2 "valid map access into an array with a constant",
4 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7 BPF_LD_MAP_FD(BPF_REG_1, 0),
8 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
13 .fixup_map_hash_48b = { 3 },
14 .errstr_unpriv = "R0 leaks addr",
15 .result_unpriv = REJECT,
19 "valid map access into an array with a register",
21 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
22 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
23 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
24 BPF_LD_MAP_FD(BPF_REG_1, 0),
25 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
26 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
27 BPF_MOV64_IMM(BPF_REG_1, 4),
28 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
29 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
30 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
33 .fixup_map_hash_48b = { 3 },
34 .errstr_unpriv = "R0 leaks addr",
35 .result_unpriv = REJECT,
37 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
40 "valid map access into an array with a variable",
42 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
43 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
44 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
45 BPF_LD_MAP_FD(BPF_REG_1, 0),
46 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
48 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
49 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
50 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
51 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
52 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
55 .fixup_map_hash_48b = { 3 },
56 .errstr_unpriv = "R0 leaks addr",
57 .result_unpriv = REJECT,
59 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
62 "valid map access into an array with a signed variable",
64 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
65 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
67 BPF_LD_MAP_FD(BPF_REG_1, 0),
68 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
69 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
70 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
71 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
72 BPF_MOV32_IMM(BPF_REG_1, 0),
73 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
74 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
75 BPF_MOV32_IMM(BPF_REG_1, 0),
76 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
77 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
78 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
81 .fixup_map_hash_48b = { 3 },
82 .errstr_unpriv = "R0 leaks addr",
83 .result_unpriv = REJECT,
85 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
88 "invalid map access into an array with a constant",
90 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
91 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
92 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
93 BPF_LD_MAP_FD(BPF_REG_1, 0),
94 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
95 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
96 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
97 offsetof(struct test_val, foo)),
100 .fixup_map_hash_48b = { 3 },
101 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
105 "invalid map access into an array with a register",
107 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
110 BPF_LD_MAP_FD(BPF_REG_1, 0),
111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
113 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
114 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
115 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
116 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
119 .fixup_map_hash_48b = { 3 },
120 .errstr = "R0 min value is outside of the array range",
122 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
125 "invalid map access into an array with a variable",
127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
130 BPF_LD_MAP_FD(BPF_REG_1, 0),
131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
133 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
134 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
135 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
136 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
139 .fixup_map_hash_48b = { 3 },
140 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
142 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
145 "invalid map access into an array with no floor check",
147 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
150 BPF_LD_MAP_FD(BPF_REG_1, 0),
151 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
153 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
154 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
155 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
156 BPF_MOV32_IMM(BPF_REG_1, 0),
157 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
158 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
159 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
162 .fixup_map_hash_48b = { 3 },
163 .errstr_unpriv = "R0 leaks addr",
164 .errstr = "R0 unbounded memory access",
165 .result_unpriv = REJECT,
167 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
170 "invalid map access into an array with a invalid max check",
172 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
173 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
175 BPF_LD_MAP_FD(BPF_REG_1, 0),
176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
178 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
179 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
180 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
181 BPF_MOV32_IMM(BPF_REG_1, 0),
182 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
183 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
184 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
187 .fixup_map_hash_48b = { 3 },
188 .errstr_unpriv = "R0 leaks addr",
189 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
190 .result_unpriv = REJECT,
192 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
195 "invalid map access into an array with a invalid max check",
197 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
198 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
200 BPF_LD_MAP_FD(BPF_REG_1, 0),
201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
203 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
207 BPF_LD_MAP_FD(BPF_REG_1, 0),
208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
210 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
211 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
212 offsetof(struct test_val, foo)),
215 .fixup_map_hash_48b = { 3, 11 },
216 .errstr = "R0 pointer += pointer",
218 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
221 "valid read map access into a read-only array 1",
223 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
226 BPF_LD_MAP_FD(BPF_REG_1, 0),
227 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
229 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
232 .fixup_map_array_ro = { 3 },
237 "valid read map access into a read-only array 2",
239 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
242 BPF_LD_MAP_FD(BPF_REG_1, 0),
243 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
247 BPF_MOV64_IMM(BPF_REG_2, 4),
248 BPF_MOV64_IMM(BPF_REG_3, 0),
249 BPF_MOV64_IMM(BPF_REG_4, 0),
250 BPF_MOV64_IMM(BPF_REG_5, 0),
251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
255 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
256 .fixup_map_array_ro = { 3 },
261 "invalid write map access into a read-only array 1",
263 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
264 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
266 BPF_LD_MAP_FD(BPF_REG_1, 0),
267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
269 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
272 .fixup_map_array_ro = { 3 },
274 .errstr = "write into map forbidden",
277 "invalid write map access into a read-only array 2",
279 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
280 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
283 BPF_LD_MAP_FD(BPF_REG_1, 0),
284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
287 BPF_MOV64_IMM(BPF_REG_2, 0),
288 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
289 BPF_MOV64_IMM(BPF_REG_4, 8),
290 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
291 BPF_FUNC_skb_load_bytes),
294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
295 .fixup_map_array_ro = { 4 },
297 .errstr = "write into map forbidden",
300 "valid write map access into a write-only array 1",
302 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
305 BPF_LD_MAP_FD(BPF_REG_1, 0),
306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
307 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
308 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
309 BPF_MOV64_IMM(BPF_REG_0, 1),
312 .fixup_map_array_wo = { 3 },
317 "valid write map access into a write-only array 2",
319 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
320 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
321 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
323 BPF_LD_MAP_FD(BPF_REG_1, 0),
324 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
326 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
327 BPF_MOV64_IMM(BPF_REG_2, 0),
328 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
329 BPF_MOV64_IMM(BPF_REG_4, 8),
330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
331 BPF_FUNC_skb_load_bytes),
334 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
335 .fixup_map_array_wo = { 4 },
340 "invalid read map access into a write-only array 1",
342 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
343 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
345 BPF_LD_MAP_FD(BPF_REG_1, 0),
346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
347 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
348 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
351 .fixup_map_array_wo = { 3 },
353 .errstr = "read from map forbidden",
356 "invalid read map access into a write-only array 2",
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
361 BPF_LD_MAP_FD(BPF_REG_1, 0),
362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
366 BPF_MOV64_IMM(BPF_REG_2, 4),
367 BPF_MOV64_IMM(BPF_REG_3, 0),
368 BPF_MOV64_IMM(BPF_REG_4, 0),
369 BPF_MOV64_IMM(BPF_REG_5, 0),
370 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
375 .fixup_map_array_wo = { 3 },
377 .errstr = "read from map forbidden",