/*
 * Negative verifier test: after the map_lookup_elem call, the program stores
 * R1 into the looked-up map value. The expected verdict is REJECT with
 * "R1 !read_ok" for both privileged and unprivileged loads, i.e. R1 must not
 * be readable once the helper call has returned (the test name calls this a
 * "cleared call register").
 */
0001 {
0002 "map element value store of cleared call register",
0003 .insns = {
0004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* r2 = r10 (frame pointer) */
0005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* r2 = r10 - 8 */
0006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), /* *(u64 *)(r2 + 0) = 0: zeroed lookup key */
0007 BPF_LD_MAP_FD(BPF_REG_1, 0), /* r1 = map fd; 0 is a placeholder, see the fixup below */
0008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), /* r0 == 0 (lookup failed): skip the store */
0010 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), /* *(u64 *)(r0 + 0) = r1: the read of R1 under test */
0011 BPF_EXIT_INSN(),
0012 },
/*
 * Index 3 is the BPF_LD_MAP_FD instruction above.
 * NOTE(review): presumably the harness patches in the fd of a hash map with
 * 48-byte values there; confirm against the test runner.
 */
0013 .fixup_map_hash_48b = { 3 },
0014 .errstr_unpriv = "R1 !read_ok",
0015 .errstr = "R1 !read_ok",
0016 .result = REJECT,
0017 .result_unpriv = REJECT,
0018 },
/*
 * Verifier test: 8-byte stores through a map value pointer that has been
 * moved to byte offsets which are not multiples of 8. Privileged loads are
 * expected to be ACCEPTed; unprivileged loads are expected to be REJECTed
 * with "R0 leaks addr". On the non-NULL path R0 still holds the adjusted map
 * value pointer at exit, so the unprivileged rejection appears to be about
 * returning a pointer rather than about the unaligned stores themselves.
 */
0019 {
0020 "map element value with unaligned store",
0021 .insns = {
0022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* r2 = r10 (frame pointer) */
0023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* r2 = r10 - 8 */
0024 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), /* *(u64 *)(r2 + 0) = 0: zeroed lookup key */
0025 BPF_LD_MAP_FD(BPF_REG_1, 0), /* r1 = map fd; 0 is a placeholder, see the fixup below */
0026 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0027 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), /* r0 == 0: jump over all 17 stores to the exit */
0028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), /* r0 = value + 3 */
0029 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), /* 8-byte store at value + 3 */
0030 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), /* 8-byte store at value + 5 */
0031 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), /* 8-byte store at value + 1 */
0032 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), /* r8 = r0: same stores again through a copy of the pointer */
0033 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
0034 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
0035 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
0036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), /* r8 = value + 8 */
0037 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), /* 8-byte store at value + 8 */
0038 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), /* 8-byte store at value + 12 */
0039 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), /* 8-byte store at value + 1 */
0040 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
0041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), /* r7 = value + 11 */
0042 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), /* 8-byte store at value + 11 */
0043 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), /* 8-byte store at value + 15 (highest byte written: value + 22) */
0044 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), /* 8-byte store at value + 7 */
0045 BPF_EXIT_INSN(), /* r0 is value + 3 here on the non-NULL path */
0046 },
/*
 * Index 3 is the BPF_LD_MAP_FD instruction above.
 * NOTE(review): presumably the harness patches in the fd of a hash map with
 * 48-byte values there, which would keep every store above in bounds;
 * confirm against the test runner.
 */
0047 .fixup_map_hash_48b = { 3 },
0048 .errstr_unpriv = "R0 leaks addr",
0049 .result = ACCEPT,
0050 .result_unpriv = REJECT,
/* NOTE(review): looks like the ACCEPT verdict is only expected where unaligned access is efficient; confirm how the harness uses this flag. */
0051 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0052 },
/*
 * Verifier test: 8-byte loads through a map value pointer that has been
 * moved to byte offsets which are not multiples of 8. Privileged loads are
 * expected to be ACCEPTed; unprivileged loads are expected to be REJECTed
 * with "R0 leaks addr". On the fall-through path R0 still holds the adjusted
 * map value pointer at exit, so the unprivileged rejection appears to be
 * about returning a pointer rather than about the unaligned loads themselves.
 */
0053 {
0054 "map element value with unaligned load",
0055 .insns = {
0056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* r2 = r10 (frame pointer) */
0057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* r2 = r10 - 8 */
0058 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), /* *(u64 *)(r2 + 0) = 0: zeroed lookup key */
0059 BPF_LD_MAP_FD(BPF_REG_1, 0), /* r1 = map fd; 0 is a placeholder, see the fixup below */
0060 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), /* r0 == 0: jump over the next 11 instructions to the exit */
0062 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), /* r1 = *(u32 *)(value + 0) */
0063 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), /* r1 >= MAX_ENTRIES: jump to the exit; r1 is not used again below */
0064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), /* r0 = value + 3 */
0065 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), /* 8-byte load from value + 3 */
0066 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), /* 8-byte load from value + 5 */
0067 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), /* r8 = r0: same loads again through a copy of the pointer */
0068 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
0069 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
0070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), /* r0 = value + 8 */
0071 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), /* 8-byte load from value + 8 */
0072 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), /* 8-byte load from value + 12 */
0073 BPF_EXIT_INSN(), /* r0 is value + 8 here on the fall-through path */
0074 },
/*
 * Index 3 is the BPF_LD_MAP_FD instruction above.
 * NOTE(review): presumably the harness patches in the fd of a hash map with
 * 48-byte values there, which would keep every load above in bounds;
 * confirm against the test runner.
 */
0075 .fixup_map_hash_48b = { 3 },
0076 .errstr_unpriv = "R0 leaks addr",
0077 .result = ACCEPT,
0078 .result_unpriv = REJECT,
/* NOTE(review): looks like the ACCEPT verdict is only expected where unaligned access is efficient; confirm how the harness uses this flag. */
0079 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0080 },
/*
 * Verifier test: a map value pointer is written to the stack, read back into
 * a different register, and then used as the destination of a store. The
 * privileged verdict is ACCEPT, so the reloaded register must still be
 * treated as a valid map value pointer. Unprivileged loads are expected to
 * be REJECTed with "R0 leaks addr"; on the non-NULL path R0 still holds the
 * map value pointer at exit.
 */
0081 {
0082 "map element value is preserved across register spilling",
0083 .insns = {
0084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* r2 = r10 (frame pointer) */
0085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* r2 = r10 - 8 */
0086 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), /* *(u64 *)(r2 + 0) = 0: zeroed lookup key */
0087 BPF_LD_MAP_FD(BPF_REG_1, 0), /* r1 = map fd; 0 is a placeholder, see the fixup below */
0088 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), /* r0 == 0: jump over the next 7 instructions to the exit */
0090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, offsetof(struct test_val, foo)), /* r0 = &value->foo */
0091 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), /* direct 8-byte store through r0 */
0092 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), /* r1 = r10 - 184: stack slot used for the spill */
0094 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), /* spill: *(u64 *)(r1 + 0) = r0 */
0095 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), /* fill: r3 = *(u64 *)(r1 + 0) */
0096 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), /* same store again, through the reloaded pointer */
0097 BPF_EXIT_INSN(),
0098 },
/*
 * Index 3 is the BPF_LD_MAP_FD instruction above.
 * NOTE(review): presumably the harness patches in the fd of a hash map with
 * 48-byte values there; confirm against the test runner.
 */
0099 .fixup_map_hash_48b = { 3 },
0100 .errstr_unpriv = "R0 leaks addr",
0101 .result = ACCEPT,
0102 .result_unpriv = REJECT,
/* NOTE(review): presumably needed because offsetof(struct test_val, foo) is not a multiple of 8; struct test_val is not visible here, confirm. */
0103 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0104 },