tools/testing/selftests/bpf/verifier/helper_access_var_len.c at v5.2-rc4

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / tools / testing / selftests / bpf / verifier / helper_access_var_len.c
at v5.2-rc4 614 lines 21 kB view raw
wrap content
  1{
  2	"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
  3	.insns = {
  4	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
  5	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
  6	BPF_MOV64_IMM(BPF_REG_0, 0),
  7	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
  8	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
  9	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
 10	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
 11	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
 12	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
 13	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
 14	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
 15	BPF_MOV64_IMM(BPF_REG_2, 16),
 16	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
 17	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
 18	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
 19	BPF_MOV64_IMM(BPF_REG_4, 0),
 20	BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
 21	BPF_MOV64_IMM(BPF_REG_3, 0),
 22	BPF_EMIT_CALL(BPF_FUNC_probe_read),
 23	BPF_MOV64_IMM(BPF_REG_0, 0),
 24	BPF_EXIT_INSN(),
 25	},
 26	.result = ACCEPT,
 27	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
 28},
 29{
 30	"helper access to variable memory: stack, bitwise AND, zero included",
 31	.insns = {
 32	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
 33	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
 34	BPF_MOV64_IMM(BPF_REG_2, 16),
 35	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
 36	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
 37	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
 38	BPF_MOV64_IMM(BPF_REG_3, 0),
 39	BPF_EMIT_CALL(BPF_FUNC_probe_read),
 40	BPF_EXIT_INSN(),
 41	},
 42	.errstr = "invalid indirect read from stack off -64+0 size 64",
 43	.result = REJECT,
 44	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
 45},
 46{
 47	"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
 48	.insns = {
 49	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
 50	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
 51	BPF_MOV64_IMM(BPF_REG_2, 16),
 52	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
 53	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
 54	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
 55	BPF_MOV64_IMM(BPF_REG_4, 0),
 56	BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
 57	BPF_MOV64_IMM(BPF_REG_3, 0),
 58	BPF_EMIT_CALL(BPF_FUNC_probe_read),
 59	BPF_MOV64_IMM(BPF_REG_0, 0),
 60	BPF_EXIT_INSN(),
 61	},
 62	.errstr = "invalid stack type R1 off=-64 access_size=65",
 63	.result = REJECT,
 64	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
 65},
 66{
 67	"helper access to variable memory: stack, JMP, correct bounds",
 68	.insns = {
 69	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
 70	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
 71	BPF_MOV64_IMM(BPF_REG_0, 0),
 72	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
 73	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
 74	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
 75	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
 76	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
 77	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
 78	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
 79	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
 80	BPF_MOV64_IMM(BPF_REG_2, 16),
 81	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
 82	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
 83	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
 84	BPF_MOV64_IMM(BPF_REG_4, 0),
 85	BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
 86	BPF_MOV64_IMM(BPF_REG_3, 0),
 87	BPF_EMIT_CALL(BPF_FUNC_probe_read),
 88	BPF_MOV64_IMM(BPF_REG_0, 0),
 89	BPF_EXIT_INSN(),
 90	},
 91	.result = ACCEPT,
 92	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
 93},
 94{
 95	"helper access to variable memory: stack, JMP (signed), correct bounds",
 96	.insns = {
 97	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
 98	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
 99	BPF_MOV64_IMM(BPF_REG_0, 0),
100	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
101	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
102	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
103	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
104	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
105	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
106	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
107	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
108	BPF_MOV64_IMM(BPF_REG_2, 16),
109	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
110	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
111	BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
112	BPF_MOV64_IMM(BPF_REG_4, 0),
113	BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
114	BPF_MOV64_IMM(BPF_REG_3, 0),
115	BPF_EMIT_CALL(BPF_FUNC_probe_read),
116	BPF_MOV64_IMM(BPF_REG_0, 0),
117	BPF_EXIT_INSN(),
118	},
119	.result = ACCEPT,
120	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
121},
122{
123	"helper access to variable memory: stack, JMP, bounds + offset",
124	.insns = {
125	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
126	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
127	BPF_MOV64_IMM(BPF_REG_2, 16),
128	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
129	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
130	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
131	BPF_MOV64_IMM(BPF_REG_4, 0),
132	BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
133	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
134	BPF_MOV64_IMM(BPF_REG_3, 0),
135	BPF_EMIT_CALL(BPF_FUNC_probe_read),
136	BPF_MOV64_IMM(BPF_REG_0, 0),
137	BPF_EXIT_INSN(),
138	},
139	.errstr = "invalid stack type R1 off=-64 access_size=65",
140	.result = REJECT,
141	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
142},
143{
144	"helper access to variable memory: stack, JMP, wrong max",
145	.insns = {
146	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
147	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
148	BPF_MOV64_IMM(BPF_REG_2, 16),
149	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
150	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
151	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
152	BPF_MOV64_IMM(BPF_REG_4, 0),
153	BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
154	BPF_MOV64_IMM(BPF_REG_3, 0),
155	BPF_EMIT_CALL(BPF_FUNC_probe_read),
156	BPF_MOV64_IMM(BPF_REG_0, 0),
157	BPF_EXIT_INSN(),
158	},
159	.errstr = "invalid stack type R1 off=-64 access_size=65",
160	.result = REJECT,
161	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
162},
163{
164	"helper access to variable memory: stack, JMP, no max check",
165	.insns = {
166	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
167	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
168	BPF_MOV64_IMM(BPF_REG_2, 16),
169	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
170	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
171	BPF_MOV64_IMM(BPF_REG_4, 0),
172	BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
173	BPF_MOV64_IMM(BPF_REG_3, 0),
174	BPF_EMIT_CALL(BPF_FUNC_probe_read),
175	BPF_MOV64_IMM(BPF_REG_0, 0),
176	BPF_EXIT_INSN(),
177	},
178	/* because max wasn't checked, signed min is negative */
179	.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
180	.result = REJECT,
181	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
182},
183{
184	"helper access to variable memory: stack, JMP, no min check",
185	.insns = {
186	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
187	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
188	BPF_MOV64_IMM(BPF_REG_2, 16),
189	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
190	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
191	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
192	BPF_MOV64_IMM(BPF_REG_3, 0),
193	BPF_EMIT_CALL(BPF_FUNC_probe_read),
194	BPF_MOV64_IMM(BPF_REG_0, 0),
195	BPF_EXIT_INSN(),
196	},
197	.errstr = "invalid indirect read from stack off -64+0 size 64",
198	.result = REJECT,
199	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
200},
201{
202	"helper access to variable memory: stack, JMP (signed), no min check",
203	.insns = {
204	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
205	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
206	BPF_MOV64_IMM(BPF_REG_2, 16),
207	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
208	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
209	BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
210	BPF_MOV64_IMM(BPF_REG_3, 0),
211	BPF_EMIT_CALL(BPF_FUNC_probe_read),
212	BPF_MOV64_IMM(BPF_REG_0, 0),
213	BPF_EXIT_INSN(),
214	},
215	.errstr = "R2 min value is negative",
216	.result = REJECT,
217	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
218},
219{
220	"helper access to variable memory: map, JMP, correct bounds",
221	.insns = {
222	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
223	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
224	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
225	BPF_LD_MAP_FD(BPF_REG_1, 0),
226	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
227	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
228	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
229	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
230	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
231	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
232	BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val), 4),
233	BPF_MOV64_IMM(BPF_REG_4, 0),
234	BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
235	BPF_MOV64_IMM(BPF_REG_3, 0),
236	BPF_EMIT_CALL(BPF_FUNC_probe_read),
237	BPF_MOV64_IMM(BPF_REG_0, 0),
238	BPF_EXIT_INSN(),
239	},
240	.fixup_map_hash_48b = { 3 },
241	.result = ACCEPT,
242	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
243},
244{
245	"helper access to variable memory: map, JMP, wrong max",
246	.insns = {
247	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
248	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
249	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
250	BPF_LD_MAP_FD(BPF_REG_1, 0),
251	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
252	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
253	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
254	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
255	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
256	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
257	BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) + 1, 4),
258	BPF_MOV64_IMM(BPF_REG_4, 0),
259	BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
260	BPF_MOV64_IMM(BPF_REG_3, 0),
261	BPF_EMIT_CALL(BPF_FUNC_probe_read),
262	BPF_MOV64_IMM(BPF_REG_0, 0),
263	BPF_EXIT_INSN(),
264	},
265	.fixup_map_hash_48b = { 3 },
266	.errstr = "invalid access to map value, value_size=48 off=0 size=49",
267	.result = REJECT,
268	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
269},
270{
271	"helper access to variable memory: map adjusted, JMP, correct bounds",
272	.insns = {
273	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
274	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
275	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
276	BPF_LD_MAP_FD(BPF_REG_1, 0),
277	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
278	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
279	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
280	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
281	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
282	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
283	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
284	BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 20, 4),
285	BPF_MOV64_IMM(BPF_REG_4, 0),
286	BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
287	BPF_MOV64_IMM(BPF_REG_3, 0),
288	BPF_EMIT_CALL(BPF_FUNC_probe_read),
289	BPF_MOV64_IMM(BPF_REG_0, 0),
290	BPF_EXIT_INSN(),
291	},
292	.fixup_map_hash_48b = { 3 },
293	.result = ACCEPT,
294	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
295},
296{
297	"helper access to variable memory: map adjusted, JMP, wrong max",
298	.insns = {
299	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
300	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
301	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
302	BPF_LD_MAP_FD(BPF_REG_1, 0),
303	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
304	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
305	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
306	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
307	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
308	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
309	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
310	BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 19, 4),
311	BPF_MOV64_IMM(BPF_REG_4, 0),
312	BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
313	BPF_MOV64_IMM(BPF_REG_3, 0),
314	BPF_EMIT_CALL(BPF_FUNC_probe_read),
315	BPF_MOV64_IMM(BPF_REG_0, 0),
316	BPF_EXIT_INSN(),
317	},
318	.fixup_map_hash_48b = { 3 },
319	.errstr = "R1 min value is outside of the array range",
320	.result = REJECT,
321	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
322},
323{
324	"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
325	.insns = {
326	BPF_MOV64_IMM(BPF_REG_1, 0),
327	BPF_MOV64_IMM(BPF_REG_2, 0),
328	BPF_MOV64_IMM(BPF_REG_3, 0),
329	BPF_MOV64_IMM(BPF_REG_4, 0),
330	BPF_MOV64_IMM(BPF_REG_5, 0),
331	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
332	BPF_EXIT_INSN(),
333	},
334	.result = ACCEPT,
335	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
336},
337{
338	"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
339	.insns = {
340	BPF_MOV64_IMM(BPF_REG_1, 0),
341	BPF_MOV64_IMM(BPF_REG_2, 1),
342	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
343	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
344	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
345	BPF_MOV64_IMM(BPF_REG_3, 0),
346	BPF_MOV64_IMM(BPF_REG_4, 0),
347	BPF_MOV64_IMM(BPF_REG_5, 0),
348	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
349	BPF_EXIT_INSN(),
350	},
351	.errstr = "R1 type=inv expected=fp",
352	.result = REJECT,
353	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
354},
355{
356	"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
357	.insns = {
358	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
359	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
360	BPF_MOV64_IMM(BPF_REG_2, 0),
361	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
362	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
363	BPF_MOV64_IMM(BPF_REG_3, 0),
364	BPF_MOV64_IMM(BPF_REG_4, 0),
365	BPF_MOV64_IMM(BPF_REG_5, 0),
366	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
367	BPF_EXIT_INSN(),
368	},
369	.result = ACCEPT,
370	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
371},
372{
373	"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
374	.insns = {
375	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
376	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
377	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
378	BPF_LD_MAP_FD(BPF_REG_1, 0),
379	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
380	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
381	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
382	BPF_MOV64_IMM(BPF_REG_2, 0),
383	BPF_MOV64_IMM(BPF_REG_3, 0),
384	BPF_MOV64_IMM(BPF_REG_4, 0),
385	BPF_MOV64_IMM(BPF_REG_5, 0),
386	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
387	BPF_EXIT_INSN(),
388	},
389	.fixup_map_hash_8b = { 3 },
390	.result = ACCEPT,
391	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
392},
393{
394	"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
395	.insns = {
396	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
397	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
398	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
399	BPF_LD_MAP_FD(BPF_REG_1, 0),
400	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
401	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
402	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
403	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
404	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
405	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
406	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
407	BPF_MOV64_IMM(BPF_REG_3, 0),
408	BPF_MOV64_IMM(BPF_REG_4, 0),
409	BPF_MOV64_IMM(BPF_REG_5, 0),
410	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
411	BPF_EXIT_INSN(),
412	},
413	.fixup_map_hash_8b = { 3 },
414	.result = ACCEPT,
415	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
416},
417{
418	"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
419	.insns = {
420	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
421	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
422	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
423	BPF_LD_MAP_FD(BPF_REG_1, 0),
424	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
425	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
426	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
427	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
428	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
429	BPF_MOV64_IMM(BPF_REG_3, 0),
430	BPF_MOV64_IMM(BPF_REG_4, 0),
431	BPF_MOV64_IMM(BPF_REG_5, 0),
432	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
433	BPF_EXIT_INSN(),
434	},
435	.fixup_map_hash_8b = { 3 },
436	.result = ACCEPT,
437	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
438},
439{
440	"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
441	.insns = {
442	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
443		    offsetof(struct __sk_buff, data)),
444	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
445		    offsetof(struct __sk_buff, data_end)),
446	BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
447	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
448	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
449	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
450	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
451	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
452	BPF_MOV64_IMM(BPF_REG_3, 0),
453	BPF_MOV64_IMM(BPF_REG_4, 0),
454	BPF_MOV64_IMM(BPF_REG_5, 0),
455	BPF_EMIT_CALL(BPF_FUNC_csum_diff),
456	BPF_EXIT_INSN(),
457	},
458	.result = ACCEPT,
459	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
460	.retval = 0 /* csum_diff of 64-byte packet */,
461	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
462},
463{
464	"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
465	.insns = {
466	BPF_MOV64_IMM(BPF_REG_1, 0),
467	BPF_MOV64_IMM(BPF_REG_2, 0),
468	BPF_MOV64_IMM(BPF_REG_3, 0),
469	BPF_EMIT_CALL(BPF_FUNC_probe_read),
470	BPF_EXIT_INSN(),
471	},
472	.errstr = "R1 type=inv expected=fp",
473	.result = REJECT,
474	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
475},
476{
477	"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
478	.insns = {
479	BPF_MOV64_IMM(BPF_REG_1, 0),
480	BPF_MOV64_IMM(BPF_REG_2, 1),
481	BPF_MOV64_IMM(BPF_REG_3, 0),
482	BPF_EMIT_CALL(BPF_FUNC_probe_read),
483	BPF_EXIT_INSN(),
484	},
485	.errstr = "R1 type=inv expected=fp",
486	.result = REJECT,
487	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
488},
489{
490	"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
491	.insns = {
492	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
493	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
494	BPF_MOV64_IMM(BPF_REG_2, 0),
495	BPF_MOV64_IMM(BPF_REG_3, 0),
496	BPF_EMIT_CALL(BPF_FUNC_probe_read),
497	BPF_EXIT_INSN(),
498	},
499	.result = ACCEPT,
500	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
501},
502{
503	"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
504	.insns = {
505	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
506	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
507	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
508	BPF_LD_MAP_FD(BPF_REG_1, 0),
509	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
510	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
511	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
512	BPF_MOV64_IMM(BPF_REG_2, 0),
513	BPF_MOV64_IMM(BPF_REG_3, 0),
514	BPF_EMIT_CALL(BPF_FUNC_probe_read),
515	BPF_EXIT_INSN(),
516	},
517	.fixup_map_hash_8b = { 3 },
518	.result = ACCEPT,
519	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
520},
521{
522	"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
523	.insns = {
524	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
525	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
526	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
527	BPF_LD_MAP_FD(BPF_REG_1, 0),
528	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
529	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
530	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
531	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
532	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
533	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
534	BPF_MOV64_IMM(BPF_REG_3, 0),
535	BPF_EMIT_CALL(BPF_FUNC_probe_read),
536	BPF_EXIT_INSN(),
537	},
538	.fixup_map_hash_8b = { 3 },
539	.result = ACCEPT,
540	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
541},
542{
543	"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
544	.insns = {
545	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
546	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
547	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
548	BPF_LD_MAP_FD(BPF_REG_1, 0),
549	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
550	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
551	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
552	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
553	BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
554	BPF_MOV64_IMM(BPF_REG_3, 0),
555	BPF_EMIT_CALL(BPF_FUNC_probe_read),
556	BPF_EXIT_INSN(),
557	},
558	.fixup_map_hash_8b = { 3 },
559	.result = ACCEPT,
560	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
561},
562{
563	"helper access to variable memory: 8 bytes leak",
564	.insns = {
565	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
566	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
567	BPF_MOV64_IMM(BPF_REG_0, 0),
568	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
569	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
570	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
571	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
572	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
573	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
574	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
575	BPF_MOV64_IMM(BPF_REG_2, 1),
576	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
577	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
578	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
579	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
580	BPF_MOV64_IMM(BPF_REG_3, 0),
581	BPF_EMIT_CALL(BPF_FUNC_probe_read),
582	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
583	BPF_EXIT_INSN(),
584	},
585	.errstr = "invalid indirect read from stack off -64+32 size 64",
586	.result = REJECT,
587	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
588},
589{
590	"helper access to variable memory: 8 bytes no leak (init memory)",
591	.insns = {
592	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
593	BPF_MOV64_IMM(BPF_REG_0, 0),
594	BPF_MOV64_IMM(BPF_REG_0, 0),
595	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
596	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
597	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
598	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
599	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
600	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
601	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
602	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
603	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
604	BPF_MOV64_IMM(BPF_REG_2, 0),
605	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
606	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
607	BPF_MOV64_IMM(BPF_REG_3, 0),
608	BPF_EMIT_CALL(BPF_FUNC_probe_read),
609	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
610	BPF_EXIT_INSN(),
611	},
612	.result = ACCEPT,
613	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
614},
Configure Feed

Configure Feed
