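/*
 * Verifier test vectors for context access through struct __sk_buff.
 *
 * Each entry gives a test name, an instruction sequence (.insns) and the
 * verdict the verifier is expected to return (.result).  REJECT entries also
 * give the expected error text in .errstr; .errstr_unpriv is presumably the
 * text expected for an unprivileged load (confirm against the harness).
 * Entries without .prog_type rely on the harness default program type, which
 * is not visible in this file.
 *
 * In every program R1 is used as the base register for the __sk_buff offsets,
 * so it is treated here as the context pointer.
 */

/* Word-sized loads of several __sk_buff fields, each followed by a
 * conditional jump on the loaded value in R0; all are expected to pass.
 */
{
	"access skb fields ok",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, len)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, mark)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, pkt_type)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, queue_mapping)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, protocol)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, vlan_present)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, vlan_tci)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, napi_id)),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* A load at a negative offset from the context pointer must be rejected. */
{
	"access skb fields bad1",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
/* bad2..bad4: one load instruction is reachable on two paths, once with R1
 * still holding the context pointer and once with R1 overwritten by the
 * result of bpf_map_lookup_elem().  The verifier must refuse to treat the
 * same instruction as both kinds of access ("different pointers").  The
 * leading comparison of R1 against an immediate is what the unprivileged
 * error text refers to.
 */
{
	"access skb fields bad2",
	.insns = {
	/* Jumps straight to the final load, keeping R1 as loaded at entry. */
	BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_EXIT_INSN(),
	/* Fall-through path: R1 now comes from the map lookup. */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, pkt_type)),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },
	.errstr = "different pointers",
	.errstr_unpriv = "R1 pointer comparison",
	.result = REJECT,
},
{
	"access skb fields bad3",
	.insns = {
	BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, pkt_type)),
	BPF_EXIT_INSN(),
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_EXIT_INSN(),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	/* Backward jump to the load above, now with R1 from the lookup. */
	BPF_JMP_IMM(BPF_JA, 0, 0, -12),
	},
	.fixup_map_hash_8b = { 6 },
	.errstr = "different pointers",
	.errstr_unpriv = "R1 pointer comparison",
	.result = REJECT,
},
{
	"access skb fields bad4",
	.insns = {
	BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
		    offsetof(struct __sk_buff, len)),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_EXIT_INSN(),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	/* Backward jump to the load above, now with R1 from the lookup. */
	BPF_JMP_IMM(BPF_JA, 0, 0, -13),
	},
	.fixup_map_hash_8b = { 7 },
	.errstr = "different pointers",
	.errstr_unpriv = "R1 pointer comparison",
	.result = REJECT,
},
/* Socket address fields: reads are rejected when no .prog_type is given.
 * The same reads are accepted further down for BPF_PROG_TYPE_SK_SKB.
 */
{
	"invalid access __sk_buff family",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, family)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"invalid access __sk_buff remote_ip4",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip4)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"invalid access __sk_buff local_ip4",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip4)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"invalid access __sk_buff remote_ip6",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip6)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"invalid access __sk_buff local_ip6",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip6)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"invalid access __sk_buff remote_port",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_port)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
/* Reads local_port; the name matches the field so that a failure of this
 * case is not confused with the remote_port case above.
 */
{
	"invalid access __sk_buff local_port",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_port)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
/* The same socket address fields, read from a BPF_PROG_TYPE_SK_SKB program,
 * are expected to be accepted.
 */
{
	"valid access __sk_buff family",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, family)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"valid access __sk_buff remote_ip4",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip4)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"valid access __sk_buff local_ip4",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip4)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"valid access __sk_buff remote_ip6",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip6[0])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip6[1])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip6[2])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_ip6[3])),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"valid access __sk_buff local_ip6",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip6[0])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip6[1])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip6[2])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_ip6[3])),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"valid access __sk_buff remote_port",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, remote_port)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
/* Reads local_port; the name matches the field so that a failure of this
 * case is not confused with the remote_port case above.
 */
{
	"valid access __sk_buff local_port",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, local_port)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
/* Fields an SK_SKB program must not read (tc_classid, mark) or write (mark),
 * followed by the two fields it is allowed to write (tc_index, priority).
 */
{
	"invalid access of tc_classid for SK_SKB",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, tc_classid)),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
	.errstr = "invalid bpf_context access",
},
{
	"invalid access of skb->mark for SK_SKB",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
	.errstr = "invalid bpf_context access",
},
{
	"check skb->mark is not writeable by SK_SKB",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
	.errstr = "invalid bpf_context access",
},
{
	"check skb->tc_index is writeable by SK_SKB",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, tc_index)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"check skb->priority is writeable by SK_SKB",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, priority)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
/* Direct packet access from SK_SKB: each program compares data + N against
 * data_end and skips the access when the bound would be exceeded.
 */
{
	"direct packet read for SK_SKB",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		    offsetof(struct __sk_buff, data)),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		    offsetof(struct __sk_buff, data_end)),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
	/* Skip the byte load when data + 8 > data_end. */
	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"direct packet write for SK_SKB",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		    offsetof(struct __sk_buff, data)),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		    offsetof(struct __sk_buff, data_end)),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
	/* Skip the byte store when data + 8 > data_end. */
	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
	"overlapping checks for direct packet access SK_SKB",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		    offsetof(struct __sk_buff, data)),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		    offsetof(struct __sk_buff, data_end)),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
	/* First bound: data + 8 against data_end. */
	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
	/* Second, smaller bound: data + 6 against data_end. */
	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
	/* Half-word load covering bytes 6..7 of the packet. */
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SK_SKB,
},
/* Stores to mark / tc_index with no .prog_type set.  The value stored is R1
 * itself, which is why the unprivileged error text reports an address leak
 * rather than an invalid context access.
 */
{
	"check skb->mark is not writeable by sockets",
	.insns = {
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.errstr_unpriv = "R1 leaks addr",
	.result = REJECT,
},
{
	"check skb->tc_index is not writeable by sockets",
	.insns = {
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
		    offsetof(struct __sk_buff, tc_index)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.errstr_unpriv = "R1 leaks addr",
	.result = REJECT,
},
/* Byte-granular access to cb[]: a store and then a load at every byte offset
 * of cb[0] through cb[4].
 */
{
	"check cb access: byte",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0]) + 1),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0]) + 2),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0]) + 3),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1])),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1]) + 1),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1]) + 2),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1]) + 3),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2])),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2]) + 1),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2]) + 2),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2]) + 3),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3])),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3]) + 1),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3]) + 2),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3]) + 3),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4])),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4]) + 1),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4]) + 2),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4]) + 3),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0]) + 1),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0]) + 2),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0]) + 3),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1])),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1]) + 1),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1]) + 2),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1]) + 3),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2])),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2]) + 1),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2]) + 2),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2]) + 3),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3])),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3]) + 1),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3]) + 2),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3]) + 3),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4])),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4]) + 1),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4]) + 2),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4]) + 3),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* Byte stores to hash and to tc_index + 3 must be rejected. */
{
	"__sk_buff->hash, offset 0, byte store not permitted",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, hash)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"__sk_buff->tc_index, offset 3, byte store not permitted",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, tc_index) + 3),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
/* Byte loads from hash are accepted at each of its four byte offsets.  In
 * the first and last case the offset tested depends on the host byte order.
 */
{
	"check skb->hash byte load permitted",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
#if __BYTE_ORDER == __LITTLE_ENDIAN
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash)),
#else
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 3),
#endif
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
{
	"check skb->hash byte load permitted 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 1),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
{
	"check skb->hash byte load permitted 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 2),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
{
	"check skb->hash byte load permitted 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
#if __BYTE_ORDER == __LITTLE_ENDIAN
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 3),
#else
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash)),
#endif
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* The same cb[0] byte store is rejected for BPF_PROG_TYPE_CGROUP_SOCK. */
{
	"check cb access: byte, wrong type",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
},
/* Half-word access to cb[]: a store and then a load at both 2-byte offsets
 * of cb[0] through cb[4].
 */
{
	"check cb access: half",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0]) + 2),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1])),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1]) + 2),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2])),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2]) + 2),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3])),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3]) + 2),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4])),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4]) + 2),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0]) + 2),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1])),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1]) + 2),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2])),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2]) + 2),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3])),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3]) + 2),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4])),
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4]) + 2),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* A half-word store at an odd offset is rejected as misaligned when the
 * program is loaded with F_LOAD_WITH_STRICT_ALIGNMENT.
 */
{
	"check cb access: half, unaligned",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0]) + 1),
	BPF_EXIT_INSN(),
	},
	.errstr = "misaligned context access",
	.result = REJECT,
	.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
},
/* Half-word stores to hash and to tc_index + 2 must be rejected. */
{
	"check __sk_buff->hash, offset 0, half store not permitted",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, hash)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
{
	"check __sk_buff->tc_index, offset 2, half store not permitted",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, tc_index) + 2),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
/* Half-word loads from hash: accepted at offsets 0 and 2, rejected at the
 * odd offsets 1 and 3.  The offset used in each case depends on the host
 * byte order.
 */
{
	"check skb->hash half load permitted",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
#if __BYTE_ORDER == __LITTLE_ENDIAN
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash)),
#else
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 2),
#endif
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
{
	"check skb->hash half load permitted 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
#if __BYTE_ORDER == __LITTLE_ENDIAN
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 2),
#else
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash)),
#endif
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
{
	"check skb->hash half load not permitted, unaligned 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
#if __BYTE_ORDER == __LITTLE_ENDIAN
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 1),
#else
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 3),
#endif
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	"check skb->hash half load not permitted, unaligned 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
#if __BYTE_ORDER == __LITTLE_ENDIAN
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 3),
#else
	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, hash) + 1),
#endif
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
/* The same cb[0] half-word store is rejected for BPF_PROG_TYPE_CGROUP_SOCK. */
{
	"check cb access: half, wrong type",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
},
/* Word access to cb[]: a store and then a load of cb[0] through cb[4]. */
{
	"check cb access: word",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[1])),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[2])),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[3])),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[0])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[1])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[2])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[3])),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, cb[4])),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* Word stores at offsets that are not a multiple of four are rejected as
 * misaligned under F_LOAD_WITH_STRICT_ALIGNMENT.
 */
{
	"check cb access: word, unaligned 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[0]) + 2),
	BPF_EXIT_INSN(),
	},
	.errstr = "misaligned context access",
	.result = REJECT,
	.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
},
{
	"check cb access: word, unaligned 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, cb[4]) + 1),
	BPF_EXIT_INSN(),
	},
	.errstr = "misaligned context access",
	.result = REJECT,
	.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
},
{
	"check cb access: word, unaligned 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),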
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 778*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[4]) + 2), 779*4882a593Smuzhiyun BPF_EXIT_INSN(), 780*4882a593Smuzhiyun }, 781*4882a593Smuzhiyun .errstr = "misaligned context access", 782*4882a593Smuzhiyun .result = REJECT, 783*4882a593Smuzhiyun .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 784*4882a593Smuzhiyun }, 785*4882a593Smuzhiyun { 786*4882a593Smuzhiyun "check cb access: word, unaligned 4", 787*4882a593Smuzhiyun .insns = { 788*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 789*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 790*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[4]) + 3), 791*4882a593Smuzhiyun BPF_EXIT_INSN(), 792*4882a593Smuzhiyun }, 793*4882a593Smuzhiyun .errstr = "misaligned context access", 794*4882a593Smuzhiyun .result = REJECT, 795*4882a593Smuzhiyun .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 796*4882a593Smuzhiyun }, 797*4882a593Smuzhiyun { 798*4882a593Smuzhiyun "check cb access: double", 799*4882a593Smuzhiyun .insns = { 800*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 801*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 802*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[0])), 803*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 804*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[2])), 805*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 806*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[0])), 807*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 808*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[2])), 809*4882a593Smuzhiyun BPF_EXIT_INSN(), 810*4882a593Smuzhiyun }, 811*4882a593Smuzhiyun .result = ACCEPT, 812*4882a593Smuzhiyun }, 813*4882a593Smuzhiyun { 814*4882a593Smuzhiyun "check cb access: double, unaligned 1", 815*4882a593Smuzhiyun .insns = { 816*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 817*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 818*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[1])), 819*4882a593Smuzhiyun 
BPF_EXIT_INSN(), 820*4882a593Smuzhiyun }, 821*4882a593Smuzhiyun .errstr = "misaligned context access", 822*4882a593Smuzhiyun .result = REJECT, 823*4882a593Smuzhiyun .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 824*4882a593Smuzhiyun }, 825*4882a593Smuzhiyun { 826*4882a593Smuzhiyun "check cb access: double, unaligned 2", 827*4882a593Smuzhiyun .insns = { 828*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 829*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 830*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[3])), 831*4882a593Smuzhiyun BPF_EXIT_INSN(), 832*4882a593Smuzhiyun }, 833*4882a593Smuzhiyun .errstr = "misaligned context access", 834*4882a593Smuzhiyun .result = REJECT, 835*4882a593Smuzhiyun .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 836*4882a593Smuzhiyun }, 837*4882a593Smuzhiyun { 838*4882a593Smuzhiyun "check cb access: double, oob 1", 839*4882a593Smuzhiyun .insns = { 840*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 841*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 842*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[4])), 843*4882a593Smuzhiyun BPF_EXIT_INSN(), 844*4882a593Smuzhiyun }, 845*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 846*4882a593Smuzhiyun .result = REJECT, 847*4882a593Smuzhiyun }, 848*4882a593Smuzhiyun { 849*4882a593Smuzhiyun "check cb access: double, oob 2", 850*4882a593Smuzhiyun .insns = { 851*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 852*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 853*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[4])), 854*4882a593Smuzhiyun BPF_EXIT_INSN(), 855*4882a593Smuzhiyun }, 856*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 857*4882a593Smuzhiyun .result = REJECT, 858*4882a593Smuzhiyun }, 859*4882a593Smuzhiyun { 860*4882a593Smuzhiyun "check __sk_buff->ifindex dw store not permitted", 861*4882a593Smuzhiyun .insns = { 862*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 863*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 864*4882a593Smuzhiyun 
offsetof(struct __sk_buff, ifindex)), 865*4882a593Smuzhiyun BPF_EXIT_INSN(), 866*4882a593Smuzhiyun }, 867*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 868*4882a593Smuzhiyun .result = REJECT, 869*4882a593Smuzhiyun }, 870*4882a593Smuzhiyun { 871*4882a593Smuzhiyun "check __sk_buff->ifindex dw load not permitted", 872*4882a593Smuzhiyun .insns = { 873*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 874*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 875*4882a593Smuzhiyun offsetof(struct __sk_buff, ifindex)), 876*4882a593Smuzhiyun BPF_EXIT_INSN(), 877*4882a593Smuzhiyun }, 878*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 879*4882a593Smuzhiyun .result = REJECT, 880*4882a593Smuzhiyun }, 881*4882a593Smuzhiyun { 882*4882a593Smuzhiyun "check cb access: double, wrong type", 883*4882a593Smuzhiyun .insns = { 884*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 885*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 886*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[0])), 887*4882a593Smuzhiyun BPF_EXIT_INSN(), 888*4882a593Smuzhiyun }, 889*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 890*4882a593Smuzhiyun .result = REJECT, 891*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 892*4882a593Smuzhiyun }, 893*4882a593Smuzhiyun { 894*4882a593Smuzhiyun "check out of range skb->cb access", 895*4882a593Smuzhiyun .insns = { 896*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 897*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[0]) + 256), 898*4882a593Smuzhiyun BPF_EXIT_INSN(), 899*4882a593Smuzhiyun }, 900*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 901*4882a593Smuzhiyun .errstr_unpriv = "", 902*4882a593Smuzhiyun .result = REJECT, 903*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_ACT, 904*4882a593Smuzhiyun }, 905*4882a593Smuzhiyun { 906*4882a593Smuzhiyun "write skb fields from socket prog", 907*4882a593Smuzhiyun .insns = { 908*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 
909*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[4])), 910*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 911*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 912*4882a593Smuzhiyun offsetof(struct __sk_buff, mark)), 913*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 914*4882a593Smuzhiyun offsetof(struct __sk_buff, tc_index)), 915*4882a593Smuzhiyun BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 916*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 917*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[0])), 918*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 919*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[2])), 920*4882a593Smuzhiyun BPF_EXIT_INSN(), 921*4882a593Smuzhiyun }, 922*4882a593Smuzhiyun .result = ACCEPT, 923*4882a593Smuzhiyun .errstr_unpriv = "R1 leaks addr", 924*4882a593Smuzhiyun .result_unpriv = REJECT, 925*4882a593Smuzhiyun }, 926*4882a593Smuzhiyun { 927*4882a593Smuzhiyun "write skb fields from tc_cls_act prog", 928*4882a593Smuzhiyun .insns = { 929*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 930*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[0])), 931*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 932*4882a593Smuzhiyun offsetof(struct __sk_buff, mark)), 933*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 934*4882a593Smuzhiyun offsetof(struct __sk_buff, tc_index)), 935*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 936*4882a593Smuzhiyun offsetof(struct __sk_buff, tc_index)), 937*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 938*4882a593Smuzhiyun offsetof(struct __sk_buff, cb[3])), 939*4882a593Smuzhiyun BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 940*4882a593Smuzhiyun offsetof(struct __sk_buff, tstamp)), 941*4882a593Smuzhiyun BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 942*4882a593Smuzhiyun offsetof(struct __sk_buff, tstamp)), 943*4882a593Smuzhiyun BPF_EXIT_INSN(), 944*4882a593Smuzhiyun }, 945*4882a593Smuzhiyun .errstr_unpriv = "", 
946*4882a593Smuzhiyun .result_unpriv = REJECT, 947*4882a593Smuzhiyun .result = ACCEPT, 948*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_CLS, 949*4882a593Smuzhiyun }, 950*4882a593Smuzhiyun { 951*4882a593Smuzhiyun "check skb->data half load not permitted", 952*4882a593Smuzhiyun .insns = { 953*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 954*4882a593Smuzhiyun #if __BYTE_ORDER == __LITTLE_ENDIAN 955*4882a593Smuzhiyun BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 956*4882a593Smuzhiyun offsetof(struct __sk_buff, data)), 957*4882a593Smuzhiyun #else 958*4882a593Smuzhiyun BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 959*4882a593Smuzhiyun offsetof(struct __sk_buff, data) + 2), 960*4882a593Smuzhiyun #endif 961*4882a593Smuzhiyun BPF_EXIT_INSN(), 962*4882a593Smuzhiyun }, 963*4882a593Smuzhiyun .result = REJECT, 964*4882a593Smuzhiyun .errstr = "invalid bpf_context access", 965*4882a593Smuzhiyun }, 966*4882a593Smuzhiyun { 967*4882a593Smuzhiyun "read gso_segs from CGROUP_SKB", 968*4882a593Smuzhiyun .insns = { 969*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 970*4882a593Smuzhiyun offsetof(struct __sk_buff, gso_segs)), 971*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 972*4882a593Smuzhiyun BPF_EXIT_INSN(), 973*4882a593Smuzhiyun }, 974*4882a593Smuzhiyun .result = ACCEPT, 975*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 976*4882a593Smuzhiyun }, 977*4882a593Smuzhiyun { 978*4882a593Smuzhiyun "read gso_segs from CGROUP_SKB", 979*4882a593Smuzhiyun .insns = { 980*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 981*4882a593Smuzhiyun offsetof(struct __sk_buff, gso_segs)), 982*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 983*4882a593Smuzhiyun BPF_EXIT_INSN(), 984*4882a593Smuzhiyun }, 985*4882a593Smuzhiyun .result = ACCEPT, 986*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 987*4882a593Smuzhiyun }, 988*4882a593Smuzhiyun { 989*4882a593Smuzhiyun "write gso_segs from CGROUP_SKB", 990*4882a593Smuzhiyun .insns = { 991*4882a593Smuzhiyun 
BPF_MOV64_IMM(BPF_REG_0, 0), 992*4882a593Smuzhiyun BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 993*4882a593Smuzhiyun offsetof(struct __sk_buff, gso_segs)), 994*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 995*4882a593Smuzhiyun BPF_EXIT_INSN(), 996*4882a593Smuzhiyun }, 997*4882a593Smuzhiyun .result = REJECT, 998*4882a593Smuzhiyun .result_unpriv = REJECT, 999*4882a593Smuzhiyun .errstr = "invalid bpf_context access off=164 size=4", 1000*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 1001*4882a593Smuzhiyun }, 1002*4882a593Smuzhiyun { 1003*4882a593Smuzhiyun "read gso_segs from CLS", 1004*4882a593Smuzhiyun .insns = { 1005*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1006*4882a593Smuzhiyun offsetof(struct __sk_buff, gso_segs)), 1007*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 1008*4882a593Smuzhiyun BPF_EXIT_INSN(), 1009*4882a593Smuzhiyun }, 1010*4882a593Smuzhiyun .result = ACCEPT, 1011*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1012*4882a593Smuzhiyun }, 1013*4882a593Smuzhiyun { 1014*4882a593Smuzhiyun "read gso_size from CGROUP_SKB", 1015*4882a593Smuzhiyun .insns = { 1016*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1017*4882a593Smuzhiyun offsetof(struct __sk_buff, gso_size)), 1018*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 1019*4882a593Smuzhiyun BPF_EXIT_INSN(), 1020*4882a593Smuzhiyun }, 1021*4882a593Smuzhiyun .result = ACCEPT, 1022*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 1023*4882a593Smuzhiyun }, 1024*4882a593Smuzhiyun { 1025*4882a593Smuzhiyun "read gso_size from CGROUP_SKB", 1026*4882a593Smuzhiyun .insns = { 1027*4882a593Smuzhiyun BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1028*4882a593Smuzhiyun offsetof(struct __sk_buff, gso_size)), 1029*4882a593Smuzhiyun BPF_MOV64_IMM(BPF_REG_0, 0), 1030*4882a593Smuzhiyun BPF_EXIT_INSN(), 1031*4882a593Smuzhiyun }, 1032*4882a593Smuzhiyun .result = ACCEPT, 1033*4882a593Smuzhiyun .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 1034*4882a593Smuzhiyun }, 1035*4882a593Smuzhiyun 
/*
 * gso_size must be read-only for CGROUP_SKB: the 32-bit store is expected to
 * be rejected for privileged and unprivileged loads alike. The offset in the
 * expected message (off=176) is a literal rather than an offsetof()
 * expression, so it has to be kept in sync with the struct layout.
 */
{
	"write gso_size from CGROUP_SKB",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
		    offsetof(struct __sk_buff, gso_size)),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.result_unpriv = REJECT,
	.errstr = "invalid bpf_context access off=176 size=4",
	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
},
/* 32-bit read of gso_size from a SCHED_CLS program: accepted. */
{
	"read gso_size from CLS",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, gso_size)),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * The three wire_len entries pin access to that field by program type.
 * First: a 32-bit read with no .prog_type set, expected to be rejected.
 * NOTE(review): the harness presumably defaults to a socket filter, as the
 * test name suggests - confirm.
 */
{
	"check wire_len is not readable by sockets",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, wire_len)),
	BPF_EXIT_INSN(),
	},
	.errstr = "invalid bpf_context access",
	.result = REJECT,
},
/* Second: the same read from a SCHED_CLS program, expected to be accepted. */
{
	"check wire_len is readable by tc classifier",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, wire_len)),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
/*
 * Third: a 32-bit store to wire_len from a SCHED_CLS program, expected to be
 * rejected. The stored value is R1 (the context pointer), so the
 * unprivileged run expects "R1 leaks addr" while the privileged run expects
 * the invalid-context-access message.
 */
{
	"check wire_len is not writable by tc classifier",
	.insns = {
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
		    offsetof(struct __sk_buff, wire_len)),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "invalid bpf_context access",
	.errstr_unpriv = "R1 leaks addr",
	.result = REJECT,
},