blob: 3c64f30cf63cc2b6adb532a3b1f3201533193f7f [file] [log] [blame]
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07001/*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
9 */
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020010
Daniel Borkmann2c460622017-08-04 22:24:41 +020011#include <endian.h>
Alexei Starovoitov1da8ac72017-03-10 22:05:55 -080012#include <asm/types.h>
13#include <linux/types.h>
Mickaël Salaün702498a2017-02-10 00:21:44 +010014#include <stdint.h>
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070015#include <stdio.h>
Mickaël Salaün702498a2017-02-10 00:21:44 +010016#include <stdlib.h>
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070017#include <unistd.h>
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070018#include <errno.h>
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070019#include <string.h>
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -070020#include <stddef.h>
Alexei Starovoitovbf508872015-10-07 22:23:23 -070021#include <stdbool.h>
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020022#include <sched.h>
23
Mickaël Salaünd02d8982017-02-10 00:21:37 +010024#include <sys/capability.h>
Alexei Starovoitovbf508872015-10-07 22:23:23 -070025#include <sys/resource.h>
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070026
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020027#include <linux/unistd.h>
28#include <linux/filter.h>
29#include <linux/bpf_perf_event.h>
30#include <linux/bpf.h>
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070031
Mickaël Salaün2ee89fb2017-02-10 00:21:38 +010032#include <bpf/bpf.h>
33
Daniel Borkmann02ea80b2017-03-31 02:24:04 +020034#ifdef HAVE_GENHDR
35# include "autoconf.h"
36#else
37# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38# define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
39# endif
40#endif
41
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020042#include "../../../include/linux/filter.h"
43
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020044#ifndef ARRAY_SIZE
45# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
46#endif
47
48#define MAX_INSNS 512
49#define MAX_FIXUPS 8
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -070050#define MAX_NR_MAPS 4
Alexei Starovoitovbf508872015-10-07 22:23:23 -070051
Daniel Borkmann02ea80b2017-03-31 02:24:04 +020052#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
Daniel Borkmann614d0d72017-05-25 01:05:09 +020053#define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
Daniel Borkmann02ea80b2017-03-31 02:24:04 +020054
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070055struct bpf_test {
56 const char *descr;
57 struct bpf_insn insns[MAX_INSNS];
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020058 int fixup_map1[MAX_FIXUPS];
59 int fixup_map2[MAX_FIXUPS];
60 int fixup_prog[MAX_FIXUPS];
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -070061 int fixup_map_in_map[MAX_FIXUPS];
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070062 const char *errstr;
Alexei Starovoitovbf508872015-10-07 22:23:23 -070063 const char *errstr_unpriv;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070064 enum {
Alexei Starovoitovbf508872015-10-07 22:23:23 -070065 UNDEF,
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070066 ACCEPT,
67 REJECT
Alexei Starovoitovbf508872015-10-07 22:23:23 -070068 } result, result_unpriv;
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -070069 enum bpf_prog_type prog_type;
Daniel Borkmann02ea80b2017-03-31 02:24:04 +020070 uint8_t flags;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070071};
72
Josef Bacik48461132016-09-28 10:54:32 -040073/* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
75 */
76#define MAX_ENTRIES 11
Josef Bacik48461132016-09-28 10:54:32 -040077
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +020078struct test_val {
79 unsigned int index;
80 int foo[MAX_ENTRIES];
Josef Bacik48461132016-09-28 10:54:32 -040081};
82
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -070083static struct bpf_test tests[] = {
84 {
85 "add+sub+mul",
86 .insns = {
87 BPF_MOV64_IMM(BPF_REG_1, 1),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 BPF_MOV64_IMM(BPF_REG_2, 3),
90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
94 BPF_EXIT_INSN(),
95 },
96 .result = ACCEPT,
97 },
98 {
99 "unreachable",
100 .insns = {
101 BPF_EXIT_INSN(),
102 BPF_EXIT_INSN(),
103 },
104 .errstr = "unreachable",
105 .result = REJECT,
106 },
107 {
108 "unreachable2",
109 .insns = {
110 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
112 BPF_EXIT_INSN(),
113 },
114 .errstr = "unreachable",
115 .result = REJECT,
116 },
117 {
118 "out of range jump",
119 .insns = {
120 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
121 BPF_EXIT_INSN(),
122 },
123 .errstr = "jump out of range",
124 .result = REJECT,
125 },
126 {
127 "out of range jump2",
128 .insns = {
129 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
130 BPF_EXIT_INSN(),
131 },
132 .errstr = "jump out of range",
133 .result = REJECT,
134 },
135 {
136 "test1 ld_imm64",
137 .insns = {
138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 0),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_LD_IMM64(BPF_REG_0, 1),
143 BPF_MOV64_IMM(BPF_REG_0, 2),
144 BPF_EXIT_INSN(),
145 },
146 .errstr = "invalid BPF_LD_IMM insn",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700147 .errstr_unpriv = "R1 pointer comparison",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700148 .result = REJECT,
149 },
150 {
151 "test2 ld_imm64",
152 .insns = {
153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 0),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_LD_IMM64(BPF_REG_0, 1),
158 BPF_EXIT_INSN(),
159 },
160 .errstr = "invalid BPF_LD_IMM insn",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700161 .errstr_unpriv = "R1 pointer comparison",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700162 .result = REJECT,
163 },
164 {
165 "test3 ld_imm64",
166 .insns = {
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_LD_IMM64(BPF_REG_0, 1),
173 BPF_EXIT_INSN(),
174 },
175 .errstr = "invalid bpf_ld_imm64 insn",
176 .result = REJECT,
177 },
178 {
179 "test4 ld_imm64",
180 .insns = {
181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
182 BPF_EXIT_INSN(),
183 },
184 .errstr = "invalid bpf_ld_imm64 insn",
185 .result = REJECT,
186 },
187 {
188 "test5 ld_imm64",
189 .insns = {
190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
191 },
192 .errstr = "invalid bpf_ld_imm64 insn",
193 .result = REJECT,
194 },
195 {
Daniel Borkmann728a8532017-04-27 01:39:32 +0200196 "test6 ld_imm64",
197 .insns = {
198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
200 BPF_EXIT_INSN(),
201 },
202 .result = ACCEPT,
203 },
204 {
205 "test7 ld_imm64",
206 .insns = {
207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
209 BPF_EXIT_INSN(),
210 },
211 .result = ACCEPT,
212 },
213 {
214 "test8 ld_imm64",
215 .insns = {
216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
218 BPF_EXIT_INSN(),
219 },
220 .errstr = "uses reserved fields",
221 .result = REJECT,
222 },
223 {
224 "test9 ld_imm64",
225 .insns = {
226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
228 BPF_EXIT_INSN(),
229 },
230 .errstr = "invalid bpf_ld_imm64 insn",
231 .result = REJECT,
232 },
233 {
234 "test10 ld_imm64",
235 .insns = {
236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
238 BPF_EXIT_INSN(),
239 },
240 .errstr = "invalid bpf_ld_imm64 insn",
241 .result = REJECT,
242 },
243 {
244 "test11 ld_imm64",
245 .insns = {
246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
248 BPF_EXIT_INSN(),
249 },
250 .errstr = "invalid bpf_ld_imm64 insn",
251 .result = REJECT,
252 },
253 {
254 "test12 ld_imm64",
255 .insns = {
256 BPF_MOV64_IMM(BPF_REG_1, 0),
257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
259 BPF_EXIT_INSN(),
260 },
261 .errstr = "not pointing to valid bpf_map",
262 .result = REJECT,
263 },
264 {
265 "test13 ld_imm64",
266 .insns = {
267 BPF_MOV64_IMM(BPF_REG_1, 0),
268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
270 BPF_EXIT_INSN(),
271 },
272 .errstr = "invalid bpf_ld_imm64 insn",
273 .result = REJECT,
274 },
275 {
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700276 "no bpf_exit",
277 .insns = {
278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
279 },
280 .errstr = "jump out of range",
281 .result = REJECT,
282 },
283 {
284 "loop (back-edge)",
285 .insns = {
286 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
287 BPF_EXIT_INSN(),
288 },
289 .errstr = "back-edge",
290 .result = REJECT,
291 },
292 {
293 "loop2 (back-edge)",
294 .insns = {
295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
298 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
299 BPF_EXIT_INSN(),
300 },
301 .errstr = "back-edge",
302 .result = REJECT,
303 },
304 {
305 "conditional loop",
306 .insns = {
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
311 BPF_EXIT_INSN(),
312 },
313 .errstr = "back-edge",
314 .result = REJECT,
315 },
316 {
317 "read uninitialized register",
318 .insns = {
319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
320 BPF_EXIT_INSN(),
321 },
322 .errstr = "R2 !read_ok",
323 .result = REJECT,
324 },
325 {
326 "read invalid register",
327 .insns = {
328 BPF_MOV64_REG(BPF_REG_0, -1),
329 BPF_EXIT_INSN(),
330 },
331 .errstr = "R15 is invalid",
332 .result = REJECT,
333 },
334 {
335 "program doesn't init R0 before exit",
336 .insns = {
337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
338 BPF_EXIT_INSN(),
339 },
340 .errstr = "R0 !read_ok",
341 .result = REJECT,
342 },
343 {
Alexei Starovoitov32bf08a2014-10-20 14:54:57 -0700344 "program doesn't init R0 before exit in all branches",
345 .insns = {
346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
347 BPF_MOV64_IMM(BPF_REG_0, 1),
348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
349 BPF_EXIT_INSN(),
350 },
351 .errstr = "R0 !read_ok",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700352 .errstr_unpriv = "R1 pointer comparison",
Alexei Starovoitov32bf08a2014-10-20 14:54:57 -0700353 .result = REJECT,
354 },
355 {
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700356 "stack out of bounds",
357 .insns = {
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
359 BPF_EXIT_INSN(),
360 },
361 .errstr = "invalid stack",
362 .result = REJECT,
363 },
364 {
365 "invalid call insn1",
366 .insns = {
367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
368 BPF_EXIT_INSN(),
369 },
370 .errstr = "BPF_CALL uses reserved",
371 .result = REJECT,
372 },
373 {
374 "invalid call insn2",
375 .insns = {
376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
377 BPF_EXIT_INSN(),
378 },
379 .errstr = "BPF_CALL uses reserved",
380 .result = REJECT,
381 },
382 {
383 "invalid function call",
384 .insns = {
385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
386 BPF_EXIT_INSN(),
387 },
Daniel Borkmanne00c7b22016-11-26 01:28:09 +0100388 .errstr = "invalid func unknown#1234567",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700389 .result = REJECT,
390 },
391 {
392 "uninitialized stack1",
393 .insns = {
394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
396 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
398 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700399 BPF_EXIT_INSN(),
400 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200401 .fixup_map1 = { 2 },
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700402 .errstr = "invalid indirect read from stack",
403 .result = REJECT,
404 },
405 {
406 "uninitialized stack2",
407 .insns = {
408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
410 BPF_EXIT_INSN(),
411 },
412 .errstr = "invalid read from stack",
413 .result = REJECT,
414 },
415 {
Daniel Borkmann728a8532017-04-27 01:39:32 +0200416 "invalid fp arithmetic",
417 /* If this gets ever changed, make sure JITs can deal with it. */
418 .insns = {
419 BPF_MOV64_IMM(BPF_REG_0, 0),
420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
423 BPF_EXIT_INSN(),
424 },
Edward Creef65b1842017-08-07 15:27:12 +0100425 .errstr_unpriv = "R1 subtraction from stack pointer",
Daniel Borkmann728a8532017-04-27 01:39:32 +0200426 .result_unpriv = REJECT,
427 .errstr = "R1 invalid mem access",
428 .result = REJECT,
429 },
430 {
431 "non-invalid fp arithmetic",
432 .insns = {
433 BPF_MOV64_IMM(BPF_REG_0, 0),
434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
435 BPF_EXIT_INSN(),
436 },
437 .result = ACCEPT,
438 },
439 {
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +0200440 "invalid argument register",
441 .insns = {
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
443 BPF_FUNC_get_cgroup_classid),
444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
445 BPF_FUNC_get_cgroup_classid),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +0200446 BPF_EXIT_INSN(),
447 },
448 .errstr = "R1 !read_ok",
449 .result = REJECT,
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
451 },
452 {
453 "non-invalid argument register",
454 .insns = {
455 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
457 BPF_FUNC_get_cgroup_classid),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +0200458 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
460 BPF_FUNC_get_cgroup_classid),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +0200461 BPF_EXIT_INSN(),
462 },
463 .result = ACCEPT,
464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
465 },
466 {
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700467 "check valid spill/fill",
468 .insns = {
469 /* spill R1(ctx) into stack */
470 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700471 /* fill it back into R2 */
472 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700473 /* should be able to access R0 = *(R2 + 8) */
Daniel Borkmannf91fe172015-03-01 12:31:41 +0100474 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700476 BPF_EXIT_INSN(),
477 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700478 .errstr_unpriv = "R0 leaks addr",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700479 .result = ACCEPT,
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700480 .result_unpriv = REJECT,
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700481 },
482 {
Daniel Borkmann3f2050e2016-04-13 00:10:54 +0200483 "check valid spill/fill, skb mark",
484 .insns = {
485 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
489 offsetof(struct __sk_buff, mark)),
490 BPF_EXIT_INSN(),
491 },
492 .result = ACCEPT,
493 .result_unpriv = ACCEPT,
494 },
495 {
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700496 "check corrupted spill/fill",
497 .insns = {
498 /* spill R1(ctx) into stack */
499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700500 /* mess up with R1 pointer on stack */
501 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700502 /* fill back into R0 should fail */
503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700504 BPF_EXIT_INSN(),
505 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700506 .errstr_unpriv = "attempt to corrupt spilled",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700507 .errstr = "corrupted spill",
508 .result = REJECT,
509 },
510 {
511 "invalid src register in STX",
512 .insns = {
513 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
514 BPF_EXIT_INSN(),
515 },
516 .errstr = "R15 is invalid",
517 .result = REJECT,
518 },
519 {
520 "invalid dst register in STX",
521 .insns = {
522 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
523 BPF_EXIT_INSN(),
524 },
525 .errstr = "R14 is invalid",
526 .result = REJECT,
527 },
528 {
529 "invalid dst register in ST",
530 .insns = {
531 BPF_ST_MEM(BPF_B, 14, -1, -1),
532 BPF_EXIT_INSN(),
533 },
534 .errstr = "R14 is invalid",
535 .result = REJECT,
536 },
537 {
538 "invalid src register in LDX",
539 .insns = {
540 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
541 BPF_EXIT_INSN(),
542 },
543 .errstr = "R12 is invalid",
544 .result = REJECT,
545 },
546 {
547 "invalid dst register in LDX",
548 .insns = {
549 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
550 BPF_EXIT_INSN(),
551 },
552 .errstr = "R11 is invalid",
553 .result = REJECT,
554 },
555 {
556 "junk insn",
557 .insns = {
558 BPF_RAW_INSN(0, 0, 0, 0, 0),
559 BPF_EXIT_INSN(),
560 },
561 .errstr = "invalid BPF_LD_IMM",
562 .result = REJECT,
563 },
564 {
565 "junk insn2",
566 .insns = {
567 BPF_RAW_INSN(1, 0, 0, 0, 0),
568 BPF_EXIT_INSN(),
569 },
570 .errstr = "BPF_LDX uses reserved fields",
571 .result = REJECT,
572 },
573 {
574 "junk insn3",
575 .insns = {
576 BPF_RAW_INSN(-1, 0, 0, 0, 0),
577 BPF_EXIT_INSN(),
578 },
579 .errstr = "invalid BPF_ALU opcode f0",
580 .result = REJECT,
581 },
582 {
583 "junk insn4",
584 .insns = {
585 BPF_RAW_INSN(-1, -1, -1, -1, -1),
586 BPF_EXIT_INSN(),
587 },
588 .errstr = "invalid BPF_ALU opcode f0",
589 .result = REJECT,
590 },
591 {
592 "junk insn5",
593 .insns = {
594 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
595 BPF_EXIT_INSN(),
596 },
597 .errstr = "BPF_ALU uses reserved fields",
598 .result = REJECT,
599 },
600 {
601 "misaligned read from stack",
602 .insns = {
603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
604 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
605 BPF_EXIT_INSN(),
606 },
Edward Creef65b1842017-08-07 15:27:12 +0100607 .errstr = "misaligned stack access",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700608 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +0100609 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700610 },
611 {
612 "invalid map_fd for function call",
613 .insns = {
614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
615 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
617 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
619 BPF_FUNC_map_delete_elem),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700620 BPF_EXIT_INSN(),
621 },
622 .errstr = "fd 0 is not pointing to valid bpf_map",
623 .result = REJECT,
624 },
625 {
626 "don't check return value before access",
627 .insns = {
628 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
631 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200632 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
633 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700634 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
635 BPF_EXIT_INSN(),
636 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200637 .fixup_map1 = { 3 },
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700638 .errstr = "R0 invalid mem access 'map_value_or_null'",
639 .result = REJECT,
640 },
641 {
642 "access memory with incorrect alignment",
643 .insns = {
644 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
647 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
649 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
651 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
652 BPF_EXIT_INSN(),
653 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200654 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +0100655 .errstr = "misaligned value access",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700656 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +0100657 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700658 },
659 {
660 "sometimes access memory with incorrect alignment",
661 .insns = {
662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
667 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
669 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
670 BPF_EXIT_INSN(),
671 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
672 BPF_EXIT_INSN(),
673 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200674 .fixup_map1 = { 3 },
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700675 .errstr = "R0 invalid mem access",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700676 .errstr_unpriv = "R0 leaks addr",
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700677 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +0100678 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -0700679 },
Alexei Starovoitovfd10c2e2014-09-29 18:50:02 -0700680 {
681 "jump test 1",
682 .insns = {
683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
684 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
694 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
695 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
696 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
697 BPF_MOV64_IMM(BPF_REG_0, 0),
698 BPF_EXIT_INSN(),
699 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700700 .errstr_unpriv = "R1 pointer comparison",
701 .result_unpriv = REJECT,
Alexei Starovoitovfd10c2e2014-09-29 18:50:02 -0700702 .result = ACCEPT,
703 },
704 {
705 "jump test 2",
706 .insns = {
707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
710 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
713 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
716 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
719 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
722 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
724 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
725 BPF_MOV64_IMM(BPF_REG_0, 0),
726 BPF_EXIT_INSN(),
727 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700728 .errstr_unpriv = "R1 pointer comparison",
729 .result_unpriv = REJECT,
Alexei Starovoitovfd10c2e2014-09-29 18:50:02 -0700730 .result = ACCEPT,
731 },
732 {
733 "jump test 3",
734 .insns = {
735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
739 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
743 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
751 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
755 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
757 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
759 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
761 BPF_FUNC_map_delete_elem),
Alexei Starovoitovfd10c2e2014-09-29 18:50:02 -0700762 BPF_EXIT_INSN(),
763 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200764 .fixup_map1 = { 24 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700765 .errstr_unpriv = "R1 pointer comparison",
766 .result_unpriv = REJECT,
Alexei Starovoitovfd10c2e2014-09-29 18:50:02 -0700767 .result = ACCEPT,
768 },
769 {
770 "jump test 4",
771 .insns = {
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
812 BPF_MOV64_IMM(BPF_REG_0, 0),
813 BPF_EXIT_INSN(),
814 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700815 .errstr_unpriv = "R1 pointer comparison",
816 .result_unpriv = REJECT,
Alexei Starovoitovfd10c2e2014-09-29 18:50:02 -0700817 .result = ACCEPT,
818 },
Alexei Starovoitov342ded42014-10-28 15:11:42 -0700819 {
820 "jump test 5",
821 .insns = {
822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
823 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
824 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
825 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
826 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
828 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
829 BPF_MOV64_IMM(BPF_REG_0, 0),
830 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
831 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
832 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
834 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
835 BPF_MOV64_IMM(BPF_REG_0, 0),
836 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
837 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
838 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
840 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
841 BPF_MOV64_IMM(BPF_REG_0, 0),
842 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
843 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
844 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
846 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
847 BPF_MOV64_IMM(BPF_REG_0, 0),
848 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
849 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
850 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
851 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
852 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
853 BPF_MOV64_IMM(BPF_REG_0, 0),
854 BPF_EXIT_INSN(),
855 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700856 .errstr_unpriv = "R1 pointer comparison",
857 .result_unpriv = REJECT,
Alexei Starovoitov342ded42014-10-28 15:11:42 -0700858 .result = ACCEPT,
859 },
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700860 {
861 "access skb fields ok",
862 .insns = {
863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
864 offsetof(struct __sk_buff, len)),
865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
867 offsetof(struct __sk_buff, mark)),
868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
870 offsetof(struct __sk_buff, pkt_type)),
871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
873 offsetof(struct __sk_buff, queue_mapping)),
874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
Alexei Starovoitovc2497392015-03-16 18:06:02 -0700875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
876 offsetof(struct __sk_buff, protocol)),
877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
879 offsetof(struct __sk_buff, vlan_present)),
880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
882 offsetof(struct __sk_buff, vlan_tci)),
883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
Daniel Borkmannb1d9fc42017-04-19 23:01:17 +0200884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
885 offsetof(struct __sk_buff, napi_id)),
886 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700887 BPF_EXIT_INSN(),
888 },
889 .result = ACCEPT,
890 },
891 {
892 "access skb fields bad1",
893 .insns = {
894 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
895 BPF_EXIT_INSN(),
896 },
897 .errstr = "invalid bpf_context access",
898 .result = REJECT,
899 },
900 {
901 "access skb fields bad2",
902 .insns = {
903 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
904 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
907 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
909 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700910 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
911 BPF_EXIT_INSN(),
912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
913 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
914 offsetof(struct __sk_buff, pkt_type)),
915 BPF_EXIT_INSN(),
916 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200917 .fixup_map1 = { 4 },
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700918 .errstr = "different pointers",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700919 .errstr_unpriv = "R1 pointer comparison",
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700920 .result = REJECT,
921 },
922 {
923 "access skb fields bad3",
924 .insns = {
925 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
926 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
927 offsetof(struct __sk_buff, pkt_type)),
928 BPF_EXIT_INSN(),
929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
932 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
934 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700935 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
936 BPF_EXIT_INSN(),
937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
938 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
939 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200940 .fixup_map1 = { 6 },
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700941 .errstr = "different pointers",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700942 .errstr_unpriv = "R1 pointer comparison",
Alexei Starovoitov614cd3b2015-03-13 11:57:43 -0700943 .result = REJECT,
944 },
Alexei Starovoitov725f9dc2015-04-15 16:19:33 -0700945 {
946 "access skb fields bad4",
947 .insns = {
948 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
949 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
950 offsetof(struct __sk_buff, len)),
951 BPF_MOV64_IMM(BPF_REG_0, 0),
952 BPF_EXIT_INSN(),
953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
956 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
958 BPF_FUNC_map_lookup_elem),
Alexei Starovoitov725f9dc2015-04-15 16:19:33 -0700959 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
960 BPF_EXIT_INSN(),
961 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
962 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
963 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +0200964 .fixup_map1 = { 7 },
Alexei Starovoitov725f9dc2015-04-15 16:19:33 -0700965 .errstr = "different pointers",
Alexei Starovoitovbf508872015-10-07 22:23:23 -0700966 .errstr_unpriv = "R1 pointer comparison",
Alexei Starovoitov725f9dc2015-04-15 16:19:33 -0700967 .result = REJECT,
968 },
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -0700969 {
John Fastabend41bc94f2017-08-15 22:33:56 -0700970 "invalid access __sk_buff family",
971 .insns = {
972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
973 offsetof(struct __sk_buff, family)),
974 BPF_EXIT_INSN(),
975 },
976 .errstr = "invalid bpf_context access",
977 .result = REJECT,
978 },
979 {
980 "invalid access __sk_buff remote_ip4",
981 .insns = {
982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
983 offsetof(struct __sk_buff, remote_ip4)),
984 BPF_EXIT_INSN(),
985 },
986 .errstr = "invalid bpf_context access",
987 .result = REJECT,
988 },
989 {
990 "invalid access __sk_buff local_ip4",
991 .insns = {
992 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
993 offsetof(struct __sk_buff, local_ip4)),
994 BPF_EXIT_INSN(),
995 },
996 .errstr = "invalid bpf_context access",
997 .result = REJECT,
998 },
999 {
1000 "invalid access __sk_buff remote_ip6",
1001 .insns = {
1002 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1003 offsetof(struct __sk_buff, remote_ip6)),
1004 BPF_EXIT_INSN(),
1005 },
1006 .errstr = "invalid bpf_context access",
1007 .result = REJECT,
1008 },
1009 {
1010 "invalid access __sk_buff local_ip6",
1011 .insns = {
1012 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1013 offsetof(struct __sk_buff, local_ip6)),
1014 BPF_EXIT_INSN(),
1015 },
1016 .errstr = "invalid bpf_context access",
1017 .result = REJECT,
1018 },
1019 {
1020 "invalid access __sk_buff remote_port",
1021 .insns = {
1022 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1023 offsetof(struct __sk_buff, remote_port)),
1024 BPF_EXIT_INSN(),
1025 },
1026 .errstr = "invalid bpf_context access",
1027 .result = REJECT,
1028 },
1029 {
1030 "invalid access __sk_buff remote_port",
1031 .insns = {
1032 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1033 offsetof(struct __sk_buff, local_port)),
1034 BPF_EXIT_INSN(),
1035 },
1036 .errstr = "invalid bpf_context access",
1037 .result = REJECT,
1038 },
1039 {
1040 "valid access __sk_buff family",
1041 .insns = {
1042 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1043 offsetof(struct __sk_buff, family)),
1044 BPF_EXIT_INSN(),
1045 },
1046 .result = ACCEPT,
1047 .prog_type = BPF_PROG_TYPE_SK_SKB,
1048 },
1049 {
1050 "valid access __sk_buff remote_ip4",
1051 .insns = {
1052 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1053 offsetof(struct __sk_buff, remote_ip4)),
1054 BPF_EXIT_INSN(),
1055 },
1056 .result = ACCEPT,
1057 .prog_type = BPF_PROG_TYPE_SK_SKB,
1058 },
1059 {
1060 "valid access __sk_buff local_ip4",
1061 .insns = {
1062 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1063 offsetof(struct __sk_buff, local_ip4)),
1064 BPF_EXIT_INSN(),
1065 },
1066 .result = ACCEPT,
1067 .prog_type = BPF_PROG_TYPE_SK_SKB,
1068 },
1069 {
1070 "valid access __sk_buff remote_ip6",
1071 .insns = {
1072 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1073 offsetof(struct __sk_buff, remote_ip6[0])),
1074 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1075 offsetof(struct __sk_buff, remote_ip6[1])),
1076 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1077 offsetof(struct __sk_buff, remote_ip6[2])),
1078 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1079 offsetof(struct __sk_buff, remote_ip6[3])),
1080 BPF_EXIT_INSN(),
1081 },
1082 .result = ACCEPT,
1083 .prog_type = BPF_PROG_TYPE_SK_SKB,
1084 },
1085 {
1086 "valid access __sk_buff local_ip6",
1087 .insns = {
1088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1089 offsetof(struct __sk_buff, local_ip6[0])),
1090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1091 offsetof(struct __sk_buff, local_ip6[1])),
1092 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1093 offsetof(struct __sk_buff, local_ip6[2])),
1094 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1095 offsetof(struct __sk_buff, local_ip6[3])),
1096 BPF_EXIT_INSN(),
1097 },
1098 .result = ACCEPT,
1099 .prog_type = BPF_PROG_TYPE_SK_SKB,
1100 },
1101 {
1102 "valid access __sk_buff remote_port",
1103 .insns = {
1104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1105 offsetof(struct __sk_buff, remote_port)),
1106 BPF_EXIT_INSN(),
1107 },
1108 .result = ACCEPT,
1109 .prog_type = BPF_PROG_TYPE_SK_SKB,
1110 },
1111 {
1112 "valid access __sk_buff remote_port",
1113 .insns = {
1114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1115 offsetof(struct __sk_buff, local_port)),
1116 BPF_EXIT_INSN(),
1117 },
1118 .result = ACCEPT,
1119 .prog_type = BPF_PROG_TYPE_SK_SKB,
1120 },
1121 {
John Fastabended850542017-08-28 07:11:24 -07001122 "invalid access of tc_classid for SK_SKB",
1123 .insns = {
1124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1125 offsetof(struct __sk_buff, tc_classid)),
1126 BPF_EXIT_INSN(),
1127 },
1128 .result = REJECT,
1129 .prog_type = BPF_PROG_TYPE_SK_SKB,
1130 .errstr = "invalid bpf_context access",
1131 },
1132 {
John Fastabendf7e9cb12017-10-18 07:10:58 -07001133 "invalid access of skb->mark for SK_SKB",
1134 .insns = {
1135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1136 offsetof(struct __sk_buff, mark)),
1137 BPF_EXIT_INSN(),
1138 },
1139 .result = REJECT,
1140 .prog_type = BPF_PROG_TYPE_SK_SKB,
1141 .errstr = "invalid bpf_context access",
1142 },
1143 {
1144 "check skb->mark is not writeable by SK_SKB",
John Fastabended850542017-08-28 07:11:24 -07001145 .insns = {
1146 BPF_MOV64_IMM(BPF_REG_0, 0),
1147 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1148 offsetof(struct __sk_buff, mark)),
1149 BPF_EXIT_INSN(),
1150 },
John Fastabendf7e9cb12017-10-18 07:10:58 -07001151 .result = REJECT,
John Fastabended850542017-08-28 07:11:24 -07001152 .prog_type = BPF_PROG_TYPE_SK_SKB,
John Fastabendf7e9cb12017-10-18 07:10:58 -07001153 .errstr = "invalid bpf_context access",
John Fastabended850542017-08-28 07:11:24 -07001154 },
1155 {
1156 "check skb->tc_index is writeable by SK_SKB",
1157 .insns = {
1158 BPF_MOV64_IMM(BPF_REG_0, 0),
1159 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1160 offsetof(struct __sk_buff, tc_index)),
1161 BPF_EXIT_INSN(),
1162 },
1163 .result = ACCEPT,
1164 .prog_type = BPF_PROG_TYPE_SK_SKB,
1165 },
1166 {
1167 "check skb->priority is writeable by SK_SKB",
1168 .insns = {
1169 BPF_MOV64_IMM(BPF_REG_0, 0),
1170 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1171 offsetof(struct __sk_buff, priority)),
1172 BPF_EXIT_INSN(),
1173 },
1174 .result = ACCEPT,
1175 .prog_type = BPF_PROG_TYPE_SK_SKB,
1176 },
1177 {
1178 "direct packet read for SK_SKB",
1179 .insns = {
1180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1181 offsetof(struct __sk_buff, data)),
1182 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1183 offsetof(struct __sk_buff, data_end)),
1184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1188 BPF_MOV64_IMM(BPF_REG_0, 0),
1189 BPF_EXIT_INSN(),
1190 },
1191 .result = ACCEPT,
1192 .prog_type = BPF_PROG_TYPE_SK_SKB,
1193 },
1194 {
1195 "direct packet write for SK_SKB",
1196 .insns = {
1197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1198 offsetof(struct __sk_buff, data)),
1199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1200 offsetof(struct __sk_buff, data_end)),
1201 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1203 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1204 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1206 BPF_EXIT_INSN(),
1207 },
1208 .result = ACCEPT,
1209 .prog_type = BPF_PROG_TYPE_SK_SKB,
1210 },
1211 {
1212 "overlapping checks for direct packet access SK_SKB",
1213 .insns = {
1214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1215 offsetof(struct __sk_buff, data)),
1216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1217 offsetof(struct __sk_buff, data_end)),
1218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1220 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1223 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1225 BPF_MOV64_IMM(BPF_REG_0, 0),
1226 BPF_EXIT_INSN(),
1227 },
1228 .result = ACCEPT,
1229 .prog_type = BPF_PROG_TYPE_SK_SKB,
1230 },
1231 {
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001232 "check skb->mark is not writeable by sockets",
1233 .insns = {
1234 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1235 offsetof(struct __sk_buff, mark)),
1236 BPF_EXIT_INSN(),
1237 },
1238 .errstr = "invalid bpf_context access",
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001239 .errstr_unpriv = "R1 leaks addr",
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001240 .result = REJECT,
1241 },
1242 {
1243 "check skb->tc_index is not writeable by sockets",
1244 .insns = {
1245 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1246 offsetof(struct __sk_buff, tc_index)),
1247 BPF_EXIT_INSN(),
1248 },
1249 .errstr = "invalid bpf_context access",
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001250 .errstr_unpriv = "R1 leaks addr",
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001251 .result = REJECT,
1252 },
1253 {
Daniel Borkmann62c79892017-01-12 11:51:33 +01001254 "check cb access: byte",
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001255 .insns = {
Daniel Borkmann62c79892017-01-12 11:51:33 +01001256 BPF_MOV64_IMM(BPF_REG_0, 0),
1257 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1258 offsetof(struct __sk_buff, cb[0])),
1259 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1260 offsetof(struct __sk_buff, cb[0]) + 1),
1261 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1262 offsetof(struct __sk_buff, cb[0]) + 2),
1263 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1264 offsetof(struct __sk_buff, cb[0]) + 3),
1265 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1266 offsetof(struct __sk_buff, cb[1])),
1267 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1268 offsetof(struct __sk_buff, cb[1]) + 1),
1269 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1270 offsetof(struct __sk_buff, cb[1]) + 2),
1271 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1272 offsetof(struct __sk_buff, cb[1]) + 3),
1273 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1274 offsetof(struct __sk_buff, cb[2])),
1275 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1276 offsetof(struct __sk_buff, cb[2]) + 1),
1277 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1278 offsetof(struct __sk_buff, cb[2]) + 2),
1279 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1280 offsetof(struct __sk_buff, cb[2]) + 3),
1281 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1282 offsetof(struct __sk_buff, cb[3])),
1283 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1284 offsetof(struct __sk_buff, cb[3]) + 1),
1285 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1286 offsetof(struct __sk_buff, cb[3]) + 2),
1287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1288 offsetof(struct __sk_buff, cb[3]) + 3),
1289 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1290 offsetof(struct __sk_buff, cb[4])),
1291 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1292 offsetof(struct __sk_buff, cb[4]) + 1),
1293 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1294 offsetof(struct __sk_buff, cb[4]) + 2),
1295 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1296 offsetof(struct __sk_buff, cb[4]) + 3),
1297 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1298 offsetof(struct __sk_buff, cb[0])),
1299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1300 offsetof(struct __sk_buff, cb[0]) + 1),
1301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1302 offsetof(struct __sk_buff, cb[0]) + 2),
1303 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1304 offsetof(struct __sk_buff, cb[0]) + 3),
1305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1306 offsetof(struct __sk_buff, cb[1])),
1307 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1308 offsetof(struct __sk_buff, cb[1]) + 1),
1309 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1310 offsetof(struct __sk_buff, cb[1]) + 2),
1311 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1312 offsetof(struct __sk_buff, cb[1]) + 3),
1313 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1314 offsetof(struct __sk_buff, cb[2])),
1315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1316 offsetof(struct __sk_buff, cb[2]) + 1),
1317 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1318 offsetof(struct __sk_buff, cb[2]) + 2),
1319 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1320 offsetof(struct __sk_buff, cb[2]) + 3),
1321 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1322 offsetof(struct __sk_buff, cb[3])),
1323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, cb[3]) + 1),
1325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1326 offsetof(struct __sk_buff, cb[3]) + 2),
1327 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1328 offsetof(struct __sk_buff, cb[3]) + 3),
1329 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, cb[4])),
1331 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1332 offsetof(struct __sk_buff, cb[4]) + 1),
1333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1334 offsetof(struct __sk_buff, cb[4]) + 2),
1335 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, cb[4]) + 3),
1337 BPF_EXIT_INSN(),
1338 },
1339 .result = ACCEPT,
1340 },
1341 {
Yonghong Song31fd8582017-06-13 15:52:13 -07001342 "__sk_buff->hash, offset 0, byte store not permitted",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001343 .insns = {
1344 BPF_MOV64_IMM(BPF_REG_0, 0),
1345 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
Yonghong Song31fd8582017-06-13 15:52:13 -07001346 offsetof(struct __sk_buff, hash)),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001347 BPF_EXIT_INSN(),
1348 },
1349 .errstr = "invalid bpf_context access",
1350 .result = REJECT,
1351 },
1352 {
Yonghong Song31fd8582017-06-13 15:52:13 -07001353 "__sk_buff->tc_index, offset 3, byte store not permitted",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001354 .insns = {
1355 BPF_MOV64_IMM(BPF_REG_0, 0),
1356 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
Yonghong Song31fd8582017-06-13 15:52:13 -07001357 offsetof(struct __sk_buff, tc_index) + 3),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001358 BPF_EXIT_INSN(),
1359 },
1360 .errstr = "invalid bpf_context access",
1361 .result = REJECT,
1362 },
1363 {
Yonghong Song18f3d6b2017-06-13 15:52:14 -07001364 "check skb->hash byte load permitted",
1365 .insns = {
1366 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02001367#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07001368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, hash)),
1370#else
1371 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1372 offsetof(struct __sk_buff, hash) + 3),
1373#endif
1374 BPF_EXIT_INSN(),
1375 },
1376 .result = ACCEPT,
1377 },
1378 {
1379 "check skb->hash byte load not permitted 1",
1380 .insns = {
1381 BPF_MOV64_IMM(BPF_REG_0, 0),
1382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1383 offsetof(struct __sk_buff, hash) + 1),
1384 BPF_EXIT_INSN(),
1385 },
1386 .errstr = "invalid bpf_context access",
1387 .result = REJECT,
1388 },
1389 {
1390 "check skb->hash byte load not permitted 2",
1391 .insns = {
1392 BPF_MOV64_IMM(BPF_REG_0, 0),
1393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1394 offsetof(struct __sk_buff, hash) + 2),
1395 BPF_EXIT_INSN(),
1396 },
1397 .errstr = "invalid bpf_context access",
1398 .result = REJECT,
1399 },
1400 {
1401 "check skb->hash byte load not permitted 3",
1402 .insns = {
1403 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02001404#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07001405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, hash) + 3),
1407#else
1408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1409 offsetof(struct __sk_buff, hash)),
1410#endif
1411 BPF_EXIT_INSN(),
1412 },
1413 .errstr = "invalid bpf_context access",
1414 .result = REJECT,
1415 },
1416 {
Daniel Borkmann62c79892017-01-12 11:51:33 +01001417 "check cb access: byte, wrong type",
1418 .insns = {
1419 BPF_MOV64_IMM(BPF_REG_0, 0),
1420 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001421 offsetof(struct __sk_buff, cb[0])),
1422 BPF_EXIT_INSN(),
1423 },
1424 .errstr = "invalid bpf_context access",
1425 .result = REJECT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001426 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1427 },
1428 {
1429 "check cb access: half",
1430 .insns = {
1431 BPF_MOV64_IMM(BPF_REG_0, 0),
1432 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1433 offsetof(struct __sk_buff, cb[0])),
1434 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1435 offsetof(struct __sk_buff, cb[0]) + 2),
1436 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1437 offsetof(struct __sk_buff, cb[1])),
1438 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1439 offsetof(struct __sk_buff, cb[1]) + 2),
1440 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1441 offsetof(struct __sk_buff, cb[2])),
1442 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1443 offsetof(struct __sk_buff, cb[2]) + 2),
1444 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1445 offsetof(struct __sk_buff, cb[3])),
1446 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1447 offsetof(struct __sk_buff, cb[3]) + 2),
1448 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1449 offsetof(struct __sk_buff, cb[4])),
1450 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1451 offsetof(struct __sk_buff, cb[4]) + 2),
1452 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1453 offsetof(struct __sk_buff, cb[0])),
1454 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1455 offsetof(struct __sk_buff, cb[0]) + 2),
1456 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1457 offsetof(struct __sk_buff, cb[1])),
1458 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1459 offsetof(struct __sk_buff, cb[1]) + 2),
1460 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1461 offsetof(struct __sk_buff, cb[2])),
1462 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1463 offsetof(struct __sk_buff, cb[2]) + 2),
1464 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1465 offsetof(struct __sk_buff, cb[3])),
1466 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1467 offsetof(struct __sk_buff, cb[3]) + 2),
1468 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1469 offsetof(struct __sk_buff, cb[4])),
1470 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1471 offsetof(struct __sk_buff, cb[4]) + 2),
1472 BPF_EXIT_INSN(),
1473 },
1474 .result = ACCEPT,
1475 },
1476 {
1477 "check cb access: half, unaligned",
1478 .insns = {
1479 BPF_MOV64_IMM(BPF_REG_0, 0),
1480 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1481 offsetof(struct __sk_buff, cb[0]) + 1),
1482 BPF_EXIT_INSN(),
1483 },
Edward Creef65b1842017-08-07 15:27:12 +01001484 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001485 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001486 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001487 },
1488 {
Yonghong Song31fd8582017-06-13 15:52:13 -07001489 "check __sk_buff->hash, offset 0, half store not permitted",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001490 .insns = {
1491 BPF_MOV64_IMM(BPF_REG_0, 0),
1492 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
Yonghong Song31fd8582017-06-13 15:52:13 -07001493 offsetof(struct __sk_buff, hash)),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001494 BPF_EXIT_INSN(),
1495 },
1496 .errstr = "invalid bpf_context access",
1497 .result = REJECT,
1498 },
1499 {
Yonghong Song31fd8582017-06-13 15:52:13 -07001500 "check __sk_buff->tc_index, offset 2, half store not permitted",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001501 .insns = {
1502 BPF_MOV64_IMM(BPF_REG_0, 0),
1503 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
Yonghong Song31fd8582017-06-13 15:52:13 -07001504 offsetof(struct __sk_buff, tc_index) + 2),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001505 BPF_EXIT_INSN(),
1506 },
1507 .errstr = "invalid bpf_context access",
1508 .result = REJECT,
1509 },
1510 {
Yonghong Song18f3d6b2017-06-13 15:52:14 -07001511 "check skb->hash half load permitted",
1512 .insns = {
1513 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02001514#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07001515 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1516 offsetof(struct __sk_buff, hash)),
1517#else
1518 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1519 offsetof(struct __sk_buff, hash) + 2),
1520#endif
1521 BPF_EXIT_INSN(),
1522 },
1523 .result = ACCEPT,
1524 },
1525 {
1526 "check skb->hash half load not permitted",
1527 .insns = {
1528 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02001529#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07001530 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1531 offsetof(struct __sk_buff, hash) + 2),
1532#else
1533 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, hash)),
1535#endif
1536 BPF_EXIT_INSN(),
1537 },
1538 .errstr = "invalid bpf_context access",
1539 .result = REJECT,
1540 },
1541 {
Daniel Borkmann62c79892017-01-12 11:51:33 +01001542 "check cb access: half, wrong type",
1543 .insns = {
1544 BPF_MOV64_IMM(BPF_REG_0, 0),
1545 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1546 offsetof(struct __sk_buff, cb[0])),
1547 BPF_EXIT_INSN(),
1548 },
1549 .errstr = "invalid bpf_context access",
1550 .result = REJECT,
1551 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1552 },
1553 {
1554 "check cb access: word",
1555 .insns = {
1556 BPF_MOV64_IMM(BPF_REG_0, 0),
1557 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1558 offsetof(struct __sk_buff, cb[0])),
1559 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1560 offsetof(struct __sk_buff, cb[1])),
1561 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1562 offsetof(struct __sk_buff, cb[2])),
1563 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1564 offsetof(struct __sk_buff, cb[3])),
1565 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1566 offsetof(struct __sk_buff, cb[4])),
1567 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1568 offsetof(struct __sk_buff, cb[0])),
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, cb[1])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, cb[2])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, cb[3])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, cb[4])),
1577 BPF_EXIT_INSN(),
1578 },
1579 .result = ACCEPT,
1580 },
1581 {
1582 "check cb access: word, unaligned 1",
1583 .insns = {
1584 BPF_MOV64_IMM(BPF_REG_0, 0),
1585 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1586 offsetof(struct __sk_buff, cb[0]) + 2),
1587 BPF_EXIT_INSN(),
1588 },
Edward Creef65b1842017-08-07 15:27:12 +01001589 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001590 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001591 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001592 },
1593 {
1594 "check cb access: word, unaligned 2",
1595 .insns = {
1596 BPF_MOV64_IMM(BPF_REG_0, 0),
1597 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1598 offsetof(struct __sk_buff, cb[4]) + 1),
1599 BPF_EXIT_INSN(),
1600 },
Edward Creef65b1842017-08-07 15:27:12 +01001601 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001602 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001603 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001604 },
1605 {
1606 "check cb access: word, unaligned 3",
1607 .insns = {
1608 BPF_MOV64_IMM(BPF_REG_0, 0),
1609 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1610 offsetof(struct __sk_buff, cb[4]) + 2),
1611 BPF_EXIT_INSN(),
1612 },
Edward Creef65b1842017-08-07 15:27:12 +01001613 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001614 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001615 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001616 },
1617 {
1618 "check cb access: word, unaligned 4",
1619 .insns = {
1620 BPF_MOV64_IMM(BPF_REG_0, 0),
1621 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1622 offsetof(struct __sk_buff, cb[4]) + 3),
1623 BPF_EXIT_INSN(),
1624 },
Edward Creef65b1842017-08-07 15:27:12 +01001625 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001626 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001627 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001628 },
1629 {
1630 "check cb access: double",
1631 .insns = {
1632 BPF_MOV64_IMM(BPF_REG_0, 0),
1633 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1634 offsetof(struct __sk_buff, cb[0])),
1635 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1636 offsetof(struct __sk_buff, cb[2])),
1637 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1638 offsetof(struct __sk_buff, cb[0])),
1639 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1640 offsetof(struct __sk_buff, cb[2])),
1641 BPF_EXIT_INSN(),
1642 },
1643 .result = ACCEPT,
1644 },
1645 {
1646 "check cb access: double, unaligned 1",
1647 .insns = {
1648 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1650 offsetof(struct __sk_buff, cb[1])),
1651 BPF_EXIT_INSN(),
1652 },
Edward Creef65b1842017-08-07 15:27:12 +01001653 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001654 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001655 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001656 },
1657 {
1658 "check cb access: double, unaligned 2",
1659 .insns = {
1660 BPF_MOV64_IMM(BPF_REG_0, 0),
1661 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1662 offsetof(struct __sk_buff, cb[3])),
1663 BPF_EXIT_INSN(),
1664 },
Edward Creef65b1842017-08-07 15:27:12 +01001665 .errstr = "misaligned context access",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001666 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001667 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmann62c79892017-01-12 11:51:33 +01001668 },
1669 {
1670 "check cb access: double, oob 1",
1671 .insns = {
1672 BPF_MOV64_IMM(BPF_REG_0, 0),
1673 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1674 offsetof(struct __sk_buff, cb[4])),
1675 BPF_EXIT_INSN(),
1676 },
1677 .errstr = "invalid bpf_context access",
1678 .result = REJECT,
1679 },
1680 {
1681 "check cb access: double, oob 2",
1682 .insns = {
1683 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001684 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1685 offsetof(struct __sk_buff, cb[4])),
1686 BPF_EXIT_INSN(),
1687 },
1688 .errstr = "invalid bpf_context access",
1689 .result = REJECT,
1690 },
1691 {
Yonghong Song31fd8582017-06-13 15:52:13 -07001692 "check __sk_buff->ifindex dw store not permitted",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001693 .insns = {
1694 BPF_MOV64_IMM(BPF_REG_0, 0),
Yonghong Song31fd8582017-06-13 15:52:13 -07001695 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1696 offsetof(struct __sk_buff, ifindex)),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001697 BPF_EXIT_INSN(),
1698 },
1699 .errstr = "invalid bpf_context access",
1700 .result = REJECT,
1701 },
1702 {
Yonghong Song31fd8582017-06-13 15:52:13 -07001703 "check __sk_buff->ifindex dw load not permitted",
Daniel Borkmann62c79892017-01-12 11:51:33 +01001704 .insns = {
1705 BPF_MOV64_IMM(BPF_REG_0, 0),
1706 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
Yonghong Song31fd8582017-06-13 15:52:13 -07001707 offsetof(struct __sk_buff, ifindex)),
Daniel Borkmann62c79892017-01-12 11:51:33 +01001708 BPF_EXIT_INSN(),
1709 },
1710 .errstr = "invalid bpf_context access",
1711 .result = REJECT,
1712 },
1713 {
1714 "check cb access: double, wrong type",
1715 .insns = {
1716 BPF_MOV64_IMM(BPF_REG_0, 0),
1717 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1718 offsetof(struct __sk_buff, cb[0])),
1719 BPF_EXIT_INSN(),
1720 },
1721 .errstr = "invalid bpf_context access",
1722 .result = REJECT,
1723 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001724 },
1725 {
1726 "check out of range skb->cb access",
1727 .insns = {
1728 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001729 offsetof(struct __sk_buff, cb[0]) + 256),
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001730 BPF_EXIT_INSN(),
1731 },
1732 .errstr = "invalid bpf_context access",
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001733 .errstr_unpriv = "",
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001734 .result = REJECT,
1735 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1736 },
1737 {
1738 "write skb fields from socket prog",
1739 .insns = {
1740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1741 offsetof(struct __sk_buff, cb[4])),
1742 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct __sk_buff, mark)),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct __sk_buff, tc_index)),
1747 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1748 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1749 offsetof(struct __sk_buff, cb[0])),
1750 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1751 offsetof(struct __sk_buff, cb[2])),
1752 BPF_EXIT_INSN(),
1753 },
1754 .result = ACCEPT,
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001755 .errstr_unpriv = "R1 leaks addr",
1756 .result_unpriv = REJECT,
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001757 },
1758 {
1759 "write skb fields from tc_cls_act prog",
1760 .insns = {
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct __sk_buff, cb[0])),
1763 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1764 offsetof(struct __sk_buff, mark)),
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct __sk_buff, tc_index)),
1767 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1768 offsetof(struct __sk_buff, tc_index)),
1769 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1770 offsetof(struct __sk_buff, cb[3])),
1771 BPF_EXIT_INSN(),
1772 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001773 .errstr_unpriv = "",
1774 .result_unpriv = REJECT,
Alexei Starovoitovd691f9e2015-06-04 10:11:54 -07001775 .result = ACCEPT,
1776 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1777 },
Alex Gartrell24b4d2a2015-07-23 14:24:40 -07001778 {
1779 "PTR_TO_STACK store/load",
1780 .insns = {
1781 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1783 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1784 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1785 BPF_EXIT_INSN(),
1786 },
1787 .result = ACCEPT,
1788 },
1789 {
1790 "PTR_TO_STACK store/load - bad alignment on off",
1791 .insns = {
1792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1794 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1795 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1796 BPF_EXIT_INSN(),
1797 },
1798 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001799 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
1800 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Alex Gartrell24b4d2a2015-07-23 14:24:40 -07001801 },
1802 {
1803 "PTR_TO_STACK store/load - bad alignment on reg",
1804 .insns = {
1805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1807 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1809 BPF_EXIT_INSN(),
1810 },
1811 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001812 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
1813 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
Alex Gartrell24b4d2a2015-07-23 14:24:40 -07001814 },
1815 {
1816 "PTR_TO_STACK store/load - out of bounds low",
1817 .insns = {
1818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1820 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1821 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1822 BPF_EXIT_INSN(),
1823 },
1824 .result = REJECT,
1825 .errstr = "invalid stack off=-79992 size=8",
1826 },
1827 {
1828 "PTR_TO_STACK store/load - out of bounds high",
1829 .insns = {
1830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1832 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1833 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1834 BPF_EXIT_INSN(),
1835 },
1836 .result = REJECT,
1837 .errstr = "invalid stack off=0 size=8",
1838 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001839 {
1840 "unpriv: return pointer",
1841 .insns = {
1842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1843 BPF_EXIT_INSN(),
1844 },
1845 .result = ACCEPT,
1846 .result_unpriv = REJECT,
1847 .errstr_unpriv = "R0 leaks addr",
1848 },
1849 {
1850 "unpriv: add const to pointer",
1851 .insns = {
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1853 BPF_MOV64_IMM(BPF_REG_0, 0),
1854 BPF_EXIT_INSN(),
1855 },
1856 .result = ACCEPT,
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001857 },
1858 {
1859 "unpriv: add pointer to pointer",
1860 .insns = {
1861 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1862 BPF_MOV64_IMM(BPF_REG_0, 0),
1863 BPF_EXIT_INSN(),
1864 },
1865 .result = ACCEPT,
1866 .result_unpriv = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01001867 .errstr_unpriv = "R1 pointer += pointer",
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001868 },
1869 {
1870 "unpriv: neg pointer",
1871 .insns = {
1872 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1873 BPF_MOV64_IMM(BPF_REG_0, 0),
1874 BPF_EXIT_INSN(),
1875 },
1876 .result = ACCEPT,
1877 .result_unpriv = REJECT,
1878 .errstr_unpriv = "R1 pointer arithmetic",
1879 },
1880 {
1881 "unpriv: cmp pointer with const",
1882 .insns = {
1883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1884 BPF_MOV64_IMM(BPF_REG_0, 0),
1885 BPF_EXIT_INSN(),
1886 },
1887 .result = ACCEPT,
1888 .result_unpriv = REJECT,
1889 .errstr_unpriv = "R1 pointer comparison",
1890 },
1891 {
1892 "unpriv: cmp pointer with pointer",
1893 .insns = {
1894 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1895 BPF_MOV64_IMM(BPF_REG_0, 0),
1896 BPF_EXIT_INSN(),
1897 },
1898 .result = ACCEPT,
1899 .result_unpriv = REJECT,
1900 .errstr_unpriv = "R10 pointer comparison",
1901 },
1902 {
1903 "unpriv: check that printk is disallowed",
1904 .insns = {
1905 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1908 BPF_MOV64_IMM(BPF_REG_2, 8),
1909 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02001910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1911 BPF_FUNC_trace_printk),
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001912 BPF_MOV64_IMM(BPF_REG_0, 0),
1913 BPF_EXIT_INSN(),
1914 },
Daniel Borkmann0eb69842016-12-15 01:39:10 +01001915 .errstr_unpriv = "unknown func bpf_trace_printk#6",
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001916 .result_unpriv = REJECT,
1917 .result = ACCEPT,
1918 },
1919 {
1920 "unpriv: pass pointer to helper function",
1921 .insns = {
1922 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1925 BPF_LD_MAP_FD(BPF_REG_1, 0),
1926 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1927 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02001928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1929 BPF_FUNC_map_update_elem),
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001930 BPF_MOV64_IMM(BPF_REG_0, 0),
1931 BPF_EXIT_INSN(),
1932 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02001933 .fixup_map1 = { 3 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001934 .errstr_unpriv = "R4 leaks addr",
1935 .result_unpriv = REJECT,
1936 .result = ACCEPT,
1937 },
1938 {
1939 "unpriv: indirectly pass pointer on stack to helper function",
1940 .insns = {
1941 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1944 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02001945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1946 BPF_FUNC_map_lookup_elem),
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001947 BPF_MOV64_IMM(BPF_REG_0, 0),
1948 BPF_EXIT_INSN(),
1949 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02001950 .fixup_map1 = { 3 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07001951 .errstr = "invalid indirect read from stack off -8+0 size 8",
1952 .result = REJECT,
1953 },
1954 {
1955 "unpriv: mangle pointer on stack 1",
1956 .insns = {
1957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1958 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1959 BPF_MOV64_IMM(BPF_REG_0, 0),
1960 BPF_EXIT_INSN(),
1961 },
1962 .errstr_unpriv = "attempt to corrupt spilled",
1963 .result_unpriv = REJECT,
1964 .result = ACCEPT,
1965 },
1966 {
1967 "unpriv: mangle pointer on stack 2",
1968 .insns = {
1969 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1970 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1971 BPF_MOV64_IMM(BPF_REG_0, 0),
1972 BPF_EXIT_INSN(),
1973 },
1974 .errstr_unpriv = "attempt to corrupt spilled",
1975 .result_unpriv = REJECT,
1976 .result = ACCEPT,
1977 },
1978 {
1979 "unpriv: read pointer from stack in small chunks",
1980 .insns = {
1981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1983 BPF_MOV64_IMM(BPF_REG_0, 0),
1984 BPF_EXIT_INSN(),
1985 },
1986 .errstr = "invalid size",
1987 .result = REJECT,
1988 },
1989 {
1990 "unpriv: write pointer into ctx",
1991 .insns = {
1992 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1993 BPF_MOV64_IMM(BPF_REG_0, 0),
1994 BPF_EXIT_INSN(),
1995 },
1996 .errstr_unpriv = "R1 leaks addr",
1997 .result_unpriv = REJECT,
1998 .errstr = "invalid bpf_context access",
1999 .result = REJECT,
2000 },
2001 {
Daniel Borkmann1a776b92016-10-17 14:28:35 +02002002 "unpriv: spill/fill of ctx",
2003 .insns = {
2004 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2006 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2007 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2008 BPF_MOV64_IMM(BPF_REG_0, 0),
2009 BPF_EXIT_INSN(),
2010 },
2011 .result = ACCEPT,
2012 },
2013 {
2014 "unpriv: spill/fill of ctx 2",
2015 .insns = {
2016 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2018 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2019 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2021 BPF_FUNC_get_hash_recalc),
Daniel Borkmann1a776b92016-10-17 14:28:35 +02002022 BPF_EXIT_INSN(),
2023 },
2024 .result = ACCEPT,
2025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2026 },
2027 {
2028 "unpriv: spill/fill of ctx 3",
2029 .insns = {
2030 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2032 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2033 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2034 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2036 BPF_FUNC_get_hash_recalc),
Daniel Borkmann1a776b92016-10-17 14:28:35 +02002037 BPF_EXIT_INSN(),
2038 },
2039 .result = REJECT,
2040 .errstr = "R1 type=fp expected=ctx",
2041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2042 },
2043 {
2044 "unpriv: spill/fill of ctx 4",
2045 .insns = {
2046 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2048 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2049 BPF_MOV64_IMM(BPF_REG_0, 1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002050 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2051 BPF_REG_0, -8, 0),
Daniel Borkmann1a776b92016-10-17 14:28:35 +02002052 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002053 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2054 BPF_FUNC_get_hash_recalc),
Daniel Borkmann1a776b92016-10-17 14:28:35 +02002055 BPF_EXIT_INSN(),
2056 },
2057 .result = REJECT,
2058 .errstr = "R1 type=inv expected=ctx",
2059 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2060 },
2061 {
2062 "unpriv: spill/fill of different pointers stx",
2063 .insns = {
2064 BPF_MOV64_IMM(BPF_REG_3, 42),
2065 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2070 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2071 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2072 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2073 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2074 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2075 offsetof(struct __sk_buff, mark)),
2076 BPF_MOV64_IMM(BPF_REG_0, 0),
2077 BPF_EXIT_INSN(),
2078 },
2079 .result = REJECT,
2080 .errstr = "same insn cannot be used with different pointers",
2081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2082 },
2083 {
2084 "unpriv: spill/fill of different pointers ldx",
2085 .insns = {
2086 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2091 -(__s32)offsetof(struct bpf_perf_event_data,
2092 sample_period) - 8),
2093 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2094 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2095 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2096 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2097 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2098 offsetof(struct bpf_perf_event_data,
2099 sample_period)),
2100 BPF_MOV64_IMM(BPF_REG_0, 0),
2101 BPF_EXIT_INSN(),
2102 },
2103 .result = REJECT,
2104 .errstr = "same insn cannot be used with different pointers",
2105 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2106 },
2107 {
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002108 "unpriv: write pointer into map elem value",
2109 .insns = {
2110 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2111 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2113 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2115 BPF_FUNC_map_lookup_elem),
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002116 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2117 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2118 BPF_EXIT_INSN(),
2119 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002120 .fixup_map1 = { 3 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002121 .errstr_unpriv = "R0 leaks addr",
2122 .result_unpriv = REJECT,
2123 .result = ACCEPT,
2124 },
2125 {
2126 "unpriv: partial copy of pointer",
2127 .insns = {
2128 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_EXIT_INSN(),
2131 },
2132 .errstr_unpriv = "R10 partial copy",
2133 .result_unpriv = REJECT,
2134 .result = ACCEPT,
2135 },
2136 {
2137 "unpriv: pass pointer to tail_call",
2138 .insns = {
2139 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2140 BPF_LD_MAP_FD(BPF_REG_2, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2142 BPF_FUNC_tail_call),
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002143 BPF_MOV64_IMM(BPF_REG_0, 0),
2144 BPF_EXIT_INSN(),
2145 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002146 .fixup_prog = { 1 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002147 .errstr_unpriv = "R3 leaks addr into helper",
2148 .result_unpriv = REJECT,
2149 .result = ACCEPT,
2150 },
2151 {
2152 "unpriv: cmp map pointer with zero",
2153 .insns = {
2154 BPF_MOV64_IMM(BPF_REG_1, 0),
2155 BPF_LD_MAP_FD(BPF_REG_1, 0),
2156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2157 BPF_MOV64_IMM(BPF_REG_0, 0),
2158 BPF_EXIT_INSN(),
2159 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002160 .fixup_map1 = { 1 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002161 .errstr_unpriv = "R1 pointer comparison",
2162 .result_unpriv = REJECT,
2163 .result = ACCEPT,
2164 },
2165 {
2166 "unpriv: write into frame pointer",
2167 .insns = {
2168 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2169 BPF_MOV64_IMM(BPF_REG_0, 0),
2170 BPF_EXIT_INSN(),
2171 },
2172 .errstr = "frame pointer is read only",
2173 .result = REJECT,
2174 },
2175 {
Daniel Borkmann1a776b92016-10-17 14:28:35 +02002176 "unpriv: spill/fill frame pointer",
2177 .insns = {
2178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2180 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2181 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2183 BPF_EXIT_INSN(),
2184 },
2185 .errstr = "frame pointer is read only",
2186 .result = REJECT,
2187 },
2188 {
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002189 "unpriv: cmp of frame pointer",
2190 .insns = {
2191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2192 BPF_MOV64_IMM(BPF_REG_0, 0),
2193 BPF_EXIT_INSN(),
2194 },
2195 .errstr_unpriv = "R10 pointer comparison",
2196 .result_unpriv = REJECT,
2197 .result = ACCEPT,
2198 },
2199 {
Daniel Borkmann728a8532017-04-27 01:39:32 +02002200 "unpriv: adding of fp",
2201 .insns = {
2202 BPF_MOV64_IMM(BPF_REG_0, 0),
2203 BPF_MOV64_IMM(BPF_REG_1, 0),
2204 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2205 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2206 BPF_EXIT_INSN(),
2207 },
Edward Creef65b1842017-08-07 15:27:12 +01002208 .result = ACCEPT,
Daniel Borkmann728a8532017-04-27 01:39:32 +02002209 },
2210 {
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002211 "unpriv: cmp of stack pointer",
2212 .insns = {
2213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2216 BPF_MOV64_IMM(BPF_REG_0, 0),
2217 BPF_EXIT_INSN(),
2218 },
2219 .errstr_unpriv = "R2 pointer comparison",
2220 .result_unpriv = REJECT,
2221 .result = ACCEPT,
2222 },
2223 {
Yonghong Song332270f2017-04-29 22:52:42 -07002224 "stack pointer arithmetic",
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002225 .insns = {
Yonghong Song332270f2017-04-29 22:52:42 -07002226 BPF_MOV64_IMM(BPF_REG_1, 4),
2227 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2228 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2232 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2233 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2234 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2236 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002237 BPF_MOV64_IMM(BPF_REG_0, 0),
2238 BPF_EXIT_INSN(),
2239 },
Alexei Starovoitovbf508872015-10-07 22:23:23 -07002240 .result = ACCEPT,
2241 },
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002242 {
2243 "raw_stack: no skb_load_bytes",
2244 .insns = {
2245 BPF_MOV64_IMM(BPF_REG_2, 4),
2246 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2248 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2249 BPF_MOV64_IMM(BPF_REG_4, 8),
2250 /* Call to skb_load_bytes() omitted. */
2251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2252 BPF_EXIT_INSN(),
2253 },
2254 .result = REJECT,
2255 .errstr = "invalid read from stack off -8+0 size 8",
2256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2257 },
2258 {
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002259 "raw_stack: skb_load_bytes, negative len",
2260 .insns = {
2261 BPF_MOV64_IMM(BPF_REG_2, 4),
2262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2265 BPF_MOV64_IMM(BPF_REG_4, -8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2267 BPF_FUNC_skb_load_bytes),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2269 BPF_EXIT_INSN(),
2270 },
2271 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01002272 .errstr = "R4 min value is negative",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2274 },
2275 {
2276 "raw_stack: skb_load_bytes, negative len 2",
2277 .insns = {
2278 BPF_MOV64_IMM(BPF_REG_2, 4),
2279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2282 BPF_MOV64_IMM(BPF_REG_4, ~0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2284 BPF_FUNC_skb_load_bytes),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002285 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2286 BPF_EXIT_INSN(),
2287 },
2288 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01002289 .errstr = "R4 min value is negative",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2291 },
2292 {
2293 "raw_stack: skb_load_bytes, zero len",
2294 .insns = {
2295 BPF_MOV64_IMM(BPF_REG_2, 4),
2296 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2298 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2299 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2301 BPF_FUNC_skb_load_bytes),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2303 BPF_EXIT_INSN(),
2304 },
2305 .result = REJECT,
2306 .errstr = "invalid stack type R3",
2307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2308 },
2309 {
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002310 "raw_stack: skb_load_bytes, no init",
2311 .insns = {
2312 BPF_MOV64_IMM(BPF_REG_2, 4),
2313 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2315 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2316 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2318 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002319 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2320 BPF_EXIT_INSN(),
2321 },
2322 .result = ACCEPT,
2323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2324 },
2325 {
2326 "raw_stack: skb_load_bytes, init",
2327 .insns = {
2328 BPF_MOV64_IMM(BPF_REG_2, 4),
2329 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2331 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2332 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2333 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2335 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002336 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2337 BPF_EXIT_INSN(),
2338 },
2339 .result = ACCEPT,
2340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2341 },
2342 {
2343 "raw_stack: skb_load_bytes, spilled regs around bounds",
2344 .insns = {
2345 BPF_MOV64_IMM(BPF_REG_2, 4),
2346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002348 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2349 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2351 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2353 BPF_FUNC_skb_load_bytes),
2354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2355 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2357 offsetof(struct __sk_buff, mark)),
2358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2359 offsetof(struct __sk_buff, priority)),
2360 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2361 BPF_EXIT_INSN(),
2362 },
2363 .result = ACCEPT,
2364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2365 },
2366 {
2367 "raw_stack: skb_load_bytes, spilled regs corruption",
2368 .insns = {
2369 BPF_MOV64_IMM(BPF_REG_2, 4),
2370 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002372 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002373 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2374 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2376 BPF_FUNC_skb_load_bytes),
2377 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2379 offsetof(struct __sk_buff, mark)),
2380 BPF_EXIT_INSN(),
2381 },
2382 .result = REJECT,
2383 .errstr = "R0 invalid mem access 'inv'",
2384 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2385 },
2386 {
2387 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2388 .insns = {
2389 BPF_MOV64_IMM(BPF_REG_2, 4),
2390 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002392 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2393 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2394 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002395 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2396 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2398 BPF_FUNC_skb_load_bytes),
2399 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2400 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2401 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002402 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2403 offsetof(struct __sk_buff, mark)),
2404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2405 offsetof(struct __sk_buff, priority)),
2406 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2408 offsetof(struct __sk_buff, pkt_type)),
2409 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2410 BPF_EXIT_INSN(),
2411 },
2412 .result = REJECT,
2413 .errstr = "R3 invalid mem access 'inv'",
2414 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2415 },
2416 {
2417 "raw_stack: skb_load_bytes, spilled regs + data",
2418 .insns = {
2419 BPF_MOV64_IMM(BPF_REG_2, 4),
2420 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002422 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2423 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2424 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002425 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2426 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2428 BPF_FUNC_skb_load_bytes),
2429 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2430 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2431 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002432 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2433 offsetof(struct __sk_buff, mark)),
2434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2435 offsetof(struct __sk_buff, priority)),
2436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2438 BPF_EXIT_INSN(),
2439 },
2440 .result = ACCEPT,
2441 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2442 },
2443 {
2444 "raw_stack: skb_load_bytes, invalid access 1",
2445 .insns = {
2446 BPF_MOV64_IMM(BPF_REG_2, 4),
2447 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2449 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2450 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2452 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002453 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2454 BPF_EXIT_INSN(),
2455 },
2456 .result = REJECT,
2457 .errstr = "invalid stack type R3 off=-513 access_size=8",
2458 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2459 },
2460 {
2461 "raw_stack: skb_load_bytes, invalid access 2",
2462 .insns = {
2463 BPF_MOV64_IMM(BPF_REG_2, 4),
2464 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2466 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2467 BPF_MOV64_IMM(BPF_REG_4, 8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2469 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2471 BPF_EXIT_INSN(),
2472 },
2473 .result = REJECT,
2474 .errstr = "invalid stack type R3 off=-1 access_size=8",
2475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2476 },
2477 {
2478 "raw_stack: skb_load_bytes, invalid access 3",
2479 .insns = {
2480 BPF_MOV64_IMM(BPF_REG_2, 4),
2481 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2483 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2484 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002485 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2486 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2488 BPF_EXIT_INSN(),
2489 },
2490 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01002491 .errstr = "R4 min value is negative",
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002492 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2493 },
2494 {
2495 "raw_stack: skb_load_bytes, invalid access 4",
2496 .insns = {
2497 BPF_MOV64_IMM(BPF_REG_2, 4),
2498 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2500 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2501 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2503 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2505 BPF_EXIT_INSN(),
2506 },
2507 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01002508 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002509 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2510 },
2511 {
2512 "raw_stack: skb_load_bytes, invalid access 5",
2513 .insns = {
2514 BPF_MOV64_IMM(BPF_REG_2, 4),
2515 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2517 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2518 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2520 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002521 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2522 BPF_EXIT_INSN(),
2523 },
2524 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01002525 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002526 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2527 },
2528 {
2529 "raw_stack: skb_load_bytes, invalid access 6",
2530 .insns = {
2531 BPF_MOV64_IMM(BPF_REG_2, 4),
2532 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2535 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2537 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2539 BPF_EXIT_INSN(),
2540 },
2541 .result = REJECT,
2542 .errstr = "invalid stack type R3 off=-512 access_size=0",
2543 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2544 },
2545 {
2546 "raw_stack: skb_load_bytes, large access",
2547 .insns = {
2548 BPF_MOV64_IMM(BPF_REG_2, 4),
2549 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2551 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2552 BPF_MOV64_IMM(BPF_REG_4, 512),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02002553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 BPF_FUNC_skb_load_bytes),
Daniel Borkmann3f2050e2016-04-13 00:10:54 +02002555 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2556 BPF_EXIT_INSN(),
2557 },
2558 .result = ACCEPT,
2559 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2560 },
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002561 {
Aaron Yue1633ac02016-08-11 18:17:17 -07002562 "direct packet access: test1",
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002563 .insns = {
2564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2565 offsetof(struct __sk_buff, data)),
2566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2567 offsetof(struct __sk_buff, data_end)),
2568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2572 BPF_MOV64_IMM(BPF_REG_0, 0),
2573 BPF_EXIT_INSN(),
2574 },
2575 .result = ACCEPT,
2576 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2577 },
2578 {
Aaron Yue1633ac02016-08-11 18:17:17 -07002579 "direct packet access: test2",
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002580 .insns = {
2581 BPF_MOV64_IMM(BPF_REG_0, 1),
2582 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2583 offsetof(struct __sk_buff, data_end)),
2584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2585 offsetof(struct __sk_buff, data)),
2586 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2588 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2590 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2591 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2592 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2593 offsetof(struct __sk_buff, data)),
2594 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
Edward Cree1f9ab382017-08-07 15:29:11 +01002596 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2597 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002598 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2601 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2602 offsetof(struct __sk_buff, data_end)),
2603 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2604 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2605 BPF_MOV64_IMM(BPF_REG_0, 0),
2606 BPF_EXIT_INSN(),
2607 },
2608 .result = ACCEPT,
2609 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2610 },
2611 {
Aaron Yue1633ac02016-08-11 18:17:17 -07002612 "direct packet access: test3",
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002613 .insns = {
2614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2615 offsetof(struct __sk_buff, data)),
2616 BPF_MOV64_IMM(BPF_REG_0, 0),
2617 BPF_EXIT_INSN(),
2618 },
2619 .errstr = "invalid bpf_context access off=76",
2620 .result = REJECT,
2621 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2622 },
2623 {
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002624 "direct packet access: test4 (write)",
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002625 .insns = {
2626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2627 offsetof(struct __sk_buff, data)),
2628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2629 offsetof(struct __sk_buff, data_end)),
2630 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2632 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2633 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2634 BPF_MOV64_IMM(BPF_REG_0, 0),
2635 BPF_EXIT_INSN(),
2636 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002637 .result = ACCEPT,
Alexei Starovoitov883e44e2016-05-05 19:49:15 -07002638 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2639 },
Aaron Yue1633ac02016-08-11 18:17:17 -07002640 {
Daniel Borkmann2d2be8c2016-09-08 01:03:42 +02002641 "direct packet access: test5 (pkt_end >= reg, good access)",
2642 .insns = {
2643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2644 offsetof(struct __sk_buff, data)),
2645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2646 offsetof(struct __sk_buff, data_end)),
2647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2649 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2650 BPF_MOV64_IMM(BPF_REG_0, 1),
2651 BPF_EXIT_INSN(),
2652 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2653 BPF_MOV64_IMM(BPF_REG_0, 0),
2654 BPF_EXIT_INSN(),
2655 },
2656 .result = ACCEPT,
2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2658 },
2659 {
2660 "direct packet access: test6 (pkt_end >= reg, bad access)",
2661 .insns = {
2662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2663 offsetof(struct __sk_buff, data)),
2664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2665 offsetof(struct __sk_buff, data_end)),
2666 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2668 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2670 BPF_MOV64_IMM(BPF_REG_0, 1),
2671 BPF_EXIT_INSN(),
2672 BPF_MOV64_IMM(BPF_REG_0, 0),
2673 BPF_EXIT_INSN(),
2674 },
2675 .errstr = "invalid access to packet",
2676 .result = REJECT,
2677 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 },
2679 {
2680 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2681 .insns = {
2682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2683 offsetof(struct __sk_buff, data)),
2684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2685 offsetof(struct __sk_buff, data_end)),
2686 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2688 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2689 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2690 BPF_MOV64_IMM(BPF_REG_0, 1),
2691 BPF_EXIT_INSN(),
2692 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2693 BPF_MOV64_IMM(BPF_REG_0, 0),
2694 BPF_EXIT_INSN(),
2695 },
2696 .errstr = "invalid access to packet",
2697 .result = REJECT,
2698 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2699 },
2700 {
2701 "direct packet access: test8 (double test, variant 1)",
2702 .insns = {
2703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2704 offsetof(struct __sk_buff, data)),
2705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2706 offsetof(struct __sk_buff, data_end)),
2707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2709 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2711 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2712 BPF_MOV64_IMM(BPF_REG_0, 1),
2713 BPF_EXIT_INSN(),
2714 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2715 BPF_MOV64_IMM(BPF_REG_0, 0),
2716 BPF_EXIT_INSN(),
2717 },
2718 .result = ACCEPT,
2719 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2720 },
2721 {
2722 "direct packet access: test9 (double test, variant 2)",
2723 .insns = {
2724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2725 offsetof(struct __sk_buff, data)),
2726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2727 offsetof(struct __sk_buff, data_end)),
2728 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2730 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2731 BPF_MOV64_IMM(BPF_REG_0, 1),
2732 BPF_EXIT_INSN(),
2733 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2734 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2736 BPF_MOV64_IMM(BPF_REG_0, 0),
2737 BPF_EXIT_INSN(),
2738 },
2739 .result = ACCEPT,
2740 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2741 },
2742 {
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02002743 "direct packet access: test10 (write invalid)",
2744 .insns = {
2745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2746 offsetof(struct __sk_buff, data)),
2747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2748 offsetof(struct __sk_buff, data_end)),
2749 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2751 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2752 BPF_MOV64_IMM(BPF_REG_0, 0),
2753 BPF_EXIT_INSN(),
2754 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2755 BPF_MOV64_IMM(BPF_REG_0, 0),
2756 BPF_EXIT_INSN(),
2757 },
2758 .errstr = "invalid access to packet",
2759 .result = REJECT,
2760 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2761 },
2762 {
Daniel Borkmann3fadc802017-01-24 01:06:30 +01002763 "direct packet access: test11 (shift, good access)",
2764 .insns = {
2765 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2766 offsetof(struct __sk_buff, data)),
2767 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2768 offsetof(struct __sk_buff, data_end)),
2769 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2771 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2772 BPF_MOV64_IMM(BPF_REG_3, 144),
2773 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2775 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2776 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2777 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2778 BPF_MOV64_IMM(BPF_REG_0, 1),
2779 BPF_EXIT_INSN(),
2780 BPF_MOV64_IMM(BPF_REG_0, 0),
2781 BPF_EXIT_INSN(),
2782 },
2783 .result = ACCEPT,
2784 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2785 },
2786 {
2787 "direct packet access: test12 (and, good access)",
2788 .insns = {
2789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2790 offsetof(struct __sk_buff, data)),
2791 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2792 offsetof(struct __sk_buff, data_end)),
2793 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2795 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2796 BPF_MOV64_IMM(BPF_REG_3, 144),
2797 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2799 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2800 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2801 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2802 BPF_MOV64_IMM(BPF_REG_0, 1),
2803 BPF_EXIT_INSN(),
2804 BPF_MOV64_IMM(BPF_REG_0, 0),
2805 BPF_EXIT_INSN(),
2806 },
2807 .result = ACCEPT,
2808 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2809 },
2810 {
2811 "direct packet access: test13 (branches, good access)",
2812 .insns = {
2813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2814 offsetof(struct __sk_buff, data)),
2815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2816 offsetof(struct __sk_buff, data_end)),
2817 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2819 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct __sk_buff, mark)),
2822 BPF_MOV64_IMM(BPF_REG_4, 1),
2823 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2824 BPF_MOV64_IMM(BPF_REG_3, 14),
2825 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2826 BPF_MOV64_IMM(BPF_REG_3, 24),
2827 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2829 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2830 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2831 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2832 BPF_MOV64_IMM(BPF_REG_0, 1),
2833 BPF_EXIT_INSN(),
2834 BPF_MOV64_IMM(BPF_REG_0, 0),
2835 BPF_EXIT_INSN(),
2836 },
2837 .result = ACCEPT,
2838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2839 },
2840 {
William Tu63dfef72017-02-04 08:37:29 -08002841 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2842 .insns = {
2843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2844 offsetof(struct __sk_buff, data)),
2845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2846 offsetof(struct __sk_buff, data_end)),
2847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2850 BPF_MOV64_IMM(BPF_REG_5, 12),
2851 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2852 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2853 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2854 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2855 BPF_MOV64_IMM(BPF_REG_0, 1),
2856 BPF_EXIT_INSN(),
2857 BPF_MOV64_IMM(BPF_REG_0, 0),
2858 BPF_EXIT_INSN(),
2859 },
2860 .result = ACCEPT,
2861 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2862 },
2863 {
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02002864 "direct packet access: test15 (spill with xadd)",
2865 .insns = {
2866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2867 offsetof(struct __sk_buff, data)),
2868 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2869 offsetof(struct __sk_buff, data_end)),
2870 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2872 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2873 BPF_MOV64_IMM(BPF_REG_5, 4096),
2874 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2877 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2879 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2880 BPF_MOV64_IMM(BPF_REG_0, 0),
2881 BPF_EXIT_INSN(),
2882 },
2883 .errstr = "R2 invalid mem access 'inv'",
2884 .result = REJECT,
2885 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2886 },
2887 {
Daniel Borkmann728a8532017-04-27 01:39:32 +02002888 "direct packet access: test16 (arith on data_end)",
2889 .insns = {
2890 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2891 offsetof(struct __sk_buff, data)),
2892 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2893 offsetof(struct __sk_buff, data_end)),
2894 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2897 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2898 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2899 BPF_MOV64_IMM(BPF_REG_0, 0),
2900 BPF_EXIT_INSN(),
2901 },
2902 .errstr = "invalid access to packet",
2903 .result = REJECT,
2904 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2905 },
2906 {
Daniel Borkmann614d0d72017-05-25 01:05:09 +02002907 "direct packet access: test17 (pruning, alignment)",
2908 .insns = {
2909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2910 offsetof(struct __sk_buff, data)),
2911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2912 offsetof(struct __sk_buff, data_end)),
2913 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2914 offsetof(struct __sk_buff, mark)),
2915 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2917 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2918 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2919 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2920 BPF_MOV64_IMM(BPF_REG_0, 0),
2921 BPF_EXIT_INSN(),
2922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2923 BPF_JMP_A(-6),
2924 },
Edward Creef65b1842017-08-07 15:27:12 +01002925 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
Daniel Borkmann614d0d72017-05-25 01:05:09 +02002926 .result = REJECT,
2927 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2928 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2929 },
2930 {
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02002931 "direct packet access: test18 (imm += pkt_ptr, 1)",
2932 .insns = {
2933 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2934 offsetof(struct __sk_buff, data)),
2935 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2936 offsetof(struct __sk_buff, data_end)),
2937 BPF_MOV64_IMM(BPF_REG_0, 8),
2938 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2939 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2940 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2941 BPF_MOV64_IMM(BPF_REG_0, 0),
2942 BPF_EXIT_INSN(),
2943 },
2944 .result = ACCEPT,
2945 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2946 },
2947 {
2948 "direct packet access: test19 (imm += pkt_ptr, 2)",
2949 .insns = {
2950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2951 offsetof(struct __sk_buff, data)),
2952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2953 offsetof(struct __sk_buff, data_end)),
2954 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2956 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2957 BPF_MOV64_IMM(BPF_REG_4, 4),
2958 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2959 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2960 BPF_MOV64_IMM(BPF_REG_0, 0),
2961 BPF_EXIT_INSN(),
2962 },
2963 .result = ACCEPT,
2964 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2965 },
2966 {
2967 "direct packet access: test20 (x += pkt_ptr, 1)",
2968 .insns = {
2969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2970 offsetof(struct __sk_buff, data)),
2971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2972 offsetof(struct __sk_buff, data_end)),
2973 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2974 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2975 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
Edward Cree1f9ab382017-08-07 15:29:11 +01002976 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02002977 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2978 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2979 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
Edward Cree1f9ab382017-08-07 15:29:11 +01002980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02002981 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2982 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2984 BPF_EXIT_INSN(),
2985 },
2986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2987 .result = ACCEPT,
2988 },
2989 {
2990 "direct packet access: test21 (x += pkt_ptr, 2)",
2991 .insns = {
2992 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2993 offsetof(struct __sk_buff, data)),
2994 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2995 offsetof(struct __sk_buff, data_end)),
2996 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2998 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2999 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3001 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
Edward Cree1f9ab382017-08-07 15:29:11 +01003002 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02003003 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3004 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
Edward Cree1f9ab382017-08-07 15:29:11 +01003005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02003006 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3007 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3008 BPF_MOV64_IMM(BPF_REG_0, 0),
3009 BPF_EXIT_INSN(),
3010 },
3011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3012 .result = ACCEPT,
3013 },
3014 {
3015 "direct packet access: test22 (x += pkt_ptr, 3)",
3016 .insns = {
3017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3018 offsetof(struct __sk_buff, data)),
3019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3020 offsetof(struct __sk_buff, data_end)),
3021 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3023 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3024 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3025 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3026 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3027 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3028 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3029 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3030 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
Edward Cree1f9ab382017-08-07 15:29:11 +01003031 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02003032 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3035 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3036 BPF_MOV64_IMM(BPF_REG_2, 1),
3037 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3038 BPF_MOV64_IMM(BPF_REG_0, 0),
3039 BPF_EXIT_INSN(),
3040 },
3041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3042 .result = ACCEPT,
3043 },
3044 {
3045 "direct packet access: test23 (x += pkt_ptr, 4)",
3046 .insns = {
3047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3048 offsetof(struct __sk_buff, data)),
3049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3050 offsetof(struct __sk_buff, data_end)),
3051 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3052 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3053 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3054 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3055 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3056 BPF_MOV64_IMM(BPF_REG_0, 31),
3057 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3058 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3059 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3061 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3062 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3063 BPF_MOV64_IMM(BPF_REG_0, 0),
3064 BPF_EXIT_INSN(),
3065 },
3066 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3067 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01003068 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02003069 },
3070 {
3071 "direct packet access: test24 (x += pkt_ptr, 5)",
3072 .insns = {
3073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3074 offsetof(struct __sk_buff, data)),
3075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3076 offsetof(struct __sk_buff, data_end)),
3077 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3078 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3079 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3080 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3081 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3082 BPF_MOV64_IMM(BPF_REG_0, 64),
3083 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3084 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3085 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
Edward Cree1f9ab382017-08-07 15:29:11 +01003086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
Daniel Borkmann6d191ed42017-07-02 02:13:31 +02003087 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3088 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3089 BPF_MOV64_IMM(BPF_REG_0, 0),
3090 BPF_EXIT_INSN(),
3091 },
3092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3093 .result = ACCEPT,
3094 },
3095 {
Daniel Borkmann31e482b2017-08-10 01:40:03 +02003096 "direct packet access: test25 (marking on <, good access)",
3097 .insns = {
3098 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3099 offsetof(struct __sk_buff, data)),
3100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3101 offsetof(struct __sk_buff, data_end)),
3102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3104 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3105 BPF_MOV64_IMM(BPF_REG_0, 0),
3106 BPF_EXIT_INSN(),
3107 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3108 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3109 },
3110 .result = ACCEPT,
3111 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3112 },
3113 {
3114 "direct packet access: test26 (marking on <, bad access)",
3115 .insns = {
3116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3117 offsetof(struct __sk_buff, data)),
3118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3119 offsetof(struct __sk_buff, data_end)),
3120 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3122 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3123 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3124 BPF_MOV64_IMM(BPF_REG_0, 0),
3125 BPF_EXIT_INSN(),
3126 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3127 },
3128 .result = REJECT,
3129 .errstr = "invalid access to packet",
3130 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3131 },
3132 {
3133 "direct packet access: test27 (marking on <=, good access)",
3134 .insns = {
3135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3136 offsetof(struct __sk_buff, data)),
3137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3138 offsetof(struct __sk_buff, data_end)),
3139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3141 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3142 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3143 BPF_MOV64_IMM(BPF_REG_0, 1),
3144 BPF_EXIT_INSN(),
3145 },
3146 .result = ACCEPT,
3147 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3148 },
3149 {
3150 "direct packet access: test28 (marking on <=, bad access)",
3151 .insns = {
3152 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3153 offsetof(struct __sk_buff, data)),
3154 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3155 offsetof(struct __sk_buff, data_end)),
3156 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3158 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3159 BPF_MOV64_IMM(BPF_REG_0, 1),
3160 BPF_EXIT_INSN(),
3161 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3162 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3163 },
3164 .result = REJECT,
3165 .errstr = "invalid access to packet",
3166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3167 },
3168 {
Aaron Yue1633ac02016-08-11 18:17:17 -07003169 "helper access to packet: test1, valid packet_ptr range",
3170 .insns = {
3171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3172 offsetof(struct xdp_md, data)),
3173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3174 offsetof(struct xdp_md, data_end)),
3175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3177 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3178 BPF_LD_MAP_FD(BPF_REG_1, 0),
3179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3180 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3182 BPF_FUNC_map_update_elem),
Aaron Yue1633ac02016-08-11 18:17:17 -07003183 BPF_MOV64_IMM(BPF_REG_0, 0),
3184 BPF_EXIT_INSN(),
3185 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003186 .fixup_map1 = { 5 },
Aaron Yue1633ac02016-08-11 18:17:17 -07003187 .result_unpriv = ACCEPT,
3188 .result = ACCEPT,
3189 .prog_type = BPF_PROG_TYPE_XDP,
3190 },
3191 {
3192 "helper access to packet: test2, unchecked packet_ptr",
3193 .insns = {
3194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3195 offsetof(struct xdp_md, data)),
3196 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198 BPF_FUNC_map_lookup_elem),
Aaron Yue1633ac02016-08-11 18:17:17 -07003199 BPF_MOV64_IMM(BPF_REG_0, 0),
3200 BPF_EXIT_INSN(),
3201 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003202 .fixup_map1 = { 1 },
Aaron Yue1633ac02016-08-11 18:17:17 -07003203 .result = REJECT,
3204 .errstr = "invalid access to packet",
3205 .prog_type = BPF_PROG_TYPE_XDP,
3206 },
3207 {
3208 "helper access to packet: test3, variable add",
3209 .insns = {
3210 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3211 offsetof(struct xdp_md, data)),
3212 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3213 offsetof(struct xdp_md, data_end)),
3214 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3216 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3217 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3219 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3220 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3222 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3223 BPF_LD_MAP_FD(BPF_REG_1, 0),
3224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3226 BPF_FUNC_map_lookup_elem),
Aaron Yue1633ac02016-08-11 18:17:17 -07003227 BPF_MOV64_IMM(BPF_REG_0, 0),
3228 BPF_EXIT_INSN(),
3229 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003230 .fixup_map1 = { 11 },
Aaron Yue1633ac02016-08-11 18:17:17 -07003231 .result = ACCEPT,
3232 .prog_type = BPF_PROG_TYPE_XDP,
3233 },
3234 {
3235 "helper access to packet: test4, packet_ptr with bad range",
3236 .insns = {
3237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3238 offsetof(struct xdp_md, data)),
3239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3240 offsetof(struct xdp_md, data_end)),
3241 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3243 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3244 BPF_MOV64_IMM(BPF_REG_0, 0),
3245 BPF_EXIT_INSN(),
3246 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3248 BPF_FUNC_map_lookup_elem),
Aaron Yue1633ac02016-08-11 18:17:17 -07003249 BPF_MOV64_IMM(BPF_REG_0, 0),
3250 BPF_EXIT_INSN(),
3251 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003252 .fixup_map1 = { 7 },
Aaron Yue1633ac02016-08-11 18:17:17 -07003253 .result = REJECT,
3254 .errstr = "invalid access to packet",
3255 .prog_type = BPF_PROG_TYPE_XDP,
3256 },
3257 {
3258 "helper access to packet: test5, packet_ptr with too short range",
3259 .insns = {
3260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3261 offsetof(struct xdp_md, data)),
3262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3263 offsetof(struct xdp_md, data_end)),
3264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3265 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3267 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3268 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3270 BPF_FUNC_map_lookup_elem),
Aaron Yue1633ac02016-08-11 18:17:17 -07003271 BPF_MOV64_IMM(BPF_REG_0, 0),
3272 BPF_EXIT_INSN(),
3273 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003274 .fixup_map1 = { 6 },
Aaron Yue1633ac02016-08-11 18:17:17 -07003275 .result = REJECT,
3276 .errstr = "invalid access to packet",
3277 .prog_type = BPF_PROG_TYPE_XDP,
3278 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003279 {
3280 "helper access to packet: test6, cls valid packet_ptr range",
3281 .insns = {
3282 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3283 offsetof(struct __sk_buff, data)),
3284 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3285 offsetof(struct __sk_buff, data_end)),
3286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3289 BPF_LD_MAP_FD(BPF_REG_1, 0),
3290 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3291 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 BPF_FUNC_map_update_elem),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003294 BPF_MOV64_IMM(BPF_REG_0, 0),
3295 BPF_EXIT_INSN(),
3296 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003297 .fixup_map1 = { 5 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003298 .result = ACCEPT,
3299 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3300 },
3301 {
3302 "helper access to packet: test7, cls unchecked packet_ptr",
3303 .insns = {
3304 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3305 offsetof(struct __sk_buff, data)),
3306 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3308 BPF_FUNC_map_lookup_elem),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003309 BPF_MOV64_IMM(BPF_REG_0, 0),
3310 BPF_EXIT_INSN(),
3311 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003312 .fixup_map1 = { 1 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003313 .result = REJECT,
3314 .errstr = "invalid access to packet",
3315 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3316 },
3317 {
3318 "helper access to packet: test8, cls variable add",
3319 .insns = {
3320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3321 offsetof(struct __sk_buff, data)),
3322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3323 offsetof(struct __sk_buff, data_end)),
3324 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3326 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3327 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3328 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3329 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3330 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3332 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3333 BPF_LD_MAP_FD(BPF_REG_1, 0),
3334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3336 BPF_FUNC_map_lookup_elem),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003337 BPF_MOV64_IMM(BPF_REG_0, 0),
3338 BPF_EXIT_INSN(),
3339 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003340 .fixup_map1 = { 11 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003341 .result = ACCEPT,
3342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 },
3344 {
3345 "helper access to packet: test9, cls packet_ptr with bad range",
3346 .insns = {
3347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3348 offsetof(struct __sk_buff, data)),
3349 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3350 offsetof(struct __sk_buff, data_end)),
3351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3353 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3354 BPF_MOV64_IMM(BPF_REG_0, 0),
3355 BPF_EXIT_INSN(),
3356 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3358 BPF_FUNC_map_lookup_elem),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003359 BPF_MOV64_IMM(BPF_REG_0, 0),
3360 BPF_EXIT_INSN(),
3361 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003362 .fixup_map1 = { 7 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003363 .result = REJECT,
3364 .errstr = "invalid access to packet",
3365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3366 },
3367 {
3368 "helper access to packet: test10, cls packet_ptr with too short range",
3369 .insns = {
3370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371 offsetof(struct __sk_buff, data)),
3372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373 offsetof(struct __sk_buff, data_end)),
3374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3375 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3377 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3378 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3380 BPF_FUNC_map_lookup_elem),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003381 BPF_MOV64_IMM(BPF_REG_0, 0),
3382 BPF_EXIT_INSN(),
3383 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003384 .fixup_map1 = { 6 },
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003385 .result = REJECT,
3386 .errstr = "invalid access to packet",
3387 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3388 },
3389 {
3390 "helper access to packet: test11, cls unsuitable helper 1",
3391 .insns = {
3392 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3393 offsetof(struct __sk_buff, data)),
3394 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3395 offsetof(struct __sk_buff, data_end)),
3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3397 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3399 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3400 BPF_MOV64_IMM(BPF_REG_2, 0),
3401 BPF_MOV64_IMM(BPF_REG_4, 42),
3402 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3404 BPF_FUNC_skb_store_bytes),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003405 BPF_MOV64_IMM(BPF_REG_0, 0),
3406 BPF_EXIT_INSN(),
3407 },
3408 .result = REJECT,
3409 .errstr = "helper access to the packet",
3410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3411 },
3412 {
3413 "helper access to packet: test12, cls unsuitable helper 2",
3414 .insns = {
3415 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3416 offsetof(struct __sk_buff, data)),
3417 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3418 offsetof(struct __sk_buff, data_end)),
3419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3421 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3422 BPF_MOV64_IMM(BPF_REG_2, 0),
3423 BPF_MOV64_IMM(BPF_REG_4, 4),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3425 BPF_FUNC_skb_load_bytes),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003426 BPF_MOV64_IMM(BPF_REG_0, 0),
3427 BPF_EXIT_INSN(),
3428 },
3429 .result = REJECT,
3430 .errstr = "helper access to the packet",
3431 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3432 },
3433 {
3434 "helper access to packet: test13, cls helper ok",
3435 .insns = {
3436 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3437 offsetof(struct __sk_buff, data)),
3438 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3439 offsetof(struct __sk_buff, data_end)),
3440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3443 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3445 BPF_MOV64_IMM(BPF_REG_2, 4),
3446 BPF_MOV64_IMM(BPF_REG_3, 0),
3447 BPF_MOV64_IMM(BPF_REG_4, 0),
3448 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3450 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003451 BPF_MOV64_IMM(BPF_REG_0, 0),
3452 BPF_EXIT_INSN(),
3453 },
3454 .result = ACCEPT,
3455 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3456 },
3457 {
Edward Creef65b1842017-08-07 15:27:12 +01003458 "helper access to packet: test14, cls helper ok sub",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003459 .insns = {
3460 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3461 offsetof(struct __sk_buff, data)),
3462 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3463 offsetof(struct __sk_buff, data_end)),
3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3467 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3468 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3469 BPF_MOV64_IMM(BPF_REG_2, 4),
3470 BPF_MOV64_IMM(BPF_REG_3, 0),
3471 BPF_MOV64_IMM(BPF_REG_4, 0),
3472 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3474 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003475 BPF_MOV64_IMM(BPF_REG_0, 0),
3476 BPF_EXIT_INSN(),
3477 },
Edward Creef65b1842017-08-07 15:27:12 +01003478 .result = ACCEPT,
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003479 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3480 },
3481 {
Edward Creef65b1842017-08-07 15:27:12 +01003482 "helper access to packet: test15, cls helper fail sub",
3483 .insns = {
3484 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3485 offsetof(struct __sk_buff, data)),
3486 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3487 offsetof(struct __sk_buff, data_end)),
3488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3489 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3491 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3492 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3493 BPF_MOV64_IMM(BPF_REG_2, 4),
3494 BPF_MOV64_IMM(BPF_REG_3, 0),
3495 BPF_MOV64_IMM(BPF_REG_4, 0),
3496 BPF_MOV64_IMM(BPF_REG_5, 0),
3497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3498 BPF_FUNC_csum_diff),
3499 BPF_MOV64_IMM(BPF_REG_0, 0),
3500 BPF_EXIT_INSN(),
3501 },
3502 .result = REJECT,
3503 .errstr = "invalid access to packet",
3504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3505 },
3506 {
3507 "helper access to packet: test16, cls helper fail range 1",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003508 .insns = {
3509 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3510 offsetof(struct __sk_buff, data)),
3511 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3512 offsetof(struct __sk_buff, data_end)),
3513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3514 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3516 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3518 BPF_MOV64_IMM(BPF_REG_2, 8),
3519 BPF_MOV64_IMM(BPF_REG_3, 0),
3520 BPF_MOV64_IMM(BPF_REG_4, 0),
3521 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3523 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003524 BPF_MOV64_IMM(BPF_REG_0, 0),
3525 BPF_EXIT_INSN(),
3526 },
3527 .result = REJECT,
3528 .errstr = "invalid access to packet",
3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 },
3531 {
Edward Creef65b1842017-08-07 15:27:12 +01003532 "helper access to packet: test17, cls helper fail range 2",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003533 .insns = {
3534 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3535 offsetof(struct __sk_buff, data)),
3536 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3537 offsetof(struct __sk_buff, data_end)),
3538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3541 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3543 BPF_MOV64_IMM(BPF_REG_2, -9),
3544 BPF_MOV64_IMM(BPF_REG_3, 0),
3545 BPF_MOV64_IMM(BPF_REG_4, 0),
3546 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3548 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003549 BPF_MOV64_IMM(BPF_REG_0, 0),
3550 BPF_EXIT_INSN(),
3551 },
3552 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01003553 .errstr = "R2 min value is negative",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003554 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3555 },
3556 {
Edward Creef65b1842017-08-07 15:27:12 +01003557 "helper access to packet: test18, cls helper fail range 3",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003558 .insns = {
3559 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3560 offsetof(struct __sk_buff, data)),
3561 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3562 offsetof(struct __sk_buff, data_end)),
3563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3566 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3567 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3568 BPF_MOV64_IMM(BPF_REG_2, ~0),
3569 BPF_MOV64_IMM(BPF_REG_3, 0),
3570 BPF_MOV64_IMM(BPF_REG_4, 0),
3571 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3573 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003574 BPF_MOV64_IMM(BPF_REG_0, 0),
3575 BPF_EXIT_INSN(),
3576 },
3577 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01003578 .errstr = "R2 min value is negative",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003579 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3580 },
3581 {
Yonghong Songb6ff6392017-11-12 14:49:11 -08003582 "helper access to packet: test19, cls helper range zero",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003583 .insns = {
3584 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3585 offsetof(struct __sk_buff, data)),
3586 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3587 offsetof(struct __sk_buff, data_end)),
3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3593 BPF_MOV64_IMM(BPF_REG_2, 0),
3594 BPF_MOV64_IMM(BPF_REG_3, 0),
3595 BPF_MOV64_IMM(BPF_REG_4, 0),
3596 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3598 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003599 BPF_MOV64_IMM(BPF_REG_0, 0),
3600 BPF_EXIT_INSN(),
3601 },
Yonghong Songb6ff6392017-11-12 14:49:11 -08003602 .result = ACCEPT,
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003603 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3604 },
3605 {
Edward Creef65b1842017-08-07 15:27:12 +01003606 "helper access to packet: test20, pkt end as input",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003607 .insns = {
3608 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3609 offsetof(struct __sk_buff, data)),
3610 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3611 offsetof(struct __sk_buff, data_end)),
3612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3613 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3615 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3616 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3617 BPF_MOV64_IMM(BPF_REG_2, 4),
3618 BPF_MOV64_IMM(BPF_REG_3, 0),
3619 BPF_MOV64_IMM(BPF_REG_4, 0),
3620 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3622 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003623 BPF_MOV64_IMM(BPF_REG_0, 0),
3624 BPF_EXIT_INSN(),
3625 },
3626 .result = REJECT,
3627 .errstr = "R1 type=pkt_end expected=fp",
3628 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3629 },
3630 {
Edward Creef65b1842017-08-07 15:27:12 +01003631 "helper access to packet: test21, wrong reg",
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003632 .insns = {
3633 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3634 offsetof(struct __sk_buff, data)),
3635 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3636 offsetof(struct __sk_buff, data_end)),
3637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3638 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3640 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3641 BPF_MOV64_IMM(BPF_REG_2, 4),
3642 BPF_MOV64_IMM(BPF_REG_3, 0),
3643 BPF_MOV64_IMM(BPF_REG_4, 0),
3644 BPF_MOV64_IMM(BPF_REG_5, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3646 BPF_FUNC_csum_diff),
Daniel Borkmann7d95b0a2016-09-20 00:26:14 +02003647 BPF_MOV64_IMM(BPF_REG_0, 0),
3648 BPF_EXIT_INSN(),
3649 },
3650 .result = REJECT,
3651 .errstr = "invalid access to packet",
3652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3653 },
Josef Bacik48461132016-09-28 10:54:32 -04003654 {
3655 "valid map access into an array with a constant",
3656 .insns = {
3657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3658 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3660 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3662 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003664 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3665 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003666 BPF_EXIT_INSN(),
3667 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003668 .fixup_map2 = { 3 },
Josef Bacik48461132016-09-28 10:54:32 -04003669 .errstr_unpriv = "R0 leaks addr",
3670 .result_unpriv = REJECT,
3671 .result = ACCEPT,
3672 },
3673 {
3674 "valid map access into an array with a register",
3675 .insns = {
3676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3679 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3681 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3683 BPF_MOV64_IMM(BPF_REG_1, 4),
3684 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3685 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003686 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3687 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003688 BPF_EXIT_INSN(),
3689 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003690 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01003691 .errstr_unpriv = "R0 leaks addr",
Josef Bacik48461132016-09-28 10:54:32 -04003692 .result_unpriv = REJECT,
3693 .result = ACCEPT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003694 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003695 },
3696 {
3697 "valid map access into an array with a variable",
3698 .insns = {
3699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3702 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3704 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3707 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3708 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003710 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3711 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003712 BPF_EXIT_INSN(),
3713 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003714 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01003715 .errstr_unpriv = "R0 leaks addr",
Josef Bacik48461132016-09-28 10:54:32 -04003716 .result_unpriv = REJECT,
3717 .result = ACCEPT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003718 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003719 },
3720 {
3721 "valid map access into an array with a signed variable",
3722 .insns = {
3723 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3724 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3726 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3728 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3730 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3731 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3732 BPF_MOV32_IMM(BPF_REG_1, 0),
3733 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3734 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3735 BPF_MOV32_IMM(BPF_REG_1, 0),
3736 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3737 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003738 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3739 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003740 BPF_EXIT_INSN(),
3741 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003742 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01003743 .errstr_unpriv = "R0 leaks addr",
Josef Bacik48461132016-09-28 10:54:32 -04003744 .result_unpriv = REJECT,
3745 .result = ACCEPT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003746 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003747 },
3748 {
3749 "invalid map access into an array with a constant",
3750 .insns = {
3751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3754 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3756 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3758 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3759 offsetof(struct test_val, foo)),
3760 BPF_EXIT_INSN(),
3761 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003762 .fixup_map2 = { 3 },
Josef Bacik48461132016-09-28 10:54:32 -04003763 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3764 .result = REJECT,
3765 },
3766 {
3767 "invalid map access into an array with a register",
3768 .insns = {
3769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3772 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3774 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3776 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3777 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3778 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003779 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3780 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003781 BPF_EXIT_INSN(),
3782 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003783 .fixup_map2 = { 3 },
Josef Bacik48461132016-09-28 10:54:32 -04003784 .errstr = "R0 min value is outside of the array range",
3785 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003787 },
3788 {
3789 "invalid map access into an array with a variable",
3790 .insns = {
3791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3794 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3796 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3798 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3799 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3800 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3802 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003803 BPF_EXIT_INSN(),
3804 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003805 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01003806 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
Josef Bacik48461132016-09-28 10:54:32 -04003807 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003808 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003809 },
3810 {
3811 "invalid map access into an array with no floor check",
3812 .insns = {
3813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3816 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3818 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
Edward Creef65b1842017-08-07 15:27:12 +01003820 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
Josef Bacik48461132016-09-28 10:54:32 -04003821 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3822 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3823 BPF_MOV32_IMM(BPF_REG_1, 0),
3824 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003826 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3827 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003828 BPF_EXIT_INSN(),
3829 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003830 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01003831 .errstr_unpriv = "R0 leaks addr",
3832 .errstr = "R0 unbounded memory access",
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003833 .result_unpriv = REJECT,
Josef Bacik48461132016-09-28 10:54:32 -04003834 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003836 },
3837 {
3838 "invalid map access into an array with a invalid max check",
3839 .insns = {
3840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3843 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3845 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3847 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3848 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3849 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3850 BPF_MOV32_IMM(BPF_REG_1, 0),
3851 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003853 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3854 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003855 BPF_EXIT_INSN(),
3856 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003857 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01003858 .errstr_unpriv = "R0 leaks addr",
Josef Bacik48461132016-09-28 10:54:32 -04003859 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003860 .result_unpriv = REJECT,
Josef Bacik48461132016-09-28 10:54:32 -04003861 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003862 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003863 },
3864 {
3865 "invalid map access into an array with a invalid max check",
3866 .insns = {
3867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3870 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3872 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3874 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3875 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3878 BPF_LD_MAP_FD(BPF_REG_1, 0),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3880 BPF_FUNC_map_lookup_elem),
Josef Bacik48461132016-09-28 10:54:32 -04003881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3884 offsetof(struct test_val, foo)),
Josef Bacik48461132016-09-28 10:54:32 -04003885 BPF_EXIT_INSN(),
3886 },
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003887 .fixup_map2 = { 3, 11 },
Edward Creef65b1842017-08-07 15:27:12 +01003888 .errstr_unpriv = "R0 pointer += pointer",
3889 .errstr = "R0 invalid mem access 'inv'",
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02003890 .result_unpriv = REJECT,
Josef Bacik48461132016-09-28 10:54:32 -04003891 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02003892 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik48461132016-09-28 10:54:32 -04003893 },
Thomas Graf57a09bf2016-10-18 19:51:19 +02003894 {
3895 "multiple registers share map_lookup_elem result",
3896 .insns = {
3897 BPF_MOV64_IMM(BPF_REG_1, 10),
3898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3901 BPF_LD_MAP_FD(BPF_REG_1, 0),
3902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3903 BPF_FUNC_map_lookup_elem),
3904 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3906 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3907 BPF_EXIT_INSN(),
3908 },
3909 .fixup_map1 = { 4 },
3910 .result = ACCEPT,
3911 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3912 },
3913 {
Daniel Borkmann614d0d72017-05-25 01:05:09 +02003914 "alu ops on ptr_to_map_value_or_null, 1",
3915 .insns = {
3916 BPF_MOV64_IMM(BPF_REG_1, 10),
3917 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3920 BPF_LD_MAP_FD(BPF_REG_1, 0),
3921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3922 BPF_FUNC_map_lookup_elem),
3923 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3927 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3928 BPF_EXIT_INSN(),
3929 },
3930 .fixup_map1 = { 4 },
3931 .errstr = "R4 invalid mem access",
3932 .result = REJECT,
3933 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3934 },
3935 {
3936 "alu ops on ptr_to_map_value_or_null, 2",
3937 .insns = {
3938 BPF_MOV64_IMM(BPF_REG_1, 10),
3939 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3942 BPF_LD_MAP_FD(BPF_REG_1, 0),
3943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3944 BPF_FUNC_map_lookup_elem),
3945 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3946 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3948 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3949 BPF_EXIT_INSN(),
3950 },
3951 .fixup_map1 = { 4 },
3952 .errstr = "R4 invalid mem access",
3953 .result = REJECT,
3954 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3955 },
3956 {
3957 "alu ops on ptr_to_map_value_or_null, 3",
3958 .insns = {
3959 BPF_MOV64_IMM(BPF_REG_1, 10),
3960 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3963 BPF_LD_MAP_FD(BPF_REG_1, 0),
3964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965 BPF_FUNC_map_lookup_elem),
3966 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3967 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3969 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3970 BPF_EXIT_INSN(),
3971 },
3972 .fixup_map1 = { 4 },
3973 .errstr = "R4 invalid mem access",
3974 .result = REJECT,
3975 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3976 },
3977 {
Thomas Graf57a09bf2016-10-18 19:51:19 +02003978 "invalid memory access with multiple map_lookup_elem calls",
3979 .insns = {
3980 BPF_MOV64_IMM(BPF_REG_1, 10),
3981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3984 BPF_LD_MAP_FD(BPF_REG_1, 0),
3985 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3986 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3988 BPF_FUNC_map_lookup_elem),
3989 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3993 BPF_FUNC_map_lookup_elem),
3994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3995 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3996 BPF_EXIT_INSN(),
3997 },
3998 .fixup_map1 = { 4 },
3999 .result = REJECT,
4000 .errstr = "R4 !read_ok",
4001 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4002 },
4003 {
4004 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4005 .insns = {
4006 BPF_MOV64_IMM(BPF_REG_1, 10),
4007 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4010 BPF_LD_MAP_FD(BPF_REG_1, 0),
4011 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4012 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4014 BPF_FUNC_map_lookup_elem),
4015 BPF_MOV64_IMM(BPF_REG_2, 10),
4016 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4020 BPF_FUNC_map_lookup_elem),
4021 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4022 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4023 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4024 BPF_EXIT_INSN(),
4025 },
4026 .fixup_map1 = { 4 },
4027 .result = ACCEPT,
4028 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4029 },
Josef Bacike9548902016-11-29 12:35:19 -05004030 {
4031 "invalid map access from else condition",
4032 .insns = {
4033 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4036 BPF_LD_MAP_FD(BPF_REG_1, 0),
4037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4039 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4040 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4042 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4043 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4044 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4045 BPF_EXIT_INSN(),
4046 },
4047 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004048 .errstr = "R0 unbounded memory access",
Josef Bacike9548902016-11-29 12:35:19 -05004049 .result = REJECT,
Edward Creef65b1842017-08-07 15:27:12 +01004050 .errstr_unpriv = "R0 leaks addr",
Josef Bacike9548902016-11-29 12:35:19 -05004051 .result_unpriv = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02004052 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacike9548902016-11-29 12:35:19 -05004053 },
Gianluca Borello3c8397442016-12-03 12:31:33 -08004054 {
4055 "constant register |= constant should keep constant type",
4056 .insns = {
4057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4059 BPF_MOV64_IMM(BPF_REG_2, 34),
4060 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4061 BPF_MOV64_IMM(BPF_REG_3, 0),
4062 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4063 BPF_EXIT_INSN(),
4064 },
4065 .result = ACCEPT,
4066 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4067 },
4068 {
4069 "constant register |= constant should not bypass stack boundary checks",
4070 .insns = {
4071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4073 BPF_MOV64_IMM(BPF_REG_2, 34),
4074 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4075 BPF_MOV64_IMM(BPF_REG_3, 0),
4076 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4077 BPF_EXIT_INSN(),
4078 },
4079 .errstr = "invalid stack type R1 off=-48 access_size=58",
4080 .result = REJECT,
4081 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4082 },
4083 {
4084 "constant register |= constant register should keep constant type",
4085 .insns = {
4086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4088 BPF_MOV64_IMM(BPF_REG_2, 34),
4089 BPF_MOV64_IMM(BPF_REG_4, 13),
4090 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4091 BPF_MOV64_IMM(BPF_REG_3, 0),
4092 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4093 BPF_EXIT_INSN(),
4094 },
4095 .result = ACCEPT,
4096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4097 },
4098 {
4099 "constant register |= constant register should not bypass stack boundary checks",
4100 .insns = {
4101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4103 BPF_MOV64_IMM(BPF_REG_2, 34),
4104 BPF_MOV64_IMM(BPF_REG_4, 24),
4105 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4106 BPF_MOV64_IMM(BPF_REG_3, 0),
4107 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4108 BPF_EXIT_INSN(),
4109 },
4110 .errstr = "invalid stack type R1 off=-48 access_size=58",
4111 .result = REJECT,
4112 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4113 },
Thomas Graf3f731d82016-12-05 10:30:52 +01004114 {
4115 "invalid direct packet write for LWT_IN",
4116 .insns = {
4117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4118 offsetof(struct __sk_buff, data)),
4119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4120 offsetof(struct __sk_buff, data_end)),
4121 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4123 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4124 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4125 BPF_MOV64_IMM(BPF_REG_0, 0),
4126 BPF_EXIT_INSN(),
4127 },
4128 .errstr = "cannot write into packet",
4129 .result = REJECT,
4130 .prog_type = BPF_PROG_TYPE_LWT_IN,
4131 },
4132 {
4133 "invalid direct packet write for LWT_OUT",
4134 .insns = {
4135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4136 offsetof(struct __sk_buff, data)),
4137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4138 offsetof(struct __sk_buff, data_end)),
4139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4141 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4142 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4143 BPF_MOV64_IMM(BPF_REG_0, 0),
4144 BPF_EXIT_INSN(),
4145 },
4146 .errstr = "cannot write into packet",
4147 .result = REJECT,
4148 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4149 },
4150 {
4151 "direct packet write for LWT_XMIT",
4152 .insns = {
4153 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4154 offsetof(struct __sk_buff, data)),
4155 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4156 offsetof(struct __sk_buff, data_end)),
4157 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4159 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4160 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4161 BPF_MOV64_IMM(BPF_REG_0, 0),
4162 BPF_EXIT_INSN(),
4163 },
4164 .result = ACCEPT,
4165 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4166 },
4167 {
4168 "direct packet read for LWT_IN",
4169 .insns = {
4170 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4171 offsetof(struct __sk_buff, data)),
4172 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4173 offsetof(struct __sk_buff, data_end)),
4174 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4176 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4177 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4178 BPF_MOV64_IMM(BPF_REG_0, 0),
4179 BPF_EXIT_INSN(),
4180 },
4181 .result = ACCEPT,
4182 .prog_type = BPF_PROG_TYPE_LWT_IN,
4183 },
4184 {
4185 "direct packet read for LWT_OUT",
4186 .insns = {
4187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4188 offsetof(struct __sk_buff, data)),
4189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4190 offsetof(struct __sk_buff, data_end)),
4191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4193 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4194 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4195 BPF_MOV64_IMM(BPF_REG_0, 0),
4196 BPF_EXIT_INSN(),
4197 },
4198 .result = ACCEPT,
4199 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4200 },
4201 {
4202 "direct packet read for LWT_XMIT",
4203 .insns = {
4204 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4205 offsetof(struct __sk_buff, data)),
4206 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4207 offsetof(struct __sk_buff, data_end)),
4208 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4210 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4211 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4212 BPF_MOV64_IMM(BPF_REG_0, 0),
4213 BPF_EXIT_INSN(),
4214 },
4215 .result = ACCEPT,
4216 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4217 },
4218 {
Alexei Starovoitovb1977682017-03-24 15:57:33 -07004219 "overlapping checks for direct packet access",
4220 .insns = {
4221 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4222 offsetof(struct __sk_buff, data)),
4223 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4224 offsetof(struct __sk_buff, data_end)),
4225 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4227 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4230 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4231 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4232 BPF_MOV64_IMM(BPF_REG_0, 0),
4233 BPF_EXIT_INSN(),
4234 },
4235 .result = ACCEPT,
4236 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4237 },
4238 {
Thomas Graf3f731d82016-12-05 10:30:52 +01004239 "invalid access of tc_classid for LWT_IN",
4240 .insns = {
4241 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4242 offsetof(struct __sk_buff, tc_classid)),
4243 BPF_EXIT_INSN(),
4244 },
4245 .result = REJECT,
4246 .errstr = "invalid bpf_context access",
4247 },
4248 {
4249 "invalid access of tc_classid for LWT_OUT",
4250 .insns = {
4251 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4252 offsetof(struct __sk_buff, tc_classid)),
4253 BPF_EXIT_INSN(),
4254 },
4255 .result = REJECT,
4256 .errstr = "invalid bpf_context access",
4257 },
4258 {
4259 "invalid access of tc_classid for LWT_XMIT",
4260 .insns = {
4261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4262 offsetof(struct __sk_buff, tc_classid)),
4263 BPF_EXIT_INSN(),
4264 },
4265 .result = REJECT,
4266 .errstr = "invalid bpf_context access",
4267 },
Gianluca Borello57225692017-01-09 10:19:47 -08004268 {
Daniel Borkmann6bdf6ab2017-06-29 03:04:59 +02004269 "leak pointer into ctx 1",
4270 .insns = {
4271 BPF_MOV64_IMM(BPF_REG_0, 0),
4272 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4273 offsetof(struct __sk_buff, cb[0])),
4274 BPF_LD_MAP_FD(BPF_REG_2, 0),
4275 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4276 offsetof(struct __sk_buff, cb[0])),
4277 BPF_EXIT_INSN(),
4278 },
4279 .fixup_map1 = { 2 },
4280 .errstr_unpriv = "R2 leaks addr into mem",
4281 .result_unpriv = REJECT,
4282 .result = ACCEPT,
4283 },
4284 {
4285 "leak pointer into ctx 2",
4286 .insns = {
4287 BPF_MOV64_IMM(BPF_REG_0, 0),
4288 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4289 offsetof(struct __sk_buff, cb[0])),
4290 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4291 offsetof(struct __sk_buff, cb[0])),
4292 BPF_EXIT_INSN(),
4293 },
4294 .errstr_unpriv = "R10 leaks addr into mem",
4295 .result_unpriv = REJECT,
4296 .result = ACCEPT,
4297 },
4298 {
4299 "leak pointer into ctx 3",
4300 .insns = {
4301 BPF_MOV64_IMM(BPF_REG_0, 0),
4302 BPF_LD_MAP_FD(BPF_REG_2, 0),
4303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4304 offsetof(struct __sk_buff, cb[0])),
4305 BPF_EXIT_INSN(),
4306 },
4307 .fixup_map1 = { 1 },
4308 .errstr_unpriv = "R2 leaks addr into ctx",
4309 .result_unpriv = REJECT,
4310 .result = ACCEPT,
4311 },
4312 {
4313 "leak pointer into map val",
4314 .insns = {
4315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4319 BPF_LD_MAP_FD(BPF_REG_1, 0),
4320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4321 BPF_FUNC_map_lookup_elem),
4322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4323 BPF_MOV64_IMM(BPF_REG_3, 0),
4324 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4325 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4326 BPF_MOV64_IMM(BPF_REG_0, 0),
4327 BPF_EXIT_INSN(),
4328 },
4329 .fixup_map1 = { 4 },
4330 .errstr_unpriv = "R6 leaks addr into mem",
4331 .result_unpriv = REJECT,
4332 .result = ACCEPT,
4333 },
4334 {
Gianluca Borello57225692017-01-09 10:19:47 -08004335 "helper access to map: full range",
4336 .insns = {
4337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4339 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4340 BPF_LD_MAP_FD(BPF_REG_1, 0),
4341 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4344 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4345 BPF_MOV64_IMM(BPF_REG_3, 0),
4346 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4347 BPF_EXIT_INSN(),
4348 },
4349 .fixup_map2 = { 3 },
4350 .result = ACCEPT,
4351 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4352 },
4353 {
4354 "helper access to map: partial range",
4355 .insns = {
4356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4358 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4359 BPF_LD_MAP_FD(BPF_REG_1, 0),
4360 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4361 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4363 BPF_MOV64_IMM(BPF_REG_2, 8),
4364 BPF_MOV64_IMM(BPF_REG_3, 0),
4365 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4366 BPF_EXIT_INSN(),
4367 },
4368 .fixup_map2 = { 3 },
4369 .result = ACCEPT,
4370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4371 },
4372 {
4373 "helper access to map: empty range",
4374 .insns = {
4375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4382 BPF_MOV64_IMM(BPF_REG_2, 0),
4383 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
Gianluca Borello57225692017-01-09 10:19:47 -08004384 BPF_EXIT_INSN(),
4385 },
4386 .fixup_map2 = { 3 },
4387 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4388 .result = REJECT,
4389 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4390 },
4391 {
4392 "helper access to map: out-of-bound range",
4393 .insns = {
4394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4396 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4397 BPF_LD_MAP_FD(BPF_REG_1, 0),
4398 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4400 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4401 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4402 BPF_MOV64_IMM(BPF_REG_3, 0),
4403 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4404 BPF_EXIT_INSN(),
4405 },
4406 .fixup_map2 = { 3 },
4407 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4408 .result = REJECT,
4409 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4410 },
4411 {
4412 "helper access to map: negative range",
4413 .insns = {
4414 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4416 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4417 BPF_LD_MAP_FD(BPF_REG_1, 0),
4418 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4421 BPF_MOV64_IMM(BPF_REG_2, -8),
4422 BPF_MOV64_IMM(BPF_REG_3, 0),
4423 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4424 BPF_EXIT_INSN(),
4425 },
4426 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004427 .errstr = "R2 min value is negative",
Gianluca Borello57225692017-01-09 10:19:47 -08004428 .result = REJECT,
4429 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4430 },
4431 {
4432 "helper access to adjusted map (via const imm): full range",
4433 .insns = {
4434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4436 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4437 BPF_LD_MAP_FD(BPF_REG_1, 0),
4438 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4442 offsetof(struct test_val, foo)),
4443 BPF_MOV64_IMM(BPF_REG_2,
4444 sizeof(struct test_val) -
4445 offsetof(struct test_val, foo)),
4446 BPF_MOV64_IMM(BPF_REG_3, 0),
4447 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4448 BPF_EXIT_INSN(),
4449 },
4450 .fixup_map2 = { 3 },
4451 .result = ACCEPT,
4452 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4453 },
4454 {
4455 "helper access to adjusted map (via const imm): partial range",
4456 .insns = {
4457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4459 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4460 BPF_LD_MAP_FD(BPF_REG_1, 0),
4461 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4462 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4465 offsetof(struct test_val, foo)),
4466 BPF_MOV64_IMM(BPF_REG_2, 8),
4467 BPF_MOV64_IMM(BPF_REG_3, 0),
4468 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4469 BPF_EXIT_INSN(),
4470 },
4471 .fixup_map2 = { 3 },
4472 .result = ACCEPT,
4473 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4474 },
4475 {
4476 "helper access to adjusted map (via const imm): empty range",
4477 .insns = {
4478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4480 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4481 BPF_LD_MAP_FD(BPF_REG_1, 0),
4482 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
Gianluca Borello57225692017-01-09 10:19:47 -08004484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4486 offsetof(struct test_val, foo)),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004487 BPF_MOV64_IMM(BPF_REG_2, 0),
4488 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
Gianluca Borello57225692017-01-09 10:19:47 -08004489 BPF_EXIT_INSN(),
4490 },
4491 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004492 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
Gianluca Borello57225692017-01-09 10:19:47 -08004493 .result = REJECT,
4494 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4495 },
4496 {
4497 "helper access to adjusted map (via const imm): out-of-bound range",
4498 .insns = {
4499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4501 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4502 BPF_LD_MAP_FD(BPF_REG_1, 0),
4503 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4507 offsetof(struct test_val, foo)),
4508 BPF_MOV64_IMM(BPF_REG_2,
4509 sizeof(struct test_val) -
4510 offsetof(struct test_val, foo) + 8),
4511 BPF_MOV64_IMM(BPF_REG_3, 0),
4512 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4513 BPF_EXIT_INSN(),
4514 },
4515 .fixup_map2 = { 3 },
4516 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4517 .result = REJECT,
4518 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4519 },
4520 {
4521 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4522 .insns = {
4523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4525 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4526 BPF_LD_MAP_FD(BPF_REG_1, 0),
4527 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4528 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4529 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4531 offsetof(struct test_val, foo)),
4532 BPF_MOV64_IMM(BPF_REG_2, -8),
4533 BPF_MOV64_IMM(BPF_REG_3, 0),
4534 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4535 BPF_EXIT_INSN(),
4536 },
4537 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004538 .errstr = "R2 min value is negative",
Gianluca Borello57225692017-01-09 10:19:47 -08004539 .result = REJECT,
4540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4541 },
4542 {
4543 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4544 .insns = {
4545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4547 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4548 BPF_LD_MAP_FD(BPF_REG_1, 0),
4549 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4553 offsetof(struct test_val, foo)),
4554 BPF_MOV64_IMM(BPF_REG_2, -1),
4555 BPF_MOV64_IMM(BPF_REG_3, 0),
4556 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4557 BPF_EXIT_INSN(),
4558 },
4559 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004560 .errstr = "R2 min value is negative",
Gianluca Borello57225692017-01-09 10:19:47 -08004561 .result = REJECT,
4562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4563 },
4564 {
4565 "helper access to adjusted map (via const reg): full range",
4566 .insns = {
4567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4570 BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4574 BPF_MOV64_IMM(BPF_REG_3,
4575 offsetof(struct test_val, foo)),
4576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4577 BPF_MOV64_IMM(BPF_REG_2,
4578 sizeof(struct test_val) -
4579 offsetof(struct test_val, foo)),
4580 BPF_MOV64_IMM(BPF_REG_3, 0),
4581 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4582 BPF_EXIT_INSN(),
4583 },
4584 .fixup_map2 = { 3 },
4585 .result = ACCEPT,
4586 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4587 },
4588 {
4589 "helper access to adjusted map (via const reg): partial range",
4590 .insns = {
4591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4593 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4594 BPF_LD_MAP_FD(BPF_REG_1, 0),
4595 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4597 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4598 BPF_MOV64_IMM(BPF_REG_3,
4599 offsetof(struct test_val, foo)),
4600 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4601 BPF_MOV64_IMM(BPF_REG_2, 8),
4602 BPF_MOV64_IMM(BPF_REG_3, 0),
4603 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4604 BPF_EXIT_INSN(),
4605 },
4606 .fixup_map2 = { 3 },
4607 .result = ACCEPT,
4608 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4609 },
4610 {
4611 "helper access to adjusted map (via const reg): empty range",
4612 .insns = {
4613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4615 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4616 BPF_LD_MAP_FD(BPF_REG_1, 0),
4617 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
Gianluca Borello57225692017-01-09 10:19:47 -08004619 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4620 BPF_MOV64_IMM(BPF_REG_3, 0),
4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004622 BPF_MOV64_IMM(BPF_REG_2, 0),
4623 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
Gianluca Borello57225692017-01-09 10:19:47 -08004624 BPF_EXIT_INSN(),
4625 },
4626 .fixup_map2 = { 3 },
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004627 .errstr = "R1 min value is outside of the array range",
Gianluca Borello57225692017-01-09 10:19:47 -08004628 .result = REJECT,
4629 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4630 },
4631 {
4632 "helper access to adjusted map (via const reg): out-of-bound range",
4633 .insns = {
4634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4636 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4637 BPF_LD_MAP_FD(BPF_REG_1, 0),
4638 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4641 BPF_MOV64_IMM(BPF_REG_3,
4642 offsetof(struct test_val, foo)),
4643 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4644 BPF_MOV64_IMM(BPF_REG_2,
4645 sizeof(struct test_val) -
4646 offsetof(struct test_val, foo) + 8),
4647 BPF_MOV64_IMM(BPF_REG_3, 0),
4648 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4649 BPF_EXIT_INSN(),
4650 },
4651 .fixup_map2 = { 3 },
4652 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4653 .result = REJECT,
4654 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4655 },
4656 {
4657 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4658 .insns = {
4659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4662 BPF_LD_MAP_FD(BPF_REG_1, 0),
4663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4666 BPF_MOV64_IMM(BPF_REG_3,
4667 offsetof(struct test_val, foo)),
4668 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4669 BPF_MOV64_IMM(BPF_REG_2, -8),
4670 BPF_MOV64_IMM(BPF_REG_3, 0),
4671 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4672 BPF_EXIT_INSN(),
4673 },
4674 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004675 .errstr = "R2 min value is negative",
Gianluca Borello57225692017-01-09 10:19:47 -08004676 .result = REJECT,
4677 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4678 },
4679 {
4680 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4681 .insns = {
4682 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4684 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4685 BPF_LD_MAP_FD(BPF_REG_1, 0),
4686 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4688 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4689 BPF_MOV64_IMM(BPF_REG_3,
4690 offsetof(struct test_val, foo)),
4691 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4692 BPF_MOV64_IMM(BPF_REG_2, -1),
4693 BPF_MOV64_IMM(BPF_REG_3, 0),
4694 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4695 BPF_EXIT_INSN(),
4696 },
4697 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004698 .errstr = "R2 min value is negative",
Gianluca Borello57225692017-01-09 10:19:47 -08004699 .result = REJECT,
4700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4701 },
4702 {
4703 "helper access to adjusted map (via variable): full range",
4704 .insns = {
4705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4707 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4708 BPF_LD_MAP_FD(BPF_REG_1, 0),
4709 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4712 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4713 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4714 offsetof(struct test_val, foo), 4),
4715 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4716 BPF_MOV64_IMM(BPF_REG_2,
4717 sizeof(struct test_val) -
4718 offsetof(struct test_val, foo)),
4719 BPF_MOV64_IMM(BPF_REG_3, 0),
4720 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4721 BPF_EXIT_INSN(),
4722 },
4723 .fixup_map2 = { 3 },
4724 .result = ACCEPT,
4725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4726 },
4727 {
4728 "helper access to adjusted map (via variable): partial range",
4729 .insns = {
4730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4733 BPF_LD_MAP_FD(BPF_REG_1, 0),
4734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4738 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4739 offsetof(struct test_val, foo), 4),
4740 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4741 BPF_MOV64_IMM(BPF_REG_2, 8),
4742 BPF_MOV64_IMM(BPF_REG_3, 0),
4743 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4744 BPF_EXIT_INSN(),
4745 },
4746 .fixup_map2 = { 3 },
4747 .result = ACCEPT,
4748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4749 },
4750 {
4751 "helper access to adjusted map (via variable): empty range",
4752 .insns = {
4753 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4756 BPF_LD_MAP_FD(BPF_REG_1, 0),
4757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
Gianluca Borello57225692017-01-09 10:19:47 -08004759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4761 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004762 offsetof(struct test_val, foo), 3),
Gianluca Borello57225692017-01-09 10:19:47 -08004763 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004764 BPF_MOV64_IMM(BPF_REG_2, 0),
4765 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
Gianluca Borello57225692017-01-09 10:19:47 -08004766 BPF_EXIT_INSN(),
4767 },
4768 .fixup_map2 = { 3 },
Yonghong Songf1a8b8e2017-11-21 11:23:40 -08004769 .errstr = "R1 min value is outside of the array range",
Gianluca Borello57225692017-01-09 10:19:47 -08004770 .result = REJECT,
4771 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4772 },
4773 {
4774 "helper access to adjusted map (via variable): no max check",
4775 .insns = {
4776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4779 BPF_LD_MAP_FD(BPF_REG_1, 0),
4780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4783 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4784 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
Edward Creef65b1842017-08-07 15:27:12 +01004785 BPF_MOV64_IMM(BPF_REG_2, 1),
Gianluca Borello57225692017-01-09 10:19:47 -08004786 BPF_MOV64_IMM(BPF_REG_3, 0),
4787 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4788 BPF_EXIT_INSN(),
4789 },
4790 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01004791 .errstr = "R1 unbounded memory access",
Gianluca Borello57225692017-01-09 10:19:47 -08004792 .result = REJECT,
4793 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4794 },
4795 {
4796 "helper access to adjusted map (via variable): wrong max check",
4797 .insns = {
4798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4800 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4801 BPF_LD_MAP_FD(BPF_REG_1, 0),
4802 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4806 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4807 offsetof(struct test_val, foo), 4),
4808 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4809 BPF_MOV64_IMM(BPF_REG_2,
4810 sizeof(struct test_val) -
4811 offsetof(struct test_val, foo) + 1),
4812 BPF_MOV64_IMM(BPF_REG_3, 0),
4813 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4814 BPF_EXIT_INSN(),
4815 },
4816 .fixup_map2 = { 3 },
4817 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4818 .result = REJECT,
4819 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4820 },
Gianluca Borellof0318d02017-01-09 10:19:48 -08004821 {
Daniel Borkmann31e482b2017-08-10 01:40:03 +02004822 "helper access to map: bounds check using <, good access",
4823 .insns = {
4824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4826 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4827 BPF_LD_MAP_FD(BPF_REG_1, 0),
4828 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4831 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4832 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4833 BPF_MOV64_IMM(BPF_REG_0, 0),
4834 BPF_EXIT_INSN(),
4835 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4836 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4837 BPF_MOV64_IMM(BPF_REG_0, 0),
4838 BPF_EXIT_INSN(),
4839 },
4840 .fixup_map2 = { 3 },
4841 .result = ACCEPT,
4842 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4843 },
4844 {
4845 "helper access to map: bounds check using <, bad access",
4846 .insns = {
4847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4849 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4850 BPF_LD_MAP_FD(BPF_REG_1, 0),
4851 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4855 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4856 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4857 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4858 BPF_MOV64_IMM(BPF_REG_0, 0),
4859 BPF_EXIT_INSN(),
4860 BPF_MOV64_IMM(BPF_REG_0, 0),
4861 BPF_EXIT_INSN(),
4862 },
4863 .fixup_map2 = { 3 },
4864 .result = REJECT,
4865 .errstr = "R1 unbounded memory access",
4866 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4867 },
4868 {
4869 "helper access to map: bounds check using <=, good access",
4870 .insns = {
4871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4873 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4874 BPF_LD_MAP_FD(BPF_REG_1, 0),
4875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4879 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4880 BPF_MOV64_IMM(BPF_REG_0, 0),
4881 BPF_EXIT_INSN(),
4882 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4883 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4884 BPF_MOV64_IMM(BPF_REG_0, 0),
4885 BPF_EXIT_INSN(),
4886 },
4887 .fixup_map2 = { 3 },
4888 .result = ACCEPT,
4889 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4890 },
4891 {
4892 "helper access to map: bounds check using <=, bad access",
4893 .insns = {
4894 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4896 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4897 BPF_LD_MAP_FD(BPF_REG_1, 0),
4898 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4901 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4902 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
4903 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4904 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4905 BPF_MOV64_IMM(BPF_REG_0, 0),
4906 BPF_EXIT_INSN(),
4907 BPF_MOV64_IMM(BPF_REG_0, 0),
4908 BPF_EXIT_INSN(),
4909 },
4910 .fixup_map2 = { 3 },
4911 .result = REJECT,
4912 .errstr = "R1 unbounded memory access",
4913 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4914 },
4915 {
4916 "helper access to map: bounds check using s<, good access",
4917 .insns = {
4918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4920 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4921 BPF_LD_MAP_FD(BPF_REG_1, 0),
4922 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4925 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4926 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4927 BPF_MOV64_IMM(BPF_REG_0, 0),
4928 BPF_EXIT_INSN(),
4929 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
4930 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4931 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4932 BPF_MOV64_IMM(BPF_REG_0, 0),
4933 BPF_EXIT_INSN(),
4934 },
4935 .fixup_map2 = { 3 },
4936 .result = ACCEPT,
4937 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4938 },
4939 {
4940 "helper access to map: bounds check using s<, good access 2",
4941 .insns = {
4942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4944 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4945 BPF_LD_MAP_FD(BPF_REG_1, 0),
4946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4950 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4951 BPF_MOV64_IMM(BPF_REG_0, 0),
4952 BPF_EXIT_INSN(),
4953 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4954 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4955 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4956 BPF_MOV64_IMM(BPF_REG_0, 0),
4957 BPF_EXIT_INSN(),
4958 },
4959 .fixup_map2 = { 3 },
4960 .result = ACCEPT,
4961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4962 },
4963 {
4964 "helper access to map: bounds check using s<, bad access",
4965 .insns = {
4966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4968 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4969 BPF_LD_MAP_FD(BPF_REG_1, 0),
4970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4973 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
4974 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4975 BPF_MOV64_IMM(BPF_REG_0, 0),
4976 BPF_EXIT_INSN(),
4977 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4978 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4979 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4980 BPF_MOV64_IMM(BPF_REG_0, 0),
4981 BPF_EXIT_INSN(),
4982 },
4983 .fixup_map2 = { 3 },
4984 .result = REJECT,
4985 .errstr = "R1 min value is negative",
4986 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4987 },
4988 {
4989 "helper access to map: bounds check using s<=, good access",
4990 .insns = {
4991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4993 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4994 BPF_LD_MAP_FD(BPF_REG_1, 0),
4995 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4998 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4999 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5000 BPF_MOV64_IMM(BPF_REG_0, 0),
5001 BPF_EXIT_INSN(),
5002 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5003 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5004 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5005 BPF_MOV64_IMM(BPF_REG_0, 0),
5006 BPF_EXIT_INSN(),
5007 },
5008 .fixup_map2 = { 3 },
5009 .result = ACCEPT,
5010 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5011 },
5012 {
5013 "helper access to map: bounds check using s<=, good access 2",
5014 .insns = {
5015 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5017 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5018 BPF_LD_MAP_FD(BPF_REG_1, 0),
5019 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5020 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5023 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5024 BPF_MOV64_IMM(BPF_REG_0, 0),
5025 BPF_EXIT_INSN(),
5026 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5027 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5028 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5029 BPF_MOV64_IMM(BPF_REG_0, 0),
5030 BPF_EXIT_INSN(),
5031 },
5032 .fixup_map2 = { 3 },
5033 .result = ACCEPT,
5034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5035 },
5036 {
5037 "helper access to map: bounds check using s<=, bad access",
5038 .insns = {
5039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5041 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5042 BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5044 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5045 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5046 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5047 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5048 BPF_MOV64_IMM(BPF_REG_0, 0),
5049 BPF_EXIT_INSN(),
5050 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5051 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5052 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5053 BPF_MOV64_IMM(BPF_REG_0, 0),
5054 BPF_EXIT_INSN(),
5055 },
5056 .fixup_map2 = { 3 },
5057 .result = REJECT,
5058 .errstr = "R1 min value is negative",
5059 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5060 },
5061 {
Gianluca Borellof0318d02017-01-09 10:19:48 -08005062 "map element value is preserved across register spilling",
5063 .insns = {
5064 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5066 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5067 BPF_LD_MAP_FD(BPF_REG_1, 0),
5068 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5070 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5073 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5074 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5075 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5076 BPF_EXIT_INSN(),
5077 },
5078 .fixup_map2 = { 3 },
5079 .errstr_unpriv = "R0 leaks addr",
5080 .result = ACCEPT,
5081 .result_unpriv = REJECT,
5082 },
5083 {
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005084 "map element value or null is marked on register spilling",
5085 .insns = {
5086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5088 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5089 BPF_LD_MAP_FD(BPF_REG_1, 0),
5090 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5093 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5094 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5095 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5096 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5097 BPF_EXIT_INSN(),
5098 },
5099 .fixup_map2 = { 3 },
5100 .errstr_unpriv = "R0 leaks addr",
5101 .result = ACCEPT,
5102 .result_unpriv = REJECT,
5103 },
5104 {
5105 "map element value store of cleared call register",
5106 .insns = {
5107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5109 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5110 BPF_LD_MAP_FD(BPF_REG_1, 0),
5111 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5113 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5114 BPF_EXIT_INSN(),
5115 },
5116 .fixup_map2 = { 3 },
5117 .errstr_unpriv = "R1 !read_ok",
5118 .errstr = "R1 !read_ok",
5119 .result = REJECT,
5120 .result_unpriv = REJECT,
5121 },
5122 {
5123 "map element value with unaligned store",
5124 .insns = {
5125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5127 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5128 BPF_LD_MAP_FD(BPF_REG_1, 0),
5129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5132 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5133 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5134 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5135 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5136 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5137 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5138 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5140 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5141 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5142 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5143 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5145 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5146 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5147 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5148 BPF_EXIT_INSN(),
5149 },
5150 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005151 .errstr_unpriv = "R0 leaks addr",
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005152 .result = ACCEPT,
5153 .result_unpriv = REJECT,
5154 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5155 },
5156 {
5157 "map element value with unaligned load",
5158 .insns = {
5159 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5161 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5162 BPF_LD_MAP_FD(BPF_REG_1, 0),
5163 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5165 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5166 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5168 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5169 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5170 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5171 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5172 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5174 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5175 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5176 BPF_EXIT_INSN(),
5177 },
5178 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005179 .errstr_unpriv = "R0 leaks addr",
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005180 .result = ACCEPT,
5181 .result_unpriv = REJECT,
5182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5183 },
5184 {
5185 "map element value illegal alu op, 1",
5186 .insns = {
5187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5189 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5190 BPF_LD_MAP_FD(BPF_REG_1, 0),
5191 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5193 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5194 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5195 BPF_EXIT_INSN(),
5196 },
5197 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005198 .errstr_unpriv = "R0 bitwise operator &= on pointer",
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005199 .errstr = "invalid mem access 'inv'",
5200 .result = REJECT,
5201 .result_unpriv = REJECT,
5202 },
5203 {
5204 "map element value illegal alu op, 2",
5205 .insns = {
5206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5208 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5209 BPF_LD_MAP_FD(BPF_REG_1, 0),
5210 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5211 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5212 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5213 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5214 BPF_EXIT_INSN(),
5215 },
5216 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005217 .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited",
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005218 .errstr = "invalid mem access 'inv'",
5219 .result = REJECT,
5220 .result_unpriv = REJECT,
5221 },
5222 {
5223 "map element value illegal alu op, 3",
5224 .insns = {
5225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5227 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5228 BPF_LD_MAP_FD(BPF_REG_1, 0),
5229 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5231 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5232 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5233 BPF_EXIT_INSN(),
5234 },
5235 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005236 .errstr_unpriv = "R0 pointer arithmetic with /= operator",
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005237 .errstr = "invalid mem access 'inv'",
5238 .result = REJECT,
5239 .result_unpriv = REJECT,
5240 },
5241 {
5242 "map element value illegal alu op, 4",
5243 .insns = {
5244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5246 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5247 BPF_LD_MAP_FD(BPF_REG_1, 0),
5248 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5250 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5251 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5252 BPF_EXIT_INSN(),
5253 },
5254 .fixup_map2 = { 3 },
5255 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5256 .errstr = "invalid mem access 'inv'",
5257 .result = REJECT,
5258 .result_unpriv = REJECT,
5259 },
5260 {
5261 "map element value illegal alu op, 5",
5262 .insns = {
5263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5265 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5266 BPF_LD_MAP_FD(BPF_REG_1, 0),
5267 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5269 BPF_MOV64_IMM(BPF_REG_3, 4096),
5270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5272 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5273 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5274 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5275 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5276 BPF_EXIT_INSN(),
5277 },
5278 .fixup_map2 = { 3 },
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005279 .errstr = "R0 invalid mem access 'inv'",
5280 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005281 },
5282 {
5283 "map element value is preserved across register spilling",
Gianluca Borellof0318d02017-01-09 10:19:48 -08005284 .insns = {
5285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5288 BPF_LD_MAP_FD(BPF_REG_1, 0),
5289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5292 offsetof(struct test_val, foo)),
5293 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5296 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5297 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5298 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5299 BPF_EXIT_INSN(),
5300 },
5301 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005302 .errstr_unpriv = "R0 leaks addr",
Gianluca Borellof0318d02017-01-09 10:19:48 -08005303 .result = ACCEPT,
5304 .result_unpriv = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005305 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Gianluca Borellof0318d02017-01-09 10:19:48 -08005306 },
Gianluca Borello06c1c042017-01-09 10:19:49 -08005307 {
5308 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5309 .insns = {
5310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5312 BPF_MOV64_IMM(BPF_REG_0, 0),
5313 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5314 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5316 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5318 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5319 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5320 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5321 BPF_MOV64_IMM(BPF_REG_2, 16),
5322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5323 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5324 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5325 BPF_MOV64_IMM(BPF_REG_4, 0),
5326 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5327 BPF_MOV64_IMM(BPF_REG_3, 0),
5328 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5329 BPF_MOV64_IMM(BPF_REG_0, 0),
5330 BPF_EXIT_INSN(),
5331 },
5332 .result = ACCEPT,
5333 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5334 },
5335 {
5336 "helper access to variable memory: stack, bitwise AND, zero included",
5337 .insns = {
5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5340 BPF_MOV64_IMM(BPF_REG_2, 16),
5341 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5342 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5343 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5344 BPF_MOV64_IMM(BPF_REG_3, 0),
5345 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5346 BPF_EXIT_INSN(),
5347 },
Yonghong Songb6ff6392017-11-12 14:49:11 -08005348 .errstr = "invalid indirect read from stack off -64+0 size 64",
Gianluca Borello06c1c042017-01-09 10:19:49 -08005349 .result = REJECT,
5350 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5351 },
5352 {
5353 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5354 .insns = {
5355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5357 BPF_MOV64_IMM(BPF_REG_2, 16),
5358 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5359 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5360 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5361 BPF_MOV64_IMM(BPF_REG_4, 0),
5362 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5363 BPF_MOV64_IMM(BPF_REG_3, 0),
5364 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5365 BPF_MOV64_IMM(BPF_REG_0, 0),
5366 BPF_EXIT_INSN(),
5367 },
5368 .errstr = "invalid stack type R1 off=-64 access_size=65",
5369 .result = REJECT,
5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371 },
5372 {
5373 "helper access to variable memory: stack, JMP, correct bounds",
5374 .insns = {
5375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5377 BPF_MOV64_IMM(BPF_REG_0, 0),
5378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5379 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5381 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5386 BPF_MOV64_IMM(BPF_REG_2, 16),
5387 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5388 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5389 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5390 BPF_MOV64_IMM(BPF_REG_4, 0),
5391 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5392 BPF_MOV64_IMM(BPF_REG_3, 0),
5393 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5394 BPF_MOV64_IMM(BPF_REG_0, 0),
5395 BPF_EXIT_INSN(),
5396 },
5397 .result = ACCEPT,
5398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5399 },
5400 {
5401 "helper access to variable memory: stack, JMP (signed), correct bounds",
5402 .insns = {
5403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5405 BPF_MOV64_IMM(BPF_REG_0, 0),
5406 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5408 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5414 BPF_MOV64_IMM(BPF_REG_2, 16),
5415 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5416 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5417 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5418 BPF_MOV64_IMM(BPF_REG_4, 0),
5419 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5420 BPF_MOV64_IMM(BPF_REG_3, 0),
5421 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5422 BPF_MOV64_IMM(BPF_REG_0, 0),
5423 BPF_EXIT_INSN(),
5424 },
5425 .result = ACCEPT,
5426 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5427 },
5428 {
5429 "helper access to variable memory: stack, JMP, bounds + offset",
5430 .insns = {
5431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5433 BPF_MOV64_IMM(BPF_REG_2, 16),
5434 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5435 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5436 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5437 BPF_MOV64_IMM(BPF_REG_4, 0),
5438 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5440 BPF_MOV64_IMM(BPF_REG_3, 0),
5441 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 BPF_MOV64_IMM(BPF_REG_0, 0),
5443 BPF_EXIT_INSN(),
5444 },
5445 .errstr = "invalid stack type R1 off=-64 access_size=65",
5446 .result = REJECT,
5447 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5448 },
5449 {
5450 "helper access to variable memory: stack, JMP, wrong max",
5451 .insns = {
5452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5454 BPF_MOV64_IMM(BPF_REG_2, 16),
5455 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5457 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5458 BPF_MOV64_IMM(BPF_REG_4, 0),
5459 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5460 BPF_MOV64_IMM(BPF_REG_3, 0),
5461 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5462 BPF_MOV64_IMM(BPF_REG_0, 0),
5463 BPF_EXIT_INSN(),
5464 },
5465 .errstr = "invalid stack type R1 off=-64 access_size=65",
5466 .result = REJECT,
5467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5468 },
5469 {
5470 "helper access to variable memory: stack, JMP, no max check",
5471 .insns = {
5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5474 BPF_MOV64_IMM(BPF_REG_2, 16),
5475 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5477 BPF_MOV64_IMM(BPF_REG_4, 0),
5478 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5479 BPF_MOV64_IMM(BPF_REG_3, 0),
5480 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5481 BPF_MOV64_IMM(BPF_REG_0, 0),
5482 BPF_EXIT_INSN(),
5483 },
Edward Creef65b1842017-08-07 15:27:12 +01005484 /* because max wasn't checked, signed min is negative */
5485 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
Gianluca Borello06c1c042017-01-09 10:19:49 -08005486 .result = REJECT,
5487 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5488 },
5489 {
5490 "helper access to variable memory: stack, JMP, no min check",
5491 .insns = {
5492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5494 BPF_MOV64_IMM(BPF_REG_2, 16),
5495 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5496 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5497 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5498 BPF_MOV64_IMM(BPF_REG_3, 0),
5499 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5500 BPF_MOV64_IMM(BPF_REG_0, 0),
5501 BPF_EXIT_INSN(),
5502 },
Yonghong Songb6ff6392017-11-12 14:49:11 -08005503 .errstr = "invalid indirect read from stack off -64+0 size 64",
Gianluca Borello06c1c042017-01-09 10:19:49 -08005504 .result = REJECT,
5505 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5506 },
5507 {
5508 "helper access to variable memory: stack, JMP (signed), no min check",
5509 .insns = {
5510 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5512 BPF_MOV64_IMM(BPF_REG_2, 16),
5513 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5514 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5515 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5516 BPF_MOV64_IMM(BPF_REG_3, 0),
5517 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5518 BPF_MOV64_IMM(BPF_REG_0, 0),
5519 BPF_EXIT_INSN(),
5520 },
5521 .errstr = "R2 min value is negative",
5522 .result = REJECT,
5523 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5524 },
5525 {
5526 "helper access to variable memory: map, JMP, correct bounds",
5527 .insns = {
5528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5530 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5531 BPF_LD_MAP_FD(BPF_REG_1, 0),
5532 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5533 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5535 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5536 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5537 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5539 sizeof(struct test_val), 4),
5540 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmanna1502132017-07-21 00:00:23 +02005541 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
Gianluca Borello06c1c042017-01-09 10:19:49 -08005542 BPF_MOV64_IMM(BPF_REG_3, 0),
5543 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5544 BPF_MOV64_IMM(BPF_REG_0, 0),
5545 BPF_EXIT_INSN(),
5546 },
5547 .fixup_map2 = { 3 },
5548 .result = ACCEPT,
5549 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5550 },
5551 {
5552 "helper access to variable memory: map, JMP, wrong max",
5553 .insns = {
5554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557 BPF_LD_MAP_FD(BPF_REG_1, 0),
5558 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5562 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5563 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5564 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5565 sizeof(struct test_val) + 1, 4),
5566 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmanna1502132017-07-21 00:00:23 +02005567 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
Gianluca Borello06c1c042017-01-09 10:19:49 -08005568 BPF_MOV64_IMM(BPF_REG_3, 0),
5569 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5570 BPF_MOV64_IMM(BPF_REG_0, 0),
5571 BPF_EXIT_INSN(),
5572 },
5573 .fixup_map2 = { 3 },
5574 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5575 .result = REJECT,
5576 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5577 },
5578 {
5579 "helper access to variable memory: map adjusted, JMP, correct bounds",
5580 .insns = {
5581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5583 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5584 BPF_LD_MAP_FD(BPF_REG_1, 0),
5585 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5589 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5591 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5592 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5593 sizeof(struct test_val) - 20, 4),
5594 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmanna1502132017-07-21 00:00:23 +02005595 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
Gianluca Borello06c1c042017-01-09 10:19:49 -08005596 BPF_MOV64_IMM(BPF_REG_3, 0),
5597 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5598 BPF_MOV64_IMM(BPF_REG_0, 0),
5599 BPF_EXIT_INSN(),
5600 },
5601 .fixup_map2 = { 3 },
5602 .result = ACCEPT,
5603 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5604 },
5605 {
5606 "helper access to variable memory: map adjusted, JMP, wrong max",
5607 .insns = {
5608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5610 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5611 BPF_LD_MAP_FD(BPF_REG_1, 0),
5612 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5616 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5617 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5620 sizeof(struct test_val) - 19, 4),
5621 BPF_MOV64_IMM(BPF_REG_4, 0),
Daniel Borkmanna1502132017-07-21 00:00:23 +02005622 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
Gianluca Borello06c1c042017-01-09 10:19:49 -08005623 BPF_MOV64_IMM(BPF_REG_3, 0),
5624 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5625 BPF_MOV64_IMM(BPF_REG_0, 0),
5626 BPF_EXIT_INSN(),
5627 },
5628 .fixup_map2 = { 3 },
5629 .errstr = "R1 min value is outside of the array range",
5630 .result = REJECT,
5631 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5632 },
5633 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005634 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
Edward Creef65b1842017-08-07 15:27:12 +01005635 .insns = {
5636 BPF_MOV64_IMM(BPF_REG_1, 0),
5637 BPF_MOV64_IMM(BPF_REG_2, 0),
5638 BPF_MOV64_IMM(BPF_REG_3, 0),
5639 BPF_MOV64_IMM(BPF_REG_4, 0),
5640 BPF_MOV64_IMM(BPF_REG_5, 0),
5641 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5642 BPF_EXIT_INSN(),
5643 },
5644 .result = ACCEPT,
5645 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5646 },
5647 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005648 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
Gianluca Borello06c1c042017-01-09 10:19:49 -08005649 .insns = {
5650 BPF_MOV64_IMM(BPF_REG_1, 0),
5651 BPF_MOV64_IMM(BPF_REG_2, 0),
Daniel Borkmann3fadc802017-01-24 01:06:30 +01005652 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5653 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
Gianluca Borello06c1c042017-01-09 10:19:49 -08005654 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5655 BPF_MOV64_IMM(BPF_REG_3, 0),
5656 BPF_MOV64_IMM(BPF_REG_4, 0),
5657 BPF_MOV64_IMM(BPF_REG_5, 0),
5658 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5659 BPF_EXIT_INSN(),
5660 },
Edward Creef65b1842017-08-07 15:27:12 +01005661 .errstr = "R1 type=inv expected=fp",
Gianluca Borello06c1c042017-01-09 10:19:49 -08005662 .result = REJECT,
5663 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5664 },
5665 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005666 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
Gianluca Borello06c1c042017-01-09 10:19:49 -08005667 .insns = {
5668 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5670 BPF_MOV64_IMM(BPF_REG_2, 0),
5671 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5672 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5673 BPF_MOV64_IMM(BPF_REG_3, 0),
5674 BPF_MOV64_IMM(BPF_REG_4, 0),
5675 BPF_MOV64_IMM(BPF_REG_5, 0),
5676 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5677 BPF_EXIT_INSN(),
5678 },
Yonghong Songb6ff6392017-11-12 14:49:11 -08005679 .result = ACCEPT,
5680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5681 },
5682 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005683 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
Yonghong Songb6ff6392017-11-12 14:49:11 -08005684 .insns = {
5685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5688 BPF_LD_MAP_FD(BPF_REG_1, 0),
5689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5690 BPF_FUNC_map_lookup_elem),
5691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5693 BPF_MOV64_IMM(BPF_REG_2, 0),
5694 BPF_MOV64_IMM(BPF_REG_3, 0),
5695 BPF_MOV64_IMM(BPF_REG_4, 0),
5696 BPF_MOV64_IMM(BPF_REG_5, 0),
5697 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5698 BPF_EXIT_INSN(),
5699 },
5700 .fixup_map1 = { 3 },
5701 .result = ACCEPT,
5702 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5703 },
5704 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005705 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
Yonghong Songb6ff6392017-11-12 14:49:11 -08005706 .insns = {
5707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5710 BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5712 BPF_FUNC_map_lookup_elem),
5713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5714 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5715 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5718 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5719 BPF_MOV64_IMM(BPF_REG_3, 0),
5720 BPF_MOV64_IMM(BPF_REG_4, 0),
5721 BPF_MOV64_IMM(BPF_REG_5, 0),
5722 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5723 BPF_EXIT_INSN(),
5724 },
5725 .fixup_map1 = { 3 },
5726 .result = ACCEPT,
5727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5728 },
5729 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005730 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
Yonghong Songb6ff6392017-11-12 14:49:11 -08005731 .insns = {
5732 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737 BPF_FUNC_map_lookup_elem),
5738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5740 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5741 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5742 BPF_MOV64_IMM(BPF_REG_3, 0),
5743 BPF_MOV64_IMM(BPF_REG_4, 0),
5744 BPF_MOV64_IMM(BPF_REG_5, 0),
5745 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5746 BPF_EXIT_INSN(),
5747 },
5748 .fixup_map1 = { 3 },
5749 .result = ACCEPT,
5750 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5751 },
5752 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005753 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
Yonghong Songb6ff6392017-11-12 14:49:11 -08005754 .insns = {
5755 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5756 offsetof(struct __sk_buff, data)),
5757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5758 offsetof(struct __sk_buff, data_end)),
5759 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5761 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5763 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5764 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5765 BPF_MOV64_IMM(BPF_REG_3, 0),
5766 BPF_MOV64_IMM(BPF_REG_4, 0),
5767 BPF_MOV64_IMM(BPF_REG_5, 0),
5768 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5769 BPF_EXIT_INSN(),
5770 },
5771 .result = ACCEPT,
Gianluca Borello06c1c042017-01-09 10:19:49 -08005772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5773 },
5774 {
Gianluca Borellodb1ac492017-11-22 18:32:53 +00005775 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5776 .insns = {
5777 BPF_MOV64_IMM(BPF_REG_1, 0),
5778 BPF_MOV64_IMM(BPF_REG_2, 0),
5779 BPF_MOV64_IMM(BPF_REG_3, 0),
5780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5781 BPF_EXIT_INSN(),
5782 },
5783 .errstr = "R1 type=inv expected=fp",
5784 .result = REJECT,
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786 },
5787 {
5788 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5789 .insns = {
5790 BPF_MOV64_IMM(BPF_REG_1, 0),
5791 BPF_MOV64_IMM(BPF_REG_2, 1),
5792 BPF_MOV64_IMM(BPF_REG_3, 0),
5793 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5794 BPF_EXIT_INSN(),
5795 },
5796 .errstr = "R1 type=inv expected=fp",
5797 .result = REJECT,
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 },
5800 {
5801 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5802 .insns = {
5803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5805 BPF_MOV64_IMM(BPF_REG_2, 0),
5806 BPF_MOV64_IMM(BPF_REG_3, 0),
5807 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5808 BPF_EXIT_INSN(),
5809 },
5810 .result = ACCEPT,
5811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5812 },
5813 {
5814 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5815 .insns = {
5816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5819 BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5823 BPF_MOV64_IMM(BPF_REG_2, 0),
5824 BPF_MOV64_IMM(BPF_REG_3, 0),
5825 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5826 BPF_EXIT_INSN(),
5827 },
5828 .fixup_map1 = { 3 },
5829 .result = ACCEPT,
5830 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5831 },
5832 {
5833 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5834 .insns = {
5835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5838 BPF_LD_MAP_FD(BPF_REG_1, 0),
5839 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5841 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5842 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5845 BPF_MOV64_IMM(BPF_REG_3, 0),
5846 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5847 BPF_EXIT_INSN(),
5848 },
5849 .fixup_map1 = { 3 },
5850 .result = ACCEPT,
5851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5852 },
5853 {
5854 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5855 .insns = {
5856 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5859 BPF_LD_MAP_FD(BPF_REG_1, 0),
5860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5863 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5864 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5865 BPF_MOV64_IMM(BPF_REG_3, 0),
5866 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 BPF_EXIT_INSN(),
5868 },
5869 .fixup_map1 = { 3 },
5870 .result = ACCEPT,
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 },
5873 {
Gianluca Borello06c1c042017-01-09 10:19:49 -08005874 "helper access to variable memory: 8 bytes leak",
5875 .insns = {
5876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5878 BPF_MOV64_IMM(BPF_REG_0, 0),
5879 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5880 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5882 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5886 BPF_MOV64_IMM(BPF_REG_2, 0),
Daniel Borkmann3fadc802017-01-24 01:06:30 +01005887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
Gianluca Borello06c1c042017-01-09 10:19:49 -08005889 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5891 BPF_MOV64_IMM(BPF_REG_3, 0),
5892 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5894 BPF_EXIT_INSN(),
5895 },
5896 .errstr = "invalid indirect read from stack off -64+32 size 64",
5897 .result = REJECT,
5898 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5899 },
5900 {
5901 "helper access to variable memory: 8 bytes no leak (init memory)",
5902 .insns = {
5903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5904 BPF_MOV64_IMM(BPF_REG_0, 0),
5905 BPF_MOV64_IMM(BPF_REG_0, 0),
5906 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5911 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5912 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5913 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5915 BPF_MOV64_IMM(BPF_REG_2, 0),
5916 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5918 BPF_MOV64_IMM(BPF_REG_3, 0),
5919 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5920 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5921 BPF_EXIT_INSN(),
5922 },
5923 .result = ACCEPT,
5924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5925 },
Josef Bacik29200c12017-02-03 16:25:23 -05005926 {
5927 "invalid and of negative number",
5928 .insns = {
5929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5932 BPF_LD_MAP_FD(BPF_REG_1, 0),
5933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5934 BPF_FUNC_map_lookup_elem),
5935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
Edward Creef65b1842017-08-07 15:27:12 +01005936 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
Josef Bacik29200c12017-02-03 16:25:23 -05005937 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5938 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5939 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5940 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5941 offsetof(struct test_val, foo)),
5942 BPF_EXIT_INSN(),
5943 },
5944 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005945 .errstr = "R0 max value is outside of the array range",
Josef Bacik29200c12017-02-03 16:25:23 -05005946 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005947 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Josef Bacik29200c12017-02-03 16:25:23 -05005948 },
5949 {
5950 "invalid range check",
5951 .insns = {
5952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5955 BPF_LD_MAP_FD(BPF_REG_1, 0),
5956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5957 BPF_FUNC_map_lookup_elem),
5958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5959 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5960 BPF_MOV64_IMM(BPF_REG_9, 1),
5961 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5962 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5963 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5964 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5965 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5966 BPF_MOV32_IMM(BPF_REG_3, 1),
5967 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5968 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5969 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5970 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5971 BPF_MOV64_REG(BPF_REG_0, 0),
5972 BPF_EXIT_INSN(),
5973 },
5974 .fixup_map2 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01005975 .errstr = "R0 max value is outside of the array range",
Josef Bacik29200c12017-02-03 16:25:23 -05005976 .result = REJECT,
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02005977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07005978 },
5979 {
5980 "map in map access",
5981 .insns = {
5982 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5985 BPF_LD_MAP_FD(BPF_REG_1, 0),
5986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5987 BPF_FUNC_map_lookup_elem),
5988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5989 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5994 BPF_FUNC_map_lookup_elem),
5995 BPF_MOV64_REG(BPF_REG_0, 0),
5996 BPF_EXIT_INSN(),
5997 },
5998 .fixup_map_in_map = { 3 },
5999 .result = ACCEPT,
6000 },
6001 {
6002 "invalid inner map pointer",
6003 .insns = {
6004 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6007 BPF_LD_MAP_FD(BPF_REG_1, 0),
6008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6009 BPF_FUNC_map_lookup_elem),
6010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6011 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6017 BPF_FUNC_map_lookup_elem),
6018 BPF_MOV64_REG(BPF_REG_0, 0),
6019 BPF_EXIT_INSN(),
6020 },
6021 .fixup_map_in_map = { 3 },
6022 .errstr = "R1 type=inv expected=map_ptr",
Edward Creef65b1842017-08-07 15:27:12 +01006023 .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07006024 .result = REJECT,
6025 },
6026 {
6027 "forgot null checking on the inner map pointer",
6028 .insns = {
6029 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6032 BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6034 BPF_FUNC_map_lookup_elem),
6035 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6040 BPF_FUNC_map_lookup_elem),
6041 BPF_MOV64_REG(BPF_REG_0, 0),
6042 BPF_EXIT_INSN(),
6043 },
6044 .fixup_map_in_map = { 3 },
6045 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6046 .result = REJECT,
Daniel Borkmann614d0d72017-05-25 01:05:09 +02006047 },
6048 {
6049 "ld_abs: check calling conv, r1",
6050 .insns = {
6051 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6052 BPF_MOV64_IMM(BPF_REG_1, 0),
6053 BPF_LD_ABS(BPF_W, -0x200000),
6054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6055 BPF_EXIT_INSN(),
6056 },
6057 .errstr = "R1 !read_ok",
6058 .result = REJECT,
6059 },
6060 {
6061 "ld_abs: check calling conv, r2",
6062 .insns = {
6063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6064 BPF_MOV64_IMM(BPF_REG_2, 0),
6065 BPF_LD_ABS(BPF_W, -0x200000),
6066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6067 BPF_EXIT_INSN(),
6068 },
6069 .errstr = "R2 !read_ok",
6070 .result = REJECT,
6071 },
6072 {
6073 "ld_abs: check calling conv, r3",
6074 .insns = {
6075 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6076 BPF_MOV64_IMM(BPF_REG_3, 0),
6077 BPF_LD_ABS(BPF_W, -0x200000),
6078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6079 BPF_EXIT_INSN(),
6080 },
6081 .errstr = "R3 !read_ok",
6082 .result = REJECT,
6083 },
6084 {
6085 "ld_abs: check calling conv, r4",
6086 .insns = {
6087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6088 BPF_MOV64_IMM(BPF_REG_4, 0),
6089 BPF_LD_ABS(BPF_W, -0x200000),
6090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6091 BPF_EXIT_INSN(),
6092 },
6093 .errstr = "R4 !read_ok",
6094 .result = REJECT,
6095 },
6096 {
6097 "ld_abs: check calling conv, r5",
6098 .insns = {
6099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6100 BPF_MOV64_IMM(BPF_REG_5, 0),
6101 BPF_LD_ABS(BPF_W, -0x200000),
6102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6103 BPF_EXIT_INSN(),
6104 },
6105 .errstr = "R5 !read_ok",
6106 .result = REJECT,
6107 },
6108 {
6109 "ld_abs: check calling conv, r7",
6110 .insns = {
6111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6112 BPF_MOV64_IMM(BPF_REG_7, 0),
6113 BPF_LD_ABS(BPF_W, -0x200000),
6114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6115 BPF_EXIT_INSN(),
6116 },
6117 .result = ACCEPT,
6118 },
6119 {
6120 "ld_ind: check calling conv, r1",
6121 .insns = {
6122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6123 BPF_MOV64_IMM(BPF_REG_1, 1),
6124 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6126 BPF_EXIT_INSN(),
6127 },
6128 .errstr = "R1 !read_ok",
6129 .result = REJECT,
6130 },
6131 {
6132 "ld_ind: check calling conv, r2",
6133 .insns = {
6134 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6135 BPF_MOV64_IMM(BPF_REG_2, 1),
6136 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6137 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6138 BPF_EXIT_INSN(),
6139 },
6140 .errstr = "R2 !read_ok",
6141 .result = REJECT,
6142 },
6143 {
6144 "ld_ind: check calling conv, r3",
6145 .insns = {
6146 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6147 BPF_MOV64_IMM(BPF_REG_3, 1),
6148 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6149 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6150 BPF_EXIT_INSN(),
6151 },
6152 .errstr = "R3 !read_ok",
6153 .result = REJECT,
6154 },
6155 {
6156 "ld_ind: check calling conv, r4",
6157 .insns = {
6158 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6159 BPF_MOV64_IMM(BPF_REG_4, 1),
6160 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6161 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6162 BPF_EXIT_INSN(),
6163 },
6164 .errstr = "R4 !read_ok",
6165 .result = REJECT,
6166 },
6167 {
6168 "ld_ind: check calling conv, r5",
6169 .insns = {
6170 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6171 BPF_MOV64_IMM(BPF_REG_5, 1),
6172 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6174 BPF_EXIT_INSN(),
6175 },
6176 .errstr = "R5 !read_ok",
6177 .result = REJECT,
6178 },
6179 {
6180 "ld_ind: check calling conv, r7",
6181 .insns = {
6182 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6183 BPF_MOV64_IMM(BPF_REG_7, 1),
6184 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6185 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6186 BPF_EXIT_INSN(),
6187 },
6188 .result = ACCEPT,
6189 },
Yonghong Song18f3d6b2017-06-13 15:52:14 -07006190 {
6191 "check bpf_perf_event_data->sample_period byte load permitted",
6192 .insns = {
6193 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02006194#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07006195 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6196 offsetof(struct bpf_perf_event_data, sample_period)),
6197#else
6198 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6199 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6200#endif
6201 BPF_EXIT_INSN(),
6202 },
6203 .result = ACCEPT,
6204 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6205 },
6206 {
6207 "check bpf_perf_event_data->sample_period half load permitted",
6208 .insns = {
6209 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02006210#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07006211 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6212 offsetof(struct bpf_perf_event_data, sample_period)),
6213#else
6214 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6215 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6216#endif
6217 BPF_EXIT_INSN(),
6218 },
6219 .result = ACCEPT,
6220 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6221 },
6222 {
6223 "check bpf_perf_event_data->sample_period word load permitted",
6224 .insns = {
6225 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02006226#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07006227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6228 offsetof(struct bpf_perf_event_data, sample_period)),
6229#else
6230 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6231 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6232#endif
6233 BPF_EXIT_INSN(),
6234 },
6235 .result = ACCEPT,
6236 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6237 },
6238 {
6239 "check bpf_perf_event_data->sample_period dword load permitted",
6240 .insns = {
6241 BPF_MOV64_IMM(BPF_REG_0, 0),
6242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6243 offsetof(struct bpf_perf_event_data, sample_period)),
6244 BPF_EXIT_INSN(),
6245 },
6246 .result = ACCEPT,
6247 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6248 },
6249 {
6250 "check skb->data half load not permitted",
6251 .insns = {
6252 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02006253#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07006254 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6255 offsetof(struct __sk_buff, data)),
6256#else
6257 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6258 offsetof(struct __sk_buff, data) + 2),
6259#endif
6260 BPF_EXIT_INSN(),
6261 },
6262 .result = REJECT,
6263 .errstr = "invalid bpf_context access",
6264 },
6265 {
6266 "check skb->tc_classid half load not permitted for lwt prog",
6267 .insns = {
6268 BPF_MOV64_IMM(BPF_REG_0, 0),
Daniel Borkmann2c460622017-08-04 22:24:41 +02006269#if __BYTE_ORDER == __LITTLE_ENDIAN
Yonghong Song18f3d6b2017-06-13 15:52:14 -07006270 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6271 offsetof(struct __sk_buff, tc_classid)),
6272#else
6273 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6274 offsetof(struct __sk_buff, tc_classid) + 2),
6275#endif
6276 BPF_EXIT_INSN(),
6277 },
6278 .result = REJECT,
6279 .errstr = "invalid bpf_context access",
6280 .prog_type = BPF_PROG_TYPE_LWT_IN,
6281 },
Edward Creeb7122962017-07-21 00:00:24 +02006282 {
6283 "bounds checks mixing signed and unsigned, positive bounds",
6284 .insns = {
6285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6288 BPF_LD_MAP_FD(BPF_REG_1, 0),
6289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6290 BPF_FUNC_map_lookup_elem),
6291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6292 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6293 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6294 BPF_MOV64_IMM(BPF_REG_2, 2),
6295 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6296 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6297 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6298 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6299 BPF_MOV64_IMM(BPF_REG_0, 0),
6300 BPF_EXIT_INSN(),
6301 },
6302 .fixup_map1 = { 3 },
Edward Creeb7122962017-07-21 00:00:24 +02006303 .errstr = "R0 min value is negative",
6304 .result = REJECT,
Edward Creeb7122962017-07-21 00:00:24 +02006305 },
6306 {
6307 "bounds checks mixing signed and unsigned",
6308 .insns = {
6309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 BPF_LD_MAP_FD(BPF_REG_1, 0),
6313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6314 BPF_FUNC_map_lookup_elem),
6315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6317 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6318 BPF_MOV64_IMM(BPF_REG_2, -1),
6319 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6320 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6321 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6322 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6323 BPF_MOV64_IMM(BPF_REG_0, 0),
6324 BPF_EXIT_INSN(),
6325 },
6326 .fixup_map1 = { 3 },
Edward Creeb7122962017-07-21 00:00:24 +02006327 .errstr = "R0 min value is negative",
6328 .result = REJECT,
Edward Creeb7122962017-07-21 00:00:24 +02006329 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006330 {
6331 "bounds checks mixing signed and unsigned, variant 2",
6332 .insns = {
6333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6336 BPF_LD_MAP_FD(BPF_REG_1, 0),
6337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6338 BPF_FUNC_map_lookup_elem),
6339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6340 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6342 BPF_MOV64_IMM(BPF_REG_2, -1),
6343 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6344 BPF_MOV64_IMM(BPF_REG_8, 0),
6345 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6346 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6347 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6348 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6349 BPF_MOV64_IMM(BPF_REG_0, 0),
6350 BPF_EXIT_INSN(),
6351 },
6352 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006353 .errstr = "R8 invalid mem access 'inv'",
6354 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006355 },
6356 {
6357 "bounds checks mixing signed and unsigned, variant 3",
6358 .insns = {
6359 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6362 BPF_LD_MAP_FD(BPF_REG_1, 0),
6363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6364 BPF_FUNC_map_lookup_elem),
6365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6366 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6367 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6368 BPF_MOV64_IMM(BPF_REG_2, -1),
6369 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6370 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6371 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6372 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6373 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6374 BPF_MOV64_IMM(BPF_REG_0, 0),
6375 BPF_EXIT_INSN(),
6376 },
6377 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006378 .errstr = "R8 invalid mem access 'inv'",
6379 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006380 },
6381 {
6382 "bounds checks mixing signed and unsigned, variant 4",
6383 .insns = {
6384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6387 BPF_LD_MAP_FD(BPF_REG_1, 0),
6388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6389 BPF_FUNC_map_lookup_elem),
6390 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6391 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6392 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6393 BPF_MOV64_IMM(BPF_REG_2, 1),
6394 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6395 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6396 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6397 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6398 BPF_MOV64_IMM(BPF_REG_0, 0),
6399 BPF_EXIT_INSN(),
6400 },
6401 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01006402 .result = ACCEPT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006403 },
6404 {
6405 "bounds checks mixing signed and unsigned, variant 5",
6406 .insns = {
6407 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6410 BPF_LD_MAP_FD(BPF_REG_1, 0),
6411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6412 BPF_FUNC_map_lookup_elem),
6413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6414 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6415 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6416 BPF_MOV64_IMM(BPF_REG_2, -1),
6417 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6418 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6420 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6421 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6422 BPF_MOV64_IMM(BPF_REG_0, 0),
6423 BPF_EXIT_INSN(),
6424 },
6425 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01006426 .errstr = "R0 min value is negative",
Daniel Borkmann86412502017-07-21 00:00:25 +02006427 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006428 },
6429 {
6430 "bounds checks mixing signed and unsigned, variant 6",
6431 .insns = {
6432 BPF_MOV64_IMM(BPF_REG_2, 0),
6433 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6435 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6436 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6437 BPF_MOV64_IMM(BPF_REG_6, -1),
6438 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6439 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6441 BPF_MOV64_IMM(BPF_REG_5, 0),
6442 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6444 BPF_FUNC_skb_load_bytes),
6445 BPF_MOV64_IMM(BPF_REG_0, 0),
6446 BPF_EXIT_INSN(),
6447 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006448 .errstr = "R4 min value is negative, either use unsigned",
6449 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006450 },
6451 {
6452 "bounds checks mixing signed and unsigned, variant 7",
6453 .insns = {
6454 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6455 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6457 BPF_LD_MAP_FD(BPF_REG_1, 0),
6458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6459 BPF_FUNC_map_lookup_elem),
6460 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6461 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6462 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6463 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6464 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6465 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6466 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6467 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6468 BPF_MOV64_IMM(BPF_REG_0, 0),
6469 BPF_EXIT_INSN(),
6470 },
6471 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01006472 .result = ACCEPT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006473 },
6474 {
6475 "bounds checks mixing signed and unsigned, variant 8",
6476 .insns = {
6477 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6480 BPF_LD_MAP_FD(BPF_REG_1, 0),
6481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6482 BPF_FUNC_map_lookup_elem),
Daniel Borkmann86412502017-07-21 00:00:25 +02006483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6484 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6485 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6486 BPF_MOV64_IMM(BPF_REG_2, -1),
6487 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6488 BPF_MOV64_IMM(BPF_REG_0, 0),
6489 BPF_EXIT_INSN(),
6490 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6491 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6492 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6493 BPF_MOV64_IMM(BPF_REG_0, 0),
6494 BPF_EXIT_INSN(),
6495 },
6496 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006497 .errstr = "R0 min value is negative",
6498 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006499 },
6500 {
Edward Creef65b1842017-08-07 15:27:12 +01006501 "bounds checks mixing signed and unsigned, variant 9",
Daniel Borkmann86412502017-07-21 00:00:25 +02006502 .insns = {
6503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6506 BPF_LD_MAP_FD(BPF_REG_1, 0),
6507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6508 BPF_FUNC_map_lookup_elem),
6509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6511 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6512 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6513 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6514 BPF_MOV64_IMM(BPF_REG_0, 0),
6515 BPF_EXIT_INSN(),
6516 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6517 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6518 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6519 BPF_MOV64_IMM(BPF_REG_0, 0),
6520 BPF_EXIT_INSN(),
6521 },
6522 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01006523 .result = ACCEPT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006524 },
6525 {
Edward Creef65b1842017-08-07 15:27:12 +01006526 "bounds checks mixing signed and unsigned, variant 10",
Daniel Borkmann86412502017-07-21 00:00:25 +02006527 .insns = {
6528 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6529 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6531 BPF_LD_MAP_FD(BPF_REG_1, 0),
6532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6533 BPF_FUNC_map_lookup_elem),
6534 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6535 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6536 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6537 BPF_MOV64_IMM(BPF_REG_2, 0),
6538 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6539 BPF_MOV64_IMM(BPF_REG_0, 0),
6540 BPF_EXIT_INSN(),
6541 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6542 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6543 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6544 BPF_MOV64_IMM(BPF_REG_0, 0),
6545 BPF_EXIT_INSN(),
6546 },
6547 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006548 .errstr = "R0 min value is negative",
6549 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006550 },
6551 {
Edward Creef65b1842017-08-07 15:27:12 +01006552 "bounds checks mixing signed and unsigned, variant 11",
Daniel Borkmann86412502017-07-21 00:00:25 +02006553 .insns = {
6554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6557 BPF_LD_MAP_FD(BPF_REG_1, 0),
6558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6559 BPF_FUNC_map_lookup_elem),
6560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6562 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6563 BPF_MOV64_IMM(BPF_REG_2, -1),
6564 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6565 /* Dead branch. */
6566 BPF_MOV64_IMM(BPF_REG_0, 0),
6567 BPF_EXIT_INSN(),
6568 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6569 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6570 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6571 BPF_MOV64_IMM(BPF_REG_0, 0),
6572 BPF_EXIT_INSN(),
6573 },
6574 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006575 .errstr = "R0 min value is negative",
6576 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006577 },
6578 {
Edward Creef65b1842017-08-07 15:27:12 +01006579 "bounds checks mixing signed and unsigned, variant 12",
Daniel Borkmann86412502017-07-21 00:00:25 +02006580 .insns = {
6581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6584 BPF_LD_MAP_FD(BPF_REG_1, 0),
6585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6586 BPF_FUNC_map_lookup_elem),
6587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6588 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6589 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6590 BPF_MOV64_IMM(BPF_REG_2, -6),
6591 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6592 BPF_MOV64_IMM(BPF_REG_0, 0),
6593 BPF_EXIT_INSN(),
6594 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6595 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6596 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6597 BPF_MOV64_IMM(BPF_REG_0, 0),
6598 BPF_EXIT_INSN(),
6599 },
6600 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006601 .errstr = "R0 min value is negative",
6602 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006603 },
6604 {
Edward Creef65b1842017-08-07 15:27:12 +01006605 "bounds checks mixing signed and unsigned, variant 13",
Daniel Borkmann86412502017-07-21 00:00:25 +02006606 .insns = {
6607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6610 BPF_LD_MAP_FD(BPF_REG_1, 0),
6611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6612 BPF_FUNC_map_lookup_elem),
6613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6615 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6616 BPF_MOV64_IMM(BPF_REG_2, 2),
6617 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6618 BPF_MOV64_IMM(BPF_REG_7, 1),
6619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6620 BPF_MOV64_IMM(BPF_REG_0, 0),
6621 BPF_EXIT_INSN(),
6622 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6623 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6624 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6625 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6626 BPF_MOV64_IMM(BPF_REG_0, 0),
6627 BPF_EXIT_INSN(),
6628 },
6629 .fixup_map1 = { 3 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006630 .errstr = "R0 min value is negative",
6631 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006632 },
6633 {
Edward Creef65b1842017-08-07 15:27:12 +01006634 "bounds checks mixing signed and unsigned, variant 14",
Daniel Borkmann86412502017-07-21 00:00:25 +02006635 .insns = {
6636 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6637 offsetof(struct __sk_buff, mark)),
6638 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6641 BPF_LD_MAP_FD(BPF_REG_1, 0),
6642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6643 BPF_FUNC_map_lookup_elem),
6644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6645 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6646 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6647 BPF_MOV64_IMM(BPF_REG_2, -1),
6648 BPF_MOV64_IMM(BPF_REG_8, 2),
6649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6650 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6651 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6653 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6654 BPF_MOV64_IMM(BPF_REG_0, 0),
6655 BPF_EXIT_INSN(),
6656 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6657 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6658 },
6659 .fixup_map1 = { 4 },
Daniel Borkmann86412502017-07-21 00:00:25 +02006660 .errstr = "R0 min value is negative",
6661 .result = REJECT,
Daniel Borkmann86412502017-07-21 00:00:25 +02006662 },
6663 {
Edward Creef65b1842017-08-07 15:27:12 +01006664 "bounds checks mixing signed and unsigned, variant 15",
Daniel Borkmann86412502017-07-21 00:00:25 +02006665 .insns = {
6666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6667 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6669 BPF_LD_MAP_FD(BPF_REG_1, 0),
6670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6671 BPF_FUNC_map_lookup_elem),
6672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6673 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6674 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6675 BPF_MOV64_IMM(BPF_REG_2, -6),
6676 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6677 BPF_MOV64_IMM(BPF_REG_0, 0),
6678 BPF_EXIT_INSN(),
6679 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6680 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6681 BPF_MOV64_IMM(BPF_REG_0, 0),
6682 BPF_EXIT_INSN(),
6683 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6684 BPF_MOV64_IMM(BPF_REG_0, 0),
6685 BPF_EXIT_INSN(),
6686 },
6687 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01006688 .errstr_unpriv = "R0 pointer comparison prohibited",
Daniel Borkmann86412502017-07-21 00:00:25 +02006689 .errstr = "R0 min value is negative",
6690 .result = REJECT,
6691 .result_unpriv = REJECT,
6692 },
Edward Cree545722c2017-07-21 14:36:57 +01006693 {
Edward Creef65b1842017-08-07 15:27:12 +01006694 "subtraction bounds (map value) variant 1",
Edward Cree545722c2017-07-21 14:36:57 +01006695 .insns = {
6696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6699 BPF_LD_MAP_FD(BPF_REG_1, 0),
6700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6701 BPF_FUNC_map_lookup_elem),
6702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6703 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6704 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6705 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6706 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6707 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6708 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6710 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6711 BPF_EXIT_INSN(),
6712 BPF_MOV64_IMM(BPF_REG_0, 0),
6713 BPF_EXIT_INSN(),
6714 },
6715 .fixup_map1 = { 3 },
Edward Creef65b1842017-08-07 15:27:12 +01006716 .errstr = "R0 max value is outside of the array range",
6717 .result = REJECT,
6718 },
6719 {
6720 "subtraction bounds (map value) variant 2",
6721 .insns = {
6722 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6725 BPF_LD_MAP_FD(BPF_REG_1, 0),
6726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6727 BPF_FUNC_map_lookup_elem),
6728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6729 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6730 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6731 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6732 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6733 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6734 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6736 BPF_EXIT_INSN(),
6737 BPF_MOV64_IMM(BPF_REG_0, 0),
6738 BPF_EXIT_INSN(),
6739 },
6740 .fixup_map1 = { 3 },
Edward Cree545722c2017-07-21 14:36:57 +01006741 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6742 .result = REJECT,
Edward Cree545722c2017-07-21 14:36:57 +01006743 },
Edward Cree69c4e8a2017-08-07 15:29:51 +01006744 {
6745 "variable-offset ctx access",
6746 .insns = {
6747 /* Get an unknown value */
6748 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6749 /* Make it small and 4-byte aligned */
6750 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6751 /* add it to skb. We now have either &skb->len or
6752 * &skb->pkt_type, but we don't know which
6753 */
6754 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6755 /* dereference it */
6756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
6757 BPF_EXIT_INSN(),
6758 },
6759 .errstr = "variable ctx access var_off=(0x0; 0x4)",
6760 .result = REJECT,
6761 .prog_type = BPF_PROG_TYPE_LWT_IN,
6762 },
6763 {
6764 "variable-offset stack access",
6765 .insns = {
6766 /* Fill the top 8 bytes of the stack */
6767 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6768 /* Get an unknown value */
6769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6770 /* Make it small and 4-byte aligned */
6771 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6772 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
6773 /* add it to fp. We now have either fp-4 or fp-8, but
6774 * we don't know which
6775 */
6776 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
6777 /* dereference it */
6778 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
6779 BPF_EXIT_INSN(),
6780 },
6781 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
6782 .result = REJECT,
6783 .prog_type = BPF_PROG_TYPE_LWT_IN,
6784 },
Edward Creed893dc22017-08-23 15:09:46 +01006785 {
6786 "liveness pruning and write screening",
6787 .insns = {
6788 /* Get an unknown value */
6789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6790 /* branch conditions teach us nothing about R2 */
6791 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6792 BPF_MOV64_IMM(BPF_REG_0, 0),
6793 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6794 BPF_MOV64_IMM(BPF_REG_0, 0),
6795 BPF_EXIT_INSN(),
6796 },
6797 .errstr = "R0 !read_ok",
6798 .result = REJECT,
6799 .prog_type = BPF_PROG_TYPE_LWT_IN,
6800 },
Alexei Starovoitovdf20cb72017-08-23 15:10:26 +01006801 {
6802 "varlen_map_value_access pruning",
6803 .insns = {
6804 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6807 BPF_LD_MAP_FD(BPF_REG_1, 0),
6808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6809 BPF_FUNC_map_lookup_elem),
6810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6811 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6812 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
6813 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
6814 BPF_MOV32_IMM(BPF_REG_1, 0),
6815 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
6816 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6817 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
6818 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6819 offsetof(struct test_val, foo)),
6820 BPF_EXIT_INSN(),
6821 },
6822 .fixup_map2 = { 3 },
6823 .errstr_unpriv = "R0 leaks addr",
6824 .errstr = "R0 unbounded memory access",
6825 .result_unpriv = REJECT,
6826 .result = REJECT,
6827 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6828 },
Edward Creee67b8a62017-09-15 14:37:38 +01006829 {
6830 "invalid 64-bit BPF_END",
6831 .insns = {
6832 BPF_MOV32_IMM(BPF_REG_0, 0),
6833 {
6834 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
6835 .dst_reg = BPF_REG_0,
6836 .src_reg = 0,
6837 .off = 0,
6838 .imm = 32,
6839 },
6840 BPF_EXIT_INSN(),
6841 },
6842 .errstr = "BPF_END uses reserved fields",
6843 .result = REJECT,
6844 },
Daniel Borkmann22c88522017-09-25 02:25:53 +02006845 {
6846 "meta access, test1",
6847 .insns = {
6848 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6849 offsetof(struct xdp_md, data_meta)),
6850 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6851 offsetof(struct xdp_md, data)),
6852 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6854 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6855 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6856 BPF_MOV64_IMM(BPF_REG_0, 0),
6857 BPF_EXIT_INSN(),
6858 },
6859 .result = ACCEPT,
6860 .prog_type = BPF_PROG_TYPE_XDP,
6861 },
6862 {
6863 "meta access, test2",
6864 .insns = {
6865 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6866 offsetof(struct xdp_md, data_meta)),
6867 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6868 offsetof(struct xdp_md, data)),
6869 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6870 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
6871 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6873 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6874 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6875 BPF_MOV64_IMM(BPF_REG_0, 0),
6876 BPF_EXIT_INSN(),
6877 },
6878 .result = REJECT,
6879 .errstr = "invalid access to packet, off=-8",
6880 .prog_type = BPF_PROG_TYPE_XDP,
6881 },
6882 {
6883 "meta access, test3",
6884 .insns = {
6885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6886 offsetof(struct xdp_md, data_meta)),
6887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6888 offsetof(struct xdp_md, data_end)),
6889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6892 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6893 BPF_MOV64_IMM(BPF_REG_0, 0),
6894 BPF_EXIT_INSN(),
6895 },
6896 .result = REJECT,
6897 .errstr = "invalid access to packet",
6898 .prog_type = BPF_PROG_TYPE_XDP,
6899 },
6900 {
6901 "meta access, test4",
6902 .insns = {
6903 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6904 offsetof(struct xdp_md, data_meta)),
6905 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6906 offsetof(struct xdp_md, data_end)),
6907 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6908 offsetof(struct xdp_md, data)),
6909 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6911 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6912 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6913 BPF_MOV64_IMM(BPF_REG_0, 0),
6914 BPF_EXIT_INSN(),
6915 },
6916 .result = REJECT,
6917 .errstr = "invalid access to packet",
6918 .prog_type = BPF_PROG_TYPE_XDP,
6919 },
6920 {
6921 "meta access, test5",
6922 .insns = {
6923 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6924 offsetof(struct xdp_md, data_meta)),
6925 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6926 offsetof(struct xdp_md, data)),
6927 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6929 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
6930 BPF_MOV64_IMM(BPF_REG_2, -8),
6931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6932 BPF_FUNC_xdp_adjust_meta),
6933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
6934 BPF_MOV64_IMM(BPF_REG_0, 0),
6935 BPF_EXIT_INSN(),
6936 },
6937 .result = REJECT,
6938 .errstr = "R3 !read_ok",
6939 .prog_type = BPF_PROG_TYPE_XDP,
6940 },
6941 {
6942 "meta access, test6",
6943 .insns = {
6944 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6945 offsetof(struct xdp_md, data_meta)),
6946 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6947 offsetof(struct xdp_md, data)),
6948 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6950 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6952 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
6953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6954 BPF_MOV64_IMM(BPF_REG_0, 0),
6955 BPF_EXIT_INSN(),
6956 },
6957 .result = REJECT,
6958 .errstr = "invalid access to packet",
6959 .prog_type = BPF_PROG_TYPE_XDP,
6960 },
6961 {
6962 "meta access, test7",
6963 .insns = {
6964 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6965 offsetof(struct xdp_md, data_meta)),
6966 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6967 offsetof(struct xdp_md, data)),
6968 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6970 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6972 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6974 BPF_MOV64_IMM(BPF_REG_0, 0),
6975 BPF_EXIT_INSN(),
6976 },
6977 .result = ACCEPT,
6978 .prog_type = BPF_PROG_TYPE_XDP,
6979 },
6980 {
6981 "meta access, test8",
6982 .insns = {
6983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6984 offsetof(struct xdp_md, data_meta)),
6985 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6986 offsetof(struct xdp_md, data)),
6987 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
6989 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6991 BPF_MOV64_IMM(BPF_REG_0, 0),
6992 BPF_EXIT_INSN(),
6993 },
6994 .result = ACCEPT,
6995 .prog_type = BPF_PROG_TYPE_XDP,
6996 },
6997 {
6998 "meta access, test9",
6999 .insns = {
7000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7001 offsetof(struct xdp_md, data_meta)),
7002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7003 offsetof(struct xdp_md, data)),
7004 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7007 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7008 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7009 BPF_MOV64_IMM(BPF_REG_0, 0),
7010 BPF_EXIT_INSN(),
7011 },
7012 .result = REJECT,
7013 .errstr = "invalid access to packet",
7014 .prog_type = BPF_PROG_TYPE_XDP,
7015 },
7016 {
7017 "meta access, test10",
7018 .insns = {
7019 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7020 offsetof(struct xdp_md, data_meta)),
7021 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7022 offsetof(struct xdp_md, data)),
7023 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7024 offsetof(struct xdp_md, data_end)),
7025 BPF_MOV64_IMM(BPF_REG_5, 42),
7026 BPF_MOV64_IMM(BPF_REG_6, 24),
7027 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7028 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7029 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7030 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7031 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7032 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7033 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7035 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7036 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7037 BPF_MOV64_IMM(BPF_REG_0, 0),
7038 BPF_EXIT_INSN(),
7039 },
7040 .result = REJECT,
7041 .errstr = "invalid access to packet",
7042 .prog_type = BPF_PROG_TYPE_XDP,
7043 },
7044 {
7045 "meta access, test11",
7046 .insns = {
7047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7048 offsetof(struct xdp_md, data_meta)),
7049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7050 offsetof(struct xdp_md, data)),
7051 BPF_MOV64_IMM(BPF_REG_5, 42),
7052 BPF_MOV64_IMM(BPF_REG_6, 24),
7053 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7054 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7055 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7056 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7057 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7058 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7059 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7061 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7062 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7063 BPF_MOV64_IMM(BPF_REG_0, 0),
7064 BPF_EXIT_INSN(),
7065 },
7066 .result = ACCEPT,
7067 .prog_type = BPF_PROG_TYPE_XDP,
7068 },
7069 {
7070 "meta access, test12",
7071 .insns = {
7072 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7073 offsetof(struct xdp_md, data_meta)),
7074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7075 offsetof(struct xdp_md, data)),
7076 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7077 offsetof(struct xdp_md, data_end)),
7078 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7080 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
7081 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7082 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7084 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
7085 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7086 BPF_MOV64_IMM(BPF_REG_0, 0),
7087 BPF_EXIT_INSN(),
7088 },
7089 .result = ACCEPT,
7090 .prog_type = BPF_PROG_TYPE_XDP,
7091 },
Alexei Starovoitov390ee7e2017-10-02 22:50:23 -07007092 {
Jakub Kicinski28e33f92017-10-16 11:16:55 -07007093 "arithmetic ops make PTR_TO_CTX unusable",
7094 .insns = {
7095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7096 offsetof(struct __sk_buff, data) -
7097 offsetof(struct __sk_buff, mark)),
7098 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7099 offsetof(struct __sk_buff, mark)),
7100 BPF_EXIT_INSN(),
7101 },
7102 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
7103 .result = REJECT,
7104 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7105 },
Daniel Borkmannb37242c2017-10-21 02:34:23 +02007106 {
7107 "XDP pkt read, pkt_end mangling, bad access 1",
7108 .insns = {
7109 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7110 offsetof(struct xdp_md, data)),
7111 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7112 offsetof(struct xdp_md, data_end)),
7113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7116 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7117 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7118 BPF_MOV64_IMM(BPF_REG_0, 0),
7119 BPF_EXIT_INSN(),
7120 },
7121 .errstr = "R1 offset is outside of the packet",
7122 .result = REJECT,
7123 .prog_type = BPF_PROG_TYPE_XDP,
7124 },
7125 {
7126 "XDP pkt read, pkt_end mangling, bad access 2",
7127 .insns = {
7128 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7129 offsetof(struct xdp_md, data)),
7130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7131 offsetof(struct xdp_md, data_end)),
7132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7134 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7135 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7136 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7137 BPF_MOV64_IMM(BPF_REG_0, 0),
7138 BPF_EXIT_INSN(),
7139 },
7140 .errstr = "R1 offset is outside of the packet",
7141 .result = REJECT,
7142 .prog_type = BPF_PROG_TYPE_XDP,
7143 },
7144 {
7145 "XDP pkt read, pkt_data' > pkt_end, good access",
7146 .insns = {
7147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7148 offsetof(struct xdp_md, data)),
7149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7150 offsetof(struct xdp_md, data_end)),
7151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7153 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7154 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7155 BPF_MOV64_IMM(BPF_REG_0, 0),
7156 BPF_EXIT_INSN(),
7157 },
7158 .result = ACCEPT,
7159 .prog_type = BPF_PROG_TYPE_XDP,
7160 },
7161 {
7162 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
7163 .insns = {
7164 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7165 offsetof(struct xdp_md, data)),
7166 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7167 offsetof(struct xdp_md, data_end)),
7168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7170 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7171 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7172 BPF_MOV64_IMM(BPF_REG_0, 0),
7173 BPF_EXIT_INSN(),
7174 },
7175 .errstr = "R1 offset is outside of the packet",
7176 .result = REJECT,
7177 .prog_type = BPF_PROG_TYPE_XDP,
7178 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7179 },
7180 {
7181 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
7182 .insns = {
7183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7184 offsetof(struct xdp_md, data)),
7185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7186 offsetof(struct xdp_md, data_end)),
7187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7189 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7190 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7191 BPF_MOV64_IMM(BPF_REG_0, 0),
7192 BPF_EXIT_INSN(),
7193 },
7194 .errstr = "R1 offset is outside of the packet",
7195 .result = REJECT,
7196 .prog_type = BPF_PROG_TYPE_XDP,
7197 },
7198 {
7199 "XDP pkt read, pkt_end > pkt_data', good access",
7200 .insns = {
7201 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7202 offsetof(struct xdp_md, data)),
7203 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7204 offsetof(struct xdp_md, data_end)),
7205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7207 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7208 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7209 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7210 BPF_MOV64_IMM(BPF_REG_0, 0),
7211 BPF_EXIT_INSN(),
7212 },
7213 .result = ACCEPT,
7214 .prog_type = BPF_PROG_TYPE_XDP,
7215 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7216 },
7217 {
7218 "XDP pkt read, pkt_end > pkt_data', bad access 1",
7219 .insns = {
7220 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7221 offsetof(struct xdp_md, data)),
7222 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7223 offsetof(struct xdp_md, data_end)),
7224 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7226 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7227 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7228 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7229 BPF_MOV64_IMM(BPF_REG_0, 0),
7230 BPF_EXIT_INSN(),
7231 },
7232 .errstr = "R1 offset is outside of the packet",
7233 .result = REJECT,
7234 .prog_type = BPF_PROG_TYPE_XDP,
7235 },
7236 {
7237 "XDP pkt read, pkt_end > pkt_data', bad access 2",
7238 .insns = {
7239 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7240 offsetof(struct xdp_md, data)),
7241 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7242 offsetof(struct xdp_md, data_end)),
7243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7245 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7246 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7247 BPF_MOV64_IMM(BPF_REG_0, 0),
7248 BPF_EXIT_INSN(),
7249 },
7250 .errstr = "R1 offset is outside of the packet",
7251 .result = REJECT,
7252 .prog_type = BPF_PROG_TYPE_XDP,
7253 },
7254 {
7255 "XDP pkt read, pkt_data' < pkt_end, good access",
7256 .insns = {
7257 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7258 offsetof(struct xdp_md, data)),
7259 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7260 offsetof(struct xdp_md, data_end)),
7261 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7263 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7264 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7265 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7266 BPF_MOV64_IMM(BPF_REG_0, 0),
7267 BPF_EXIT_INSN(),
7268 },
7269 .result = ACCEPT,
7270 .prog_type = BPF_PROG_TYPE_XDP,
7271 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7272 },
7273 {
7274 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
7275 .insns = {
7276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7277 offsetof(struct xdp_md, data)),
7278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7279 offsetof(struct xdp_md, data_end)),
7280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7282 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7283 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7285 BPF_MOV64_IMM(BPF_REG_0, 0),
7286 BPF_EXIT_INSN(),
7287 },
7288 .errstr = "R1 offset is outside of the packet",
7289 .result = REJECT,
7290 .prog_type = BPF_PROG_TYPE_XDP,
7291 },
7292 {
7293 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
7294 .insns = {
7295 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7296 offsetof(struct xdp_md, data)),
7297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7298 offsetof(struct xdp_md, data_end)),
7299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7301 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7303 BPF_MOV64_IMM(BPF_REG_0, 0),
7304 BPF_EXIT_INSN(),
7305 },
7306 .errstr = "R1 offset is outside of the packet",
7307 .result = REJECT,
7308 .prog_type = BPF_PROG_TYPE_XDP,
7309 },
7310 {
7311 "XDP pkt read, pkt_end < pkt_data', good access",
7312 .insns = {
7313 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7314 offsetof(struct xdp_md, data)),
7315 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7316 offsetof(struct xdp_md, data_end)),
7317 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7319 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7321 BPF_MOV64_IMM(BPF_REG_0, 0),
7322 BPF_EXIT_INSN(),
7323 },
7324 .result = ACCEPT,
7325 .prog_type = BPF_PROG_TYPE_XDP,
7326 },
7327 {
7328 "XDP pkt read, pkt_end < pkt_data', bad access 1",
7329 .insns = {
7330 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7331 offsetof(struct xdp_md, data)),
7332 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7333 offsetof(struct xdp_md, data_end)),
7334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7336 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7337 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7338 BPF_MOV64_IMM(BPF_REG_0, 0),
7339 BPF_EXIT_INSN(),
7340 },
7341 .errstr = "R1 offset is outside of the packet",
7342 .result = REJECT,
7343 .prog_type = BPF_PROG_TYPE_XDP,
7344 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7345 },
7346 {
7347 "XDP pkt read, pkt_end < pkt_data', bad access 2",
7348 .insns = {
7349 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7350 offsetof(struct xdp_md, data)),
7351 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7352 offsetof(struct xdp_md, data_end)),
7353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7355 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7357 BPF_MOV64_IMM(BPF_REG_0, 0),
7358 BPF_EXIT_INSN(),
7359 },
7360 .errstr = "R1 offset is outside of the packet",
7361 .result = REJECT,
7362 .prog_type = BPF_PROG_TYPE_XDP,
7363 },
7364 {
7365 "XDP pkt read, pkt_data' >= pkt_end, good access",
7366 .insns = {
7367 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7368 offsetof(struct xdp_md, data)),
7369 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7370 offsetof(struct xdp_md, data_end)),
7371 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7373 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7374 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7375 BPF_MOV64_IMM(BPF_REG_0, 0),
7376 BPF_EXIT_INSN(),
7377 },
7378 .result = ACCEPT,
7379 .prog_type = BPF_PROG_TYPE_XDP,
7380 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7381 },
7382 {
7383 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7384 .insns = {
7385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7386 offsetof(struct xdp_md, data)),
7387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7388 offsetof(struct xdp_md, data_end)),
7389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7391 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7392 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7393 BPF_MOV64_IMM(BPF_REG_0, 0),
7394 BPF_EXIT_INSN(),
7395 },
7396 .errstr = "R1 offset is outside of the packet",
7397 .result = REJECT,
7398 .prog_type = BPF_PROG_TYPE_XDP,
7399 },
7400 {
7401 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7402 .insns = {
7403 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7404 offsetof(struct xdp_md, data)),
7405 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7406 offsetof(struct xdp_md, data_end)),
7407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7409 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7410 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7411 BPF_MOV64_IMM(BPF_REG_0, 0),
7412 BPF_EXIT_INSN(),
7413 },
7414 .errstr = "R1 offset is outside of the packet",
7415 .result = REJECT,
7416 .prog_type = BPF_PROG_TYPE_XDP,
7417 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7418 },
7419 {
7420 "XDP pkt read, pkt_end >= pkt_data', good access",
7421 .insns = {
7422 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7423 offsetof(struct xdp_md, data)),
7424 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7425 offsetof(struct xdp_md, data_end)),
7426 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7428 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7429 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7430 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7431 BPF_MOV64_IMM(BPF_REG_0, 0),
7432 BPF_EXIT_INSN(),
7433 },
7434 .result = ACCEPT,
7435 .prog_type = BPF_PROG_TYPE_XDP,
7436 },
7437 {
7438 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
7439 .insns = {
7440 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7441 offsetof(struct xdp_md, data)),
7442 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7443 offsetof(struct xdp_md, data_end)),
7444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7446 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7447 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7448 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7449 BPF_MOV64_IMM(BPF_REG_0, 0),
7450 BPF_EXIT_INSN(),
7451 },
7452 .errstr = "R1 offset is outside of the packet",
7453 .result = REJECT,
7454 .prog_type = BPF_PROG_TYPE_XDP,
7455 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7456 },
7457 {
7458 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
7459 .insns = {
7460 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7461 offsetof(struct xdp_md, data)),
7462 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7463 offsetof(struct xdp_md, data_end)),
7464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7466 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7467 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7468 BPF_MOV64_IMM(BPF_REG_0, 0),
7469 BPF_EXIT_INSN(),
7470 },
7471 .errstr = "R1 offset is outside of the packet",
7472 .result = REJECT,
7473 .prog_type = BPF_PROG_TYPE_XDP,
7474 },
7475 {
7476 "XDP pkt read, pkt_data' <= pkt_end, good access",
7477 .insns = {
7478 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7479 offsetof(struct xdp_md, data)),
7480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7481 offsetof(struct xdp_md, data_end)),
7482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7484 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7485 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7487 BPF_MOV64_IMM(BPF_REG_0, 0),
7488 BPF_EXIT_INSN(),
7489 },
7490 .result = ACCEPT,
7491 .prog_type = BPF_PROG_TYPE_XDP,
7492 },
7493 {
7494 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
7495 .insns = {
7496 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7497 offsetof(struct xdp_md, data)),
7498 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7499 offsetof(struct xdp_md, data_end)),
7500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7502 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7503 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7505 BPF_MOV64_IMM(BPF_REG_0, 0),
7506 BPF_EXIT_INSN(),
7507 },
7508 .errstr = "R1 offset is outside of the packet",
7509 .result = REJECT,
7510 .prog_type = BPF_PROG_TYPE_XDP,
7511 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7512 },
7513 {
7514 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
7515 .insns = {
7516 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7517 offsetof(struct xdp_md, data)),
7518 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7519 offsetof(struct xdp_md, data_end)),
7520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7522 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7523 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7524 BPF_MOV64_IMM(BPF_REG_0, 0),
7525 BPF_EXIT_INSN(),
7526 },
7527 .errstr = "R1 offset is outside of the packet",
7528 .result = REJECT,
7529 .prog_type = BPF_PROG_TYPE_XDP,
7530 },
7531 {
7532 "XDP pkt read, pkt_end <= pkt_data', good access",
7533 .insns = {
7534 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7535 offsetof(struct xdp_md, data)),
7536 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7537 offsetof(struct xdp_md, data_end)),
7538 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7540 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7541 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7542 BPF_MOV64_IMM(BPF_REG_0, 0),
7543 BPF_EXIT_INSN(),
7544 },
7545 .result = ACCEPT,
7546 .prog_type = BPF_PROG_TYPE_XDP,
7547 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7548 },
7549 {
7550 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
7551 .insns = {
7552 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7553 offsetof(struct xdp_md, data)),
7554 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7555 offsetof(struct xdp_md, data_end)),
7556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7558 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7559 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7560 BPF_MOV64_IMM(BPF_REG_0, 0),
7561 BPF_EXIT_INSN(),
7562 },
7563 .errstr = "R1 offset is outside of the packet",
7564 .result = REJECT,
7565 .prog_type = BPF_PROG_TYPE_XDP,
7566 },
7567 {
7568 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
7569 .insns = {
7570 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7571 offsetof(struct xdp_md, data)),
7572 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7573 offsetof(struct xdp_md, data_end)),
7574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7576 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
7577 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7578 BPF_MOV64_IMM(BPF_REG_0, 0),
7579 BPF_EXIT_INSN(),
7580 },
7581 .errstr = "R1 offset is outside of the packet",
7582 .result = REJECT,
7583 .prog_type = BPF_PROG_TYPE_XDP,
7584 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7585 },
Daniel Borkmannb06723d2017-11-01 23:58:09 +01007586 {
Daniel Borkmann634eab12017-11-01 23:58:11 +01007587 "XDP pkt read, pkt_meta' > pkt_data, good access",
7588 .insns = {
7589 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7590 offsetof(struct xdp_md, data_meta)),
7591 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7592 offsetof(struct xdp_md, data)),
7593 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7595 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7596 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7597 BPF_MOV64_IMM(BPF_REG_0, 0),
7598 BPF_EXIT_INSN(),
7599 },
7600 .result = ACCEPT,
7601 .prog_type = BPF_PROG_TYPE_XDP,
7602 },
7603 {
7604 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
7605 .insns = {
7606 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7607 offsetof(struct xdp_md, data_meta)),
7608 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7609 offsetof(struct xdp_md, data)),
7610 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7612 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7613 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7614 BPF_MOV64_IMM(BPF_REG_0, 0),
7615 BPF_EXIT_INSN(),
7616 },
7617 .errstr = "R1 offset is outside of the packet",
7618 .result = REJECT,
7619 .prog_type = BPF_PROG_TYPE_XDP,
7620 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7621 },
7622 {
7623 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
7624 .insns = {
7625 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7626 offsetof(struct xdp_md, data_meta)),
7627 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7628 offsetof(struct xdp_md, data)),
7629 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7631 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7632 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7633 BPF_MOV64_IMM(BPF_REG_0, 0),
7634 BPF_EXIT_INSN(),
7635 },
7636 .errstr = "R1 offset is outside of the packet",
7637 .result = REJECT,
7638 .prog_type = BPF_PROG_TYPE_XDP,
7639 },
7640 {
7641 "XDP pkt read, pkt_data > pkt_meta', good access",
7642 .insns = {
7643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7644 offsetof(struct xdp_md, data_meta)),
7645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7646 offsetof(struct xdp_md, data)),
7647 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7649 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7650 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7651 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7652 BPF_MOV64_IMM(BPF_REG_0, 0),
7653 BPF_EXIT_INSN(),
7654 },
7655 .result = ACCEPT,
7656 .prog_type = BPF_PROG_TYPE_XDP,
7657 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7658 },
7659 {
7660 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
7661 .insns = {
7662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7663 offsetof(struct xdp_md, data_meta)),
7664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7665 offsetof(struct xdp_md, data)),
7666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7668 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7669 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7670 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7671 BPF_MOV64_IMM(BPF_REG_0, 0),
7672 BPF_EXIT_INSN(),
7673 },
7674 .errstr = "R1 offset is outside of the packet",
7675 .result = REJECT,
7676 .prog_type = BPF_PROG_TYPE_XDP,
7677 },
7678 {
7679 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
7680 .insns = {
7681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7682 offsetof(struct xdp_md, data_meta)),
7683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7684 offsetof(struct xdp_md, data)),
7685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7687 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7688 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7689 BPF_MOV64_IMM(BPF_REG_0, 0),
7690 BPF_EXIT_INSN(),
7691 },
7692 .errstr = "R1 offset is outside of the packet",
7693 .result = REJECT,
7694 .prog_type = BPF_PROG_TYPE_XDP,
7695 },
7696 {
7697 "XDP pkt read, pkt_meta' < pkt_data, good access",
7698 .insns = {
7699 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7700 offsetof(struct xdp_md, data_meta)),
7701 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7702 offsetof(struct xdp_md, data)),
7703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7705 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7706 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7707 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7708 BPF_MOV64_IMM(BPF_REG_0, 0),
7709 BPF_EXIT_INSN(),
7710 },
7711 .result = ACCEPT,
7712 .prog_type = BPF_PROG_TYPE_XDP,
7713 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7714 },
7715 {
7716 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
7717 .insns = {
7718 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7719 offsetof(struct xdp_md, data_meta)),
7720 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7721 offsetof(struct xdp_md, data)),
7722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7724 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7725 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7726 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7727 BPF_MOV64_IMM(BPF_REG_0, 0),
7728 BPF_EXIT_INSN(),
7729 },
7730 .errstr = "R1 offset is outside of the packet",
7731 .result = REJECT,
7732 .prog_type = BPF_PROG_TYPE_XDP,
7733 },
7734 {
7735 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
7736 .insns = {
7737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7738 offsetof(struct xdp_md, data_meta)),
7739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7740 offsetof(struct xdp_md, data)),
7741 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7743 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7744 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7745 BPF_MOV64_IMM(BPF_REG_0, 0),
7746 BPF_EXIT_INSN(),
7747 },
7748 .errstr = "R1 offset is outside of the packet",
7749 .result = REJECT,
7750 .prog_type = BPF_PROG_TYPE_XDP,
7751 },
7752 {
7753 "XDP pkt read, pkt_data < pkt_meta', good access",
7754 .insns = {
7755 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7756 offsetof(struct xdp_md, data_meta)),
7757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7758 offsetof(struct xdp_md, data)),
7759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7761 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7762 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7763 BPF_MOV64_IMM(BPF_REG_0, 0),
7764 BPF_EXIT_INSN(),
7765 },
7766 .result = ACCEPT,
7767 .prog_type = BPF_PROG_TYPE_XDP,
7768 },
7769 {
7770 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
7771 .insns = {
7772 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7773 offsetof(struct xdp_md, data_meta)),
7774 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7775 offsetof(struct xdp_md, data)),
7776 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7778 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7779 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7780 BPF_MOV64_IMM(BPF_REG_0, 0),
7781 BPF_EXIT_INSN(),
7782 },
7783 .errstr = "R1 offset is outside of the packet",
7784 .result = REJECT,
7785 .prog_type = BPF_PROG_TYPE_XDP,
7786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7787 },
7788 {
7789 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
7790 .insns = {
7791 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7792 offsetof(struct xdp_md, data_meta)),
7793 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7794 offsetof(struct xdp_md, data)),
7795 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7797 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7798 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7799 BPF_MOV64_IMM(BPF_REG_0, 0),
7800 BPF_EXIT_INSN(),
7801 },
7802 .errstr = "R1 offset is outside of the packet",
7803 .result = REJECT,
7804 .prog_type = BPF_PROG_TYPE_XDP,
7805 },
7806 {
7807 "XDP pkt read, pkt_meta' >= pkt_data, good access",
7808 .insns = {
7809 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7810 offsetof(struct xdp_md, data_meta)),
7811 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7812 offsetof(struct xdp_md, data)),
7813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7815 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7816 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7817 BPF_MOV64_IMM(BPF_REG_0, 0),
7818 BPF_EXIT_INSN(),
7819 },
7820 .result = ACCEPT,
7821 .prog_type = BPF_PROG_TYPE_XDP,
7822 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7823 },
7824 {
7825 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
7826 .insns = {
7827 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7828 offsetof(struct xdp_md, data_meta)),
7829 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7830 offsetof(struct xdp_md, data)),
7831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7833 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7834 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7835 BPF_MOV64_IMM(BPF_REG_0, 0),
7836 BPF_EXIT_INSN(),
7837 },
7838 .errstr = "R1 offset is outside of the packet",
7839 .result = REJECT,
7840 .prog_type = BPF_PROG_TYPE_XDP,
7841 },
7842 {
7843 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
7844 .insns = {
7845 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7846 offsetof(struct xdp_md, data_meta)),
7847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7848 offsetof(struct xdp_md, data)),
7849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7851 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7852 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7853 BPF_MOV64_IMM(BPF_REG_0, 0),
7854 BPF_EXIT_INSN(),
7855 },
7856 .errstr = "R1 offset is outside of the packet",
7857 .result = REJECT,
7858 .prog_type = BPF_PROG_TYPE_XDP,
7859 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7860 },
7861 {
7862 "XDP pkt read, pkt_data >= pkt_meta', good access",
7863 .insns = {
7864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7865 offsetof(struct xdp_md, data_meta)),
7866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7867 offsetof(struct xdp_md, data)),
7868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7870 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7871 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7872 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7873 BPF_MOV64_IMM(BPF_REG_0, 0),
7874 BPF_EXIT_INSN(),
7875 },
7876 .result = ACCEPT,
7877 .prog_type = BPF_PROG_TYPE_XDP,
7878 },
7879 {
7880 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
7881 .insns = {
7882 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7883 offsetof(struct xdp_md, data_meta)),
7884 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7885 offsetof(struct xdp_md, data)),
7886 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7888 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7889 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7890 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7891 BPF_MOV64_IMM(BPF_REG_0, 0),
7892 BPF_EXIT_INSN(),
7893 },
7894 .errstr = "R1 offset is outside of the packet",
7895 .result = REJECT,
7896 .prog_type = BPF_PROG_TYPE_XDP,
7897 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7898 },
7899 {
7900 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
7901 .insns = {
7902 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7903 offsetof(struct xdp_md, data_meta)),
7904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7905 offsetof(struct xdp_md, data)),
7906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7908 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7909 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7910 BPF_MOV64_IMM(BPF_REG_0, 0),
7911 BPF_EXIT_INSN(),
7912 },
7913 .errstr = "R1 offset is outside of the packet",
7914 .result = REJECT,
7915 .prog_type = BPF_PROG_TYPE_XDP,
7916 },
7917 {
7918 "XDP pkt read, pkt_meta' <= pkt_data, good access",
7919 .insns = {
7920 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7921 offsetof(struct xdp_md, data_meta)),
7922 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7923 offsetof(struct xdp_md, data)),
7924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7926 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7927 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7928 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7929 BPF_MOV64_IMM(BPF_REG_0, 0),
7930 BPF_EXIT_INSN(),
7931 },
7932 .result = ACCEPT,
7933 .prog_type = BPF_PROG_TYPE_XDP,
7934 },
7935 {
7936 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
7937 .insns = {
7938 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7939 offsetof(struct xdp_md, data_meta)),
7940 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7941 offsetof(struct xdp_md, data)),
7942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7944 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7945 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7947 BPF_MOV64_IMM(BPF_REG_0, 0),
7948 BPF_EXIT_INSN(),
7949 },
7950 .errstr = "R1 offset is outside of the packet",
7951 .result = REJECT,
7952 .prog_type = BPF_PROG_TYPE_XDP,
7953 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7954 },
7955 {
7956 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
7957 .insns = {
7958 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7959 offsetof(struct xdp_md, data_meta)),
7960 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7961 offsetof(struct xdp_md, data)),
7962 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7964 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7965 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7966 BPF_MOV64_IMM(BPF_REG_0, 0),
7967 BPF_EXIT_INSN(),
7968 },
7969 .errstr = "R1 offset is outside of the packet",
7970 .result = REJECT,
7971 .prog_type = BPF_PROG_TYPE_XDP,
7972 },
7973 {
7974 "XDP pkt read, pkt_data <= pkt_meta', good access",
7975 .insns = {
7976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7977 offsetof(struct xdp_md, data_meta)),
7978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7979 offsetof(struct xdp_md, data)),
7980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7982 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7983 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7984 BPF_MOV64_IMM(BPF_REG_0, 0),
7985 BPF_EXIT_INSN(),
7986 },
7987 .result = ACCEPT,
7988 .prog_type = BPF_PROG_TYPE_XDP,
7989 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7990 },
7991 {
7992 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
7993 .insns = {
7994 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7995 offsetof(struct xdp_md, data_meta)),
7996 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7997 offsetof(struct xdp_md, data)),
7998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8000 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8001 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8002 BPF_MOV64_IMM(BPF_REG_0, 0),
8003 BPF_EXIT_INSN(),
8004 },
8005 .errstr = "R1 offset is outside of the packet",
8006 .result = REJECT,
8007 .prog_type = BPF_PROG_TYPE_XDP,
8008 },
8009 {
8010 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8011 .insns = {
8012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8013 offsetof(struct xdp_md, data_meta)),
8014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8015 offsetof(struct xdp_md, data)),
8016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8018 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8020 BPF_MOV64_IMM(BPF_REG_0, 0),
8021 BPF_EXIT_INSN(),
8022 },
8023 .errstr = "R1 offset is outside of the packet",
8024 .result = REJECT,
8025 .prog_type = BPF_PROG_TYPE_XDP,
8026 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8027 },
8028 {
Daniel Borkmannb06723d2017-11-01 23:58:09 +01008029 "bpf_exit with invalid return code. test1",
8030 .insns = {
8031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8032 BPF_EXIT_INSN(),
8033 },
8034 .errstr = "R0 has value (0x0; 0xffffffff)",
8035 .result = REJECT,
8036 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8037 },
8038 {
8039 "bpf_exit with invalid return code. test2",
8040 .insns = {
8041 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8042 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
8043 BPF_EXIT_INSN(),
8044 },
8045 .result = ACCEPT,
8046 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8047 },
8048 {
8049 "bpf_exit with invalid return code. test3",
8050 .insns = {
8051 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8052 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
8053 BPF_EXIT_INSN(),
8054 },
8055 .errstr = "R0 has value (0x0; 0x3)",
8056 .result = REJECT,
8057 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8058 },
8059 {
8060 "bpf_exit with invalid return code. test4",
8061 .insns = {
8062 BPF_MOV64_IMM(BPF_REG_0, 1),
8063 BPF_EXIT_INSN(),
8064 },
8065 .result = ACCEPT,
8066 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8067 },
8068 {
8069 "bpf_exit with invalid return code. test5",
8070 .insns = {
8071 BPF_MOV64_IMM(BPF_REG_0, 2),
8072 BPF_EXIT_INSN(),
8073 },
8074 .errstr = "R0 has value (0x2; 0x0)",
8075 .result = REJECT,
8076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8077 },
8078 {
8079 "bpf_exit with invalid return code. test6",
8080 .insns = {
8081 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8082 BPF_EXIT_INSN(),
8083 },
8084 .errstr = "R0 is not a known value (ctx)",
8085 .result = REJECT,
8086 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8087 },
8088 {
8089 "bpf_exit with invalid return code. test7",
8090 .insns = {
8091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
8093 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
8094 BPF_EXIT_INSN(),
8095 },
8096 .errstr = "R0 has unknown scalar value",
8097 .result = REJECT,
8098 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8099 },
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008100};
8101
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008102static int probe_filter_length(const struct bpf_insn *fp)
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008103{
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008104 int len;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008105
8106 for (len = MAX_INSNS - 1; len > 0; --len)
8107 if (fp[len].code != 0 || fp[len].imm != 0)
8108 break;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008109 return len + 1;
8110}
8111
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008112static int create_map(uint32_t size_value, uint32_t max_elem)
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008113{
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008114 int fd;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008115
Mickaël Salaünf4874d02017-02-10 00:21:43 +01008116 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008117 size_value, max_elem, BPF_F_NO_PREALLOC);
8118 if (fd < 0)
8119 printf("Failed to create hash map '%s'!\n", strerror(errno));
Alexei Starovoitovbf508872015-10-07 22:23:23 -07008120
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008121 return fd;
Alexei Starovoitovbf508872015-10-07 22:23:23 -07008122}
8123
8124static int create_prog_array(void)
8125{
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008126 int fd;
Alexei Starovoitovbf508872015-10-07 22:23:23 -07008127
Mickaël Salaünf4874d02017-02-10 00:21:43 +01008128 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008129 sizeof(int), 4, 0);
8130 if (fd < 0)
8131 printf("Failed to create prog array '%s'!\n", strerror(errno));
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008132
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008133 return fd;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008134}
8135
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008136static int create_map_in_map(void)
8137{
8138 int inner_map_fd, outer_map_fd;
8139
8140 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
8141 sizeof(int), 1, 0);
8142 if (inner_map_fd < 0) {
8143 printf("Failed to create array '%s'!\n", strerror(errno));
8144 return inner_map_fd;
8145 }
8146
Martin KaFai Lau88cda1c2017-09-27 14:37:54 -07008147 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008148 sizeof(int), inner_map_fd, 1, 0);
8149 if (outer_map_fd < 0)
8150 printf("Failed to create array of maps '%s'!\n",
8151 strerror(errno));
8152
8153 close(inner_map_fd);
8154
8155 return outer_map_fd;
8156}
8157
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008158static char bpf_vlog[32768];
8159
8160static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008161 int *map_fds)
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008162{
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008163 int *fixup_map1 = test->fixup_map1;
8164 int *fixup_map2 = test->fixup_map2;
8165 int *fixup_prog = test->fixup_prog;
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008166 int *fixup_map_in_map = test->fixup_map_in_map;
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008167
8168 /* Allocating HTs with 1 elem is fine here, since we only test
8169 * for verifier and not do a runtime lookup, so the only thing
8170 * that really matters is value size in this case.
8171 */
8172 if (*fixup_map1) {
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008173 map_fds[0] = create_map(sizeof(long long), 1);
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008174 do {
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008175 prog[*fixup_map1].imm = map_fds[0];
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008176 fixup_map1++;
8177 } while (*fixup_map1);
8178 }
8179
8180 if (*fixup_map2) {
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008181 map_fds[1] = create_map(sizeof(struct test_val), 1);
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008182 do {
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008183 prog[*fixup_map2].imm = map_fds[1];
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008184 fixup_map2++;
8185 } while (*fixup_map2);
8186 }
8187
8188 if (*fixup_prog) {
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008189 map_fds[2] = create_prog_array();
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008190 do {
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008191 prog[*fixup_prog].imm = map_fds[2];
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008192 fixup_prog++;
8193 } while (*fixup_prog);
8194 }
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008195
8196 if (*fixup_map_in_map) {
8197 map_fds[3] = create_map_in_map();
8198 do {
8199 prog[*fixup_map_in_map].imm = map_fds[3];
8200 fixup_map_in_map++;
8201 } while (*fixup_map_in_map);
8202 }
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008203}
8204
8205static void do_test_single(struct bpf_test *test, bool unpriv,
8206 int *passes, int *errors)
8207{
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02008208 int fd_prog, expected_ret, reject_from_alignment;
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008209 struct bpf_insn *prog = test->insns;
8210 int prog_len = probe_filter_length(prog);
8211 int prog_type = test->prog_type;
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008212 int map_fds[MAX_NR_MAPS];
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008213 const char *expected_err;
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008214 int i;
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008215
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008216 for (i = 0; i < MAX_NR_MAPS; i++)
8217 map_fds[i] = -1;
8218
8219 do_test_fixup(test, prog, map_fds);
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008220
Daniel Borkmann614d0d72017-05-25 01:05:09 +02008221 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
8222 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
Daniel Borkmannd6554902017-07-21 00:00:22 +02008223 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008224
8225 expected_ret = unpriv && test->result_unpriv != UNDEF ?
8226 test->result_unpriv : test->result;
8227 expected_err = unpriv && test->errstr_unpriv ?
8228 test->errstr_unpriv : test->errstr;
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02008229
8230 reject_from_alignment = fd_prog < 0 &&
8231 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
8232 strstr(bpf_vlog, "Unknown alignment.");
8233#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
8234 if (reject_from_alignment) {
8235 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
8236 strerror(errno));
8237 goto fail_log;
8238 }
8239#endif
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008240 if (expected_ret == ACCEPT) {
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02008241 if (fd_prog < 0 && !reject_from_alignment) {
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008242 printf("FAIL\nFailed to load prog '%s'!\n",
8243 strerror(errno));
8244 goto fail_log;
8245 }
8246 } else {
8247 if (fd_prog >= 0) {
8248 printf("FAIL\nUnexpected success to load!\n");
8249 goto fail_log;
8250 }
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02008251 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008252 printf("FAIL\nUnexpected error message!\n");
8253 goto fail_log;
8254 }
8255 }
8256
8257 (*passes)++;
Daniel Borkmann02ea80b2017-03-31 02:24:04 +02008258 printf("OK%s\n", reject_from_alignment ?
8259 " (NOTE: reject due to unknown alignment)" : "");
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008260close_fds:
8261 close(fd_prog);
Martin KaFai Laufb30d4b2017-03-22 10:00:35 -07008262 for (i = 0; i < MAX_NR_MAPS; i++)
8263 close(map_fds[i]);
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008264 sched_yield();
8265 return;
8266fail_log:
8267 (*errors)++;
8268 printf("%s", bpf_vlog);
8269 goto close_fds;
8270}
8271
Mickaël Salaünd02d8982017-02-10 00:21:37 +01008272static bool is_admin(void)
8273{
8274 cap_t caps;
8275 cap_flag_value_t sysadmin = CAP_CLEAR;
8276 const cap_value_t cap_val = CAP_SYS_ADMIN;
8277
Alexei Starovoitov1da8ac72017-03-10 22:05:55 -08008278#ifdef CAP_IS_SUPPORTED
Mickaël Salaünd02d8982017-02-10 00:21:37 +01008279 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
8280 perror("cap_get_flag");
8281 return false;
8282 }
Alexei Starovoitov1da8ac72017-03-10 22:05:55 -08008283#endif
Mickaël Salaünd02d8982017-02-10 00:21:37 +01008284 caps = cap_get_proc();
8285 if (!caps) {
8286 perror("cap_get_proc");
8287 return false;
8288 }
8289 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
8290 perror("cap_get_flag");
8291 if (cap_free(caps))
8292 perror("cap_free");
8293 return (sysadmin == CAP_SET);
8294}
8295
8296static int set_admin(bool admin)
8297{
8298 cap_t caps;
8299 const cap_value_t cap_val = CAP_SYS_ADMIN;
8300 int ret = -1;
8301
8302 caps = cap_get_proc();
8303 if (!caps) {
8304 perror("cap_get_proc");
8305 return -1;
8306 }
8307 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
8308 admin ? CAP_SET : CAP_CLEAR)) {
8309 perror("cap_set_flag");
8310 goto out;
8311 }
8312 if (cap_set_proc(caps)) {
8313 perror("cap_set_proc");
8314 goto out;
8315 }
8316 ret = 0;
8317out:
8318 if (cap_free(caps))
8319 perror("cap_free");
8320 return ret;
8321}
8322
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008323static int do_test(bool unpriv, unsigned int from, unsigned int to)
8324{
8325 int i, passes = 0, errors = 0;
8326
8327 for (i = from; i < to; i++) {
8328 struct bpf_test *test = &tests[i];
8329
8330 /* Program types that are not supported by non-root we
8331 * skip right away.
8332 */
Mickaël Salaünd02d8982017-02-10 00:21:37 +01008333 if (!test->prog_type) {
8334 if (!unpriv)
8335 set_admin(false);
8336 printf("#%d/u %s ", i, test->descr);
8337 do_test_single(test, true, &passes, &errors);
8338 if (!unpriv)
8339 set_admin(true);
8340 }
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008341
Mickaël Salaünd02d8982017-02-10 00:21:37 +01008342 if (!unpriv) {
8343 printf("#%d/p %s ", i, test->descr);
8344 do_test_single(test, false, &passes, &errors);
8345 }
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008346 }
8347
8348 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
Jesper Dangaard Brouerefe5f9c2017-06-13 15:17:19 +02008349 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008350}
8351
8352int main(int argc, char **argv)
8353{
8354 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
8355 struct rlimit rlim = { 1 << 20, 1 << 20 };
8356 unsigned int from = 0, to = ARRAY_SIZE(tests);
Mickaël Salaünd02d8982017-02-10 00:21:37 +01008357 bool unpriv = !is_admin();
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008358
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008359 if (argc == 3) {
8360 unsigned int l = atoi(argv[argc - 2]);
8361 unsigned int u = atoi(argv[argc - 1]);
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008362
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008363 if (l < to && u < to) {
8364 from = l;
8365 to = u + 1;
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008366 }
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008367 } else if (argc == 2) {
8368 unsigned int t = atoi(argv[argc - 1]);
Alexei Starovoitovbf508872015-10-07 22:23:23 -07008369
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008370 if (t < to) {
8371 from = t;
8372 to = t + 1;
Alexei Starovoitovbf508872015-10-07 22:23:23 -07008373 }
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008374 }
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008375
Daniel Borkmann5aa5bd12016-10-17 14:28:36 +02008376 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
8377 return do_test(unpriv, from, to);
Alexei Starovoitov3c731eb2014-09-26 00:17:07 -07008378}