1 {
2 "invalid direct packet write for LWT_IN",
3 .insns = {
4 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5 offsetof(struct __sk_buff, data)),
6 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7 offsetof(struct __sk_buff, data_end)),
8 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
11 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
12 BPF_MOV64_IMM(BPF_REG_0, 0),
13 BPF_EXIT_INSN(),
14 },
15 .errstr = "cannot write into packet",
16 .result = REJECT,
17 .prog_type = BPF_PROG_TYPE_LWT_IN,
18 },
19 {
20 "invalid direct packet write for LWT_OUT",
21 .insns = {
22 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
23 offsetof(struct __sk_buff, data)),
24 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
25 offsetof(struct __sk_buff, data_end)),
26 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
27 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
28 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
29 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
30 BPF_MOV64_IMM(BPF_REG_0, 0),
31 BPF_EXIT_INSN(),
32 },
33 .errstr = "cannot write into packet",
34 .result = REJECT,
35 .prog_type = BPF_PROG_TYPE_LWT_OUT,
36 },
37 {
38 "direct packet write for LWT_XMIT",
39 .insns = {
40 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
41 offsetof(struct __sk_buff, data)),
42 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
43 offsetof(struct __sk_buff, data_end)),
44 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
45 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
46 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
47 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
48 BPF_MOV64_IMM(BPF_REG_0, 0),
49 BPF_EXIT_INSN(),
50 },
51 .result = ACCEPT,
52 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
53 },
54 {
55 "direct packet read for LWT_IN",
56 .insns = {
57 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
58 offsetof(struct __sk_buff, data)),
59 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
60 offsetof(struct __sk_buff, data_end)),
61 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
62 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
63 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
64 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
65 BPF_MOV64_IMM(BPF_REG_0, 0),
66 BPF_EXIT_INSN(),
67 },
68 .result = ACCEPT,
69 .prog_type = BPF_PROG_TYPE_LWT_IN,
70 },
71 {
72 "direct packet read for LWT_OUT",
73 .insns = {
74 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
75 offsetof(struct __sk_buff, data)),
76 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
77 offsetof(struct __sk_buff, data_end)),
78 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
79 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
80 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
81 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
82 BPF_MOV64_IMM(BPF_REG_0, 0),
83 BPF_EXIT_INSN(),
84 },
85 .result = ACCEPT,
86 .prog_type = BPF_PROG_TYPE_LWT_OUT,
87 },
88 {
89 "direct packet read for LWT_XMIT",
90 .insns = {
91 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
92 offsetof(struct __sk_buff, data)),
93 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
94 offsetof(struct __sk_buff, data_end)),
95 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
96 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
97 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
98 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
99 BPF_MOV64_IMM(BPF_REG_0, 0),
100 BPF_EXIT_INSN(),
101 },
102 .result = ACCEPT,
103 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
104 },
105 {
106 "overlapping checks for direct packet access",
107 .insns = {
108 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
109 offsetof(struct __sk_buff, data)),
110 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
111 offsetof(struct __sk_buff, data_end)),
112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
114 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
117 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
119 BPF_MOV64_IMM(BPF_REG_0, 0),
120 BPF_EXIT_INSN(),
121 },
122 .result = ACCEPT,
123 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
124 },
125 {
126 "make headroom for LWT_XMIT",
127 .insns = {
128 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
129 BPF_MOV64_IMM(BPF_REG_2, 34),
130 BPF_MOV64_IMM(BPF_REG_3, 0),
131 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
132
133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
134 BPF_MOV64_IMM(BPF_REG_2, 42),
135 BPF_MOV64_IMM(BPF_REG_3, 0),
136 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
137 BPF_MOV64_IMM(BPF_REG_0, 0),
138 BPF_EXIT_INSN(),
139 },
140 .result = ACCEPT,
141 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
142 },
143 {
144 "invalid access of tc_classid for LWT_IN",
145 .insns = {
146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
147 offsetof(struct __sk_buff, tc_classid)),
148 BPF_EXIT_INSN(),
149 },
150 .result = REJECT,
151 .errstr = "invalid bpf_context access",
152 },
153 {
154 "invalid access of tc_classid for LWT_OUT",
155 .insns = {
156 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
157 offsetof(struct __sk_buff, tc_classid)),
158 BPF_EXIT_INSN(),
159 },
160 .result = REJECT,
161 .errstr = "invalid bpf_context access",
162 },
163 {
164 "invalid access of tc_classid for LWT_XMIT",
165 .insns = {
166 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
167 offsetof(struct __sk_buff, tc_classid)),
168 BPF_EXIT_INSN(),
169 },
170 .result = REJECT,
171 .errstr = "invalid bpf_context access",
172 },
173 {
174 "check skb->tc_classid half load not permitted for lwt prog",
175 .insns = {
176 BPF_MOV64_IMM(BPF_REG_0, 0),
177 #if __BYTE_ORDER == __LITTLE_ENDIAN
178 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
179 offsetof(struct __sk_buff, tc_classid)),
180 #else
181 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
182 offsetof(struct __sk_buff, tc_classid) + 2),
183 #endif
184 BPF_EXIT_INSN(),
185 },
186 .result = REJECT,
187 .errstr = "invalid bpf_context access",
188 .prog_type = BPF_PROG_TYPE_LWT_IN,
189 },