0001 {
0002 "bounded loop, count to 4",
0003 .insns = {
0004 BPF_MOV64_IMM(BPF_REG_0, 0),
0005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0006 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, -2),
0007 BPF_EXIT_INSN(),
0008 },
0009 .result = ACCEPT,
0010 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0011 .retval = 4,
0012 },
0013 {
0014 "bounded loop, count to 20",
0015 .insns = {
0016 BPF_MOV64_IMM(BPF_REG_0, 0),
0017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
0018 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 20, -2),
0019 BPF_EXIT_INSN(),
0020 },
0021 .result = ACCEPT,
0022 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0023 },
0024 {
0025 "bounded loop, count from positive unknown to 4",
0026 .insns = {
0027 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
0028 BPF_JMP_IMM(BPF_JSLT, BPF_REG_0, 0, 2),
0029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0030 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, -2),
0031 BPF_EXIT_INSN(),
0032 },
0033 .result = ACCEPT,
0034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0035 .retval = 4,
0036 },
0037 {
0038 "bounded loop, count from totally unknown to 4",
0039 .insns = {
0040 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
0041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0042 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, -2),
0043 BPF_EXIT_INSN(),
0044 },
0045 .result = ACCEPT,
0046 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0047 },
0048 {
0049 "bounded loop, count to 4 with equality",
0050 .insns = {
0051 BPF_MOV64_IMM(BPF_REG_0, 0),
0052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0053 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 4, -2),
0054 BPF_EXIT_INSN(),
0055 },
0056 .result = ACCEPT,
0057 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0058 },
0059 {
0060 "bounded loop, start in the middle",
0061 .insns = {
0062 BPF_MOV64_IMM(BPF_REG_0, 0),
0063 BPF_JMP_A(1),
0064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0065 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, -2),
0066 BPF_EXIT_INSN(),
0067 },
0068 .result = REJECT,
0069 .errstr = "back-edge",
0070 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0071 .retval = 4,
0072 },
0073 {
0074 "bounded loop containing a forward jump",
0075 .insns = {
0076 BPF_MOV64_IMM(BPF_REG_0, 0),
0077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0078 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_0, 0),
0079 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, -3),
0080 BPF_EXIT_INSN(),
0081 },
0082 .result = ACCEPT,
0083 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0084 .retval = 4,
0085 },
0086 {
0087 "bounded loop that jumps out rather than in",
0088 .insns = {
0089 BPF_MOV64_IMM(BPF_REG_6, 0),
0090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
0091 BPF_JMP_IMM(BPF_JGT, BPF_REG_6, 10000, 2),
0092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
0093 BPF_JMP_A(-4),
0094 BPF_EXIT_INSN(),
0095 },
0096 .result = ACCEPT,
0097 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0098 },
0099 {
0100 "infinite loop after a conditional jump",
0101 .insns = {
0102 BPF_MOV64_IMM(BPF_REG_0, 5),
0103 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, 2),
0104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0105 BPF_JMP_A(-2),
0106 BPF_EXIT_INSN(),
0107 },
0108 .result = REJECT,
0109 .errstr = "program is too large",
0110 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0111 },
0112 {
0113 "bounded recursion",
0114 .insns = {
0115 BPF_MOV64_IMM(BPF_REG_1, 0),
0116 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
0117 BPF_EXIT_INSN(),
0118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
0119 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
0120 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 4, 1),
0121 BPF_EXIT_INSN(),
0122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -5),
0123 BPF_EXIT_INSN(),
0124 },
0125 .result = REJECT,
0126 .errstr = "back-edge",
0127 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0128 },
0129 {
0130 "infinite loop in two jumps",
0131 .insns = {
0132 BPF_MOV64_IMM(BPF_REG_0, 0),
0133 BPF_JMP_A(0),
0134 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 4, -2),
0135 BPF_EXIT_INSN(),
0136 },
0137 .result = REJECT,
0138 .errstr = "loop detected",
0139 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0140 },
0141 {
0142 "infinite loop: three-jump trick",
0143 .insns = {
0144 BPF_MOV64_IMM(BPF_REG_0, 0),
0145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0146 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0147 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 2, 1),
0148 BPF_EXIT_INSN(),
0149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0150 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0151 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 2, 1),
0152 BPF_EXIT_INSN(),
0153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
0154 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
0155 BPF_JMP_IMM(BPF_JLT, BPF_REG_0, 2, -11),
0156 BPF_EXIT_INSN(),
0157 },
0158 .result = REJECT,
0159 .errstr = "loop detected",
0160 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0161 },
0162 {
0163 "not-taken loop with back jump to 1st insn",
0164 .insns = {
0165 BPF_MOV64_IMM(BPF_REG_0, 123),
0166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 4, -2),
0167 BPF_EXIT_INSN(),
0168 },
0169 .result = ACCEPT,
0170 .prog_type = BPF_PROG_TYPE_XDP,
0171 .retval = 123,
0172 },
0173 {
0174 "taken loop with back jump to 1st insn",
0175 .insns = {
0176 BPF_MOV64_IMM(BPF_REG_1, 10),
0177 BPF_MOV64_IMM(BPF_REG_2, 0),
0178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
0179 BPF_EXIT_INSN(),
0180 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
0181 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
0182 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, -3),
0183 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0184 BPF_EXIT_INSN(),
0185 },
0186 .result = ACCEPT,
0187 .prog_type = BPF_PROG_TYPE_XDP,
0188 .retval = 55,
0189 },
0190 {
0191 "taken loop with back jump to 1st insn, 2",
0192 .insns = {
0193 BPF_MOV64_IMM(BPF_REG_1, 10),
0194 BPF_MOV64_IMM(BPF_REG_2, 0),
0195 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
0196 BPF_EXIT_INSN(),
0197 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
0198 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
0199 BPF_JMP32_IMM(BPF_JNE, BPF_REG_1, 0, -3),
0200 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0201 BPF_EXIT_INSN(),
0202 },
0203 .result = ACCEPT,
0204 .prog_type = BPF_PROG_TYPE_XDP,
0205 .retval = 55,
0206 },
