1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of version 2 of the GNU General Public 8 * License as published by the Free Software Foundation. 9 */ 10 11 #include <asm/types.h> 12 #include <linux/types.h> 13 #include <stdint.h> 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <unistd.h> 17 #include <errno.h> 18 #include <string.h> 19 #include <stddef.h> 20 #include <stdbool.h> 21 #include <sched.h> 22 23 #include <sys/capability.h> 24 #include <sys/resource.h> 25 26 #include <linux/unistd.h> 27 #include <linux/filter.h> 28 #include <linux/bpf_perf_event.h> 29 #include <linux/bpf.h> 30 31 #include <bpf/bpf.h> 32 33 #ifdef HAVE_GENHDR 34 # include "autoconf.h" 35 #else 36 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 37 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 38 # endif 39 #endif 40 41 #include "../../../include/linux/filter.h" 42 43 #ifndef ARRAY_SIZE 44 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 45 #endif 46 47 #define MAX_INSNS 512 48 #define MAX_FIXUPS 8 49 #define MAX_NR_MAPS 4 50 51 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 52 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 53 54 struct bpf_test { 55 const char *descr; 56 struct bpf_insn insns[MAX_INSNS]; 57 int fixup_map1[MAX_FIXUPS]; 58 int fixup_map2[MAX_FIXUPS]; 59 int fixup_prog[MAX_FIXUPS]; 60 int fixup_map_in_map[MAX_FIXUPS]; 61 const char *errstr; 62 const char *errstr_unpriv; 63 enum { 64 UNDEF, 65 ACCEPT, 66 REJECT 67 } result, result_unpriv; 68 enum bpf_prog_type prog_type; 69 uint8_t flags; 70 }; 71 72 /* Note we want this to be 64 bit aligned so that the end of our array is 73 * actually the end of the structure. 74 */ 75 #define MAX_ENTRIES 11 76 77 struct test_val { 78 unsigned int index; 79 int foo[MAX_ENTRIES]; 80 }; 81 82 static struct bpf_test tests[] = { 83 { 84 "add+sub+mul", 85 .insns = { 86 BPF_MOV64_IMM(BPF_REG_1, 1), 87 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 88 BPF_MOV64_IMM(BPF_REG_2, 3), 89 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 90 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 91 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 92 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 93 BPF_EXIT_INSN(), 94 }, 95 .result = ACCEPT, 96 }, 97 { 98 "unreachable", 99 .insns = { 100 BPF_EXIT_INSN(), 101 BPF_EXIT_INSN(), 102 }, 103 .errstr = "unreachable", 104 .result = REJECT, 105 }, 106 { 107 "unreachable2", 108 .insns = { 109 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 110 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 111 BPF_EXIT_INSN(), 112 }, 113 .errstr = "unreachable", 114 .result = REJECT, 115 }, 116 { 117 "out of range jump", 118 .insns = { 119 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 120 BPF_EXIT_INSN(), 121 }, 122 .errstr = "jump out of range", 123 .result = REJECT, 124 }, 125 { 126 "out of range jump2", 127 .insns = { 128 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 129 BPF_EXIT_INSN(), 130 }, 131 .errstr = "jump out of range", 132 .result = REJECT, 133 }, 134 { 135 "test1 ld_imm64", 136 .insns = { 137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 138 BPF_LD_IMM64(BPF_REG_0, 0), 139 BPF_LD_IMM64(BPF_REG_0, 0), 140 BPF_LD_IMM64(BPF_REG_0, 1), 141 BPF_LD_IMM64(BPF_REG_0, 1), 142 BPF_MOV64_IMM(BPF_REG_0, 2), 143 BPF_EXIT_INSN(), 144 }, 145 .errstr = "invalid BPF_LD_IMM insn", 146 .errstr_unpriv = "R1 pointer comparison", 147 .result = REJECT, 148 }, 149 { 150 "test2 ld_imm64", 151 .insns = { 152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 153 BPF_LD_IMM64(BPF_REG_0, 0), 154 BPF_LD_IMM64(BPF_REG_0, 0), 155 BPF_LD_IMM64(BPF_REG_0, 1), 156 BPF_LD_IMM64(BPF_REG_0, 1), 157 BPF_EXIT_INSN(), 158 }, 159 .errstr = "invalid BPF_LD_IMM insn", 160 .errstr_unpriv = "R1 pointer comparison", 161 .result = REJECT, 162 }, 163 { 164 "test3 ld_imm64", 165 .insns = { 166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 167 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 168 BPF_LD_IMM64(BPF_REG_0, 0), 169 BPF_LD_IMM64(BPF_REG_0, 0), 170 BPF_LD_IMM64(BPF_REG_0, 1), 171 BPF_LD_IMM64(BPF_REG_0, 1), 172 BPF_EXIT_INSN(), 173 }, 174 .errstr = "invalid bpf_ld_imm64 insn", 175 .result = REJECT, 176 }, 177 { 178 "test4 ld_imm64", 179 .insns = { 180 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 181 BPF_EXIT_INSN(), 182 }, 183 .errstr = "invalid bpf_ld_imm64 insn", 184 .result = REJECT, 185 }, 186 { 187 "test5 ld_imm64", 188 .insns = { 189 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 190 }, 191 .errstr = "invalid bpf_ld_imm64 insn", 192 .result = REJECT, 193 }, 194 { 195 "test6 ld_imm64", 196 .insns = { 197 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 198 BPF_RAW_INSN(0, 0, 0, 0, 0), 199 BPF_EXIT_INSN(), 200 }, 201 .result = ACCEPT, 202 }, 203 { 204 "test7 ld_imm64", 205 .insns = { 206 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 207 BPF_RAW_INSN(0, 0, 0, 0, 1), 208 BPF_EXIT_INSN(), 209 }, 210 .result = ACCEPT, 211 }, 212 { 213 "test8 ld_imm64", 214 .insns = { 215 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1), 216 BPF_RAW_INSN(0, 0, 0, 0, 1), 217 BPF_EXIT_INSN(), 218 }, 219 .errstr = "uses reserved fields", 220 .result = REJECT, 221 }, 222 { 223 "test9 ld_imm64", 224 .insns = { 225 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 226 BPF_RAW_INSN(0, 0, 0, 1, 1), 227 BPF_EXIT_INSN(), 228 }, 229 .errstr = "invalid bpf_ld_imm64 insn", 230 .result = REJECT, 231 }, 232 { 233 "test10 ld_imm64", 234 .insns = { 235 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 236 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1), 237 BPF_EXIT_INSN(), 238 }, 239 .errstr = "invalid bpf_ld_imm64 insn", 240 .result = REJECT, 241 }, 242 { 243 "test11 ld_imm64", 244 .insns = { 245 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 246 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 247 BPF_EXIT_INSN(), 248 }, 249 .errstr = "invalid bpf_ld_imm64 insn", 250 .result = REJECT, 251 }, 252 { 253 "test12 ld_imm64", 254 .insns = { 255 BPF_MOV64_IMM(BPF_REG_1, 0), 256 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 257 BPF_RAW_INSN(0, 0, 0, 0, 1), 258 BPF_EXIT_INSN(), 259 }, 260 .errstr = "not pointing to valid bpf_map", 261 .result = REJECT, 262 }, 263 { 264 "test13 ld_imm64", 265 .insns = { 266 BPF_MOV64_IMM(BPF_REG_1, 0), 267 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 268 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 269 BPF_EXIT_INSN(), 270 }, 271 .errstr = "invalid bpf_ld_imm64 insn", 272 .result = REJECT, 273 }, 274 { 275 "no bpf_exit", 276 .insns = { 277 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 278 }, 279 .errstr = "jump out of range", 280 .result = REJECT, 281 }, 282 { 283 "loop (back-edge)", 284 .insns = { 285 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 286 BPF_EXIT_INSN(), 287 }, 288 .errstr = "back-edge", 289 .result = REJECT, 290 }, 291 { 292 "loop2 (back-edge)", 293 .insns = { 294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 296 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 297 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 298 BPF_EXIT_INSN(), 299 }, 300 .errstr = "back-edge", 301 .result = REJECT, 302 }, 303 { 304 "conditional loop", 305 .insns = { 306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 308 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 310 BPF_EXIT_INSN(), 311 }, 312 .errstr = "back-edge", 313 .result = REJECT, 314 }, 315 { 316 "read uninitialized register", 317 .insns = { 318 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 319 BPF_EXIT_INSN(), 320 }, 321 .errstr = "R2 !read_ok", 322 .result = REJECT, 323 }, 324 { 325 "read invalid register", 326 .insns = { 327 BPF_MOV64_REG(BPF_REG_0, -1), 328 BPF_EXIT_INSN(), 329 }, 330 .errstr = "R15 is invalid", 331 .result = REJECT, 332 }, 333 { 334 "program doesn't init R0 before exit", 335 .insns = { 336 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 337 BPF_EXIT_INSN(), 338 }, 339 .errstr = "R0 !read_ok", 340 .result = REJECT, 341 }, 342 { 343 "program doesn't init R0 before exit in all branches", 344 .insns = { 345 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 346 BPF_MOV64_IMM(BPF_REG_0, 1), 347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 348 BPF_EXIT_INSN(), 349 }, 350 .errstr = "R0 !read_ok", 351 .errstr_unpriv = "R1 pointer comparison", 352 .result = REJECT, 353 }, 354 { 355 "stack out of bounds", 356 .insns = { 357 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 358 BPF_EXIT_INSN(), 359 }, 360 .errstr = "invalid stack", 361 .result = REJECT, 362 }, 363 { 364 "invalid call insn1", 365 .insns = { 366 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 367 BPF_EXIT_INSN(), 368 }, 369 .errstr = "BPF_CALL uses reserved", 370 .result = REJECT, 371 }, 372 { 373 "invalid call insn2", 374 .insns = { 375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 376 BPF_EXIT_INSN(), 377 }, 378 .errstr = "BPF_CALL uses reserved", 379 .result = REJECT, 380 }, 381 { 382 "invalid function call", 383 .insns = { 384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 385 BPF_EXIT_INSN(), 386 }, 387 .errstr = "invalid func unknown#1234567", 388 .result = REJECT, 389 }, 390 { 391 "uninitialized stack1", 392 .insns = { 393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 395 BPF_LD_MAP_FD(BPF_REG_1, 0), 396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 397 BPF_FUNC_map_lookup_elem), 398 BPF_EXIT_INSN(), 399 }, 400 .fixup_map1 = { 2 }, 401 .errstr = "invalid indirect read from stack", 402 .result = REJECT, 403 }, 404 { 405 "uninitialized stack2", 406 .insns = { 407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 409 BPF_EXIT_INSN(), 410 }, 411 .errstr = "invalid read from stack", 412 .result = REJECT, 413 }, 414 { 415 "invalid fp arithmetic", 416 /* If this gets ever changed, make sure JITs can deal with it. */ 417 .insns = { 418 BPF_MOV64_IMM(BPF_REG_0, 0), 419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 420 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8), 421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 422 BPF_EXIT_INSN(), 423 }, 424 .errstr_unpriv = "R1 pointer arithmetic", 425 .result_unpriv = REJECT, 426 .errstr = "R1 invalid mem access", 427 .result = REJECT, 428 }, 429 { 430 "non-invalid fp arithmetic", 431 .insns = { 432 BPF_MOV64_IMM(BPF_REG_0, 0), 433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 434 BPF_EXIT_INSN(), 435 }, 436 .result = ACCEPT, 437 }, 438 { 439 "invalid argument register", 440 .insns = { 441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 442 BPF_FUNC_get_cgroup_classid), 443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 444 BPF_FUNC_get_cgroup_classid), 445 BPF_EXIT_INSN(), 446 }, 447 .errstr = "R1 !read_ok", 448 .result = REJECT, 449 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 450 }, 451 { 452 "non-invalid argument register", 453 .insns = { 454 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 456 BPF_FUNC_get_cgroup_classid), 457 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 459 BPF_FUNC_get_cgroup_classid), 460 BPF_EXIT_INSN(), 461 }, 462 .result = ACCEPT, 463 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 464 }, 465 { 466 "check valid spill/fill", 467 .insns = { 468 /* spill R1(ctx) into stack */ 469 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 470 /* fill it back into R2 */ 471 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 472 /* should be able to access R0 = *(R2 + 8) */ 473 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 475 BPF_EXIT_INSN(), 476 }, 477 .errstr_unpriv = "R0 leaks addr", 478 .result = ACCEPT, 479 .result_unpriv = REJECT, 480 }, 481 { 482 "check valid spill/fill, skb mark", 483 .insns = { 484 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 485 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 487 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 488 offsetof(struct __sk_buff, mark)), 489 BPF_EXIT_INSN(), 490 }, 491 .result = ACCEPT, 492 .result_unpriv = ACCEPT, 493 }, 494 { 495 "check corrupted spill/fill", 496 .insns = { 497 /* spill R1(ctx) into stack */ 498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 499 /* mess up with R1 pointer on stack */ 500 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 501 /* fill back into R0 should fail */ 502 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 503 BPF_EXIT_INSN(), 504 }, 505 .errstr_unpriv = "attempt to corrupt spilled", 506 .errstr = "corrupted spill", 507 .result = REJECT, 508 }, 509 { 510 "invalid src register in STX", 511 .insns = { 512 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 513 BPF_EXIT_INSN(), 514 }, 515 .errstr = "R15 is invalid", 516 .result = REJECT, 517 }, 518 { 519 "invalid dst register in STX", 520 .insns = { 521 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 522 BPF_EXIT_INSN(), 523 }, 524 .errstr = "R14 is invalid", 525 .result = REJECT, 526 }, 527 { 528 "invalid dst register in ST", 529 .insns = { 530 BPF_ST_MEM(BPF_B, 14, -1, -1), 531 BPF_EXIT_INSN(), 532 }, 533 .errstr = "R14 is invalid", 534 .result = REJECT, 535 }, 536 { 537 "invalid src register in LDX", 538 .insns = { 539 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 540 BPF_EXIT_INSN(), 541 }, 542 .errstr = "R12 is invalid", 543 .result = REJECT, 544 }, 545 { 546 "invalid dst register in LDX", 547 .insns = { 548 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 549 BPF_EXIT_INSN(), 550 }, 551 .errstr = "R11 is invalid", 552 .result = REJECT, 553 }, 554 { 555 "junk insn", 556 .insns = { 557 BPF_RAW_INSN(0, 0, 0, 0, 0), 558 BPF_EXIT_INSN(), 559 }, 560 .errstr = "invalid BPF_LD_IMM", 561 .result = REJECT, 562 }, 563 { 564 "junk insn2", 565 .insns = { 566 BPF_RAW_INSN(1, 0, 0, 0, 0), 567 BPF_EXIT_INSN(), 568 }, 569 .errstr = "BPF_LDX uses reserved fields", 570 .result = REJECT, 571 }, 572 { 573 "junk insn3", 574 .insns = { 575 BPF_RAW_INSN(-1, 0, 0, 0, 0), 576 BPF_EXIT_INSN(), 577 }, 578 .errstr = "invalid BPF_ALU opcode f0", 579 .result = REJECT, 580 }, 581 { 582 "junk insn4", 583 .insns = { 584 BPF_RAW_INSN(-1, -1, -1, -1, -1), 585 BPF_EXIT_INSN(), 586 }, 587 .errstr = "invalid BPF_ALU opcode f0", 588 .result = REJECT, 589 }, 590 { 591 "junk insn5", 592 .insns = { 593 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 594 BPF_EXIT_INSN(), 595 }, 596 .errstr = "BPF_ALU uses reserved fields", 597 .result = REJECT, 598 }, 599 { 600 "misaligned read from stack", 601 .insns = { 602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 604 BPF_EXIT_INSN(), 605 }, 606 .errstr = "misaligned access", 607 .result = REJECT, 608 }, 609 { 610 "invalid map_fd for function call", 611 .insns = { 612 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 613 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 615 BPF_LD_MAP_FD(BPF_REG_1, 0), 616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 617 BPF_FUNC_map_delete_elem), 618 BPF_EXIT_INSN(), 619 }, 620 .errstr = "fd 0 is not pointing to valid bpf_map", 621 .result = REJECT, 622 }, 623 { 624 "don't check return value before access", 625 .insns = { 626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 629 BPF_LD_MAP_FD(BPF_REG_1, 0), 630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 631 BPF_FUNC_map_lookup_elem), 632 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 633 BPF_EXIT_INSN(), 634 }, 635 .fixup_map1 = { 3 }, 636 .errstr = "R0 invalid mem access 'map_value_or_null'", 637 .result = REJECT, 638 }, 639 { 640 "access memory with incorrect alignment", 641 .insns = { 642 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 643 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 645 BPF_LD_MAP_FD(BPF_REG_1, 0), 646 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 647 BPF_FUNC_map_lookup_elem), 648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 649 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 650 BPF_EXIT_INSN(), 651 }, 652 .fixup_map1 = { 3 }, 653 .errstr = "misaligned access", 654 .result = REJECT, 655 }, 656 { 657 "sometimes access memory with incorrect alignment", 658 .insns = { 659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 662 BPF_LD_MAP_FD(BPF_REG_1, 0), 663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 664 BPF_FUNC_map_lookup_elem), 665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 667 BPF_EXIT_INSN(), 668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 669 BPF_EXIT_INSN(), 670 }, 671 .fixup_map1 = { 3 }, 672 .errstr = "R0 invalid mem access", 673 .errstr_unpriv = "R0 leaks addr", 674 .result = REJECT, 675 }, 676 { 677 "jump test 1", 678 .insns = { 679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 680 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 681 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 682 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 684 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 693 BPF_MOV64_IMM(BPF_REG_0, 0), 694 BPF_EXIT_INSN(), 695 }, 696 .errstr_unpriv = "R1 pointer comparison", 697 .result_unpriv = REJECT, 698 .result = ACCEPT, 699 }, 700 { 701 "jump test 2", 702 .insns = { 703 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 705 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 706 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 708 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 709 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 711 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 712 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 714 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 715 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 717 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 718 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 720 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 721 BPF_MOV64_IMM(BPF_REG_0, 0), 722 BPF_EXIT_INSN(), 723 }, 724 .errstr_unpriv = "R1 pointer comparison", 725 .result_unpriv = REJECT, 726 .result = ACCEPT, 727 }, 728 { 729 "jump test 3", 730 .insns = { 731 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 733 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 735 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 739 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 743 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 747 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 751 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 755 BPF_LD_MAP_FD(BPF_REG_1, 0), 756 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 757 BPF_FUNC_map_delete_elem), 758 BPF_EXIT_INSN(), 759 }, 760 .fixup_map1 = { 24 }, 761 .errstr_unpriv = "R1 pointer comparison", 762 .result_unpriv = REJECT, 763 .result = ACCEPT, 764 }, 765 { 766 "jump test 4", 767 .insns = { 768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 808 BPF_MOV64_IMM(BPF_REG_0, 0), 809 BPF_EXIT_INSN(), 810 }, 811 .errstr_unpriv = "R1 pointer comparison", 812 .result_unpriv = REJECT, 813 .result = ACCEPT, 814 }, 815 { 816 "jump test 5", 817 .insns = { 818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 819 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 820 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 821 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 822 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 823 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 824 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 825 BPF_MOV64_IMM(BPF_REG_0, 0), 826 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 828 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 829 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 830 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 831 BPF_MOV64_IMM(BPF_REG_0, 0), 832 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 834 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 835 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 836 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 837 BPF_MOV64_IMM(BPF_REG_0, 0), 838 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 840 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 841 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 842 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 843 BPF_MOV64_IMM(BPF_REG_0, 0), 844 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 846 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 847 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 848 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 849 BPF_MOV64_IMM(BPF_REG_0, 0), 850 BPF_EXIT_INSN(), 851 }, 852 .errstr_unpriv = "R1 pointer comparison", 853 .result_unpriv = REJECT, 854 .result = ACCEPT, 855 }, 856 { 857 "access skb fields ok", 858 .insns = { 859 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 860 offsetof(struct __sk_buff, len)), 861 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 862 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 863 offsetof(struct __sk_buff, mark)), 864 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 866 offsetof(struct __sk_buff, pkt_type)), 867 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 868 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 869 offsetof(struct __sk_buff, queue_mapping)), 870 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 871 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 872 offsetof(struct __sk_buff, protocol)), 873 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 874 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 875 offsetof(struct __sk_buff, vlan_present)), 876 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 877 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 878 offsetof(struct __sk_buff, vlan_tci)), 879 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 880 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 881 offsetof(struct __sk_buff, napi_id)), 882 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 883 BPF_EXIT_INSN(), 884 }, 885 .result = ACCEPT, 886 }, 887 { 888 "access skb fields bad1", 889 .insns = { 890 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 891 BPF_EXIT_INSN(), 892 }, 893 .errstr = "invalid bpf_context access", 894 .result = REJECT, 895 }, 896 { 897 "access skb fields bad2", 898 .insns = { 899 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 900 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 903 BPF_LD_MAP_FD(BPF_REG_1, 0), 904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 905 BPF_FUNC_map_lookup_elem), 906 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 907 BPF_EXIT_INSN(), 908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 910 offsetof(struct __sk_buff, pkt_type)), 911 BPF_EXIT_INSN(), 912 }, 913 .fixup_map1 = { 4 }, 914 .errstr = "different pointers", 915 .errstr_unpriv = "R1 pointer comparison", 916 .result = REJECT, 917 }, 918 { 919 "access skb fields bad3", 920 .insns = { 921 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 922 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 923 offsetof(struct __sk_buff, pkt_type)), 924 BPF_EXIT_INSN(), 925 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 928 BPF_LD_MAP_FD(BPF_REG_1, 0), 929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 930 BPF_FUNC_map_lookup_elem), 931 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 932 BPF_EXIT_INSN(), 933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 934 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 935 }, 936 .fixup_map1 = { 6 }, 937 .errstr = "different pointers", 938 .errstr_unpriv = "R1 pointer comparison", 939 .result = REJECT, 940 }, 941 { 942 "access skb fields bad4", 943 .insns = { 944 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 945 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 946 offsetof(struct __sk_buff, len)), 947 BPF_MOV64_IMM(BPF_REG_0, 0), 948 BPF_EXIT_INSN(), 949 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 952 BPF_LD_MAP_FD(BPF_REG_1, 0), 953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 954 BPF_FUNC_map_lookup_elem), 955 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 956 BPF_EXIT_INSN(), 957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 958 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 959 }, 960 .fixup_map1 = { 7 }, 961 .errstr = "different pointers", 962 .errstr_unpriv = "R1 pointer comparison", 963 .result = REJECT, 964 }, 965 { 966 "check skb->mark is not writeable by sockets", 967 .insns = { 968 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 969 offsetof(struct __sk_buff, mark)), 970 BPF_EXIT_INSN(), 971 }, 972 .errstr = "invalid bpf_context access", 973 .errstr_unpriv = "R1 leaks addr", 974 .result = REJECT, 975 }, 976 { 977 "check skb->tc_index is not writeable by sockets", 978 .insns = { 979 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 980 offsetof(struct __sk_buff, tc_index)), 981 BPF_EXIT_INSN(), 982 }, 983 .errstr = "invalid bpf_context access", 984 .errstr_unpriv = "R1 leaks addr", 985 .result = REJECT, 986 }, 987 { 988 "check cb access: byte", 989 .insns = { 990 BPF_MOV64_IMM(BPF_REG_0, 0), 991 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 992 offsetof(struct __sk_buff, cb[0])), 993 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 994 offsetof(struct __sk_buff, cb[0]) + 1), 995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 996 offsetof(struct __sk_buff, cb[0]) + 2), 997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 998 offsetof(struct __sk_buff, cb[0]) + 3), 999 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1000 offsetof(struct __sk_buff, cb[1])), 1001 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1002 offsetof(struct __sk_buff, cb[1]) + 1), 1003 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1004 offsetof(struct __sk_buff, cb[1]) + 2), 1005 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1006 offsetof(struct __sk_buff, cb[1]) + 3), 1007 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1008 offsetof(struct __sk_buff, cb[2])), 1009 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1010 offsetof(struct __sk_buff, cb[2]) + 1), 1011 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1012 offsetof(struct __sk_buff, cb[2]) + 2), 1013 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1014 offsetof(struct __sk_buff, cb[2]) + 3), 1015 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1016 offsetof(struct __sk_buff, cb[3])), 1017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1018 offsetof(struct __sk_buff, cb[3]) + 1), 1019 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1020 offsetof(struct __sk_buff, cb[3]) + 2), 1021 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1022 offsetof(struct __sk_buff, cb[3]) + 3), 1023 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1024 offsetof(struct __sk_buff, cb[4])), 1025 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1026 offsetof(struct __sk_buff, cb[4]) + 1), 1027 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1028 offsetof(struct __sk_buff, cb[4]) + 2), 1029 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1030 offsetof(struct __sk_buff, cb[4]) + 3), 1031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1032 offsetof(struct __sk_buff, cb[0])), 1033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1034 offsetof(struct __sk_buff, cb[0]) + 1), 1035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1036 offsetof(struct __sk_buff, cb[0]) + 2), 1037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1038 offsetof(struct __sk_buff, cb[0]) + 3), 1039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1040 offsetof(struct __sk_buff, cb[1])), 1041 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1042 offsetof(struct __sk_buff, cb[1]) + 1), 1043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1044 offsetof(struct __sk_buff, cb[1]) + 2), 1045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1046 offsetof(struct __sk_buff, cb[1]) + 3), 1047 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1048 offsetof(struct __sk_buff, cb[2])), 1049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1050 offsetof(struct __sk_buff, cb[2]) + 1), 1051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1052 offsetof(struct __sk_buff, cb[2]) + 2), 1053 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1054 offsetof(struct __sk_buff, cb[2]) + 3), 1055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1056 offsetof(struct __sk_buff, cb[3])), 1057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1058 offsetof(struct __sk_buff, cb[3]) + 1), 1059 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1060 offsetof(struct __sk_buff, cb[3]) + 2), 1061 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1062 offsetof(struct __sk_buff, cb[3]) + 3), 1063 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1064 offsetof(struct __sk_buff, cb[4])), 1065 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1066 offsetof(struct __sk_buff, cb[4]) + 1), 1067 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1068 offsetof(struct __sk_buff, cb[4]) + 2), 1069 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1070 offsetof(struct __sk_buff, cb[4]) + 3), 1071 BPF_EXIT_INSN(), 1072 }, 1073 .result = ACCEPT, 1074 }, 1075 { 1076 "check cb access: byte, oob 1", 1077 .insns = { 1078 BPF_MOV64_IMM(BPF_REG_0, 0), 1079 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1080 offsetof(struct __sk_buff, cb[4]) + 4), 1081 BPF_EXIT_INSN(), 1082 }, 1083 .errstr = "invalid bpf_context access", 1084 .result = REJECT, 1085 }, 1086 { 1087 "check cb access: byte, oob 2", 1088 .insns = { 1089 BPF_MOV64_IMM(BPF_REG_0, 0), 1090 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1091 offsetof(struct __sk_buff, cb[0]) - 1), 1092 BPF_EXIT_INSN(), 1093 }, 1094 .errstr = "invalid bpf_context access", 1095 .result = REJECT, 1096 }, 1097 { 1098 "check cb access: byte, oob 3", 1099 .insns = { 1100 BPF_MOV64_IMM(BPF_REG_0, 0), 1101 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1102 offsetof(struct __sk_buff, cb[4]) + 4), 1103 BPF_EXIT_INSN(), 1104 }, 1105 .errstr = "invalid bpf_context access", 1106 .result = REJECT, 1107 }, 1108 { 1109 "check cb access: byte, oob 4", 1110 .insns = { 1111 BPF_MOV64_IMM(BPF_REG_0, 0), 1112 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1113 offsetof(struct __sk_buff, cb[0]) - 1), 1114 BPF_EXIT_INSN(), 1115 }, 1116 .errstr = "invalid bpf_context access", 1117 .result = REJECT, 1118 }, 1119 { 1120 "check cb access: byte, wrong type", 1121 .insns = { 1122 BPF_MOV64_IMM(BPF_REG_0, 0), 1123 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1124 offsetof(struct __sk_buff, cb[0])), 1125 BPF_EXIT_INSN(), 1126 }, 1127 .errstr = "invalid bpf_context access", 1128 .result = REJECT, 1129 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1130 }, 1131 { 1132 "check cb access: half", 1133 .insns = { 1134 BPF_MOV64_IMM(BPF_REG_0, 0), 1135 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1136 offsetof(struct __sk_buff, cb[0])), 1137 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1138 offsetof(struct __sk_buff, cb[0]) + 2), 1139 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1140 offsetof(struct __sk_buff, cb[1])), 1141 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1142 offsetof(struct __sk_buff, cb[1]) + 2), 1143 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1144 offsetof(struct __sk_buff, cb[2])), 1145 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1146 offsetof(struct __sk_buff, cb[2]) + 2), 1147 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1148 offsetof(struct __sk_buff, cb[3])), 1149 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1150 offsetof(struct __sk_buff, cb[3]) + 2), 1151 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1152 offsetof(struct __sk_buff, cb[4])), 1153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1154 offsetof(struct __sk_buff, cb[4]) + 2), 1155 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1156 offsetof(struct __sk_buff, cb[0])), 1157 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1158 offsetof(struct __sk_buff, cb[0]) + 2), 1159 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1160 offsetof(struct __sk_buff, cb[1])), 1161 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1162 offsetof(struct __sk_buff, cb[1]) + 2), 1163 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1164 offsetof(struct __sk_buff, cb[2])), 1165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1166 offsetof(struct __sk_buff, cb[2]) + 2), 1167 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1168 offsetof(struct __sk_buff, cb[3])), 1169 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1170 offsetof(struct __sk_buff, cb[3]) + 2), 1171 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1172 offsetof(struct __sk_buff, cb[4])), 1173 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1174 offsetof(struct __sk_buff, cb[4]) + 2), 1175 BPF_EXIT_INSN(), 1176 }, 1177 .result = ACCEPT, 1178 }, 1179 { 1180 "check cb access: half, unaligned", 1181 .insns = { 1182 BPF_MOV64_IMM(BPF_REG_0, 0), 1183 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1184 offsetof(struct __sk_buff, cb[0]) + 1), 1185 BPF_EXIT_INSN(), 1186 }, 1187 .errstr = "misaligned access", 1188 .result = REJECT, 1189 }, 1190 { 1191 "check cb access: half, oob 1", 1192 .insns = { 1193 BPF_MOV64_IMM(BPF_REG_0, 0), 1194 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1195 offsetof(struct __sk_buff, cb[4]) + 4), 1196 BPF_EXIT_INSN(), 1197 }, 1198 .errstr = "invalid bpf_context access", 1199 .result = REJECT, 1200 }, 1201 { 1202 "check cb access: half, oob 2", 1203 .insns = { 1204 BPF_MOV64_IMM(BPF_REG_0, 0), 1205 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1206 offsetof(struct __sk_buff, cb[0]) - 2), 1207 BPF_EXIT_INSN(), 1208 }, 1209 .errstr = "invalid bpf_context access", 1210 .result = REJECT, 1211 }, 1212 { 1213 "check cb access: half, oob 3", 1214 .insns = { 1215 BPF_MOV64_IMM(BPF_REG_0, 0), 1216 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1217 offsetof(struct __sk_buff, cb[4]) + 4), 1218 BPF_EXIT_INSN(), 1219 }, 1220 .errstr = "invalid bpf_context access", 1221 .result = REJECT, 1222 }, 1223 { 1224 "check cb access: half, oob 4", 1225 .insns = { 1226 BPF_MOV64_IMM(BPF_REG_0, 0), 1227 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 1228 offsetof(struct __sk_buff, cb[0]) - 2), 1229 BPF_EXIT_INSN(), 1230 }, 1231 .errstr = "invalid bpf_context access", 1232 .result = REJECT, 1233 }, 1234 { 1235 "check cb access: half, wrong type", 1236 .insns = { 1237 BPF_MOV64_IMM(BPF_REG_0, 0), 1238 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 1239 offsetof(struct __sk_buff, cb[0])), 1240 BPF_EXIT_INSN(), 1241 }, 1242 .errstr = "invalid bpf_context access", 1243 .result = REJECT, 1244 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1245 }, 1246 { 1247 "check cb access: word", 1248 .insns = { 1249 BPF_MOV64_IMM(BPF_REG_0, 0), 1250 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1251 offsetof(struct __sk_buff, cb[0])), 1252 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1253 offsetof(struct __sk_buff, cb[1])), 1254 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1255 offsetof(struct __sk_buff, cb[2])), 1256 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1257 offsetof(struct __sk_buff, cb[3])), 1258 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1259 offsetof(struct __sk_buff, cb[4])), 1260 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1261 offsetof(struct __sk_buff, cb[0])), 1262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1263 offsetof(struct __sk_buff, cb[1])), 1264 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1265 offsetof(struct __sk_buff, cb[2])), 1266 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1267 offsetof(struct __sk_buff, cb[3])), 1268 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1269 offsetof(struct __sk_buff, cb[4])), 1270 BPF_EXIT_INSN(), 1271 }, 1272 .result = ACCEPT, 1273 }, 1274 { 1275 "check cb access: word, unaligned 1", 1276 .insns = { 1277 BPF_MOV64_IMM(BPF_REG_0, 0), 1278 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1279 offsetof(struct __sk_buff, cb[0]) + 2), 1280 BPF_EXIT_INSN(), 1281 }, 1282 .errstr = "misaligned access", 1283 .result = REJECT, 1284 }, 1285 { 1286 "check cb access: word, unaligned 2", 1287 .insns = { 1288 BPF_MOV64_IMM(BPF_REG_0, 0), 1289 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1290 offsetof(struct __sk_buff, cb[4]) + 1), 1291 BPF_EXIT_INSN(), 1292 }, 1293 .errstr = "misaligned access", 1294 .result = REJECT, 1295 }, 1296 { 1297 "check cb access: word, unaligned 3", 1298 .insns = { 1299 BPF_MOV64_IMM(BPF_REG_0, 0), 1300 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1301 offsetof(struct __sk_buff, cb[4]) + 2), 1302 BPF_EXIT_INSN(), 1303 }, 1304 .errstr = "misaligned access", 1305 .result = REJECT, 1306 }, 1307 { 1308 "check cb access: word, unaligned 4", 1309 .insns = { 1310 BPF_MOV64_IMM(BPF_REG_0, 0), 1311 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1312 offsetof(struct __sk_buff, cb[4]) + 3), 1313 BPF_EXIT_INSN(), 1314 }, 1315 .errstr = "misaligned access", 1316 .result = REJECT, 1317 }, 1318 { 1319 "check cb access: double", 1320 .insns = { 1321 BPF_MOV64_IMM(BPF_REG_0, 0), 1322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1323 offsetof(struct __sk_buff, cb[0])), 1324 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1325 offsetof(struct __sk_buff, cb[2])), 1326 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1327 offsetof(struct __sk_buff, cb[0])), 1328 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1329 offsetof(struct __sk_buff, cb[2])), 1330 BPF_EXIT_INSN(), 1331 }, 1332 .result = ACCEPT, 1333 }, 1334 { 1335 "check cb access: double, unaligned 1", 1336 .insns = { 1337 BPF_MOV64_IMM(BPF_REG_0, 0), 1338 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1339 offsetof(struct __sk_buff, cb[1])), 1340 BPF_EXIT_INSN(), 1341 }, 1342 .errstr = "misaligned access", 1343 .result = REJECT, 1344 }, 1345 { 1346 "check cb access: double, unaligned 2", 1347 .insns = { 1348 BPF_MOV64_IMM(BPF_REG_0, 0), 1349 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1350 offsetof(struct __sk_buff, cb[3])), 1351 BPF_EXIT_INSN(), 1352 }, 1353 .errstr = "misaligned access", 1354 .result = REJECT, 1355 }, 1356 { 1357 "check cb access: double, oob 1", 1358 .insns = { 1359 BPF_MOV64_IMM(BPF_REG_0, 0), 1360 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1361 offsetof(struct __sk_buff, cb[4])), 1362 BPF_EXIT_INSN(), 1363 }, 1364 .errstr = "invalid bpf_context access", 1365 .result = REJECT, 1366 }, 1367 { 1368 "check cb access: double, oob 2", 1369 .insns = { 1370 BPF_MOV64_IMM(BPF_REG_0, 0), 1371 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1372 offsetof(struct __sk_buff, cb[4]) + 8), 1373 BPF_EXIT_INSN(), 1374 }, 1375 .errstr = "invalid bpf_context access", 1376 .result = REJECT, 1377 }, 1378 { 1379 "check cb access: double, oob 3", 1380 .insns = { 1381 BPF_MOV64_IMM(BPF_REG_0, 0), 1382 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1383 offsetof(struct __sk_buff, cb[0]) - 8), 1384 BPF_EXIT_INSN(), 1385 }, 1386 .errstr = "invalid bpf_context access", 1387 .result = REJECT, 1388 }, 1389 { 1390 "check cb access: double, oob 4", 1391 .insns = { 1392 BPF_MOV64_IMM(BPF_REG_0, 0), 1393 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1394 offsetof(struct __sk_buff, cb[4])), 1395 BPF_EXIT_INSN(), 1396 }, 1397 .errstr = "invalid bpf_context access", 1398 .result = REJECT, 1399 }, 1400 { 1401 "check cb access: double, oob 5", 1402 .insns = { 1403 BPF_MOV64_IMM(BPF_REG_0, 0), 1404 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1405 offsetof(struct __sk_buff, cb[4]) + 8), 1406 BPF_EXIT_INSN(), 1407 }, 1408 .errstr = "invalid bpf_context access", 1409 .result = REJECT, 1410 }, 1411 { 1412 "check cb access: double, oob 6", 1413 .insns = { 1414 BPF_MOV64_IMM(BPF_REG_0, 0), 1415 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 1416 offsetof(struct __sk_buff, cb[0]) - 8), 1417 BPF_EXIT_INSN(), 1418 }, 1419 .errstr = "invalid bpf_context access", 1420 .result = REJECT, 1421 }, 1422 { 1423 "check cb access: double, wrong type", 1424 .insns = { 1425 BPF_MOV64_IMM(BPF_REG_0, 0), 1426 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 1427 offsetof(struct __sk_buff, cb[0])), 1428 BPF_EXIT_INSN(), 1429 }, 1430 .errstr = "invalid bpf_context access", 1431 .result = REJECT, 1432 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 1433 }, 1434 { 1435 "check out of range skb->cb access", 1436 .insns = { 1437 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1438 offsetof(struct __sk_buff, cb[0]) + 256), 1439 BPF_EXIT_INSN(), 1440 }, 1441 .errstr = "invalid bpf_context access", 1442 .errstr_unpriv = "", 1443 .result = REJECT, 1444 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 1445 }, 1446 { 1447 "write skb fields from socket prog", 1448 .insns = { 1449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1450 offsetof(struct __sk_buff, cb[4])), 1451 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1452 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1453 offsetof(struct __sk_buff, mark)), 1454 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1455 offsetof(struct __sk_buff, tc_index)), 1456 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1457 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1458 offsetof(struct __sk_buff, cb[0])), 1459 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1460 offsetof(struct __sk_buff, cb[2])), 1461 BPF_EXIT_INSN(), 1462 }, 1463 .result = ACCEPT, 1464 .errstr_unpriv = "R1 leaks addr", 1465 .result_unpriv = REJECT, 1466 }, 1467 { 1468 "write skb fields from tc_cls_act prog", 1469 .insns = { 1470 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1471 offsetof(struct __sk_buff, cb[0])), 1472 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1473 offsetof(struct __sk_buff, mark)), 1474 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1475 offsetof(struct __sk_buff, tc_index)), 1476 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1477 offsetof(struct __sk_buff, tc_index)), 1478 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1479 offsetof(struct __sk_buff, cb[3])), 1480 BPF_EXIT_INSN(), 1481 }, 1482 .errstr_unpriv = "", 1483 .result_unpriv = REJECT, 1484 .result = ACCEPT, 1485 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1486 }, 1487 { 1488 "PTR_TO_STACK store/load", 1489 .insns = { 1490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1492 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1493 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1494 BPF_EXIT_INSN(), 1495 }, 1496 .result = ACCEPT, 1497 }, 1498 { 1499 "PTR_TO_STACK store/load - bad alignment on off", 1500 .insns = { 1501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1503 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 1504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 1505 BPF_EXIT_INSN(), 1506 }, 1507 .result = REJECT, 1508 .errstr = "misaligned access off -6 size 8", 1509 }, 1510 { 1511 "PTR_TO_STACK store/load - bad alignment on reg", 1512 .insns = { 1513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 1515 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1516 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1517 BPF_EXIT_INSN(), 1518 }, 1519 .result = REJECT, 1520 .errstr = "misaligned access off -2 size 8", 1521 }, 1522 { 1523 "PTR_TO_STACK store/load - out of bounds low", 1524 .insns = { 1525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 1527 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1529 BPF_EXIT_INSN(), 1530 }, 1531 .result = REJECT, 1532 .errstr = "invalid stack off=-79992 size=8", 1533 }, 1534 { 1535 "PTR_TO_STACK store/load - out of bounds high", 1536 .insns = { 1537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1539 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 1540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 1541 BPF_EXIT_INSN(), 1542 }, 1543 .result = REJECT, 1544 .errstr = "invalid stack off=0 size=8", 1545 }, 1546 { 1547 "unpriv: return pointer", 1548 .insns = { 1549 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 1550 BPF_EXIT_INSN(), 1551 }, 1552 .result = ACCEPT, 1553 .result_unpriv = REJECT, 1554 .errstr_unpriv = "R0 leaks addr", 1555 }, 1556 { 1557 "unpriv: add const to pointer", 1558 .insns = { 1559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 1560 BPF_MOV64_IMM(BPF_REG_0, 0), 1561 BPF_EXIT_INSN(), 1562 }, 1563 .result = ACCEPT, 1564 .result_unpriv = REJECT, 1565 .errstr_unpriv = "R1 pointer arithmetic", 1566 }, 1567 { 1568 "unpriv: add pointer to pointer", 1569 .insns = { 1570 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1571 BPF_MOV64_IMM(BPF_REG_0, 0), 1572 BPF_EXIT_INSN(), 1573 }, 1574 .result = ACCEPT, 1575 .result_unpriv = REJECT, 1576 .errstr_unpriv = "R1 pointer arithmetic", 1577 }, 1578 { 1579 "unpriv: neg pointer", 1580 .insns = { 1581 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 1582 BPF_MOV64_IMM(BPF_REG_0, 0), 1583 BPF_EXIT_INSN(), 1584 }, 1585 .result = ACCEPT, 1586 .result_unpriv = REJECT, 1587 .errstr_unpriv = "R1 pointer arithmetic", 1588 }, 1589 { 1590 "unpriv: cmp pointer with const", 1591 .insns = { 1592 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1593 BPF_MOV64_IMM(BPF_REG_0, 0), 1594 BPF_EXIT_INSN(), 1595 }, 1596 .result = ACCEPT, 1597 .result_unpriv = REJECT, 1598 .errstr_unpriv = "R1 pointer comparison", 1599 }, 1600 { 1601 "unpriv: cmp pointer with pointer", 1602 .insns = { 1603 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1604 BPF_MOV64_IMM(BPF_REG_0, 0), 1605 BPF_EXIT_INSN(), 1606 }, 1607 .result = ACCEPT, 1608 .result_unpriv = REJECT, 1609 .errstr_unpriv = "R10 pointer comparison", 1610 }, 1611 { 1612 "unpriv: check that printk is disallowed", 1613 .insns = { 1614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1615 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 1616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 1617 BPF_MOV64_IMM(BPF_REG_2, 8), 1618 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1620 BPF_FUNC_trace_printk), 1621 BPF_MOV64_IMM(BPF_REG_0, 0), 1622 BPF_EXIT_INSN(), 1623 }, 1624 .errstr_unpriv = "unknown func bpf_trace_printk#6", 1625 .result_unpriv = REJECT, 1626 .result = ACCEPT, 1627 }, 1628 { 1629 "unpriv: pass pointer to helper function", 1630 .insns = { 1631 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1634 BPF_LD_MAP_FD(BPF_REG_1, 0), 1635 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1636 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 1637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1638 BPF_FUNC_map_update_elem), 1639 BPF_MOV64_IMM(BPF_REG_0, 0), 1640 BPF_EXIT_INSN(), 1641 }, 1642 .fixup_map1 = { 3 }, 1643 .errstr_unpriv = "R4 leaks addr", 1644 .result_unpriv = REJECT, 1645 .result = ACCEPT, 1646 }, 1647 { 1648 "unpriv: indirectly pass pointer on stack to helper function", 1649 .insns = { 1650 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1653 BPF_LD_MAP_FD(BPF_REG_1, 0), 1654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1655 BPF_FUNC_map_lookup_elem), 1656 BPF_MOV64_IMM(BPF_REG_0, 0), 1657 BPF_EXIT_INSN(), 1658 }, 1659 .fixup_map1 = { 3 }, 1660 .errstr = "invalid indirect read from stack off -8+0 size 8", 1661 .result = REJECT, 1662 }, 1663 { 1664 "unpriv: mangle pointer on stack 1", 1665 .insns = { 1666 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1667 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 1668 BPF_MOV64_IMM(BPF_REG_0, 0), 1669 BPF_EXIT_INSN(), 1670 }, 1671 .errstr_unpriv = "attempt to corrupt spilled", 1672 .result_unpriv = REJECT, 1673 .result = ACCEPT, 1674 }, 1675 { 1676 "unpriv: mangle pointer on stack 2", 1677 .insns = { 1678 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1679 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 1680 BPF_MOV64_IMM(BPF_REG_0, 0), 1681 BPF_EXIT_INSN(), 1682 }, 1683 .errstr_unpriv = "attempt to corrupt spilled", 1684 .result_unpriv = REJECT, 1685 .result = ACCEPT, 1686 }, 1687 { 1688 "unpriv: read pointer from stack in small chunks", 1689 .insns = { 1690 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 1691 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 1692 BPF_MOV64_IMM(BPF_REG_0, 0), 1693 BPF_EXIT_INSN(), 1694 }, 1695 .errstr = "invalid size", 1696 .result = REJECT, 1697 }, 1698 { 1699 "unpriv: write pointer into ctx", 1700 .insns = { 1701 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 1702 BPF_MOV64_IMM(BPF_REG_0, 0), 1703 BPF_EXIT_INSN(), 1704 }, 1705 .errstr_unpriv = "R1 leaks addr", 1706 .result_unpriv = REJECT, 1707 .errstr = "invalid bpf_context access", 1708 .result = REJECT, 1709 }, 1710 { 1711 "unpriv: spill/fill of ctx", 1712 .insns = { 1713 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1715 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1716 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1717 BPF_MOV64_IMM(BPF_REG_0, 0), 1718 BPF_EXIT_INSN(), 1719 }, 1720 .result = ACCEPT, 1721 }, 1722 { 1723 "unpriv: spill/fill of ctx 2", 1724 .insns = { 1725 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1727 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1728 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1729 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1730 BPF_FUNC_get_hash_recalc), 1731 BPF_EXIT_INSN(), 1732 }, 1733 .result = ACCEPT, 1734 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1735 }, 1736 { 1737 "unpriv: spill/fill of ctx 3", 1738 .insns = { 1739 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1741 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1742 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1743 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1744 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1745 BPF_FUNC_get_hash_recalc), 1746 BPF_EXIT_INSN(), 1747 }, 1748 .result = REJECT, 1749 .errstr = "R1 type=fp expected=ctx", 1750 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1751 }, 1752 { 1753 "unpriv: spill/fill of ctx 4", 1754 .insns = { 1755 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1757 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1758 BPF_MOV64_IMM(BPF_REG_0, 1), 1759 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 1760 BPF_REG_0, -8, 0), 1761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1763 BPF_FUNC_get_hash_recalc), 1764 BPF_EXIT_INSN(), 1765 }, 1766 .result = REJECT, 1767 .errstr = "R1 type=inv expected=ctx", 1768 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1769 }, 1770 { 1771 "unpriv: spill/fill of different pointers stx", 1772 .insns = { 1773 BPF_MOV64_IMM(BPF_REG_3, 42), 1774 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1777 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 1779 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1780 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1781 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1782 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1783 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 1784 offsetof(struct __sk_buff, mark)), 1785 BPF_MOV64_IMM(BPF_REG_0, 0), 1786 BPF_EXIT_INSN(), 1787 }, 1788 .result = REJECT, 1789 .errstr = "same insn cannot be used with different pointers", 1790 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1791 }, 1792 { 1793 "unpriv: spill/fill of different pointers ldx", 1794 .insns = { 1795 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1800 -(__s32)offsetof(struct bpf_perf_event_data, 1801 sample_period) - 8), 1802 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 1803 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 1804 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 1805 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 1806 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 1807 offsetof(struct bpf_perf_event_data, 1808 sample_period)), 1809 BPF_MOV64_IMM(BPF_REG_0, 0), 1810 BPF_EXIT_INSN(), 1811 }, 1812 .result = REJECT, 1813 .errstr = "same insn cannot be used with different pointers", 1814 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 1815 }, 1816 { 1817 "unpriv: write pointer into map elem value", 1818 .insns = { 1819 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1820 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1822 BPF_LD_MAP_FD(BPF_REG_1, 0), 1823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1824 BPF_FUNC_map_lookup_elem), 1825 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 1826 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 1827 BPF_EXIT_INSN(), 1828 }, 1829 .fixup_map1 = { 3 }, 1830 .errstr_unpriv = "R0 leaks addr", 1831 .result_unpriv = REJECT, 1832 .result = ACCEPT, 1833 }, 1834 { 1835 "unpriv: partial copy of pointer", 1836 .insns = { 1837 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 1838 BPF_MOV64_IMM(BPF_REG_0, 0), 1839 BPF_EXIT_INSN(), 1840 }, 1841 .errstr_unpriv = "R10 partial copy", 1842 .result_unpriv = REJECT, 1843 .result = ACCEPT, 1844 }, 1845 { 1846 "unpriv: pass pointer to tail_call", 1847 .insns = { 1848 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 1849 BPF_LD_MAP_FD(BPF_REG_2, 0), 1850 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1851 BPF_FUNC_tail_call), 1852 BPF_MOV64_IMM(BPF_REG_0, 0), 1853 BPF_EXIT_INSN(), 1854 }, 1855 .fixup_prog = { 1 }, 1856 .errstr_unpriv = "R3 leaks addr into helper", 1857 .result_unpriv = REJECT, 1858 .result = ACCEPT, 1859 }, 1860 { 1861 "unpriv: cmp map pointer with zero", 1862 .insns = { 1863 BPF_MOV64_IMM(BPF_REG_1, 0), 1864 BPF_LD_MAP_FD(BPF_REG_1, 0), 1865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 1866 BPF_MOV64_IMM(BPF_REG_0, 0), 1867 BPF_EXIT_INSN(), 1868 }, 1869 .fixup_map1 = { 1 }, 1870 .errstr_unpriv = "R1 pointer comparison", 1871 .result_unpriv = REJECT, 1872 .result = ACCEPT, 1873 }, 1874 { 1875 "unpriv: write into frame pointer", 1876 .insns = { 1877 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 1878 BPF_MOV64_IMM(BPF_REG_0, 0), 1879 BPF_EXIT_INSN(), 1880 }, 1881 .errstr = "frame pointer is read only", 1882 .result = REJECT, 1883 }, 1884 { 1885 "unpriv: spill/fill frame pointer", 1886 .insns = { 1887 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1889 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 1890 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 1891 BPF_MOV64_IMM(BPF_REG_0, 0), 1892 BPF_EXIT_INSN(), 1893 }, 1894 .errstr = "frame pointer is read only", 1895 .result = REJECT, 1896 }, 1897 { 1898 "unpriv: cmp of frame pointer", 1899 .insns = { 1900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 1901 BPF_MOV64_IMM(BPF_REG_0, 0), 1902 BPF_EXIT_INSN(), 1903 }, 1904 .errstr_unpriv = "R10 pointer comparison", 1905 .result_unpriv = REJECT, 1906 .result = ACCEPT, 1907 }, 1908 { 1909 "unpriv: adding of fp", 1910 .insns = { 1911 BPF_MOV64_IMM(BPF_REG_0, 0), 1912 BPF_MOV64_IMM(BPF_REG_1, 0), 1913 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 1914 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 1915 BPF_EXIT_INSN(), 1916 }, 1917 .errstr_unpriv = "pointer arithmetic prohibited", 1918 .result_unpriv = REJECT, 1919 .errstr = "R1 invalid mem access", 1920 .result = REJECT, 1921 }, 1922 { 1923 "unpriv: cmp of stack pointer", 1924 .insns = { 1925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1927 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 1928 BPF_MOV64_IMM(BPF_REG_0, 0), 1929 BPF_EXIT_INSN(), 1930 }, 1931 .errstr_unpriv = "R2 pointer comparison", 1932 .result_unpriv = REJECT, 1933 .result = ACCEPT, 1934 }, 1935 { 1936 "stack pointer arithmetic", 1937 .insns = { 1938 BPF_MOV64_IMM(BPF_REG_1, 4), 1939 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1940 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 1941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 1942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 1943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 1944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 1945 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 1946 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 1947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 1948 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 1949 BPF_MOV64_IMM(BPF_REG_0, 0), 1950 BPF_EXIT_INSN(), 1951 }, 1952 .result = ACCEPT, 1953 }, 1954 { 1955 "raw_stack: no skb_load_bytes", 1956 .insns = { 1957 BPF_MOV64_IMM(BPF_REG_2, 4), 1958 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1960 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1961 BPF_MOV64_IMM(BPF_REG_4, 8), 1962 /* Call to skb_load_bytes() omitted. */ 1963 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1964 BPF_EXIT_INSN(), 1965 }, 1966 .result = REJECT, 1967 .errstr = "invalid read from stack off -8+0 size 8", 1968 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1969 }, 1970 { 1971 "raw_stack: skb_load_bytes, negative len", 1972 .insns = { 1973 BPF_MOV64_IMM(BPF_REG_2, 4), 1974 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1976 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1977 BPF_MOV64_IMM(BPF_REG_4, -8), 1978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1979 BPF_FUNC_skb_load_bytes), 1980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1981 BPF_EXIT_INSN(), 1982 }, 1983 .result = REJECT, 1984 .errstr = "invalid stack type R3", 1985 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1986 }, 1987 { 1988 "raw_stack: skb_load_bytes, negative len 2", 1989 .insns = { 1990 BPF_MOV64_IMM(BPF_REG_2, 4), 1991 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 1992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 1993 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 1994 BPF_MOV64_IMM(BPF_REG_4, ~0), 1995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1996 BPF_FUNC_skb_load_bytes), 1997 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 1998 BPF_EXIT_INSN(), 1999 }, 2000 .result = REJECT, 2001 .errstr = "invalid stack type R3", 2002 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2003 }, 2004 { 2005 "raw_stack: skb_load_bytes, zero len", 2006 .insns = { 2007 BPF_MOV64_IMM(BPF_REG_2, 4), 2008 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2010 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2011 BPF_MOV64_IMM(BPF_REG_4, 0), 2012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2013 BPF_FUNC_skb_load_bytes), 2014 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2015 BPF_EXIT_INSN(), 2016 }, 2017 .result = REJECT, 2018 .errstr = "invalid stack type R3", 2019 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2020 }, 2021 { 2022 "raw_stack: skb_load_bytes, no init", 2023 .insns = { 2024 BPF_MOV64_IMM(BPF_REG_2, 4), 2025 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2027 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2028 BPF_MOV64_IMM(BPF_REG_4, 8), 2029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2030 BPF_FUNC_skb_load_bytes), 2031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2032 BPF_EXIT_INSN(), 2033 }, 2034 .result = ACCEPT, 2035 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2036 }, 2037 { 2038 "raw_stack: skb_load_bytes, init", 2039 .insns = { 2040 BPF_MOV64_IMM(BPF_REG_2, 4), 2041 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2043 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 2044 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2045 BPF_MOV64_IMM(BPF_REG_4, 8), 2046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2047 BPF_FUNC_skb_load_bytes), 2048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2049 BPF_EXIT_INSN(), 2050 }, 2051 .result = ACCEPT, 2052 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2053 }, 2054 { 2055 "raw_stack: skb_load_bytes, spilled regs around bounds", 2056 .insns = { 2057 BPF_MOV64_IMM(BPF_REG_2, 4), 2058 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2060 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2061 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2062 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2063 BPF_MOV64_IMM(BPF_REG_4, 8), 2064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2065 BPF_FUNC_skb_load_bytes), 2066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2067 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2068 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2069 offsetof(struct __sk_buff, mark)), 2070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2071 offsetof(struct __sk_buff, priority)), 2072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2073 BPF_EXIT_INSN(), 2074 }, 2075 .result = ACCEPT, 2076 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2077 }, 2078 { 2079 "raw_stack: skb_load_bytes, spilled regs corruption", 2080 .insns = { 2081 BPF_MOV64_IMM(BPF_REG_2, 4), 2082 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2084 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2085 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2086 BPF_MOV64_IMM(BPF_REG_4, 8), 2087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2088 BPF_FUNC_skb_load_bytes), 2089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2091 offsetof(struct __sk_buff, mark)), 2092 BPF_EXIT_INSN(), 2093 }, 2094 .result = REJECT, 2095 .errstr = "R0 invalid mem access 'inv'", 2096 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2097 }, 2098 { 2099 "raw_stack: skb_load_bytes, spilled regs corruption 2", 2100 .insns = { 2101 BPF_MOV64_IMM(BPF_REG_2, 4), 2102 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2106 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2107 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2108 BPF_MOV64_IMM(BPF_REG_4, 8), 2109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2110 BPF_FUNC_skb_load_bytes), 2111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2112 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2113 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2115 offsetof(struct __sk_buff, mark)), 2116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2117 offsetof(struct __sk_buff, priority)), 2118 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 2120 offsetof(struct __sk_buff, pkt_type)), 2121 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2122 BPF_EXIT_INSN(), 2123 }, 2124 .result = REJECT, 2125 .errstr = "R3 invalid mem access 'inv'", 2126 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2127 }, 2128 { 2129 "raw_stack: skb_load_bytes, spilled regs + data", 2130 .insns = { 2131 BPF_MOV64_IMM(BPF_REG_2, 4), 2132 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 2134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 2135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2136 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 2137 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2138 BPF_MOV64_IMM(BPF_REG_4, 8), 2139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2140 BPF_FUNC_skb_load_bytes), 2141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 2142 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 2143 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 2144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 2145 offsetof(struct __sk_buff, mark)), 2146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 2147 offsetof(struct __sk_buff, priority)), 2148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 2149 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 2150 BPF_EXIT_INSN(), 2151 }, 2152 .result = ACCEPT, 2153 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2154 }, 2155 { 2156 "raw_stack: skb_load_bytes, invalid access 1", 2157 .insns = { 2158 BPF_MOV64_IMM(BPF_REG_2, 4), 2159 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 2161 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2162 BPF_MOV64_IMM(BPF_REG_4, 8), 2163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2164 BPF_FUNC_skb_load_bytes), 2165 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2166 BPF_EXIT_INSN(), 2167 }, 2168 .result = REJECT, 2169 .errstr = "invalid stack type R3 off=-513 access_size=8", 2170 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2171 }, 2172 { 2173 "raw_stack: skb_load_bytes, invalid access 2", 2174 .insns = { 2175 BPF_MOV64_IMM(BPF_REG_2, 4), 2176 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2178 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2179 BPF_MOV64_IMM(BPF_REG_4, 8), 2180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2181 BPF_FUNC_skb_load_bytes), 2182 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2183 BPF_EXIT_INSN(), 2184 }, 2185 .result = REJECT, 2186 .errstr = "invalid stack type R3 off=-1 access_size=8", 2187 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2188 }, 2189 { 2190 "raw_stack: skb_load_bytes, invalid access 3", 2191 .insns = { 2192 BPF_MOV64_IMM(BPF_REG_2, 4), 2193 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 2195 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2196 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 2197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2198 BPF_FUNC_skb_load_bytes), 2199 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2200 BPF_EXIT_INSN(), 2201 }, 2202 .result = REJECT, 2203 .errstr = "invalid stack type R3 off=-1 access_size=-1", 2204 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2205 }, 2206 { 2207 "raw_stack: skb_load_bytes, invalid access 4", 2208 .insns = { 2209 BPF_MOV64_IMM(BPF_REG_2, 4), 2210 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 2212 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2213 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2215 BPF_FUNC_skb_load_bytes), 2216 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2217 BPF_EXIT_INSN(), 2218 }, 2219 .result = REJECT, 2220 .errstr = "invalid stack type R3 off=-1 access_size=2147483647", 2221 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2222 }, 2223 { 2224 "raw_stack: skb_load_bytes, invalid access 5", 2225 .insns = { 2226 BPF_MOV64_IMM(BPF_REG_2, 4), 2227 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2229 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2230 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 2231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2232 BPF_FUNC_skb_load_bytes), 2233 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2234 BPF_EXIT_INSN(), 2235 }, 2236 .result = REJECT, 2237 .errstr = "invalid stack type R3 off=-512 access_size=2147483647", 2238 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2239 }, 2240 { 2241 "raw_stack: skb_load_bytes, invalid access 6", 2242 .insns = { 2243 BPF_MOV64_IMM(BPF_REG_2, 4), 2244 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2246 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2247 BPF_MOV64_IMM(BPF_REG_4, 0), 2248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2249 BPF_FUNC_skb_load_bytes), 2250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2251 BPF_EXIT_INSN(), 2252 }, 2253 .result = REJECT, 2254 .errstr = "invalid stack type R3 off=-512 access_size=0", 2255 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2256 }, 2257 { 2258 "raw_stack: skb_load_bytes, large access", 2259 .insns = { 2260 BPF_MOV64_IMM(BPF_REG_2, 4), 2261 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 2263 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2264 BPF_MOV64_IMM(BPF_REG_4, 512), 2265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2266 BPF_FUNC_skb_load_bytes), 2267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2268 BPF_EXIT_INSN(), 2269 }, 2270 .result = ACCEPT, 2271 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2272 }, 2273 { 2274 "direct packet access: test1", 2275 .insns = { 2276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2277 offsetof(struct __sk_buff, data)), 2278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2279 offsetof(struct __sk_buff, data_end)), 2280 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2282 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2283 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2284 BPF_MOV64_IMM(BPF_REG_0, 0), 2285 BPF_EXIT_INSN(), 2286 }, 2287 .result = ACCEPT, 2288 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2289 }, 2290 { 2291 "direct packet access: test2", 2292 .insns = { 2293 BPF_MOV64_IMM(BPF_REG_0, 1), 2294 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 2295 offsetof(struct __sk_buff, data_end)), 2296 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2297 offsetof(struct __sk_buff, data)), 2298 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 2300 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 2301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 2302 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 2303 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 2304 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2305 offsetof(struct __sk_buff, data)), 2306 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 2307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 2308 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48), 2309 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48), 2310 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 2311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 2312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2313 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2314 offsetof(struct __sk_buff, data_end)), 2315 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 2316 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 2317 BPF_MOV64_IMM(BPF_REG_0, 0), 2318 BPF_EXIT_INSN(), 2319 }, 2320 .result = ACCEPT, 2321 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2322 }, 2323 { 2324 "direct packet access: test3", 2325 .insns = { 2326 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2327 offsetof(struct __sk_buff, data)), 2328 BPF_MOV64_IMM(BPF_REG_0, 0), 2329 BPF_EXIT_INSN(), 2330 }, 2331 .errstr = "invalid bpf_context access off=76", 2332 .result = REJECT, 2333 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 2334 }, 2335 { 2336 "direct packet access: test4 (write)", 2337 .insns = { 2338 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2339 offsetof(struct __sk_buff, data)), 2340 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2341 offsetof(struct __sk_buff, data_end)), 2342 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2344 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2345 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2346 BPF_MOV64_IMM(BPF_REG_0, 0), 2347 BPF_EXIT_INSN(), 2348 }, 2349 .result = ACCEPT, 2350 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2351 }, 2352 { 2353 "direct packet access: test5 (pkt_end >= reg, good access)", 2354 .insns = { 2355 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2356 offsetof(struct __sk_buff, data)), 2357 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2358 offsetof(struct __sk_buff, data_end)), 2359 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2361 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2362 BPF_MOV64_IMM(BPF_REG_0, 1), 2363 BPF_EXIT_INSN(), 2364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2365 BPF_MOV64_IMM(BPF_REG_0, 0), 2366 BPF_EXIT_INSN(), 2367 }, 2368 .result = ACCEPT, 2369 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2370 }, 2371 { 2372 "direct packet access: test6 (pkt_end >= reg, bad access)", 2373 .insns = { 2374 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2375 offsetof(struct __sk_buff, data)), 2376 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2377 offsetof(struct __sk_buff, data_end)), 2378 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2380 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2381 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2382 BPF_MOV64_IMM(BPF_REG_0, 1), 2383 BPF_EXIT_INSN(), 2384 BPF_MOV64_IMM(BPF_REG_0, 0), 2385 BPF_EXIT_INSN(), 2386 }, 2387 .errstr = "invalid access to packet", 2388 .result = REJECT, 2389 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2390 }, 2391 { 2392 "direct packet access: test7 (pkt_end >= reg, both accesses)", 2393 .insns = { 2394 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2395 offsetof(struct __sk_buff, data)), 2396 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2397 offsetof(struct __sk_buff, data_end)), 2398 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2400 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 2401 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2402 BPF_MOV64_IMM(BPF_REG_0, 1), 2403 BPF_EXIT_INSN(), 2404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2405 BPF_MOV64_IMM(BPF_REG_0, 0), 2406 BPF_EXIT_INSN(), 2407 }, 2408 .errstr = "invalid access to packet", 2409 .result = REJECT, 2410 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2411 }, 2412 { 2413 "direct packet access: test8 (double test, variant 1)", 2414 .insns = { 2415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2416 offsetof(struct __sk_buff, data)), 2417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2418 offsetof(struct __sk_buff, data_end)), 2419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2421 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 2422 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2423 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2424 BPF_MOV64_IMM(BPF_REG_0, 1), 2425 BPF_EXIT_INSN(), 2426 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2427 BPF_MOV64_IMM(BPF_REG_0, 0), 2428 BPF_EXIT_INSN(), 2429 }, 2430 .result = ACCEPT, 2431 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2432 }, 2433 { 2434 "direct packet access: test9 (double test, variant 2)", 2435 .insns = { 2436 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2437 offsetof(struct __sk_buff, data)), 2438 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2439 offsetof(struct __sk_buff, data_end)), 2440 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2442 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 2443 BPF_MOV64_IMM(BPF_REG_0, 1), 2444 BPF_EXIT_INSN(), 2445 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2446 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 2448 BPF_MOV64_IMM(BPF_REG_0, 0), 2449 BPF_EXIT_INSN(), 2450 }, 2451 .result = ACCEPT, 2452 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2453 }, 2454 { 2455 "direct packet access: test10 (write invalid)", 2456 .insns = { 2457 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2458 offsetof(struct __sk_buff, data)), 2459 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2460 offsetof(struct __sk_buff, data_end)), 2461 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2463 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 2464 BPF_MOV64_IMM(BPF_REG_0, 0), 2465 BPF_EXIT_INSN(), 2466 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2467 BPF_MOV64_IMM(BPF_REG_0, 0), 2468 BPF_EXIT_INSN(), 2469 }, 2470 .errstr = "invalid access to packet", 2471 .result = REJECT, 2472 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2473 }, 2474 { 2475 "direct packet access: test11 (shift, good access)", 2476 .insns = { 2477 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2478 offsetof(struct __sk_buff, data)), 2479 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2480 offsetof(struct __sk_buff, data_end)), 2481 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2483 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2484 BPF_MOV64_IMM(BPF_REG_3, 144), 2485 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2487 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 2488 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2489 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2490 BPF_MOV64_IMM(BPF_REG_0, 1), 2491 BPF_EXIT_INSN(), 2492 BPF_MOV64_IMM(BPF_REG_0, 0), 2493 BPF_EXIT_INSN(), 2494 }, 2495 .result = ACCEPT, 2496 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2497 }, 2498 { 2499 "direct packet access: test12 (and, good access)", 2500 .insns = { 2501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2502 offsetof(struct __sk_buff, data)), 2503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2504 offsetof(struct __sk_buff, data_end)), 2505 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2507 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2508 BPF_MOV64_IMM(BPF_REG_3, 144), 2509 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2511 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2513 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2514 BPF_MOV64_IMM(BPF_REG_0, 1), 2515 BPF_EXIT_INSN(), 2516 BPF_MOV64_IMM(BPF_REG_0, 0), 2517 BPF_EXIT_INSN(), 2518 }, 2519 .result = ACCEPT, 2520 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2521 }, 2522 { 2523 "direct packet access: test13 (branches, good access)", 2524 .insns = { 2525 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2526 offsetof(struct __sk_buff, data)), 2527 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2528 offsetof(struct __sk_buff, data_end)), 2529 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2531 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 2532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2533 offsetof(struct __sk_buff, mark)), 2534 BPF_MOV64_IMM(BPF_REG_4, 1), 2535 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 2536 BPF_MOV64_IMM(BPF_REG_3, 14), 2537 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 2538 BPF_MOV64_IMM(BPF_REG_3, 24), 2539 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 2540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 2541 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 2542 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2543 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2544 BPF_MOV64_IMM(BPF_REG_0, 1), 2545 BPF_EXIT_INSN(), 2546 BPF_MOV64_IMM(BPF_REG_0, 0), 2547 BPF_EXIT_INSN(), 2548 }, 2549 .result = ACCEPT, 2550 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2551 }, 2552 { 2553 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 2554 .insns = { 2555 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2556 offsetof(struct __sk_buff, data)), 2557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2558 offsetof(struct __sk_buff, data_end)), 2559 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 2561 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 2562 BPF_MOV64_IMM(BPF_REG_5, 12), 2563 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 2564 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 2565 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 2566 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 2567 BPF_MOV64_IMM(BPF_REG_0, 1), 2568 BPF_EXIT_INSN(), 2569 BPF_MOV64_IMM(BPF_REG_0, 0), 2570 BPF_EXIT_INSN(), 2571 }, 2572 .result = ACCEPT, 2573 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2574 }, 2575 { 2576 "direct packet access: test15 (spill with xadd)", 2577 .insns = { 2578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2579 offsetof(struct __sk_buff, data)), 2580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2581 offsetof(struct __sk_buff, data_end)), 2582 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2584 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 2585 BPF_MOV64_IMM(BPF_REG_5, 4096), 2586 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 2588 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 2589 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0), 2590 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 2591 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0), 2592 BPF_MOV64_IMM(BPF_REG_0, 0), 2593 BPF_EXIT_INSN(), 2594 }, 2595 .errstr = "R2 invalid mem access 'inv'", 2596 .result = REJECT, 2597 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2598 }, 2599 { 2600 "direct packet access: test16 (arith on data_end)", 2601 .insns = { 2602 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2603 offsetof(struct __sk_buff, data)), 2604 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2605 offsetof(struct __sk_buff, data_end)), 2606 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 2608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16), 2609 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2610 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 2611 BPF_MOV64_IMM(BPF_REG_0, 0), 2612 BPF_EXIT_INSN(), 2613 }, 2614 .errstr = "invalid access to packet", 2615 .result = REJECT, 2616 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2617 }, 2618 { 2619 "direct packet access: test17 (pruning, alignment)", 2620 .insns = { 2621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2622 offsetof(struct __sk_buff, data)), 2623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2624 offsetof(struct __sk_buff, data_end)), 2625 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2626 offsetof(struct __sk_buff, mark)), 2627 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 2628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14), 2629 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4), 2630 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 2631 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4), 2632 BPF_MOV64_IMM(BPF_REG_0, 0), 2633 BPF_EXIT_INSN(), 2634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1), 2635 BPF_JMP_A(-6), 2636 }, 2637 .errstr = "misaligned packet access off 2+15+-4 size 4", 2638 .result = REJECT, 2639 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2640 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2641 }, 2642 { 2643 "helper access to packet: test1, valid packet_ptr range", 2644 .insns = { 2645 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2646 offsetof(struct xdp_md, data)), 2647 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2648 offsetof(struct xdp_md, data_end)), 2649 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2651 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2652 BPF_LD_MAP_FD(BPF_REG_1, 0), 2653 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2654 BPF_MOV64_IMM(BPF_REG_4, 0), 2655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2656 BPF_FUNC_map_update_elem), 2657 BPF_MOV64_IMM(BPF_REG_0, 0), 2658 BPF_EXIT_INSN(), 2659 }, 2660 .fixup_map1 = { 5 }, 2661 .result_unpriv = ACCEPT, 2662 .result = ACCEPT, 2663 .prog_type = BPF_PROG_TYPE_XDP, 2664 }, 2665 { 2666 "helper access to packet: test2, unchecked packet_ptr", 2667 .insns = { 2668 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2669 offsetof(struct xdp_md, data)), 2670 BPF_LD_MAP_FD(BPF_REG_1, 0), 2671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2672 BPF_FUNC_map_lookup_elem), 2673 BPF_MOV64_IMM(BPF_REG_0, 0), 2674 BPF_EXIT_INSN(), 2675 }, 2676 .fixup_map1 = { 1 }, 2677 .result = REJECT, 2678 .errstr = "invalid access to packet", 2679 .prog_type = BPF_PROG_TYPE_XDP, 2680 }, 2681 { 2682 "helper access to packet: test3, variable add", 2683 .insns = { 2684 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2685 offsetof(struct xdp_md, data)), 2686 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2687 offsetof(struct xdp_md, data_end)), 2688 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2690 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2691 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2692 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2693 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2694 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2696 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2697 BPF_LD_MAP_FD(BPF_REG_1, 0), 2698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2699 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2700 BPF_FUNC_map_lookup_elem), 2701 BPF_MOV64_IMM(BPF_REG_0, 0), 2702 BPF_EXIT_INSN(), 2703 }, 2704 .fixup_map1 = { 11 }, 2705 .result = ACCEPT, 2706 .prog_type = BPF_PROG_TYPE_XDP, 2707 }, 2708 { 2709 "helper access to packet: test4, packet_ptr with bad range", 2710 .insns = { 2711 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2712 offsetof(struct xdp_md, data)), 2713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2714 offsetof(struct xdp_md, data_end)), 2715 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2717 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2718 BPF_MOV64_IMM(BPF_REG_0, 0), 2719 BPF_EXIT_INSN(), 2720 BPF_LD_MAP_FD(BPF_REG_1, 0), 2721 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2722 BPF_FUNC_map_lookup_elem), 2723 BPF_MOV64_IMM(BPF_REG_0, 0), 2724 BPF_EXIT_INSN(), 2725 }, 2726 .fixup_map1 = { 7 }, 2727 .result = REJECT, 2728 .errstr = "invalid access to packet", 2729 .prog_type = BPF_PROG_TYPE_XDP, 2730 }, 2731 { 2732 "helper access to packet: test5, packet_ptr with too short range", 2733 .insns = { 2734 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2735 offsetof(struct xdp_md, data)), 2736 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2737 offsetof(struct xdp_md, data_end)), 2738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2739 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2741 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2742 BPF_LD_MAP_FD(BPF_REG_1, 0), 2743 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2744 BPF_FUNC_map_lookup_elem), 2745 BPF_MOV64_IMM(BPF_REG_0, 0), 2746 BPF_EXIT_INSN(), 2747 }, 2748 .fixup_map1 = { 6 }, 2749 .result = REJECT, 2750 .errstr = "invalid access to packet", 2751 .prog_type = BPF_PROG_TYPE_XDP, 2752 }, 2753 { 2754 "helper access to packet: test6, cls valid packet_ptr range", 2755 .insns = { 2756 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2757 offsetof(struct __sk_buff, data)), 2758 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2759 offsetof(struct __sk_buff, data_end)), 2760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 2761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2762 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 2763 BPF_LD_MAP_FD(BPF_REG_1, 0), 2764 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2765 BPF_MOV64_IMM(BPF_REG_4, 0), 2766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2767 BPF_FUNC_map_update_elem), 2768 BPF_MOV64_IMM(BPF_REG_0, 0), 2769 BPF_EXIT_INSN(), 2770 }, 2771 .fixup_map1 = { 5 }, 2772 .result = ACCEPT, 2773 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2774 }, 2775 { 2776 "helper access to packet: test7, cls unchecked packet_ptr", 2777 .insns = { 2778 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2779 offsetof(struct __sk_buff, data)), 2780 BPF_LD_MAP_FD(BPF_REG_1, 0), 2781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2782 BPF_FUNC_map_lookup_elem), 2783 BPF_MOV64_IMM(BPF_REG_0, 0), 2784 BPF_EXIT_INSN(), 2785 }, 2786 .fixup_map1 = { 1 }, 2787 .result = REJECT, 2788 .errstr = "invalid access to packet", 2789 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2790 }, 2791 { 2792 "helper access to packet: test8, cls variable add", 2793 .insns = { 2794 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2795 offsetof(struct __sk_buff, data)), 2796 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2797 offsetof(struct __sk_buff, data_end)), 2798 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 2800 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 2801 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 2802 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2803 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 2804 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 2805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 2806 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 2807 BPF_LD_MAP_FD(BPF_REG_1, 0), 2808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 2809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2810 BPF_FUNC_map_lookup_elem), 2811 BPF_MOV64_IMM(BPF_REG_0, 0), 2812 BPF_EXIT_INSN(), 2813 }, 2814 .fixup_map1 = { 11 }, 2815 .result = ACCEPT, 2816 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2817 }, 2818 { 2819 "helper access to packet: test9, cls packet_ptr with bad range", 2820 .insns = { 2821 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2822 offsetof(struct __sk_buff, data)), 2823 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2824 offsetof(struct __sk_buff, data_end)), 2825 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 2827 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 2828 BPF_MOV64_IMM(BPF_REG_0, 0), 2829 BPF_EXIT_INSN(), 2830 BPF_LD_MAP_FD(BPF_REG_1, 0), 2831 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2832 BPF_FUNC_map_lookup_elem), 2833 BPF_MOV64_IMM(BPF_REG_0, 0), 2834 BPF_EXIT_INSN(), 2835 }, 2836 .fixup_map1 = { 7 }, 2837 .result = REJECT, 2838 .errstr = "invalid access to packet", 2839 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2840 }, 2841 { 2842 "helper access to packet: test10, cls packet_ptr with too short range", 2843 .insns = { 2844 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 2845 offsetof(struct __sk_buff, data)), 2846 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 2847 offsetof(struct __sk_buff, data_end)), 2848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 2849 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 2851 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 2852 BPF_LD_MAP_FD(BPF_REG_1, 0), 2853 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2854 BPF_FUNC_map_lookup_elem), 2855 BPF_MOV64_IMM(BPF_REG_0, 0), 2856 BPF_EXIT_INSN(), 2857 }, 2858 .fixup_map1 = { 6 }, 2859 .result = REJECT, 2860 .errstr = "invalid access to packet", 2861 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2862 }, 2863 { 2864 "helper access to packet: test11, cls unsuitable helper 1", 2865 .insns = { 2866 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2867 offsetof(struct __sk_buff, data)), 2868 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2869 offsetof(struct __sk_buff, data_end)), 2870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2871 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 2873 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 2874 BPF_MOV64_IMM(BPF_REG_2, 0), 2875 BPF_MOV64_IMM(BPF_REG_4, 42), 2876 BPF_MOV64_IMM(BPF_REG_5, 0), 2877 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2878 BPF_FUNC_skb_store_bytes), 2879 BPF_MOV64_IMM(BPF_REG_0, 0), 2880 BPF_EXIT_INSN(), 2881 }, 2882 .result = REJECT, 2883 .errstr = "helper access to the packet", 2884 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2885 }, 2886 { 2887 "helper access to packet: test12, cls unsuitable helper 2", 2888 .insns = { 2889 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2890 offsetof(struct __sk_buff, data)), 2891 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2892 offsetof(struct __sk_buff, data_end)), 2893 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 2895 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 2896 BPF_MOV64_IMM(BPF_REG_2, 0), 2897 BPF_MOV64_IMM(BPF_REG_4, 4), 2898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2899 BPF_FUNC_skb_load_bytes), 2900 BPF_MOV64_IMM(BPF_REG_0, 0), 2901 BPF_EXIT_INSN(), 2902 }, 2903 .result = REJECT, 2904 .errstr = "helper access to the packet", 2905 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2906 }, 2907 { 2908 "helper access to packet: test13, cls helper ok", 2909 .insns = { 2910 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2911 offsetof(struct __sk_buff, data)), 2912 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2913 offsetof(struct __sk_buff, data_end)), 2914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2917 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2918 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2919 BPF_MOV64_IMM(BPF_REG_2, 4), 2920 BPF_MOV64_IMM(BPF_REG_3, 0), 2921 BPF_MOV64_IMM(BPF_REG_4, 0), 2922 BPF_MOV64_IMM(BPF_REG_5, 0), 2923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2924 BPF_FUNC_csum_diff), 2925 BPF_MOV64_IMM(BPF_REG_0, 0), 2926 BPF_EXIT_INSN(), 2927 }, 2928 .result = ACCEPT, 2929 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2930 }, 2931 { 2932 "helper access to packet: test14, cls helper fail sub", 2933 .insns = { 2934 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2935 offsetof(struct __sk_buff, data)), 2936 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2937 offsetof(struct __sk_buff, data_end)), 2938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2941 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2942 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 2943 BPF_MOV64_IMM(BPF_REG_2, 4), 2944 BPF_MOV64_IMM(BPF_REG_3, 0), 2945 BPF_MOV64_IMM(BPF_REG_4, 0), 2946 BPF_MOV64_IMM(BPF_REG_5, 0), 2947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2948 BPF_FUNC_csum_diff), 2949 BPF_MOV64_IMM(BPF_REG_0, 0), 2950 BPF_EXIT_INSN(), 2951 }, 2952 .result = REJECT, 2953 .errstr = "type=inv expected=fp", 2954 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2955 }, 2956 { 2957 "helper access to packet: test15, cls helper fail range 1", 2958 .insns = { 2959 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2960 offsetof(struct __sk_buff, data)), 2961 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2962 offsetof(struct __sk_buff, data_end)), 2963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2964 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2966 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2968 BPF_MOV64_IMM(BPF_REG_2, 8), 2969 BPF_MOV64_IMM(BPF_REG_3, 0), 2970 BPF_MOV64_IMM(BPF_REG_4, 0), 2971 BPF_MOV64_IMM(BPF_REG_5, 0), 2972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2973 BPF_FUNC_csum_diff), 2974 BPF_MOV64_IMM(BPF_REG_0, 0), 2975 BPF_EXIT_INSN(), 2976 }, 2977 .result = REJECT, 2978 .errstr = "invalid access to packet", 2979 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2980 }, 2981 { 2982 "helper access to packet: test16, cls helper fail range 2", 2983 .insns = { 2984 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 2985 offsetof(struct __sk_buff, data)), 2986 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 2987 offsetof(struct __sk_buff, data_end)), 2988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 2989 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 2991 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 2992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 2993 BPF_MOV64_IMM(BPF_REG_2, -9), 2994 BPF_MOV64_IMM(BPF_REG_3, 0), 2995 BPF_MOV64_IMM(BPF_REG_4, 0), 2996 BPF_MOV64_IMM(BPF_REG_5, 0), 2997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2998 BPF_FUNC_csum_diff), 2999 BPF_MOV64_IMM(BPF_REG_0, 0), 3000 BPF_EXIT_INSN(), 3001 }, 3002 .result = REJECT, 3003 .errstr = "invalid access to packet", 3004 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3005 }, 3006 { 3007 "helper access to packet: test17, cls helper fail range 3", 3008 .insns = { 3009 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3010 offsetof(struct __sk_buff, data)), 3011 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3012 offsetof(struct __sk_buff, data_end)), 3013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3016 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3018 BPF_MOV64_IMM(BPF_REG_2, ~0), 3019 BPF_MOV64_IMM(BPF_REG_3, 0), 3020 BPF_MOV64_IMM(BPF_REG_4, 0), 3021 BPF_MOV64_IMM(BPF_REG_5, 0), 3022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3023 BPF_FUNC_csum_diff), 3024 BPF_MOV64_IMM(BPF_REG_0, 0), 3025 BPF_EXIT_INSN(), 3026 }, 3027 .result = REJECT, 3028 .errstr = "invalid access to packet", 3029 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3030 }, 3031 { 3032 "helper access to packet: test18, cls helper fail range zero", 3033 .insns = { 3034 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3035 offsetof(struct __sk_buff, data)), 3036 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3037 offsetof(struct __sk_buff, data_end)), 3038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3039 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3041 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3042 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3043 BPF_MOV64_IMM(BPF_REG_2, 0), 3044 BPF_MOV64_IMM(BPF_REG_3, 0), 3045 BPF_MOV64_IMM(BPF_REG_4, 0), 3046 BPF_MOV64_IMM(BPF_REG_5, 0), 3047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3048 BPF_FUNC_csum_diff), 3049 BPF_MOV64_IMM(BPF_REG_0, 0), 3050 BPF_EXIT_INSN(), 3051 }, 3052 .result = REJECT, 3053 .errstr = "invalid access to packet", 3054 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3055 }, 3056 { 3057 "helper access to packet: test19, pkt end as input", 3058 .insns = { 3059 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3060 offsetof(struct __sk_buff, data)), 3061 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3062 offsetof(struct __sk_buff, data_end)), 3063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3066 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 3068 BPF_MOV64_IMM(BPF_REG_2, 4), 3069 BPF_MOV64_IMM(BPF_REG_3, 0), 3070 BPF_MOV64_IMM(BPF_REG_4, 0), 3071 BPF_MOV64_IMM(BPF_REG_5, 0), 3072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3073 BPF_FUNC_csum_diff), 3074 BPF_MOV64_IMM(BPF_REG_0, 0), 3075 BPF_EXIT_INSN(), 3076 }, 3077 .result = REJECT, 3078 .errstr = "R1 type=pkt_end expected=fp", 3079 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3080 }, 3081 { 3082 "helper access to packet: test20, wrong reg", 3083 .insns = { 3084 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 3085 offsetof(struct __sk_buff, data)), 3086 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3087 offsetof(struct __sk_buff, data_end)), 3088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 3089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 3090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 3091 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 3092 BPF_MOV64_IMM(BPF_REG_2, 4), 3093 BPF_MOV64_IMM(BPF_REG_3, 0), 3094 BPF_MOV64_IMM(BPF_REG_4, 0), 3095 BPF_MOV64_IMM(BPF_REG_5, 0), 3096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3097 BPF_FUNC_csum_diff), 3098 BPF_MOV64_IMM(BPF_REG_0, 0), 3099 BPF_EXIT_INSN(), 3100 }, 3101 .result = REJECT, 3102 .errstr = "invalid access to packet", 3103 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3104 }, 3105 { 3106 "valid map access into an array with a constant", 3107 .insns = { 3108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3111 BPF_LD_MAP_FD(BPF_REG_1, 0), 3112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3113 BPF_FUNC_map_lookup_elem), 3114 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3115 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3116 offsetof(struct test_val, foo)), 3117 BPF_EXIT_INSN(), 3118 }, 3119 .fixup_map2 = { 3 }, 3120 .errstr_unpriv = "R0 leaks addr", 3121 .result_unpriv = REJECT, 3122 .result = ACCEPT, 3123 }, 3124 { 3125 "valid map access into an array with a register", 3126 .insns = { 3127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3130 BPF_LD_MAP_FD(BPF_REG_1, 0), 3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3132 BPF_FUNC_map_lookup_elem), 3133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3134 BPF_MOV64_IMM(BPF_REG_1, 4), 3135 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3136 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3137 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3138 offsetof(struct test_val, foo)), 3139 BPF_EXIT_INSN(), 3140 }, 3141 .fixup_map2 = { 3 }, 3142 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3143 .result_unpriv = REJECT, 3144 .result = ACCEPT, 3145 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3146 }, 3147 { 3148 "valid map access into an array with a variable", 3149 .insns = { 3150 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3153 BPF_LD_MAP_FD(BPF_REG_1, 0), 3154 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3155 BPF_FUNC_map_lookup_elem), 3156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3157 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3158 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 3159 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3160 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3161 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3162 offsetof(struct test_val, foo)), 3163 BPF_EXIT_INSN(), 3164 }, 3165 .fixup_map2 = { 3 }, 3166 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3167 .result_unpriv = REJECT, 3168 .result = ACCEPT, 3169 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3170 }, 3171 { 3172 "valid map access into an array with a signed variable", 3173 .insns = { 3174 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3175 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3177 BPF_LD_MAP_FD(BPF_REG_1, 0), 3178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3179 BPF_FUNC_map_lookup_elem), 3180 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 3181 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3182 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 3183 BPF_MOV32_IMM(BPF_REG_1, 0), 3184 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3185 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3186 BPF_MOV32_IMM(BPF_REG_1, 0), 3187 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3188 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3189 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3190 offsetof(struct test_val, foo)), 3191 BPF_EXIT_INSN(), 3192 }, 3193 .fixup_map2 = { 3 }, 3194 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3195 .result_unpriv = REJECT, 3196 .result = ACCEPT, 3197 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3198 }, 3199 { 3200 "invalid map access into an array with a constant", 3201 .insns = { 3202 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3205 BPF_LD_MAP_FD(BPF_REG_1, 0), 3206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3207 BPF_FUNC_map_lookup_elem), 3208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3209 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 3210 offsetof(struct test_val, foo)), 3211 BPF_EXIT_INSN(), 3212 }, 3213 .fixup_map2 = { 3 }, 3214 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 3215 .result = REJECT, 3216 }, 3217 { 3218 "invalid map access into an array with a register", 3219 .insns = { 3220 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3221 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3223 BPF_LD_MAP_FD(BPF_REG_1, 0), 3224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3225 BPF_FUNC_map_lookup_elem), 3226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3227 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 3228 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3229 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3230 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3231 offsetof(struct test_val, foo)), 3232 BPF_EXIT_INSN(), 3233 }, 3234 .fixup_map2 = { 3 }, 3235 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3236 .errstr = "R0 min value is outside of the array range", 3237 .result_unpriv = REJECT, 3238 .result = REJECT, 3239 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3240 }, 3241 { 3242 "invalid map access into an array with a variable", 3243 .insns = { 3244 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3245 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3247 BPF_LD_MAP_FD(BPF_REG_1, 0), 3248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3249 BPF_FUNC_map_lookup_elem), 3250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3251 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3252 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3253 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3254 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3255 offsetof(struct test_val, foo)), 3256 BPF_EXIT_INSN(), 3257 }, 3258 .fixup_map2 = { 3 }, 3259 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3260 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3261 .result_unpriv = REJECT, 3262 .result = REJECT, 3263 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3264 }, 3265 { 3266 "invalid map access into an array with no floor check", 3267 .insns = { 3268 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3271 BPF_LD_MAP_FD(BPF_REG_1, 0), 3272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3273 BPF_FUNC_map_lookup_elem), 3274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3275 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3276 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 3277 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 3278 BPF_MOV32_IMM(BPF_REG_1, 0), 3279 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3280 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3281 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3282 offsetof(struct test_val, foo)), 3283 BPF_EXIT_INSN(), 3284 }, 3285 .fixup_map2 = { 3 }, 3286 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3287 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3288 .result_unpriv = REJECT, 3289 .result = REJECT, 3290 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3291 }, 3292 { 3293 "invalid map access into an array with a invalid max check", 3294 .insns = { 3295 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3298 BPF_LD_MAP_FD(BPF_REG_1, 0), 3299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3300 BPF_FUNC_map_lookup_elem), 3301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 3302 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3303 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 3304 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3305 BPF_MOV32_IMM(BPF_REG_1, 0), 3306 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 3307 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3308 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 3309 offsetof(struct test_val, foo)), 3310 BPF_EXIT_INSN(), 3311 }, 3312 .fixup_map2 = { 3 }, 3313 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3314 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 3315 .result_unpriv = REJECT, 3316 .result = REJECT, 3317 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3318 }, 3319 { 3320 "invalid map access into an array with a invalid max check", 3321 .insns = { 3322 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3325 BPF_LD_MAP_FD(BPF_REG_1, 0), 3326 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3327 BPF_FUNC_map_lookup_elem), 3328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 3329 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 3330 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3331 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3333 BPF_LD_MAP_FD(BPF_REG_1, 0), 3334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3335 BPF_FUNC_map_lookup_elem), 3336 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 3337 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 3338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3339 offsetof(struct test_val, foo)), 3340 BPF_EXIT_INSN(), 3341 }, 3342 .fixup_map2 = { 3, 11 }, 3343 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3344 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 3345 .result_unpriv = REJECT, 3346 .result = REJECT, 3347 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3348 }, 3349 { 3350 "multiple registers share map_lookup_elem result", 3351 .insns = { 3352 BPF_MOV64_IMM(BPF_REG_1, 10), 3353 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3354 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3356 BPF_LD_MAP_FD(BPF_REG_1, 0), 3357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3358 BPF_FUNC_map_lookup_elem), 3359 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3361 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3362 BPF_EXIT_INSN(), 3363 }, 3364 .fixup_map1 = { 4 }, 3365 .result = ACCEPT, 3366 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3367 }, 3368 { 3369 "alu ops on ptr_to_map_value_or_null, 1", 3370 .insns = { 3371 BPF_MOV64_IMM(BPF_REG_1, 10), 3372 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3373 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3375 BPF_LD_MAP_FD(BPF_REG_1, 0), 3376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3377 BPF_FUNC_map_lookup_elem), 3378 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2), 3380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2), 3381 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3382 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3383 BPF_EXIT_INSN(), 3384 }, 3385 .fixup_map1 = { 4 }, 3386 .errstr = "R4 invalid mem access", 3387 .result = REJECT, 3388 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3389 }, 3390 { 3391 "alu ops on ptr_to_map_value_or_null, 2", 3392 .insns = { 3393 BPF_MOV64_IMM(BPF_REG_1, 10), 3394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3397 BPF_LD_MAP_FD(BPF_REG_1, 0), 3398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3399 BPF_FUNC_map_lookup_elem), 3400 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3401 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1), 3402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3403 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3404 BPF_EXIT_INSN(), 3405 }, 3406 .fixup_map1 = { 4 }, 3407 .errstr = "R4 invalid mem access", 3408 .result = REJECT, 3409 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3410 }, 3411 { 3412 "alu ops on ptr_to_map_value_or_null, 3", 3413 .insns = { 3414 BPF_MOV64_IMM(BPF_REG_1, 10), 3415 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3416 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3418 BPF_LD_MAP_FD(BPF_REG_1, 0), 3419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3420 BPF_FUNC_map_lookup_elem), 3421 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3422 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1), 3423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3424 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3425 BPF_EXIT_INSN(), 3426 }, 3427 .fixup_map1 = { 4 }, 3428 .errstr = "R4 invalid mem access", 3429 .result = REJECT, 3430 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3431 }, 3432 { 3433 "invalid memory access with multiple map_lookup_elem calls", 3434 .insns = { 3435 BPF_MOV64_IMM(BPF_REG_1, 10), 3436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3437 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3439 BPF_LD_MAP_FD(BPF_REG_1, 0), 3440 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3441 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3443 BPF_FUNC_map_lookup_elem), 3444 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3445 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3447 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3448 BPF_FUNC_map_lookup_elem), 3449 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3450 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3451 BPF_EXIT_INSN(), 3452 }, 3453 .fixup_map1 = { 4 }, 3454 .result = REJECT, 3455 .errstr = "R4 !read_ok", 3456 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3457 }, 3458 { 3459 "valid indirect map_lookup_elem access with 2nd lookup in branch", 3460 .insns = { 3461 BPF_MOV64_IMM(BPF_REG_1, 10), 3462 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3465 BPF_LD_MAP_FD(BPF_REG_1, 0), 3466 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 3467 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 3468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3469 BPF_FUNC_map_lookup_elem), 3470 BPF_MOV64_IMM(BPF_REG_2, 10), 3471 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 3472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 3473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 3474 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3475 BPF_FUNC_map_lookup_elem), 3476 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3478 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 3479 BPF_EXIT_INSN(), 3480 }, 3481 .fixup_map1 = { 4 }, 3482 .result = ACCEPT, 3483 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3484 }, 3485 { 3486 "multiple registers share map_lookup_elem bad reg type", 3487 .insns = { 3488 BPF_MOV64_IMM(BPF_REG_1, 10), 3489 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 3490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3492 BPF_LD_MAP_FD(BPF_REG_1, 0), 3493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3494 BPF_FUNC_map_lookup_elem), 3495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 3496 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 3497 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3498 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3499 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3500 BPF_MOV64_IMM(BPF_REG_1, 1), 3501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 3502 BPF_MOV64_IMM(BPF_REG_1, 2), 3503 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1), 3504 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0), 3505 BPF_MOV64_IMM(BPF_REG_1, 3), 3506 BPF_EXIT_INSN(), 3507 }, 3508 .fixup_map1 = { 4 }, 3509 .result = REJECT, 3510 .errstr = "R3 invalid mem access 'inv'", 3511 .prog_type = BPF_PROG_TYPE_SCHED_CLS 3512 }, 3513 { 3514 "invalid map access from else condition", 3515 .insns = { 3516 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3519 BPF_LD_MAP_FD(BPF_REG_1, 0), 3520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3522 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 3523 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 3524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 3525 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 3526 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3527 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 3528 BPF_EXIT_INSN(), 3529 }, 3530 .fixup_map2 = { 3 }, 3531 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 3532 .result = REJECT, 3533 .errstr_unpriv = "R0 pointer arithmetic prohibited", 3534 .result_unpriv = REJECT, 3535 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 3536 }, 3537 { 3538 "constant register |= constant should keep constant type", 3539 .insns = { 3540 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3542 BPF_MOV64_IMM(BPF_REG_2, 34), 3543 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 3544 BPF_MOV64_IMM(BPF_REG_3, 0), 3545 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3546 BPF_EXIT_INSN(), 3547 }, 3548 .result = ACCEPT, 3549 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3550 }, 3551 { 3552 "constant register |= constant should not bypass stack boundary checks", 3553 .insns = { 3554 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3556 BPF_MOV64_IMM(BPF_REG_2, 34), 3557 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 3558 BPF_MOV64_IMM(BPF_REG_3, 0), 3559 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3560 BPF_EXIT_INSN(), 3561 }, 3562 .errstr = "invalid stack type R1 off=-48 access_size=58", 3563 .result = REJECT, 3564 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3565 }, 3566 { 3567 "constant register |= constant register should keep constant type", 3568 .insns = { 3569 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3571 BPF_MOV64_IMM(BPF_REG_2, 34), 3572 BPF_MOV64_IMM(BPF_REG_4, 13), 3573 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3574 BPF_MOV64_IMM(BPF_REG_3, 0), 3575 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3576 BPF_EXIT_INSN(), 3577 }, 3578 .result = ACCEPT, 3579 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3580 }, 3581 { 3582 "constant register |= constant register should not bypass stack boundary checks", 3583 .insns = { 3584 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 3585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 3586 BPF_MOV64_IMM(BPF_REG_2, 34), 3587 BPF_MOV64_IMM(BPF_REG_4, 24), 3588 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 3589 BPF_MOV64_IMM(BPF_REG_3, 0), 3590 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3591 BPF_EXIT_INSN(), 3592 }, 3593 .errstr = "invalid stack type R1 off=-48 access_size=58", 3594 .result = REJECT, 3595 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3596 }, 3597 { 3598 "invalid direct packet write for LWT_IN", 3599 .insns = { 3600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3601 offsetof(struct __sk_buff, data)), 3602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3603 offsetof(struct __sk_buff, data_end)), 3604 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3606 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3607 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3608 BPF_MOV64_IMM(BPF_REG_0, 0), 3609 BPF_EXIT_INSN(), 3610 }, 3611 .errstr = "cannot write into packet", 3612 .result = REJECT, 3613 .prog_type = BPF_PROG_TYPE_LWT_IN, 3614 }, 3615 { 3616 "invalid direct packet write for LWT_OUT", 3617 .insns = { 3618 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3619 offsetof(struct __sk_buff, data)), 3620 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3621 offsetof(struct __sk_buff, data_end)), 3622 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3624 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3625 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3626 BPF_MOV64_IMM(BPF_REG_0, 0), 3627 BPF_EXIT_INSN(), 3628 }, 3629 .errstr = "cannot write into packet", 3630 .result = REJECT, 3631 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3632 }, 3633 { 3634 "direct packet write for LWT_XMIT", 3635 .insns = { 3636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3637 offsetof(struct __sk_buff, data)), 3638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3639 offsetof(struct __sk_buff, data_end)), 3640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3642 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3643 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3644 BPF_MOV64_IMM(BPF_REG_0, 0), 3645 BPF_EXIT_INSN(), 3646 }, 3647 .result = ACCEPT, 3648 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3649 }, 3650 { 3651 "direct packet read for LWT_IN", 3652 .insns = { 3653 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3654 offsetof(struct __sk_buff, data)), 3655 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3656 offsetof(struct __sk_buff, data_end)), 3657 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3659 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3660 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3661 BPF_MOV64_IMM(BPF_REG_0, 0), 3662 BPF_EXIT_INSN(), 3663 }, 3664 .result = ACCEPT, 3665 .prog_type = BPF_PROG_TYPE_LWT_IN, 3666 }, 3667 { 3668 "direct packet read for LWT_OUT", 3669 .insns = { 3670 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3671 offsetof(struct __sk_buff, data)), 3672 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3673 offsetof(struct __sk_buff, data_end)), 3674 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3676 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3677 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3678 BPF_MOV64_IMM(BPF_REG_0, 0), 3679 BPF_EXIT_INSN(), 3680 }, 3681 .result = ACCEPT, 3682 .prog_type = BPF_PROG_TYPE_LWT_OUT, 3683 }, 3684 { 3685 "direct packet read for LWT_XMIT", 3686 .insns = { 3687 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3688 offsetof(struct __sk_buff, data)), 3689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3690 offsetof(struct __sk_buff, data_end)), 3691 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3693 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3694 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3695 BPF_MOV64_IMM(BPF_REG_0, 0), 3696 BPF_EXIT_INSN(), 3697 }, 3698 .result = ACCEPT, 3699 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3700 }, 3701 { 3702 "overlapping checks for direct packet access", 3703 .insns = { 3704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3705 offsetof(struct __sk_buff, data)), 3706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3707 offsetof(struct __sk_buff, data_end)), 3708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 3711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 3713 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 3714 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 3715 BPF_MOV64_IMM(BPF_REG_0, 0), 3716 BPF_EXIT_INSN(), 3717 }, 3718 .result = ACCEPT, 3719 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 3720 }, 3721 { 3722 "invalid access of tc_classid for LWT_IN", 3723 .insns = { 3724 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3725 offsetof(struct __sk_buff, tc_classid)), 3726 BPF_EXIT_INSN(), 3727 }, 3728 .result = REJECT, 3729 .errstr = "invalid bpf_context access", 3730 }, 3731 { 3732 "invalid access of tc_classid for LWT_OUT", 3733 .insns = { 3734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3735 offsetof(struct __sk_buff, tc_classid)), 3736 BPF_EXIT_INSN(), 3737 }, 3738 .result = REJECT, 3739 .errstr = "invalid bpf_context access", 3740 }, 3741 { 3742 "invalid access of tc_classid for LWT_XMIT", 3743 .insns = { 3744 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 3745 offsetof(struct __sk_buff, tc_classid)), 3746 BPF_EXIT_INSN(), 3747 }, 3748 .result = REJECT, 3749 .errstr = "invalid bpf_context access", 3750 }, 3751 { 3752 "helper access to map: full range", 3753 .insns = { 3754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3756 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3757 BPF_LD_MAP_FD(BPF_REG_1, 0), 3758 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3761 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 3762 BPF_MOV64_IMM(BPF_REG_3, 0), 3763 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3764 BPF_EXIT_INSN(), 3765 }, 3766 .fixup_map2 = { 3 }, 3767 .result = ACCEPT, 3768 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3769 }, 3770 { 3771 "helper access to map: partial range", 3772 .insns = { 3773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3775 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3776 BPF_LD_MAP_FD(BPF_REG_1, 0), 3777 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3780 BPF_MOV64_IMM(BPF_REG_2, 8), 3781 BPF_MOV64_IMM(BPF_REG_3, 0), 3782 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3783 BPF_EXIT_INSN(), 3784 }, 3785 .fixup_map2 = { 3 }, 3786 .result = ACCEPT, 3787 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3788 }, 3789 { 3790 "helper access to map: empty range", 3791 .insns = { 3792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3794 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3795 BPF_LD_MAP_FD(BPF_REG_1, 0), 3796 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3799 BPF_MOV64_IMM(BPF_REG_2, 0), 3800 BPF_MOV64_IMM(BPF_REG_3, 0), 3801 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3802 BPF_EXIT_INSN(), 3803 }, 3804 .fixup_map2 = { 3 }, 3805 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 3806 .result = REJECT, 3807 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3808 }, 3809 { 3810 "helper access to map: out-of-bound range", 3811 .insns = { 3812 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3814 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3815 BPF_LD_MAP_FD(BPF_REG_1, 0), 3816 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3819 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 3820 BPF_MOV64_IMM(BPF_REG_3, 0), 3821 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3822 BPF_EXIT_INSN(), 3823 }, 3824 .fixup_map2 = { 3 }, 3825 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 3826 .result = REJECT, 3827 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3828 }, 3829 { 3830 "helper access to map: negative range", 3831 .insns = { 3832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3834 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3835 BPF_LD_MAP_FD(BPF_REG_1, 0), 3836 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3837 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 3838 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3839 BPF_MOV64_IMM(BPF_REG_2, -8), 3840 BPF_MOV64_IMM(BPF_REG_3, 0), 3841 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3842 BPF_EXIT_INSN(), 3843 }, 3844 .fixup_map2 = { 3 }, 3845 .errstr = "invalid access to map value, value_size=48 off=0 size=-8", 3846 .result = REJECT, 3847 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3848 }, 3849 { 3850 "helper access to adjusted map (via const imm): full range", 3851 .insns = { 3852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3854 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3855 BPF_LD_MAP_FD(BPF_REG_1, 0), 3856 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3858 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3860 offsetof(struct test_val, foo)), 3861 BPF_MOV64_IMM(BPF_REG_2, 3862 sizeof(struct test_val) - 3863 offsetof(struct test_val, foo)), 3864 BPF_MOV64_IMM(BPF_REG_3, 0), 3865 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3866 BPF_EXIT_INSN(), 3867 }, 3868 .fixup_map2 = { 3 }, 3869 .result = ACCEPT, 3870 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3871 }, 3872 { 3873 "helper access to adjusted map (via const imm): partial range", 3874 .insns = { 3875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3877 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3878 BPF_LD_MAP_FD(BPF_REG_1, 0), 3879 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3883 offsetof(struct test_val, foo)), 3884 BPF_MOV64_IMM(BPF_REG_2, 8), 3885 BPF_MOV64_IMM(BPF_REG_3, 0), 3886 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3887 BPF_EXIT_INSN(), 3888 }, 3889 .fixup_map2 = { 3 }, 3890 .result = ACCEPT, 3891 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3892 }, 3893 { 3894 "helper access to adjusted map (via const imm): empty range", 3895 .insns = { 3896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3898 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3899 BPF_LD_MAP_FD(BPF_REG_1, 0), 3900 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3901 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3904 offsetof(struct test_val, foo)), 3905 BPF_MOV64_IMM(BPF_REG_2, 0), 3906 BPF_MOV64_IMM(BPF_REG_3, 0), 3907 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3908 BPF_EXIT_INSN(), 3909 }, 3910 .fixup_map2 = { 3 }, 3911 .errstr = "R1 min value is outside of the array range", 3912 .result = REJECT, 3913 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3914 }, 3915 { 3916 "helper access to adjusted map (via const imm): out-of-bound range", 3917 .insns = { 3918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3920 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3921 BPF_LD_MAP_FD(BPF_REG_1, 0), 3922 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3926 offsetof(struct test_val, foo)), 3927 BPF_MOV64_IMM(BPF_REG_2, 3928 sizeof(struct test_val) - 3929 offsetof(struct test_val, foo) + 8), 3930 BPF_MOV64_IMM(BPF_REG_3, 0), 3931 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3932 BPF_EXIT_INSN(), 3933 }, 3934 .fixup_map2 = { 3 }, 3935 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 3936 .result = REJECT, 3937 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3938 }, 3939 { 3940 "helper access to adjusted map (via const imm): negative range (> adjustment)", 3941 .insns = { 3942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3944 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3945 BPF_LD_MAP_FD(BPF_REG_1, 0), 3946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3950 offsetof(struct test_val, foo)), 3951 BPF_MOV64_IMM(BPF_REG_2, -8), 3952 BPF_MOV64_IMM(BPF_REG_3, 0), 3953 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3954 BPF_EXIT_INSN(), 3955 }, 3956 .fixup_map2 = { 3 }, 3957 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 3958 .result = REJECT, 3959 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3960 }, 3961 { 3962 "helper access to adjusted map (via const imm): negative range (< adjustment)", 3963 .insns = { 3964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3966 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3967 BPF_LD_MAP_FD(BPF_REG_1, 0), 3968 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3969 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3970 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 3972 offsetof(struct test_val, foo)), 3973 BPF_MOV64_IMM(BPF_REG_2, -1), 3974 BPF_MOV64_IMM(BPF_REG_3, 0), 3975 BPF_EMIT_CALL(BPF_FUNC_probe_read), 3976 BPF_EXIT_INSN(), 3977 }, 3978 .fixup_map2 = { 3 }, 3979 .errstr = "R1 min value is outside of the array range", 3980 .result = REJECT, 3981 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 3982 }, 3983 { 3984 "helper access to adjusted map (via const reg): full range", 3985 .insns = { 3986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3988 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 3989 BPF_LD_MAP_FD(BPF_REG_1, 0), 3990 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 3991 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 3993 BPF_MOV64_IMM(BPF_REG_3, 3994 offsetof(struct test_val, foo)), 3995 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 3996 BPF_MOV64_IMM(BPF_REG_2, 3997 sizeof(struct test_val) - 3998 offsetof(struct test_val, foo)), 3999 BPF_MOV64_IMM(BPF_REG_3, 0), 4000 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4001 BPF_EXIT_INSN(), 4002 }, 4003 .fixup_map2 = { 3 }, 4004 .result = ACCEPT, 4005 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4006 }, 4007 { 4008 "helper access to adjusted map (via const reg): partial range", 4009 .insns = { 4010 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4012 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4013 BPF_LD_MAP_FD(BPF_REG_1, 0), 4014 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4017 BPF_MOV64_IMM(BPF_REG_3, 4018 offsetof(struct test_val, foo)), 4019 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4020 BPF_MOV64_IMM(BPF_REG_2, 8), 4021 BPF_MOV64_IMM(BPF_REG_3, 0), 4022 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4023 BPF_EXIT_INSN(), 4024 }, 4025 .fixup_map2 = { 3 }, 4026 .result = ACCEPT, 4027 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4028 }, 4029 { 4030 "helper access to adjusted map (via const reg): empty range", 4031 .insns = { 4032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4034 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4035 BPF_LD_MAP_FD(BPF_REG_1, 0), 4036 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4037 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4039 BPF_MOV64_IMM(BPF_REG_3, 0), 4040 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4041 BPF_MOV64_IMM(BPF_REG_2, 0), 4042 BPF_MOV64_IMM(BPF_REG_3, 0), 4043 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4044 BPF_EXIT_INSN(), 4045 }, 4046 .fixup_map2 = { 3 }, 4047 .errstr = "R1 min value is outside of the array range", 4048 .result = REJECT, 4049 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4050 }, 4051 { 4052 "helper access to adjusted map (via const reg): out-of-bound range", 4053 .insns = { 4054 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4056 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4057 BPF_LD_MAP_FD(BPF_REG_1, 0), 4058 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4059 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4060 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4061 BPF_MOV64_IMM(BPF_REG_3, 4062 offsetof(struct test_val, foo)), 4063 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4064 BPF_MOV64_IMM(BPF_REG_2, 4065 sizeof(struct test_val) - 4066 offsetof(struct test_val, foo) + 8), 4067 BPF_MOV64_IMM(BPF_REG_3, 0), 4068 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4069 BPF_EXIT_INSN(), 4070 }, 4071 .fixup_map2 = { 3 }, 4072 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 4073 .result = REJECT, 4074 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4075 }, 4076 { 4077 "helper access to adjusted map (via const reg): negative range (> adjustment)", 4078 .insns = { 4079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4081 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4082 BPF_LD_MAP_FD(BPF_REG_1, 0), 4083 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4084 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4085 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4086 BPF_MOV64_IMM(BPF_REG_3, 4087 offsetof(struct test_val, foo)), 4088 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4089 BPF_MOV64_IMM(BPF_REG_2, -8), 4090 BPF_MOV64_IMM(BPF_REG_3, 0), 4091 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4092 BPF_EXIT_INSN(), 4093 }, 4094 .fixup_map2 = { 3 }, 4095 .errstr = "invalid access to map value, value_size=48 off=4 size=-8", 4096 .result = REJECT, 4097 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4098 }, 4099 { 4100 "helper access to adjusted map (via const reg): negative range (< adjustment)", 4101 .insns = { 4102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4104 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4105 BPF_LD_MAP_FD(BPF_REG_1, 0), 4106 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4108 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4109 BPF_MOV64_IMM(BPF_REG_3, 4110 offsetof(struct test_val, foo)), 4111 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4112 BPF_MOV64_IMM(BPF_REG_2, -1), 4113 BPF_MOV64_IMM(BPF_REG_3, 0), 4114 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4115 BPF_EXIT_INSN(), 4116 }, 4117 .fixup_map2 = { 3 }, 4118 .errstr = "R1 min value is outside of the array range", 4119 .result = REJECT, 4120 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4121 }, 4122 { 4123 "helper access to adjusted map (via variable): full range", 4124 .insns = { 4125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4127 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4128 BPF_LD_MAP_FD(BPF_REG_1, 0), 4129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4131 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4133 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4134 offsetof(struct test_val, foo), 4), 4135 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4136 BPF_MOV64_IMM(BPF_REG_2, 4137 sizeof(struct test_val) - 4138 offsetof(struct test_val, foo)), 4139 BPF_MOV64_IMM(BPF_REG_3, 0), 4140 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4141 BPF_EXIT_INSN(), 4142 }, 4143 .fixup_map2 = { 3 }, 4144 .result = ACCEPT, 4145 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4146 }, 4147 { 4148 "helper access to adjusted map (via variable): partial range", 4149 .insns = { 4150 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4152 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4153 BPF_LD_MAP_FD(BPF_REG_1, 0), 4154 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4155 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4156 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4157 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4158 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4159 offsetof(struct test_val, foo), 4), 4160 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4161 BPF_MOV64_IMM(BPF_REG_2, 8), 4162 BPF_MOV64_IMM(BPF_REG_3, 0), 4163 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4164 BPF_EXIT_INSN(), 4165 }, 4166 .fixup_map2 = { 3 }, 4167 .result = ACCEPT, 4168 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4169 }, 4170 { 4171 "helper access to adjusted map (via variable): empty range", 4172 .insns = { 4173 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4175 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4176 BPF_LD_MAP_FD(BPF_REG_1, 0), 4177 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4179 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4180 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4181 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4182 offsetof(struct test_val, foo), 4), 4183 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4184 BPF_MOV64_IMM(BPF_REG_2, 0), 4185 BPF_MOV64_IMM(BPF_REG_3, 0), 4186 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4187 BPF_EXIT_INSN(), 4188 }, 4189 .fixup_map2 = { 3 }, 4190 .errstr = "R1 min value is outside of the array range", 4191 .result = REJECT, 4192 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4193 }, 4194 { 4195 "helper access to adjusted map (via variable): no max check", 4196 .insns = { 4197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4199 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4200 BPF_LD_MAP_FD(BPF_REG_1, 0), 4201 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4204 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4205 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4206 BPF_MOV64_IMM(BPF_REG_2, 0), 4207 BPF_MOV64_IMM(BPF_REG_3, 0), 4208 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4209 BPF_EXIT_INSN(), 4210 }, 4211 .fixup_map2 = { 3 }, 4212 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check", 4213 .result = REJECT, 4214 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4215 }, 4216 { 4217 "helper access to adjusted map (via variable): wrong max check", 4218 .insns = { 4219 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4221 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4222 BPF_LD_MAP_FD(BPF_REG_1, 0), 4223 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4225 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4227 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4228 offsetof(struct test_val, foo), 4), 4229 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4230 BPF_MOV64_IMM(BPF_REG_2, 4231 sizeof(struct test_val) - 4232 offsetof(struct test_val, foo) + 1), 4233 BPF_MOV64_IMM(BPF_REG_3, 0), 4234 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4235 BPF_EXIT_INSN(), 4236 }, 4237 .fixup_map2 = { 3 }, 4238 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 4239 .result = REJECT, 4240 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4241 }, 4242 { 4243 "map element value is preserved across register spilling", 4244 .insns = { 4245 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4247 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4248 BPF_LD_MAP_FD(BPF_REG_1, 0), 4249 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4251 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 4254 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4255 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4256 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4257 BPF_EXIT_INSN(), 4258 }, 4259 .fixup_map2 = { 3 }, 4260 .errstr_unpriv = "R0 leaks addr", 4261 .result = ACCEPT, 4262 .result_unpriv = REJECT, 4263 }, 4264 { 4265 "map element value or null is marked on register spilling", 4266 .insns = { 4267 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4269 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4270 BPF_LD_MAP_FD(BPF_REG_1, 0), 4271 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4272 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), 4274 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4276 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4277 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4278 BPF_EXIT_INSN(), 4279 }, 4280 .fixup_map2 = { 3 }, 4281 .errstr_unpriv = "R0 leaks addr", 4282 .result = ACCEPT, 4283 .result_unpriv = REJECT, 4284 }, 4285 { 4286 "map element value store of cleared call register", 4287 .insns = { 4288 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4289 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4290 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4291 BPF_LD_MAP_FD(BPF_REG_1, 0), 4292 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4294 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 4295 BPF_EXIT_INSN(), 4296 }, 4297 .fixup_map2 = { 3 }, 4298 .errstr_unpriv = "R1 !read_ok", 4299 .errstr = "R1 !read_ok", 4300 .result = REJECT, 4301 .result_unpriv = REJECT, 4302 }, 4303 { 4304 "map element value with unaligned store", 4305 .insns = { 4306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4308 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4309 BPF_LD_MAP_FD(BPF_REG_1, 0), 4310 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), 4312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 4313 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4314 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), 4315 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), 4316 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4317 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32), 4318 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33), 4319 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34), 4320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), 4321 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), 4322 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), 4323 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), 4324 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), 4325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), 4326 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), 4327 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), 4328 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), 4329 BPF_EXIT_INSN(), 4330 }, 4331 .fixup_map2 = { 3 }, 4332 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4333 .result = ACCEPT, 4334 .result_unpriv = REJECT, 4335 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4336 }, 4337 { 4338 "map element value with unaligned load", 4339 .insns = { 4340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4342 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4343 BPF_LD_MAP_FD(BPF_REG_1, 0), 4344 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4346 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4347 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), 4348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 4349 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 4350 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), 4351 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4352 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 4353 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2), 4354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), 4355 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 4356 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), 4357 BPF_EXIT_INSN(), 4358 }, 4359 .fixup_map2 = { 3 }, 4360 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4361 .result = ACCEPT, 4362 .result_unpriv = REJECT, 4363 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4364 }, 4365 { 4366 "map element value illegal alu op, 1", 4367 .insns = { 4368 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4370 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4371 BPF_LD_MAP_FD(BPF_REG_1, 0), 4372 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4373 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4374 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8), 4375 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4376 BPF_EXIT_INSN(), 4377 }, 4378 .fixup_map2 = { 3 }, 4379 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4380 .errstr = "invalid mem access 'inv'", 4381 .result = REJECT, 4382 .result_unpriv = REJECT, 4383 }, 4384 { 4385 "map element value illegal alu op, 2", 4386 .insns = { 4387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4389 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4390 BPF_LD_MAP_FD(BPF_REG_1, 0), 4391 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4393 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0), 4394 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4395 BPF_EXIT_INSN(), 4396 }, 4397 .fixup_map2 = { 3 }, 4398 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4399 .errstr = "invalid mem access 'inv'", 4400 .result = REJECT, 4401 .result_unpriv = REJECT, 4402 }, 4403 { 4404 "map element value illegal alu op, 3", 4405 .insns = { 4406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4408 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4409 BPF_LD_MAP_FD(BPF_REG_1, 0), 4410 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4412 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42), 4413 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4414 BPF_EXIT_INSN(), 4415 }, 4416 .fixup_map2 = { 3 }, 4417 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4418 .errstr = "invalid mem access 'inv'", 4419 .result = REJECT, 4420 .result_unpriv = REJECT, 4421 }, 4422 { 4423 "map element value illegal alu op, 4", 4424 .insns = { 4425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4427 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4428 BPF_LD_MAP_FD(BPF_REG_1, 0), 4429 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4430 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4431 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64), 4432 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4433 BPF_EXIT_INSN(), 4434 }, 4435 .fixup_map2 = { 3 }, 4436 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4437 .errstr = "invalid mem access 'inv'", 4438 .result = REJECT, 4439 .result_unpriv = REJECT, 4440 }, 4441 { 4442 "map element value illegal alu op, 5", 4443 .insns = { 4444 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4446 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4447 BPF_LD_MAP_FD(BPF_REG_1, 0), 4448 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4449 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4450 BPF_MOV64_IMM(BPF_REG_3, 4096), 4451 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4453 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 4454 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0), 4455 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 4456 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 4457 BPF_EXIT_INSN(), 4458 }, 4459 .fixup_map2 = { 3 }, 4460 .errstr_unpriv = "R0 invalid mem access 'inv'", 4461 .errstr = "R0 invalid mem access 'inv'", 4462 .result = REJECT, 4463 .result_unpriv = REJECT, 4464 }, 4465 { 4466 "map element value is preserved across register spilling", 4467 .insns = { 4468 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4470 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4471 BPF_LD_MAP_FD(BPF_REG_1, 0), 4472 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4473 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4475 offsetof(struct test_val, foo)), 4476 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 4477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 4479 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4480 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 4481 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 4482 BPF_EXIT_INSN(), 4483 }, 4484 .fixup_map2 = { 3 }, 4485 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4486 .result = ACCEPT, 4487 .result_unpriv = REJECT, 4488 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4489 }, 4490 { 4491 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 4492 .insns = { 4493 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4495 BPF_MOV64_IMM(BPF_REG_0, 0), 4496 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4497 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4500 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4501 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4502 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4503 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4504 BPF_MOV64_IMM(BPF_REG_2, 16), 4505 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4506 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4507 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4508 BPF_MOV64_IMM(BPF_REG_4, 0), 4509 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4510 BPF_MOV64_IMM(BPF_REG_3, 0), 4511 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4512 BPF_MOV64_IMM(BPF_REG_0, 0), 4513 BPF_EXIT_INSN(), 4514 }, 4515 .result = ACCEPT, 4516 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4517 }, 4518 { 4519 "helper access to variable memory: stack, bitwise AND, zero included", 4520 .insns = { 4521 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4523 BPF_MOV64_IMM(BPF_REG_2, 16), 4524 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4525 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4526 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4527 BPF_MOV64_IMM(BPF_REG_3, 0), 4528 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4529 BPF_EXIT_INSN(), 4530 }, 4531 .errstr = "invalid stack type R1 off=-64 access_size=0", 4532 .result = REJECT, 4533 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4534 }, 4535 { 4536 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 4537 .insns = { 4538 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4540 BPF_MOV64_IMM(BPF_REG_2, 16), 4541 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4542 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4543 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 4544 BPF_MOV64_IMM(BPF_REG_4, 0), 4545 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4546 BPF_MOV64_IMM(BPF_REG_3, 0), 4547 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4548 BPF_MOV64_IMM(BPF_REG_0, 0), 4549 BPF_EXIT_INSN(), 4550 }, 4551 .errstr = "invalid stack type R1 off=-64 access_size=65", 4552 .result = REJECT, 4553 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4554 }, 4555 { 4556 "helper access to variable memory: stack, JMP, correct bounds", 4557 .insns = { 4558 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4560 BPF_MOV64_IMM(BPF_REG_0, 0), 4561 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4562 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4563 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4564 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4565 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4566 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4567 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4568 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4569 BPF_MOV64_IMM(BPF_REG_2, 16), 4570 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4571 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4572 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 4573 BPF_MOV64_IMM(BPF_REG_4, 0), 4574 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4575 BPF_MOV64_IMM(BPF_REG_3, 0), 4576 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4577 BPF_MOV64_IMM(BPF_REG_0, 0), 4578 BPF_EXIT_INSN(), 4579 }, 4580 .result = ACCEPT, 4581 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4582 }, 4583 { 4584 "helper access to variable memory: stack, JMP (signed), correct bounds", 4585 .insns = { 4586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4588 BPF_MOV64_IMM(BPF_REG_0, 0), 4589 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4591 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4592 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4593 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4594 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4595 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4596 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4597 BPF_MOV64_IMM(BPF_REG_2, 16), 4598 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4599 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4600 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 4601 BPF_MOV64_IMM(BPF_REG_4, 0), 4602 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 4603 BPF_MOV64_IMM(BPF_REG_3, 0), 4604 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4605 BPF_MOV64_IMM(BPF_REG_0, 0), 4606 BPF_EXIT_INSN(), 4607 }, 4608 .result = ACCEPT, 4609 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4610 }, 4611 { 4612 "helper access to variable memory: stack, JMP, bounds + offset", 4613 .insns = { 4614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4616 BPF_MOV64_IMM(BPF_REG_2, 16), 4617 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4619 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 4620 BPF_MOV64_IMM(BPF_REG_4, 0), 4621 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 4622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4623 BPF_MOV64_IMM(BPF_REG_3, 0), 4624 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4625 BPF_MOV64_IMM(BPF_REG_0, 0), 4626 BPF_EXIT_INSN(), 4627 }, 4628 .errstr = "invalid stack type R1 off=-64 access_size=65", 4629 .result = REJECT, 4630 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4631 }, 4632 { 4633 "helper access to variable memory: stack, JMP, wrong max", 4634 .insns = { 4635 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4637 BPF_MOV64_IMM(BPF_REG_2, 16), 4638 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4639 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4640 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 4641 BPF_MOV64_IMM(BPF_REG_4, 0), 4642 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4643 BPF_MOV64_IMM(BPF_REG_3, 0), 4644 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4645 BPF_MOV64_IMM(BPF_REG_0, 0), 4646 BPF_EXIT_INSN(), 4647 }, 4648 .errstr = "invalid stack type R1 off=-64 access_size=65", 4649 .result = REJECT, 4650 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4651 }, 4652 { 4653 "helper access to variable memory: stack, JMP, no max check", 4654 .insns = { 4655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4657 BPF_MOV64_IMM(BPF_REG_2, 16), 4658 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4659 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4660 BPF_MOV64_IMM(BPF_REG_4, 0), 4661 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4662 BPF_MOV64_IMM(BPF_REG_3, 0), 4663 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4664 BPF_MOV64_IMM(BPF_REG_0, 0), 4665 BPF_EXIT_INSN(), 4666 }, 4667 .errstr = "R2 unbounded memory access", 4668 .result = REJECT, 4669 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4670 }, 4671 { 4672 "helper access to variable memory: stack, JMP, no min check", 4673 .insns = { 4674 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4676 BPF_MOV64_IMM(BPF_REG_2, 16), 4677 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4678 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4679 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 4680 BPF_MOV64_IMM(BPF_REG_3, 0), 4681 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4682 BPF_MOV64_IMM(BPF_REG_0, 0), 4683 BPF_EXIT_INSN(), 4684 }, 4685 .errstr = "invalid stack type R1 off=-64 access_size=0", 4686 .result = REJECT, 4687 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4688 }, 4689 { 4690 "helper access to variable memory: stack, JMP (signed), no min check", 4691 .insns = { 4692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4694 BPF_MOV64_IMM(BPF_REG_2, 16), 4695 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 4696 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 4697 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 4698 BPF_MOV64_IMM(BPF_REG_3, 0), 4699 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4700 BPF_MOV64_IMM(BPF_REG_0, 0), 4701 BPF_EXIT_INSN(), 4702 }, 4703 .errstr = "R2 min value is negative", 4704 .result = REJECT, 4705 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4706 }, 4707 { 4708 "helper access to variable memory: map, JMP, correct bounds", 4709 .insns = { 4710 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4712 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4713 BPF_LD_MAP_FD(BPF_REG_1, 0), 4714 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4717 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4718 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4719 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4720 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4721 sizeof(struct test_val), 4), 4722 BPF_MOV64_IMM(BPF_REG_4, 0), 4723 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4724 BPF_MOV64_IMM(BPF_REG_3, 0), 4725 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4726 BPF_MOV64_IMM(BPF_REG_0, 0), 4727 BPF_EXIT_INSN(), 4728 }, 4729 .fixup_map2 = { 3 }, 4730 .result = ACCEPT, 4731 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4732 }, 4733 { 4734 "helper access to variable memory: map, JMP, wrong max", 4735 .insns = { 4736 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4738 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4739 BPF_LD_MAP_FD(BPF_REG_1, 0), 4740 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4741 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4742 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4743 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4744 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4745 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4746 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4747 sizeof(struct test_val) + 1, 4), 4748 BPF_MOV64_IMM(BPF_REG_4, 0), 4749 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4750 BPF_MOV64_IMM(BPF_REG_3, 0), 4751 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4752 BPF_MOV64_IMM(BPF_REG_0, 0), 4753 BPF_EXIT_INSN(), 4754 }, 4755 .fixup_map2 = { 3 }, 4756 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 4757 .result = REJECT, 4758 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4759 }, 4760 { 4761 "helper access to variable memory: map adjusted, JMP, correct bounds", 4762 .insns = { 4763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4765 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4766 BPF_LD_MAP_FD(BPF_REG_1, 0), 4767 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4769 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4771 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4772 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4774 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4775 sizeof(struct test_val) - 20, 4), 4776 BPF_MOV64_IMM(BPF_REG_4, 0), 4777 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4778 BPF_MOV64_IMM(BPF_REG_3, 0), 4779 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4780 BPF_MOV64_IMM(BPF_REG_0, 0), 4781 BPF_EXIT_INSN(), 4782 }, 4783 .fixup_map2 = { 3 }, 4784 .result = ACCEPT, 4785 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4786 }, 4787 { 4788 "helper access to variable memory: map adjusted, JMP, wrong max", 4789 .insns = { 4790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4792 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4793 BPF_LD_MAP_FD(BPF_REG_1, 0), 4794 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 4796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 4798 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 4799 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4800 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4801 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 4802 sizeof(struct test_val) - 19, 4), 4803 BPF_MOV64_IMM(BPF_REG_4, 0), 4804 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 4805 BPF_MOV64_IMM(BPF_REG_3, 0), 4806 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4807 BPF_MOV64_IMM(BPF_REG_0, 0), 4808 BPF_EXIT_INSN(), 4809 }, 4810 .fixup_map2 = { 3 }, 4811 .errstr = "R1 min value is outside of the array range", 4812 .result = REJECT, 4813 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4814 }, 4815 { 4816 "helper access to variable memory: size > 0 not allowed on NULL", 4817 .insns = { 4818 BPF_MOV64_IMM(BPF_REG_1, 0), 4819 BPF_MOV64_IMM(BPF_REG_2, 0), 4820 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4821 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4822 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 4823 BPF_MOV64_IMM(BPF_REG_3, 0), 4824 BPF_MOV64_IMM(BPF_REG_4, 0), 4825 BPF_MOV64_IMM(BPF_REG_5, 0), 4826 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4827 BPF_EXIT_INSN(), 4828 }, 4829 .errstr = "R1 type=imm expected=fp", 4830 .result = REJECT, 4831 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4832 }, 4833 { 4834 "helper access to variable memory: size = 0 not allowed on != NULL", 4835 .insns = { 4836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 4838 BPF_MOV64_IMM(BPF_REG_2, 0), 4839 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 4840 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 4841 BPF_MOV64_IMM(BPF_REG_3, 0), 4842 BPF_MOV64_IMM(BPF_REG_4, 0), 4843 BPF_MOV64_IMM(BPF_REG_5, 0), 4844 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 4845 BPF_EXIT_INSN(), 4846 }, 4847 .errstr = "invalid stack type R1 off=-8 access_size=0", 4848 .result = REJECT, 4849 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4850 }, 4851 { 4852 "helper access to variable memory: 8 bytes leak", 4853 .insns = { 4854 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4856 BPF_MOV64_IMM(BPF_REG_0, 0), 4857 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4858 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4859 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4860 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4861 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4862 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4863 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4864 BPF_MOV64_IMM(BPF_REG_2, 0), 4865 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 4866 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 4867 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 4868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4869 BPF_MOV64_IMM(BPF_REG_3, 0), 4870 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4871 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4872 BPF_EXIT_INSN(), 4873 }, 4874 .errstr = "invalid indirect read from stack off -64+32 size 64", 4875 .result = REJECT, 4876 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4877 }, 4878 { 4879 "helper access to variable memory: 8 bytes no leak (init memory)", 4880 .insns = { 4881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4882 BPF_MOV64_IMM(BPF_REG_0, 0), 4883 BPF_MOV64_IMM(BPF_REG_0, 0), 4884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 4885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 4886 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 4887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 4888 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 4889 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 4890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 4891 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 4892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 4893 BPF_MOV64_IMM(BPF_REG_2, 0), 4894 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 4895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 4896 BPF_MOV64_IMM(BPF_REG_3, 0), 4897 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4898 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 4899 BPF_EXIT_INSN(), 4900 }, 4901 .result = ACCEPT, 4902 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4903 }, 4904 { 4905 "invalid and of negative number", 4906 .insns = { 4907 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4908 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4910 BPF_LD_MAP_FD(BPF_REG_1, 0), 4911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4912 BPF_FUNC_map_lookup_elem), 4913 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4914 BPF_MOV64_IMM(BPF_REG_1, 6), 4915 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 4916 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4917 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4918 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4919 offsetof(struct test_val, foo)), 4920 BPF_EXIT_INSN(), 4921 }, 4922 .fixup_map2 = { 3 }, 4923 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4924 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4925 .result = REJECT, 4926 .result_unpriv = REJECT, 4927 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4928 }, 4929 { 4930 "invalid range check", 4931 .insns = { 4932 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4933 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4935 BPF_LD_MAP_FD(BPF_REG_1, 0), 4936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4937 BPF_FUNC_map_lookup_elem), 4938 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 4939 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4940 BPF_MOV64_IMM(BPF_REG_9, 1), 4941 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 4942 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 4943 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 4944 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 4945 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 4946 BPF_MOV32_IMM(BPF_REG_3, 1), 4947 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 4948 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 4949 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 4950 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 4951 BPF_MOV64_REG(BPF_REG_0, 0), 4952 BPF_EXIT_INSN(), 4953 }, 4954 .fixup_map2 = { 3 }, 4955 .errstr_unpriv = "R0 pointer arithmetic prohibited", 4956 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 4957 .result = REJECT, 4958 .result_unpriv = REJECT, 4959 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4960 }, 4961 { 4962 "map in map access", 4963 .insns = { 4964 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4967 BPF_LD_MAP_FD(BPF_REG_1, 0), 4968 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4969 BPF_FUNC_map_lookup_elem), 4970 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4971 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4972 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4974 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4975 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4976 BPF_FUNC_map_lookup_elem), 4977 BPF_MOV64_REG(BPF_REG_0, 0), 4978 BPF_EXIT_INSN(), 4979 }, 4980 .fixup_map_in_map = { 3 }, 4981 .result = ACCEPT, 4982 }, 4983 { 4984 "invalid inner map pointer", 4985 .insns = { 4986 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4987 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4989 BPF_LD_MAP_FD(BPF_REG_1, 0), 4990 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4991 BPF_FUNC_map_lookup_elem), 4992 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4993 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 4994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 4996 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 4998 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4999 BPF_FUNC_map_lookup_elem), 5000 BPF_MOV64_REG(BPF_REG_0, 0), 5001 BPF_EXIT_INSN(), 5002 }, 5003 .fixup_map_in_map = { 3 }, 5004 .errstr = "R1 type=inv expected=map_ptr", 5005 .errstr_unpriv = "R1 pointer arithmetic prohibited", 5006 .result = REJECT, 5007 }, 5008 { 5009 "forgot null checking on the inner map pointer", 5010 .insns = { 5011 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5014 BPF_LD_MAP_FD(BPF_REG_1, 0), 5015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5016 BPF_FUNC_map_lookup_elem), 5017 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 5018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5020 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5022 BPF_FUNC_map_lookup_elem), 5023 BPF_MOV64_REG(BPF_REG_0, 0), 5024 BPF_EXIT_INSN(), 5025 }, 5026 .fixup_map_in_map = { 3 }, 5027 .errstr = "R1 type=map_value_or_null expected=map_ptr", 5028 .result = REJECT, 5029 }, 5030 { 5031 "ld_abs: check calling conv, r1", 5032 .insns = { 5033 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5034 BPF_MOV64_IMM(BPF_REG_1, 0), 5035 BPF_LD_ABS(BPF_W, -0x200000), 5036 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 5037 BPF_EXIT_INSN(), 5038 }, 5039 .errstr = "R1 !read_ok", 5040 .result = REJECT, 5041 }, 5042 { 5043 "ld_abs: check calling conv, r2", 5044 .insns = { 5045 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5046 BPF_MOV64_IMM(BPF_REG_2, 0), 5047 BPF_LD_ABS(BPF_W, -0x200000), 5048 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 5049 BPF_EXIT_INSN(), 5050 }, 5051 .errstr = "R2 !read_ok", 5052 .result = REJECT, 5053 }, 5054 { 5055 "ld_abs: check calling conv, r3", 5056 .insns = { 5057 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5058 BPF_MOV64_IMM(BPF_REG_3, 0), 5059 BPF_LD_ABS(BPF_W, -0x200000), 5060 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 5061 BPF_EXIT_INSN(), 5062 }, 5063 .errstr = "R3 !read_ok", 5064 .result = REJECT, 5065 }, 5066 { 5067 "ld_abs: check calling conv, r4", 5068 .insns = { 5069 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5070 BPF_MOV64_IMM(BPF_REG_4, 0), 5071 BPF_LD_ABS(BPF_W, -0x200000), 5072 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 5073 BPF_EXIT_INSN(), 5074 }, 5075 .errstr = "R4 !read_ok", 5076 .result = REJECT, 5077 }, 5078 { 5079 "ld_abs: check calling conv, r5", 5080 .insns = { 5081 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5082 BPF_MOV64_IMM(BPF_REG_5, 0), 5083 BPF_LD_ABS(BPF_W, -0x200000), 5084 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 5085 BPF_EXIT_INSN(), 5086 }, 5087 .errstr = "R5 !read_ok", 5088 .result = REJECT, 5089 }, 5090 { 5091 "ld_abs: check calling conv, r7", 5092 .insns = { 5093 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5094 BPF_MOV64_IMM(BPF_REG_7, 0), 5095 BPF_LD_ABS(BPF_W, -0x200000), 5096 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 5097 BPF_EXIT_INSN(), 5098 }, 5099 .result = ACCEPT, 5100 }, 5101 { 5102 "ld_ind: check calling conv, r1", 5103 .insns = { 5104 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5105 BPF_MOV64_IMM(BPF_REG_1, 1), 5106 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000), 5107 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 5108 BPF_EXIT_INSN(), 5109 }, 5110 .errstr = "R1 !read_ok", 5111 .result = REJECT, 5112 }, 5113 { 5114 "ld_ind: check calling conv, r2", 5115 .insns = { 5116 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5117 BPF_MOV64_IMM(BPF_REG_2, 1), 5118 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000), 5119 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 5120 BPF_EXIT_INSN(), 5121 }, 5122 .errstr = "R2 !read_ok", 5123 .result = REJECT, 5124 }, 5125 { 5126 "ld_ind: check calling conv, r3", 5127 .insns = { 5128 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5129 BPF_MOV64_IMM(BPF_REG_3, 1), 5130 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000), 5131 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 5132 BPF_EXIT_INSN(), 5133 }, 5134 .errstr = "R3 !read_ok", 5135 .result = REJECT, 5136 }, 5137 { 5138 "ld_ind: check calling conv, r4", 5139 .insns = { 5140 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5141 BPF_MOV64_IMM(BPF_REG_4, 1), 5142 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000), 5143 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 5144 BPF_EXIT_INSN(), 5145 }, 5146 .errstr = "R4 !read_ok", 5147 .result = REJECT, 5148 }, 5149 { 5150 "ld_ind: check calling conv, r5", 5151 .insns = { 5152 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5153 BPF_MOV64_IMM(BPF_REG_5, 1), 5154 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000), 5155 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 5156 BPF_EXIT_INSN(), 5157 }, 5158 .errstr = "R5 !read_ok", 5159 .result = REJECT, 5160 }, 5161 { 5162 "ld_ind: check calling conv, r7", 5163 .insns = { 5164 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5165 BPF_MOV64_IMM(BPF_REG_7, 1), 5166 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000), 5167 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 5168 BPF_EXIT_INSN(), 5169 }, 5170 .result = ACCEPT, 5171 }, 5172 }; 5173 5174 static int probe_filter_length(const struct bpf_insn *fp) 5175 { 5176 int len; 5177 5178 for (len = MAX_INSNS - 1; len > 0; --len) 5179 if (fp[len].code != 0 || fp[len].imm != 0) 5180 break; 5181 return len + 1; 5182 } 5183 5184 static int create_map(uint32_t size_value, uint32_t max_elem) 5185 { 5186 int fd; 5187 5188 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 5189 size_value, max_elem, BPF_F_NO_PREALLOC); 5190 if (fd < 0) 5191 printf("Failed to create hash map '%s'!\n", strerror(errno)); 5192 5193 return fd; 5194 } 5195 5196 static int create_prog_array(void) 5197 { 5198 int fd; 5199 5200 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 5201 sizeof(int), 4, 0); 5202 if (fd < 0) 5203 printf("Failed to create prog array '%s'!\n", strerror(errno)); 5204 5205 return fd; 5206 } 5207 5208 static int create_map_in_map(void) 5209 { 5210 int inner_map_fd, outer_map_fd; 5211 5212 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 5213 sizeof(int), 1, 0); 5214 if (inner_map_fd < 0) { 5215 printf("Failed to create array '%s'!\n", strerror(errno)); 5216 return inner_map_fd; 5217 } 5218 5219 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, 5220 sizeof(int), inner_map_fd, 1, 0); 5221 if (outer_map_fd < 0) 5222 printf("Failed to create array of maps '%s'!\n", 5223 strerror(errno)); 5224 5225 close(inner_map_fd); 5226 5227 return outer_map_fd; 5228 } 5229 5230 static char bpf_vlog[32768]; 5231 5232 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 5233 int *map_fds) 5234 { 5235 int *fixup_map1 = test->fixup_map1; 5236 int *fixup_map2 = test->fixup_map2; 5237 int *fixup_prog = test->fixup_prog; 5238 int *fixup_map_in_map = test->fixup_map_in_map; 5239 5240 /* Allocating HTs with 1 elem is fine here, since we only test 5241 * for verifier and not do a runtime lookup, so the only thing 5242 * that really matters is value size in this case. 5243 */ 5244 if (*fixup_map1) { 5245 map_fds[0] = create_map(sizeof(long long), 1); 5246 do { 5247 prog[*fixup_map1].imm = map_fds[0]; 5248 fixup_map1++; 5249 } while (*fixup_map1); 5250 } 5251 5252 if (*fixup_map2) { 5253 map_fds[1] = create_map(sizeof(struct test_val), 1); 5254 do { 5255 prog[*fixup_map2].imm = map_fds[1]; 5256 fixup_map2++; 5257 } while (*fixup_map2); 5258 } 5259 5260 if (*fixup_prog) { 5261 map_fds[2] = create_prog_array(); 5262 do { 5263 prog[*fixup_prog].imm = map_fds[2]; 5264 fixup_prog++; 5265 } while (*fixup_prog); 5266 } 5267 5268 if (*fixup_map_in_map) { 5269 map_fds[3] = create_map_in_map(); 5270 do { 5271 prog[*fixup_map_in_map].imm = map_fds[3]; 5272 fixup_map_in_map++; 5273 } while (*fixup_map_in_map); 5274 } 5275 } 5276 5277 static void do_test_single(struct bpf_test *test, bool unpriv, 5278 int *passes, int *errors) 5279 { 5280 int fd_prog, expected_ret, reject_from_alignment; 5281 struct bpf_insn *prog = test->insns; 5282 int prog_len = probe_filter_length(prog); 5283 int prog_type = test->prog_type; 5284 int map_fds[MAX_NR_MAPS]; 5285 const char *expected_err; 5286 int i; 5287 5288 for (i = 0; i < MAX_NR_MAPS; i++) 5289 map_fds[i] = -1; 5290 5291 do_test_fixup(test, prog, map_fds); 5292 5293 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 5294 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT, 5295 "GPL", 0, bpf_vlog, sizeof(bpf_vlog)); 5296 5297 expected_ret = unpriv && test->result_unpriv != UNDEF ? 5298 test->result_unpriv : test->result; 5299 expected_err = unpriv && test->errstr_unpriv ? 5300 test->errstr_unpriv : test->errstr; 5301 5302 reject_from_alignment = fd_prog < 0 && 5303 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) && 5304 strstr(bpf_vlog, "Unknown alignment."); 5305 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 5306 if (reject_from_alignment) { 5307 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n", 5308 strerror(errno)); 5309 goto fail_log; 5310 } 5311 #endif 5312 if (expected_ret == ACCEPT) { 5313 if (fd_prog < 0 && !reject_from_alignment) { 5314 printf("FAIL\nFailed to load prog '%s'!\n", 5315 strerror(errno)); 5316 goto fail_log; 5317 } 5318 } else { 5319 if (fd_prog >= 0) { 5320 printf("FAIL\nUnexpected success to load!\n"); 5321 goto fail_log; 5322 } 5323 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) { 5324 printf("FAIL\nUnexpected error message!\n"); 5325 goto fail_log; 5326 } 5327 } 5328 5329 (*passes)++; 5330 printf("OK%s\n", reject_from_alignment ? 5331 " (NOTE: reject due to unknown alignment)" : ""); 5332 close_fds: 5333 close(fd_prog); 5334 for (i = 0; i < MAX_NR_MAPS; i++) 5335 close(map_fds[i]); 5336 sched_yield(); 5337 return; 5338 fail_log: 5339 (*errors)++; 5340 printf("%s", bpf_vlog); 5341 goto close_fds; 5342 } 5343 5344 static bool is_admin(void) 5345 { 5346 cap_t caps; 5347 cap_flag_value_t sysadmin = CAP_CLEAR; 5348 const cap_value_t cap_val = CAP_SYS_ADMIN; 5349 5350 #ifdef CAP_IS_SUPPORTED 5351 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 5352 perror("cap_get_flag"); 5353 return false; 5354 } 5355 #endif 5356 caps = cap_get_proc(); 5357 if (!caps) { 5358 perror("cap_get_proc"); 5359 return false; 5360 } 5361 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 5362 perror("cap_get_flag"); 5363 if (cap_free(caps)) 5364 perror("cap_free"); 5365 return (sysadmin == CAP_SET); 5366 } 5367 5368 static int set_admin(bool admin) 5369 { 5370 cap_t caps; 5371 const cap_value_t cap_val = CAP_SYS_ADMIN; 5372 int ret = -1; 5373 5374 caps = cap_get_proc(); 5375 if (!caps) { 5376 perror("cap_get_proc"); 5377 return -1; 5378 } 5379 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 5380 admin ? CAP_SET : CAP_CLEAR)) { 5381 perror("cap_set_flag"); 5382 goto out; 5383 } 5384 if (cap_set_proc(caps)) { 5385 perror("cap_set_proc"); 5386 goto out; 5387 } 5388 ret = 0; 5389 out: 5390 if (cap_free(caps)) 5391 perror("cap_free"); 5392 return ret; 5393 } 5394 5395 static int do_test(bool unpriv, unsigned int from, unsigned int to) 5396 { 5397 int i, passes = 0, errors = 0; 5398 5399 for (i = from; i < to; i++) { 5400 struct bpf_test *test = &tests[i]; 5401 5402 /* Program types that are not supported by non-root we 5403 * skip right away. 5404 */ 5405 if (!test->prog_type) { 5406 if (!unpriv) 5407 set_admin(false); 5408 printf("#%d/u %s ", i, test->descr); 5409 do_test_single(test, true, &passes, &errors); 5410 if (!unpriv) 5411 set_admin(true); 5412 } 5413 5414 if (!unpriv) { 5415 printf("#%d/p %s ", i, test->descr); 5416 do_test_single(test, false, &passes, &errors); 5417 } 5418 } 5419 5420 printf("Summary: %d PASSED, %d FAILED\n", passes, errors); 5421 return errors ? -errors : 0; 5422 } 5423 5424 int main(int argc, char **argv) 5425 { 5426 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY }; 5427 struct rlimit rlim = { 1 << 20, 1 << 20 }; 5428 unsigned int from = 0, to = ARRAY_SIZE(tests); 5429 bool unpriv = !is_admin(); 5430 5431 if (argc == 3) { 5432 unsigned int l = atoi(argv[argc - 2]); 5433 unsigned int u = atoi(argv[argc - 1]); 5434 5435 if (l < to && u < to) { 5436 from = l; 5437 to = u + 1; 5438 } 5439 } else if (argc == 2) { 5440 unsigned int t = atoi(argv[argc - 1]); 5441 5442 if (t < to) { 5443 from = t; 5444 to = t + 1; 5445 } 5446 } 5447 5448 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf); 5449 return do_test(unpriv, from, to); 5450 } 5451