1 { 2 "PTR_TO_STACK store/load", 3 .insns = { 4 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 6 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 7 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 8 BPF_EXIT_INSN(), 9 }, 10 .result = ACCEPT, 11 .retval = 0xfaceb00c, 12 }, 13 { 14 "PTR_TO_STACK store/load - bad alignment on off", 15 .insns = { 16 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 17 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 18 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 19 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 20 BPF_EXIT_INSN(), 21 }, 22 .result = REJECT, 23 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8", 24 }, 25 { 26 "PTR_TO_STACK store/load - bad alignment on reg", 27 .insns = { 28 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 29 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 30 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 31 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 32 BPF_EXIT_INSN(), 33 }, 34 .result = REJECT, 35 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8", 36 }, 37 { 38 "PTR_TO_STACK store/load - out of bounds low", 39 .insns = { 40 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 41 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 42 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 43 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 44 BPF_EXIT_INSN(), 45 }, 46 .result = REJECT, 47 .errstr = "invalid stack off=-79992 size=8", 48 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 49 }, 50 { 51 "PTR_TO_STACK store/load - out of bounds high", 52 .insns = { 53 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 54 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 55 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 56 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 57 BPF_EXIT_INSN(), 58 }, 59 .result = REJECT, 60 .errstr = "invalid stack off=0 size=8", 61 }, 62 { 63 "PTR_TO_STACK check high 1", 64 .insns = { 65 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 67 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 68 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 69 BPF_EXIT_INSN(), 70 }, 71 .result = ACCEPT, 72 .retval = 42, 73 }, 74 { 75 "PTR_TO_STACK check high 2", 76 .insns = { 77 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 78 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42), 79 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1), 80 BPF_EXIT_INSN(), 81 }, 82 .result = ACCEPT, 83 .retval = 42, 84 }, 85 { 86 "PTR_TO_STACK check high 3", 87 .insns = { 88 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 89 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), 90 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42), 91 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1), 92 BPF_EXIT_INSN(), 93 }, 94 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 95 .result_unpriv = REJECT, 96 .result = ACCEPT, 97 .retval = 42, 98 }, 99 { 100 "PTR_TO_STACK check high 4", 101 .insns = { 102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), 104 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 106 BPF_EXIT_INSN(), 107 }, 108 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 109 .errstr = "invalid stack off=0 size=1", 110 .result = REJECT, 111 }, 112 { 113 "PTR_TO_STACK check high 5", 114 .insns = { 115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 117 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 119 BPF_EXIT_INSN(), 120 }, 121 .result = REJECT, 122 .errstr = "invalid stack off", 123 }, 124 { 125 "PTR_TO_STACK check high 6", 126 .insns = { 127 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 129 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42), 130 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX), 131 BPF_EXIT_INSN(), 132 }, 133 .result = REJECT, 134 .errstr = "invalid stack off", 135 }, 136 { 137 "PTR_TO_STACK check high 7", 138 .insns = { 139 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 142 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42), 143 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX), 144 BPF_EXIT_INSN(), 145 }, 146 .result = REJECT, 147 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 148 .errstr = "fp pointer offset", 149 }, 150 { 151 "PTR_TO_STACK check low 1", 152 .insns = { 153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512), 155 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 156 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 157 BPF_EXIT_INSN(), 158 }, 159 .result = ACCEPT, 160 .retval = 42, 161 }, 162 { 163 "PTR_TO_STACK check low 2", 164 .insns = { 165 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513), 167 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42), 168 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1), 169 BPF_EXIT_INSN(), 170 }, 171 .result_unpriv = REJECT, 172 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 173 .result = ACCEPT, 174 .retval = 42, 175 }, 176 { 177 "PTR_TO_STACK check low 3", 178 .insns = { 179 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513), 181 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 182 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 183 BPF_EXIT_INSN(), 184 }, 185 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 186 .errstr = "invalid stack off=-513 size=1", 187 .result = REJECT, 188 }, 189 { 190 "PTR_TO_STACK check low 4", 191 .insns = { 192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN), 194 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 195 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 196 BPF_EXIT_INSN(), 197 }, 198 .result = REJECT, 199 .errstr = "math between fp pointer", 200 }, 201 { 202 "PTR_TO_STACK check low 5", 203 .insns = { 204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 206 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 208 BPF_EXIT_INSN(), 209 }, 210 .result = REJECT, 211 .errstr = "invalid stack off", 212 }, 213 { 214 "PTR_TO_STACK check low 6", 215 .insns = { 216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 218 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42), 219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN), 220 BPF_EXIT_INSN(), 221 }, 222 .result = REJECT, 223 .errstr = "invalid stack off", 224 }, 225 { 226 "PTR_TO_STACK check low 7", 227 .insns = { 228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 231 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42), 232 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN), 233 BPF_EXIT_INSN(), 234 }, 235 .result = REJECT, 236 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 237 .errstr = "fp pointer offset", 238 }, 239 { 240 "PTR_TO_STACK mixed reg/k, 1", 241 .insns = { 242 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3), 244 BPF_MOV64_IMM(BPF_REG_2, -3), 245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 246 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 247 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 248 BPF_EXIT_INSN(), 249 }, 250 .result = ACCEPT, 251 .retval = 42, 252 }, 253 { 254 "PTR_TO_STACK mixed reg/k, 2", 255 .insns = { 256 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 257 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0), 258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3), 260 BPF_MOV64_IMM(BPF_REG_2, -3), 261 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 262 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 263 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10), 264 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6), 265 BPF_EXIT_INSN(), 266 }, 267 .result = ACCEPT, 268 .retval = 42, 269 }, 270 { 271 "PTR_TO_STACK mixed reg/k, 3", 272 .insns = { 273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3), 275 BPF_MOV64_IMM(BPF_REG_2, -3), 276 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 277 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 278 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 279 BPF_EXIT_INSN(), 280 }, 281 .result = ACCEPT, 282 .retval = -3, 283 }, 284 { 285 "PTR_TO_STACK reg", 286 .insns = { 287 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 288 BPF_MOV64_IMM(BPF_REG_2, -3), 289 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 290 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 291 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 292 BPF_EXIT_INSN(), 293 }, 294 .result_unpriv = REJECT, 295 .errstr_unpriv = "invalid stack off=0 size=1", 296 .result = ACCEPT, 297 .retval = 42, 298 }, 299 { 300 "stack pointer arithmetic", 301 .insns = { 302 BPF_MOV64_IMM(BPF_REG_1, 4), 303 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 304 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 308 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 309 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 312 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 313 BPF_MOV64_IMM(BPF_REG_0, 0), 314 BPF_EXIT_INSN(), 315 }, 316 .result = ACCEPT, 317 }, 318