• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 {
2 	"valid cgroup storage access",
3 	.insns = {
4 	BPF_MOV64_IMM(BPF_REG_2, 0),
5 	BPF_LD_MAP_FD(BPF_REG_1, 0),
6 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
7 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
8 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10 	BPF_EXIT_INSN(),
11 	},
12 	.fixup_cgroup_storage = { 1 },
13 	.result = ACCEPT,
14 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
15 },
16 {
17 	"invalid cgroup storage access 1",
18 	.insns = {
19 	BPF_MOV64_IMM(BPF_REG_2, 0),
20 	BPF_LD_MAP_FD(BPF_REG_1, 0),
21 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
22 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
23 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
24 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
25 	BPF_EXIT_INSN(),
26 	},
27 	.fixup_map_hash_8b = { 1 },
28 	.result = REJECT,
29 	.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
30 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
31 },
32 {
33 	"invalid cgroup storage access 2",
34 	.insns = {
35 	BPF_MOV64_IMM(BPF_REG_2, 0),
36 	BPF_LD_MAP_FD(BPF_REG_1, 1),
37 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
38 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
39 	BPF_EXIT_INSN(),
40 	},
41 	.result = REJECT,
42 	.errstr = "fd 1 is not pointing to valid bpf_map",
43 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
44 },
45 {
46 	"invalid cgroup storage access 3",
47 	.insns = {
48 	BPF_MOV64_IMM(BPF_REG_2, 0),
49 	BPF_LD_MAP_FD(BPF_REG_1, 0),
50 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
51 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
52 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
53 	BPF_MOV64_IMM(BPF_REG_0, 0),
54 	BPF_EXIT_INSN(),
55 	},
56 	.fixup_cgroup_storage = { 1 },
57 	.result = REJECT,
58 	.errstr = "invalid access to map value, value_size=64 off=256 size=4",
59 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
60 },
61 {
62 	"invalid cgroup storage access 4",
63 	.insns = {
64 	BPF_MOV64_IMM(BPF_REG_2, 0),
65 	BPF_LD_MAP_FD(BPF_REG_1, 0),
66 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
67 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
68 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
69 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
70 	BPF_EXIT_INSN(),
71 	},
72 	.fixup_cgroup_storage = { 1 },
73 	.result = REJECT,
74 	.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
75 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
76 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
77 },
78 {
79 	"invalid cgroup storage access 5",
80 	.insns = {
81 	BPF_MOV64_IMM(BPF_REG_2, 7),
82 	BPF_LD_MAP_FD(BPF_REG_1, 0),
83 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
84 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
85 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
86 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
87 	BPF_EXIT_INSN(),
88 	},
89 	.fixup_cgroup_storage = { 1 },
90 	.result = REJECT,
91 	.errstr = "get_local_storage() doesn't support non-zero flags",
92 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
93 },
94 {
95 	"invalid cgroup storage access 6",
96 	.insns = {
97 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
98 	BPF_LD_MAP_FD(BPF_REG_1, 0),
99 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
100 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
101 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
102 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
103 	BPF_EXIT_INSN(),
104 	},
105 	.fixup_cgroup_storage = { 1 },
106 	.result = REJECT,
107 	.errstr = "get_local_storage() doesn't support non-zero flags",
108 	.errstr_unpriv = "R2 leaks addr into helper function",
109 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
110 },
111 {
112 	"valid per-cpu cgroup storage access",
113 	.insns = {
114 	BPF_MOV64_IMM(BPF_REG_2, 0),
115 	BPF_LD_MAP_FD(BPF_REG_1, 0),
116 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
117 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
118 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
119 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
120 	BPF_EXIT_INSN(),
121 	},
122 	.fixup_percpu_cgroup_storage = { 1 },
123 	.result = ACCEPT,
124 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
125 },
126 {
127 	"invalid per-cpu cgroup storage access 1",
128 	.insns = {
129 	BPF_MOV64_IMM(BPF_REG_2, 0),
130 	BPF_LD_MAP_FD(BPF_REG_1, 0),
131 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
132 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
133 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
134 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
135 	BPF_EXIT_INSN(),
136 	},
137 	.fixup_map_hash_8b = { 1 },
138 	.result = REJECT,
139 	.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
140 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
141 },
142 {
143 	"invalid per-cpu cgroup storage access 2",
144 	.insns = {
145 	BPF_MOV64_IMM(BPF_REG_2, 0),
146 	BPF_LD_MAP_FD(BPF_REG_1, 1),
147 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
148 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
149 	BPF_EXIT_INSN(),
150 	},
151 	.result = REJECT,
152 	.errstr = "fd 1 is not pointing to valid bpf_map",
153 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
154 },
155 {
156 	"invalid per-cpu cgroup storage access 3",
157 	.insns = {
158 	BPF_MOV64_IMM(BPF_REG_2, 0),
159 	BPF_LD_MAP_FD(BPF_REG_1, 0),
160 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
161 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
162 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
163 	BPF_MOV64_IMM(BPF_REG_0, 0),
164 	BPF_EXIT_INSN(),
165 	},
166 	.fixup_percpu_cgroup_storage = { 1 },
167 	.result = REJECT,
168 	.errstr = "invalid access to map value, value_size=64 off=256 size=4",
169 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
170 },
171 {
172 	"invalid per-cpu cgroup storage access 4",
173 	.insns = {
174 	BPF_MOV64_IMM(BPF_REG_2, 0),
175 	BPF_LD_MAP_FD(BPF_REG_1, 0),
176 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
177 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
178 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
179 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
180 	BPF_EXIT_INSN(),
181 	},
182 	.fixup_cgroup_storage = { 1 },
183 	.result = REJECT,
184 	.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
185 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
186 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
187 },
188 {
189 	"invalid per-cpu cgroup storage access 5",
190 	.insns = {
191 	BPF_MOV64_IMM(BPF_REG_2, 7),
192 	BPF_LD_MAP_FD(BPF_REG_1, 0),
193 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
194 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
195 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
196 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
197 	BPF_EXIT_INSN(),
198 	},
199 	.fixup_percpu_cgroup_storage = { 1 },
200 	.result = REJECT,
201 	.errstr = "get_local_storage() doesn't support non-zero flags",
202 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
203 },
204 {
205 	"invalid per-cpu cgroup storage access 6",
206 	.insns = {
207 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
208 	BPF_LD_MAP_FD(BPF_REG_1, 0),
209 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage),
210 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
211 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
212 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
213 	BPF_EXIT_INSN(),
214 	},
215 	.fixup_percpu_cgroup_storage = { 1 },
216 	.result = REJECT,
217 	.errstr = "get_local_storage() doesn't support non-zero flags",
218 	.errstr_unpriv = "R2 leaks addr into helper function",
219 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
220 },
221