/*
 * Verifier precision-tracking test entries.  Each entry is a raw eBPF
 * instruction sequence plus the expected verdict and the expected verifier
 * log text.
 *
 * Reading the expected logs: the regs= values are consistent with hex
 * register bitmasks when matched against the instructions (4 = r2,
 * 10 = r4, 200 = r9, 300 = r8|r9, 201 = r0|r9); stack=1 lines up with
 * the slot at fp-8.
 *
 * NOTE(review): every `\`-continued line contributes its leading whitespace
 * to the string literal.  The harness presumably uses that whitespace to
 * separate the expected log fragments, so the indentation of those lines
 * is data, not formatting; confirm against the test runner before
 * re-indenting.
 */

/*
 * precise: test 1
 * Two lookups on the same map leave map-value pointers in r9 and r8.  Their
 * difference is a scalar, which is range-checked and handed to
 * bpf_probe_read_kernel in r2 (the helper's size argument) with r1 = fp-8.
 * The upper bound of 8 on r2 is what keeps the helper's write inside the
 * 8-byte slot at fp-8, so the verifier has to track r2, and the r9/r8 it was
 * derived from, precisely.  The expected log walks that chain backwards from
 * the call at index 26 (BPF_LD_MAP_FD occupies two instruction slots).
 */
{
	"precise: test 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 1),
	BPF_LD_MAP_FD(BPF_REG_6, 0),
	/* First lookup: key is the zeroed 8-byte slot at fp-8. */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* exit on NULL result */
	BPF_EXIT_INSN(),

	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),

	/* Second lookup with the same map and key. */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* exit on NULL result */
	BPF_EXIT_INSN(),

	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),

	BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
	/* Continue only when r2 < 8; otherwise take the exit below. */
	BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
	BPF_EXIT_INSN(),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=scalar(umin=1, umax=8) */
	/* r1 = fp-8 (destination), r2 = bounded size, r3 = 0 (source address). */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
	/* Index 1 is the BPF_LD_MAP_FD above; presumably patched with a real map fd by the harness. */
	.fixup_map_array_48b = { 1 },
	/* NOTE(review): VERBOSE_ACCEPT presumably means "must load, and the verbose log must contain errstr" - confirm. */
	.result = VERBOSE_ACCEPT,
	.errstr =
	"26: (85) call bpf_probe_read_kernel#113\
	last_idx 26 first_idx 20\
	regs=4 stack=0 before 25\
	regs=4 stack=0 before 24\
	regs=4 stack=0 before 23\
	regs=4 stack=0 before 22\
	regs=4 stack=0 before 20\
	parent didn't have regs=4 stack=0 marks\
	last_idx 19 first_idx 10\
	regs=4 stack=0 before 19\
	regs=200 stack=0 before 18\
	regs=300 stack=0 before 17\
	regs=201 stack=0 before 15\
	regs=201 stack=0 before 14\
	regs=200 stack=0 before 13\
	regs=200 stack=0 before 12\
	regs=200 stack=0 before 11\
	regs=200 stack=0 before 10\
	parent already had regs=0 stack=0 marks",
},
/*
 * precise: test 2
 * Same instruction sequence as test 1, run with BPF_F_TEST_STATE_FREQ.  The
 * expected log differs only in how the backtracking is segmented: the
 * last_idx/first_idx ranges are shorter (22-26, 20-20, 17-19), and the walk
 * stops at index 17 instead of index 10.
 */
{
	"precise: test 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 1),
	BPF_LD_MAP_FD(BPF_REG_6, 0),
	/* First lookup: key is the zeroed 8-byte slot at fp-8. */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_FP, -8, 0),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* exit on NULL result */
	BPF_EXIT_INSN(),

	BPF_MOV64_REG(BPF_REG_9, BPF_REG_0),

	/* Second lookup with the same map and key. */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* exit on NULL result */
	BPF_EXIT_INSN(),

	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),

	BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), /* map_value_ptr -= map_value_ptr */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_9),
	/* Continue only when r2 < 8; otherwise take the exit below. */
	BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 8, 1),
	BPF_EXIT_INSN(),

	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), /* R2=scalar(umin=1, umax=8) */
	/* r1 = fp-8 (destination), r2 = bounded size, r3 = 0 (source address). */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
	.fixup_map_array_48b = { 1 },
	.result = VERBOSE_ACCEPT,
	.flags = BPF_F_TEST_STATE_FREQ,
	.errstr =
	"26: (85) call bpf_probe_read_kernel#113\
	last_idx 26 first_idx 22\
	regs=4 stack=0 before 25\
	regs=4 stack=0 before 24\
	regs=4 stack=0 before 23\
	regs=4 stack=0 before 22\
	parent didn't have regs=4 stack=0 marks\
	last_idx 20 first_idx 20\
	regs=4 stack=0 before 20\
	parent didn't have regs=4 stack=0 marks\
	last_idx 19 first_idx 17\
	regs=4 stack=0 before 19\
	regs=200 stack=0 before 18\
	regs=300 stack=0 before 17\
	parent already had regs=0 stack=0 marks",
},
/*
 * precise: cross frame pruning
 * r8 and r9 are each set to 0 or 1 from a random value, then a subprogram
 * (the last two instructions) is called.  After it returns, the load through
 * r2 is skipped only when r8 == 1.  r2 is never written anywhere in this
 * program, so the r8 == 0 path must be rejected with "!read_ok".
 * NOTE(review): presumably this guards against the verifier treating the
 * r8 == 0 and r8 == 1 states as equivalent across the call and pruning the
 * path that reaches the load - confirm against the commit that added it.
 */
{
	"precise: cross frame pruning",
	.insns = {
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
	BPF_MOV64_IMM(BPF_REG_8, 0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_MOV64_IMM(BPF_REG_8, 1),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
	BPF_MOV64_IMM(BPF_REG_9, 0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_MOV64_IMM(BPF_REG_9, 1),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	/* src_reg = 1, imm = 4: call the subprogram that starts 4 instructions after the next one. */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
	/* One-byte load using r2 as the base address. */
	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	/* Subprogram body: a zero-offset conditional jump on r1, then return. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_XDP,
	.flags = BPF_F_TEST_STATE_FREQ,
	.errstr = "!read_ok",
	.result = REJECT,
},
/*
 * precise: ST insn causing spi > allocated_stack
 * The 8-byte store goes through r3, a copy of the frame pointer, rather than
 * through r10 itself; the value is then reloaded from fp-8 into r4 and
 * compared against r0.  The expected log shows precision for r4 (regs=10)
 * being carried back to the stack slot (stack=1) before the store at
 * index 2.  Both conditional jumps have offset 0, so they fall through
 * either way.  r0 is -1 at exit, matching .retval.
 */
{
	"precise: ST insn causing spi > allocated_stack",
	.insns = {
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
	BPF_ST_MEM(BPF_DW, BPF_REG_3, -8, 0),
	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
	BPF_MOV64_IMM(BPF_REG_0, -1),
	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_XDP,
	.flags = BPF_F_TEST_STATE_FREQ,
	.errstr = "5: (2d) if r4 > r0 goto pc+0\
	last_idx 5 first_idx 5\
	parent didn't have regs=10 stack=0 marks\
	last_idx 4 first_idx 2\
	regs=10 stack=0 before 4\
	regs=10 stack=0 before 3\
	regs=0 stack=1 before 2\
	last_idx 5 first_idx 5\
	parent didn't have regs=1 stack=0 marks",
	.result = VERBOSE_ACCEPT,
	.retval = -1,
},
/*
 * precise: STX insn causing spi > allocated_stack
 * Register-source variant of the previous entry: the value stored through
 * r3 (a copy of the frame pointer) is r0, the result of get_prandom_u32,
 * instead of an immediate.  The extra leading call shifts every instruction
 * index in the expected log up by one.
 */
{
	"precise: STX insn causing spi > allocated_stack",
	.insns = {
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_3, 123, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
	BPF_MOV64_IMM(BPF_REG_0, -1),
	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_XDP,
	.flags = BPF_F_TEST_STATE_FREQ,
	.errstr = "last_idx 6 first_idx 6\
	parent didn't have regs=10 stack=0 marks\
	last_idx 5 first_idx 3\
	regs=10 stack=0 before 5\
	regs=10 stack=0 before 4\
	regs=0 stack=1 before 3\
	last_idx 6 first_idx 6\
	parent didn't have regs=1 stack=0 marks\
	last_idx 5 first_idx 3\
	regs=1 stack=0 before 5",
	.result = VERBOSE_ACCEPT,
	.retval = -1,
},
/*
 * precise: mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO
 * The size passed to bpf_ringbuf_reserve in r2 is 1 when ingress_ifindex is 0
 * and 0x1000 otherwise.  The 8-byte load at offset 42 of the returned record
 * fits a 0x1000-byte reservation but not a 1-byte one, and the expected
 * error names mem_size=1.
 * NOTE(review): presumably the point is that the size argument must be
 * marked precise, so the size-1 state is not pruned as equivalent to the
 * already-verified size-0x1000 state, which would let the out-of-bounds
 * load through - confirm against the commit that added it.
 */
{
	"precise: mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, offsetof(struct xdp_md, ingress_ifindex)),
	BPF_LD_MAP_FD(BPF_REG_6, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_2, 1),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	/* r2 stays 1 when r4 == 0; otherwise it is overwritten with 0x1000. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 0, 1),
	BPF_MOV64_IMM(BPF_REG_2, 0x1000),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* exit on NULL result */
	BPF_EXIT_INSN(),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	/* 8-byte load at offset 42 of the reserved record. */
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 42),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 1 is the BPF_LD_MAP_FD above; presumably patched with a ring buffer map fd by the harness. */
	.fixup_map_ringbuf = { 1 },
	.prog_type = BPF_PROG_TYPE_XDP,
	.flags = BPF_F_TEST_STATE_FREQ,
	.errstr = "invalid access to memory, mem_size=1 off=42 size=8",
	.result = REJECT,
},