0001 {
0002 "helper access to map: full range",
0003 .insns = {
0004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0007 BPF_LD_MAP_FD(BPF_REG_1, 0),
0008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0011 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
0012 BPF_MOV64_IMM(BPF_REG_3, 0),
0013 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0014 BPF_EXIT_INSN(),
0015 },
0016 .fixup_map_hash_48b = { 3 },
0017 .result = ACCEPT,
0018 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0019 },
0020 {
0021 "helper access to map: partial range",
0022 .insns = {
0023 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0025 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0026 BPF_LD_MAP_FD(BPF_REG_1, 0),
0027 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0028 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0029 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0030 BPF_MOV64_IMM(BPF_REG_2, 8),
0031 BPF_MOV64_IMM(BPF_REG_3, 0),
0032 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0033 BPF_EXIT_INSN(),
0034 },
0035 .fixup_map_hash_48b = { 3 },
0036 .result = ACCEPT,
0037 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0038 },
0039 {
0040 "helper access to map: empty range",
0041 .insns = {
0042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0044 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0045 BPF_LD_MAP_FD(BPF_REG_1, 0),
0046 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0048 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0049 BPF_MOV64_IMM(BPF_REG_2, 0),
0050 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
0051 BPF_EXIT_INSN(),
0052 },
0053 .fixup_map_hash_48b = { 3 },
0054 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
0055 .result = REJECT,
0056 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0057 },
0058 {
0059 "helper access to map: out-of-bound range",
0060 .insns = {
0061 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0063 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0064 BPF_LD_MAP_FD(BPF_REG_1, 0),
0065 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0066 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0068 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
0069 BPF_MOV64_IMM(BPF_REG_3, 0),
0070 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0071 BPF_EXIT_INSN(),
0072 },
0073 .fixup_map_hash_48b = { 3 },
0074 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
0075 .result = REJECT,
0076 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0077 },
0078 {
0079 "helper access to map: negative range",
0080 .insns = {
0081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0083 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0084 BPF_LD_MAP_FD(BPF_REG_1, 0),
0085 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0087 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0088 BPF_MOV64_IMM(BPF_REG_2, -8),
0089 BPF_MOV64_IMM(BPF_REG_3, 0),
0090 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0091 BPF_EXIT_INSN(),
0092 },
0093 .fixup_map_hash_48b = { 3 },
0094 .errstr = "R2 min value is negative",
0095 .result = REJECT,
0096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0097 },
0098 {
0099 "helper access to adjusted map (via const imm): full range",
0100 .insns = {
0101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0104 BPF_LD_MAP_FD(BPF_REG_1, 0),
0105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
0109 BPF_MOV64_IMM(BPF_REG_2,
0110 sizeof(struct test_val) - offsetof(struct test_val, foo)),
0111 BPF_MOV64_IMM(BPF_REG_3, 0),
0112 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0113 BPF_EXIT_INSN(),
0114 },
0115 .fixup_map_hash_48b = { 3 },
0116 .result = ACCEPT,
0117 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0118 },
0119 {
0120 "helper access to adjusted map (via const imm): partial range",
0121 .insns = {
0122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0124 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0125 BPF_LD_MAP_FD(BPF_REG_1, 0),
0126 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0127 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
0130 BPF_MOV64_IMM(BPF_REG_2, 8),
0131 BPF_MOV64_IMM(BPF_REG_3, 0),
0132 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0133 BPF_EXIT_INSN(),
0134 },
0135 .fixup_map_hash_48b = { 3 },
0136 .result = ACCEPT,
0137 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0138 },
0139 {
0140 "helper access to adjusted map (via const imm): empty range",
0141 .insns = {
0142 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0144 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0145 BPF_LD_MAP_FD(BPF_REG_1, 0),
0146 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
0150 BPF_MOV64_IMM(BPF_REG_2, 0),
0151 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
0152 BPF_EXIT_INSN(),
0153 },
0154 .fixup_map_hash_48b = { 3 },
0155 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
0156 .result = REJECT,
0157 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0158 },
0159 {
0160 "helper access to adjusted map (via const imm): out-of-bound range",
0161 .insns = {
0162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0164 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0165 BPF_LD_MAP_FD(BPF_REG_1, 0),
0166 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
0170 BPF_MOV64_IMM(BPF_REG_2,
0171 sizeof(struct test_val) - offsetof(struct test_val, foo) + 8),
0172 BPF_MOV64_IMM(BPF_REG_3, 0),
0173 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0174 BPF_EXIT_INSN(),
0175 },
0176 .fixup_map_hash_48b = { 3 },
0177 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
0178 .result = REJECT,
0179 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0180 },
0181 {
0182 "helper access to adjusted map (via const imm): negative range (> adjustment)",
0183 .insns = {
0184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0186 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0187 BPF_LD_MAP_FD(BPF_REG_1, 0),
0188 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0189 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
0192 BPF_MOV64_IMM(BPF_REG_2, -8),
0193 BPF_MOV64_IMM(BPF_REG_3, 0),
0194 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0195 BPF_EXIT_INSN(),
0196 },
0197 .fixup_map_hash_48b = { 3 },
0198 .errstr = "R2 min value is negative",
0199 .result = REJECT,
0200 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0201 },
0202 {
0203 "helper access to adjusted map (via const imm): negative range (< adjustment)",
0204 .insns = {
0205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0207 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0208 BPF_LD_MAP_FD(BPF_REG_1, 0),
0209 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0211 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
0213 BPF_MOV64_IMM(BPF_REG_2, -1),
0214 BPF_MOV64_IMM(BPF_REG_3, 0),
0215 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0216 BPF_EXIT_INSN(),
0217 },
0218 .fixup_map_hash_48b = { 3 },
0219 .errstr = "R2 min value is negative",
0220 .result = REJECT,
0221 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0222 },
0223 {
0224 "helper access to adjusted map (via const reg): full range",
0225 .insns = {
0226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0228 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0229 BPF_LD_MAP_FD(BPF_REG_1, 0),
0230 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0233 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
0234 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0235 BPF_MOV64_IMM(BPF_REG_2,
0236 sizeof(struct test_val) - offsetof(struct test_val, foo)),
0237 BPF_MOV64_IMM(BPF_REG_3, 0),
0238 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0239 BPF_EXIT_INSN(),
0240 },
0241 .fixup_map_hash_48b = { 3 },
0242 .result = ACCEPT,
0243 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0244 },
0245 {
0246 "helper access to adjusted map (via const reg): partial range",
0247 .insns = {
0248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0251 BPF_LD_MAP_FD(BPF_REG_1, 0),
0252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0255 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
0256 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0257 BPF_MOV64_IMM(BPF_REG_2, 8),
0258 BPF_MOV64_IMM(BPF_REG_3, 0),
0259 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0260 BPF_EXIT_INSN(),
0261 },
0262 .fixup_map_hash_48b = { 3 },
0263 .result = ACCEPT,
0264 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0265 },
0266 {
0267 "helper access to adjusted map (via const reg): empty range",
0268 .insns = {
0269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0271 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0272 BPF_LD_MAP_FD(BPF_REG_1, 0),
0273 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0276 BPF_MOV64_IMM(BPF_REG_3, 0),
0277 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0278 BPF_MOV64_IMM(BPF_REG_2, 0),
0279 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
0280 BPF_EXIT_INSN(),
0281 },
0282 .fixup_map_hash_48b = { 3 },
0283 .errstr = "R1 min value is outside of the allowed memory range",
0284 .result = REJECT,
0285 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0286 },
0287 {
0288 "helper access to adjusted map (via const reg): out-of-bound range",
0289 .insns = {
0290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0292 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0293 BPF_LD_MAP_FD(BPF_REG_1, 0),
0294 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0297 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
0298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0299 BPF_MOV64_IMM(BPF_REG_2,
0300 sizeof(struct test_val) -
0301 offsetof(struct test_val, foo) + 8),
0302 BPF_MOV64_IMM(BPF_REG_3, 0),
0303 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0304 BPF_EXIT_INSN(),
0305 },
0306 .fixup_map_hash_48b = { 3 },
0307 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
0308 .result = REJECT,
0309 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0310 },
0311 {
0312 "helper access to adjusted map (via const reg): negative range (> adjustment)",
0313 .insns = {
0314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0316 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0317 BPF_LD_MAP_FD(BPF_REG_1, 0),
0318 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0321 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
0322 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0323 BPF_MOV64_IMM(BPF_REG_2, -8),
0324 BPF_MOV64_IMM(BPF_REG_3, 0),
0325 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0326 BPF_EXIT_INSN(),
0327 },
0328 .fixup_map_hash_48b = { 3 },
0329 .errstr = "R2 min value is negative",
0330 .result = REJECT,
0331 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0332 },
0333 {
0334 "helper access to adjusted map (via const reg): negative range (< adjustment)",
0335 .insns = {
0336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0338 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0339 BPF_LD_MAP_FD(BPF_REG_1, 0),
0340 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0343 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
0344 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0345 BPF_MOV64_IMM(BPF_REG_2, -1),
0346 BPF_MOV64_IMM(BPF_REG_3, 0),
0347 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0348 BPF_EXIT_INSN(),
0349 },
0350 .fixup_map_hash_48b = { 3 },
0351 .errstr = "R2 min value is negative",
0352 .result = REJECT,
0353 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0354 },
0355 {
0356 "helper access to adjusted map (via variable): full range",
0357 .insns = {
0358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0360 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0361 BPF_LD_MAP_FD(BPF_REG_1, 0),
0362 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0364 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0365 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0366 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
0367 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0368 BPF_MOV64_IMM(BPF_REG_2,
0369 sizeof(struct test_val) - offsetof(struct test_val, foo)),
0370 BPF_MOV64_IMM(BPF_REG_3, 0),
0371 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0372 BPF_EXIT_INSN(),
0373 },
0374 .fixup_map_hash_48b = { 3 },
0375 .result = ACCEPT,
0376 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0377 },
0378 {
0379 "helper access to adjusted map (via variable): partial range",
0380 .insns = {
0381 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0383 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0384 BPF_LD_MAP_FD(BPF_REG_1, 0),
0385 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0386 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0387 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0388 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0389 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
0390 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0391 BPF_MOV64_IMM(BPF_REG_2, 8),
0392 BPF_MOV64_IMM(BPF_REG_3, 0),
0393 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0394 BPF_EXIT_INSN(),
0395 },
0396 .fixup_map_hash_48b = { 3 },
0397 .result = ACCEPT,
0398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0399 },
0400 {
0401 "helper access to adjusted map (via variable): empty range",
0402 .insns = {
0403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0405 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0406 BPF_LD_MAP_FD(BPF_REG_1, 0),
0407 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0408 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0410 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0411 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 3),
0412 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0413 BPF_MOV64_IMM(BPF_REG_2, 0),
0414 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
0415 BPF_EXIT_INSN(),
0416 },
0417 .fixup_map_hash_48b = { 3 },
0418 .errstr = "R1 min value is outside of the allowed memory range",
0419 .result = REJECT,
0420 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0421 },
0422 {
0423 "helper access to adjusted map (via variable): no max check",
0424 .insns = {
0425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0427 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0428 BPF_LD_MAP_FD(BPF_REG_1, 0),
0429 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0430 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0432 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0433 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0434 BPF_MOV64_IMM(BPF_REG_2, 1),
0435 BPF_MOV64_IMM(BPF_REG_3, 0),
0436 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0437 BPF_EXIT_INSN(),
0438 },
0439 .fixup_map_hash_48b = { 3 },
0440 .errstr = "R1 unbounded memory access",
0441 .result = REJECT,
0442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0443 },
0444 {
0445 "helper access to adjusted map (via variable): wrong max check",
0446 .insns = {
0447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0450 BPF_LD_MAP_FD(BPF_REG_1, 0),
0451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0455 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
0456 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0457 BPF_MOV64_IMM(BPF_REG_2,
0458 sizeof(struct test_val) -
0459 offsetof(struct test_val, foo) + 1),
0460 BPF_MOV64_IMM(BPF_REG_3, 0),
0461 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
0462 BPF_EXIT_INSN(),
0463 },
0464 .fixup_map_hash_48b = { 3 },
0465 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
0466 .result = REJECT,
0467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0468 },
0469 {
0470 "helper access to map: bounds check using <, good access",
0471 .insns = {
0472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0474 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0475 BPF_LD_MAP_FD(BPF_REG_1, 0),
0476 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0479 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0480 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
0481 BPF_MOV64_IMM(BPF_REG_0, 0),
0482 BPF_EXIT_INSN(),
0483 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0484 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0485 BPF_MOV64_IMM(BPF_REG_0, 0),
0486 BPF_EXIT_INSN(),
0487 },
0488 .fixup_map_hash_48b = { 3 },
0489 .result = ACCEPT,
0490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0491 },
0492 {
0493 "helper access to map: bounds check using <, bad access",
0494 .insns = {
0495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0497 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0498 BPF_LD_MAP_FD(BPF_REG_1, 0),
0499 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0500 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0503 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
0504 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0505 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0506 BPF_MOV64_IMM(BPF_REG_0, 0),
0507 BPF_EXIT_INSN(),
0508 BPF_MOV64_IMM(BPF_REG_0, 0),
0509 BPF_EXIT_INSN(),
0510 },
0511 .fixup_map_hash_48b = { 3 },
0512 .result = REJECT,
0513 .errstr = "R1 unbounded memory access",
0514 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0515 },
0516 {
0517 "helper access to map: bounds check using <=, good access",
0518 .insns = {
0519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0521 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0522 BPF_LD_MAP_FD(BPF_REG_1, 0),
0523 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0526 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0527 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
0528 BPF_MOV64_IMM(BPF_REG_0, 0),
0529 BPF_EXIT_INSN(),
0530 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0531 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0532 BPF_MOV64_IMM(BPF_REG_0, 0),
0533 BPF_EXIT_INSN(),
0534 },
0535 .fixup_map_hash_48b = { 3 },
0536 .result = ACCEPT,
0537 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0538 },
0539 {
0540 "helper access to map: bounds check using <=, bad access",
0541 .insns = {
0542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0544 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0545 BPF_LD_MAP_FD(BPF_REG_1, 0),
0546 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0548 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0550 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
0551 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0552 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0553 BPF_MOV64_IMM(BPF_REG_0, 0),
0554 BPF_EXIT_INSN(),
0555 BPF_MOV64_IMM(BPF_REG_0, 0),
0556 BPF_EXIT_INSN(),
0557 },
0558 .fixup_map_hash_48b = { 3 },
0559 .result = REJECT,
0560 .errstr = "R1 unbounded memory access",
0561 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0562 },
0563 {
0564 "helper access to map: bounds check using s<, good access",
0565 .insns = {
0566 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0568 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0569 BPF_LD_MAP_FD(BPF_REG_1, 0),
0570 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0574 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
0575 BPF_MOV64_IMM(BPF_REG_0, 0),
0576 BPF_EXIT_INSN(),
0577 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
0578 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0579 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0580 BPF_MOV64_IMM(BPF_REG_0, 0),
0581 BPF_EXIT_INSN(),
0582 },
0583 .fixup_map_hash_48b = { 3 },
0584 .result = ACCEPT,
0585 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0586 },
0587 {
0588 "helper access to map: bounds check using s<, good access 2",
0589 .insns = {
0590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0593 BPF_LD_MAP_FD(BPF_REG_1, 0),
0594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0598 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
0599 BPF_MOV64_IMM(BPF_REG_0, 0),
0600 BPF_EXIT_INSN(),
0601 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
0602 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0603 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0604 BPF_MOV64_IMM(BPF_REG_0, 0),
0605 BPF_EXIT_INSN(),
0606 },
0607 .fixup_map_hash_48b = { 3 },
0608 .result = ACCEPT,
0609 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0610 },
0611 {
0612 "helper access to map: bounds check using s<, bad access",
0613 .insns = {
0614 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0616 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0617 BPF_LD_MAP_FD(BPF_REG_1, 0),
0618 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0619 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0621 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
0622 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
0623 BPF_MOV64_IMM(BPF_REG_0, 0),
0624 BPF_EXIT_INSN(),
0625 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
0626 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0627 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0628 BPF_MOV64_IMM(BPF_REG_0, 0),
0629 BPF_EXIT_INSN(),
0630 },
0631 .fixup_map_hash_48b = { 3 },
0632 .result = REJECT,
0633 .errstr = "R1 min value is negative",
0634 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0635 },
0636 {
0637 "helper access to map: bounds check using s<=, good access",
0638 .insns = {
0639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0642 BPF_LD_MAP_FD(BPF_REG_1, 0),
0643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0647 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
0648 BPF_MOV64_IMM(BPF_REG_0, 0),
0649 BPF_EXIT_INSN(),
0650 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
0651 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0652 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0653 BPF_MOV64_IMM(BPF_REG_0, 0),
0654 BPF_EXIT_INSN(),
0655 },
0656 .fixup_map_hash_48b = { 3 },
0657 .result = ACCEPT,
0658 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0659 },
0660 {
0661 "helper access to map: bounds check using s<=, good access 2",
0662 .insns = {
0663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0665 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0666 BPF_LD_MAP_FD(BPF_REG_1, 0),
0667 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0671 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
0672 BPF_MOV64_IMM(BPF_REG_0, 0),
0673 BPF_EXIT_INSN(),
0674 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
0675 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0676 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0677 BPF_MOV64_IMM(BPF_REG_0, 0),
0678 BPF_EXIT_INSN(),
0679 },
0680 .fixup_map_hash_48b = { 3 },
0681 .result = ACCEPT,
0682 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0683 },
0684 {
0685 "helper access to map: bounds check using s<=, bad access",
0686 .insns = {
0687 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0689 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0690 BPF_LD_MAP_FD(BPF_REG_1, 0),
0691 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0693 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0694 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
0695 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
0696 BPF_MOV64_IMM(BPF_REG_0, 0),
0697 BPF_EXIT_INSN(),
0698 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
0699 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
0700 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
0701 BPF_MOV64_IMM(BPF_REG_0, 0),
0702 BPF_EXIT_INSN(),
0703 },
0704 .fixup_map_hash_48b = { 3 },
0705 .result = REJECT,
0706 .errstr = "R1 min value is negative",
0707 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0708 },
0709 {
0710 "map lookup helper access to map",
0711 .insns = {
0712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0714 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0715 BPF_LD_MAP_FD(BPF_REG_1, 0),
0716 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0719 BPF_LD_MAP_FD(BPF_REG_1, 0),
0720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0721 BPF_EXIT_INSN(),
0722 },
0723 .fixup_map_hash_16b = { 3, 8 },
0724 .result = ACCEPT,
0725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0726 },
0727 {
0728 "map update helper access to map",
0729 .insns = {
0730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0733 BPF_LD_MAP_FD(BPF_REG_1, 0),
0734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0736 BPF_MOV64_IMM(BPF_REG_4, 0),
0737 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
0738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0739 BPF_LD_MAP_FD(BPF_REG_1, 0),
0740 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
0741 BPF_EXIT_INSN(),
0742 },
0743 .fixup_map_hash_16b = { 3, 10 },
0744 .result = ACCEPT,
0745 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0746 },
0747 {
0748 "map update helper access to map: wrong size",
0749 .insns = {
0750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0752 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0753 BPF_LD_MAP_FD(BPF_REG_1, 0),
0754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0756 BPF_MOV64_IMM(BPF_REG_4, 0),
0757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
0758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0759 BPF_LD_MAP_FD(BPF_REG_1, 0),
0760 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
0761 BPF_EXIT_INSN(),
0762 },
0763 .fixup_map_hash_8b = { 3 },
0764 .fixup_map_hash_16b = { 10 },
0765 .result = REJECT,
0766 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
0767 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0768 },
0769 {
0770 "map helper access to adjusted map (via const imm)",
0771 .insns = {
0772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0775 BPF_LD_MAP_FD(BPF_REG_1, 0),
0776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, offsetof(struct other_val, bar)),
0780 BPF_LD_MAP_FD(BPF_REG_1, 0),
0781 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0782 BPF_EXIT_INSN(),
0783 },
0784 .fixup_map_hash_16b = { 3, 9 },
0785 .result = ACCEPT,
0786 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0787 },
0788 {
0789 "map helper access to adjusted map (via const imm): out-of-bound 1",
0790 .insns = {
0791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0793 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0794 BPF_LD_MAP_FD(BPF_REG_1, 0),
0795 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0797 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, sizeof(struct other_val) - 4),
0799 BPF_LD_MAP_FD(BPF_REG_1, 0),
0800 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0801 BPF_EXIT_INSN(),
0802 },
0803 .fixup_map_hash_16b = { 3, 9 },
0804 .result = REJECT,
0805 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
0806 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0807 },
0808 {
0809 "map helper access to adjusted map (via const imm): out-of-bound 2",
0810 .insns = {
0811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0813 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0814 BPF_LD_MAP_FD(BPF_REG_1, 0),
0815 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0819 BPF_LD_MAP_FD(BPF_REG_1, 0),
0820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0821 BPF_EXIT_INSN(),
0822 },
0823 .fixup_map_hash_16b = { 3, 9 },
0824 .result = REJECT,
0825 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
0826 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0827 },
0828 {
0829 "map helper access to adjusted map (via const reg)",
0830 .insns = {
0831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0833 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0834 BPF_LD_MAP_FD(BPF_REG_1, 0),
0835 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0838 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct other_val, bar)),
0839 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0840 BPF_LD_MAP_FD(BPF_REG_1, 0),
0841 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0842 BPF_EXIT_INSN(),
0843 },
0844 .fixup_map_hash_16b = { 3, 10 },
0845 .result = ACCEPT,
0846 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0847 },
0848 {
0849 "map helper access to adjusted map (via const reg): out-of-bound 1",
0850 .insns = {
0851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0853 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0854 BPF_LD_MAP_FD(BPF_REG_1, 0),
0855 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0858 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct other_val) - 4),
0859 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0860 BPF_LD_MAP_FD(BPF_REG_1, 0),
0861 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0862 BPF_EXIT_INSN(),
0863 },
0864 .fixup_map_hash_16b = { 3, 10 },
0865 .result = REJECT,
0866 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
0867 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0868 },
0869 {
0870 "map helper access to adjusted map (via const reg): out-of-bound 2",
0871 .insns = {
0872 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0874 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0875 BPF_LD_MAP_FD(BPF_REG_1, 0),
0876 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0879 BPF_MOV64_IMM(BPF_REG_3, -4),
0880 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0881 BPF_LD_MAP_FD(BPF_REG_1, 0),
0882 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0883 BPF_EXIT_INSN(),
0884 },
0885 .fixup_map_hash_16b = { 3, 10 },
0886 .result = REJECT,
0887 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
0888 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0889 },
0890 {
0891 "map helper access to adjusted map (via variable)",
0892 .insns = {
0893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0895 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0896 BPF_LD_MAP_FD(BPF_REG_1, 0),
0897 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0900 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0901 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar), 4),
0902 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0903 BPF_LD_MAP_FD(BPF_REG_1, 0),
0904 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0905 BPF_EXIT_INSN(),
0906 },
0907 .fixup_map_hash_16b = { 3, 11 },
0908 .result = ACCEPT,
0909 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0910 },
0911 {
0912 "map helper access to adjusted map (via variable): no max check",
0913 .insns = {
0914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0916 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0917 BPF_LD_MAP_FD(BPF_REG_1, 0),
0918 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0921 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0922 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0923 BPF_LD_MAP_FD(BPF_REG_1, 0),
0924 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0925 BPF_EXIT_INSN(),
0926 },
0927 .fixup_map_hash_16b = { 3, 10 },
0928 .result = REJECT,
0929 .errstr = "R2 unbounded memory access, make sure to bounds check any such access",
0930 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0931 },
0932 {
0933 "map helper access to adjusted map (via variable): wrong max check",
0934 .insns = {
0935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0937 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0938 BPF_LD_MAP_FD(BPF_REG_1, 0),
0939 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
0943 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar) + 1, 4),
0944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0945 BPF_LD_MAP_FD(BPF_REG_1, 0),
0946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0947 BPF_EXIT_INSN(),
0948 },
0949 .fixup_map_hash_16b = { 3, 11 },
0950 .result = REJECT,
0951 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
0952 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0953 },
