Back to home page

OSCL-LXR
 
 

     

0001 {
0002     "pointer/scalar confusion in state equality check (way 1)",
0003     .insns = {
0004     BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0005     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0006     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0007     BPF_LD_MAP_FD(BPF_REG_1, 0),
0008     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0009     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
0010     BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
0011     BPF_JMP_A(1),
0012     BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
0013     BPF_JMP_A(0),
0014     BPF_EXIT_INSN(),
0015     },
0016     .fixup_map_hash_8b = { 3 },
0017     .result = ACCEPT,
0018     .retval = POINTER_VALUE,
0019     .result_unpriv = REJECT,
0020     .errstr_unpriv = "R0 leaks addr as return value"
0021 },
0022 {
0023     "pointer/scalar confusion in state equality check (way 2)",
0024     .insns = {
0025     BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0026     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0027     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0028     BPF_LD_MAP_FD(BPF_REG_1, 0),
0029     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0030     BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0031     BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
0032     BPF_JMP_A(1),
0033     BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
0034     BPF_EXIT_INSN(),
0035     },
0036     .fixup_map_hash_8b = { 3 },
0037     .result = ACCEPT,
0038     .retval = POINTER_VALUE,
0039     .result_unpriv = REJECT,
0040     .errstr_unpriv = "R0 leaks addr as return value"
0041 },
0042 {
0043     "liveness pruning and write screening",
0044     .insns = {
0045     /* Get an unknown value */
0046     BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
0047     /* branch conditions teach us nothing about R2 */
0048     BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
0049     BPF_MOV64_IMM(BPF_REG_0, 0),
0050     BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
0051     BPF_MOV64_IMM(BPF_REG_0, 0),
0052     BPF_EXIT_INSN(),
0053     },
0054     .errstr = "R0 !read_ok",
0055     .result = REJECT,
0056     .prog_type = BPF_PROG_TYPE_LWT_IN,
0057 },
0058 {
0059     "varlen_map_value_access pruning",
0060     .insns = {
0061     BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0062     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0063     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0064     BPF_LD_MAP_FD(BPF_REG_1, 0),
0065     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0066     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
0067     BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
0068     BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
0069     BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
0070     BPF_MOV32_IMM(BPF_REG_1, 0),
0071     BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
0072     BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0073     BPF_JMP_IMM(BPF_JA, 0, 0, 0),
0074     BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
0075     BPF_EXIT_INSN(),
0076     },
0077     .fixup_map_hash_48b = { 3 },
0078     .errstr_unpriv = "R0 leaks addr",
0079     .errstr = "R0 unbounded memory access",
0080     .result_unpriv = REJECT,
0081     .result = REJECT,
0082     .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0083 },
0084 {
0085     "search pruning: all branches should be verified (nop operation)",
0086     .insns = {
0087         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0088         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0089         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0090         BPF_LD_MAP_FD(BPF_REG_1, 0),
0091         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0092         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0093         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
0094         BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
0095         BPF_MOV64_IMM(BPF_REG_4, 0),
0096         BPF_JMP_A(1),
0097         BPF_MOV64_IMM(BPF_REG_4, 1),
0098         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
0099         BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
0100         BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
0101         BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
0102         BPF_MOV64_IMM(BPF_REG_6, 0),
0103         BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
0104         BPF_EXIT_INSN(),
0105     },
0106     .fixup_map_hash_8b = { 3 },
0107     .errstr = "R6 invalid mem access 'scalar'",
0108     .result = REJECT,
0109     .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0110 },
0111 {
0112     "search pruning: all branches should be verified (invalid stack access)",
0113     .insns = {
0114         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0115         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0116         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0117         BPF_LD_MAP_FD(BPF_REG_1, 0),
0118         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0119         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
0120         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
0121         BPF_MOV64_IMM(BPF_REG_4, 0),
0122         BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
0123         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
0124         BPF_JMP_A(1),
0125         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
0126         BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
0127         BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
0128         BPF_EXIT_INSN(),
0129     },
0130     .fixup_map_hash_8b = { 3 },
0131     .errstr = "invalid read from stack off -16+0 size 8",
0132     .result = REJECT,
0133     .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0134 },
0135 {
0136     "precision tracking for u32 spill/fill",
0137     .insns = {
0138         BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
0139         BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
0140         BPF_MOV32_IMM(BPF_REG_6, 32),
0141         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0142         BPF_MOV32_IMM(BPF_REG_6, 4),
0143         /* Additional insns to introduce a pruning point. */
0144         BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
0145         BPF_MOV64_IMM(BPF_REG_3, 0),
0146         BPF_MOV64_IMM(BPF_REG_3, 0),
0147         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0148         BPF_MOV64_IMM(BPF_REG_3, 0),
0149         /* u32 spill/fill */
0150         BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -8),
0151         BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_10, -8),
0152         /* out-of-bound map value access for r6=32 */
0153         BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
0154         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0155         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
0156         BPF_LD_MAP_FD(BPF_REG_1, 0),
0157         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0158         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
0159         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
0160         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0161         BPF_MOV64_IMM(BPF_REG_0, 0),
0162         BPF_EXIT_INSN(),
0163     },
0164     .fixup_map_hash_8b = { 15 },
0165     .result = REJECT,
0166     .errstr = "R0 min value is outside of the allowed memory range",
0167     .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0168 },
0169 {
0170     "precision tracking for u32 spills, u64 fill",
0171     .insns = {
0172         BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
0173         BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
0174         BPF_MOV32_IMM(BPF_REG_7, 0xffffffff),
0175         /* Additional insns to introduce a pruning point. */
0176         BPF_MOV64_IMM(BPF_REG_3, 1),
0177         BPF_MOV64_IMM(BPF_REG_3, 1),
0178         BPF_MOV64_IMM(BPF_REG_3, 1),
0179         BPF_MOV64_IMM(BPF_REG_3, 1),
0180         BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
0181         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0182         BPF_MOV64_IMM(BPF_REG_3, 1),
0183         BPF_ALU32_IMM(BPF_DIV, BPF_REG_3, 0),
0184         /* u32 spills, u64 fill */
0185         BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_6, -4),
0186         BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_7, -8),
0187         BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_10, -8),
0188         /* if r8 != X goto pc+1  r8 known in fallthrough branch */
0189         BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 0xffffffff, 1),
0190         BPF_MOV64_IMM(BPF_REG_3, 1),
0191         /* if r8 == X goto pc+1  condition always true on first
0192          * traversal, so starts backtracking to mark r8 as requiring
0193          * precision. r7 marked as needing precision. r6 not marked
0194          * since it's not tracked.
0195          */
0196         BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 0xffffffff, 1),
0197         /* fails if r8 correctly marked unknown after fill. */
0198         BPF_ALU32_IMM(BPF_DIV, BPF_REG_3, 0),
0199         BPF_MOV64_IMM(BPF_REG_0, 0),
0200         BPF_EXIT_INSN(),
0201     },
0202     .result = REJECT,
0203     .errstr = "div by zero",
0204     .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0205 },
0206 {
0207     "allocated_stack",
0208     .insns = {
0209         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
0210         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
0211         BPF_ALU64_REG(BPF_MOV, BPF_REG_7, BPF_REG_0),
0212         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0213         BPF_MOV64_IMM(BPF_REG_0, 0),
0214         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
0215         BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, -8),
0216         BPF_STX_MEM(BPF_B, BPF_REG_10, BPF_REG_7, -9),
0217         BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_10, -9),
0218         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
0219         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
0220         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
0221         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
0222         BPF_EXIT_INSN(),
0223     },
0224     .result = ACCEPT,
0225     .result_unpriv = ACCEPT,
0226     .insn_processed = 15,
0227 },
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!