helper_value_access.c (30584B)
1{ 2 "helper access to map: full range", 3 .insns = { 4 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 7 BPF_LD_MAP_FD(BPF_REG_1, 0), 8 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 10 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 11 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 12 BPF_MOV64_IMM(BPF_REG_3, 0), 13 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 14 BPF_EXIT_INSN(), 15 }, 16 .fixup_map_hash_48b = { 3 }, 17 .result = ACCEPT, 18 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 19}, 20{ 21 "helper access to map: partial range", 22 .insns = { 23 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 24 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 25 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 26 BPF_LD_MAP_FD(BPF_REG_1, 0), 27 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 28 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 29 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 30 BPF_MOV64_IMM(BPF_REG_2, 8), 31 BPF_MOV64_IMM(BPF_REG_3, 0), 32 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 33 BPF_EXIT_INSN(), 34 }, 35 .fixup_map_hash_48b = { 3 }, 36 .result = ACCEPT, 37 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 38}, 39{ 40 "helper access to map: empty range", 41 .insns = { 42 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 43 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 44 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 45 BPF_LD_MAP_FD(BPF_REG_1, 0), 46 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 48 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 49 BPF_MOV64_IMM(BPF_REG_2, 0), 50 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 51 BPF_EXIT_INSN(), 52 }, 53 .fixup_map_hash_48b = { 3 }, 54 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 55 .result = REJECT, 56 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 57}, 58{ 59 "helper access to map: out-of-bound range", 60 .insns = { 61 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 62 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 63 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 64 BPF_LD_MAP_FD(BPF_REG_1, 0), 65 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 66 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 67 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 68 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 69 BPF_MOV64_IMM(BPF_REG_3, 0), 70 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 71 BPF_EXIT_INSN(), 72 }, 73 .fixup_map_hash_48b = { 3 }, 74 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 75 .result = REJECT, 76 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 77}, 78{ 79 "helper access to map: negative range", 80 .insns = { 81 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 82 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 83 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 84 BPF_LD_MAP_FD(BPF_REG_1, 0), 85 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 86 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 87 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 88 BPF_MOV64_IMM(BPF_REG_2, -8), 89 BPF_MOV64_IMM(BPF_REG_3, 0), 90 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 91 BPF_EXIT_INSN(), 92 }, 93 .fixup_map_hash_48b = { 3 }, 94 .errstr = "R2 min value is negative", 95 .result = REJECT, 96 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 97}, 98{ 99 "helper access to adjusted map (via const imm): full range", 100 .insns = { 101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 104 BPF_LD_MAP_FD(BPF_REG_1, 0), 105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)), 109 BPF_MOV64_IMM(BPF_REG_2, 110 sizeof(struct test_val) - offsetof(struct test_val, foo)), 111 BPF_MOV64_IMM(BPF_REG_3, 0), 112 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 113 BPF_EXIT_INSN(), 114 }, 115 .fixup_map_hash_48b = { 3 }, 116 .result = ACCEPT, 117 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 118}, 119{ 120 "helper access to adjusted map (via const imm): partial range", 121 .insns = { 122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 124 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 125 BPF_LD_MAP_FD(BPF_REG_1, 0), 126 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 127 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)), 130 BPF_MOV64_IMM(BPF_REG_2, 8), 131 BPF_MOV64_IMM(BPF_REG_3, 0), 132 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 133 BPF_EXIT_INSN(), 134 }, 135 .fixup_map_hash_48b = { 3 }, 136 .result = ACCEPT, 137 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 138}, 139{ 140 "helper access to adjusted map (via const imm): empty range", 141 .insns = { 142 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 144 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 145 BPF_LD_MAP_FD(BPF_REG_1, 0), 146 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)), 150 BPF_MOV64_IMM(BPF_REG_2, 0), 151 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 152 BPF_EXIT_INSN(), 153 }, 154 .fixup_map_hash_48b = { 3 }, 155 .errstr = "invalid access to map value, value_size=48 off=4 size=0", 156 .result = REJECT, 157 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 158}, 159{ 160 "helper access to adjusted map (via const imm): out-of-bound range", 161 .insns = { 162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 164 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 165 BPF_LD_MAP_FD(BPF_REG_1, 0), 166 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)), 170 BPF_MOV64_IMM(BPF_REG_2, 171 sizeof(struct test_val) - offsetof(struct test_val, foo) + 8), 172 BPF_MOV64_IMM(BPF_REG_3, 0), 173 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 174 BPF_EXIT_INSN(), 175 }, 176 .fixup_map_hash_48b = { 3 }, 177 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 178 .result = REJECT, 179 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 180}, 181{ 182 "helper access to adjusted map (via const imm): negative range (> adjustment)", 183 .insns = { 184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 186 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 187 BPF_LD_MAP_FD(BPF_REG_1, 0), 188 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 189 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)), 192 BPF_MOV64_IMM(BPF_REG_2, -8), 193 BPF_MOV64_IMM(BPF_REG_3, 0), 194 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 195 BPF_EXIT_INSN(), 196 }, 197 .fixup_map_hash_48b = { 3 }, 198 .errstr = "R2 min value is negative", 199 .result = REJECT, 200 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 201}, 202{ 203 "helper access to adjusted map (via const imm): negative range (< adjustment)", 204 .insns = { 205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 207 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 208 BPF_LD_MAP_FD(BPF_REG_1, 0), 209 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 211 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)), 213 BPF_MOV64_IMM(BPF_REG_2, -1), 214 BPF_MOV64_IMM(BPF_REG_3, 0), 215 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 216 BPF_EXIT_INSN(), 217 }, 218 .fixup_map_hash_48b = { 3 }, 219 .errstr = "R2 min value is negative", 220 .result = REJECT, 221 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 222}, 223{ 224 "helper access to adjusted map (via const reg): full range", 225 .insns = { 226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 228 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 229 BPF_LD_MAP_FD(BPF_REG_1, 0), 230 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 233 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)), 234 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 235 BPF_MOV64_IMM(BPF_REG_2, 236 sizeof(struct test_val) - offsetof(struct test_val, foo)), 237 BPF_MOV64_IMM(BPF_REG_3, 0), 238 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 239 BPF_EXIT_INSN(), 240 }, 241 .fixup_map_hash_48b = { 3 }, 242 .result = ACCEPT, 243 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 244}, 245{ 246 "helper access to adjusted map (via const reg): partial range", 247 .insns = { 248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 251 BPF_LD_MAP_FD(BPF_REG_1, 0), 252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 255 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)), 256 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 257 BPF_MOV64_IMM(BPF_REG_2, 8), 258 BPF_MOV64_IMM(BPF_REG_3, 0), 259 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 260 BPF_EXIT_INSN(), 261 }, 262 .fixup_map_hash_48b = { 3 }, 263 .result = ACCEPT, 264 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 265}, 266{ 267 "helper access to adjusted map (via const reg): empty range", 268 .insns = { 269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 271 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 272 BPF_LD_MAP_FD(BPF_REG_1, 0), 273 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 276 BPF_MOV64_IMM(BPF_REG_3, 0), 277 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 278 BPF_MOV64_IMM(BPF_REG_2, 0), 279 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 280 BPF_EXIT_INSN(), 281 }, 282 .fixup_map_hash_48b = { 3 }, 283 .errstr = "R1 min value is outside of the allowed memory range", 284 .result = REJECT, 285 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 286}, 287{ 288 "helper access to adjusted map (via const reg): out-of-bound range", 289 .insns = { 290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 292 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 293 BPF_LD_MAP_FD(BPF_REG_1, 0), 294 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 297 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)), 298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 299 BPF_MOV64_IMM(BPF_REG_2, 300 sizeof(struct test_val) - 301 offsetof(struct test_val, foo) + 8), 302 BPF_MOV64_IMM(BPF_REG_3, 0), 303 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 304 BPF_EXIT_INSN(), 305 }, 306 .fixup_map_hash_48b = { 3 }, 307 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 308 .result = REJECT, 309 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 310}, 311{ 312 "helper access to adjusted map (via const reg): negative range (> adjustment)", 313 .insns = { 314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 316 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 317 BPF_LD_MAP_FD(BPF_REG_1, 0), 318 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 321 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)), 322 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 323 BPF_MOV64_IMM(BPF_REG_2, -8), 324 BPF_MOV64_IMM(BPF_REG_3, 0), 325 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 326 BPF_EXIT_INSN(), 327 }, 328 .fixup_map_hash_48b = { 3 }, 329 .errstr = "R2 min value is negative", 330 .result = REJECT, 331 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 332}, 333{ 334 "helper access to adjusted map (via const reg): negative range (< adjustment)", 335 .insns = { 336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 338 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 339 BPF_LD_MAP_FD(BPF_REG_1, 0), 340 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 343 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)), 344 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 345 BPF_MOV64_IMM(BPF_REG_2, -1), 346 BPF_MOV64_IMM(BPF_REG_3, 0), 347 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 348 BPF_EXIT_INSN(), 349 }, 350 .fixup_map_hash_48b = { 3 }, 351 .errstr = "R2 min value is negative", 352 .result = REJECT, 353 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 354}, 355{ 356 "helper access to adjusted map (via variable): full range", 357 .insns = { 358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 360 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 361 BPF_LD_MAP_FD(BPF_REG_1, 0), 362 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 364 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 365 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 366 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4), 367 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 368 BPF_MOV64_IMM(BPF_REG_2, 369 sizeof(struct test_val) - offsetof(struct test_val, foo)), 370 BPF_MOV64_IMM(BPF_REG_3, 0), 371 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 372 BPF_EXIT_INSN(), 373 }, 374 .fixup_map_hash_48b = { 3 }, 375 .result = ACCEPT, 376 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 377}, 378{ 379 "helper access to adjusted map (via variable): partial range", 380 .insns = { 381 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 383 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 384 BPF_LD_MAP_FD(BPF_REG_1, 0), 385 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 386 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 387 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 388 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 389 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4), 390 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 391 BPF_MOV64_IMM(BPF_REG_2, 8), 392 BPF_MOV64_IMM(BPF_REG_3, 0), 393 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 394 BPF_EXIT_INSN(), 395 }, 396 .fixup_map_hash_48b = { 3 }, 397 .result = ACCEPT, 398 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 399}, 400{ 401 "helper access to adjusted map (via variable): empty range", 402 .insns = { 403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 405 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 406 BPF_LD_MAP_FD(BPF_REG_1, 0), 407 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 408 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 410 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 411 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 3), 412 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 413 BPF_MOV64_IMM(BPF_REG_2, 0), 414 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 415 BPF_EXIT_INSN(), 416 }, 417 .fixup_map_hash_48b = { 3 }, 418 .errstr = "R1 min value is outside of the allowed memory range", 419 .result = REJECT, 420 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 421}, 422{ 423 "helper access to adjusted map (via variable): no max check", 424 .insns = { 425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 427 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 428 BPF_LD_MAP_FD(BPF_REG_1, 0), 429 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 430 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 432 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 433 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 434 BPF_MOV64_IMM(BPF_REG_2, 1), 435 BPF_MOV64_IMM(BPF_REG_3, 0), 436 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 437 BPF_EXIT_INSN(), 438 }, 439 .fixup_map_hash_48b = { 3 }, 440 .errstr = "R1 unbounded memory access", 441 .result = REJECT, 442 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 443}, 444{ 445 "helper access to adjusted map (via variable): wrong max check", 446 .insns = { 447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 450 BPF_LD_MAP_FD(BPF_REG_1, 0), 451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 455 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4), 456 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 457 BPF_MOV64_IMM(BPF_REG_2, 458 sizeof(struct test_val) - 459 offsetof(struct test_val, foo) + 1), 460 BPF_MOV64_IMM(BPF_REG_3, 0), 461 BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel), 462 BPF_EXIT_INSN(), 463 }, 464 .fixup_map_hash_48b = { 3 }, 465 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 466 .result = REJECT, 467 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 468}, 469{ 470 "helper access to map: bounds check using <, good access", 471 .insns = { 472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 474 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 475 BPF_LD_MAP_FD(BPF_REG_1, 0), 476 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 479 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 480 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2), 481 BPF_MOV64_IMM(BPF_REG_0, 0), 482 BPF_EXIT_INSN(), 483 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 484 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 485 BPF_MOV64_IMM(BPF_REG_0, 0), 486 BPF_EXIT_INSN(), 487 }, 488 .fixup_map_hash_48b = { 3 }, 489 .result = ACCEPT, 490 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 491}, 492{ 493 "helper access to map: bounds check using <, bad access", 494 .insns = { 495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 497 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 498 BPF_LD_MAP_FD(BPF_REG_1, 0), 499 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 500 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 503 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4), 504 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 505 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 506 BPF_MOV64_IMM(BPF_REG_0, 0), 507 BPF_EXIT_INSN(), 508 BPF_MOV64_IMM(BPF_REG_0, 0), 509 BPF_EXIT_INSN(), 510 }, 511 .fixup_map_hash_48b = { 3 }, 512 .result = REJECT, 513 .errstr = "R1 unbounded memory access", 514 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 515}, 516{ 517 "helper access to map: bounds check using <=, good access", 518 .insns = { 519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 521 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 522 BPF_LD_MAP_FD(BPF_REG_1, 0), 523 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 526 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 527 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2), 528 BPF_MOV64_IMM(BPF_REG_0, 0), 529 BPF_EXIT_INSN(), 530 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 531 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 532 BPF_MOV64_IMM(BPF_REG_0, 0), 533 BPF_EXIT_INSN(), 534 }, 535 .fixup_map_hash_48b = { 3 }, 536 .result = ACCEPT, 537 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 538}, 539{ 540 "helper access to map: bounds check using <=, bad access", 541 .insns = { 542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 544 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 545 BPF_LD_MAP_FD(BPF_REG_1, 0), 546 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 548 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 550 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4), 551 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 552 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 553 BPF_MOV64_IMM(BPF_REG_0, 0), 554 BPF_EXIT_INSN(), 555 BPF_MOV64_IMM(BPF_REG_0, 0), 556 BPF_EXIT_INSN(), 557 }, 558 .fixup_map_hash_48b = { 3 }, 559 .result = REJECT, 560 .errstr = "R1 unbounded memory access", 561 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 562}, 563{ 564 "helper access to map: bounds check using s<, good access", 565 .insns = { 566 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 568 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 569 BPF_LD_MAP_FD(BPF_REG_1, 0), 570 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 574 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 575 BPF_MOV64_IMM(BPF_REG_0, 0), 576 BPF_EXIT_INSN(), 577 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3), 578 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 579 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 580 BPF_MOV64_IMM(BPF_REG_0, 0), 581 BPF_EXIT_INSN(), 582 }, 583 .fixup_map_hash_48b = { 3 }, 584 .result = ACCEPT, 585 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 586}, 587{ 588 "helper access to map: bounds check using s<, good access 2", 589 .insns = { 590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 593 BPF_LD_MAP_FD(BPF_REG_1, 0), 594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 598 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 599 BPF_MOV64_IMM(BPF_REG_0, 0), 600 BPF_EXIT_INSN(), 601 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 602 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 603 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 604 BPF_MOV64_IMM(BPF_REG_0, 0), 605 BPF_EXIT_INSN(), 606 }, 607 .fixup_map_hash_48b = { 3 }, 608 .result = ACCEPT, 609 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 610}, 611{ 612 "helper access to map: bounds check using s<, bad access", 613 .insns = { 614 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 616 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 617 BPF_LD_MAP_FD(BPF_REG_1, 0), 618 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 619 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 621 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 622 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 623 BPF_MOV64_IMM(BPF_REG_0, 0), 624 BPF_EXIT_INSN(), 625 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 626 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 627 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 628 BPF_MOV64_IMM(BPF_REG_0, 0), 629 BPF_EXIT_INSN(), 630 }, 631 .fixup_map_hash_48b = { 3 }, 632 .result = REJECT, 633 .errstr = "R1 min value is negative", 634 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 635}, 636{ 637 "helper access to map: bounds check using s<=, good access", 638 .insns = { 639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 642 BPF_LD_MAP_FD(BPF_REG_1, 0), 643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 647 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 648 BPF_MOV64_IMM(BPF_REG_0, 0), 649 BPF_EXIT_INSN(), 650 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3), 651 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 652 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 653 BPF_MOV64_IMM(BPF_REG_0, 0), 654 BPF_EXIT_INSN(), 655 }, 656 .fixup_map_hash_48b = { 3 }, 657 .result = ACCEPT, 658 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 659}, 660{ 661 "helper access to map: bounds check using s<=, good access 2", 662 .insns = { 663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 665 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 666 BPF_LD_MAP_FD(BPF_REG_1, 0), 667 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 671 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 672 BPF_MOV64_IMM(BPF_REG_0, 0), 673 BPF_EXIT_INSN(), 674 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 675 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 676 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 677 BPF_MOV64_IMM(BPF_REG_0, 0), 678 BPF_EXIT_INSN(), 679 }, 680 .fixup_map_hash_48b = { 3 }, 681 .result = ACCEPT, 682 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 683}, 684{ 685 "helper access to map: bounds check using s<=, bad access", 686 .insns = { 687 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 689 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 690 BPF_LD_MAP_FD(BPF_REG_1, 0), 691 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 693 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 694 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 695 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 696 BPF_MOV64_IMM(BPF_REG_0, 0), 697 BPF_EXIT_INSN(), 698 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 699 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 700 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 701 BPF_MOV64_IMM(BPF_REG_0, 0), 702 BPF_EXIT_INSN(), 703 }, 704 .fixup_map_hash_48b = { 3 }, 705 .result = REJECT, 706 .errstr = "R1 min value is negative", 707 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 708}, 709{ 710 "map lookup helper access to map", 711 .insns = { 712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 714 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 715 BPF_LD_MAP_FD(BPF_REG_1, 0), 716 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 719 BPF_LD_MAP_FD(BPF_REG_1, 0), 720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 721 BPF_EXIT_INSN(), 722 }, 723 .fixup_map_hash_16b = { 3, 8 }, 724 .result = ACCEPT, 725 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 726}, 727{ 728 "map update helper access to map", 729 .insns = { 730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 733 BPF_LD_MAP_FD(BPF_REG_1, 0), 734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 736 BPF_MOV64_IMM(BPF_REG_4, 0), 737 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 739 BPF_LD_MAP_FD(BPF_REG_1, 0), 740 BPF_EMIT_CALL(BPF_FUNC_map_update_elem), 741 BPF_EXIT_INSN(), 742 }, 743 .fixup_map_hash_16b = { 3, 10 }, 744 .result = ACCEPT, 745 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 746}, 747{ 748 "map update helper access to map: wrong size", 749 .insns = { 750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 752 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 753 BPF_LD_MAP_FD(BPF_REG_1, 0), 754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 756 BPF_MOV64_IMM(BPF_REG_4, 0), 757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 759 BPF_LD_MAP_FD(BPF_REG_1, 0), 760 BPF_EMIT_CALL(BPF_FUNC_map_update_elem), 761 BPF_EXIT_INSN(), 762 }, 763 .fixup_map_hash_8b = { 3 }, 764 .fixup_map_hash_16b = { 10 }, 765 .result = REJECT, 766 .errstr = "invalid access to map value, value_size=8 off=0 size=16", 767 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 768}, 769{ 770 "map helper access to adjusted map (via const imm)", 771 .insns = { 772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 775 BPF_LD_MAP_FD(BPF_REG_1, 0), 776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, offsetof(struct other_val, bar)), 780 BPF_LD_MAP_FD(BPF_REG_1, 0), 781 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 782 BPF_EXIT_INSN(), 783 }, 784 .fixup_map_hash_16b = { 3, 9 }, 785 .result = ACCEPT, 786 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 787}, 788{ 789 "map helper access to adjusted map (via const imm): out-of-bound 1", 790 .insns = { 791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 793 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 794 BPF_LD_MAP_FD(BPF_REG_1, 0), 795 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 797 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, sizeof(struct other_val) - 4), 799 BPF_LD_MAP_FD(BPF_REG_1, 0), 800 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 801 BPF_EXIT_INSN(), 802 }, 803 .fixup_map_hash_16b = { 3, 9 }, 804 .result = REJECT, 805 .errstr = "invalid access to map value, value_size=16 off=12 size=8", 806 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 807}, 808{ 809 "map helper access to adjusted map (via const imm): out-of-bound 2", 810 .insns = { 811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 813 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 814 BPF_LD_MAP_FD(BPF_REG_1, 0), 815 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 819 BPF_LD_MAP_FD(BPF_REG_1, 0), 820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 821 BPF_EXIT_INSN(), 822 }, 823 .fixup_map_hash_16b = { 3, 9 }, 824 .result = REJECT, 825 .errstr = "invalid access to map value, value_size=16 off=-4 size=8", 826 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 827}, 828{ 829 "map helper access to adjusted map (via const reg)", 830 .insns = { 831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 833 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 834 BPF_LD_MAP_FD(BPF_REG_1, 0), 835 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 838 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct other_val, bar)), 839 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 840 BPF_LD_MAP_FD(BPF_REG_1, 0), 841 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 842 BPF_EXIT_INSN(), 843 }, 844 .fixup_map_hash_16b = { 3, 10 }, 845 .result = ACCEPT, 846 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 847}, 848{ 849 "map helper access to adjusted map (via const reg): out-of-bound 1", 850 .insns = { 851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 853 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 854 BPF_LD_MAP_FD(BPF_REG_1, 0), 855 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 858 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct other_val) - 4), 859 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 860 BPF_LD_MAP_FD(BPF_REG_1, 0), 861 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 862 BPF_EXIT_INSN(), 863 }, 864 .fixup_map_hash_16b = { 3, 10 }, 865 .result = REJECT, 866 .errstr = "invalid access to map value, value_size=16 off=12 size=8", 867 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 868}, 869{ 870 "map helper access to adjusted map (via const reg): out-of-bound 2", 871 .insns = { 872 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 874 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 875 BPF_LD_MAP_FD(BPF_REG_1, 0), 876 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 879 BPF_MOV64_IMM(BPF_REG_3, -4), 880 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 881 BPF_LD_MAP_FD(BPF_REG_1, 0), 882 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 883 BPF_EXIT_INSN(), 884 }, 885 .fixup_map_hash_16b = { 3, 10 }, 886 .result = REJECT, 887 .errstr = "invalid access to map value, value_size=16 off=-4 size=8", 888 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 889}, 890{ 891 "map helper access to adjusted map (via variable)", 892 .insns = { 893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 895 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 896 BPF_LD_MAP_FD(BPF_REG_1, 0), 897 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 900 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 901 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar), 4), 902 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 903 BPF_LD_MAP_FD(BPF_REG_1, 0), 904 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 905 BPF_EXIT_INSN(), 906 }, 907 .fixup_map_hash_16b = { 3, 11 }, 908 .result = ACCEPT, 909 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 910}, 911{ 912 "map helper access to adjusted map (via variable): no max check", 913 .insns = { 914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 916 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 917 BPF_LD_MAP_FD(BPF_REG_1, 0), 918 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 921 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 922 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 923 BPF_LD_MAP_FD(BPF_REG_1, 0), 924 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 925 BPF_EXIT_INSN(), 926 }, 927 .fixup_map_hash_16b = { 3, 10 }, 928 .result = REJECT, 929 .errstr = "R2 unbounded memory access, make sure to bounds check any such access", 930 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 931}, 932{ 933 "map helper access to adjusted map (via variable): wrong max check", 934 .insns = { 935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 937 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 938 BPF_LD_MAP_FD(BPF_REG_1, 0), 939 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 943 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar) + 1, 4), 944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 945 BPF_LD_MAP_FD(BPF_REG_1, 0), 946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 947 BPF_EXIT_INSN(), 948 }, 949 .fixup_map_hash_16b = { 3, 11 }, 950 .result = REJECT, 951 .errstr = "invalid access to map value, value_size=16 off=9 size=8", 952 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 953},