/*
 * Baseline case: the helper call is left out, so the 8-byte slot at fp-8 is
 * never written before it is read back. The verifier is expected to reject
 * the load, since reading uninitialized stack could expose stale stack
 * contents to the program.
 */
0001 {
0002 "raw_stack: no skb_load_bytes",
0003 .insns = {
0004 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (would be the packet offset argument) */
0005 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0007 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8 (would be the destination buffer) */
0008 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (would be the length) */
0009 /* Call to skb_load_bytes() omitted. */
0010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-8): slot was never initialized */
0011 BPF_EXIT_INSN(),
0012 },
0013 .result = REJECT,
0014 .errstr = "invalid read from stack R6 off=-8 size=8",
0015 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0016 },
/*
 * The helper is called with a negative length (-8) for a stack destination.
 * The verifier must refuse a size argument whose minimum value is negative,
 * because a negative length interpreted as unsigned would describe a huge
 * write into the stack.
 */
0017 {
0018 "raw_stack: skb_load_bytes, negative len",
0019 .insns = {
0020 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0021 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0023 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8 (destination buffer) */
0024 BPF_MOV64_IMM(BPF_REG_4, -8), /* R4 = -8: negative length under test */
0025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0026 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-8) */
0027 BPF_EXIT_INSN(),
0028 },
0029 .result = REJECT,
0030 .errstr = "R4 min value is negative",
0031 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0032 },
/*
 * Variant of the negative-length case using ~0 as the length. The
 * instruction immediate is a signed 32-bit field, so ~0 is -1 and the
 * verifier is expected to reject it with the same "min value is negative"
 * diagnostic.
 */
0033 {
0034 "raw_stack: skb_load_bytes, negative len 2",
0035 .insns = {
0036 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0037 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0039 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8 (destination buffer) */
0040 BPF_MOV64_IMM(BPF_REG_4, ~0), /* R4 = ~0, i.e. -1: all-ones length under test */
0041 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0042 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-8) */
0043 BPF_EXIT_INSN(),
0044 },
0045 .result = REJECT,
0046 .errstr = "R4 min value is negative",
0047 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0048 },
/*
 * The helper is called with length 0 for a valid stack destination (fp-8).
 * The expected diagnostic shows that a zero-sized access is rejected for
 * this helper rather than treated as a harmless no-op.
 */
0049 {
0050 "raw_stack: skb_load_bytes, zero len",
0051 .insns = {
0052 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0053 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0055 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8 (destination buffer) */
0056 BPF_MOV64_IMM(BPF_REG_4, 0), /* R4 = 0: zero length under test */
0057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0058 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-8) */
0059 BPF_EXIT_INSN(),
0060 },
0061 .result = REJECT,
0062 .errstr = "invalid zero-sized read",
0063 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0064 },
/*
 * The destination slot at fp-8 is not initialized by the program; only the
 * helper writes it. The program is expected to load, which shows that the
 * verifier counts the helper call as initializing the 8 bytes it was given,
 * so the later read from fp-8 is allowed.
 * NOTE(review): this is only safe if the helper really fills (or clears) the
 * whole buffer on every path; the helper implementation is outside this
 * listing - confirm there.
 */
0065 {
0066 "raw_stack: skb_load_bytes, no init",
0067 .insns = {
0068 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0069 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0071 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8 (destination buffer, not yet written) */
0072 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0073 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0074 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-8): readable after the call */
0075 BPF_EXIT_INSN(),
0076 },
0077 .result = ACCEPT,
0078 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0079 },
/*
 * Same as the uninitialized-buffer case, except that the program stores a
 * constant into fp-8 before handing the slot to the helper. Passing an
 * already-initialized slot as the destination must also be accepted.
 */
0080 {
0081 "raw_stack: skb_load_bytes, init",
0082 .insns = {
0083 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0084 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0086 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), /* *(u64 *)(fp-8) = 0xcafe: slot initialized up front */
0087 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8 (destination buffer) */
0088 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0089 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0090 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-8) */
0091 BPF_EXIT_INSN(),
0092 },
0093 .result = ACCEPT,
0094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0095 },
/*
 * R1 (the context pointer on entry) is spilled to the two stack slots on
 * either side of the helper's 8-byte destination at fp-16. After the call
 * both spilled values are reloaded and dereferenced as context pointers.
 * Acceptance shows that the helper write is tracked as covering only its own
 * 8 bytes, so the neighbouring spill slots keep their pointer type.
 */
0096 {
0097 "raw_stack: skb_load_bytes, spilled regs around bounds",
0098 .insns = {
0099 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0100 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), /* R6 = fp-16 */
0102 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill R1 to fp-24 (just below the buffer) */
0103 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill R1 to fp-8 (just above the buffer) */
0104 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-16 (destination buffer) */
0105 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0107 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* R0 = reload of the spill at fp-24 */
0108 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* R2 = reload of the spill at fp-8 */
0109 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
0110 offsetof(struct __sk_buff, mark)), /* dereference reloaded R0 as a context pointer */
0111 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
0112 offsetof(struct __sk_buff, priority)), /* dereference reloaded R2 as a context pointer */
0113 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* R0 = mark + priority */
0114 BPF_EXIT_INSN(),
0115 },
0116 .result = ACCEPT,
0117 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0118 },
/*
 * R1 (the context pointer on entry) is spilled to fp-8 and the same slot is
 * then passed to the helper as its destination. The helper overwrites the
 * spilled pointer with packet bytes, so the reloaded value must be treated
 * as a scalar; dereferencing it is expected to be rejected. Accepting it
 * would let packet data be used as a pointer.
 * NOTE(review): F_NEEDS_EFFICIENT_UNALIGNED_ACCESS is a test-harness flag
 * defined outside this listing; its exact effect is not visible here.
 */
0119 {
0120 "raw_stack: skb_load_bytes, spilled regs corruption",
0121 .insns = {
0122 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0123 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), /* R6 = fp-8 */
0125 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill R1 to fp-8 */
0126 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-8: destination is the spill slot itself */
0127 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0129 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = reload of fp-8, now helper-written data */
0130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
0131 offsetof(struct __sk_buff, mark)), /* dereference of the overwritten value: must fail */
0132 BPF_EXIT_INSN(),
0133 },
0134 .result = REJECT,
0135 .errstr = "R0 invalid mem access 'scalar'",
0136 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0137 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0138 },
/*
 * R1 (the context pointer on entry) is spilled to three adjacent slots:
 * fp-24, fp-16 and fp-8. The helper then writes 8 bytes at fp-16, which
 * overwrites only the middle spill. The reloads from fp-24 and fp-8 are
 * still usable as context pointers, but the reload from fp-16 is a scalar
 * and dereferencing it (R3) is expected to be rejected.
 * NOTE(review): F_NEEDS_EFFICIENT_UNALIGNED_ACCESS is a test-harness flag
 * defined outside this listing; its exact effect is not visible here.
 */
0139 {
0140 "raw_stack: skb_load_bytes, spilled regs corruption 2",
0141 .insns = {
0142 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0143 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), /* R6 = fp-16 */
0145 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill R1 to fp-24 */
0146 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill R1 to fp-16 (will be overwritten) */
0147 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill R1 to fp-8 */
0148 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-16 (destination buffer) */
0149 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0151 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* R0 = reload of fp-24 (untouched spill) */
0152 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* R2 = reload of fp-8 (untouched spill) */
0153 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), /* R3 = reload of fp-16 (helper-written data) */
0154 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
0155 offsetof(struct __sk_buff, mark)), /* dereference R0 as a context pointer */
0156 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
0157 offsetof(struct __sk_buff, priority)), /* dereference R2 as a context pointer */
0158 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* R0 = mark + priority */
0159 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
0160 offsetof(struct __sk_buff, pkt_type)), /* dereference of the overwritten value: must fail */
0161 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
0162 BPF_EXIT_INSN(),
0163 },
0164 .result = REJECT,
0165 .errstr = "R3 invalid mem access 'scalar'",
0166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0167 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0168 },
/*
 * Positive counterpart of the three-slot corruption case. R1 (the context
 * pointer on entry) is spilled to fp-24, fp-16 and fp-8, and the helper
 * overwrites the middle slot. Here the value reloaded from fp-16 is only
 * used as plain data in an addition and is never dereferenced, so the
 * program is expected to load.
 */
0169 {
0170 "raw_stack: skb_load_bytes, spilled regs + data",
0171 .insns = {
0172 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0173 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), /* R6 = fp-16 */
0175 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill R1 to fp-24 */
0176 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill R1 to fp-16 (will be overwritten) */
0177 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill R1 to fp-8 */
0178 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-16 (destination buffer) */
0179 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0181 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* R0 = reload of fp-24 (untouched spill) */
0182 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* R2 = reload of fp-8 (untouched spill) */
0183 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), /* R3 = reload of fp-16 (helper-written data) */
0184 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
0185 offsetof(struct __sk_buff, mark)), /* dereference R0 as a context pointer */
0186 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
0187 offsetof(struct __sk_buff, priority)), /* dereference R2 as a context pointer */
0188 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* R0 = mark + priority */
0189 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), /* R3 used as data only, never as an address */
0190 BPF_EXIT_INSN(),
0191 },
0192 .result = ACCEPT,
0193 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0194 },
/*
 * The destination pointer is fp-513, one byte below the 512-byte BPF stack
 * (compare the fp-512 cases in this file, which are in range). The verifier
 * must reject the helper call because the buffer starts outside the stack
 * frame.
 */
0195 {
0196 "raw_stack: skb_load_bytes, invalid access 1",
0197 .insns = {
0198 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0199 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0200 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), /* R6 = fp-513: below the lowest valid stack byte */
0201 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-513 (destination buffer) */
0202 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8 (length) */
0203 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0204 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-513) */
0205 BPF_EXIT_INSN(),
0206 },
0207 .result = REJECT,
0208 .errstr = "invalid indirect access to stack R3 off=-513 size=8",
0209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0210 },
/*
 * The destination pointer is fp-1 with length 8, so only the first byte of
 * the buffer lies inside the stack frame and the remaining seven would be
 * at or above the frame pointer. The verifier must reject the helper call
 * as an out-of-bounds stack access.
 */
0211 {
0212 "raw_stack: skb_load_bytes, invalid access 2",
0213 .insns = {
0214 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0215 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), /* R6 = fp-1 */
0217 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-1 (destination buffer) */
0218 BPF_MOV64_IMM(BPF_REG_4, 8), /* R4 = 8: buffer would extend past the frame pointer */
0219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0220 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-1) */
0221 BPF_EXIT_INSN(),
0222 },
0223 .result = REJECT,
0224 .errstr = "invalid indirect access to stack R3 off=-513 size=8",
0225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0226 },
/*
 * Both the stack offset and the length are given as 0xffffffff. Instruction
 * immediates are signed 32-bit values, so each is -1: the destination is
 * fp-1 and the length is negative. The expected diagnostic is the negative
 * length in R4.
 */
0227 {
0228 "raw_stack: skb_load_bytes, invalid access 3",
0229 .insns = {
0230 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0231 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), /* R6 += 0xffffffff, i.e. -1 as a signed 32-bit immediate */
0233 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = R6 (destination buffer) */
0234 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), /* R4 = 0xffffffff, i.e. -1: negative length */
0235 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0236 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(R6) */
0237 BPF_EXIT_INSN(),
0238 },
0239 .result = REJECT,
0240 .errstr = "R4 min value is negative",
0241 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0242 },
/*
 * The length is 0x7fffffff, the largest positive 32-bit value, with the
 * destination at fp-1. The length is not negative, so this exercises the
 * separate upper-bound check: the verifier is expected to report the size
 * as an unbounded memory access.
 */
0243 {
0244 "raw_stack: skb_load_bytes, invalid access 4",
0245 .insns = {
0246 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0247 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), /* R6 = fp-1 */
0249 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-1 (destination buffer) */
0250 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), /* R4 = 0x7fffffff: positive but far too large */
0251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-1) */
0253 BPF_EXIT_INSN(),
0254 },
0255 .result = REJECT,
0256 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
0257 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0258 },
/*
 * Same oversized length (0x7fffffff) as the fp-1 variant, but the
 * destination is fp-512, which is a valid start address (fp-512 with length
 * 512 is accepted elsewhere in this file). The call must still be rejected:
 * a valid base pointer does not make an oversized length acceptable.
 */
0259 {
0260 "raw_stack: skb_load_bytes, invalid access 5",
0261 .insns = {
0262 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0263 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), /* R6 = fp-512 */
0265 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-512 (destination buffer) */
0266 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), /* R4 = 0x7fffffff: positive but far too large */
0267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-512) */
0269 BPF_EXIT_INSN(),
0270 },
0271 .result = REJECT,
0272 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
0273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0274 },
/*
 * Zero length with the destination at fp-512. As with the fp-8 zero-length
 * case, the expected diagnostic shows that a zero-sized access is rejected
 * for this helper regardless of where the buffer starts.
 */
0275 {
0276 "raw_stack: skb_load_bytes, invalid access 6",
0277 .insns = {
0278 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), /* R6 = fp-512 */
0281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-512 (destination buffer) */
0282 BPF_MOV64_IMM(BPF_REG_4, 0), /* R4 = 0: zero length under test */
0283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-512) */
0285 BPF_EXIT_INSN(),
0286 },
0287 .result = REJECT,
0288 .errstr = "invalid zero-sized read",
0289 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0290 },
/*
 * Upper-boundary positive case: the destination is fp-512 and the length is
 * 512, so the helper fills the range from fp-512 up to the frame pointer.
 * This is the largest in-bounds request and is expected to be accepted;
 * the read back from fp-512 is then allowed because the call initialized it.
 */
0291 {
0292 "raw_stack: skb_load_bytes, large access",
0293 .insns = {
0294 BPF_MOV64_IMM(BPF_REG_2, 4), /* R2 = 4 (packet offset) */
0295 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), /* R6 = R10 (frame pointer) */
0296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), /* R6 = fp-512 */
0297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), /* R3 = fp-512 (destination buffer) */
0298 BPF_MOV64_IMM(BPF_REG_4, 512), /* R4 = 512: exactly reaches the frame pointer */
0299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
0300 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* R0 = *(u64 *)(fp-512) */
0301 BPF_EXIT_INSN(),
0302 },
0303 .result = ACCEPT,
0304 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0305 },