0001 {
0002 "map access: known scalar += value_ptr unknown vs const",
0003 .insns = {
0004 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0005 offsetof(struct __sk_buff, len)),
0006 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0007 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0010 BPF_LD_MAP_FD(BPF_REG_1, 0),
0011 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0012 BPF_LD_MAP_FD(BPF_REG_1, 0),
0013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0014 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
0015 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0016 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
0017 BPF_MOV64_IMM(BPF_REG_1, 6),
0018 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0019 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
0020 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
0021 BPF_MOV64_IMM(BPF_REG_1, 3),
0022 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0023 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0024 BPF_MOV64_IMM(BPF_REG_0, 1),
0025 BPF_EXIT_INSN(),
0026 },
0027 .fixup_map_hash_16b = { 5 },
0028 .fixup_map_array_48b = { 8 },
0029 .result_unpriv = REJECT,
0030 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
0031 .result = ACCEPT,
0032 .retval = 1,
0033 },
0034 {
0035 "map access: known scalar += value_ptr const vs unknown",
0036 .insns = {
0037 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0038 offsetof(struct __sk_buff, len)),
0039 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0040 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0042 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0043 BPF_LD_MAP_FD(BPF_REG_1, 0),
0044 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0045 BPF_LD_MAP_FD(BPF_REG_1, 0),
0046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
0048 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0049 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),
0050 BPF_MOV64_IMM(BPF_REG_1, 3),
0051 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
0052 BPF_MOV64_IMM(BPF_REG_1, 6),
0053 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0054 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
0055 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0056 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0057 BPF_MOV64_IMM(BPF_REG_0, 1),
0058 BPF_EXIT_INSN(),
0059 },
0060 .fixup_map_hash_16b = { 5 },
0061 .fixup_map_array_48b = { 8 },
0062 .result_unpriv = REJECT,
0063 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
0064 .result = ACCEPT,
0065 .retval = 1,
0066 },
0067 {
0068 "map access: known scalar += value_ptr const vs const (ne)",
0069 .insns = {
0070 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0071 offsetof(struct __sk_buff, len)),
0072 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0073 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0075 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0076 BPF_LD_MAP_FD(BPF_REG_1, 0),
0077 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0078 BPF_LD_MAP_FD(BPF_REG_1, 0),
0079 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0080 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0081 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0082 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),
0083 BPF_MOV64_IMM(BPF_REG_1, 3),
0084 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
0085 BPF_MOV64_IMM(BPF_REG_1, 5),
0086 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0087 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0088 BPF_MOV64_IMM(BPF_REG_0, 1),
0089 BPF_EXIT_INSN(),
0090 },
0091 .fixup_map_hash_16b = { 5 },
0092 .fixup_map_array_48b = { 8 },
0093 .result_unpriv = REJECT,
0094 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
0095 .result = ACCEPT,
0096 .retval = 1,
0097 },
0098 {
0099 "map access: known scalar += value_ptr const vs const (eq)",
0100 .insns = {
0101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0102 offsetof(struct __sk_buff, len)),
0103 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0107 BPF_LD_MAP_FD(BPF_REG_1, 0),
0108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0109 BPF_LD_MAP_FD(BPF_REG_1, 0),
0110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0112 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0113 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),
0114 BPF_MOV64_IMM(BPF_REG_1, 5),
0115 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
0116 BPF_MOV64_IMM(BPF_REG_1, 5),
0117 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0119 BPF_MOV64_IMM(BPF_REG_0, 1),
0120 BPF_EXIT_INSN(),
0121 },
0122 .fixup_map_hash_16b = { 5 },
0123 .fixup_map_array_48b = { 8 },
0124 .result = ACCEPT,
0125 .retval = 1,
0126 },
0127 {
0128 "map access: known scalar += value_ptr unknown vs unknown (eq)",
0129 .insns = {
0130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0131 offsetof(struct __sk_buff, len)),
0132 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0135 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0136 BPF_LD_MAP_FD(BPF_REG_1, 0),
0137 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0138 BPF_LD_MAP_FD(BPF_REG_1, 0),
0139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0141 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
0143 BPF_MOV64_IMM(BPF_REG_1, 6),
0144 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0145 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
0146 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
0147 BPF_MOV64_IMM(BPF_REG_1, 6),
0148 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0149 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
0150 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0151 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0152 BPF_MOV64_IMM(BPF_REG_0, 1),
0153 BPF_EXIT_INSN(),
0154 },
0155 .fixup_map_hash_16b = { 5 },
0156 .fixup_map_array_48b = { 8 },
0157 .result = ACCEPT,
0158 .retval = 1,
0159 },
0160 {
0161 "map access: known scalar += value_ptr unknown vs unknown (lt)",
0162 .insns = {
0163 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0164 offsetof(struct __sk_buff, len)),
0165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0169 BPF_LD_MAP_FD(BPF_REG_1, 0),
0170 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0171 BPF_LD_MAP_FD(BPF_REG_1, 0),
0172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0174 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
0176 BPF_MOV64_IMM(BPF_REG_1, 6),
0177 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0178 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3),
0179 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
0180 BPF_MOV64_IMM(BPF_REG_1, 6),
0181 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0182 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
0183 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0185 BPF_MOV64_IMM(BPF_REG_0, 1),
0186 BPF_EXIT_INSN(),
0187 },
0188 .fixup_map_hash_16b = { 5 },
0189 .fixup_map_array_48b = { 8 },
0190 .result_unpriv = REJECT,
0191 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
0192 .result = ACCEPT,
0193 .retval = 1,
0194 },
0195 {
0196 "map access: known scalar += value_ptr unknown vs unknown (gt)",
0197 .insns = {
0198 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0199 offsetof(struct __sk_buff, len)),
0200 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0201 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0204 BPF_LD_MAP_FD(BPF_REG_1, 0),
0205 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0206 BPF_LD_MAP_FD(BPF_REG_1, 0),
0207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0209 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
0210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
0211 BPF_MOV64_IMM(BPF_REG_1, 6),
0212 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0213 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
0214 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
0215 BPF_MOV64_IMM(BPF_REG_1, 6),
0216 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
0217 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3),
0218 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0220 BPF_MOV64_IMM(BPF_REG_0, 1),
0221 BPF_EXIT_INSN(),
0222 },
0223 .fixup_map_hash_16b = { 5 },
0224 .fixup_map_array_48b = { 8 },
0225 .result_unpriv = REJECT,
0226 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
0227 .result = ACCEPT,
0228 .retval = 1,
0229 },
0230 {
0231 "map access: known scalar += value_ptr from different maps",
0232 .insns = {
0233 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0234 offsetof(struct __sk_buff, len)),
0235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0239 BPF_LD_MAP_FD(BPF_REG_1, 0),
0240 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0241 BPF_LD_MAP_FD(BPF_REG_1, 0),
0242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0244 BPF_MOV64_IMM(BPF_REG_1, 4),
0245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0246 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0247 BPF_MOV64_IMM(BPF_REG_0, 1),
0248 BPF_EXIT_INSN(),
0249 },
0250 .fixup_map_hash_16b = { 5 },
0251 .fixup_map_array_48b = { 8 },
0252 .result = ACCEPT,
0253 .retval = 1,
0254 },
0255 {
0256 "map access: value_ptr -= known scalar from different maps",
0257 .insns = {
0258 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0259 offsetof(struct __sk_buff, len)),
0260 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0264 BPF_LD_MAP_FD(BPF_REG_1, 0),
0265 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0266 BPF_LD_MAP_FD(BPF_REG_1, 0),
0267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0269 BPF_MOV64_IMM(BPF_REG_1, 4),
0270 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0271 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0272 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0273 BPF_MOV64_IMM(BPF_REG_0, 1),
0274 BPF_EXIT_INSN(),
0275 },
0276 .fixup_map_hash_16b = { 5 },
0277 .fixup_map_array_48b = { 8 },
0278 .result = ACCEPT,
0279 .result_unpriv = REJECT,
0280 .errstr_unpriv = "R0 min value is outside of the allowed memory range",
0281 .retval = 1,
0282 },
0283 {
0284 "map access: known scalar += value_ptr from different maps, but same value properties",
0285 .insns = {
0286 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
0287 offsetof(struct __sk_buff, len)),
0288 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0289 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
0292 BPF_LD_MAP_FD(BPF_REG_1, 0),
0293 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
0294 BPF_LD_MAP_FD(BPF_REG_1, 0),
0295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0297 BPF_MOV64_IMM(BPF_REG_1, 4),
0298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0300 BPF_MOV64_IMM(BPF_REG_0, 1),
0301 BPF_EXIT_INSN(),
0302 },
0303 .fixup_map_hash_48b = { 5 },
0304 .fixup_map_array_48b = { 8 },
0305 .result = ACCEPT,
0306 .retval = 1,
0307 },
0308 {
0309 "map access: mixing value pointer and scalar, 1",
0310 .insns = {
0311
0312 BPF_MOV64_IMM(BPF_REG_0, 1),
0313 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
0314 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
0315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
0316 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
0317 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0318 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0319 BPF_EXIT_INSN(),
0320
0321 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0322
0323 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
0324
0325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0326 BPF_MOV64_IMM(BPF_REG_3, 0),
0327 BPF_JMP_A(2),
0328
0329 BPF_MOV64_IMM(BPF_REG_2, 0),
0330 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
0331
0332 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0333
0334 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0335
0336 BPF_JMP_A(4),
0337
0338 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
0339
0340 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
0341 BPF_MOV64_IMM(BPF_REG_0, 0),
0342 BPF_EXIT_INSN(),
0343
0344
0345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0346 BPF_MOV64_IMM(BPF_REG_0, 0),
0347 BPF_EXIT_INSN(),
0348 },
0349 .fixup_map_array_48b = { 1 },
0350 .result = ACCEPT,
0351 .result_unpriv = REJECT,
0352 .errstr_unpriv = "R2 pointer comparison prohibited",
0353 .retval = 0,
0354 },
0355 {
0356 "map access: mixing value pointer and scalar, 2",
0357 .insns = {
0358
0359 BPF_MOV64_IMM(BPF_REG_0, 1),
0360 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
0361 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
0362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
0363 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
0364 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0365 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0366 BPF_EXIT_INSN(),
0367
0368 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0369
0370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
0371
0372 BPF_MOV64_IMM(BPF_REG_2, 0),
0373 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
0374 BPF_JMP_A(2),
0375
0376 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0377 BPF_MOV64_IMM(BPF_REG_3, 0),
0378
0379 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0380
0381 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0382
0383 BPF_JMP_A(4),
0384
0385 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
0386
0387 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
0388 BPF_MOV64_IMM(BPF_REG_0, 0),
0389 BPF_EXIT_INSN(),
0390
0391
0392
0393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0394 BPF_MOV64_IMM(BPF_REG_0, 0),
0395 BPF_EXIT_INSN(),
0396 },
0397 .fixup_map_array_48b = { 1 },
0398 .result = ACCEPT,
0399 .result_unpriv = REJECT,
0400 .errstr_unpriv = "R0 invalid mem access 'scalar'",
0401 .retval = 0,
0402 },
0403 {
0404 "sanitation: alu with different scalars 1",
0405 .insns = {
0406 BPF_MOV64_IMM(BPF_REG_0, 1),
0407 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
0408 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
0409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
0410 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
0411 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0412 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0413 BPF_EXIT_INSN(),
0414 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0415 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
0416 BPF_MOV64_IMM(BPF_REG_2, 0),
0417 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
0418 BPF_JMP_A(2),
0419 BPF_MOV64_IMM(BPF_REG_2, 42),
0420 BPF_MOV64_IMM(BPF_REG_3, 0x100001),
0421 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
0422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
0423 BPF_EXIT_INSN(),
0424 },
0425 .fixup_map_array_48b = { 1 },
0426 .result = ACCEPT,
0427 .retval = 0x100000,
0428 },
0429 {
0430 "sanitation: alu with different scalars 2",
0431 .insns = {
0432 BPF_MOV64_IMM(BPF_REG_0, 1),
0433 BPF_LD_MAP_FD(BPF_REG_1, 0),
0434 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
0435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
0436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
0437 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
0438 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
0439 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
0440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
0442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
0443 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
0444 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
0445 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
0446 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
0447 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
0448 BPF_EXIT_INSN(),
0449 },
0450 .fixup_map_array_48b = { 1 },
0451 .result = ACCEPT,
0452 .retval = -EINVAL * 2,
0453 },
0454 {
0455 "sanitation: alu with different scalars 3",
0456 .insns = {
0457 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
0458 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
0459 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
0460 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
0461 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
0462 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
0463 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
0464 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
0465 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
0466 BPF_EXIT_INSN(),
0467 },
0468 .result = ACCEPT,
0469 .retval = -EINVAL * 2,
0470 },
0471 {
0472 "map access: value_ptr += known scalar, upper oob arith, test 1",
0473 .insns = {
0474 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0475 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0477 BPF_LD_MAP_FD(BPF_REG_1, 0),
0478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0480 BPF_MOV64_IMM(BPF_REG_1, 48),
0481 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0482 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0483 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0484 BPF_MOV64_IMM(BPF_REG_0, 1),
0485 BPF_EXIT_INSN(),
0486 },
0487 .fixup_map_array_48b = { 3 },
0488 .result = ACCEPT,
0489 .result_unpriv = REJECT,
0490 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
0491 .retval = 1,
0492 },
0493 {
0494 "map access: value_ptr += known scalar, upper oob arith, test 2",
0495 .insns = {
0496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0497 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0499 BPF_LD_MAP_FD(BPF_REG_1, 0),
0500 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0502 BPF_MOV64_IMM(BPF_REG_1, 49),
0503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0504 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0505 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0506 BPF_MOV64_IMM(BPF_REG_0, 1),
0507 BPF_EXIT_INSN(),
0508 },
0509 .fixup_map_array_48b = { 3 },
0510 .result = ACCEPT,
0511 .result_unpriv = REJECT,
0512 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
0513 .retval = 1,
0514 },
0515 {
0516 "map access: value_ptr += known scalar, upper oob arith, test 3",
0517 .insns = {
0518 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0521 BPF_LD_MAP_FD(BPF_REG_1, 0),
0522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0524 BPF_MOV64_IMM(BPF_REG_1, 47),
0525 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0526 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0527 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0528 BPF_MOV64_IMM(BPF_REG_0, 1),
0529 BPF_EXIT_INSN(),
0530 },
0531 .fixup_map_array_48b = { 3 },
0532 .result = ACCEPT,
0533 .retval = 1,
0534 },
0535 {
0536 "map access: value_ptr -= known scalar, lower oob arith, test 1",
0537 .insns = {
0538 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0541 BPF_LD_MAP_FD(BPF_REG_1, 0),
0542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0544 BPF_MOV64_IMM(BPF_REG_1, 47),
0545 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0546 BPF_MOV64_IMM(BPF_REG_1, 48),
0547 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0548 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0549 BPF_MOV64_IMM(BPF_REG_0, 1),
0550 BPF_EXIT_INSN(),
0551 },
0552 .fixup_map_array_48b = { 3 },
0553 .result = REJECT,
0554 .errstr = "R0 min value is outside of the allowed memory range",
0555 .result_unpriv = REJECT,
0556 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
0557 },
0558 {
0559 "map access: value_ptr -= known scalar, lower oob arith, test 2",
0560 .insns = {
0561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0564 BPF_LD_MAP_FD(BPF_REG_1, 0),
0565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0567 BPF_MOV64_IMM(BPF_REG_1, 47),
0568 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0569 BPF_MOV64_IMM(BPF_REG_1, 48),
0570 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0571 BPF_MOV64_IMM(BPF_REG_1, 1),
0572 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0573 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0574 BPF_MOV64_IMM(BPF_REG_0, 1),
0575 BPF_EXIT_INSN(),
0576 },
0577 .fixup_map_array_48b = { 3 },
0578 .result = ACCEPT,
0579 .result_unpriv = REJECT,
0580 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
0581 .retval = 1,
0582 },
0583 {
0584 "map access: value_ptr -= known scalar, lower oob arith, test 3",
0585 .insns = {
0586 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0587 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0589 BPF_LD_MAP_FD(BPF_REG_1, 0),
0590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0592 BPF_MOV64_IMM(BPF_REG_1, 47),
0593 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0594 BPF_MOV64_IMM(BPF_REG_1, 47),
0595 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0596 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0597 BPF_MOV64_IMM(BPF_REG_0, 1),
0598 BPF_EXIT_INSN(),
0599 },
0600 .fixup_map_array_48b = { 3 },
0601 .result = ACCEPT,
0602 .retval = 1,
0603 },
0604 {
0605 "map access: known scalar += value_ptr",
0606 .insns = {
0607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0610 BPF_LD_MAP_FD(BPF_REG_1, 0),
0611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0613 BPF_MOV64_IMM(BPF_REG_1, 4),
0614 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0615 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0616 BPF_MOV64_IMM(BPF_REG_0, 1),
0617 BPF_EXIT_INSN(),
0618 },
0619 .fixup_map_array_48b = { 3 },
0620 .result = ACCEPT,
0621 .retval = 1,
0622 },
0623 {
0624 "map access: value_ptr += known scalar, 1",
0625 .insns = {
0626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0629 BPF_LD_MAP_FD(BPF_REG_1, 0),
0630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0632 BPF_MOV64_IMM(BPF_REG_1, 4),
0633 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0634 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0635 BPF_MOV64_IMM(BPF_REG_0, 1),
0636 BPF_EXIT_INSN(),
0637 },
0638 .fixup_map_array_48b = { 3 },
0639 .result = ACCEPT,
0640 .retval = 1,
0641 },
0642 {
0643 "map access: value_ptr += known scalar, 2",
0644 .insns = {
0645 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0646 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0648 BPF_LD_MAP_FD(BPF_REG_1, 0),
0649 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0651 BPF_MOV64_IMM(BPF_REG_1, 49),
0652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0653 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0654 BPF_MOV64_IMM(BPF_REG_0, 1),
0655 BPF_EXIT_INSN(),
0656 },
0657 .fixup_map_array_48b = { 3 },
0658 .result = REJECT,
0659 .errstr = "invalid access to map value",
0660 },
0661 {
0662 "map access: value_ptr += known scalar, 3",
0663 .insns = {
0664 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0667 BPF_LD_MAP_FD(BPF_REG_1, 0),
0668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0670 BPF_MOV64_IMM(BPF_REG_1, -1),
0671 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0672 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0673 BPF_MOV64_IMM(BPF_REG_0, 1),
0674 BPF_EXIT_INSN(),
0675 },
0676 .fixup_map_array_48b = { 3 },
0677 .result = REJECT,
0678 .errstr = "invalid access to map value",
0679 },
0680 {
0681 "map access: value_ptr += known scalar, 4",
0682 .insns = {
0683 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0686 BPF_LD_MAP_FD(BPF_REG_1, 0),
0687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
0689 BPF_MOV64_IMM(BPF_REG_1, 5),
0690 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0691 BPF_MOV64_IMM(BPF_REG_1, -2),
0692 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0693 BPF_MOV64_IMM(BPF_REG_1, -1),
0694 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0695 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0696 BPF_MOV64_IMM(BPF_REG_0, 1),
0697 BPF_EXIT_INSN(),
0698 },
0699 .fixup_map_array_48b = { 3 },
0700 .result = ACCEPT,
0701 .retval = 1,
0702 },
0703 {
0704 "map access: value_ptr += known scalar, 5",
0705 .insns = {
0706 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0709 BPF_LD_MAP_FD(BPF_REG_1, 0),
0710 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0712 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
0713 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0714 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
0715 BPF_EXIT_INSN(),
0716 },
0717 .fixup_map_array_48b = { 3 },
0718 .result = ACCEPT,
0719 .retval = 0xabcdef12,
0720 },
0721 {
0722 "map access: value_ptr += known scalar, 6",
0723 .insns = {
0724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0727 BPF_LD_MAP_FD(BPF_REG_1, 0),
0728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0730 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
0731 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0732 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
0733 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
0735 BPF_EXIT_INSN(),
0736 },
0737 .fixup_map_array_48b = { 3 },
0738 .result = ACCEPT,
0739 .retval = 0xabcdef12,
0740 },
0741 {
0742 "map access: value_ptr += N, value_ptr -= N known scalar",
0743 .insns = {
0744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0747 BPF_LD_MAP_FD(BPF_REG_1, 0),
0748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0750 BPF_MOV32_IMM(BPF_REG_1, 0x12345678),
0751 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
0752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
0753 BPF_MOV64_IMM(BPF_REG_1, 2),
0754 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
0756 BPF_EXIT_INSN(),
0757 },
0758 .fixup_map_array_48b = { 3 },
0759 .result = ACCEPT,
0760 .retval = 0x12345678,
0761 },
0762 {
0763 "map access: unknown scalar += value_ptr, 1",
0764 .insns = {
0765 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0768 BPF_LD_MAP_FD(BPF_REG_1, 0),
0769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0771 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0772 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
0773 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0774 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0775 BPF_MOV64_IMM(BPF_REG_0, 1),
0776 BPF_EXIT_INSN(),
0777 },
0778 .fixup_map_array_48b = { 3 },
0779 .result = ACCEPT,
0780 .retval = 1,
0781 },
0782 {
0783 "map access: unknown scalar += value_ptr, 2",
0784 .insns = {
0785 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0788 BPF_LD_MAP_FD(BPF_REG_1, 0),
0789 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0791 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0792 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
0793 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0794 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
0795 BPF_EXIT_INSN(),
0796 },
0797 .fixup_map_array_48b = { 3 },
0798 .result = ACCEPT,
0799 .retval = 0xabcdef12,
0800 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0801 },
0802 {
0803 "map access: unknown scalar += value_ptr, 3",
0804 .insns = {
0805 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0806 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0808 BPF_LD_MAP_FD(BPF_REG_1, 0),
0809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
0811 BPF_MOV64_IMM(BPF_REG_1, -1),
0812 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0813 BPF_MOV64_IMM(BPF_REG_1, 1),
0814 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0815 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0816 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
0817 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0818 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
0819 BPF_EXIT_INSN(),
0820 },
0821 .fixup_map_array_48b = { 3 },
0822 .result = ACCEPT,
0823 .result_unpriv = REJECT,
0824 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
0825 .retval = 0xabcdef12,
0826 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0827 },
0828 {
0829 "map access: unknown scalar += value_ptr, 4",
0830 .insns = {
0831 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0834 BPF_LD_MAP_FD(BPF_REG_1, 0),
0835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
0837 BPF_MOV64_IMM(BPF_REG_1, 19),
0838 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0839 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0840 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
0841 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
0842 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
0843 BPF_EXIT_INSN(),
0844 },
0845 .fixup_map_array_48b = { 3 },
0846 .result = REJECT,
0847 .errstr = "R1 max value is outside of the allowed memory range",
0848 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
0849 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0850 },
0851 {
0852 "map access: value_ptr += unknown scalar, 1",
0853 .insns = {
0854 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0857 BPF_LD_MAP_FD(BPF_REG_1, 0),
0858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0860 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0861 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
0862 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0863 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0864 BPF_MOV64_IMM(BPF_REG_0, 1),
0865 BPF_EXIT_INSN(),
0866 },
0867 .fixup_map_array_48b = { 3 },
0868 .result = ACCEPT,
0869 .retval = 1,
0870 },
0871 {
0872 "map access: value_ptr += unknown scalar, 2",
0873 .insns = {
0874 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0877 BPF_LD_MAP_FD(BPF_REG_1, 0),
0878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0879 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
0880 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
0881 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
0882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
0884 BPF_EXIT_INSN(),
0885 },
0886 .fixup_map_array_48b = { 3 },
0887 .result = ACCEPT,
0888 .retval = 0xabcdef12,
0889 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
0890 },
0891 {
0892 "map access: value_ptr += unknown scalar, 3",
0893 .insns = {
0894 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0897 BPF_LD_MAP_FD(BPF_REG_1, 0),
0898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
0900 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
0901 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
0902 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
0903 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
0904 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
0905 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
0906 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
0907 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
0908 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
0909 BPF_MOV64_IMM(BPF_REG_0, 1),
0910 BPF_EXIT_INSN(),
0911 BPF_MOV64_IMM(BPF_REG_0, 2),
0912 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
0913 },
0914 .fixup_map_array_48b = { 3 },
0915 .result = ACCEPT,
0916 .retval = 1,
0917 },
0918 {
0919 "map access: value_ptr += value_ptr",
0920 .insns = {
0921 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0924 BPF_LD_MAP_FD(BPF_REG_1, 0),
0925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
0927 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
0928 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0929 BPF_MOV64_IMM(BPF_REG_0, 1),
0930 BPF_EXIT_INSN(),
0931 },
0932 .fixup_map_array_48b = { 3 },
0933 .result = REJECT,
0934 .errstr = "R0 pointer += pointer prohibited",
0935 },
0936 {
0937 "map access: known scalar -= value_ptr",
0938 .insns = {
0939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0942 BPF_LD_MAP_FD(BPF_REG_1, 0),
0943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0945 BPF_MOV64_IMM(BPF_REG_1, 4),
0946 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
0947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
0948 BPF_MOV64_IMM(BPF_REG_0, 1),
0949 BPF_EXIT_INSN(),
0950 },
0951 .fixup_map_array_48b = { 3 },
0952 .result = REJECT,
0953 .errstr = "R1 tried to subtract pointer from scalar",
0954 },
0955 {
0956 "map access: value_ptr -= known scalar",
0957 .insns = {
0958 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0961 BPF_LD_MAP_FD(BPF_REG_1, 0),
0962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0963 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
0964 BPF_MOV64_IMM(BPF_REG_1, 4),
0965 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
0966 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0967 BPF_MOV64_IMM(BPF_REG_0, 1),
0968 BPF_EXIT_INSN(),
0969 },
0970 .fixup_map_array_48b = { 3 },
0971 .result = REJECT,
0972 .errstr = "R0 min value is outside of the allowed memory range",
0973 },
0974 {
0975 "map access: value_ptr -= known scalar, 2",
0976 .insns = {
0977 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0978 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0980 BPF_LD_MAP_FD(BPF_REG_1, 0),
0981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
0982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
0983 BPF_MOV64_IMM(BPF_REG_1, 6),
0984 BPF_MOV64_IMM(BPF_REG_2, 4),
0985 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
0986 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
0987 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
0988 BPF_MOV64_IMM(BPF_REG_0, 1),
0989 BPF_EXIT_INSN(),
0990 },
0991 .fixup_map_array_48b = { 3 },
0992 .result = ACCEPT,
0993 .retval = 1,
0994 },
0995 {
0996 "map access: unknown scalar -= value_ptr",
0997 .insns = {
0998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
0999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1001 BPF_LD_MAP_FD(BPF_REG_1, 0),
1002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1003 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
1004 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1005 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
1006 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
1007 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
1008 BPF_MOV64_IMM(BPF_REG_0, 1),
1009 BPF_EXIT_INSN(),
1010 },
1011 .fixup_map_array_48b = { 3 },
1012 .result = REJECT,
1013 .errstr = "R1 tried to subtract pointer from scalar",
1014 },
1015 {
1016 "map access: value_ptr -= unknown scalar",
1017 .insns = {
1018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1021 BPF_LD_MAP_FD(BPF_REG_1, 0),
1022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1023 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
1024 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1025 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
1026 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1027 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1028 BPF_MOV64_IMM(BPF_REG_0, 1),
1029 BPF_EXIT_INSN(),
1030 },
1031 .fixup_map_array_48b = { 3 },
1032 .result = REJECT,
1033 .errstr = "R0 min value is negative",
1034 },
1035 {
1036 "map access: value_ptr -= unknown scalar, 2",
1037 .insns = {
1038 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1041 BPF_LD_MAP_FD(BPF_REG_1, 0),
1042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1043 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
1044 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1045 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
1046 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
1047 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
1048 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1049 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
1050 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1051 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1052 BPF_MOV64_IMM(BPF_REG_0, 1),
1053 BPF_EXIT_INSN(),
1054 },
1055 .fixup_map_array_48b = { 3 },
1056 .result = ACCEPT,
1057 .result_unpriv = REJECT,
1058 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
1059 .retval = 1,
1060 },
1061 {
1062 "map access: value_ptr -= value_ptr",
1063 .insns = {
1064 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1067 BPF_LD_MAP_FD(BPF_REG_1, 0),
1068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1070 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
1071 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1072 BPF_MOV64_IMM(BPF_REG_0, 1),
1073 BPF_EXIT_INSN(),
1074 },
1075 .fixup_map_array_48b = { 3 },
1076 .result = REJECT,
1077 .errstr = "R0 invalid mem access 'scalar'",
1078 .errstr_unpriv = "R0 pointer -= pointer prohibited",
1079 },
1080 {
1081 "map access: trying to leak tainted dst reg",
1082 .insns = {
1083 BPF_MOV64_IMM(BPF_REG_0, 0),
1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1089 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1090 BPF_EXIT_INSN(),
1091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
1092 BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
1093 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
1094 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
1095 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
1096 BPF_MOV64_IMM(BPF_REG_0, 0),
1097 BPF_EXIT_INSN(),
1098 },
1099 .fixup_map_array_48b = { 4 },
1100 .result = REJECT,
1101 .errstr = "math between map_value pointer and 4294967295 is not allowed",
1102 },
1103 {
1104 "32bit pkt_ptr -= scalar",
1105 .insns = {
1106 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
1107 offsetof(struct __sk_buff, data_end)),
1108 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
1109 offsetof(struct __sk_buff, data)),
1110 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
1111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40),
1112 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2),
1113 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_7),
1114 BPF_ALU32_REG(BPF_SUB, BPF_REG_6, BPF_REG_4),
1115 BPF_MOV64_IMM(BPF_REG_0, 0),
1116 BPF_EXIT_INSN(),
1117 },
1118 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1119 .result = ACCEPT,
1120 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1121 },
1122 {
1123 "32bit scalar -= pkt_ptr",
1124 .insns = {
1125 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
1126 offsetof(struct __sk_buff, data_end)),
1127 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
1128 offsetof(struct __sk_buff, data)),
1129 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
1130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40),
1131 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2),
1132 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_6),
1133 BPF_ALU32_REG(BPF_SUB, BPF_REG_4, BPF_REG_7),
1134 BPF_MOV64_IMM(BPF_REG_0, 0),
1135 BPF_EXIT_INSN(),
1136 },
1137 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1138 .result = ACCEPT,
1139 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1140 },
