1 {
2 "helper access to map: full range",
3 .insns = {
4 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7 BPF_LD_MAP_FD(BPF_REG_1, 0),
8 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
10 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
12 BPF_MOV64_IMM(BPF_REG_3, 0),
13 BPF_EMIT_CALL(BPF_FUNC_probe_read),
14 BPF_EXIT_INSN(),
15 },
16 .fixup_map_hash_48b = { 3 },
17 .result = ACCEPT,
18 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
19 },
20 {
21 "helper access to map: partial range",
22 .insns = {
23 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
24 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
25 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
26 BPF_LD_MAP_FD(BPF_REG_1, 0),
27 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
28 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
29 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
30 BPF_MOV64_IMM(BPF_REG_2, 8),
31 BPF_MOV64_IMM(BPF_REG_3, 0),
32 BPF_EMIT_CALL(BPF_FUNC_probe_read),
33 BPF_EXIT_INSN(),
34 },
35 .fixup_map_hash_48b = { 3 },
36 .result = ACCEPT,
37 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
38 },
39 {
40 "helper access to map: empty range",
41 .insns = {
42 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
43 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
44 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
45 BPF_LD_MAP_FD(BPF_REG_1, 0),
46 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
48 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
49 BPF_MOV64_IMM(BPF_REG_2, 0),
50 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
51 BPF_EXIT_INSN(),
52 },
53 .fixup_map_hash_48b = { 3 },
54 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
55 .result = REJECT,
56 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
57 },
58 {
59 "helper access to map: out-of-bound range",
60 .insns = {
61 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
62 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
63 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
64 BPF_LD_MAP_FD(BPF_REG_1, 0),
65 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
66 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
67 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
68 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
69 BPF_MOV64_IMM(BPF_REG_3, 0),
70 BPF_EMIT_CALL(BPF_FUNC_probe_read),
71 BPF_EXIT_INSN(),
72 },
73 .fixup_map_hash_48b = { 3 },
74 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
75 .result = REJECT,
76 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
77 },
78 {
79 "helper access to map: negative range",
80 .insns = {
81 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
82 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
83 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
84 BPF_LD_MAP_FD(BPF_REG_1, 0),
85 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
86 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
87 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
88 BPF_MOV64_IMM(BPF_REG_2, -8),
89 BPF_MOV64_IMM(BPF_REG_3, 0),
90 BPF_EMIT_CALL(BPF_FUNC_probe_read),
91 BPF_EXIT_INSN(),
92 },
93 .fixup_map_hash_48b = { 3 },
94 .errstr = "R2 min value is negative",
95 .result = REJECT,
96 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
97 },
98 {
99 "helper access to adjusted map (via const imm): full range",
100 .insns = {
101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
104 BPF_LD_MAP_FD(BPF_REG_1, 0),
105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
109 BPF_MOV64_IMM(BPF_REG_2,
110 sizeof(struct test_val) - offsetof(struct test_val, foo)),
111 BPF_MOV64_IMM(BPF_REG_3, 0),
112 BPF_EMIT_CALL(BPF_FUNC_probe_read),
113 BPF_EXIT_INSN(),
114 },
115 .fixup_map_hash_48b = { 3 },
116 .result = ACCEPT,
117 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
118 },
119 {
120 "helper access to adjusted map (via const imm): partial range",
121 .insns = {
122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
124 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
125 BPF_LD_MAP_FD(BPF_REG_1, 0),
126 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
127 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
130 BPF_MOV64_IMM(BPF_REG_2, 8),
131 BPF_MOV64_IMM(BPF_REG_3, 0),
132 BPF_EMIT_CALL(BPF_FUNC_probe_read),
133 BPF_EXIT_INSN(),
134 },
135 .fixup_map_hash_48b = { 3 },
136 .result = ACCEPT,
137 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
138 },
139 {
140 "helper access to adjusted map (via const imm): empty range",
141 .insns = {
142 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
144 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
145 BPF_LD_MAP_FD(BPF_REG_1, 0),
146 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
150 BPF_MOV64_IMM(BPF_REG_2, 0),
151 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
152 BPF_EXIT_INSN(),
153 },
154 .fixup_map_hash_48b = { 3 },
155 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
156 .result = REJECT,
157 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
158 },
159 {
160 "helper access to adjusted map (via const imm): out-of-bound range",
161 .insns = {
162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
164 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
165 BPF_LD_MAP_FD(BPF_REG_1, 0),
166 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
170 BPF_MOV64_IMM(BPF_REG_2,
171 sizeof(struct test_val) - offsetof(struct test_val, foo) + 8),
172 BPF_MOV64_IMM(BPF_REG_3, 0),
173 BPF_EMIT_CALL(BPF_FUNC_probe_read),
174 BPF_EXIT_INSN(),
175 },
176 .fixup_map_hash_48b = { 3 },
177 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
178 .result = REJECT,
179 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
180 },
181 {
182 "helper access to adjusted map (via const imm): negative range (> adjustment)",
183 .insns = {
184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
186 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
187 BPF_LD_MAP_FD(BPF_REG_1, 0),
188 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
189 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
192 BPF_MOV64_IMM(BPF_REG_2, -8),
193 BPF_MOV64_IMM(BPF_REG_3, 0),
194 BPF_EMIT_CALL(BPF_FUNC_probe_read),
195 BPF_EXIT_INSN(),
196 },
197 .fixup_map_hash_48b = { 3 },
198 .errstr = "R2 min value is negative",
199 .result = REJECT,
200 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
201 },
202 {
203 "helper access to adjusted map (via const imm): negative range (< adjustment)",
204 .insns = {
205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
207 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
208 BPF_LD_MAP_FD(BPF_REG_1, 0),
209 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
211 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
213 BPF_MOV64_IMM(BPF_REG_2, -1),
214 BPF_MOV64_IMM(BPF_REG_3, 0),
215 BPF_EMIT_CALL(BPF_FUNC_probe_read),
216 BPF_EXIT_INSN(),
217 },
218 .fixup_map_hash_48b = { 3 },
219 .errstr = "R2 min value is negative",
220 .result = REJECT,
221 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
222 },
223 {
224 "helper access to adjusted map (via const reg): full range",
225 .insns = {
226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
228 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
229 BPF_LD_MAP_FD(BPF_REG_1, 0),
230 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
233 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
234 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
235 BPF_MOV64_IMM(BPF_REG_2,
236 sizeof(struct test_val) - offsetof(struct test_val, foo)),
237 BPF_MOV64_IMM(BPF_REG_3, 0),
238 BPF_EMIT_CALL(BPF_FUNC_probe_read),
239 BPF_EXIT_INSN(),
240 },
241 .fixup_map_hash_48b = { 3 },
242 .result = ACCEPT,
243 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
244 },
245 {
246 "helper access to adjusted map (via const reg): partial range",
247 .insns = {
248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
251 BPF_LD_MAP_FD(BPF_REG_1, 0),
252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
255 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
256 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
257 BPF_MOV64_IMM(BPF_REG_2, 8),
258 BPF_MOV64_IMM(BPF_REG_3, 0),
259 BPF_EMIT_CALL(BPF_FUNC_probe_read),
260 BPF_EXIT_INSN(),
261 },
262 .fixup_map_hash_48b = { 3 },
263 .result = ACCEPT,
264 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
265 },
266 {
267 "helper access to adjusted map (via const reg): empty range",
268 .insns = {
269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
271 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
272 BPF_LD_MAP_FD(BPF_REG_1, 0),
273 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
276 BPF_MOV64_IMM(BPF_REG_3, 0),
277 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
278 BPF_MOV64_IMM(BPF_REG_2, 0),
279 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
280 BPF_EXIT_INSN(),
281 },
282 .fixup_map_hash_48b = { 3 },
283 .errstr = "R1 min value is outside of the array range",
284 .result = REJECT,
285 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
286 },
287 {
288 "helper access to adjusted map (via const reg): out-of-bound range",
289 .insns = {
290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
292 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
293 BPF_LD_MAP_FD(BPF_REG_1, 0),
294 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
297 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
299 BPF_MOV64_IMM(BPF_REG_2,
300 sizeof(struct test_val) -
301 offsetof(struct test_val, foo) + 8),
302 BPF_MOV64_IMM(BPF_REG_3, 0),
303 BPF_EMIT_CALL(BPF_FUNC_probe_read),
304 BPF_EXIT_INSN(),
305 },
306 .fixup_map_hash_48b = { 3 },
307 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
308 .result = REJECT,
309 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
310 },
311 {
312 "helper access to adjusted map (via const reg): negative range (> adjustment)",
313 .insns = {
314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
316 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
317 BPF_LD_MAP_FD(BPF_REG_1, 0),
318 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
321 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
322 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
323 BPF_MOV64_IMM(BPF_REG_2, -8),
324 BPF_MOV64_IMM(BPF_REG_3, 0),
325 BPF_EMIT_CALL(BPF_FUNC_probe_read),
326 BPF_EXIT_INSN(),
327 },
328 .fixup_map_hash_48b = { 3 },
329 .errstr = "R2 min value is negative",
330 .result = REJECT,
331 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
332 },
333 {
334 "helper access to adjusted map (via const reg): negative range (< adjustment)",
335 .insns = {
336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
338 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
339 BPF_LD_MAP_FD(BPF_REG_1, 0),
340 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
343 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
344 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
345 BPF_MOV64_IMM(BPF_REG_2, -1),
346 BPF_MOV64_IMM(BPF_REG_3, 0),
347 BPF_EMIT_CALL(BPF_FUNC_probe_read),
348 BPF_EXIT_INSN(),
349 },
350 .fixup_map_hash_48b = { 3 },
351 .errstr = "R2 min value is negative",
352 .result = REJECT,
353 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
354 },
355 {
356 "helper access to adjusted map (via variable): full range",
357 .insns = {
358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
360 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
361 BPF_LD_MAP_FD(BPF_REG_1, 0),
362 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
364 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
365 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
366 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
367 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
368 BPF_MOV64_IMM(BPF_REG_2,
369 sizeof(struct test_val) - offsetof(struct test_val, foo)),
370 BPF_MOV64_IMM(BPF_REG_3, 0),
371 BPF_EMIT_CALL(BPF_FUNC_probe_read),
372 BPF_EXIT_INSN(),
373 },
374 .fixup_map_hash_48b = { 3 },
375 .result = ACCEPT,
376 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
377 },
378 {
379 "helper access to adjusted map (via variable): partial range",
380 .insns = {
381 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
383 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
384 BPF_LD_MAP_FD(BPF_REG_1, 0),
385 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
386 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
387 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
388 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
389 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
390 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
391 BPF_MOV64_IMM(BPF_REG_2, 8),
392 BPF_MOV64_IMM(BPF_REG_3, 0),
393 BPF_EMIT_CALL(BPF_FUNC_probe_read),
394 BPF_EXIT_INSN(),
395 },
396 .fixup_map_hash_48b = { 3 },
397 .result = ACCEPT,
398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
399 },
400 {
401 "helper access to adjusted map (via variable): empty range",
402 .insns = {
403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
405 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
406 BPF_LD_MAP_FD(BPF_REG_1, 0),
407 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
408 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
410 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
411 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 3),
412 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
413 BPF_MOV64_IMM(BPF_REG_2, 0),
414 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
415 BPF_EXIT_INSN(),
416 },
417 .fixup_map_hash_48b = { 3 },
418 .errstr = "R1 min value is outside of the array range",
419 .result = REJECT,
420 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
421 },
422 {
423 "helper access to adjusted map (via variable): no max check",
424 .insns = {
425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
427 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
428 BPF_LD_MAP_FD(BPF_REG_1, 0),
429 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
430 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
432 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
433 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
434 BPF_MOV64_IMM(BPF_REG_2, 1),
435 BPF_MOV64_IMM(BPF_REG_3, 0),
436 BPF_EMIT_CALL(BPF_FUNC_probe_read),
437 BPF_EXIT_INSN(),
438 },
439 .fixup_map_hash_48b = { 3 },
440 .errstr = "R1 unbounded memory access",
441 .result = REJECT,
442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
443 },
444 {
445 "helper access to adjusted map (via variable): wrong max check",
446 .insns = {
447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
450 BPF_LD_MAP_FD(BPF_REG_1, 0),
451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
455 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
456 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
457 BPF_MOV64_IMM(BPF_REG_2,
458 sizeof(struct test_val) -
459 offsetof(struct test_val, foo) + 1),
460 BPF_MOV64_IMM(BPF_REG_3, 0),
461 BPF_EMIT_CALL(BPF_FUNC_probe_read),
462 BPF_EXIT_INSN(),
463 },
464 .fixup_map_hash_48b = { 3 },
465 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
466 .result = REJECT,
467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
468 },
469 {
470 "helper access to map: bounds check using <, good access",
471 .insns = {
472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
474 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
475 BPF_LD_MAP_FD(BPF_REG_1, 0),
476 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
479 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
480 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
481 BPF_MOV64_IMM(BPF_REG_0, 0),
482 BPF_EXIT_INSN(),
483 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
484 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
485 BPF_MOV64_IMM(BPF_REG_0, 0),
486 BPF_EXIT_INSN(),
487 },
488 .fixup_map_hash_48b = { 3 },
489 .result = ACCEPT,
490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
491 },
492 {
493 "helper access to map: bounds check using <, bad access",
494 .insns = {
495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
497 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
498 BPF_LD_MAP_FD(BPF_REG_1, 0),
499 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
500 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
503 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
504 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
505 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
506 BPF_MOV64_IMM(BPF_REG_0, 0),
507 BPF_EXIT_INSN(),
508 BPF_MOV64_IMM(BPF_REG_0, 0),
509 BPF_EXIT_INSN(),
510 },
511 .fixup_map_hash_48b = { 3 },
512 .result = REJECT,
513 .errstr = "R1 unbounded memory access",
514 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
515 },
516 {
517 "helper access to map: bounds check using <=, good access",
518 .insns = {
519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
521 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
522 BPF_LD_MAP_FD(BPF_REG_1, 0),
523 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
526 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
527 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
528 BPF_MOV64_IMM(BPF_REG_0, 0),
529 BPF_EXIT_INSN(),
530 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
531 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
532 BPF_MOV64_IMM(BPF_REG_0, 0),
533 BPF_EXIT_INSN(),
534 },
535 .fixup_map_hash_48b = { 3 },
536 .result = ACCEPT,
537 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
538 },
539 {
540 "helper access to map: bounds check using <=, bad access",
541 .insns = {
542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
544 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
545 BPF_LD_MAP_FD(BPF_REG_1, 0),
546 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
548 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
550 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
551 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
552 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
553 BPF_MOV64_IMM(BPF_REG_0, 0),
554 BPF_EXIT_INSN(),
555 BPF_MOV64_IMM(BPF_REG_0, 0),
556 BPF_EXIT_INSN(),
557 },
558 .fixup_map_hash_48b = { 3 },
559 .result = REJECT,
560 .errstr = "R1 unbounded memory access",
561 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
562 },
563 {
564 "helper access to map: bounds check using s<, good access",
565 .insns = {
566 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
568 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
569 BPF_LD_MAP_FD(BPF_REG_1, 0),
570 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
574 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
575 BPF_MOV64_IMM(BPF_REG_0, 0),
576 BPF_EXIT_INSN(),
577 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
578 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
579 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
580 BPF_MOV64_IMM(BPF_REG_0, 0),
581 BPF_EXIT_INSN(),
582 },
583 .fixup_map_hash_48b = { 3 },
584 .result = ACCEPT,
585 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
586 },
587 {
588 "helper access to map: bounds check using s<, good access 2",
589 .insns = {
590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
593 BPF_LD_MAP_FD(BPF_REG_1, 0),
594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
598 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
599 BPF_MOV64_IMM(BPF_REG_0, 0),
600 BPF_EXIT_INSN(),
601 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
602 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
603 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
604 BPF_MOV64_IMM(BPF_REG_0, 0),
605 BPF_EXIT_INSN(),
606 },
607 .fixup_map_hash_48b = { 3 },
608 .result = ACCEPT,
609 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
610 },
611 {
612 "helper access to map: bounds check using s<, bad access",
613 .insns = {
614 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
616 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
617 BPF_LD_MAP_FD(BPF_REG_1, 0),
618 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
619 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
621 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
622 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
623 BPF_MOV64_IMM(BPF_REG_0, 0),
624 BPF_EXIT_INSN(),
625 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
626 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
627 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
628 BPF_MOV64_IMM(BPF_REG_0, 0),
629 BPF_EXIT_INSN(),
630 },
631 .fixup_map_hash_48b = { 3 },
632 .result = REJECT,
633 .errstr = "R1 min value is negative",
634 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
635 },
636 {
637 "helper access to map: bounds check using s<=, good access",
638 .insns = {
639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
642 BPF_LD_MAP_FD(BPF_REG_1, 0),
643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
647 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
648 BPF_MOV64_IMM(BPF_REG_0, 0),
649 BPF_EXIT_INSN(),
650 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
651 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
652 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
653 BPF_MOV64_IMM(BPF_REG_0, 0),
654 BPF_EXIT_INSN(),
655 },
656 .fixup_map_hash_48b = { 3 },
657 .result = ACCEPT,
658 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
659 },
660 {
661 "helper access to map: bounds check using s<=, good access 2",
662 .insns = {
663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
666 BPF_LD_MAP_FD(BPF_REG_1, 0),
667 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
671 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
672 BPF_MOV64_IMM(BPF_REG_0, 0),
673 BPF_EXIT_INSN(),
674 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
675 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
676 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
677 BPF_MOV64_IMM(BPF_REG_0, 0),
678 BPF_EXIT_INSN(),
679 },
680 .fixup_map_hash_48b = { 3 },
681 .result = ACCEPT,
682 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
683 },
684 {
685 "helper access to map: bounds check using s<=, bad access",
686 .insns = {
687 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
689 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
690 BPF_LD_MAP_FD(BPF_REG_1, 0),
691 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
693 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
694 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
695 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
696 BPF_MOV64_IMM(BPF_REG_0, 0),
697 BPF_EXIT_INSN(),
698 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
699 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
700 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
701 BPF_MOV64_IMM(BPF_REG_0, 0),
702 BPF_EXIT_INSN(),
703 },
704 .fixup_map_hash_48b = { 3 },
705 .result = REJECT,
706 .errstr = "R1 min value is negative",
707 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
708 },
709 {
710 "map lookup helper access to map",
711 .insns = {
712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
714 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
715 BPF_LD_MAP_FD(BPF_REG_1, 0),
716 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
719 BPF_LD_MAP_FD(BPF_REG_1, 0),
720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
721 BPF_EXIT_INSN(),
722 },
723 .fixup_map_hash_16b = { 3, 8 },
724 .result = ACCEPT,
725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
726 },
727 {
728 "map update helper access to map",
729 .insns = {
730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
733 BPF_LD_MAP_FD(BPF_REG_1, 0),
734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
736 BPF_MOV64_IMM(BPF_REG_4, 0),
737 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
739 BPF_LD_MAP_FD(BPF_REG_1, 0),
740 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
741 BPF_EXIT_INSN(),
742 },
743 .fixup_map_hash_16b = { 3, 10 },
744 .result = ACCEPT,
745 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
746 },
747 {
748 "map update helper access to map: wrong size",
749 .insns = {
750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
752 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
753 BPF_LD_MAP_FD(BPF_REG_1, 0),
754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
756 BPF_MOV64_IMM(BPF_REG_4, 0),
757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
759 BPF_LD_MAP_FD(BPF_REG_1, 0),
760 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
761 BPF_EXIT_INSN(),
762 },
763 .fixup_map_hash_8b = { 3 },
764 .fixup_map_hash_16b = { 10 },
765 .result = REJECT,
766 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
767 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
768 },
769 {
770 "map helper access to adjusted map (via const imm)",
771 .insns = {
772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
775 BPF_LD_MAP_FD(BPF_REG_1, 0),
776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, offsetof(struct other_val, bar)),
780 BPF_LD_MAP_FD(BPF_REG_1, 0),
781 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
782 BPF_EXIT_INSN(),
783 },
784 .fixup_map_hash_16b = { 3, 9 },
785 .result = ACCEPT,
786 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
787 },
788 {
789 "map helper access to adjusted map (via const imm): out-of-bound 1",
790 .insns = {
791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
793 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
794 BPF_LD_MAP_FD(BPF_REG_1, 0),
795 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
797 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, sizeof(struct other_val) - 4),
799 BPF_LD_MAP_FD(BPF_REG_1, 0),
800 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
801 BPF_EXIT_INSN(),
802 },
803 .fixup_map_hash_16b = { 3, 9 },
804 .result = REJECT,
805 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
806 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
807 },
808 {
809 "map helper access to adjusted map (via const imm): out-of-bound 2",
810 .insns = {
811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
813 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
814 BPF_LD_MAP_FD(BPF_REG_1, 0),
815 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
819 BPF_LD_MAP_FD(BPF_REG_1, 0),
820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
821 BPF_EXIT_INSN(),
822 },
823 .fixup_map_hash_16b = { 3, 9 },
824 .result = REJECT,
825 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
826 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
827 },
828 {
829 "map helper access to adjusted map (via const reg)",
830 .insns = {
831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
833 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
834 BPF_LD_MAP_FD(BPF_REG_1, 0),
835 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
838 BPF_MOV64_IMM(BPF_REG_3, offsetof(struct other_val, bar)),
839 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
840 BPF_LD_MAP_FD(BPF_REG_1, 0),
841 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
842 BPF_EXIT_INSN(),
843 },
844 .fixup_map_hash_16b = { 3, 10 },
845 .result = ACCEPT,
846 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
847 },
848 {
849 "map helper access to adjusted map (via const reg): out-of-bound 1",
850 .insns = {
851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
853 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
854 BPF_LD_MAP_FD(BPF_REG_1, 0),
855 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
858 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct other_val) - 4),
859 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
860 BPF_LD_MAP_FD(BPF_REG_1, 0),
861 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
862 BPF_EXIT_INSN(),
863 },
864 .fixup_map_hash_16b = { 3, 10 },
865 .result = REJECT,
866 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
867 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
868 },
869 {
870 "map helper access to adjusted map (via const reg): out-of-bound 2",
871 .insns = {
872 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
874 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
875 BPF_LD_MAP_FD(BPF_REG_1, 0),
876 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
879 BPF_MOV64_IMM(BPF_REG_3, -4),
880 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
881 BPF_LD_MAP_FD(BPF_REG_1, 0),
882 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
883 BPF_EXIT_INSN(),
884 },
885 .fixup_map_hash_16b = { 3, 10 },
886 .result = REJECT,
887 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
888 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
889 },
890 {
891 "map helper access to adjusted map (via variable)",
892 .insns = {
893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
895 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
896 BPF_LD_MAP_FD(BPF_REG_1, 0),
897 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
900 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
901 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar), 4),
902 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
903 BPF_LD_MAP_FD(BPF_REG_1, 0),
904 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
905 BPF_EXIT_INSN(),
906 },
907 .fixup_map_hash_16b = { 3, 11 },
908 .result = ACCEPT,
909 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
910 },
911 {
912 "map helper access to adjusted map (via variable): no max check",
913 .insns = {
914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
916 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
917 BPF_LD_MAP_FD(BPF_REG_1, 0),
918 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
921 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
922 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
923 BPF_LD_MAP_FD(BPF_REG_1, 0),
924 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
925 BPF_EXIT_INSN(),
926 },
927 .fixup_map_hash_16b = { 3, 10 },
928 .result = REJECT,
929 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
930 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
931 },
932 {
933 "map helper access to adjusted map (via variable): wrong max check",
934 .insns = {
935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
937 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
938 BPF_LD_MAP_FD(BPF_REG_1, 0),
939 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
943 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar) + 1, 4),
944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
945 BPF_LD_MAP_FD(BPF_REG_1, 0),
946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
947 BPF_EXIT_INSN(),
948 },
949 .fixup_map_hash_16b = { 3, 11 },
950 .result = REJECT,
951 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
952 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
953 },