), 8104 BPF_EXIT_INSN(), 8105 }, 8106 .errstr = "R1 offset is outside of the packet", 8107 .result = REJECT, 8108 .prog_type = BPF_PROG_TYPE_XDP, 8109 }, 8110 { 8111 "XDP pkt read, pkt_end <= pkt_data', bad access 2", 8112 .insns = { 8113 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8114 offsetof(struct xdp_md, data)), 8115 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8116 offsetof(struct xdp_md, data_end)), 8117 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8119 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0), 8120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8121 BPF_MOV64_IMM(BPF_REG_0, 0), 8122 BPF_EXIT_INSN(), 8123 }, 8124 .errstr = "R1 offset is outside of the packet", 8125 .result = REJECT, 8126 .prog_type = BPF_PROG_TYPE_XDP, 8127 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8128 }, 8129 { 8130 "XDP pkt read, pkt_meta' > pkt_data, good access", 8131 .insns = { 8132 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8133 offsetof(struct xdp_md, data_meta)), 8134 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8135 offsetof(struct xdp_md, data)), 8136 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8138 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 8139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8140 BPF_MOV64_IMM(BPF_REG_0, 0), 8141 BPF_EXIT_INSN(), 8142 }, 8143 .result = ACCEPT, 8144 .prog_type = BPF_PROG_TYPE_XDP, 8145 }, 8146 { 8147 "XDP pkt read, pkt_meta' > pkt_data, bad access 1", 8148 .insns = { 8149 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8150 offsetof(struct xdp_md, data_meta)), 8151 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8152 offsetof(struct xdp_md, data)), 8153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8155 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 8156 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8157 BPF_MOV64_IMM(BPF_REG_0, 0), 8158 BPF_EXIT_INSN(), 8159 }, 8160 .errstr = "R1 offset is outside of the packet", 8161 .result = REJECT, 8162 .prog_type = BPF_PROG_TYPE_XDP, 8163 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8164 }, 8165 { 8166 "XDP pkt read, pkt_meta' > pkt_data, bad access 2", 8167 .insns = { 8168 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8169 offsetof(struct xdp_md, data_meta)), 8170 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8171 offsetof(struct xdp_md, data)), 8172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8174 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0), 8175 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8176 BPF_MOV64_IMM(BPF_REG_0, 0), 8177 BPF_EXIT_INSN(), 8178 }, 8179 .errstr = "R1 offset is outside of the packet", 8180 .result = REJECT, 8181 .prog_type = BPF_PROG_TYPE_XDP, 8182 }, 8183 { 8184 "XDP pkt read, pkt_data > pkt_meta', good access", 8185 .insns = { 8186 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8187 offsetof(struct xdp_md, data_meta)), 8188 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8189 offsetof(struct xdp_md, data)), 8190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8192 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 8193 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8194 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8195 BPF_MOV64_IMM(BPF_REG_0, 0), 8196 BPF_EXIT_INSN(), 8197 }, 8198 .result = ACCEPT, 8199 .prog_type = BPF_PROG_TYPE_XDP, 8200 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8201 }, 8202 { 8203 "XDP pkt read, pkt_data > pkt_meta', bad access 1", 8204 .insns = { 8205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8206 offsetof(struct xdp_md, data_meta)), 8207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8208 offsetof(struct xdp_md, data)), 8209 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8211 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 8212 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8213 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8214 BPF_MOV64_IMM(BPF_REG_0, 0), 8215 BPF_EXIT_INSN(), 8216 }, 8217 .errstr = "R1 offset is outside of the packet", 8218 .result = REJECT, 8219 .prog_type = BPF_PROG_TYPE_XDP, 8220 }, 8221 { 8222 "XDP pkt read, pkt_data > pkt_meta', bad access 2", 8223 .insns = { 8224 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8225 offsetof(struct xdp_md, data_meta)), 8226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8227 offsetof(struct xdp_md, data)), 8228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8230 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 8231 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8232 BPF_MOV64_IMM(BPF_REG_0, 0), 8233 BPF_EXIT_INSN(), 8234 }, 8235 .errstr = "R1 offset is outside of the packet", 8236 .result = REJECT, 8237 .prog_type = BPF_PROG_TYPE_XDP, 8238 }, 8239 { 8240 "XDP pkt read, pkt_meta' < pkt_data, good access", 8241 .insns = { 8242 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8243 offsetof(struct xdp_md, data_meta)), 8244 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8245 offsetof(struct xdp_md, data)), 8246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8248 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 8249 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8250 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8251 BPF_MOV64_IMM(BPF_REG_0, 0), 8252 BPF_EXIT_INSN(), 8253 }, 8254 .result = ACCEPT, 8255 .prog_type = BPF_PROG_TYPE_XDP, 8256 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8257 }, 8258 { 8259 "XDP pkt read, pkt_meta' < pkt_data, bad access 1", 8260 .insns = { 8261 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8262 offsetof(struct xdp_md, data_meta)), 8263 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8264 offsetof(struct xdp_md, data)), 8265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8267 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 8268 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8269 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8270 BPF_MOV64_IMM(BPF_REG_0, 0), 8271 BPF_EXIT_INSN(), 8272 }, 8273 .errstr = "R1 offset is outside of the packet", 8274 .result = REJECT, 8275 .prog_type = BPF_PROG_TYPE_XDP, 8276 }, 8277 { 8278 "XDP pkt read, pkt_meta' < pkt_data, bad access 2", 8279 .insns = { 8280 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8281 offsetof(struct xdp_md, data_meta)), 8282 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8283 offsetof(struct xdp_md, data)), 8284 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8286 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 8287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8288 BPF_MOV64_IMM(BPF_REG_0, 0), 8289 BPF_EXIT_INSN(), 8290 }, 8291 .errstr = "R1 offset is outside of the packet", 8292 .result = REJECT, 8293 .prog_type = BPF_PROG_TYPE_XDP, 8294 }, 8295 { 8296 "XDP pkt read, pkt_data < pkt_meta', good access", 8297 .insns = { 8298 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8299 offsetof(struct xdp_md, data_meta)), 8300 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8301 offsetof(struct xdp_md, data)), 8302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8304 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 8305 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8306 BPF_MOV64_IMM(BPF_REG_0, 0), 8307 BPF_EXIT_INSN(), 8308 }, 8309 .result = ACCEPT, 8310 .prog_type = BPF_PROG_TYPE_XDP, 8311 }, 8312 { 8313 "XDP pkt read, pkt_data < pkt_meta', bad access 1", 8314 .insns = { 8315 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8316 offsetof(struct xdp_md, data_meta)), 8317 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8318 offsetof(struct xdp_md, data)), 8319 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8321 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 8322 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8323 BPF_MOV64_IMM(BPF_REG_0, 0), 8324 BPF_EXIT_INSN(), 8325 }, 8326 .errstr = "R1 offset is outside of the packet", 8327 .result = REJECT, 8328 .prog_type = BPF_PROG_TYPE_XDP, 8329 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8330 }, 8331 { 8332 "XDP pkt read, pkt_data < pkt_meta', bad access 2", 8333 .insns = { 8334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8335 offsetof(struct xdp_md, data_meta)), 8336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8337 offsetof(struct xdp_md, data)), 8338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8340 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0), 8341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8342 BPF_MOV64_IMM(BPF_REG_0, 0), 8343 BPF_EXIT_INSN(), 8344 }, 8345 .errstr = "R1 offset is outside of the packet", 8346 .result = REJECT, 8347 .prog_type = BPF_PROG_TYPE_XDP, 8348 }, 8349 { 8350 "XDP pkt read, pkt_meta' >= pkt_data, good access", 8351 .insns = { 8352 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8353 offsetof(struct xdp_md, data_meta)), 8354 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8355 offsetof(struct xdp_md, data)), 8356 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8358 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 8359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8360 BPF_MOV64_IMM(BPF_REG_0, 0), 8361 BPF_EXIT_INSN(), 8362 }, 8363 .result = ACCEPT, 8364 .prog_type = BPF_PROG_TYPE_XDP, 8365 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8366 }, 8367 { 8368 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1", 8369 .insns = { 8370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8371 offsetof(struct xdp_md, data_meta)), 8372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8373 offsetof(struct xdp_md, data)), 8374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8376 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 8377 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8378 BPF_MOV64_IMM(BPF_REG_0, 0), 8379 BPF_EXIT_INSN(), 8380 }, 8381 .errstr = "R1 offset is outside of the packet", 8382 .result = REJECT, 8383 .prog_type = BPF_PROG_TYPE_XDP, 8384 }, 8385 { 8386 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2", 8387 .insns = { 8388 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8389 offsetof(struct xdp_md, data_meta)), 8390 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8391 offsetof(struct xdp_md, data)), 8392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8394 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0), 8395 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8396 BPF_MOV64_IMM(BPF_REG_0, 0), 8397 BPF_EXIT_INSN(), 8398 }, 8399 .errstr = "R1 offset is outside of the packet", 8400 .result = REJECT, 8401 .prog_type = BPF_PROG_TYPE_XDP, 8402 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8403 }, 8404 { 8405 "XDP pkt read, pkt_data >= pkt_meta', good access", 8406 .insns = { 8407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8408 offsetof(struct xdp_md, data_meta)), 8409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8410 offsetof(struct xdp_md, data)), 8411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8413 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 8414 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8415 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8416 BPF_MOV64_IMM(BPF_REG_0, 0), 8417 BPF_EXIT_INSN(), 8418 }, 8419 .result = ACCEPT, 8420 .prog_type = BPF_PROG_TYPE_XDP, 8421 }, 8422 { 8423 "XDP pkt read, pkt_data >= pkt_meta', bad access 1", 8424 .insns = { 8425 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8426 offsetof(struct xdp_md, data_meta)), 8427 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8428 offsetof(struct xdp_md, data)), 8429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8431 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 8432 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8433 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8434 BPF_MOV64_IMM(BPF_REG_0, 0), 8435 BPF_EXIT_INSN(), 8436 }, 8437 .errstr = "R1 offset is outside of the packet", 8438 .result = REJECT, 8439 .prog_type = BPF_PROG_TYPE_XDP, 8440 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8441 }, 8442 { 8443 "XDP pkt read, pkt_data >= pkt_meta', bad access 2", 8444 .insns = { 8445 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8446 offsetof(struct xdp_md, data_meta)), 8447 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8448 offsetof(struct xdp_md, data)), 8449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8451 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 8452 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8453 BPF_MOV64_IMM(BPF_REG_0, 0), 8454 BPF_EXIT_INSN(), 8455 }, 8456 .errstr = "R1 offset is outside of the packet", 8457 .result = REJECT, 8458 .prog_type = BPF_PROG_TYPE_XDP, 8459 }, 8460 { 8461 "XDP pkt read, pkt_meta' <= pkt_data, good access", 8462 .insns = { 8463 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8464 offsetof(struct xdp_md, data_meta)), 8465 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8466 offsetof(struct xdp_md, data)), 8467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8469 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 8470 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8471 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8472 BPF_MOV64_IMM(BPF_REG_0, 0), 8473 BPF_EXIT_INSN(), 8474 }, 8475 .result = ACCEPT, 8476 .prog_type = BPF_PROG_TYPE_XDP, 8477 }, 8478 { 8479 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1", 8480 .insns = { 8481 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8482 offsetof(struct xdp_md, data_meta)), 8483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8484 offsetof(struct xdp_md, data)), 8485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8487 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 8488 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8489 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8490 BPF_MOV64_IMM(BPF_REG_0, 0), 8491 BPF_EXIT_INSN(), 8492 }, 8493 .errstr = "R1 offset is outside of the packet", 8494 .result = REJECT, 8495 .prog_type = BPF_PROG_TYPE_XDP, 8496 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8497 }, 8498 { 8499 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2", 8500 .insns = { 8501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8502 offsetof(struct xdp_md, data_meta)), 8503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8504 offsetof(struct xdp_md, data)), 8505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8507 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 8508 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8509 BPF_MOV64_IMM(BPF_REG_0, 0), 8510 BPF_EXIT_INSN(), 8511 }, 8512 .errstr = "R1 offset is outside of the packet", 8513 .result = REJECT, 8514 .prog_type = BPF_PROG_TYPE_XDP, 8515 }, 8516 { 8517 "XDP pkt read, pkt_data <= pkt_meta', good access", 8518 .insns = { 8519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8520 offsetof(struct xdp_md, data_meta)), 8521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8522 offsetof(struct xdp_md, data)), 8523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8525 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 8526 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8527 BPF_MOV64_IMM(BPF_REG_0, 0), 8528 BPF_EXIT_INSN(), 8529 }, 8530 .result = ACCEPT, 8531 .prog_type = BPF_PROG_TYPE_XDP, 8532 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8533 }, 8534 { 8535 "XDP pkt read, pkt_data <= pkt_meta', bad access 1", 8536 .insns = { 8537 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8538 offsetof(struct xdp_md, data_meta)), 8539 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8540 offsetof(struct xdp_md, data)), 8541 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8543 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 8544 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8545 BPF_MOV64_IMM(BPF_REG_0, 0), 8546 BPF_EXIT_INSN(), 8547 }, 8548 .errstr = "R1 offset is outside of the packet", 8549 .result = REJECT, 8550 .prog_type = BPF_PROG_TYPE_XDP, 8551 }, 8552 { 8553 "XDP pkt read, pkt_data <= pkt_meta', bad access 2", 8554 .insns = { 8555 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8556 offsetof(struct xdp_md, data_meta)), 8557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8558 offsetof(struct xdp_md, data)), 8559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8561 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0), 8562 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8563 BPF_MOV64_IMM(BPF_REG_0, 0), 8564 BPF_EXIT_INSN(), 8565 }, 8566 .errstr = "R1 offset is outside of the packet", 8567 .result = REJECT, 8568 .prog_type = BPF_PROG_TYPE_XDP, 8569 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8570 }, 8571 { 8572 "bpf_exit with invalid return code. test1", 8573 .insns = { 8574 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8575 BPF_EXIT_INSN(), 8576 }, 8577 .errstr = "R0 has value (0x0; 0xffffffff)", 8578 .result = REJECT, 8579 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8580 }, 8581 { 8582 "bpf_exit with invalid return code. test2", 8583 .insns = { 8584 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8585 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 8586 BPF_EXIT_INSN(), 8587 }, 8588 .result = ACCEPT, 8589 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8590 }, 8591 { 8592 "bpf_exit with invalid return code. test3", 8593 .insns = { 8594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8595 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3), 8596 BPF_EXIT_INSN(), 8597 }, 8598 .errstr = "R0 has value (0x0; 0x3)", 8599 .result = REJECT, 8600 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8601 }, 8602 { 8603 "bpf_exit with invalid return code. test4", 8604 .insns = { 8605 BPF_MOV64_IMM(BPF_REG_0, 1), 8606 BPF_EXIT_INSN(), 8607 }, 8608 .result = ACCEPT, 8609 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8610 }, 8611 { 8612 "bpf_exit with invalid return code. test5", 8613 .insns = { 8614 BPF_MOV64_IMM(BPF_REG_0, 2), 8615 BPF_EXIT_INSN(), 8616 }, 8617 .errstr = "R0 has value (0x2; 0x0)", 8618 .result = REJECT, 8619 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8620 }, 8621 { 8622 "bpf_exit with invalid return code. test6", 8623 .insns = { 8624 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 8625 BPF_EXIT_INSN(), 8626 }, 8627 .errstr = "R0 is not a known value (ctx)", 8628 .result = REJECT, 8629 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8630 }, 8631 { 8632 "bpf_exit with invalid return code. test7", 8633 .insns = { 8634 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8635 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4), 8636 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2), 8637 BPF_EXIT_INSN(), 8638 }, 8639 .errstr = "R0 has unknown scalar value", 8640 .result = REJECT, 8641 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 8642 }, 8643 }; 8644 8645 static int probe_filter_length(const struct bpf_insn *fp) 8646 { 8647 int len; 8648 8649 for (len = MAX_INSNS - 1; len > 0; --len) 8650 if (fp[len].code != 0 || fp[len].imm != 0) 8651 break; 8652 return len + 1; 8653 } 8654 8655 static int create_map(uint32_t size_value, uint32_t max_elem) 8656 { 8657 int fd; 8658 8659 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 8660 size_value, max_elem, BPF_F_NO_PREALLOC); 8661 if (fd < 0) 8662 printf("Failed to create hash map '%s'!\n", strerror(errno)); 8663 8664 return fd; 8665 } 8666 8667 static int create_prog_array(void) 8668 { 8669 int fd; 8670 8671 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 8672 sizeof(int), 4, 0); 8673 if (fd < 0) 8674 printf("Failed to create prog array '%s'!\n", strerror(errno)); 8675 8676 return fd; 8677 } 8678 8679 static int create_map_in_map(void) 8680 { 8681 int inner_map_fd, outer_map_fd; 8682 8683 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 8684 sizeof(int), 1, 0); 8685 if (inner_map_fd < 0) { 8686 printf("Failed to create array '%s'!\n", strerror(errno)); 8687 return inner_map_fd; 8688 } 8689 8690 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL, 8691 sizeof(int), inner_map_fd, 1, 0); 8692 if (outer_map_fd < 0) 8693 printf("Failed to create array of maps '%s'!\n", 8694 strerror(errno)); 8695 8696 close(inner_map_fd); 8697 8698 return outer_map_fd; 8699 } 8700 8701 static char bpf_vlog[32768]; 8702 8703 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 8704 int *map_fds) 8705 { 8706 int *fixup_map1 = test->fixup_map1; 8707 int *fixup_map2 = test->fixup_map2; 8708 int *fixup_prog = test->fixup_prog; 8709 int *fixup_map_in_map = test->fixup_map_in_map; 8710 8711 /* Allocating HTs with 1 elem is fine here, since we only test 8712 * for verifier and not do a runtime lookup, so the only thing 8713 * that really matters is value size in this case. 8714 */ 8715 if (*fixup_map1) { 8716 map_fds[0] = create_map(sizeof(long long), 1); 8717 do { 8718 prog[*fixup_map1].imm = map_fds[0]; 8719 fixup_map1++; 8720 } while (*fixup_map1); 8721 } 8722 8723 if (*fixup_map2) { 8724 map_fds[1] = create_map(sizeof(struct test_val), 1); 8725 do { 8726 prog[*fixup_map2].imm = map_fds[1]; 8727 fixup_map2++; 8728 } while (*fixup_map2); 8729 } 8730 8731 if (*fixup_prog) { 8732 map_fds[2] = create_prog_array(); 8733 do { 8734 prog[*fixup_prog].imm = map_fds[2]; 8735 fixup_prog++; 8736 } while (*fixup_prog); 8737 } 8738 8739 if (*fixup_map_in_map) { 8740 map_fds[3] = create_map_in_map(); 8741 do { 8742 prog[*fixup_map_in_map].imm = map_fds[3]; 8743 fixup_map_in_map++; 8744 } while (*fixup_map_in_map); 8745 } 8746 } 8747 8748 static void do_test_single(struct bpf_test *test, bool unpriv, 8749 int *passes, int *errors) 8750 { 8751 int fd_prog, expected_ret, reject_from_alignment; 8752 struct bpf_insn *prog = test->insns; 8753 int prog_len = probe_filter_length(prog); 8754 int prog_type = test->prog_type; 8755 int map_fds[MAX_NR_MAPS]; 8756 const char *expected_err; 8757 int i; 8758 8759 for (i = 0; i < MAX_NR_MAPS; i++) 8760 map_fds[i] = -1; 8761 8762 do_test_fixup(test, prog, map_fds); 8763 8764 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 8765 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT, 8766 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1); 8767 8768 expected_ret = unpriv && test->result_unpriv != UNDEF ? 8769 test->result_unpriv : test->result; 8770 expected_err = unpriv && test->errstr_unpriv ? 8771 test->errstr_unpriv : test->errstr; 8772 8773 reject_from_alignment = fd_prog < 0 && 8774 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) && 8775 strstr(bpf_vlog, "Unknown alignment."); 8776 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 8777 if (reject_from_alignment) { 8778 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n", 8779 strerror(errno)); 8780 goto fail_log; 8781 } 8782 #endif 8783 if (expected_ret == ACCEPT) { 8784 if (fd_prog < 0 && !reject_from_alignment) { 8785 printf("FAIL\nFailed to load prog '%s'!\n", 8786 strerror(errno)); 8787 goto fail_log; 8788 } 8789 } else { 8790 if (fd_prog >= 0) { 8791 printf("FAIL\nUnexpected success to load!\n"); 8792 goto fail_log; 8793 } 8794 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) { 8795 printf("FAIL\nUnexpected error message!\n"); 8796 goto fail_log; 8797 } 8798 } 8799 8800 (*passes)++; 8801 printf("OK%s\n", reject_from_alignment ? 8802 " (NOTE: reject due to unknown alignment)" : ""); 8803 close_fds: 8804 close(fd_prog); 8805 for (i = 0; i < MAX_NR_MAPS; i++) 8806 close(map_fds[i]); 8807 sched_yield(); 8808 return; 8809 fail_log: 8810 (*errors)++; 8811 printf("%s", bpf_vlog); 8812 goto close_fds; 8813 } 8814 8815 static bool is_admin(void) 8816 { 8817 cap_t caps; 8818 cap_flag_value_t sysadmin = CAP_CLEAR; 8819 const cap_value_t cap_val = CAP_SYS_ADMIN; 8820 8821 #ifdef CAP_IS_SUPPORTED 8822 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 8823 perror("cap_get_flag"); 8824 return false; 8825 } 8826 #endif 8827 caps = cap_get_proc(); 8828 if (!caps) { 8829 perror("cap_get_proc"); 8830 return false; 8831 } 8832 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 8833 perror("cap_get_flag"); 8834 if (cap_free(caps)) 8835 perror("cap_free"); 8836 return (sysadmin == CAP_SET); 8837 } 8838 8839 static int set_admin(bool admin) 8840 { 8841 cap_t caps; 8842 const cap_value_t cap_val = CAP_SYS_ADMIN; 8843 int ret = -1; 8844 8845 caps = cap_get_proc(); 8846 if (!caps) { 8847 perror("cap_get_proc"); 8848 return -1; 8849 } 8850 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 8851 admin ? CAP_SET : CAP_CLEAR)) { 8852 perror("cap_set_flag"); 8853 goto out; 8854 } 8855 if (cap_set_proc(caps)) { 8856 perror("cap_set_proc"); 8857 goto out; 8858 } 8859 ret = 0; 8860 out: 8861 if (cap_free(caps)) 8862 perror("cap_free"); 8863 return ret; 8864 } 8865 8866 static int do_test(bool unpriv, unsigned int from, unsigned int to) 8867 { 8868 int i, passes = 0, errors = 0; 8869 8870 for (i = from; i < to; i++) { 8871 struct bpf_test *test = &tests[i]; 8872 8873 /* Program types that are not supported by non-root we 8874 * skip right away. 8875 */ 8876 if (!test->prog_type) { 8877 if (!unpriv) 8878 set_admin(false); 8879 printf("#%d/u %s ", i, test->descr); 8880 do_test_single(test, true, &passes, &errors); 8881 if (!unpriv) 8882 set_admin(true); 8883 } 8884 8885 if (!unpriv) { 8886 printf("#%d/p %s ", i, test->descr); 8887 do_test_single(test, false, &passes, &errors); 8888 } 8889 } 8890 8891 printf("Summary: %d PASSED, %d FAILED\n", passes, errors); 8892 return errors ? EXIT_FAILURE : EXIT_SUCCESS; 8893 } 8894 8895 int main(int argc, char **argv) 8896 { 8897 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY }; 8898 struct rlimit rlim = { 1 << 20, 1 << 20 }; 8899 unsigned int from = 0, to = ARRAY_SIZE(tests); 8900 bool unpriv = !is_admin(); 8901 8902 if (argc == 3) { 8903 unsigned int l = atoi(argv[argc - 2]); 8904 unsigned int u = atoi(argv[argc - 1]); 8905 8906 if (l < to && u < to) { 8907 from = l; 8908 to = u + 1; 8909 } 8910 } else if (argc == 2) { 8911 unsigned int t = atoi(argv[argc - 1]); 8912 8913 if (t < to) { 8914 from = t; 8915 to = t + 1; 8916 } 8917 } 8918 8919 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf); 8920 return do_test(unpriv, from, to); 8921 } 8922