/*
 * Verifier test case: atomically add a map pointer (R2) into the
 * __sk_buff context field cb[0] through the ctx pointer held in R1.
 *
 * Expected verdict is REJECT in both modes, with different messages:
 * the privileged message refuses BPF_ATOMIC stores through the ctx
 * pointer, while the unprivileged message reports that R2's address
 * would be written to memory (a kernel address disclosure).
 */
0001 {
0002     "leak pointer into ctx 1",
0003     .insns = {
0004     BPF_MOV64_IMM(BPF_REG_0, 0),                     /* R0 = 0 */
0005     BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
0006             offsetof(struct __sk_buff, cb[0])),      /* ctx->cb[0] = R0, a plain scalar store */
0007     BPF_LD_MAP_FD(BPF_REG_2, 0),                     /* R2 = map pointer; fd 0 is a placeholder */
0008     BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_1, BPF_REG_2,
0009               offsetof(struct __sk_buff, cb[0])),    /* atomic ctx->cb[0] += R2 (pointer-typed source) */
0010     BPF_EXIT_INSN(),
0011     },
0012     .fixup_map_hash_8b = { 2 },                      /* insn index 2 is the BPF_LD_MAP_FD; harness patches in a real map fd */
0013     .errstr_unpriv = "R2 leaks addr into mem",       /* message expected for an unprivileged load */
0014     .result_unpriv = REJECT,
0015     .result = REJECT,
0016     .errstr = "BPF_ATOMIC stores into R1 ctx is not allowed", /* message expected for a privileged load */
0017 },
/*
 * Verifier test case: atomically add the frame pointer (R10) into the
 * __sk_buff context field cb[0] through the ctx pointer held in R1.
 *
 * No map is involved, so there is no fixup entry. Expected verdict is
 * REJECT in both modes: privileged loads are refused because the
 * atomic store targets ctx, unprivileged loads because R10's address
 * would be written to memory.
 */
0018 {
0019     "leak pointer into ctx 2",
0020     .insns = {
0021     BPF_MOV64_IMM(BPF_REG_0, 0),                     /* R0 = 0 */
0022     BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
0023             offsetof(struct __sk_buff, cb[0])),      /* ctx->cb[0] = R0, a plain scalar store */
0024     BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_1, BPF_REG_10,
0025               offsetof(struct __sk_buff, cb[0])),    /* atomic ctx->cb[0] += R10 (frame pointer as source) */
0026     BPF_EXIT_INSN(),
0027     },
0028     .errstr_unpriv = "R10 leaks addr into mem",      /* message expected for an unprivileged load */
0029     .result_unpriv = REJECT,
0030     .result = REJECT,
0031     .errstr = "BPF_ATOMIC stores into R1 ctx is not allowed", /* message expected for a privileged load */
0032 },
/*
 * Verifier test case: store a map pointer (R2) into the __sk_buff
 * context field cb[0] with an ordinary (non-atomic) BPF_STX_MEM.
 *
 * The verdict differs by privilege: an unprivileged load must be
 * rejected because the store would place a kernel address in ctx,
 * while a privileged load is accepted (no .errstr is given for it).
 */
0033 {
0034     "leak pointer into ctx 3",
0035     .insns = {
0036     BPF_MOV64_IMM(BPF_REG_0, 0),                     /* R0 = 0, the return value */
0037     BPF_LD_MAP_FD(BPF_REG_2, 0),                     /* R2 = map pointer; fd 0 is a placeholder */
0038     BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
0039               offsetof(struct __sk_buff, cb[0])),    /* ctx->cb[0] = R2 (pointer stored into ctx) */
0040     BPF_EXIT_INSN(),
0041     },
0042     .fixup_map_hash_8b = { 1 },                      /* insn index 1 is the BPF_LD_MAP_FD; harness patches in a real map fd */
0043     .errstr_unpriv = "R2 leaks addr into ctx",       /* message expected for an unprivileged load */
0044     .result_unpriv = REJECT,
0045     .result = ACCEPT,
0046 },
/*
 * Verifier test case: look up a map element, then atomically add the
 * saved ctx pointer (R6) into the returned map value.
 *
 * The verdict differs by privilege: an unprivileged load must be
 * rejected because a kernel pointer written into a map value could
 * later be read back, disclosing a kernel address; a privileged load
 * is accepted.
 */
0047 {
0048     "leak pointer into map val",
0049     .insns = {
0050     BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),             /* R6 = R1: keep the ctx pointer across the helper call */
0051     BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),           /* 8-byte zero key at stack slot fp-8 */
0052     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0053     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),           /* R2 = fp-8, pointer to the key */
0054     BPF_LD_MAP_FD(BPF_REG_1, 0),                     /* R1 = map pointer; fd 0 is a placeholder */
0055     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), /* R0 = map_lookup_elem(R1, R2) */
0056     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),           /* lookup miss (R0 == 0): skip the three stores below */
0057     BPF_MOV64_IMM(BPF_REG_3, 0),                     /* R3 = 0 */
0058     BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),    /* *value = R3, a plain scalar store */
0059     BPF_ATOMIC_OP(BPF_DW, BPF_ADD, BPF_REG_0, BPF_REG_6, 0), /* atomic *value += R6 (ctx pointer as source) */
0060     BPF_MOV64_IMM(BPF_REG_0, 0),                     /* R0 = 0, the return value */
0061     BPF_EXIT_INSN(),
0062     },
0063     .fixup_map_hash_8b = { 4 },                      /* insn index 4 is the BPF_LD_MAP_FD; harness patches in a real map fd */
0064     .errstr_unpriv = "R6 leaks addr into mem",       /* message expected for an unprivileged load */
0065     .result_unpriv = REJECT,
0066     .result = ACCEPT,
0067 },