1 {
2 "PTR_TO_STACK store/load",
3 .insns = {
4 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
6 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
7 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
8 BPF_EXIT_INSN(),
9 },
10 .result = ACCEPT,
11 .retval = 0xfaceb00c,
12 },
13 {
14 "PTR_TO_STACK store/load - bad alignment on off",
15 .insns = {
16 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
17 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
18 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
19 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
20 BPF_EXIT_INSN(),
21 },
22 .result = REJECT,
23 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
24 },
25 {
26 "PTR_TO_STACK store/load - bad alignment on reg",
27 .insns = {
28 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
29 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
30 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
31 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
32 BPF_EXIT_INSN(),
33 },
34 .result = REJECT,
35 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
36 },
37 {
38 "PTR_TO_STACK store/load - out of bounds low",
39 .insns = {
40 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
41 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
42 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
43 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
44 BPF_EXIT_INSN(),
45 },
46 .result = REJECT,
47 .errstr = "invalid stack off=-79992 size=8",
48 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
49 },
50 {
51 "PTR_TO_STACK store/load - out of bounds high",
52 .insns = {
53 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
54 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
55 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
56 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
57 BPF_EXIT_INSN(),
58 },
59 .result = REJECT,
60 .errstr = "invalid stack off=0 size=8",
61 },
62 {
63 "PTR_TO_STACK check high 1",
64 .insns = {
65 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
67 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
68 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
69 BPF_EXIT_INSN(),
70 },
71 .result = ACCEPT,
72 .retval = 42,
73 },
74 {
75 "PTR_TO_STACK check high 2",
76 .insns = {
77 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
78 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
79 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
80 BPF_EXIT_INSN(),
81 },
82 .result = ACCEPT,
83 .retval = 42,
84 },
85 {
86 "PTR_TO_STACK check high 3",
87 .insns = {
88 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
89 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
90 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
91 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
92 BPF_EXIT_INSN(),
93 },
94 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
95 .result_unpriv = REJECT,
96 .result = ACCEPT,
97 .retval = 42,
98 },
99 {
100 "PTR_TO_STACK check high 4",
101 .insns = {
102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
104 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
106 BPF_EXIT_INSN(),
107 },
108 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
109 .errstr = "invalid stack off=0 size=1",
110 .result = REJECT,
111 },
112 {
113 "PTR_TO_STACK check high 5",
114 .insns = {
115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
117 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
119 BPF_EXIT_INSN(),
120 },
121 .result = REJECT,
122 .errstr = "invalid stack off",
123 },
124 {
125 "PTR_TO_STACK check high 6",
126 .insns = {
127 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
129 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
130 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
131 BPF_EXIT_INSN(),
132 },
133 .result = REJECT,
134 .errstr = "invalid stack off",
135 },
136 {
137 "PTR_TO_STACK check high 7",
138 .insns = {
139 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
142 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
143 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
144 BPF_EXIT_INSN(),
145 },
146 .result = REJECT,
147 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
148 .errstr = "fp pointer offset",
149 },
150 {
151 "PTR_TO_STACK check low 1",
152 .insns = {
153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
155 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
156 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
157 BPF_EXIT_INSN(),
158 },
159 .result = ACCEPT,
160 .retval = 42,
161 },
162 {
163 "PTR_TO_STACK check low 2",
164 .insns = {
165 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
167 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
168 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
169 BPF_EXIT_INSN(),
170 },
171 .result_unpriv = REJECT,
172 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
173 .result = ACCEPT,
174 .retval = 42,
175 },
176 {
177 "PTR_TO_STACK check low 3",
178 .insns = {
179 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
181 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
182 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
183 BPF_EXIT_INSN(),
184 },
185 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
186 .errstr = "invalid stack off=-513 size=1",
187 .result = REJECT,
188 },
189 {
190 "PTR_TO_STACK check low 4",
191 .insns = {
192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
194 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
195 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
196 BPF_EXIT_INSN(),
197 },
198 .result = REJECT,
199 .errstr = "math between fp pointer",
200 },
201 {
202 "PTR_TO_STACK check low 5",
203 .insns = {
204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
206 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
208 BPF_EXIT_INSN(),
209 },
210 .result = REJECT,
211 .errstr = "invalid stack off",
212 },
213 {
214 "PTR_TO_STACK check low 6",
215 .insns = {
216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
218 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
220 BPF_EXIT_INSN(),
221 },
222 .result = REJECT,
223 .errstr = "invalid stack off",
224 },
225 {
226 "PTR_TO_STACK check low 7",
227 .insns = {
228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
231 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
232 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
233 BPF_EXIT_INSN(),
234 },
235 .result = REJECT,
236 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
237 .errstr = "fp pointer offset",
238 },
239 {
240 "PTR_TO_STACK mixed reg/k, 1",
241 .insns = {
242 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
244 BPF_MOV64_IMM(BPF_REG_2, -3),
245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
246 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
247 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
248 BPF_EXIT_INSN(),
249 },
250 .result = ACCEPT,
251 .retval = 42,
252 },
253 {
254 "PTR_TO_STACK mixed reg/k, 2",
255 .insns = {
256 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
257 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
260 BPF_MOV64_IMM(BPF_REG_2, -3),
261 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
262 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
263 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
264 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
265 BPF_EXIT_INSN(),
266 },
267 .result = ACCEPT,
268 .retval = 42,
269 },
270 {
271 "PTR_TO_STACK mixed reg/k, 3",
272 .insns = {
273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
275 BPF_MOV64_IMM(BPF_REG_2, -3),
276 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
277 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
278 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
279 BPF_EXIT_INSN(),
280 },
281 .result = ACCEPT,
282 .retval = -3,
283 },
284 {
285 "PTR_TO_STACK reg",
286 .insns = {
287 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
288 BPF_MOV64_IMM(BPF_REG_2, -3),
289 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
290 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
291 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
292 BPF_EXIT_INSN(),
293 },
294 .result_unpriv = REJECT,
295 .errstr_unpriv = "invalid stack off=0 size=1",
296 .result = ACCEPT,
297 .retval = 42,
298 },
299 {
300 "stack pointer arithmetic",
301 .insns = {
302 BPF_MOV64_IMM(BPF_REG_1, 4),
303 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
304 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
308 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
309 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
312 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
313 BPF_MOV64_IMM(BPF_REG_0, 0),
314 BPF_EXIT_INSN(),
315 },
316 .result = ACCEPT,
317 },