0001 {
0002 "map in map access",
0003 .insns = {
0004 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0007 BPF_LD_MAP_FD(BPF_REG_1, 0),
0008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0010 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0013 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0015 BPF_MOV64_IMM(BPF_REG_0, 0),
0016 BPF_EXIT_INSN(),
0017 },
0018 .fixup_map_in_map = { 3 },
0019 .result = ACCEPT,
0020 },
0021 {
0022 "map in map state pruning",
0023 .insns = {
0024 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0025 BPF_MOV64_REG(BPF_REG_6, BPF_REG_10),
0026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -4),
0027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
0028 BPF_LD_MAP_FD(BPF_REG_1, 0),
0029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0030 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0031 BPF_EXIT_INSN(),
0032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
0033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0035 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 11),
0036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
0037 BPF_LD_MAP_FD(BPF_REG_1, 0),
0038 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0039 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0040 BPF_EXIT_INSN(),
0041 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
0042 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0043 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0044 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0045 BPF_EXIT_INSN(),
0046 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
0047 BPF_EXIT_INSN(),
0048 },
0049 .fixup_map_in_map = { 4, 14 },
0050 .flags = BPF_F_TEST_STATE_FREQ,
0051 .result = VERBOSE_ACCEPT,
0052 .errstr = "processed 25 insns",
0053 .prog_type = BPF_PROG_TYPE_XDP,
0054 },
0055 {
0056 "invalid inner map pointer",
0057 .insns = {
0058 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0061 BPF_LD_MAP_FD(BPF_REG_1, 0),
0062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0064 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
0069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0070 BPF_MOV64_IMM(BPF_REG_0, 0),
0071 BPF_EXIT_INSN(),
0072 },
0073 .fixup_map_in_map = { 3 },
0074 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
0075 .result = REJECT,
0076 },
0077 {
0078 "forgot null checking on the inner map pointer",
0079 .insns = {
0080 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0083 BPF_LD_MAP_FD(BPF_REG_1, 0),
0084 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0085 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
0086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0088 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0089 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0090 BPF_MOV64_IMM(BPF_REG_0, 0),
0091 BPF_EXIT_INSN(),
0092 },
0093 .fixup_map_in_map = { 3 },
0094 .errstr = "R1 type=map_value_or_null expected=map_ptr",
0095 .result = REJECT,
0096 },
