helper_access_var_len.c (21053B)
1{ 2 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 3 .insns = { 4 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6 BPF_MOV64_IMM(BPF_REG_0, 0), 7 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 8 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 9 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 10 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 11 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 12 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 13 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 14 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 15 BPF_MOV64_IMM(BPF_REG_2, 16), 16 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 17 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 18 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 19 BPF_MOV64_IMM(BPF_REG_4, 0), 20 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 21 BPF_MOV64_IMM(BPF_REG_3, 0), 22 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 23 BPF_MOV64_IMM(BPF_REG_0, 0), 24 BPF_EXIT_INSN(), 25 }, 26 .result = ACCEPT, 27 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 28}, 29{ 30 "helper access to variable memory: stack, bitwise AND, zero included", 31 .insns = { 32 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 33 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 34 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 35 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 36 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 37 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 38 BPF_MOV64_IMM(BPF_REG_3, 0), 39 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 40 BPF_EXIT_INSN(), 41 }, 42 .errstr = "invalid indirect read from stack R1 off -64+0 size 64", 43 .result = REJECT, 44 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 45}, 46{ 47 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 48 .insns = { 49 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 50 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 52 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 53 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 54 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 55 BPF_MOV64_IMM(BPF_REG_4, 0), 56 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 57 BPF_MOV64_IMM(BPF_REG_3, 0), 58 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 59 BPF_MOV64_IMM(BPF_REG_0, 0), 60 BPF_EXIT_INSN(), 61 }, 62 .errstr = "invalid indirect access to stack R1 off=-64 size=65", 63 .result = REJECT, 64 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 65}, 66{ 67 "helper access to variable memory: stack, JMP, correct bounds", 68 .insns = { 69 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 70 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 71 BPF_MOV64_IMM(BPF_REG_0, 0), 72 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 73 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 74 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 75 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 76 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 77 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 78 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 79 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 80 BPF_MOV64_IMM(BPF_REG_2, 16), 81 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 82 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 83 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 84 BPF_MOV64_IMM(BPF_REG_4, 0), 85 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 86 BPF_MOV64_IMM(BPF_REG_3, 0), 87 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 88 BPF_MOV64_IMM(BPF_REG_0, 0), 89 BPF_EXIT_INSN(), 90 }, 91 .result = ACCEPT, 92 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 93}, 94{ 95 "helper access to variable memory: stack, JMP (signed), correct bounds", 96 .insns = { 97 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 98 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 99 BPF_MOV64_IMM(BPF_REG_0, 0), 100 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 101 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 103 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 104 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 105 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 106 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 107 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 108 BPF_MOV64_IMM(BPF_REG_2, 16), 109 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 110 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 111 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 112 BPF_MOV64_IMM(BPF_REG_4, 0), 113 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 114 BPF_MOV64_IMM(BPF_REG_3, 0), 115 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 116 BPF_MOV64_IMM(BPF_REG_0, 0), 117 BPF_EXIT_INSN(), 118 }, 119 .result = ACCEPT, 120 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 121}, 122{ 123 "helper access to variable memory: stack, JMP, bounds + offset", 124 .insns = { 125 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 128 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 129 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 130 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 131 BPF_MOV64_IMM(BPF_REG_4, 0), 132 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 134 BPF_MOV64_IMM(BPF_REG_3, 0), 135 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 136 BPF_MOV64_IMM(BPF_REG_0, 0), 137 BPF_EXIT_INSN(), 138 }, 139 .errstr = "invalid indirect access to stack R1 off=-64 size=65", 140 .result = REJECT, 141 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 142}, 143{ 144 "helper access to variable memory: stack, JMP, wrong max", 145 .insns = { 146 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 149 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 150 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 151 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 152 BPF_MOV64_IMM(BPF_REG_4, 0), 153 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 154 BPF_MOV64_IMM(BPF_REG_3, 0), 155 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 156 BPF_MOV64_IMM(BPF_REG_0, 0), 157 BPF_EXIT_INSN(), 158 }, 159 .errstr = "invalid indirect access to stack R1 off=-64 size=65", 160 .result = REJECT, 161 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 162}, 163{ 164 "helper access to variable memory: stack, JMP, no max check", 165 .insns = { 166 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 169 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 170 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 171 BPF_MOV64_IMM(BPF_REG_4, 0), 172 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 173 BPF_MOV64_IMM(BPF_REG_3, 0), 174 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 175 BPF_MOV64_IMM(BPF_REG_0, 0), 176 BPF_EXIT_INSN(), 177 }, 178 /* because max wasn't checked, signed min is negative */ 179 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'", 180 .result = REJECT, 181 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 182}, 183{ 184 "helper access to variable memory: stack, JMP, no min check", 185 .insns = { 186 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 189 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 190 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 191 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 192 BPF_MOV64_IMM(BPF_REG_3, 0), 193 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 194 BPF_MOV64_IMM(BPF_REG_0, 0), 195 BPF_EXIT_INSN(), 196 }, 197 .errstr = "invalid indirect read from stack R1 off -64+0 size 64", 198 .result = REJECT, 199 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 200}, 201{ 202 "helper access to variable memory: stack, JMP (signed), no min check", 203 .insns = { 204 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 207 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 208 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 209 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 210 BPF_MOV64_IMM(BPF_REG_3, 0), 211 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 212 BPF_MOV64_IMM(BPF_REG_0, 0), 213 BPF_EXIT_INSN(), 214 }, 215 .errstr = "R2 min value is negative", 216 .result = REJECT, 217 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 218}, 219{ 220 "helper access to variable memory: map, JMP, correct bounds", 221 .insns = { 222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 225 BPF_LD_MAP_FD(BPF_REG_1, 0), 226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 229 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 230 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 231 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 232 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val), 4), 233 BPF_MOV64_IMM(BPF_REG_4, 0), 234 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 235 BPF_MOV64_IMM(BPF_REG_3, 0), 236 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 237 BPF_MOV64_IMM(BPF_REG_0, 0), 238 BPF_EXIT_INSN(), 239 }, 240 .fixup_map_hash_48b = { 3 }, 241 .result = ACCEPT, 242 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 243}, 244{ 245 "helper access to variable memory: map, JMP, wrong max", 246 .insns = { 247 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 251 BPF_LD_MAP_FD(BPF_REG_1, 0), 252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6), 256 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 257 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 258 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) + 1, 4), 259 BPF_MOV64_IMM(BPF_REG_4, 0), 260 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 261 BPF_MOV64_IMM(BPF_REG_3, 0), 262 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 263 BPF_MOV64_IMM(BPF_REG_0, 0), 264 BPF_EXIT_INSN(), 265 }, 266 .fixup_map_hash_48b = { 4 }, 267 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 268 .result = REJECT, 269 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 270}, 271{ 272 "helper access to variable memory: map adjusted, JMP, correct bounds", 273 .insns = { 274 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 275 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 276 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 277 BPF_LD_MAP_FD(BPF_REG_1, 0), 278 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 282 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 284 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 285 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 20, 4), 286 BPF_MOV64_IMM(BPF_REG_4, 0), 287 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 288 BPF_MOV64_IMM(BPF_REG_3, 0), 289 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 290 BPF_MOV64_IMM(BPF_REG_0, 0), 291 BPF_EXIT_INSN(), 292 }, 293 .fixup_map_hash_48b = { 3 }, 294 .result = ACCEPT, 295 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 296}, 297{ 298 "helper access to variable memory: map adjusted, JMP, wrong max", 299 .insns = { 300 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 301 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 303 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 304 BPF_LD_MAP_FD(BPF_REG_1, 0), 305 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 306 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6), 310 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 311 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 312 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 19, 4), 313 BPF_MOV64_IMM(BPF_REG_4, 0), 314 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 315 BPF_MOV64_IMM(BPF_REG_3, 0), 316 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 317 BPF_MOV64_IMM(BPF_REG_0, 0), 318 BPF_EXIT_INSN(), 319 }, 320 .fixup_map_hash_48b = { 4 }, 321 .errstr = "R1 min value is outside of the allowed memory range", 322 .result = REJECT, 323 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 324}, 325{ 326 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 327 .insns = { 328 BPF_MOV64_IMM(BPF_REG_1, 0), 329 BPF_MOV64_IMM(BPF_REG_2, 0), 330 BPF_MOV64_IMM(BPF_REG_3, 0), 331 BPF_MOV64_IMM(BPF_REG_4, 0), 332 BPF_MOV64_IMM(BPF_REG_5, 0), 333 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 334 BPF_EXIT_INSN(), 335 }, 336 .result = ACCEPT, 337 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 338}, 339{ 340 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 341 .insns = { 342 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 343 BPF_MOV64_IMM(BPF_REG_1, 0), 344 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 346 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 347 BPF_MOV64_IMM(BPF_REG_3, 0), 348 BPF_MOV64_IMM(BPF_REG_4, 0), 349 BPF_MOV64_IMM(BPF_REG_5, 0), 350 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 351 BPF_EXIT_INSN(), 352 }, 353 .errstr = "R1 type=scalar expected=fp", 354 .result = REJECT, 355 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 356}, 357{ 358 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 359 .insns = { 360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 362 BPF_MOV64_IMM(BPF_REG_2, 0), 363 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 364 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 365 BPF_MOV64_IMM(BPF_REG_3, 0), 366 BPF_MOV64_IMM(BPF_REG_4, 0), 367 BPF_MOV64_IMM(BPF_REG_5, 0), 368 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 369 BPF_EXIT_INSN(), 370 }, 371 .result = ACCEPT, 372 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 373}, 374{ 375 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 376 .insns = { 377 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 378 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 380 BPF_LD_MAP_FD(BPF_REG_1, 0), 381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 382 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 384 BPF_MOV64_IMM(BPF_REG_2, 0), 385 BPF_MOV64_IMM(BPF_REG_3, 0), 386 BPF_MOV64_IMM(BPF_REG_4, 0), 387 BPF_MOV64_IMM(BPF_REG_5, 0), 388 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 389 BPF_EXIT_INSN(), 390 }, 391 .fixup_map_hash_8b = { 3 }, 392 .result = ACCEPT, 393 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 394}, 395{ 396 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 397 .insns = { 398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 401 BPF_LD_MAP_FD(BPF_REG_1, 0), 402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 404 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 405 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7), 406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 408 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 409 BPF_MOV64_IMM(BPF_REG_3, 0), 410 BPF_MOV64_IMM(BPF_REG_4, 0), 411 BPF_MOV64_IMM(BPF_REG_5, 0), 412 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 413 BPF_EXIT_INSN(), 414 }, 415 .fixup_map_hash_8b = { 3 }, 416 .result = ACCEPT, 417 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 418}, 419{ 420 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 421 .insns = { 422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 425 BPF_LD_MAP_FD(BPF_REG_1, 0), 426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 429 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 430 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 431 BPF_MOV64_IMM(BPF_REG_3, 0), 432 BPF_MOV64_IMM(BPF_REG_4, 0), 433 BPF_MOV64_IMM(BPF_REG_5, 0), 434 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 435 BPF_EXIT_INSN(), 436 }, 437 .fixup_map_hash_8b = { 3 }, 438 .result = ACCEPT, 439 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 440}, 441{ 442 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)", 443 .insns = { 444 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 445 offsetof(struct __sk_buff, data)), 446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 447 offsetof(struct __sk_buff, data_end)), 448 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), 449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 450 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 452 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0), 453 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 454 BPF_MOV64_IMM(BPF_REG_3, 0), 455 BPF_MOV64_IMM(BPF_REG_4, 0), 456 BPF_MOV64_IMM(BPF_REG_5, 0), 457 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 458 BPF_EXIT_INSN(), 459 }, 460 .result = ACCEPT, 461 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 462 .retval = 0 /* csum_diff of 64-byte packet */, 463 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 464}, 465{ 466 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 467 .insns = { 468 BPF_MOV64_IMM(BPF_REG_1, 0), 469 BPF_MOV64_IMM(BPF_REG_2, 0), 470 BPF_MOV64_IMM(BPF_REG_3, 0), 471 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 472 BPF_EXIT_INSN(), 473 }, 474 .errstr = "R1 type=scalar expected=fp", 475 .result = REJECT, 476 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 477}, 478{ 479 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 480 .insns = { 481 BPF_MOV64_IMM(BPF_REG_1, 0), 482 BPF_MOV64_IMM(BPF_REG_2, 1), 483 BPF_MOV64_IMM(BPF_REG_3, 0), 484 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 485 BPF_EXIT_INSN(), 486 }, 487 .errstr = "R1 type=scalar expected=fp", 488 .result = REJECT, 489 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 490}, 491{ 492 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 493 .insns = { 494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 496 BPF_MOV64_IMM(BPF_REG_2, 0), 497 BPF_MOV64_IMM(BPF_REG_3, 0), 498 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 499 BPF_EXIT_INSN(), 500 }, 501 .result = ACCEPT, 502 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 503}, 504{ 505 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 506 .insns = { 507 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 508 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 510 BPF_LD_MAP_FD(BPF_REG_1, 0), 511 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 514 BPF_MOV64_IMM(BPF_REG_2, 0), 515 BPF_MOV64_IMM(BPF_REG_3, 0), 516 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 517 BPF_EXIT_INSN(), 518 }, 519 .fixup_map_hash_8b = { 3 }, 520 .result = ACCEPT, 521 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 522}, 523{ 524 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 525 .insns = { 526 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 529 BPF_LD_MAP_FD(BPF_REG_1, 0), 530 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 531 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 532 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 533 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 536 BPF_MOV64_IMM(BPF_REG_3, 0), 537 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 538 BPF_EXIT_INSN(), 539 }, 540 .fixup_map_hash_8b = { 3 }, 541 .result = ACCEPT, 542 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 543}, 544{ 545 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 546 .insns = { 547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 550 BPF_LD_MAP_FD(BPF_REG_1, 0), 551 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 553 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 554 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 555 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2), 556 BPF_MOV64_IMM(BPF_REG_3, 0), 557 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 558 BPF_EXIT_INSN(), 559 }, 560 .fixup_map_hash_8b = { 3 }, 561 .result = ACCEPT, 562 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 563}, 564{ 565 "helper access to variable memory: 8 bytes leak", 566 .insns = { 567 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8), 568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 570 BPF_MOV64_IMM(BPF_REG_0, 0), 571 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 572 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 573 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 574 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 575 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 576 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 578 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 579 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 580 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 582 BPF_MOV64_IMM(BPF_REG_3, 0), 583 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 584 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 585 BPF_EXIT_INSN(), 586 }, 587 .errstr = "invalid indirect read from stack R1 off -64+32 size 64", 588 .result = REJECT, 589 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 590}, 591{ 592 "helper access to variable memory: 8 bytes no leak (init memory)", 593 .insns = { 594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 595 BPF_MOV64_IMM(BPF_REG_0, 0), 596 BPF_MOV64_IMM(BPF_REG_0, 0), 597 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 598 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 599 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 600 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 601 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 602 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 604 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 606 BPF_MOV64_IMM(BPF_REG_2, 0), 607 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 609 BPF_MOV64_IMM(BPF_REG_3, 0), 610 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 611 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 612 BPF_EXIT_INSN(), 613 }, 614 .result = ACCEPT, 615 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 616},