tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
selftests/bpf: verifier/raw_stack.c converted to inline assembly
Test verifier/raw_stack.c automatically converted to use inline assembly.
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20230325025524.144043-32-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
authored by
Eduard Zingerman
and committed by
Alexei Starovoitov
5a77a01f
65428312
+373
-305
+2
tools/testing/selftests/bpf/prog_tests/verifier.c
+2
tools/testing/selftests/bpf/prog_tests/verifier.c
···
28
28
#include "verifier_map_ret_val.skel.h"
29
29
#include "verifier_masking.skel.h"
30
30
#include "verifier_meta_access.skel.h"
31
+
#include "verifier_raw_stack.skel.h"
31
32
32
33
__maybe_unused
33
34
static void run_tests_aux(const char *skel_name, skel_elf_bytes_fn elf_bytes_factory)
···
79
78
void test_verifier_map_ret_val(void) { RUN(verifier_map_ret_val); }
80
79
void test_verifier_masking(void) { RUN(verifier_masking); }
81
80
void test_verifier_meta_access(void) { RUN(verifier_meta_access); }
81
+
void test_verifier_raw_stack(void) { RUN(verifier_raw_stack); }
+371
tools/testing/selftests/bpf/progs/verifier_raw_stack.c
+371
tools/testing/selftests/bpf/progs/verifier_raw_stack.c
···
1
+
// SPDX-License-Identifier: GPL-2.0
2
+
/* Converted from tools/testing/selftests/bpf/verifier/raw_stack.c */
3
+
4
+
#include <linux/bpf.h>
5
+
#include <bpf/bpf_helpers.h>
6
+
#include "bpf_misc.h"
7
+
8
+
SEC("tc")
9
+
__description("raw_stack: no skb_load_bytes")
10
+
__failure __msg("invalid read from stack R6 off=-8 size=8")
11
+
__naked void stack_no_skb_load_bytes(void)
12
+
{
13
+
asm volatile (" \
14
+
r2 = 4; \
15
+
r6 = r10; \
16
+
r6 += -8; \
17
+
r3 = r6; \
18
+
r4 = 8; \
19
+
/* Call to skb_load_bytes() omitted. */ \
20
+
r0 = *(u64*)(r6 + 0); \
21
+
exit; \
22
+
" ::: __clobber_all);
23
+
}
24
+
25
+
SEC("tc")
26
+
__description("raw_stack: skb_load_bytes, negative len")
27
+
__failure __msg("R4 min value is negative")
28
+
__naked void skb_load_bytes_negative_len(void)
29
+
{
30
+
asm volatile (" \
31
+
r2 = 4; \
32
+
r6 = r10; \
33
+
r6 += -8; \
34
+
r3 = r6; \
35
+
r4 = -8; \
36
+
call %[bpf_skb_load_bytes]; \
37
+
r0 = *(u64*)(r6 + 0); \
38
+
exit; \
39
+
" :
40
+
: __imm(bpf_skb_load_bytes)
41
+
: __clobber_all);
42
+
}
43
+
44
+
SEC("tc")
45
+
__description("raw_stack: skb_load_bytes, negative len 2")
46
+
__failure __msg("R4 min value is negative")
47
+
__naked void load_bytes_negative_len_2(void)
48
+
{
49
+
asm volatile (" \
50
+
r2 = 4; \
51
+
r6 = r10; \
52
+
r6 += -8; \
53
+
r3 = r6; \
54
+
r4 = %[__imm_0]; \
55
+
call %[bpf_skb_load_bytes]; \
56
+
r0 = *(u64*)(r6 + 0); \
57
+
exit; \
58
+
" :
59
+
: __imm(bpf_skb_load_bytes),
60
+
__imm_const(__imm_0, ~0)
61
+
: __clobber_all);
62
+
}
63
+
64
+
SEC("tc")
65
+
__description("raw_stack: skb_load_bytes, zero len")
66
+
__failure __msg("invalid zero-sized read")
67
+
__naked void skb_load_bytes_zero_len(void)
68
+
{
69
+
asm volatile (" \
70
+
r2 = 4; \
71
+
r6 = r10; \
72
+
r6 += -8; \
73
+
r3 = r6; \
74
+
r4 = 0; \
75
+
call %[bpf_skb_load_bytes]; \
76
+
r0 = *(u64*)(r6 + 0); \
77
+
exit; \
78
+
" :
79
+
: __imm(bpf_skb_load_bytes)
80
+
: __clobber_all);
81
+
}
82
+
83
+
SEC("tc")
84
+
__description("raw_stack: skb_load_bytes, no init")
85
+
__success __retval(0)
86
+
__naked void skb_load_bytes_no_init(void)
87
+
{
88
+
asm volatile (" \
89
+
r2 = 4; \
90
+
r6 = r10; \
91
+
r6 += -8; \
92
+
r3 = r6; \
93
+
r4 = 8; \
94
+
call %[bpf_skb_load_bytes]; \
95
+
r0 = *(u64*)(r6 + 0); \
96
+
exit; \
97
+
" :
98
+
: __imm(bpf_skb_load_bytes)
99
+
: __clobber_all);
100
+
}
101
+
102
+
SEC("tc")
103
+
__description("raw_stack: skb_load_bytes, init")
104
+
__success __retval(0)
105
+
__naked void stack_skb_load_bytes_init(void)
106
+
{
107
+
asm volatile (" \
108
+
r2 = 4; \
109
+
r6 = r10; \
110
+
r6 += -8; \
111
+
r3 = 0xcafe; \
112
+
*(u64*)(r6 + 0) = r3; \
113
+
r3 = r6; \
114
+
r4 = 8; \
115
+
call %[bpf_skb_load_bytes]; \
116
+
r0 = *(u64*)(r6 + 0); \
117
+
exit; \
118
+
" :
119
+
: __imm(bpf_skb_load_bytes)
120
+
: __clobber_all);
121
+
}
122
+
123
+
SEC("tc")
124
+
__description("raw_stack: skb_load_bytes, spilled regs around bounds")
125
+
__success __retval(0)
126
+
__naked void bytes_spilled_regs_around_bounds(void)
127
+
{
128
+
asm volatile (" \
129
+
r2 = 4; \
130
+
r6 = r10; \
131
+
r6 += -16; \
132
+
*(u64*)(r6 - 8) = r1; \
133
+
*(u64*)(r6 + 8) = r1; \
134
+
r3 = r6; \
135
+
r4 = 8; \
136
+
call %[bpf_skb_load_bytes]; \
137
+
r0 = *(u64*)(r6 - 8); \
138
+
r2 = *(u64*)(r6 + 8); \
139
+
r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
140
+
r2 = *(u32*)(r2 + %[__sk_buff_priority]); \
141
+
r0 += r2; \
142
+
exit; \
143
+
" :
144
+
: __imm(bpf_skb_load_bytes),
145
+
__imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
146
+
__imm_const(__sk_buff_priority, offsetof(struct __sk_buff, priority))
147
+
: __clobber_all);
148
+
}
149
+
150
+
SEC("tc")
151
+
__description("raw_stack: skb_load_bytes, spilled regs corruption")
152
+
__failure __msg("R0 invalid mem access 'scalar'")
153
+
__flag(BPF_F_ANY_ALIGNMENT)
154
+
__naked void load_bytes_spilled_regs_corruption(void)
155
+
{
156
+
asm volatile (" \
157
+
r2 = 4; \
158
+
r6 = r10; \
159
+
r6 += -8; \
160
+
*(u64*)(r6 + 0) = r1; \
161
+
r3 = r6; \
162
+
r4 = 8; \
163
+
call %[bpf_skb_load_bytes]; \
164
+
r0 = *(u64*)(r6 + 0); \
165
+
r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
166
+
exit; \
167
+
" :
168
+
: __imm(bpf_skb_load_bytes),
169
+
__imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark))
170
+
: __clobber_all);
171
+
}
172
+
173
+
SEC("tc")
174
+
__description("raw_stack: skb_load_bytes, spilled regs corruption 2")
175
+
__failure __msg("R3 invalid mem access 'scalar'")
176
+
__flag(BPF_F_ANY_ALIGNMENT)
177
+
__naked void bytes_spilled_regs_corruption_2(void)
178
+
{
179
+
asm volatile (" \
180
+
r2 = 4; \
181
+
r6 = r10; \
182
+
r6 += -16; \
183
+
*(u64*)(r6 - 8) = r1; \
184
+
*(u64*)(r6 + 0) = r1; \
185
+
*(u64*)(r6 + 8) = r1; \
186
+
r3 = r6; \
187
+
r4 = 8; \
188
+
call %[bpf_skb_load_bytes]; \
189
+
r0 = *(u64*)(r6 - 8); \
190
+
r2 = *(u64*)(r6 + 8); \
191
+
r3 = *(u64*)(r6 + 0); \
192
+
r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
193
+
r2 = *(u32*)(r2 + %[__sk_buff_priority]); \
194
+
r0 += r2; \
195
+
r3 = *(u32*)(r3 + %[__sk_buff_pkt_type]); \
196
+
r0 += r3; \
197
+
exit; \
198
+
" :
199
+
: __imm(bpf_skb_load_bytes),
200
+
__imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
201
+
__imm_const(__sk_buff_pkt_type, offsetof(struct __sk_buff, pkt_type)),
202
+
__imm_const(__sk_buff_priority, offsetof(struct __sk_buff, priority))
203
+
: __clobber_all);
204
+
}
205
+
206
+
SEC("tc")
207
+
__description("raw_stack: skb_load_bytes, spilled regs + data")
208
+
__success __retval(0)
209
+
__naked void load_bytes_spilled_regs_data(void)
210
+
{
211
+
asm volatile (" \
212
+
r2 = 4; \
213
+
r6 = r10; \
214
+
r6 += -16; \
215
+
*(u64*)(r6 - 8) = r1; \
216
+
*(u64*)(r6 + 0) = r1; \
217
+
*(u64*)(r6 + 8) = r1; \
218
+
r3 = r6; \
219
+
r4 = 8; \
220
+
call %[bpf_skb_load_bytes]; \
221
+
r0 = *(u64*)(r6 - 8); \
222
+
r2 = *(u64*)(r6 + 8); \
223
+
r3 = *(u64*)(r6 + 0); \
224
+
r0 = *(u32*)(r0 + %[__sk_buff_mark]); \
225
+
r2 = *(u32*)(r2 + %[__sk_buff_priority]); \
226
+
r0 += r2; \
227
+
r0 += r3; \
228
+
exit; \
229
+
" :
230
+
: __imm(bpf_skb_load_bytes),
231
+
__imm_const(__sk_buff_mark, offsetof(struct __sk_buff, mark)),
232
+
__imm_const(__sk_buff_priority, offsetof(struct __sk_buff, priority))
233
+
: __clobber_all);
234
+
}
235
+
236
+
SEC("tc")
237
+
__description("raw_stack: skb_load_bytes, invalid access 1")
238
+
__failure __msg("invalid indirect access to stack R3 off=-513 size=8")
239
+
__naked void load_bytes_invalid_access_1(void)
240
+
{
241
+
asm volatile (" \
242
+
r2 = 4; \
243
+
r6 = r10; \
244
+
r6 += -513; \
245
+
r3 = r6; \
246
+
r4 = 8; \
247
+
call %[bpf_skb_load_bytes]; \
248
+
r0 = *(u64*)(r6 + 0); \
249
+
exit; \
250
+
" :
251
+
: __imm(bpf_skb_load_bytes)
252
+
: __clobber_all);
253
+
}
254
+
255
+
SEC("tc")
256
+
__description("raw_stack: skb_load_bytes, invalid access 2")
257
+
__failure __msg("invalid indirect access to stack R3 off=-1 size=8")
258
+
__naked void load_bytes_invalid_access_2(void)
259
+
{
260
+
asm volatile (" \
261
+
r2 = 4; \
262
+
r6 = r10; \
263
+
r6 += -1; \
264
+
r3 = r6; \
265
+
r4 = 8; \
266
+
call %[bpf_skb_load_bytes]; \
267
+
r0 = *(u64*)(r6 + 0); \
268
+
exit; \
269
+
" :
270
+
: __imm(bpf_skb_load_bytes)
271
+
: __clobber_all);
272
+
}
273
+
274
+
SEC("tc")
275
+
__description("raw_stack: skb_load_bytes, invalid access 3")
276
+
__failure __msg("R4 min value is negative")
277
+
__naked void load_bytes_invalid_access_3(void)
278
+
{
279
+
asm volatile (" \
280
+
r2 = 4; \
281
+
r6 = r10; \
282
+
r6 += 0xffffffff; \
283
+
r3 = r6; \
284
+
r4 = 0xffffffff; \
285
+
call %[bpf_skb_load_bytes]; \
286
+
r0 = *(u64*)(r6 + 0); \
287
+
exit; \
288
+
" :
289
+
: __imm(bpf_skb_load_bytes)
290
+
: __clobber_all);
291
+
}
292
+
293
+
SEC("tc")
294
+
__description("raw_stack: skb_load_bytes, invalid access 4")
295
+
__failure
296
+
__msg("R4 unbounded memory access, use 'var &= const' or 'if (var < const)'")
297
+
__naked void load_bytes_invalid_access_4(void)
298
+
{
299
+
asm volatile (" \
300
+
r2 = 4; \
301
+
r6 = r10; \
302
+
r6 += -1; \
303
+
r3 = r6; \
304
+
r4 = 0x7fffffff; \
305
+
call %[bpf_skb_load_bytes]; \
306
+
r0 = *(u64*)(r6 + 0); \
307
+
exit; \
308
+
" :
309
+
: __imm(bpf_skb_load_bytes)
310
+
: __clobber_all);
311
+
}
312
+
313
+
SEC("tc")
314
+
__description("raw_stack: skb_load_bytes, invalid access 5")
315
+
__failure
316
+
__msg("R4 unbounded memory access, use 'var &= const' or 'if (var < const)'")
317
+
__naked void load_bytes_invalid_access_5(void)
318
+
{
319
+
asm volatile (" \
320
+
r2 = 4; \
321
+
r6 = r10; \
322
+
r6 += -512; \
323
+
r3 = r6; \
324
+
r4 = 0x7fffffff; \
325
+
call %[bpf_skb_load_bytes]; \
326
+
r0 = *(u64*)(r6 + 0); \
327
+
exit; \
328
+
" :
329
+
: __imm(bpf_skb_load_bytes)
330
+
: __clobber_all);
331
+
}
332
+
333
+
SEC("tc")
334
+
__description("raw_stack: skb_load_bytes, invalid access 6")
335
+
__failure __msg("invalid zero-sized read")
336
+
__naked void load_bytes_invalid_access_6(void)
337
+
{
338
+
asm volatile (" \
339
+
r2 = 4; \
340
+
r6 = r10; \
341
+
r6 += -512; \
342
+
r3 = r6; \
343
+
r4 = 0; \
344
+
call %[bpf_skb_load_bytes]; \
345
+
r0 = *(u64*)(r6 + 0); \
346
+
exit; \
347
+
" :
348
+
: __imm(bpf_skb_load_bytes)
349
+
: __clobber_all);
350
+
}
351
+
352
+
SEC("tc")
353
+
__description("raw_stack: skb_load_bytes, large access")
354
+
__success __retval(0)
355
+
__naked void skb_load_bytes_large_access(void)
356
+
{
357
+
asm volatile (" \
358
+
r2 = 4; \
359
+
r6 = r10; \
360
+
r6 += -512; \
361
+
r3 = r6; \
362
+
r4 = 512; \
363
+
call %[bpf_skb_load_bytes]; \
364
+
r0 = *(u64*)(r6 + 0); \
365
+
exit; \
366
+
" :
367
+
: __imm(bpf_skb_load_bytes)
368
+
: __clobber_all);
369
+
}
370
+
371
+
char _license[] SEC("license") = "GPL";
-305
tools/testing/selftests/bpf/verifier/raw_stack.c
-305
tools/testing/selftests/bpf/verifier/raw_stack.c
···
1
-
{
2
-
"raw_stack: no skb_load_bytes",
3
-
.insns = {
4
-
BPF_MOV64_IMM(BPF_REG_2, 4),
5
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
6
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
7
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
8
-
BPF_MOV64_IMM(BPF_REG_4, 8),
9
-
/* Call to skb_load_bytes() omitted. */
10
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11
-
BPF_EXIT_INSN(),
12
-
},
13
-
.result = REJECT,
14
-
.errstr = "invalid read from stack R6 off=-8 size=8",
15
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
16
-
},
17
-
{
18
-
"raw_stack: skb_load_bytes, negative len",
19
-
.insns = {
20
-
BPF_MOV64_IMM(BPF_REG_2, 4),
21
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
22
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
23
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
24
-
BPF_MOV64_IMM(BPF_REG_4, -8),
25
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
26
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
27
-
BPF_EXIT_INSN(),
28
-
},
29
-
.result = REJECT,
30
-
.errstr = "R4 min value is negative",
31
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
32
-
},
33
-
{
34
-
"raw_stack: skb_load_bytes, negative len 2",
35
-
.insns = {
36
-
BPF_MOV64_IMM(BPF_REG_2, 4),
37
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
38
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
39
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
40
-
BPF_MOV64_IMM(BPF_REG_4, ~0),
41
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
42
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
43
-
BPF_EXIT_INSN(),
44
-
},
45
-
.result = REJECT,
46
-
.errstr = "R4 min value is negative",
47
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
48
-
},
49
-
{
50
-
"raw_stack: skb_load_bytes, zero len",
51
-
.insns = {
52
-
BPF_MOV64_IMM(BPF_REG_2, 4),
53
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
54
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
55
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
56
-
BPF_MOV64_IMM(BPF_REG_4, 0),
57
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
58
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
59
-
BPF_EXIT_INSN(),
60
-
},
61
-
.result = REJECT,
62
-
.errstr = "invalid zero-sized read",
63
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
64
-
},
65
-
{
66
-
"raw_stack: skb_load_bytes, no init",
67
-
.insns = {
68
-
BPF_MOV64_IMM(BPF_REG_2, 4),
69
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
70
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
71
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
72
-
BPF_MOV64_IMM(BPF_REG_4, 8),
73
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
74
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
75
-
BPF_EXIT_INSN(),
76
-
},
77
-
.result = ACCEPT,
78
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
79
-
},
80
-
{
81
-
"raw_stack: skb_load_bytes, init",
82
-
.insns = {
83
-
BPF_MOV64_IMM(BPF_REG_2, 4),
84
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
85
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
86
-
BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
87
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
88
-
BPF_MOV64_IMM(BPF_REG_4, 8),
89
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
90
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
91
-
BPF_EXIT_INSN(),
92
-
},
93
-
.result = ACCEPT,
94
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
95
-
},
96
-
{
97
-
"raw_stack: skb_load_bytes, spilled regs around bounds",
98
-
.insns = {
99
-
BPF_MOV64_IMM(BPF_REG_2, 4),
100
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
101
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
102
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
103
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
104
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
105
-
BPF_MOV64_IMM(BPF_REG_4, 8),
106
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
107
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
108
-
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
109
-
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
110
-
offsetof(struct __sk_buff, mark)),
111
-
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
112
-
offsetof(struct __sk_buff, priority)),
113
-
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
114
-
BPF_EXIT_INSN(),
115
-
},
116
-
.result = ACCEPT,
117
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
118
-
},
119
-
{
120
-
"raw_stack: skb_load_bytes, spilled regs corruption",
121
-
.insns = {
122
-
BPF_MOV64_IMM(BPF_REG_2, 4),
123
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
124
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
125
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
126
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
127
-
BPF_MOV64_IMM(BPF_REG_4, 8),
128
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
129
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
130
-
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
131
-
offsetof(struct __sk_buff, mark)),
132
-
BPF_EXIT_INSN(),
133
-
},
134
-
.result = REJECT,
135
-
.errstr = "R0 invalid mem access 'scalar'",
136
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
137
-
.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
138
-
},
139
-
{
140
-
"raw_stack: skb_load_bytes, spilled regs corruption 2",
141
-
.insns = {
142
-
BPF_MOV64_IMM(BPF_REG_2, 4),
143
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
144
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
145
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
146
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
147
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
148
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
149
-
BPF_MOV64_IMM(BPF_REG_4, 8),
150
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
151
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
152
-
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
153
-
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
154
-
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
155
-
offsetof(struct __sk_buff, mark)),
156
-
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
157
-
offsetof(struct __sk_buff, priority)),
158
-
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
159
-
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
160
-
offsetof(struct __sk_buff, pkt_type)),
161
-
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
162
-
BPF_EXIT_INSN(),
163
-
},
164
-
.result = REJECT,
165
-
.errstr = "R3 invalid mem access 'scalar'",
166
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
167
-
.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
168
-
},
169
-
{
170
-
"raw_stack: skb_load_bytes, spilled regs + data",
171
-
.insns = {
172
-
BPF_MOV64_IMM(BPF_REG_2, 4),
173
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
174
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
175
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
176
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
177
-
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
178
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
179
-
BPF_MOV64_IMM(BPF_REG_4, 8),
180
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
181
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
182
-
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
183
-
BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
184
-
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
185
-
offsetof(struct __sk_buff, mark)),
186
-
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
187
-
offsetof(struct __sk_buff, priority)),
188
-
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
189
-
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
190
-
BPF_EXIT_INSN(),
191
-
},
192
-
.result = ACCEPT,
193
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
194
-
},
195
-
{
196
-
"raw_stack: skb_load_bytes, invalid access 1",
197
-
.insns = {
198
-
BPF_MOV64_IMM(BPF_REG_2, 4),
199
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
200
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
201
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
202
-
BPF_MOV64_IMM(BPF_REG_4, 8),
203
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
204
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
205
-
BPF_EXIT_INSN(),
206
-
},
207
-
.result = REJECT,
208
-
.errstr = "invalid indirect access to stack R3 off=-513 size=8",
209
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
210
-
},
211
-
{
212
-
"raw_stack: skb_load_bytes, invalid access 2",
213
-
.insns = {
214
-
BPF_MOV64_IMM(BPF_REG_2, 4),
215
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
216
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
217
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
218
-
BPF_MOV64_IMM(BPF_REG_4, 8),
219
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
220
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
221
-
BPF_EXIT_INSN(),
222
-
},
223
-
.result = REJECT,
224
-
.errstr = "invalid indirect access to stack R3 off=-1 size=8",
225
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
226
-
},
227
-
{
228
-
"raw_stack: skb_load_bytes, invalid access 3",
229
-
.insns = {
230
-
BPF_MOV64_IMM(BPF_REG_2, 4),
231
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
232
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
233
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
234
-
BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
235
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
236
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
237
-
BPF_EXIT_INSN(),
238
-
},
239
-
.result = REJECT,
240
-
.errstr = "R4 min value is negative",
241
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
242
-
},
243
-
{
244
-
"raw_stack: skb_load_bytes, invalid access 4",
245
-
.insns = {
246
-
BPF_MOV64_IMM(BPF_REG_2, 4),
247
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
248
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
249
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
250
-
BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
251
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
252
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
253
-
BPF_EXIT_INSN(),
254
-
},
255
-
.result = REJECT,
256
-
.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
257
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
258
-
},
259
-
{
260
-
"raw_stack: skb_load_bytes, invalid access 5",
261
-
.insns = {
262
-
BPF_MOV64_IMM(BPF_REG_2, 4),
263
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
264
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
265
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
266
-
BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
267
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
268
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
269
-
BPF_EXIT_INSN(),
270
-
},
271
-
.result = REJECT,
272
-
.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
273
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
274
-
},
275
-
{
276
-
"raw_stack: skb_load_bytes, invalid access 6",
277
-
.insns = {
278
-
BPF_MOV64_IMM(BPF_REG_2, 4),
279
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
280
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
281
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
282
-
BPF_MOV64_IMM(BPF_REG_4, 0),
283
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
284
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
285
-
BPF_EXIT_INSN(),
286
-
},
287
-
.result = REJECT,
288
-
.errstr = "invalid zero-sized read",
289
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
290
-
},
291
-
{
292
-
"raw_stack: skb_load_bytes, large access",
293
-
.insns = {
294
-
BPF_MOV64_IMM(BPF_REG_2, 4),
295
-
BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
296
-
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
297
-
BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
298
-
BPF_MOV64_IMM(BPF_REG_4, 512),
299
-
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
300
-
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
301
-
BPF_EXIT_INSN(),
302
-
},
303
-
.result = ACCEPT,
304
-
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
305
-
},