• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 {
2 	"invalid direct packet write for LWT_IN",
3 	.insns = {
4 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5 		    offsetof(struct __sk_buff, data)),
6 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7 		    offsetof(struct __sk_buff, data_end)),
8 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
11 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
12 	BPF_MOV64_IMM(BPF_REG_0, 0),
13 	BPF_EXIT_INSN(),
14 	},
15 	.errstr = "cannot write into packet",
16 	.result = REJECT,
17 	.prog_type = BPF_PROG_TYPE_LWT_IN,
18 },
19 {
20 	"invalid direct packet write for LWT_OUT",
21 	.insns = {
22 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
23 		    offsetof(struct __sk_buff, data)),
24 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
25 		    offsetof(struct __sk_buff, data_end)),
26 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
27 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
28 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
29 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
30 	BPF_MOV64_IMM(BPF_REG_0, 0),
31 	BPF_EXIT_INSN(),
32 	},
33 	.errstr = "cannot write into packet",
34 	.result = REJECT,
35 	.prog_type = BPF_PROG_TYPE_LWT_OUT,
36 },
37 {
38 	"direct packet write for LWT_XMIT",
39 	.insns = {
40 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
41 		    offsetof(struct __sk_buff, data)),
42 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
43 		    offsetof(struct __sk_buff, data_end)),
44 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
45 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
46 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
47 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
48 	BPF_MOV64_IMM(BPF_REG_0, 0),
49 	BPF_EXIT_INSN(),
50 	},
51 	.result = ACCEPT,
52 	.prog_type = BPF_PROG_TYPE_LWT_XMIT,
53 },
54 {
55 	"direct packet read for LWT_IN",
56 	.insns = {
57 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
58 		    offsetof(struct __sk_buff, data)),
59 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
60 		    offsetof(struct __sk_buff, data_end)),
61 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
62 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
63 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
64 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
65 	BPF_MOV64_IMM(BPF_REG_0, 0),
66 	BPF_EXIT_INSN(),
67 	},
68 	.result = ACCEPT,
69 	.prog_type = BPF_PROG_TYPE_LWT_IN,
70 },
71 {
72 	"direct packet read for LWT_OUT",
73 	.insns = {
74 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
75 		    offsetof(struct __sk_buff, data)),
76 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
77 		    offsetof(struct __sk_buff, data_end)),
78 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
79 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
80 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
81 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
82 	BPF_MOV64_IMM(BPF_REG_0, 0),
83 	BPF_EXIT_INSN(),
84 	},
85 	.result = ACCEPT,
86 	.prog_type = BPF_PROG_TYPE_LWT_OUT,
87 },
88 {
89 	"direct packet read for LWT_XMIT",
90 	.insns = {
91 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
92 		    offsetof(struct __sk_buff, data)),
93 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
94 		    offsetof(struct __sk_buff, data_end)),
95 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
96 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
97 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
98 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
99 	BPF_MOV64_IMM(BPF_REG_0, 0),
100 	BPF_EXIT_INSN(),
101 	},
102 	.result = ACCEPT,
103 	.prog_type = BPF_PROG_TYPE_LWT_XMIT,
104 },
105 {
106 	"overlapping checks for direct packet access",
107 	.insns = {
108 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
109 		    offsetof(struct __sk_buff, data)),
110 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
111 		    offsetof(struct __sk_buff, data_end)),
112 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
113 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
114 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
115 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
116 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
117 	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
118 	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
119 	BPF_MOV64_IMM(BPF_REG_0, 0),
120 	BPF_EXIT_INSN(),
121 	},
122 	.result = ACCEPT,
123 	.prog_type = BPF_PROG_TYPE_LWT_XMIT,
124 },
125 {
126 	"make headroom for LWT_XMIT",
127 	.insns = {
128 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
129 	BPF_MOV64_IMM(BPF_REG_2, 34),
130 	BPF_MOV64_IMM(BPF_REG_3, 0),
131 	BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
132 	/* split for s390 to succeed */
133 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
134 	BPF_MOV64_IMM(BPF_REG_2, 42),
135 	BPF_MOV64_IMM(BPF_REG_3, 0),
136 	BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
137 	BPF_MOV64_IMM(BPF_REG_0, 0),
138 	BPF_EXIT_INSN(),
139 	},
140 	.result = ACCEPT,
141 	.prog_type = BPF_PROG_TYPE_LWT_XMIT,
142 },
143 {
144 	"invalid access of tc_classid for LWT_IN",
145 	.insns = {
146 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
147 		    offsetof(struct __sk_buff, tc_classid)),
148 	BPF_EXIT_INSN(),
149 	},
150 	.result = REJECT,
151 	.errstr = "invalid bpf_context access",
152 },
153 {
154 	"invalid access of tc_classid for LWT_OUT",
155 	.insns = {
156 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
157 		    offsetof(struct __sk_buff, tc_classid)),
158 	BPF_EXIT_INSN(),
159 	},
160 	.result = REJECT,
161 	.errstr = "invalid bpf_context access",
162 },
163 {
164 	"invalid access of tc_classid for LWT_XMIT",
165 	.insns = {
166 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
167 		    offsetof(struct __sk_buff, tc_classid)),
168 	BPF_EXIT_INSN(),
169 	},
170 	.result = REJECT,
171 	.errstr = "invalid bpf_context access",
172 },
173 {
174 	"check skb->tc_classid half load not permitted for lwt prog",
175 	.insns = {
176 	BPF_MOV64_IMM(BPF_REG_0, 0),
177 #if __BYTE_ORDER == __LITTLE_ENDIAN
178 	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
179 		    offsetof(struct __sk_buff, tc_classid)),
180 #else
181 	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
182 		    offsetof(struct __sk_buff, tc_classid) + 2),
183 #endif
184 	BPF_EXIT_INSN(),
185 	},
186 	.result = REJECT,
187 	.errstr = "invalid bpf_context access",
188 	.prog_type = BPF_PROG_TYPE_LWT_IN,
189 },
190