1 {
2 "valid map access into an array with a constant",
3 .insns = {
4 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7 BPF_LD_MAP_FD(BPF_REG_1, 0),
8 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
11 BPF_EXIT_INSN(),
12 },
13 .fixup_map_hash_48b = { 3 },
14 .errstr_unpriv = "R0 leaks addr",
15 .result_unpriv = REJECT,
16 .result = ACCEPT,
17 },
18 {
19 "valid map access into an array with a register",
20 .insns = {
21 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
22 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
23 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
24 BPF_LD_MAP_FD(BPF_REG_1, 0),
25 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
26 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
27 BPF_MOV64_IMM(BPF_REG_1, 4),
28 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
29 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
30 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
31 BPF_EXIT_INSN(),
32 },
33 .fixup_map_hash_48b = { 3 },
34 .errstr_unpriv = "R0 leaks addr",
35 .result_unpriv = REJECT,
36 .result = ACCEPT,
37 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
38 },
39 {
40 "valid map access into an array with a variable",
41 .insns = {
42 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
43 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
44 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
45 BPF_LD_MAP_FD(BPF_REG_1, 0),
46 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
48 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
49 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
50 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
51 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
52 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
53 BPF_EXIT_INSN(),
54 },
55 .fixup_map_hash_48b = { 3 },
56 .errstr_unpriv = "R0 leaks addr",
57 .result_unpriv = REJECT,
58 .result = ACCEPT,
59 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
60 },
61 {
62 "valid map access into an array with a signed variable",
63 .insns = {
64 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
65 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
67 BPF_LD_MAP_FD(BPF_REG_1, 0),
68 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
69 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
70 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
71 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
72 BPF_MOV32_IMM(BPF_REG_1, 0),
73 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
74 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
75 BPF_MOV32_IMM(BPF_REG_1, 0),
76 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
77 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
78 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
79 BPF_EXIT_INSN(),
80 },
81 .fixup_map_hash_48b = { 3 },
82 .errstr_unpriv = "R0 leaks addr",
83 .result_unpriv = REJECT,
84 .result = ACCEPT,
85 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
86 },
87 {
88 "invalid map access into an array with a constant",
89 .insns = {
90 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
91 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
92 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
93 BPF_LD_MAP_FD(BPF_REG_1, 0),
94 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
95 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
96 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
97 offsetof(struct test_val, foo)),
98 BPF_EXIT_INSN(),
99 },
100 .fixup_map_hash_48b = { 3 },
101 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
102 .result = REJECT,
103 },
104 {
105 "invalid map access into an array with a register",
106 .insns = {
107 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
110 BPF_LD_MAP_FD(BPF_REG_1, 0),
111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
113 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
114 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
115 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
116 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
117 BPF_EXIT_INSN(),
118 },
119 .fixup_map_hash_48b = { 3 },
120 .errstr = "R0 min value is outside of the array range",
121 .result = REJECT,
122 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
123 },
124 {
125 "invalid map access into an array with a variable",
126 .insns = {
127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
130 BPF_LD_MAP_FD(BPF_REG_1, 0),
131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
133 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
134 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
135 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
136 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
137 BPF_EXIT_INSN(),
138 },
139 .fixup_map_hash_48b = { 3 },
140 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
141 .result = REJECT,
142 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
143 },
144 {
145 "invalid map access into an array with no floor check",
146 .insns = {
147 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
150 BPF_LD_MAP_FD(BPF_REG_1, 0),
151 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
153 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
154 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
155 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
156 BPF_MOV32_IMM(BPF_REG_1, 0),
157 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
158 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
159 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
160 BPF_EXIT_INSN(),
161 },
162 .fixup_map_hash_48b = { 3 },
163 .errstr_unpriv = "R0 leaks addr",
164 .errstr = "R0 unbounded memory access",
165 .result_unpriv = REJECT,
166 .result = REJECT,
167 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
168 },
169 {
170 "invalid map access into an array with a invalid max check",
171 .insns = {
172 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
173 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
175 BPF_LD_MAP_FD(BPF_REG_1, 0),
176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
178 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
179 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
180 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
181 BPF_MOV32_IMM(BPF_REG_1, 0),
182 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
183 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
184 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
185 BPF_EXIT_INSN(),
186 },
187 .fixup_map_hash_48b = { 3 },
188 .errstr_unpriv = "R0 leaks addr",
189 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
190 .result_unpriv = REJECT,
191 .result = REJECT,
192 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
193 },
194 {
195 "invalid map access into an array with a invalid max check",
196 .insns = {
197 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
198 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
200 BPF_LD_MAP_FD(BPF_REG_1, 0),
201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
203 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
207 BPF_LD_MAP_FD(BPF_REG_1, 0),
208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
210 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
211 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
212 offsetof(struct test_val, foo)),
213 BPF_EXIT_INSN(),
214 },
215 .fixup_map_hash_48b = { 3, 11 },
216 .errstr = "R0 pointer += pointer",
217 .result = REJECT,
218 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
219 },
220 {
221 "valid read map access into a read-only array 1",
222 .insns = {
223 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
226 BPF_LD_MAP_FD(BPF_REG_1, 0),
227 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
229 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
230 BPF_EXIT_INSN(),
231 },
232 .fixup_map_array_ro = { 3 },
233 .result = ACCEPT,
234 .retval = 28,
235 },
236 {
237 "valid read map access into a read-only array 2",
238 .insns = {
239 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
242 BPF_LD_MAP_FD(BPF_REG_1, 0),
243 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
245
246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
247 BPF_MOV64_IMM(BPF_REG_2, 4),
248 BPF_MOV64_IMM(BPF_REG_3, 0),
249 BPF_MOV64_IMM(BPF_REG_4, 0),
250 BPF_MOV64_IMM(BPF_REG_5, 0),
251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
252 BPF_FUNC_csum_diff),
253 BPF_EXIT_INSN(),
254 },
255 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
256 .fixup_map_array_ro = { 3 },
257 .result = ACCEPT,
258 .retval = -29,
259 },
260 {
261 "invalid write map access into a read-only array 1",
262 .insns = {
263 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
264 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
266 BPF_LD_MAP_FD(BPF_REG_1, 0),
267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
269 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
270 BPF_EXIT_INSN(),
271 },
272 .fixup_map_array_ro = { 3 },
273 .result = REJECT,
274 .errstr = "write into map forbidden",
275 },
276 {
277 "invalid write map access into a read-only array 2",
278 .insns = {
279 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
280 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
283 BPF_LD_MAP_FD(BPF_REG_1, 0),
284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
287 BPF_MOV64_IMM(BPF_REG_2, 0),
288 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
289 BPF_MOV64_IMM(BPF_REG_4, 8),
290 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
291 BPF_FUNC_skb_load_bytes),
292 BPF_EXIT_INSN(),
293 },
294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
295 .fixup_map_array_ro = { 4 },
296 .result = REJECT,
297 .errstr = "write into map forbidden",
298 },
299 {
300 "valid write map access into a write-only array 1",
301 .insns = {
302 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
305 BPF_LD_MAP_FD(BPF_REG_1, 0),
306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
307 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
308 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
309 BPF_MOV64_IMM(BPF_REG_0, 1),
310 BPF_EXIT_INSN(),
311 },
312 .fixup_map_array_wo = { 3 },
313 .result = ACCEPT,
314 .retval = 1,
315 },
316 {
317 "valid write map access into a write-only array 2",
318 .insns = {
319 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
320 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
321 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
323 BPF_LD_MAP_FD(BPF_REG_1, 0),
324 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
326 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
327 BPF_MOV64_IMM(BPF_REG_2, 0),
328 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
329 BPF_MOV64_IMM(BPF_REG_4, 8),
330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
331 BPF_FUNC_skb_load_bytes),
332 BPF_EXIT_INSN(),
333 },
334 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
335 .fixup_map_array_wo = { 4 },
336 .result = ACCEPT,
337 .retval = 0,
338 },
339 {
340 "invalid read map access into a write-only array 1",
341 .insns = {
342 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
343 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
345 BPF_LD_MAP_FD(BPF_REG_1, 0),
346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
347 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
348 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
349 BPF_EXIT_INSN(),
350 },
351 .fixup_map_array_wo = { 3 },
352 .result = REJECT,
353 .errstr = "read from map forbidden",
354 },
355 {
356 "invalid read map access into a write-only array 2",
357 .insns = {
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
361 BPF_LD_MAP_FD(BPF_REG_1, 0),
362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
364
365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
366 BPF_MOV64_IMM(BPF_REG_2, 4),
367 BPF_MOV64_IMM(BPF_REG_3, 0),
368 BPF_MOV64_IMM(BPF_REG_4, 0),
369 BPF_MOV64_IMM(BPF_REG_5, 0),
370 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
371 BPF_FUNC_csum_diff),
372 BPF_EXIT_INSN(),
373 },
374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
375 .fixup_map_array_wo = { 3 },
376 .result = REJECT,
377 .errstr = "read from map forbidden",
378 },