1*4882a593Smuzhiyun { 2*4882a593Smuzhiyun "valid map access into an array with a constant", 3*4882a593Smuzhiyun .insns = { 4*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 8*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 9*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 10*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 11*4882a593Smuzhiyun BPF_EXIT_INSN(), 12*4882a593Smuzhiyun }, 13*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 14*4882a593Smuzhiyun .errstr_unpriv = "R0 leaks addr", 15*4882a593Smuzhiyun .result_unpriv = REJECT, 16*4882a593Smuzhiyun .result = ACCEPT, 17*4882a593Smuzhiyun }, 18*4882a593Smuzhiyun { 19*4882a593Smuzhiyun "valid map access into an array with a register", 20*4882a593Smuzhiyun .insns = { 21*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 22*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 23*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 24*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 25*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 26*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 27*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_1, 4), 28*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 29*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 30*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 31*4882a593Smuzhiyun BPF_EXIT_INSN(), 32*4882a593Smuzhiyun }, 33*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 34*4882a593Smuzhiyun .errstr_unpriv = "R0 leaks addr", 35*4882a593Smuzhiyun .result_unpriv = REJECT, 36*4882a593Smuzhiyun .result = ACCEPT, 37*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 38*4882a593Smuzhiyun }, 39*4882a593Smuzhiyun { 40*4882a593Smuzhiyun "valid map access into an array with a variable", 41*4882a593Smuzhiyun .insns = { 42*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 43*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 44*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 45*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 46*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 47*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 48*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 49*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 50*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 51*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 52*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 53*4882a593Smuzhiyun BPF_EXIT_INSN(), 54*4882a593Smuzhiyun }, 55*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 56*4882a593Smuzhiyun .errstr_unpriv = "R0 leaks addr", 57*4882a593Smuzhiyun .result_unpriv = REJECT, 58*4882a593Smuzhiyun .result = ACCEPT, 59*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 60*4882a593Smuzhiyun }, 61*4882a593Smuzhiyun { 62*4882a593Smuzhiyun "valid map access into an array with a signed variable", 63*4882a593Smuzhiyun .insns = { 64*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 65*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 66*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 67*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 68*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 69*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 70*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 71*4882a593Smuzhiyun BPF_JMP32_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 72*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_1, 0), 73*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 74*4882a593Smuzhiyun BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 75*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_1, 0), 76*4882a593Smuzhiyun BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 77*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 78*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 79*4882a593Smuzhiyun BPF_EXIT_INSN(), 80*4882a593Smuzhiyun }, 81*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 82*4882a593Smuzhiyun .errstr_unpriv = "R0 leaks addr", 83*4882a593Smuzhiyun .result_unpriv = REJECT, 84*4882a593Smuzhiyun .result = ACCEPT, 85*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 86*4882a593Smuzhiyun }, 87*4882a593Smuzhiyun { 88*4882a593Smuzhiyun "invalid map access into an array with a constant", 89*4882a593Smuzhiyun .insns = { 90*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 91*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 92*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 93*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 94*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 95*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 96*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 97*4882a593Smuzhiyun offsetof(struct test_val, foo)), 98*4882a593Smuzhiyun BPF_EXIT_INSN(), 99*4882a593Smuzhiyun }, 100*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 101*4882a593Smuzhiyun .errstr = "invalid access to map value, value_size=48 off=48 size=8", 102*4882a593Smuzhiyun .result = REJECT, 103*4882a593Smuzhiyun }, 104*4882a593Smuzhiyun { 105*4882a593Smuzhiyun "invalid map access into an array with a register", 106*4882a593Smuzhiyun .insns = { 107*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 108*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 109*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 110*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 111*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 112*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 113*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 114*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 115*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 116*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 117*4882a593Smuzhiyun BPF_EXIT_INSN(), 118*4882a593Smuzhiyun }, 119*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 120*4882a593Smuzhiyun .errstr = "R0 min value is outside of the allowed memory range", 121*4882a593Smuzhiyun .result = REJECT, 122*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 123*4882a593Smuzhiyun }, 124*4882a593Smuzhiyun { 125*4882a593Smuzhiyun "invalid map access into an array with a variable", 126*4882a593Smuzhiyun .insns = { 127*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 128*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 129*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 130*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 131*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 132*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 133*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 134*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 135*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 136*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 137*4882a593Smuzhiyun BPF_EXIT_INSN(), 138*4882a593Smuzhiyun }, 139*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 140*4882a593Smuzhiyun .errstr = "R0 unbounded memory access, make sure to bounds check any such access", 141*4882a593Smuzhiyun .result = REJECT, 142*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 143*4882a593Smuzhiyun }, 144*4882a593Smuzhiyun { 145*4882a593Smuzhiyun "invalid map access into an array with no floor check", 146*4882a593Smuzhiyun .insns = { 147*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 148*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 149*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 150*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 151*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 152*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 153*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 154*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 155*4882a593Smuzhiyun BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 156*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_1, 0), 157*4882a593Smuzhiyun BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 158*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 159*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 160*4882a593Smuzhiyun BPF_EXIT_INSN(), 161*4882a593Smuzhiyun }, 162*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 163*4882a593Smuzhiyun .errstr_unpriv = "R0 leaks addr", 164*4882a593Smuzhiyun .errstr = "R0 unbounded memory access", 165*4882a593Smuzhiyun .result_unpriv = REJECT, 166*4882a593Smuzhiyun .result = REJECT, 167*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 168*4882a593Smuzhiyun }, 169*4882a593Smuzhiyun { 170*4882a593Smuzhiyun "invalid map access into an array with a invalid max check", 171*4882a593Smuzhiyun .insns = { 172*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 173*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 174*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 175*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 176*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 177*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 178*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 179*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 180*4882a593Smuzhiyun BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 181*4882a593Smuzhiyun BPF_MOV32_IMM(BPF_REG_1, 0), 182*4882a593Smuzhiyun BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 183*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 184*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 185*4882a593Smuzhiyun BPF_EXIT_INSN(), 186*4882a593Smuzhiyun }, 187*4882a593Smuzhiyun .fixup_map_hash_48b = { 3 }, 188*4882a593Smuzhiyun .errstr_unpriv = "R0 leaks addr", 189*4882a593Smuzhiyun .errstr = "invalid access to map value, value_size=48 off=44 size=8", 190*4882a593Smuzhiyun .result_unpriv = REJECT, 191*4882a593Smuzhiyun .result = REJECT, 192*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 193*4882a593Smuzhiyun }, 194*4882a593Smuzhiyun { 195*4882a593Smuzhiyun "invalid map access into an array with a invalid max check", 196*4882a593Smuzhiyun .insns = { 197*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 198*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 199*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 200*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 201*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 202*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 203*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 204*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 205*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 206*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 207*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 208*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 209*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 210*4882a593Smuzhiyun BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 211*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 212*4882a593Smuzhiyun offsetof(struct test_val, foo)), 213*4882a593Smuzhiyun BPF_EXIT_INSN(), 214*4882a593Smuzhiyun }, 215*4882a593Smuzhiyun .fixup_map_hash_48b = { 3, 11 }, 216*4882a593Smuzhiyun .errstr = "R0 pointer += pointer", 217*4882a593Smuzhiyun .result = REJECT, 218*4882a593Smuzhiyun .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 219*4882a593Smuzhiyun }, 220*4882a593Smuzhiyun { 221*4882a593Smuzhiyun "valid read map access into a read-only array 1", 222*4882a593Smuzhiyun .insns = { 223*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 224*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 225*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 226*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 227*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 228*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 229*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 230*4882a593Smuzhiyun BPF_EXIT_INSN(), 231*4882a593Smuzhiyun }, 232*4882a593Smuzhiyun .fixup_map_array_ro = { 3 }, 233*4882a593Smuzhiyun .result = ACCEPT, 234*4882a593Smuzhiyun .retval = 28, 235*4882a593Smuzhiyun }, 236*4882a593Smuzhiyun { 237*4882a593Smuzhiyun "valid read map access into a read-only array 2", 238*4882a593Smuzhiyun .insns = { 239*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 240*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 241*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 242*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 243*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 244*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 245*4882a593Smuzhiyun 246*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 247*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_2, 4), 248*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_3, 0), 249*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_4, 0), 250*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_5, 0), 251*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 252*4882a593Smuzhiyun BPF_FUNC_csum_diff), 253*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff), 254*4882a593Smuzhiyun BPF_EXIT_INSN(), 255*4882a593Smuzhiyun }, 256*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_CLS, 257*4882a593Smuzhiyun .fixup_map_array_ro = { 3 }, 258*4882a593Smuzhiyun .result = ACCEPT, 259*4882a593Smuzhiyun .retval = 65507, 260*4882a593Smuzhiyun }, 261*4882a593Smuzhiyun { 262*4882a593Smuzhiyun "invalid write map access into a read-only array 1", 263*4882a593Smuzhiyun .insns = { 264*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 265*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 266*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 267*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 268*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 269*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 270*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 271*4882a593Smuzhiyun BPF_EXIT_INSN(), 272*4882a593Smuzhiyun }, 273*4882a593Smuzhiyun .fixup_map_array_ro = { 3 }, 274*4882a593Smuzhiyun .result = REJECT, 275*4882a593Smuzhiyun .errstr = "write into map forbidden", 276*4882a593Smuzhiyun }, 277*4882a593Smuzhiyun { 278*4882a593Smuzhiyun "invalid write map access into a read-only array 2", 279*4882a593Smuzhiyun .insns = { 280*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 281*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 282*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 283*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 284*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 285*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 286*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 287*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 288*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_2, 0), 289*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 290*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_4, 8), 291*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 292*4882a593Smuzhiyun BPF_FUNC_skb_load_bytes), 293*4882a593Smuzhiyun BPF_EXIT_INSN(), 294*4882a593Smuzhiyun }, 295*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_CLS, 296*4882a593Smuzhiyun .fixup_map_array_ro = { 4 }, 297*4882a593Smuzhiyun .result = REJECT, 298*4882a593Smuzhiyun .errstr = "write into map forbidden", 299*4882a593Smuzhiyun }, 300*4882a593Smuzhiyun { 301*4882a593Smuzhiyun "valid write map access into a write-only array 1", 302*4882a593Smuzhiyun .insns = { 303*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 304*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 305*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 306*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 307*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 308*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 309*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 310*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 1), 311*4882a593Smuzhiyun BPF_EXIT_INSN(), 312*4882a593Smuzhiyun }, 313*4882a593Smuzhiyun .fixup_map_array_wo = { 3 }, 314*4882a593Smuzhiyun .result = ACCEPT, 315*4882a593Smuzhiyun .retval = 1, 316*4882a593Smuzhiyun }, 317*4882a593Smuzhiyun { 318*4882a593Smuzhiyun "valid write map access into a write-only array 2", 319*4882a593Smuzhiyun .insns = { 320*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 321*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 322*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 323*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 324*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 325*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 326*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 327*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 328*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_2, 0), 329*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 330*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_4, 8), 331*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 332*4882a593Smuzhiyun BPF_FUNC_skb_load_bytes), 333*4882a593Smuzhiyun BPF_EXIT_INSN(), 334*4882a593Smuzhiyun }, 335*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_CLS, 336*4882a593Smuzhiyun .fixup_map_array_wo = { 4 }, 337*4882a593Smuzhiyun .result = ACCEPT, 338*4882a593Smuzhiyun .retval = 0, 339*4882a593Smuzhiyun }, 340*4882a593Smuzhiyun { 341*4882a593Smuzhiyun "invalid read map access into a write-only array 1", 342*4882a593Smuzhiyun .insns = { 343*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 344*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 345*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 346*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 347*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 348*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 349*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 350*4882a593Smuzhiyun BPF_EXIT_INSN(), 351*4882a593Smuzhiyun }, 352*4882a593Smuzhiyun .fixup_map_array_wo = { 3 }, 353*4882a593Smuzhiyun .result = REJECT, 354*4882a593Smuzhiyun .errstr = "read from map forbidden", 355*4882a593Smuzhiyun }, 356*4882a593Smuzhiyun { 357*4882a593Smuzhiyun "invalid read map access into a write-only array 2", 358*4882a593Smuzhiyun .insns = { 359*4882a593Smuzhiyun BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 360*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 361*4882a593Smuzhiyun BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 362*4882a593Smuzhiyun BPF_LD_MAP_FD(BPF_REG_1, 0), 363*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 364*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 365*4882a593Smuzhiyun 366*4882a593Smuzhiyun BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 367*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_2, 4), 368*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_3, 0), 369*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_4, 0), 370*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_5, 0), 371*4882a593Smuzhiyun BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 372*4882a593Smuzhiyun BPF_FUNC_csum_diff), 373*4882a593Smuzhiyun BPF_EXIT_INSN(), 374*4882a593Smuzhiyun }, 375*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_CLS, 376*4882a593Smuzhiyun .fixup_map_array_wo = { 3 }, 377*4882a593Smuzhiyun .result = REJECT, 378*4882a593Smuzhiyun .errstr = "read from map forbidden", 379*4882a593Smuzhiyun }, 380