0001 {
0002 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
0003 .insns = {
0004 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0006 BPF_MOV64_IMM(BPF_REG_0, 0),
0007 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
0008 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
0009 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
0010 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
0011 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
0012 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
0013 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
0014 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
0015 BPF_MOV64_IMM(BPF_REG_2, 16),
0016 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0017 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0018 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
0019 BPF_MOV64_IMM(BPF_REG_4, 0),
0020 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
0021 BPF_MOV64_IMM(BPF_REG_3, 0),
0022 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0023 BPF_MOV64_IMM(BPF_REG_0, 0),
0024 BPF_EXIT_INSN(),
0025 },
0026 .result = ACCEPT,
0027 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0028 },
0029 {
0030 "helper access to variable memory: stack, bitwise AND, zero included",
0031 .insns = {
0032 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0035 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0036 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0037 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
0038 BPF_MOV64_IMM(BPF_REG_3, 0),
0039 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0040 BPF_EXIT_INSN(),
0041 },
0042 .errstr = "invalid indirect read from stack R1 off -64+0 size 64",
0043 .result = REJECT,
0044 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0045 },
0046 {
0047 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
0048 .insns = {
0049 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0050 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0052 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0053 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0054 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
0055 BPF_MOV64_IMM(BPF_REG_4, 0),
0056 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
0057 BPF_MOV64_IMM(BPF_REG_3, 0),
0058 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0059 BPF_MOV64_IMM(BPF_REG_0, 0),
0060 BPF_EXIT_INSN(),
0061 },
0062 .errstr = "invalid indirect access to stack R1 off=-64 size=65",
0063 .result = REJECT,
0064 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0065 },
0066 {
0067 "helper access to variable memory: stack, JMP, correct bounds",
0068 .insns = {
0069 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0071 BPF_MOV64_IMM(BPF_REG_0, 0),
0072 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
0073 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
0074 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
0075 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
0076 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
0077 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
0078 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
0079 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
0080 BPF_MOV64_IMM(BPF_REG_2, 16),
0081 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0082 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0083 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
0084 BPF_MOV64_IMM(BPF_REG_4, 0),
0085 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
0086 BPF_MOV64_IMM(BPF_REG_3, 0),
0087 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0088 BPF_MOV64_IMM(BPF_REG_0, 0),
0089 BPF_EXIT_INSN(),
0090 },
0091 .result = ACCEPT,
0092 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0093 },
0094 {
0095 "helper access to variable memory: stack, JMP (signed), correct bounds",
0096 .insns = {
0097 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0099 BPF_MOV64_IMM(BPF_REG_0, 0),
0100 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
0101 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
0102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
0103 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
0104 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
0105 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
0106 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
0107 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
0108 BPF_MOV64_IMM(BPF_REG_2, 16),
0109 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0110 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0111 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
0112 BPF_MOV64_IMM(BPF_REG_4, 0),
0113 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
0114 BPF_MOV64_IMM(BPF_REG_3, 0),
0115 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0116 BPF_MOV64_IMM(BPF_REG_0, 0),
0117 BPF_EXIT_INSN(),
0118 },
0119 .result = ACCEPT,
0120 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0121 },
0122 {
0123 "helper access to variable memory: stack, JMP, bounds + offset",
0124 .insns = {
0125 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0128 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0129 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0130 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
0131 BPF_MOV64_IMM(BPF_REG_4, 0),
0132 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
0133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
0134 BPF_MOV64_IMM(BPF_REG_3, 0),
0135 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0136 BPF_MOV64_IMM(BPF_REG_0, 0),
0137 BPF_EXIT_INSN(),
0138 },
0139 .errstr = "invalid indirect access to stack R1 off=-64 size=65",
0140 .result = REJECT,
0141 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0142 },
0143 {
0144 "helper access to variable memory: stack, JMP, wrong max",
0145 .insns = {
0146 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0149 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0150 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0151 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
0152 BPF_MOV64_IMM(BPF_REG_4, 0),
0153 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
0154 BPF_MOV64_IMM(BPF_REG_3, 0),
0155 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0156 BPF_MOV64_IMM(BPF_REG_0, 0),
0157 BPF_EXIT_INSN(),
0158 },
0159 .errstr = "invalid indirect access to stack R1 off=-64 size=65",
0160 .result = REJECT,
0161 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0162 },
0163 {
0164 "helper access to variable memory: stack, JMP, no max check",
0165 .insns = {
0166 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0169 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0170 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0171 BPF_MOV64_IMM(BPF_REG_4, 0),
0172 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
0173 BPF_MOV64_IMM(BPF_REG_3, 0),
0174 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0175 BPF_MOV64_IMM(BPF_REG_0, 0),
0176 BPF_EXIT_INSN(),
0177 },
0178
0179 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
0180 .result = REJECT,
0181 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0182 },
0183 {
0184 "helper access to variable memory: stack, JMP, no min check",
0185 .insns = {
0186 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0189 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0190 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0191 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
0192 BPF_MOV64_IMM(BPF_REG_3, 0),
0193 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0194 BPF_MOV64_IMM(BPF_REG_0, 0),
0195 BPF_EXIT_INSN(),
0196 },
0197 .errstr = "invalid indirect read from stack R1 off -64+0 size 64",
0198 .result = REJECT,
0199 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0200 },
0201 {
0202 "helper access to variable memory: stack, JMP (signed), no min check",
0203 .insns = {
0204 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0207 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
0208 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
0209 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
0210 BPF_MOV64_IMM(BPF_REG_3, 0),
0211 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0212 BPF_MOV64_IMM(BPF_REG_0, 0),
0213 BPF_EXIT_INSN(),
0214 },
0215 .errstr = "R2 min value is negative",
0216 .result = REJECT,
0217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0218 },
0219 {
0220 "helper access to variable memory: map, JMP, correct bounds",
0221 .insns = {
0222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0225 BPF_LD_MAP_FD(BPF_REG_1, 0),
0226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
0228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0229 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
0230 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
0231 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
0232 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val), 4),
0233 BPF_MOV64_IMM(BPF_REG_4, 0),
0234 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
0235 BPF_MOV64_IMM(BPF_REG_3, 0),
0236 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0237 BPF_MOV64_IMM(BPF_REG_0, 0),
0238 BPF_EXIT_INSN(),
0239 },
0240 .fixup_map_hash_48b = { 3 },
0241 .result = ACCEPT,
0242 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0243 },
0244 {
0245 "helper access to variable memory: map, JMP, wrong max",
0246 .insns = {
0247 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
0248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0251 BPF_LD_MAP_FD(BPF_REG_1, 0),
0252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
0254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
0256 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
0257 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
0258 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) + 1, 4),
0259 BPF_MOV64_IMM(BPF_REG_4, 0),
0260 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
0261 BPF_MOV64_IMM(BPF_REG_3, 0),
0262 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0263 BPF_MOV64_IMM(BPF_REG_0, 0),
0264 BPF_EXIT_INSN(),
0265 },
0266 .fixup_map_hash_48b = { 4 },
0267 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
0268 .result = REJECT,
0269 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0270 },
0271 {
0272 "helper access to variable memory: map adjusted, JMP, correct bounds",
0273 .insns = {
0274 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0275 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0276 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0277 BPF_LD_MAP_FD(BPF_REG_1, 0),
0278 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
0282 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
0283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
0284 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
0285 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 20, 4),
0286 BPF_MOV64_IMM(BPF_REG_4, 0),
0287 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
0288 BPF_MOV64_IMM(BPF_REG_3, 0),
0289 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0290 BPF_MOV64_IMM(BPF_REG_0, 0),
0291 BPF_EXIT_INSN(),
0292 },
0293 .fixup_map_hash_48b = { 3 },
0294 .result = ACCEPT,
0295 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0296 },
0297 {
0298 "helper access to variable memory: map adjusted, JMP, wrong max",
0299 .insns = {
0300 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
0301 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0303 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0304 BPF_LD_MAP_FD(BPF_REG_1, 0),
0305 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0306 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
0309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
0310 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
0311 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
0312 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 19, 4),
0313 BPF_MOV64_IMM(BPF_REG_4, 0),
0314 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
0315 BPF_MOV64_IMM(BPF_REG_3, 0),
0316 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0317 BPF_MOV64_IMM(BPF_REG_0, 0),
0318 BPF_EXIT_INSN(),
0319 },
0320 .fixup_map_hash_48b = { 4 },
0321 .errstr = "R1 min value is outside of the allowed memory range",
0322 .result = REJECT,
0323 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0324 },
0325 {
0326 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
0327 .insns = {
0328 BPF_MOV64_IMM(BPF_REG_1, 0),
0329 BPF_MOV64_IMM(BPF_REG_2, 0),
0330 BPF_MOV64_IMM(BPF_REG_3, 0),
0331 BPF_MOV64_IMM(BPF_REG_4, 0),
0332 BPF_MOV64_IMM(BPF_REG_5, 0),
0333 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0334 BPF_EXIT_INSN(),
0335 },
0336 .result = ACCEPT,
0337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0338 },
0339 {
0340 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
0341 .insns = {
0342 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
0343 BPF_MOV64_IMM(BPF_REG_1, 0),
0344 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
0345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
0346 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
0347 BPF_MOV64_IMM(BPF_REG_3, 0),
0348 BPF_MOV64_IMM(BPF_REG_4, 0),
0349 BPF_MOV64_IMM(BPF_REG_5, 0),
0350 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0351 BPF_EXIT_INSN(),
0352 },
0353 .errstr = "R1 type=scalar expected=fp",
0354 .result = REJECT,
0355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0356 },
0357 {
0358 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
0359 .insns = {
0360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0362 BPF_MOV64_IMM(BPF_REG_2, 0),
0363 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
0364 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
0365 BPF_MOV64_IMM(BPF_REG_3, 0),
0366 BPF_MOV64_IMM(BPF_REG_4, 0),
0367 BPF_MOV64_IMM(BPF_REG_5, 0),
0368 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0369 BPF_EXIT_INSN(),
0370 },
0371 .result = ACCEPT,
0372 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0373 },
0374 {
0375 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
0376 .insns = {
0377 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0378 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0380 BPF_LD_MAP_FD(BPF_REG_1, 0),
0381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0382 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0384 BPF_MOV64_IMM(BPF_REG_2, 0),
0385 BPF_MOV64_IMM(BPF_REG_3, 0),
0386 BPF_MOV64_IMM(BPF_REG_4, 0),
0387 BPF_MOV64_IMM(BPF_REG_5, 0),
0388 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0389 BPF_EXIT_INSN(),
0390 },
0391 .fixup_map_hash_8b = { 3 },
0392 .result = ACCEPT,
0393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0394 },
0395 {
0396 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
0397 .insns = {
0398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0401 BPF_LD_MAP_FD(BPF_REG_1, 0),
0402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
0404 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
0405 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
0406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0408 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
0409 BPF_MOV64_IMM(BPF_REG_3, 0),
0410 BPF_MOV64_IMM(BPF_REG_4, 0),
0411 BPF_MOV64_IMM(BPF_REG_5, 0),
0412 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0413 BPF_EXIT_INSN(),
0414 },
0415 .fixup_map_hash_8b = { 3 },
0416 .result = ACCEPT,
0417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0418 },
0419 {
0420 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
0421 .insns = {
0422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0425 BPF_LD_MAP_FD(BPF_REG_1, 0),
0426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0429 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
0430 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
0431 BPF_MOV64_IMM(BPF_REG_3, 0),
0432 BPF_MOV64_IMM(BPF_REG_4, 0),
0433 BPF_MOV64_IMM(BPF_REG_5, 0),
0434 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0435 BPF_EXIT_INSN(),
0436 },
0437 .fixup_map_hash_8b = { 3 },
0438 .result = ACCEPT,
0439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0440 },
0441 {
0442 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
0443 .insns = {
0444 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
0445 offsetof(struct __sk_buff, data)),
0446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0447 offsetof(struct __sk_buff, data_end)),
0448 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
0449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0450 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
0451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0452 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
0453 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
0454 BPF_MOV64_IMM(BPF_REG_3, 0),
0455 BPF_MOV64_IMM(BPF_REG_4, 0),
0456 BPF_MOV64_IMM(BPF_REG_5, 0),
0457 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
0458 BPF_EXIT_INSN(),
0459 },
0460 .result = ACCEPT,
0461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0462 .retval = 0 ,
0463 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0464 },
0465 {
0466 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
0467 .insns = {
0468 BPF_MOV64_IMM(BPF_REG_1, 0),
0469 BPF_MOV64_IMM(BPF_REG_2, 0),
0470 BPF_MOV64_IMM(BPF_REG_3, 0),
0471 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0472 BPF_EXIT_INSN(),
0473 },
0474 .errstr = "R1 type=scalar expected=fp",
0475 .result = REJECT,
0476 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0477 },
0478 {
0479 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
0480 .insns = {
0481 BPF_MOV64_IMM(BPF_REG_1, 0),
0482 BPF_MOV64_IMM(BPF_REG_2, 1),
0483 BPF_MOV64_IMM(BPF_REG_3, 0),
0484 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0485 BPF_EXIT_INSN(),
0486 },
0487 .errstr = "R1 type=scalar expected=fp",
0488 .result = REJECT,
0489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0490 },
0491 {
0492 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
0493 .insns = {
0494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0496 BPF_MOV64_IMM(BPF_REG_2, 0),
0497 BPF_MOV64_IMM(BPF_REG_3, 0),
0498 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0499 BPF_EXIT_INSN(),
0500 },
0501 .result = ACCEPT,
0502 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0503 },
0504 {
0505 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
0506 .insns = {
0507 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0508 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0510 BPF_LD_MAP_FD(BPF_REG_1, 0),
0511 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0514 BPF_MOV64_IMM(BPF_REG_2, 0),
0515 BPF_MOV64_IMM(BPF_REG_3, 0),
0516 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0517 BPF_EXIT_INSN(),
0518 },
0519 .fixup_map_hash_8b = { 3 },
0520 .result = ACCEPT,
0521 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0522 },
0523 {
0524 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
0525 .insns = {
0526 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0529 BPF_LD_MAP_FD(BPF_REG_1, 0),
0530 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0531 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0532 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
0533 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
0534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0536 BPF_MOV64_IMM(BPF_REG_3, 0),
0537 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0538 BPF_EXIT_INSN(),
0539 },
0540 .fixup_map_hash_8b = { 3 },
0541 .result = ACCEPT,
0542 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0543 },
0544 {
0545 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
0546 .insns = {
0547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0550 BPF_LD_MAP_FD(BPF_REG_1, 0),
0551 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0553 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0554 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
0555 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
0556 BPF_MOV64_IMM(BPF_REG_3, 0),
0557 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0558 BPF_EXIT_INSN(),
0559 },
0560 .fixup_map_hash_8b = { 3 },
0561 .result = ACCEPT,
0562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0563 },
0564 {
0565 "helper access to variable memory: 8 bytes leak",
0566 .insns = {
0567 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
0568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0570 BPF_MOV64_IMM(BPF_REG_0, 0),
0571 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
0572 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
0573 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
0574 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
0575 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
0576 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
0577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
0578 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
0579 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
0580 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
0581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
0582 BPF_MOV64_IMM(BPF_REG_3, 0),
0583 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0584 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
0585 BPF_EXIT_INSN(),
0586 },
0587 .errstr = "invalid indirect read from stack R1 off -64+32 size 64",
0588 .result = REJECT,
0589 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0590 },
0591 {
0592 "helper access to variable memory: 8 bytes no leak (init memory)",
0593 .insns = {
0594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0595 BPF_MOV64_IMM(BPF_REG_0, 0),
0596 BPF_MOV64_IMM(BPF_REG_0, 0),
0597 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
0598 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
0599 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
0600 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
0601 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
0602 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
0603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
0604 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
0605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
0606 BPF_MOV64_IMM(BPF_REG_2, 0),
0607 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
0608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
0609 BPF_MOV64_IMM(BPF_REG_3, 0),
0610 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0611 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
0612 BPF_EXIT_INSN(),
0613 },
0614 .result = ACCEPT,
0615 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0616 },
