/*
 * Verifier test cases covering how a BPF program may use its context (ctx)
 * pointer, which is in R1 on entry.  Each entry is a test name, an
 * instruction sequence (.insns), the expected verdict (.result) and, for
 * rejections, the verifier message expected in the log (.errstr).
 *
 * NOTE(review): this is a list of initializers with no enclosing array in
 * view; presumably it is included into a table of test cases defined
 * elsewhere -- confirm against the including file.
 *
 * The REJECT cases pin down checks that keep ctx access confined to fixed,
 * known offsets: no immediate or atomic-add stores through the ctx pointer,
 * no dereference of a ctx pointer after arithmetic, and no passing of a
 * modified or non-ctx value where a helper expects ctx.  A regression that
 * turned any of them into ACCEPT would loosen a memory-safety boundary.
 */
{
	"context stores via ST",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* Store-immediate through the ctx pointer in R1 must be refused. */
	BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "BPF_ST stores into R1 ctx is not allowed",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	"context stores via XADD",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* Atomic add (XADD) of R0 into a ctx field must be refused too. */
	BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
		     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	"arithmetic ops make PTR_TO_CTX unusable",
	.insns = {
	/*
	 * R1 is advanced by (data - mark) and then read at offset mark, so
	 * the effective address is ctx + offsetof(data).  The load is still
	 * expected to be rejected because it goes through a modified ctx
	 * pointer.
	 */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
		      offsetof(struct __sk_buff, data) -
		      offsetof(struct __sk_buff, mark)),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.errstr = "dereference of modified ctx ptr",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* Baseline: R1 is left untouched before the helper call. */
	"pass unmodified ctx pointer to helper",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	"pass modified ctx pointer to helper, 1",
	.insns = {
	/* Constant offset added to ctx before it is handed to the helper. */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
{
	/*
	 * Same constant-offset modification with a different helper.  No
	 * .prog_type is set here, so whatever default the test runner applies
	 * is used (not visible in this file).  The *_unpriv fields give the
	 * expectation for an unprivileged load -- presumably; confirm against
	 * the runner.
	 */
	"pass modified ctx pointer to helper, 2",
	.insns = {
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result_unpriv = REJECT,
	.result = REJECT,
	.errstr_unpriv = "dereference of modified ctx ptr",
	.errstr = "dereference of modified ctx ptr",
},
{
	"pass modified ctx pointer to helper, 3",
	.insns = {
	/*
	 * R3 is loaded from ctx and masked with 4, so it is either 0 or 4.
	 * Adding it to R1 gives a ctx pointer with a variable offset, which
	 * is what the expected var_off=(0x0; 0x4) message describes.
	 */
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
	BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "variable ctx access var_off=(0x0; 0x4)",
},
/*
 * "ctx or null" cases: the helper is called with R1 holding the unmodified
 * ctx, a constant 0 (NULL), some other scalar, or a modified ctx.  Going by
 * the expected results below, get_netns_cookie takes ctx or NULL, while
 * get_socket_cookie takes ctx only.
 */
{
	"pass ctx or null check, 1: ctx",
	.insns = {
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = ACCEPT,
},
{
	"pass ctx or null check, 2: null",
	.insns = {
	/* R1 = 0: NULL in place of ctx. */
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = ACCEPT,
},
{
	"pass ctx or null check, 3: 1",
	.insns = {
	/* R1 = 1: a non-zero scalar is neither ctx nor NULL. */
	BPF_MOV64_IMM(BPF_REG_1, 1),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = REJECT,
	.errstr = "R1 type=inv expected=ctx",
},
{
	"pass ctx or null check, 4: ctx - const",
	.insns = {
	/* A ctx pointer with a constant offset is not accepted as ctx. */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
{
	/* NULL argument again, under a different attach type. */
	"pass ctx or null check, 5: null (connect)",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_INET4_CONNECT,
	.result = ACCEPT,
},
{
	/* NULL argument under the CGROUP_SOCK program type. */
	"pass ctx or null check, 6: null (bind)",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = ACCEPT,
},
{
	/* get_socket_cookie with the unmodified ctx is accepted. */
	"pass ctx or null check, 7: ctx (bind)",
	.insns = {
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = ACCEPT,
},
{
	/*
	 * Counterpart to case 6: the same NULL argument and attach type, but
	 * with get_socket_cookie, is expected to be rejected.
	 */
	"pass ctx or null check, 8: null (bind)",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = REJECT,
	.errstr = "R1 type=inv expected=ctx",
},