cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

map_in_map.c (3161B)

      1{
      2	"map in map access",
      3	.insns = {
      4	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
      5	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
      6	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
      7	BPF_LD_MAP_FD(BPF_REG_1, 0),
      8	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
      9	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
     10	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
     11	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
     12	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
     13	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
     14	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     15	BPF_MOV64_IMM(BPF_REG_0, 0),
     16	BPF_EXIT_INSN(),
     17	},
     18	.fixup_map_in_map = { 3 },
     19	.result = ACCEPT,
     20},
     21{
     22	"map in map state pruning",
     23	.insns = {
     24	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
     25	BPF_MOV64_REG(BPF_REG_6, BPF_REG_10),
     26	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -4),
     27	BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
     28	BPF_LD_MAP_FD(BPF_REG_1, 0),
     29	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     30	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
     31	BPF_EXIT_INSN(),
     32	BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
     33	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
     34	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     35	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 11),
     36	BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
     37	BPF_LD_MAP_FD(BPF_REG_1, 0),
     38	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     39	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
     40	BPF_EXIT_INSN(),
     41	BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
     42	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
     43	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     44	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
     45	BPF_EXIT_INSN(),
     46	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
     47	BPF_EXIT_INSN(),
     48	},
     49	.fixup_map_in_map = { 4, 14 },
     50	.flags = BPF_F_TEST_STATE_FREQ,
     51	.result = VERBOSE_ACCEPT,
     52	.errstr = "processed 25 insns",
     53	.prog_type = BPF_PROG_TYPE_XDP,
     54},
     55{
     56	"invalid inner map pointer",
     57	.insns = {
     58	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
     59	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
     60	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
     61	BPF_LD_MAP_FD(BPF_REG_1, 0),
     62	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     63	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
     64	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
     65	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
     66	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
     67	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
     68	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
     69	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     70	BPF_MOV64_IMM(BPF_REG_0, 0),
     71	BPF_EXIT_INSN(),
     72	},
     73	.fixup_map_in_map = { 3 },
     74	.errstr = "R1 pointer arithmetic on map_ptr prohibited",
     75	.result = REJECT,
     76},
     77{
     78	"forgot null checking on the inner map pointer",
     79	.insns = {
     80	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
     81	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
     82	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
     83	BPF_LD_MAP_FD(BPF_REG_1, 0),
     84	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     85	BPF_ST_MEM(0, BPF_REG_10, -4, 0),
     86	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
     87	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
     88	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
     89	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
     90	BPF_MOV64_IMM(BPF_REG_0, 0),
     91	BPF_EXIT_INSN(),
     92	},
     93	.fixup_map_in_map = { 3 },
     94	.errstr = "R1 type=map_value_or_null expected=map_ptr",
     95	.result = REJECT,
     96},