0001 {
0002 "invalid direct packet write for LWT_IN",
0003 .insns = {
0004 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0005 offsetof(struct __sk_buff, data)),
0006 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0007 offsetof(struct __sk_buff, data_end)),
0008 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0010 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
0011 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
0012 BPF_MOV64_IMM(BPF_REG_0, 0),
0013 BPF_EXIT_INSN(),
0014 },
0015 .errstr = "cannot write into packet",
0016 .result = REJECT,
0017 .prog_type = BPF_PROG_TYPE_LWT_IN,
0018 },
0019 {
0020 "invalid direct packet write for LWT_OUT",
0021 .insns = {
0022 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0023 offsetof(struct __sk_buff, data)),
0024 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0025 offsetof(struct __sk_buff, data_end)),
0026 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0028 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
0029 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
0030 BPF_MOV64_IMM(BPF_REG_0, 0),
0031 BPF_EXIT_INSN(),
0032 },
0033 .errstr = "cannot write into packet",
0034 .result = REJECT,
0035 .prog_type = BPF_PROG_TYPE_LWT_OUT,
0036 },
0037 {
0038 "direct packet write for LWT_XMIT",
0039 .insns = {
0040 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0041 offsetof(struct __sk_buff, data)),
0042 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0043 offsetof(struct __sk_buff, data_end)),
0044 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0046 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
0047 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
0048 BPF_MOV64_IMM(BPF_REG_0, 0),
0049 BPF_EXIT_INSN(),
0050 },
0051 .result = ACCEPT,
0052 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
0053 },
0054 {
0055 "direct packet read for LWT_IN",
0056 .insns = {
0057 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0058 offsetof(struct __sk_buff, data)),
0059 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0060 offsetof(struct __sk_buff, data_end)),
0061 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0063 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
0064 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
0065 BPF_MOV64_IMM(BPF_REG_0, 0),
0066 BPF_EXIT_INSN(),
0067 },
0068 .result = ACCEPT,
0069 .prog_type = BPF_PROG_TYPE_LWT_IN,
0070 },
0071 {
0072 "direct packet read for LWT_OUT",
0073 .insns = {
0074 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0075 offsetof(struct __sk_buff, data)),
0076 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0077 offsetof(struct __sk_buff, data_end)),
0078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0080 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
0081 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
0082 BPF_MOV64_IMM(BPF_REG_0, 0),
0083 BPF_EXIT_INSN(),
0084 },
0085 .result = ACCEPT,
0086 .prog_type = BPF_PROG_TYPE_LWT_OUT,
0087 },
0088 {
0089 "direct packet read for LWT_XMIT",
0090 .insns = {
0091 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0092 offsetof(struct __sk_buff, data)),
0093 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0094 offsetof(struct __sk_buff, data_end)),
0095 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0097 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
0098 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
0099 BPF_MOV64_IMM(BPF_REG_0, 0),
0100 BPF_EXIT_INSN(),
0101 },
0102 .result = ACCEPT,
0103 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
0104 },
0105 {
0106 "overlapping checks for direct packet access",
0107 .insns = {
0108 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
0109 offsetof(struct __sk_buff, data)),
0110 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0111 offsetof(struct __sk_buff, data_end)),
0112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0114 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
0115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
0116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
0117 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
0118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
0119 BPF_MOV64_IMM(BPF_REG_0, 0),
0120 BPF_EXIT_INSN(),
0121 },
0122 .result = ACCEPT,
0123 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
0124 },
0125 {
0126 "make headroom for LWT_XMIT",
0127 .insns = {
0128 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
0129 BPF_MOV64_IMM(BPF_REG_2, 34),
0130 BPF_MOV64_IMM(BPF_REG_3, 0),
0131 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
0132
0133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0134 BPF_MOV64_IMM(BPF_REG_2, 42),
0135 BPF_MOV64_IMM(BPF_REG_3, 0),
0136 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
0137 BPF_MOV64_IMM(BPF_REG_0, 0),
0138 BPF_EXIT_INSN(),
0139 },
0140 .result = ACCEPT,
0141 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
0142 },
0143 {
0144 "invalid access of tc_classid for LWT_IN",
0145 .insns = {
0146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0147 offsetof(struct __sk_buff, tc_classid)),
0148 BPF_EXIT_INSN(),
0149 },
0150 .result = REJECT,
0151 .errstr = "invalid bpf_context access",
0152 },
0153 {
0154 "invalid access of tc_classid for LWT_OUT",
0155 .insns = {
0156 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0157 offsetof(struct __sk_buff, tc_classid)),
0158 BPF_EXIT_INSN(),
0159 },
0160 .result = REJECT,
0161 .errstr = "invalid bpf_context access",
0162 },
0163 {
0164 "invalid access of tc_classid for LWT_XMIT",
0165 .insns = {
0166 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0167 offsetof(struct __sk_buff, tc_classid)),
0168 BPF_EXIT_INSN(),
0169 },
0170 .result = REJECT,
0171 .errstr = "invalid bpf_context access",
0172 },
0173 {
0174 "check skb->tc_classid half load not permitted for lwt prog",
0175 .insns = {
0176 BPF_MOV64_IMM(BPF_REG_0, 0),
0177 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
0178 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
0179 offsetof(struct __sk_buff, tc_classid)),
0180 #else
0181 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
0182 offsetof(struct __sk_buff, tc_classid) + 2),
0183 #endif
0184 BPF_EXIT_INSN(),
0185 },
0186 .result = REJECT,
0187 .errstr = "invalid bpf_context access",
0188 .prog_type = BPF_PROG_TYPE_LWT_IN,
0189 },
