cgroup_storage.c (6730B)
1{ 2 "valid cgroup storage access", 3 .insns = { 4 BPF_MOV64_IMM(BPF_REG_2, 0), 5 BPF_LD_MAP_FD(BPF_REG_1, 0), 6 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 7 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 8 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 9 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 10 BPF_EXIT_INSN(), 11 }, 12 .fixup_cgroup_storage = { 1 }, 13 .result = ACCEPT, 14 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 15}, 16{ 17 "invalid cgroup storage access 1", 18 .insns = { 19 BPF_MOV64_IMM(BPF_REG_2, 0), 20 BPF_LD_MAP_FD(BPF_REG_1, 0), 21 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 22 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 23 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 24 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 25 BPF_EXIT_INSN(), 26 }, 27 .fixup_map_hash_8b = { 1 }, 28 .result = REJECT, 29 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage", 30 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 31}, 32{ 33 "invalid cgroup storage access 2", 34 .insns = { 35 BPF_MOV64_IMM(BPF_REG_2, 0), 36 BPF_LD_MAP_FD(BPF_REG_1, 1), 37 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 38 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 39 BPF_EXIT_INSN(), 40 }, 41 .result = REJECT, 42 .errstr = "fd 1 is not pointing to valid bpf_map", 43 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 44}, 45{ 46 "invalid cgroup storage access 3", 47 .insns = { 48 BPF_MOV64_IMM(BPF_REG_2, 0), 49 BPF_LD_MAP_FD(BPF_REG_1, 0), 50 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 51 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256), 52 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 53 BPF_MOV64_IMM(BPF_REG_0, 0), 54 BPF_EXIT_INSN(), 55 }, 56 .fixup_cgroup_storage = { 1 }, 57 .result = REJECT, 58 .errstr = "invalid access to map value, value_size=64 off=256 size=4", 59 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 60}, 61{ 62 "invalid cgroup storage access 4", 63 .insns = { 64 BPF_MOV64_IMM(BPF_REG_2, 0), 65 BPF_LD_MAP_FD(BPF_REG_1, 0), 66 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 67 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2), 68 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 69 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 70 BPF_EXIT_INSN(), 71 }, 72 .fixup_cgroup_storage = { 1 }, 73 .result = REJECT, 74 .errstr = "invalid access to map value, value_size=64 off=-2 size=4", 75 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 76 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 77}, 78{ 79 "invalid cgroup storage access 5", 80 .insns = { 81 BPF_MOV64_IMM(BPF_REG_2, 7), 82 BPF_LD_MAP_FD(BPF_REG_1, 0), 83 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 84 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 85 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 86 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 87 BPF_EXIT_INSN(), 88 }, 89 .fixup_cgroup_storage = { 1 }, 90 .result = REJECT, 91 .errstr = "get_local_storage() doesn't support non-zero flags", 92 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 93}, 94{ 95 "invalid cgroup storage access 6", 96 .insns = { 97 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 98 BPF_LD_MAP_FD(BPF_REG_1, 0), 99 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 100 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 101 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 102 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 103 BPF_EXIT_INSN(), 104 }, 105 .fixup_cgroup_storage = { 1 }, 106 .result = REJECT, 107 .errstr = "get_local_storage() doesn't support non-zero flags", 108 .errstr_unpriv = "R2 leaks addr into helper function", 109 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 110}, 111{ 112 "valid per-cpu cgroup storage access", 113 .insns = { 114 BPF_MOV64_IMM(BPF_REG_2, 0), 115 BPF_LD_MAP_FD(BPF_REG_1, 0), 116 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 117 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 118 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 119 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 120 BPF_EXIT_INSN(), 121 }, 122 .fixup_percpu_cgroup_storage = { 1 }, 123 .result = ACCEPT, 124 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 125}, 126{ 127 "invalid per-cpu cgroup storage access 1", 128 .insns = { 129 BPF_MOV64_IMM(BPF_REG_2, 0), 130 BPF_LD_MAP_FD(BPF_REG_1, 0), 131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 132 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 133 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 134 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 135 BPF_EXIT_INSN(), 136 }, 137 .fixup_map_hash_8b = { 1 }, 138 .result = REJECT, 139 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage", 140 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 141}, 142{ 143 "invalid per-cpu cgroup storage access 2", 144 .insns = { 145 BPF_MOV64_IMM(BPF_REG_2, 0), 146 BPF_LD_MAP_FD(BPF_REG_1, 1), 147 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 148 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 149 BPF_EXIT_INSN(), 150 }, 151 .result = REJECT, 152 .errstr = "fd 1 is not pointing to valid bpf_map", 153 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 154}, 155{ 156 "invalid per-cpu cgroup storage access 3", 157 .insns = { 158 BPF_MOV64_IMM(BPF_REG_2, 0), 159 BPF_LD_MAP_FD(BPF_REG_1, 0), 160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 161 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256), 162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 163 BPF_MOV64_IMM(BPF_REG_0, 0), 164 BPF_EXIT_INSN(), 165 }, 166 .fixup_percpu_cgroup_storage = { 1 }, 167 .result = REJECT, 168 .errstr = "invalid access to map value, value_size=64 off=256 size=4", 169 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 170}, 171{ 172 "invalid per-cpu cgroup storage access 4", 173 .insns = { 174 BPF_MOV64_IMM(BPF_REG_2, 0), 175 BPF_LD_MAP_FD(BPF_REG_1, 0), 176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 177 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2), 178 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 180 BPF_EXIT_INSN(), 181 }, 182 .fixup_cgroup_storage = { 1 }, 183 .result = REJECT, 184 .errstr = "invalid access to map value, value_size=64 off=-2 size=4", 185 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 186 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 187}, 188{ 189 "invalid per-cpu cgroup storage access 5", 190 .insns = { 191 BPF_MOV64_IMM(BPF_REG_2, 7), 192 BPF_LD_MAP_FD(BPF_REG_1, 0), 193 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 194 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 195 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 196 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 197 BPF_EXIT_INSN(), 198 }, 199 .fixup_percpu_cgroup_storage = { 1 }, 200 .result = REJECT, 201 .errstr = "get_local_storage() doesn't support non-zero flags", 202 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 203}, 204{ 205 "invalid per-cpu cgroup storage access 6", 206 .insns = { 207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 208 BPF_LD_MAP_FD(BPF_REG_1, 0), 209 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_local_storage), 210 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 211 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 212 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 213 BPF_EXIT_INSN(), 214 }, 215 .fixup_percpu_cgroup_storage = { 1 }, 216 .result = REJECT, 217 .errstr = "get_local_storage() doesn't support non-zero flags", 218 .errstr_unpriv = "R2 leaks addr into helper function", 219 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 220},