1 { 2 "map access: known scalar += value_ptr unknown vs const", 3 .insns = { 4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 5 offsetof(struct __sk_buff, len)), 6 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 10 BPF_LD_MAP_FD(BPF_REG_1, 0), 11 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 12 BPF_LD_MAP_FD(BPF_REG_1, 0), 13 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 14 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 15 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 16 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4), 17 BPF_MOV64_IMM(BPF_REG_1, 6), 18 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 19 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 20 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 21 BPF_MOV64_IMM(BPF_REG_1, 3), 22 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 23 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 24 BPF_MOV64_IMM(BPF_REG_0, 1), 25 BPF_EXIT_INSN(), 26 }, 27 .fixup_map_hash_16b = { 5 }, 28 .fixup_map_array_48b = { 8 }, 29 .result_unpriv = REJECT, 30 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars", 31 .result = ACCEPT, 32 .retval = 1, 33 }, 34 { 35 "map access: known scalar += value_ptr const vs unknown", 36 .insns = { 37 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 38 offsetof(struct __sk_buff, len)), 39 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 40 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 41 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 42 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 43 BPF_LD_MAP_FD(BPF_REG_1, 0), 44 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 45 BPF_LD_MAP_FD(BPF_REG_1, 0), 46 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 48 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 49 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2), 50 BPF_MOV64_IMM(BPF_REG_1, 3), 51 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 52 BPF_MOV64_IMM(BPF_REG_1, 6), 53 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 54 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 55 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 56 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 57 BPF_MOV64_IMM(BPF_REG_0, 1), 58 BPF_EXIT_INSN(), 59 }, 60 .fixup_map_hash_16b = { 5 }, 61 .fixup_map_array_48b = { 8 }, 62 .result_unpriv = REJECT, 63 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars", 64 .result = ACCEPT, 65 .retval = 1, 66 }, 67 { 68 "map access: known scalar += value_ptr const vs const (ne)", 69 .insns = { 70 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 71 offsetof(struct __sk_buff, len)), 72 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 73 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 74 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 75 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 76 BPF_LD_MAP_FD(BPF_REG_1, 0), 77 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 78 BPF_LD_MAP_FD(BPF_REG_1, 0), 79 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 80 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 81 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 82 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2), 83 BPF_MOV64_IMM(BPF_REG_1, 3), 84 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 85 BPF_MOV64_IMM(BPF_REG_1, 5), 86 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 87 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 88 BPF_MOV64_IMM(BPF_REG_0, 1), 89 BPF_EXIT_INSN(), 90 }, 91 .fixup_map_hash_16b = { 5 }, 92 .fixup_map_array_48b = { 8 }, 93 .result_unpriv = REJECT, 94 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars", 95 .result = ACCEPT, 96 .retval = 1, 97 }, 98 { 99 "map access: known scalar += value_ptr const vs const (eq)", 100 .insns = { 101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 102 offsetof(struct __sk_buff, len)), 103 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 107 BPF_LD_MAP_FD(BPF_REG_1, 0), 108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 109 BPF_LD_MAP_FD(BPF_REG_1, 0), 110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 112 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 113 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2), 114 BPF_MOV64_IMM(BPF_REG_1, 5), 115 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 116 BPF_MOV64_IMM(BPF_REG_1, 5), 117 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 119 BPF_MOV64_IMM(BPF_REG_0, 1), 120 BPF_EXIT_INSN(), 121 }, 122 .fixup_map_hash_16b = { 5 }, 123 .fixup_map_array_48b = { 8 }, 124 .result = ACCEPT, 125 .retval = 1, 126 }, 127 { 128 "map access: known scalar += value_ptr unknown vs unknown (eq)", 129 .insns = { 130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 131 offsetof(struct __sk_buff, len)), 132 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 135 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 136 BPF_LD_MAP_FD(BPF_REG_1, 0), 137 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 138 BPF_LD_MAP_FD(BPF_REG_1, 0), 139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 141 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4), 143 BPF_MOV64_IMM(BPF_REG_1, 6), 144 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 145 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 146 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 147 BPF_MOV64_IMM(BPF_REG_1, 6), 148 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 149 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 150 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 151 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 152 BPF_MOV64_IMM(BPF_REG_0, 1), 153 BPF_EXIT_INSN(), 154 }, 155 .fixup_map_hash_16b = { 5 }, 156 .fixup_map_array_48b = { 8 }, 157 .result = ACCEPT, 158 .retval = 1, 159 }, 160 { 161 "map access: known scalar += value_ptr unknown vs unknown (lt)", 162 .insns = { 163 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 164 offsetof(struct __sk_buff, len)), 165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 169 BPF_LD_MAP_FD(BPF_REG_1, 0), 170 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 171 BPF_LD_MAP_FD(BPF_REG_1, 0), 172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 174 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4), 176 BPF_MOV64_IMM(BPF_REG_1, 6), 177 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 178 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3), 179 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 180 BPF_MOV64_IMM(BPF_REG_1, 6), 181 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 182 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 183 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 185 BPF_MOV64_IMM(BPF_REG_0, 1), 186 BPF_EXIT_INSN(), 187 }, 188 .fixup_map_hash_16b = { 5 }, 189 .fixup_map_array_48b = { 8 }, 190 .result_unpriv = REJECT, 191 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars", 192 .result = ACCEPT, 193 .retval = 1, 194 }, 195 { 196 "map access: known scalar += value_ptr unknown vs unknown (gt)", 197 .insns = { 198 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 199 offsetof(struct __sk_buff, len)), 200 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 201 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 204 BPF_LD_MAP_FD(BPF_REG_1, 0), 205 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 206 BPF_LD_MAP_FD(BPF_REG_1, 0), 207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 209 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0), 210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4), 211 BPF_MOV64_IMM(BPF_REG_1, 6), 212 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 213 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 214 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 215 BPF_MOV64_IMM(BPF_REG_1, 6), 216 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 217 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3), 218 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 220 BPF_MOV64_IMM(BPF_REG_0, 1), 221 BPF_EXIT_INSN(), 222 }, 223 .fixup_map_hash_16b = { 5 }, 224 .fixup_map_array_48b = { 8 }, 225 .result_unpriv = REJECT, 226 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars", 227 .result = ACCEPT, 228 .retval = 1, 229 }, 230 { 231 "map access: known scalar += value_ptr from different maps", 232 .insns = { 233 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 234 offsetof(struct __sk_buff, len)), 235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 239 BPF_LD_MAP_FD(BPF_REG_1, 0), 240 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 241 BPF_LD_MAP_FD(BPF_REG_1, 0), 242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 244 BPF_MOV64_IMM(BPF_REG_1, 4), 245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 246 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 247 BPF_MOV64_IMM(BPF_REG_0, 1), 248 BPF_EXIT_INSN(), 249 }, 250 .fixup_map_hash_16b = { 5 }, 251 .fixup_map_array_48b = { 8 }, 252 .result = ACCEPT, 253 .retval = 1, 254 }, 255 { 256 "map access: value_ptr -= known scalar from different maps", 257 .insns = { 258 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 259 offsetof(struct __sk_buff, len)), 260 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 264 BPF_LD_MAP_FD(BPF_REG_1, 0), 265 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 266 BPF_LD_MAP_FD(BPF_REG_1, 0), 267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 269 BPF_MOV64_IMM(BPF_REG_1, 4), 270 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 271 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 272 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 273 BPF_MOV64_IMM(BPF_REG_0, 1), 274 BPF_EXIT_INSN(), 275 }, 276 .fixup_map_hash_16b = { 5 }, 277 .fixup_map_array_48b = { 8 }, 278 .result = ACCEPT, 279 .result_unpriv = REJECT, 280 .errstr_unpriv = "R0 min value is outside of the allowed memory range", 281 .retval = 1, 282 }, 283 { 284 "map access: known scalar += value_ptr from different maps, but same value properties", 285 .insns = { 286 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 287 offsetof(struct __sk_buff, len)), 288 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 289 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3), 292 BPF_LD_MAP_FD(BPF_REG_1, 0), 293 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 294 BPF_LD_MAP_FD(BPF_REG_1, 0), 295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 297 BPF_MOV64_IMM(BPF_REG_1, 4), 298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 300 BPF_MOV64_IMM(BPF_REG_0, 1), 301 BPF_EXIT_INSN(), 302 }, 303 .fixup_map_hash_48b = { 5 }, 304 .fixup_map_array_48b = { 8 }, 305 .result = ACCEPT, 306 .retval = 1, 307 }, 308 { 309 "map access: mixing value pointer and scalar, 1", 310 .insns = { 311 // load map value pointer into r0 and r2 312 BPF_MOV64_IMM(BPF_REG_0, 1), 313 BPF_LD_MAP_FD(BPF_REG_ARG1, 0), 314 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), 315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16), 316 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0), 317 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 318 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 319 BPF_EXIT_INSN(), 320 // load some number from the map into r1 321 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 322 // depending on r1, branch: 323 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3), 324 // branch A 325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 326 BPF_MOV64_IMM(BPF_REG_3, 0), 327 BPF_JMP_A(2), 328 // branch B 329 BPF_MOV64_IMM(BPF_REG_2, 0), 330 BPF_MOV64_IMM(BPF_REG_3, 0x100000), 331 // common instruction 332 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 333 // depending on r1, branch: 334 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 335 // branch A 336 BPF_JMP_A(4), 337 // branch B 338 BPF_MOV64_IMM(BPF_REG_0, 0x13371337), 339 // verifier follows fall-through 340 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2), 341 BPF_MOV64_IMM(BPF_REG_0, 0), 342 BPF_EXIT_INSN(), 343 // fake-dead code; targeted from branch A to 344 // prevent dead code sanitization 345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 346 BPF_MOV64_IMM(BPF_REG_0, 0), 347 BPF_EXIT_INSN(), 348 }, 349 .fixup_map_array_48b = { 1 }, 350 .result = ACCEPT, 351 .result_unpriv = REJECT, 352 .errstr_unpriv = "R2 pointer comparison prohibited", 353 .retval = 0, 354 }, 355 { 356 "map access: mixing value pointer and scalar, 2", 357 .insns = { 358 // load map value pointer into r0 and r2 359 BPF_MOV64_IMM(BPF_REG_0, 1), 360 BPF_LD_MAP_FD(BPF_REG_ARG1, 0), 361 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), 362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16), 363 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0), 364 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 365 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 366 BPF_EXIT_INSN(), 367 // load some number from the map into r1 368 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 369 // depending on r1, branch: 370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 371 // branch A 372 BPF_MOV64_IMM(BPF_REG_2, 0), 373 BPF_MOV64_IMM(BPF_REG_3, 0x100000), 374 BPF_JMP_A(2), 375 // branch B 376 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 377 BPF_MOV64_IMM(BPF_REG_3, 0), 378 // common instruction 379 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 380 // depending on r1, branch: 381 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 382 // branch A 383 BPF_JMP_A(4), 384 // branch B 385 BPF_MOV64_IMM(BPF_REG_0, 0x13371337), 386 // verifier follows fall-through 387 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2), 388 BPF_MOV64_IMM(BPF_REG_0, 0), 389 BPF_EXIT_INSN(), 390 // fake-dead code; targeted from branch A to 391 // prevent dead code sanitization, rejected 392 // via branch B however 393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 394 BPF_MOV64_IMM(BPF_REG_0, 0), 395 BPF_EXIT_INSN(), 396 }, 397 .fixup_map_array_48b = { 1 }, 398 .result = ACCEPT, 399 .result_unpriv = REJECT, 400 .errstr_unpriv = "R0 invalid mem access 'scalar'", 401 .retval = 0, 402 }, 403 { 404 "sanitation: alu with different scalars 1", 405 .insns = { 406 BPF_MOV64_IMM(BPF_REG_0, 1), 407 BPF_LD_MAP_FD(BPF_REG_ARG1, 0), 408 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), 409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16), 410 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0), 411 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 412 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 413 BPF_EXIT_INSN(), 414 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 415 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 416 BPF_MOV64_IMM(BPF_REG_2, 0), 417 BPF_MOV64_IMM(BPF_REG_3, 0x100000), 418 BPF_JMP_A(2), 419 BPF_MOV64_IMM(BPF_REG_2, 42), 420 BPF_MOV64_IMM(BPF_REG_3, 0x100001), 421 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 423 BPF_EXIT_INSN(), 424 }, 425 .fixup_map_array_48b = { 1 }, 426 .result = ACCEPT, 427 .retval = 0x100000, 428 }, 429 { 430 "sanitation: alu with different scalars 2", 431 .insns = { 432 BPF_MOV64_IMM(BPF_REG_0, 1), 433 BPF_LD_MAP_FD(BPF_REG_1, 0), 434 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), 436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 437 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0), 438 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem), 439 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), 442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 443 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem), 444 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 445 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6), 446 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7), 447 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8), 448 BPF_EXIT_INSN(), 449 }, 450 .fixup_map_array_48b = { 1 }, 451 .result = ACCEPT, 452 .retval = -EINVAL * 2, 453 }, 454 { 455 "sanitation: alu with different scalars 3", 456 .insns = { 457 BPF_MOV64_IMM(BPF_REG_0, EINVAL), 458 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1), 459 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 460 BPF_MOV64_IMM(BPF_REG_0, EINVAL), 461 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1), 462 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 463 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6), 464 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7), 465 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8), 466 BPF_EXIT_INSN(), 467 }, 468 .result = ACCEPT, 469 .retval = -EINVAL * 2, 470 }, 471 { 472 "map access: value_ptr += known scalar, upper oob arith, test 1", 473 .insns = { 474 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 475 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 477 BPF_LD_MAP_FD(BPF_REG_1, 0), 478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 480 BPF_MOV64_IMM(BPF_REG_1, 48), 481 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 482 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 483 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 484 BPF_MOV64_IMM(BPF_REG_0, 1), 485 BPF_EXIT_INSN(), 486 }, 487 .fixup_map_array_48b = { 3 }, 488 .result = ACCEPT, 489 .result_unpriv = REJECT, 490 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 491 .retval = 1, 492 }, 493 { 494 "map access: value_ptr += known scalar, upper oob arith, test 2", 495 .insns = { 496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 497 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 499 BPF_LD_MAP_FD(BPF_REG_1, 0), 500 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 502 BPF_MOV64_IMM(BPF_REG_1, 49), 503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 504 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 505 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 506 BPF_MOV64_IMM(BPF_REG_0, 1), 507 BPF_EXIT_INSN(), 508 }, 509 .fixup_map_array_48b = { 3 }, 510 .result = ACCEPT, 511 .result_unpriv = REJECT, 512 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 513 .retval = 1, 514 }, 515 { 516 "map access: value_ptr += known scalar, upper oob arith, test 3", 517 .insns = { 518 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 521 BPF_LD_MAP_FD(BPF_REG_1, 0), 522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 524 BPF_MOV64_IMM(BPF_REG_1, 47), 525 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 526 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 527 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 528 BPF_MOV64_IMM(BPF_REG_0, 1), 529 BPF_EXIT_INSN(), 530 }, 531 .fixup_map_array_48b = { 3 }, 532 .result = ACCEPT, 533 .retval = 1, 534 }, 535 { 536 "map access: value_ptr -= known scalar, lower oob arith, test 1", 537 .insns = { 538 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 541 BPF_LD_MAP_FD(BPF_REG_1, 0), 542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 544 BPF_MOV64_IMM(BPF_REG_1, 47), 545 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 546 BPF_MOV64_IMM(BPF_REG_1, 48), 547 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 548 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 549 BPF_MOV64_IMM(BPF_REG_0, 1), 550 BPF_EXIT_INSN(), 551 }, 552 .fixup_map_array_48b = { 3 }, 553 .result = REJECT, 554 .errstr = "R0 min value is outside of the allowed memory range", 555 .result_unpriv = REJECT, 556 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 557 }, 558 { 559 "map access: value_ptr -= known scalar, lower oob arith, test 2", 560 .insns = { 561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 564 BPF_LD_MAP_FD(BPF_REG_1, 0), 565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 567 BPF_MOV64_IMM(BPF_REG_1, 47), 568 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 569 BPF_MOV64_IMM(BPF_REG_1, 48), 570 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 571 BPF_MOV64_IMM(BPF_REG_1, 1), 572 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 573 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 574 BPF_MOV64_IMM(BPF_REG_0, 1), 575 BPF_EXIT_INSN(), 576 }, 577 .fixup_map_array_48b = { 3 }, 578 .result = ACCEPT, 579 .result_unpriv = REJECT, 580 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 581 .retval = 1, 582 }, 583 { 584 "map access: value_ptr -= known scalar, lower oob arith, test 3", 585 .insns = { 586 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 587 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 589 BPF_LD_MAP_FD(BPF_REG_1, 0), 590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 592 BPF_MOV64_IMM(BPF_REG_1, 47), 593 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 594 BPF_MOV64_IMM(BPF_REG_1, 47), 595 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 596 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 597 BPF_MOV64_IMM(BPF_REG_0, 1), 598 BPF_EXIT_INSN(), 599 }, 600 .fixup_map_array_48b = { 3 }, 601 .result = ACCEPT, 602 .retval = 1, 603 }, 604 { 605 "map access: known scalar += value_ptr", 606 .insns = { 607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 610 BPF_LD_MAP_FD(BPF_REG_1, 0), 611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 613 BPF_MOV64_IMM(BPF_REG_1, 4), 614 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 615 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 616 BPF_MOV64_IMM(BPF_REG_0, 1), 617 BPF_EXIT_INSN(), 618 }, 619 .fixup_map_array_48b = { 3 }, 620 .result = ACCEPT, 621 .retval = 1, 622 }, 623 { 624 "map access: value_ptr += known scalar, 1", 625 .insns = { 626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 629 BPF_LD_MAP_FD(BPF_REG_1, 0), 630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 632 BPF_MOV64_IMM(BPF_REG_1, 4), 633 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 634 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 635 BPF_MOV64_IMM(BPF_REG_0, 1), 636 BPF_EXIT_INSN(), 637 }, 638 .fixup_map_array_48b = { 3 }, 639 .result = ACCEPT, 640 .retval = 1, 641 }, 642 { 643 "map access: value_ptr += known scalar, 2", 644 .insns = { 645 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 646 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 648 BPF_LD_MAP_FD(BPF_REG_1, 0), 649 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 651 BPF_MOV64_IMM(BPF_REG_1, 49), 652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 653 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 654 BPF_MOV64_IMM(BPF_REG_0, 1), 655 BPF_EXIT_INSN(), 656 }, 657 .fixup_map_array_48b = { 3 }, 658 .result = REJECT, 659 .errstr = "invalid access to map value", 660 }, 661 { 662 "map access: value_ptr += known scalar, 3", 663 .insns = { 664 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 667 BPF_LD_MAP_FD(BPF_REG_1, 0), 668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 670 BPF_MOV64_IMM(BPF_REG_1, -1), 671 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 672 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 673 BPF_MOV64_IMM(BPF_REG_0, 1), 674 BPF_EXIT_INSN(), 675 }, 676 .fixup_map_array_48b = { 3 }, 677 .result = REJECT, 678 .errstr = "invalid access to map value", 679 }, 680 { 681 "map access: value_ptr += known scalar, 4", 682 .insns = { 683 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 686 BPF_LD_MAP_FD(BPF_REG_1, 0), 687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 689 BPF_MOV64_IMM(BPF_REG_1, 5), 690 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 691 BPF_MOV64_IMM(BPF_REG_1, -2), 692 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 693 BPF_MOV64_IMM(BPF_REG_1, -1), 694 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 695 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 696 BPF_MOV64_IMM(BPF_REG_0, 1), 697 BPF_EXIT_INSN(), 698 }, 699 .fixup_map_array_48b = { 3 }, 700 .result = ACCEPT, 701 .retval = 1, 702 }, 703 { 704 "map access: value_ptr += known scalar, 5", 705 .insns = { 706 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 709 BPF_LD_MAP_FD(BPF_REG_1, 0), 710 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 712 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)), 713 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 714 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 715 BPF_EXIT_INSN(), 716 }, 717 .fixup_map_array_48b = { 3 }, 718 .result = ACCEPT, 719 .retval = 0xabcdef12, 720 }, 721 { 722 "map access: value_ptr += known scalar, 6", 723 .insns = { 724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 727 BPF_LD_MAP_FD(BPF_REG_1, 0), 728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 730 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)), 731 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 732 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)), 733 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 735 BPF_EXIT_INSN(), 736 }, 737 .fixup_map_array_48b = { 3 }, 738 .result = ACCEPT, 739 .retval = 0xabcdef12, 740 }, 741 { 742 "map access: value_ptr += N, value_ptr -= N known scalar", 743 .insns = { 744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 747 BPF_LD_MAP_FD(BPF_REG_1, 0), 748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 750 BPF_MOV32_IMM(BPF_REG_1, 0x12345678), 751 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 753 BPF_MOV64_IMM(BPF_REG_1, 2), 754 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 756 BPF_EXIT_INSN(), 757 }, 758 .fixup_map_array_48b = { 3 }, 759 .result = ACCEPT, 760 .retval = 0x12345678, 761 }, 762 { 763 "map access: unknown scalar += value_ptr, 1", 764 .insns = { 765 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 768 BPF_LD_MAP_FD(BPF_REG_1, 0), 769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 771 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 772 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf), 773 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 774 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 775 BPF_MOV64_IMM(BPF_REG_0, 1), 776 BPF_EXIT_INSN(), 777 }, 778 .fixup_map_array_48b = { 3 }, 779 .result = ACCEPT, 780 .retval = 1, 781 }, 782 { 783 "map access: unknown scalar += value_ptr, 2", 784 .insns = { 785 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 788 BPF_LD_MAP_FD(BPF_REG_1, 0), 789 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 791 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 792 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31), 793 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 794 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 795 BPF_EXIT_INSN(), 796 }, 797 .fixup_map_array_48b = { 3 }, 798 .result = ACCEPT, 799 .retval = 0xabcdef12, 800 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 801 }, 802 { 803 "map access: unknown scalar += value_ptr, 3", 804 .insns = { 805 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 806 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 808 BPF_LD_MAP_FD(BPF_REG_1, 0), 809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 811 BPF_MOV64_IMM(BPF_REG_1, -1), 812 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 813 BPF_MOV64_IMM(BPF_REG_1, 1), 814 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 815 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 816 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31), 817 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 818 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 819 BPF_EXIT_INSN(), 820 }, 821 .fixup_map_array_48b = { 3 }, 822 .result = ACCEPT, 823 .result_unpriv = REJECT, 824 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 825 .retval = 0xabcdef12, 826 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 827 }, 828 { 829 "map access: unknown scalar += value_ptr, 4", 830 .insns = { 831 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 834 BPF_LD_MAP_FD(BPF_REG_1, 0), 835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 837 BPF_MOV64_IMM(BPF_REG_1, 19), 838 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 839 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 840 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31), 841 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 842 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 843 BPF_EXIT_INSN(), 844 }, 845 .fixup_map_array_48b = { 3 }, 846 .result = REJECT, 847 .errstr = "R1 max value is outside of the allowed memory range", 848 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range", 849 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 850 }, 851 { 852 "map access: value_ptr += unknown scalar, 1", 853 .insns = { 854 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 857 BPF_LD_MAP_FD(BPF_REG_1, 0), 858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 860 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 861 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf), 862 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 863 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 864 BPF_MOV64_IMM(BPF_REG_0, 1), 865 BPF_EXIT_INSN(), 866 }, 867 .fixup_map_array_48b = { 3 }, 868 .result = ACCEPT, 869 .retval = 1, 870 }, 871 { 872 "map access: value_ptr += unknown scalar, 2", 873 .insns = { 874 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 877 BPF_LD_MAP_FD(BPF_REG_1, 0), 878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 879 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 880 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 881 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31), 882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 884 BPF_EXIT_INSN(), 885 }, 886 .fixup_map_array_48b = { 3 }, 887 .result = ACCEPT, 888 .retval = 0xabcdef12, 889 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 890 }, 891 { 892 "map access: value_ptr += unknown scalar, 3", 893 .insns = { 894 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 897 BPF_LD_MAP_FD(BPF_REG_1, 0), 898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 900 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 901 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8), 902 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16), 903 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf), 904 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1), 905 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1), 906 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4), 907 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 908 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 909 BPF_MOV64_IMM(BPF_REG_0, 1), 910 BPF_EXIT_INSN(), 911 BPF_MOV64_IMM(BPF_REG_0, 2), 912 BPF_JMP_IMM(BPF_JA, 0, 0, -3), 913 }, 914 .fixup_map_array_48b = { 3 }, 915 .result = ACCEPT, 916 .retval = 1, 917 }, 918 { 919 "map access: value_ptr += value_ptr", 920 .insns = { 921 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 924 BPF_LD_MAP_FD(BPF_REG_1, 0), 925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 927 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0), 928 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 929 BPF_MOV64_IMM(BPF_REG_0, 1), 930 BPF_EXIT_INSN(), 931 }, 932 .fixup_map_array_48b = { 3 }, 933 .result = REJECT, 934 .errstr = "R0 pointer += pointer prohibited", 935 }, 936 { 937 "map access: known scalar -= value_ptr", 938 .insns = { 939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 942 BPF_LD_MAP_FD(BPF_REG_1, 0), 943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 945 BPF_MOV64_IMM(BPF_REG_1, 4), 946 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 948 BPF_MOV64_IMM(BPF_REG_0, 1), 949 BPF_EXIT_INSN(), 950 }, 951 .fixup_map_array_48b = { 3 }, 952 .result = REJECT, 953 .errstr = "R1 tried to subtract pointer from scalar", 954 }, 955 { 956 "map access: value_ptr -= known scalar", 957 .insns = { 958 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 961 BPF_LD_MAP_FD(BPF_REG_1, 0), 962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 963 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 964 BPF_MOV64_IMM(BPF_REG_1, 4), 965 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 966 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 967 BPF_MOV64_IMM(BPF_REG_0, 1), 968 BPF_EXIT_INSN(), 969 }, 970 .fixup_map_array_48b = { 3 }, 971 .result = REJECT, 972 .errstr = "R0 min value is outside of the allowed memory range", 973 }, 974 { 975 "map access: value_ptr -= known scalar, 2", 976 .insns = { 977 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 978 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 980 BPF_LD_MAP_FD(BPF_REG_1, 0), 981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 983 BPF_MOV64_IMM(BPF_REG_1, 6), 984 BPF_MOV64_IMM(BPF_REG_2, 4), 985 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 986 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2), 987 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 988 BPF_MOV64_IMM(BPF_REG_0, 1), 989 BPF_EXIT_INSN(), 990 }, 991 .fixup_map_array_48b = { 3 }, 992 .result = ACCEPT, 993 .retval = 1, 994 }, 995 { 996 "map access: unknown scalar -= value_ptr", 997 .insns = { 998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1001 BPF_LD_MAP_FD(BPF_REG_1, 0), 1002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1003 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 1004 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1005 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf), 1006 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 1007 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 1008 BPF_MOV64_IMM(BPF_REG_0, 1), 1009 BPF_EXIT_INSN(), 1010 }, 1011 .fixup_map_array_48b = { 3 }, 1012 .result = REJECT, 1013 .errstr = "R1 tried to subtract pointer from scalar", 1014 }, 1015 { 1016 "map access: value_ptr -= unknown scalar", 1017 .insns = { 1018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1021 BPF_LD_MAP_FD(BPF_REG_1, 0), 1022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1023 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 1024 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1025 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf), 1026 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 1027 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1028 BPF_MOV64_IMM(BPF_REG_0, 1), 1029 BPF_EXIT_INSN(), 1030 }, 1031 .fixup_map_array_48b = { 3 }, 1032 .result = REJECT, 1033 .errstr = "R0 min value is negative", 1034 }, 1035 { 1036 "map access: value_ptr -= unknown scalar, 2", 1037 .insns = { 1038 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1041 BPF_LD_MAP_FD(BPF_REG_1, 0), 1042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1043 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 1044 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1045 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf), 1046 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7), 1047 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 1048 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1049 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7), 1050 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 1051 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1052 BPF_MOV64_IMM(BPF_REG_0, 1), 1053 BPF_EXIT_INSN(), 1054 }, 1055 .fixup_map_array_48b = { 3 }, 1056 .result = ACCEPT, 1057 .result_unpriv = REJECT, 1058 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 1059 .retval = 1, 1060 }, 1061 { 1062 "map access: value_ptr -= value_ptr", 1063 .insns = { 1064 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1067 BPF_LD_MAP_FD(BPF_REG_1, 0), 1068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 1070 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0), 1071 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 1072 BPF_MOV64_IMM(BPF_REG_0, 1), 1073 BPF_EXIT_INSN(), 1074 }, 1075 .fixup_map_array_48b = { 3 }, 1076 .result = REJECT, 1077 .errstr = "R0 invalid mem access 'scalar'", 1078 .errstr_unpriv = "R0 pointer -= pointer prohibited", 1079 }, 1080 { 1081 "map access: trying to leak tainted dst reg", 1082 .insns = { 1083 BPF_MOV64_IMM(BPF_REG_0, 0), 1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1087 BPF_LD_MAP_FD(BPF_REG_1, 0), 1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1089 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 1090 BPF_EXIT_INSN(), 1091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 1092 BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF), 1093 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), 1094 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1), 1095 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 1096 BPF_MOV64_IMM(BPF_REG_0, 0), 1097 BPF_EXIT_INSN(), 1098 }, 1099 .fixup_map_array_48b = { 4 }, 1100 .result = REJECT, 1101 .errstr = "math between map_value pointer and 4294967295 is not allowed", 1102 }, 1103 { 1104 "32bit pkt_ptr -= scalar", 1105 .insns = { 1106 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, 1107 offsetof(struct __sk_buff, data_end)), 1108 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 1109 offsetof(struct __sk_buff, data)), 1110 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 1111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40), 1112 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2), 1113 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_7), 1114 BPF_ALU32_REG(BPF_SUB, BPF_REG_6, BPF_REG_4), 1115 BPF_MOV64_IMM(BPF_REG_0, 0), 1116 BPF_EXIT_INSN(), 1117 }, 1118 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1119 .result = ACCEPT, 1120 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 1121 }, 1122 { 1123 "32bit scalar -= pkt_ptr", 1124 .insns = { 1125 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, 1126 offsetof(struct __sk_buff, data_end)), 1127 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 1128 offsetof(struct __sk_buff, data)), 1129 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 1130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40), 1131 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2), 1132 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_6), 1133 BPF_ALU32_REG(BPF_SUB, BPF_REG_4, BPF_REG_7), 1134 BPF_MOV64_IMM(BPF_REG_0, 0), 1135 BPF_EXIT_INSN(), 1136 }, 1137 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1138 .result = ACCEPT, 1139 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 1140 }, 1141