2 "map access: known scalar += value_ptr from different maps",
4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5 offsetof(struct __sk_buff, len)),
6 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
10 BPF_LD_MAP_FD(BPF_REG_1, 0),
11 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12 BPF_LD_MAP_FD(BPF_REG_1, 0),
13 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
14 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15 BPF_MOV64_IMM(BPF_REG_1, 4),
16 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
17 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
18 BPF_MOV64_IMM(BPF_REG_0, 1),
21 .fixup_map_hash_16b = { 5 },
22 .fixup_map_array_48b = { 8 },
24 .result_unpriv = REJECT,
25 .errstr_unpriv = "R1 tried to add from different maps",
29 "map access: value_ptr -= known scalar from different maps",
31 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
32 offsetof(struct __sk_buff, len)),
33 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
34 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
35 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
36 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
37 BPF_LD_MAP_FD(BPF_REG_1, 0),
38 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
39 BPF_LD_MAP_FD(BPF_REG_1, 0),
40 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
41 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
42 BPF_MOV64_IMM(BPF_REG_1, 4),
43 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
44 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
45 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
46 BPF_MOV64_IMM(BPF_REG_0, 1),
49 .fixup_map_hash_16b = { 5 },
50 .fixup_map_array_48b = { 8 },
52 .result_unpriv = REJECT,
53 .errstr_unpriv = "R0 min value is outside of the array range",
57 "map access: known scalar += value_ptr from different maps, but same value properties",
59 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
60 offsetof(struct __sk_buff, len)),
61 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
62 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
63 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
64 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
65 BPF_LD_MAP_FD(BPF_REG_1, 0),
66 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
67 BPF_LD_MAP_FD(BPF_REG_1, 0),
68 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
69 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
70 BPF_MOV64_IMM(BPF_REG_1, 4),
71 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
72 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
73 BPF_MOV64_IMM(BPF_REG_0, 1),
76 .fixup_map_hash_48b = { 5 },
77 .fixup_map_array_48b = { 8 },
82 "map access: mixing value pointer and scalar, 1",
84 // load map value pointer into r0 and r2
85 BPF_MOV64_IMM(BPF_REG_0, 1),
86 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
87 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
89 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
90 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
91 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
93 // load some number from the map into r1
94 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
95 // depending on r1, branch:
96 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
98 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
99 BPF_MOV64_IMM(BPF_REG_3, 0),
102 BPF_MOV64_IMM(BPF_REG_2, 0),
103 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
104 // common instruction
105 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
106 // depending on r1, branch:
107 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
111 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
112 // verifier follows fall-through
113 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
114 BPF_MOV64_IMM(BPF_REG_0, 0),
116 // fake-dead code; targeted from branch A to
117 // prevent dead code sanitization
118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
119 BPF_MOV64_IMM(BPF_REG_0, 0),
122 .fixup_map_array_48b = { 1 },
124 .result_unpriv = REJECT,
125 .errstr_unpriv = "R2 tried to add from different pointers or scalars",
129 "map access: mixing value pointer and scalar, 2",
131 // load map value pointer into r0 and r2
132 BPF_MOV64_IMM(BPF_REG_0, 1),
133 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
134 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
136 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
137 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
138 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
140 // load some number from the map into r1
141 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
142 // depending on r1, branch:
143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
145 BPF_MOV64_IMM(BPF_REG_2, 0),
146 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
149 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
150 BPF_MOV64_IMM(BPF_REG_3, 0),
151 // common instruction
152 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
153 // depending on r1, branch:
154 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
158 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
159 // verifier follows fall-through
160 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
161 BPF_MOV64_IMM(BPF_REG_0, 0),
163 // fake-dead code; targeted from branch A to
164 // prevent dead code sanitization
165 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
166 BPF_MOV64_IMM(BPF_REG_0, 0),
169 .fixup_map_array_48b = { 1 },
171 .result_unpriv = REJECT,
172 .errstr_unpriv = "R2 tried to add from different maps or paths",
176 "sanitation: alu with different scalars",
178 BPF_MOV64_IMM(BPF_REG_0, 1),
179 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
180 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
182 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
183 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
184 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
186 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
187 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
188 BPF_MOV64_IMM(BPF_REG_2, 0),
189 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
191 BPF_MOV64_IMM(BPF_REG_2, 42),
192 BPF_MOV64_IMM(BPF_REG_3, 0x100001),
193 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
194 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
197 .fixup_map_array_48b = { 1 },
202 "map access: value_ptr += known scalar, upper oob arith, test 1",
204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
207 BPF_LD_MAP_FD(BPF_REG_1, 0),
208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
210 BPF_MOV64_IMM(BPF_REG_1, 48),
211 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
212 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
213 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
214 BPF_MOV64_IMM(BPF_REG_0, 1),
217 .fixup_map_array_48b = { 3 },
219 .result_unpriv = REJECT,
220 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
224 "map access: value_ptr += known scalar, upper oob arith, test 2",
226 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
227 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
229 BPF_LD_MAP_FD(BPF_REG_1, 0),
230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
232 BPF_MOV64_IMM(BPF_REG_1, 49),
233 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
234 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
235 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
236 BPF_MOV64_IMM(BPF_REG_0, 1),
239 .fixup_map_array_48b = { 3 },
241 .result_unpriv = REJECT,
242 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
246 "map access: value_ptr += known scalar, upper oob arith, test 3",
248 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
251 BPF_LD_MAP_FD(BPF_REG_1, 0),
252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
254 BPF_MOV64_IMM(BPF_REG_1, 47),
255 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
256 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
257 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
258 BPF_MOV64_IMM(BPF_REG_0, 1),
261 .fixup_map_array_48b = { 3 },
263 .result_unpriv = REJECT,
264 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
268 "map access: value_ptr -= known scalar, lower oob arith, test 1",
270 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
273 BPF_LD_MAP_FD(BPF_REG_1, 0),
274 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
276 BPF_MOV64_IMM(BPF_REG_1, 47),
277 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
278 BPF_MOV64_IMM(BPF_REG_1, 48),
279 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
280 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
281 BPF_MOV64_IMM(BPF_REG_0, 1),
284 .fixup_map_array_48b = { 3 },
286 .errstr = "R0 min value is outside of the array range",
287 .result_unpriv = REJECT,
288 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
291 "map access: value_ptr -= known scalar, lower oob arith, test 2",
293 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
296 BPF_LD_MAP_FD(BPF_REG_1, 0),
297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
298 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
299 BPF_MOV64_IMM(BPF_REG_1, 47),
300 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
301 BPF_MOV64_IMM(BPF_REG_1, 48),
302 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
303 BPF_MOV64_IMM(BPF_REG_1, 1),
304 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
306 BPF_MOV64_IMM(BPF_REG_0, 1),
309 .fixup_map_array_48b = { 3 },
311 .result_unpriv = REJECT,
312 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
316 "map access: value_ptr -= known scalar, lower oob arith, test 3",
318 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
321 BPF_LD_MAP_FD(BPF_REG_1, 0),
322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
323 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
324 BPF_MOV64_IMM(BPF_REG_1, 47),
325 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
326 BPF_MOV64_IMM(BPF_REG_1, 47),
327 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
328 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
329 BPF_MOV64_IMM(BPF_REG_0, 1),
332 .fixup_map_array_48b = { 3 },
334 .result_unpriv = REJECT,
335 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
339 "map access: known scalar += value_ptr",
341 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
342 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
344 BPF_LD_MAP_FD(BPF_REG_1, 0),
345 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
346 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
347 BPF_MOV64_IMM(BPF_REG_1, 4),
348 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
349 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
350 BPF_MOV64_IMM(BPF_REG_0, 1),
353 .fixup_map_array_48b = { 3 },
358 "map access: value_ptr += known scalar, 1",
360 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
361 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
363 BPF_LD_MAP_FD(BPF_REG_1, 0),
364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
366 BPF_MOV64_IMM(BPF_REG_1, 4),
367 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
368 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
369 BPF_MOV64_IMM(BPF_REG_0, 1),
372 .fixup_map_array_48b = { 3 },
377 "map access: value_ptr += known scalar, 2",
379 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
380 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
382 BPF_LD_MAP_FD(BPF_REG_1, 0),
383 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
384 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
385 BPF_MOV64_IMM(BPF_REG_1, 49),
386 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
387 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
388 BPF_MOV64_IMM(BPF_REG_0, 1),
391 .fixup_map_array_48b = { 3 },
393 .errstr = "invalid access to map value",
396 "map access: value_ptr += known scalar, 3",
398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
401 BPF_LD_MAP_FD(BPF_REG_1, 0),
402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
404 BPF_MOV64_IMM(BPF_REG_1, -1),
405 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
406 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
407 BPF_MOV64_IMM(BPF_REG_0, 1),
410 .fixup_map_array_48b = { 3 },
412 .errstr = "invalid access to map value",
415 "map access: value_ptr += known scalar, 4",
417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
420 BPF_LD_MAP_FD(BPF_REG_1, 0),
421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
422 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
423 BPF_MOV64_IMM(BPF_REG_1, 5),
424 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
425 BPF_MOV64_IMM(BPF_REG_1, -2),
426 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
427 BPF_MOV64_IMM(BPF_REG_1, -1),
428 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
429 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
430 BPF_MOV64_IMM(BPF_REG_0, 1),
433 .fixup_map_array_48b = { 3 },
435 .result_unpriv = REJECT,
436 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
440 "map access: value_ptr += known scalar, 5",
442 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
443 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
445 BPF_LD_MAP_FD(BPF_REG_1, 0),
446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
447 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
448 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
449 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
450 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
453 .fixup_map_array_48b = { 3 },
455 .retval = 0xabcdef12,
458 "map access: value_ptr += known scalar, 6",
460 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
461 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
463 BPF_LD_MAP_FD(BPF_REG_1, 0),
464 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
465 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
466 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
467 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
468 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
469 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
470 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
473 .fixup_map_array_48b = { 3 },
475 .retval = 0xabcdef12,
478 "map access: unknown scalar += value_ptr, 1",
480 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
481 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
483 BPF_LD_MAP_FD(BPF_REG_1, 0),
484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
485 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
486 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
487 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
488 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
489 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
490 BPF_MOV64_IMM(BPF_REG_0, 1),
493 .fixup_map_array_48b = { 3 },
498 "map access: unknown scalar += value_ptr, 2",
500 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
503 BPF_LD_MAP_FD(BPF_REG_1, 0),
504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
505 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
506 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
507 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
508 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
509 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
512 .fixup_map_array_48b = { 3 },
514 .retval = 0xabcdef12,
517 "map access: unknown scalar += value_ptr, 3",
519 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
522 BPF_LD_MAP_FD(BPF_REG_1, 0),
523 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
525 BPF_MOV64_IMM(BPF_REG_1, -1),
526 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
527 BPF_MOV64_IMM(BPF_REG_1, 1),
528 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
529 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
530 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
531 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
532 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
535 .fixup_map_array_48b = { 3 },
537 .result_unpriv = REJECT,
538 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
539 .retval = 0xabcdef12,
542 "map access: unknown scalar += value_ptr, 4",
544 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
547 BPF_LD_MAP_FD(BPF_REG_1, 0),
548 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
549 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
550 BPF_MOV64_IMM(BPF_REG_1, 19),
551 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
552 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
553 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
554 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
555 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
558 .fixup_map_array_48b = { 3 },
560 .errstr = "R1 max value is outside of the array range",
561 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
564 "map access: value_ptr += unknown scalar, 1",
566 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
569 BPF_LD_MAP_FD(BPF_REG_1, 0),
570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
572 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
573 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
574 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
575 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
576 BPF_MOV64_IMM(BPF_REG_0, 1),
579 .fixup_map_array_48b = { 3 },
584 "map access: value_ptr += unknown scalar, 2",
586 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
587 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
589 BPF_LD_MAP_FD(BPF_REG_1, 0),
590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
592 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
593 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
594 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
595 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
598 .fixup_map_array_48b = { 3 },
600 .retval = 0xabcdef12,
603 "map access: value_ptr += unknown scalar, 3",
605 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
606 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
608 BPF_LD_MAP_FD(BPF_REG_1, 0),
609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
610 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
611 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
612 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
613 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
614 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
615 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
616 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
617 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
618 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
619 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
620 BPF_MOV64_IMM(BPF_REG_0, 1),
622 BPF_MOV64_IMM(BPF_REG_0, 2),
623 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
625 .fixup_map_array_48b = { 3 },
630 "map access: value_ptr += value_ptr",
632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
633 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
635 BPF_LD_MAP_FD(BPF_REG_1, 0),
636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
637 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
638 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
639 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
640 BPF_MOV64_IMM(BPF_REG_0, 1),
643 .fixup_map_array_48b = { 3 },
645 .errstr = "R0 pointer += pointer prohibited",
648 "map access: known scalar -= value_ptr",
650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
653 BPF_LD_MAP_FD(BPF_REG_1, 0),
654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
656 BPF_MOV64_IMM(BPF_REG_1, 4),
657 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
658 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
659 BPF_MOV64_IMM(BPF_REG_0, 1),
662 .fixup_map_array_48b = { 3 },
664 .errstr = "R1 tried to subtract pointer from scalar",
667 "map access: value_ptr -= known scalar",
669 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
670 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
672 BPF_LD_MAP_FD(BPF_REG_1, 0),
673 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
674 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
675 BPF_MOV64_IMM(BPF_REG_1, 4),
676 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
677 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
678 BPF_MOV64_IMM(BPF_REG_0, 1),
681 .fixup_map_array_48b = { 3 },
683 .errstr = "R0 min value is outside of the array range",
686 "map access: value_ptr -= known scalar, 2",
688 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
689 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
691 BPF_LD_MAP_FD(BPF_REG_1, 0),
692 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
694 BPF_MOV64_IMM(BPF_REG_1, 6),
695 BPF_MOV64_IMM(BPF_REG_2, 4),
696 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
697 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
698 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
699 BPF_MOV64_IMM(BPF_REG_0, 1),
702 .fixup_map_array_48b = { 3 },
704 .result_unpriv = REJECT,
705 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
709 "map access: unknown scalar -= value_ptr",
711 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
714 BPF_LD_MAP_FD(BPF_REG_1, 0),
715 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
717 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
718 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
719 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
720 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
721 BPF_MOV64_IMM(BPF_REG_0, 1),
724 .fixup_map_array_48b = { 3 },
726 .errstr = "R1 tried to subtract pointer from scalar",
729 "map access: value_ptr -= unknown scalar",
731 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
734 BPF_LD_MAP_FD(BPF_REG_1, 0),
735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
737 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
738 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
739 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
740 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
741 BPF_MOV64_IMM(BPF_REG_0, 1),
744 .fixup_map_array_48b = { 3 },
746 .errstr = "R0 min value is negative",
749 "map access: value_ptr -= unknown scalar, 2",
751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
754 BPF_LD_MAP_FD(BPF_REG_1, 0),
755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
757 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
758 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
759 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
760 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
761 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
762 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
763 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
764 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
765 BPF_MOV64_IMM(BPF_REG_0, 1),
768 .fixup_map_array_48b = { 3 },
770 .result_unpriv = REJECT,
771 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
775 "map access: value_ptr -= value_ptr",
777 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
780 BPF_LD_MAP_FD(BPF_REG_1, 0),
781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
783 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
784 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
785 BPF_MOV64_IMM(BPF_REG_0, 1),
788 .fixup_map_array_48b = { 3 },
790 .errstr = "R0 invalid mem access 'inv'",
791 .errstr_unpriv = "R0 pointer -= pointer prohibited",
projects / linux.git / blob