0001 {
0002 "PTR_TO_STACK store/load",
0003 .insns = {
0004 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
0006 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
0007 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
0008 BPF_EXIT_INSN(),
0009 },
0010 .result = ACCEPT,
0011 .retval = 0xfaceb00c,
0012 },
0013 {
0014 "PTR_TO_STACK store/load - bad alignment on off",
0015 .insns = {
0016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0018 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
0019 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
0020 BPF_EXIT_INSN(),
0021 },
0022 .result = REJECT,
0023 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
0024 },
0025 {
0026 "PTR_TO_STACK store/load - bad alignment on reg",
0027 .insns = {
0028 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
0030 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
0031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
0032 BPF_EXIT_INSN(),
0033 },
0034 .result = REJECT,
0035 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
0036 },
0037 {
0038 "PTR_TO_STACK store/load - out of bounds low",
0039 .insns = {
0040 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
0042 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
0043 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
0044 BPF_EXIT_INSN(),
0045 },
0046 .result = REJECT,
0047 .errstr = "invalid write to stack R1 off=-79992 size=8",
0048 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0049 },
0050 {
0051 "PTR_TO_STACK store/load - out of bounds high",
0052 .insns = {
0053 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0055 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
0056 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
0057 BPF_EXIT_INSN(),
0058 },
0059 .result = REJECT,
0060 .errstr = "invalid write to stack R1 off=0 size=8",
0061 },
0062 {
0063 "PTR_TO_STACK check high 1",
0064 .insns = {
0065 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
0067 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0068 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0069 BPF_EXIT_INSN(),
0070 },
0071 .result = ACCEPT,
0072 .retval = 42,
0073 },
0074 {
0075 "PTR_TO_STACK check high 2",
0076 .insns = {
0077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0078 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
0079 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
0080 BPF_EXIT_INSN(),
0081 },
0082 .result = ACCEPT,
0083 .retval = 42,
0084 },
0085 {
0086 "PTR_TO_STACK check high 3",
0087 .insns = {
0088 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0089 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
0090 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
0091 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
0092 BPF_EXIT_INSN(),
0093 },
0094 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0095 .result_unpriv = REJECT,
0096 .result = ACCEPT,
0097 .retval = 42,
0098 },
0099 {
0100 "PTR_TO_STACK check high 4",
0101 .insns = {
0102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
0104 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0106 BPF_EXIT_INSN(),
0107 },
0108 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0109 .errstr = "invalid write to stack R1 off=0 size=1",
0110 .result = REJECT,
0111 },
0112 {
0113 "PTR_TO_STACK check high 5",
0114 .insns = {
0115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
0117 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0119 BPF_EXIT_INSN(),
0120 },
0121 .result = REJECT,
0122 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0123 .errstr = "invalid write to stack R1",
0124 },
0125 {
0126 "PTR_TO_STACK check high 6",
0127 .insns = {
0128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
0130 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
0131 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
0132 BPF_EXIT_INSN(),
0133 },
0134 .result = REJECT,
0135 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0136 .errstr = "invalid write to stack",
0137 },
0138 {
0139 "PTR_TO_STACK check high 7",
0140 .insns = {
0141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
0143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
0144 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
0145 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
0146 BPF_EXIT_INSN(),
0147 },
0148 .result = REJECT,
0149 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0150 .errstr = "fp pointer offset",
0151 },
0152 {
0153 "PTR_TO_STACK check low 1",
0154 .insns = {
0155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
0157 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0158 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0159 BPF_EXIT_INSN(),
0160 },
0161 .result = ACCEPT,
0162 .retval = 42,
0163 },
0164 {
0165 "PTR_TO_STACK check low 2",
0166 .insns = {
0167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
0169 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
0170 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
0171 BPF_EXIT_INSN(),
0172 },
0173 .result_unpriv = REJECT,
0174 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0175 .result = ACCEPT,
0176 .retval = 42,
0177 },
0178 {
0179 "PTR_TO_STACK check low 3",
0180 .insns = {
0181 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
0183 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0185 BPF_EXIT_INSN(),
0186 },
0187 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0188 .errstr = "invalid write to stack R1 off=-513 size=1",
0189 .result = REJECT,
0190 },
0191 {
0192 "PTR_TO_STACK check low 4",
0193 .insns = {
0194 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
0196 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0197 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0198 BPF_EXIT_INSN(),
0199 },
0200 .result = REJECT,
0201 .errstr = "math between fp pointer",
0202 },
0203 {
0204 "PTR_TO_STACK check low 5",
0205 .insns = {
0206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
0208 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0209 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0210 BPF_EXIT_INSN(),
0211 },
0212 .result = REJECT,
0213 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0214 .errstr = "invalid write to stack",
0215 },
0216 {
0217 "PTR_TO_STACK check low 6",
0218 .insns = {
0219 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
0221 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
0222 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
0223 BPF_EXIT_INSN(),
0224 },
0225 .result = REJECT,
0226 .errstr = "invalid write to stack",
0227 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0228 },
0229 {
0230 "PTR_TO_STACK check low 7",
0231 .insns = {
0232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
0234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
0235 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
0236 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
0237 BPF_EXIT_INSN(),
0238 },
0239 .result = REJECT,
0240 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0241 .errstr = "fp pointer offset",
0242 },
0243 {
0244 "PTR_TO_STACK mixed reg/k, 1",
0245 .insns = {
0246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
0248 BPF_MOV64_IMM(BPF_REG_2, -3),
0249 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
0250 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0251 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0252 BPF_EXIT_INSN(),
0253 },
0254 .result = ACCEPT,
0255 .retval = 42,
0256 },
0257 {
0258 "PTR_TO_STACK mixed reg/k, 2",
0259 .insns = {
0260 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0261 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
0262 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
0264 BPF_MOV64_IMM(BPF_REG_2, -3),
0265 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
0266 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0267 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
0268 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
0269 BPF_EXIT_INSN(),
0270 },
0271 .result = ACCEPT,
0272 .retval = 42,
0273 },
0274 {
0275 "PTR_TO_STACK mixed reg/k, 3",
0276 .insns = {
0277 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
0279 BPF_MOV64_IMM(BPF_REG_2, -3),
0280 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
0281 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0282 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0283 BPF_EXIT_INSN(),
0284 },
0285 .result = ACCEPT,
0286 .retval = -3,
0287 },
0288 {
0289 "PTR_TO_STACK reg",
0290 .insns = {
0291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0292 BPF_MOV64_IMM(BPF_REG_2, -3),
0293 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
0294 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
0295 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0296 BPF_EXIT_INSN(),
0297 },
0298 .result = ACCEPT,
0299 .retval = 42,
0300 },
0301 {
0302 "stack pointer arithmetic",
0303 .insns = {
0304 BPF_MOV64_IMM(BPF_REG_1, 4),
0305 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
0306 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
0307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
0308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
0309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
0310 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
0311 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
0312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
0313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
0314 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
0315 BPF_MOV64_IMM(BPF_REG_0, 0),
0316 BPF_EXIT_INSN(),
0317 },
0318 .result = ACCEPT,
0319 },
0320 {
0321 "store PTR_TO_STACK in R10 to array map using BPF_B",
0322 .insns = {
0323
0324 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0326 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
0327 BPF_LD_MAP_FD(BPF_REG_1, 0),
0328 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0329 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0330 BPF_MOV64_IMM(BPF_REG_0, 2),
0331 BPF_EXIT_INSN(),
0332 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0333
0334 BPF_MOV64_REG(BPF_REG_9, BPF_REG_10),
0335
0336 BPF_MOV64_IMM(BPF_REG_2, -1),
0337 BPF_MOV64_IMM(BPF_REG_3, -1),
0338 BPF_MOV64_IMM(BPF_REG_4, -1),
0339 BPF_MOV64_IMM(BPF_REG_5, -1),
0340 BPF_MOV64_IMM(BPF_REG_6, -1),
0341 BPF_MOV64_IMM(BPF_REG_7, -1),
0342 BPF_MOV64_IMM(BPF_REG_8, -1),
0343
0344 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_10, 0),
0345 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_1, 0),
0346 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_9, 0),
0347 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_1, 0),
0348
0349 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_3, 2),
0350 BPF_MOV64_IMM(BPF_REG_0, 1),
0351 BPF_EXIT_INSN(),
0352 BPF_MOV64_IMM(BPF_REG_0, 42),
0353 BPF_EXIT_INSN(),
0354 },
0355 .fixup_map_array_48b = { 3 },
0356 .result = ACCEPT,
0357 .retval = 42,
0358 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0359 },
