/*
 * Context-pointer (ctx) handling cases. Each entry names the case, lists the
 * instruction sequence in .insns, and pins the expected verdict in .result,
 * with the expected message in .errstr for rejected programs.
 * R1 is the register the expected messages refer to as the ctx pointer.
 */
{
	"context stores via ST",
	/* Immediate store (BPF_DW width) of 0 into the mark field through R1. */
	.insns = {
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_ST_MEM(BPF_DW, BPF_REG_1,
			   offsetof(struct __sk_buff, mark), 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "BPF_ST stores into R1 ctx is not allowed",
},
{
	"context stores via XADD",
	/* Same target field, written with an XADD of R0 (BPF_W width). */
	.insns = {
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W,
			     BPF_REG_1, BPF_REG_0,
			     offsetof(struct __sk_buff, mark), 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
},
{
	"arithmetic ops make PTR_TO_CTX unusable",
	/*
	 * R1 is advanced by (data - mark), so the load that follows, although
	 * encoded with the mark offset, would address the data field. The
	 * load must be refused once the ctx pointer has been modified.
	 */
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
			      offsetof(struct __sk_buff, data) -
			      offsetof(struct __sk_buff, mark)),
		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
			    offsetof(struct __sk_buff, mark)),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
{
	"pass unmodified ctx pointer to helper",
	/* Baseline for the cases below: R1 is untouched before the call. */
	.insns = {
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_csum_update),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	"pass modified ctx pointer to helper, 1",
	/* R1 is shifted by a constant (-612) before the helper call. */
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_csum_update),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
{
	"pass modified ctx pointer to helper, 2",
	/*
	 * Same constant shift, different helper. No .prog_type is set, and
	 * both the privileged and unprivileged verdicts are pinned to REJECT.
	 * NOTE(review): which program type applies when .prog_type is omitted
	 * is not visible in this fragment - confirm against the test runner.
	 */
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_socket_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.result_unpriv = REJECT,
	.errstr = "dereference of modified ctx ptr",
	.errstr_unpriv = "dereference of modified ctx ptr",
},
{
	"pass modified ctx pointer to helper, 3",
	/*
	 * R3 = (word loaded from ctx offset 0) & 4, then R1 += R3. The offset
	 * added to the ctx pointer is therefore a runtime value limited to
	 * the single bit 0x4, which is what var_off=(0x0; 0x4) in the
	 * expected message describes.
	 */
	.insns = {
		BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
		BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
		BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_csum_update),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "variable ctx access var_off=(0x0; 0x4)",
},