0001 {
0002 "unpriv: return pointer",
0003 .insns = {
0004 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
0005 BPF_EXIT_INSN(),
0006 },
0007 .result = ACCEPT,
0008 .result_unpriv = REJECT,
0009 .errstr_unpriv = "R0 leaks addr",
0010 .retval = POINTER_VALUE,
0011 },
0012 {
0013 "unpriv: add const to pointer",
0014 .insns = {
0015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
0016 BPF_MOV64_IMM(BPF_REG_0, 0),
0017 BPF_EXIT_INSN(),
0018 },
0019 .result = ACCEPT,
0020 },
0021 {
0022 "unpriv: add pointer to pointer",
0023 .insns = {
0024 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
0025 BPF_MOV64_IMM(BPF_REG_0, 0),
0026 BPF_EXIT_INSN(),
0027 },
0028 .result = REJECT,
0029 .errstr = "R1 pointer += pointer",
0030 },
0031 {
0032 "unpriv: neg pointer",
0033 .insns = {
0034 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0035 BPF_MOV64_IMM(BPF_REG_0, 0),
0036 BPF_EXIT_INSN(),
0037 },
0038 .result = ACCEPT,
0039 .result_unpriv = REJECT,
0040 .errstr_unpriv = "R1 pointer arithmetic",
0041 },
0042 {
0043 "unpriv: cmp pointer with const",
0044 .insns = {
0045 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
0046 BPF_MOV64_IMM(BPF_REG_0, 0),
0047 BPF_EXIT_INSN(),
0048 },
0049 .result = ACCEPT,
0050 .result_unpriv = REJECT,
0051 .errstr_unpriv = "R1 pointer comparison",
0052 },
0053 {
0054 "unpriv: cmp pointer with pointer",
0055 .insns = {
0056 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
0057 BPF_MOV64_IMM(BPF_REG_0, 0),
0058 BPF_EXIT_INSN(),
0059 },
0060 .result = ACCEPT,
0061 .result_unpriv = REJECT,
0062 .errstr_unpriv = "R10 pointer comparison",
0063 },
0064 {
0065 "unpriv: check that printk is disallowed",
0066 .insns = {
0067 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0068 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0070 BPF_MOV64_IMM(BPF_REG_2, 8),
0071 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
0072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk),
0073 BPF_MOV64_IMM(BPF_REG_0, 0),
0074 BPF_EXIT_INSN(),
0075 },
0076 .errstr_unpriv = "unknown func bpf_trace_printk#6",
0077 .result_unpriv = REJECT,
0078 .result = ACCEPT,
0079 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
0080 },
0081 {
0082 "unpriv: pass pointer to helper function",
0083 .insns = {
0084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0087 BPF_LD_MAP_FD(BPF_REG_1, 0),
0088 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
0089 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
0090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
0091 BPF_MOV64_IMM(BPF_REG_0, 0),
0092 BPF_EXIT_INSN(),
0093 },
0094 .fixup_map_hash_8b = { 3 },
0095 .errstr_unpriv = "R4 leaks addr",
0096 .result_unpriv = REJECT,
0097 .result = ACCEPT,
0098 },
0099 {
0100 "unpriv: indirectly pass pointer on stack to helper function",
0101 .insns = {
0102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
0103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0105 BPF_LD_MAP_FD(BPF_REG_1, 0),
0106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0107 BPF_MOV64_IMM(BPF_REG_0, 0),
0108 BPF_EXIT_INSN(),
0109 },
0110 .fixup_map_hash_8b = { 3 },
0111 .errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8",
0112 .result_unpriv = REJECT,
0113 .result = ACCEPT,
0114 },
0115 {
0116 "unpriv: mangle pointer on stack 1",
0117 .insns = {
0118 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
0119 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
0120 BPF_MOV64_IMM(BPF_REG_0, 0),
0121 BPF_EXIT_INSN(),
0122 },
0123 .errstr_unpriv = "attempt to corrupt spilled",
0124 .result_unpriv = REJECT,
0125 .result = ACCEPT,
0126 },
0127 {
0128 "unpriv: mangle pointer on stack 2",
0129 .insns = {
0130 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
0131 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
0132 BPF_MOV64_IMM(BPF_REG_0, 0),
0133 BPF_EXIT_INSN(),
0134 },
0135 .errstr_unpriv = "attempt to corrupt spilled",
0136 .result_unpriv = REJECT,
0137 .result = ACCEPT,
0138 },
0139 {
0140 "unpriv: read pointer from stack in small chunks",
0141 .insns = {
0142 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
0143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
0144 BPF_MOV64_IMM(BPF_REG_0, 0),
0145 BPF_EXIT_INSN(),
0146 },
0147 .errstr = "invalid size",
0148 .result = REJECT,
0149 },
0150 {
0151 "unpriv: write pointer into ctx",
0152 .insns = {
0153 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
0154 BPF_MOV64_IMM(BPF_REG_0, 0),
0155 BPF_EXIT_INSN(),
0156 },
0157 .errstr_unpriv = "R1 leaks addr",
0158 .result_unpriv = REJECT,
0159 .errstr = "invalid bpf_context access",
0160 .result = REJECT,
0161 },
0162 {
0163 "unpriv: spill/fill of ctx",
0164 .insns = {
0165 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0167 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0168 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0169 BPF_MOV64_IMM(BPF_REG_0, 0),
0170 BPF_EXIT_INSN(),
0171 },
0172 .result = ACCEPT,
0173 },
0174 {
0175 "unpriv: spill/fill of ctx 2",
0176 .insns = {
0177 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0179 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0180 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc),
0182 BPF_MOV64_IMM(BPF_REG_0, 0),
0183 BPF_EXIT_INSN(),
0184 },
0185 .result = ACCEPT,
0186 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0187 },
0188 {
0189 "unpriv: spill/fill of ctx 3",
0190 .insns = {
0191 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0193 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0194 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
0195 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc),
0197 BPF_EXIT_INSN(),
0198 },
0199 .result = REJECT,
0200 .errstr = "R1 type=fp expected=ctx",
0201 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0202 },
0203 {
0204 "unpriv: spill/fill of ctx 4",
0205 .insns = {
0206 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0208 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0209 BPF_MOV64_IMM(BPF_REG_0, 1),
0210 BPF_RAW_INSN(BPF_STX | BPF_ATOMIC | BPF_DW,
0211 BPF_REG_10, BPF_REG_0, -8, BPF_ADD),
0212 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc),
0214 BPF_EXIT_INSN(),
0215 },
0216 .result = REJECT,
0217 .errstr = "R1 type=scalar expected=ctx",
0218 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0219 },
0220 {
0221 "unpriv: spill/fill of different pointers stx",
0222 .insns = {
0223 BPF_MOV64_IMM(BPF_REG_3, 42),
0224 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
0227 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
0229 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
0230 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0231 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0232 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0233 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
0234 offsetof(struct __sk_buff, mark)),
0235 BPF_MOV64_IMM(BPF_REG_0, 0),
0236 BPF_EXIT_INSN(),
0237 },
0238 .result = REJECT,
0239 .errstr = "same insn cannot be used with different pointers",
0240 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0241 },
0242 {
0243 "unpriv: spill/fill of different pointers stx - ctx and sock",
0244 .insns = {
0245 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
0246
0247 BPF_SK_LOOKUP(sk_lookup_tcp),
0248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0249
0250
0251 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
0254
0255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
0256 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
0257
0258 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0260
0261 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0262
0263 BPF_MOV64_IMM(BPF_REG_3, 42),
0264 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
0265 offsetof(struct __sk_buff, mark)),
0266
0267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
0268 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0269 BPF_MOV64_IMM(BPF_REG_0, 0),
0270 BPF_EXIT_INSN(),
0271 },
0272 .result = REJECT,
0273 .errstr = "type=ctx expected=sock",
0274 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0275 },
0276 {
0277 "unpriv: spill/fill of different pointers stx - leak sock",
0278 .insns = {
0279 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
0280
0281 BPF_SK_LOOKUP(sk_lookup_tcp),
0282 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0283
0284
0285 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0287 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
0288
0289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
0290 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
0291
0292 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0293 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0294
0295 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0296
0297 BPF_MOV64_IMM(BPF_REG_3, 42),
0298 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
0299 offsetof(struct __sk_buff, mark)),
0300 BPF_EXIT_INSN(),
0301 },
0302 .result = REJECT,
0303
0304 .errstr = "Unreleased reference",
0305 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0306 },
0307 {
0308 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
0309 .insns = {
0310 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
0311
0312 BPF_SK_LOOKUP(sk_lookup_tcp),
0313 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0314
0315
0316 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
0319
0320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
0321 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0322
0323 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0324 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
0325
0326 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0327
0328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
0329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
0330 offsetof(struct bpf_sock, mark)),
0331 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0332 BPF_MOV64_IMM(BPF_REG_0, 0),
0333 BPF_EXIT_INSN(),
0334 },
0335 .result = REJECT,
0336 .errstr = "same insn cannot be used with different pointers",
0337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0338 },
0339 {
0340 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
0341 .insns = {
0342 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
0343
0344 BPF_SK_LOOKUP(sk_lookup_tcp),
0345 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0346
0347
0348 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
0351
0352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
0353 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0354
0355 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0356 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
0357
0358 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0359
0360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
0361 BPF_MOV64_IMM(BPF_REG_3, 42),
0362 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
0363 offsetof(struct bpf_sock, mark)),
0364 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0365 BPF_MOV64_IMM(BPF_REG_0, 0),
0366 BPF_EXIT_INSN(),
0367 },
0368 .result = REJECT,
0369
0370 .errstr = "cannot write into sock",
0371 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0372 },
0373 {
0374 "unpriv: spill/fill of different pointers ldx",
0375 .insns = {
0376 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
0379 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
0381 -(__s32)offsetof(struct bpf_perf_event_data,
0382 sample_period) - 8),
0383 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
0384 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0385 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
0386 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
0387 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
0388 offsetof(struct bpf_perf_event_data, sample_period)),
0389 BPF_MOV64_IMM(BPF_REG_0, 0),
0390 BPF_EXIT_INSN(),
0391 },
0392 .result = REJECT,
0393 .errstr = "same insn cannot be used with different pointers",
0394 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
0395 },
0396 {
0397 "unpriv: write pointer into map elem value",
0398 .insns = {
0399 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0402 BPF_LD_MAP_FD(BPF_REG_1, 0),
0403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0405 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
0406 BPF_EXIT_INSN(),
0407 },
0408 .fixup_map_hash_8b = { 3 },
0409 .errstr_unpriv = "R0 leaks addr",
0410 .result_unpriv = REJECT,
0411 .result = ACCEPT,
0412 },
0413 {
0414 "alu32: mov u32 const",
0415 .insns = {
0416 BPF_MOV32_IMM(BPF_REG_7, 0),
0417 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
0418 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
0419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0420 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
0421 BPF_EXIT_INSN(),
0422 },
0423 .errstr_unpriv = "R7 invalid mem access 'scalar'",
0424 .result_unpriv = REJECT,
0425 .result = ACCEPT,
0426 .retval = 0,
0427 },
0428 {
0429 "unpriv: partial copy of pointer",
0430 .insns = {
0431 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
0432 BPF_MOV64_IMM(BPF_REG_0, 0),
0433 BPF_EXIT_INSN(),
0434 },
0435 .errstr_unpriv = "R10 partial copy",
0436 .result_unpriv = REJECT,
0437 .result = ACCEPT,
0438 },
0439 {
0440 "unpriv: pass pointer to tail_call",
0441 .insns = {
0442 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
0443 BPF_LD_MAP_FD(BPF_REG_2, 0),
0444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
0445 BPF_MOV64_IMM(BPF_REG_0, 0),
0446 BPF_EXIT_INSN(),
0447 },
0448 .fixup_prog1 = { 1 },
0449 .errstr_unpriv = "R3 leaks addr into helper",
0450 .result_unpriv = REJECT,
0451 .result = ACCEPT,
0452 },
0453 {
0454 "unpriv: cmp map pointer with zero",
0455 .insns = {
0456 BPF_MOV64_IMM(BPF_REG_1, 0),
0457 BPF_LD_MAP_FD(BPF_REG_1, 0),
0458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
0459 BPF_MOV64_IMM(BPF_REG_0, 0),
0460 BPF_EXIT_INSN(),
0461 },
0462 .fixup_map_hash_8b = { 1 },
0463 .errstr_unpriv = "R1 pointer comparison",
0464 .result_unpriv = REJECT,
0465 .result = ACCEPT,
0466 },
0467 {
0468 "unpriv: write into frame pointer",
0469 .insns = {
0470 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
0471 BPF_MOV64_IMM(BPF_REG_0, 0),
0472 BPF_EXIT_INSN(),
0473 },
0474 .errstr = "frame pointer is read only",
0475 .result = REJECT,
0476 },
0477 {
0478 "unpriv: spill/fill frame pointer",
0479 .insns = {
0480 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
0481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
0482 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
0483 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
0484 BPF_MOV64_IMM(BPF_REG_0, 0),
0485 BPF_EXIT_INSN(),
0486 },
0487 .errstr = "frame pointer is read only",
0488 .result = REJECT,
0489 },
0490 {
0491 "unpriv: cmp of frame pointer",
0492 .insns = {
0493 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
0494 BPF_MOV64_IMM(BPF_REG_0, 0),
0495 BPF_EXIT_INSN(),
0496 },
0497 .errstr_unpriv = "R10 pointer comparison",
0498 .result_unpriv = REJECT,
0499 .result = ACCEPT,
0500 },
0501 {
0502 "unpriv: adding of fp, reg",
0503 .insns = {
0504 BPF_MOV64_IMM(BPF_REG_0, 0),
0505 BPF_MOV64_IMM(BPF_REG_1, 0),
0506 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
0507 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
0508 BPF_EXIT_INSN(),
0509 },
0510 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0511 .result_unpriv = REJECT,
0512 .result = ACCEPT,
0513 },
0514 {
0515 "unpriv: adding of fp, imm",
0516 .insns = {
0517 BPF_MOV64_IMM(BPF_REG_0, 0),
0518 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
0520 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
0521 BPF_EXIT_INSN(),
0522 },
0523 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
0524 .result_unpriv = REJECT,
0525 .result = ACCEPT,
0526 },
0527 {
0528 "unpriv: cmp of stack pointer",
0529 .insns = {
0530 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
0533 BPF_MOV64_IMM(BPF_REG_0, 0),
0534 BPF_EXIT_INSN(),
0535 },
0536 .errstr_unpriv = "R2 pointer comparison",
0537 .result_unpriv = REJECT,
0538 .result = ACCEPT,
0539 },
