Back to home page

OSCL-LXR
 
 

     

0001 {
0002     "multiple registers share map_lookup_elem result",
0003     .insns = {
0004     BPF_MOV64_IMM(BPF_REG_1, 10),
0005     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0006     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0007     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0008     BPF_LD_MAP_FD(BPF_REG_1, 0),
0009     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0010     BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
0011     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0012     BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
0013     BPF_EXIT_INSN(),
0014     },
0015     .fixup_map_hash_8b = { 4 },
0016     .result = ACCEPT,
0017     .prog_type = BPF_PROG_TYPE_SCHED_CLS
0018 },
0019 {
0020     "alu ops on ptr_to_map_value_or_null, 1",
0021     .insns = {
0022     BPF_MOV64_IMM(BPF_REG_1, 10),
0023     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0024     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0025     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0026     BPF_LD_MAP_FD(BPF_REG_1, 0),
0027     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0028     BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
0029     BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
0030     BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
0031     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0032     BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
0033     BPF_EXIT_INSN(),
0034     },
0035     .fixup_map_hash_8b = { 4 },
0036     .errstr = "R4 pointer arithmetic on map_value_or_null",
0037     .result = REJECT,
0038     .prog_type = BPF_PROG_TYPE_SCHED_CLS
0039 },
0040 {
0041     "alu ops on ptr_to_map_value_or_null, 2",
0042     .insns = {
0043     BPF_MOV64_IMM(BPF_REG_1, 10),
0044     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0045     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0046     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0047     BPF_LD_MAP_FD(BPF_REG_1, 0),
0048     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0049     BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
0050     BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
0051     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0052     BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
0053     BPF_EXIT_INSN(),
0054     },
0055     .fixup_map_hash_8b = { 4 },
0056     .errstr = "R4 pointer arithmetic on map_value_or_null",
0057     .result = REJECT,
0058     .prog_type = BPF_PROG_TYPE_SCHED_CLS
0059 },
0060 {
0061     "alu ops on ptr_to_map_value_or_null, 3",
0062     .insns = {
0063     BPF_MOV64_IMM(BPF_REG_1, 10),
0064     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0065     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0066     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0067     BPF_LD_MAP_FD(BPF_REG_1, 0),
0068     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0069     BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
0070     BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
0071     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0072     BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
0073     BPF_EXIT_INSN(),
0074     },
0075     .fixup_map_hash_8b = { 4 },
0076     .errstr = "R4 pointer arithmetic on map_value_or_null",
0077     .result = REJECT,
0078     .prog_type = BPF_PROG_TYPE_SCHED_CLS
0079 },
0080 {
0081     "invalid memory access with multiple map_lookup_elem calls",
0082     .insns = {
0083     BPF_MOV64_IMM(BPF_REG_1, 10),
0084     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0085     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0086     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0087     BPF_LD_MAP_FD(BPF_REG_1, 0),
0088     BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
0089     BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
0090     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0091     BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
0092     BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
0093     BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
0094     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0095     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0096     BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
0097     BPF_EXIT_INSN(),
0098     },
0099     .fixup_map_hash_8b = { 4 },
0100     .result = REJECT,
0101     .errstr = "R4 !read_ok",
0102     .prog_type = BPF_PROG_TYPE_SCHED_CLS
0103 },
0104 {
0105     "valid indirect map_lookup_elem access with 2nd lookup in branch",
0106     .insns = {
0107     BPF_MOV64_IMM(BPF_REG_1, 10),
0108     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0109     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0110     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0111     BPF_LD_MAP_FD(BPF_REG_1, 0),
0112     BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
0113     BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
0114     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0115     BPF_MOV64_IMM(BPF_REG_2, 10),
0116     BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
0117     BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
0118     BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
0119     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0120     BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
0121     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
0122     BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
0123     BPF_EXIT_INSN(),
0124     },
0125     .fixup_map_hash_8b = { 4 },
0126     .result = ACCEPT,
0127     .prog_type = BPF_PROG_TYPE_SCHED_CLS
0128 },
0129 {
0130     "invalid map access from else condition",
0131     .insns = {
0132     BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0133     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0134     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0135     BPF_LD_MAP_FD(BPF_REG_1, 0),
0136     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0137     BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0138     BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0139     BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
0140     BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
0141     BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
0142     BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0143     BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
0144     BPF_EXIT_INSN(),
0145     },
0146     .fixup_map_hash_48b = { 3 },
0147     .errstr = "R0 unbounded memory access",
0148     .result = REJECT,
0149     .errstr_unpriv = "R0 leaks addr",
0150     .result_unpriv = REJECT,
0151     .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0152 },
0153 {
0154     "map lookup and null branch prediction",
0155     .insns = {
0156     BPF_MOV64_IMM(BPF_REG_1, 10),
0157     BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
0158     BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0159     BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0160     BPF_LD_MAP_FD(BPF_REG_1, 0),
0161     BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0162     BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
0163     BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 2),
0164     BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1),
0165     BPF_ALU64_IMM(BPF_ADD, BPF_REG_10, 10),
0166     BPF_EXIT_INSN(),
0167     },
0168     .fixup_map_hash_8b = { 4 },
0169     .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0170     .result = ACCEPT,
0171 },
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!