0001 {
0002 "valid cgroup storage access",
0003 .insns = {
0004 BPF_MOV64_IMM(BPF_REG_2, 0),
0005 BPF_LD_MAP_FD(BPF_REG_1, 0),
0006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0007 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0008 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0009 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0010 BPF_EXIT_INSN(),
0011 },
0012 .fixup_cgroup_storage = { 1 },
0013 .result = ACCEPT,
0014 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0015 },
0016 {
0017 "invalid cgroup storage access 1",
0018 .insns = {
0019 BPF_MOV64_IMM(BPF_REG_2, 0),
0020 BPF_LD_MAP_FD(BPF_REG_1, 0),
0021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0022 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0023 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0024 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0025 BPF_EXIT_INSN(),
0026 },
0027 .fixup_map_hash_8b = { 1 },
0028 .result = REJECT,
0029 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
0030 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0031 },
0032 {
0033 "invalid cgroup storage access 2",
0034 .insns = {
0035 BPF_MOV64_IMM(BPF_REG_2, 0),
0036 BPF_LD_MAP_FD(BPF_REG_1, 1),
0037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0038 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0039 BPF_EXIT_INSN(),
0040 },
0041 .result = REJECT,
0042 .errstr = "fd 1 is not pointing to valid bpf_map",
0043 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0044 },
0045 {
0046 "invalid cgroup storage access 3",
0047 .insns = {
0048 BPF_MOV64_IMM(BPF_REG_2, 0),
0049 BPF_LD_MAP_FD(BPF_REG_1, 0),
0050 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0051 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
0052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
0053 BPF_MOV64_IMM(BPF_REG_0, 0),
0054 BPF_EXIT_INSN(),
0055 },
0056 .fixup_cgroup_storage = { 1 },
0057 .result = REJECT,
0058 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
0059 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0060 },
0061 {
0062 "invalid cgroup storage access 4",
0063 .insns = {
0064 BPF_MOV64_IMM(BPF_REG_2, 0),
0065 BPF_LD_MAP_FD(BPF_REG_1, 0),
0066 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0067 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
0068 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
0070 BPF_EXIT_INSN(),
0071 },
0072 .fixup_cgroup_storage = { 1 },
0073 .result = REJECT,
0074 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
0075 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0076 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0077 },
0078 {
0079 "invalid cgroup storage access 5",
0080 .insns = {
0081 BPF_MOV64_IMM(BPF_REG_2, 7),
0082 BPF_LD_MAP_FD(BPF_REG_1, 0),
0083 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0084 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0085 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0086 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0087 BPF_EXIT_INSN(),
0088 },
0089 .fixup_cgroup_storage = { 1 },
0090 .result = REJECT,
0091 .errstr = "get_local_storage() doesn't support non-zero flags",
0092 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0093 },
0094 {
0095 "invalid cgroup storage access 6",
0096 .insns = {
0097 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
0098 BPF_LD_MAP_FD(BPF_REG_1, 0),
0099 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0100 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0101 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0102 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0103 BPF_EXIT_INSN(),
0104 },
0105 .fixup_cgroup_storage = { 1 },
0106 .result = REJECT,
0107 .errstr = "get_local_storage() doesn't support non-zero flags",
0108 .errstr_unpriv = "R2 leaks addr into helper function",
0109 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0110 },
0111 {
0112 "valid per-cpu cgroup storage access",
0113 .insns = {
0114 BPF_MOV64_IMM(BPF_REG_2, 0),
0115 BPF_LD_MAP_FD(BPF_REG_1, 0),
0116 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0117 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0118 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0119 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0120 BPF_EXIT_INSN(),
0121 },
0122 .fixup_percpu_cgroup_storage = { 1 },
0123 .result = ACCEPT,
0124 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0125 },
0126 {
0127 "invalid per-cpu cgroup storage access 1",
0128 .insns = {
0129 BPF_MOV64_IMM(BPF_REG_2, 0),
0130 BPF_LD_MAP_FD(BPF_REG_1, 0),
0131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0132 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0133 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0134 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0135 BPF_EXIT_INSN(),
0136 },
0137 .fixup_map_hash_8b = { 1 },
0138 .result = REJECT,
0139 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
0140 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0141 },
0142 {
0143 "invalid per-cpu cgroup storage access 2",
0144 .insns = {
0145 BPF_MOV64_IMM(BPF_REG_2, 0),
0146 BPF_LD_MAP_FD(BPF_REG_1, 1),
0147 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0148 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0149 BPF_EXIT_INSN(),
0150 },
0151 .result = REJECT,
0152 .errstr = "fd 1 is not pointing to valid bpf_map",
0153 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0154 },
0155 {
0156 "invalid per-cpu cgroup storage access 3",
0157 .insns = {
0158 BPF_MOV64_IMM(BPF_REG_2, 0),
0159 BPF_LD_MAP_FD(BPF_REG_1, 0),
0160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0161 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
0162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
0163 BPF_MOV64_IMM(BPF_REG_0, 0),
0164 BPF_EXIT_INSN(),
0165 },
0166 .fixup_percpu_cgroup_storage = { 1 },
0167 .result = REJECT,
0168 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
0169 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0170 },
0171 {
0172 "invalid per-cpu cgroup storage access 4",
0173 .insns = {
0174 BPF_MOV64_IMM(BPF_REG_2, 0),
0175 BPF_LD_MAP_FD(BPF_REG_1, 0),
0176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0177 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
0178 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
0180 BPF_EXIT_INSN(),
0181 },
0182 .fixup_cgroup_storage = { 1 },
0183 .result = REJECT,
0184 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
0185 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0186 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0187 },
0188 {
0189 "invalid per-cpu cgroup storage access 5",
0190 .insns = {
0191 BPF_MOV64_IMM(BPF_REG_2, 7),
0192 BPF_LD_MAP_FD(BPF_REG_1, 0),
0193 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0194 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0195 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0196 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0197 BPF_EXIT_INSN(),
0198 },
0199 .fixup_percpu_cgroup_storage = { 1 },
0200 .result = REJECT,
0201 .errstr = "get_local_storage() doesn't support non-zero flags",
0202 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0203 },
0204 {
0205 "invalid per-cpu cgroup storage access 6",
0206 .insns = {
0207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
0208 BPF_LD_MAP_FD(BPF_REG_1, 0),
0209 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
0210 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0211 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0212 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0213 BPF_EXIT_INSN(),
0214 },
0215 .fixup_percpu_cgroup_storage = { 1 },
0216 .result = REJECT,
0217 .errstr = "get_local_storage() doesn't support non-zero flags",
0218 .errstr_unpriv = "R2 leaks addr into helper function",
0219 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0220 },
