tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1{
2 "context stores via ST",
3 .insns = {
4 BPF_MOV64_IMM(BPF_REG_0, 0),
5 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
6 BPF_EXIT_INSN(),
7 },
8 .errstr = "BPF_ST stores into R1 ctx is not allowed",
9 .result = REJECT,
10 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11},
12{
13 "context stores via BPF_ATOMIC",
14 .insns = {
15 BPF_MOV64_IMM(BPF_REG_0, 0),
16 BPF_ATOMIC_OP(BPF_W, BPF_ADD, BPF_REG_1, BPF_REG_0, offsetof(struct __sk_buff, mark)),
17 BPF_EXIT_INSN(),
18 },
19 .errstr = "BPF_ATOMIC stores into R1 ctx is not allowed",
20 .result = REJECT,
21 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
22},
23{
24 "arithmetic ops make PTR_TO_CTX unusable",
25 .insns = {
26 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
27 offsetof(struct __sk_buff, data) -
28 offsetof(struct __sk_buff, mark)),
29 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
30 offsetof(struct __sk_buff, mark)),
31 BPF_EXIT_INSN(),
32 },
33 .errstr = "dereference of modified ctx ptr",
34 .result = REJECT,
35 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
36},
37{
38 "pass unmodified ctx pointer to helper",
39 .insns = {
40 BPF_MOV64_IMM(BPF_REG_2, 0),
41 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
42 BPF_FUNC_csum_update),
43 BPF_MOV64_IMM(BPF_REG_0, 0),
44 BPF_EXIT_INSN(),
45 },
46 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
47 .result = ACCEPT,
48},
49{
50 "pass modified ctx pointer to helper, 1",
51 .insns = {
52 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
53 BPF_MOV64_IMM(BPF_REG_2, 0),
54 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
55 BPF_FUNC_csum_update),
56 BPF_MOV64_IMM(BPF_REG_0, 0),
57 BPF_EXIT_INSN(),
58 },
59 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
60 .result = REJECT,
61 .errstr = "dereference of modified ctx ptr",
62},
63{
64 "pass modified ctx pointer to helper, 2",
65 .insns = {
66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
67 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
68 BPF_FUNC_get_socket_cookie),
69 BPF_MOV64_IMM(BPF_REG_0, 0),
70 BPF_EXIT_INSN(),
71 },
72 .result_unpriv = REJECT,
73 .result = REJECT,
74 .errstr_unpriv = "dereference of modified ctx ptr",
75 .errstr = "dereference of modified ctx ptr",
76},
77{
78 "pass modified ctx pointer to helper, 3",
79 .insns = {
80 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
81 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
82 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
83 BPF_MOV64_IMM(BPF_REG_2, 0),
84 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
85 BPF_FUNC_csum_update),
86 BPF_MOV64_IMM(BPF_REG_0, 0),
87 BPF_EXIT_INSN(),
88 },
89 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
90 .result = REJECT,
91 .errstr = "variable ctx access var_off=(0x0; 0x4)",
92},
93{
94 "pass ctx or null check, 1: ctx",
95 .insns = {
96 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
97 BPF_FUNC_get_netns_cookie),
98 BPF_MOV64_IMM(BPF_REG_0, 0),
99 BPF_EXIT_INSN(),
100 },
101 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
102 .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
103 .result = ACCEPT,
104},
105{
106 "pass ctx or null check, 2: null",
107 .insns = {
108 BPF_MOV64_IMM(BPF_REG_1, 0),
109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
110 BPF_FUNC_get_netns_cookie),
111 BPF_MOV64_IMM(BPF_REG_0, 0),
112 BPF_EXIT_INSN(),
113 },
114 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
115 .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
116 .result = ACCEPT,
117},
118{
119 "pass ctx or null check, 3: 1",
120 .insns = {
121 BPF_MOV64_IMM(BPF_REG_1, 1),
122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
123 BPF_FUNC_get_netns_cookie),
124 BPF_MOV64_IMM(BPF_REG_0, 0),
125 BPF_EXIT_INSN(),
126 },
127 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
128 .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
129 .result = REJECT,
130 .errstr = "R1 type=inv expected=ctx",
131},
132{
133 "pass ctx or null check, 4: ctx - const",
134 .insns = {
135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
137 BPF_FUNC_get_netns_cookie),
138 BPF_MOV64_IMM(BPF_REG_0, 0),
139 BPF_EXIT_INSN(),
140 },
141 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
142 .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
143 .result = REJECT,
144 .errstr = "dereference of modified ctx ptr",
145},
146{
147 "pass ctx or null check, 5: null (connect)",
148 .insns = {
149 BPF_MOV64_IMM(BPF_REG_1, 0),
150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
151 BPF_FUNC_get_netns_cookie),
152 BPF_MOV64_IMM(BPF_REG_0, 0),
153 BPF_EXIT_INSN(),
154 },
155 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
156 .expected_attach_type = BPF_CGROUP_INET4_CONNECT,
157 .result = ACCEPT,
158},
159{
160 "pass ctx or null check, 6: null (bind)",
161 .insns = {
162 BPF_MOV64_IMM(BPF_REG_1, 0),
163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
164 BPF_FUNC_get_netns_cookie),
165 BPF_MOV64_IMM(BPF_REG_0, 0),
166 BPF_EXIT_INSN(),
167 },
168 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
169 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
170 .result = ACCEPT,
171},
172{
173 "pass ctx or null check, 7: ctx (bind)",
174 .insns = {
175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
176 BPF_FUNC_get_socket_cookie),
177 BPF_MOV64_IMM(BPF_REG_0, 0),
178 BPF_EXIT_INSN(),
179 },
180 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
181 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
182 .result = ACCEPT,
183},
184{
185 "pass ctx or null check, 8: null (bind)",
186 .insns = {
187 BPF_MOV64_IMM(BPF_REG_1, 0),
188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
189 BPF_FUNC_get_socket_cookie),
190 BPF_MOV64_IMM(BPF_REG_0, 0),
191 BPF_EXIT_INSN(),
192 },
193 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
194 .expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
195 .result = REJECT,
196 .errstr = "R1 type=inv expected=ctx",
197},