/*
 * BPF verifier test vectors: a pointer-typed register is written to memory
 * that can later be read back as plain data (the __sk_buff cb[] area or a
 * map value). Every entry expects an unprivileged load to be refused with
 * an "... leaks addr into ..." message, since the stored value would be a
 * kernel address. The privileged expectation (.result / .errstr) differs
 * per entry and is listed separately.
 *
 * BPF_LD_MAP_FD(reg, 0) carries a placeholder fd of 0; .fixup_map_hash_8b
 * lists the instruction index of that load so the harness can patch in a
 * real map fd. The load occupies two instruction slots, which matters when
 * counting indices and jump offsets below.
 */
{
	/* Atomic add of a map pointer (R2) into ctx->cb[0]. */
	"leak pointer into ctx 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* cb[0] = 0, a scalar store into ctx */
	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, offsetof(struct __sk_buff, cb[0])),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	/* cb[0] += R2, where R2 holds the map pointer */
	BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2, offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 2 },	/* index of BPF_LD_MAP_FD */
	.errstr_unpriv = "R2 leaks addr into mem",
	.result_unpriv = REJECT,
	/* Privileged loads are refused too: XADD on a ctx pointer is not allowed. */
	.result = REJECT,
	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
},
{
	/* Same shape, but the leaked value is the frame pointer (R10). */
	"leak pointer into ctx 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, offsetof(struct __sk_buff, cb[0])),
	/* cb[0] += R10 */
	BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10, offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R10 leaks addr into mem",
	.result_unpriv = REJECT,
	.result = REJECT,
	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
},
{
	/*
	 * Plain (non-atomic) store of a map pointer into ctx->cb[0].
	 * Expected to load when privileged and to be refused when not.
	 */
	"leak pointer into ctx 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	/* cb[0] = R2, where R2 holds the map pointer */
	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, offsetof(struct __sk_buff, cb[0])),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 1 },	/* index of BPF_LD_MAP_FD */
	.errstr_unpriv = "R2 leaks addr into ctx",
	.result_unpriv = REJECT,
	.result = ACCEPT,
},
{
	/*
	 * Atomic add of the saved ctx pointer (R6) into a looked-up map value.
	 * Expected to load when privileged and to be refused when not.
	 */
	"leak pointer into map val",
	.insns = {
	/* keep the ctx pointer; R1 is reused for the helper call */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	/* 8-byte key of 0 at fp-8, with R2 pointing at it */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* R0 == 0: skip the three stores below */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	/* value = 0, a scalar store */
	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
	/* value += R6, where R6 holds the ctx pointer */
	BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 4 },	/* index of BPF_LD_MAP_FD */
	.errstr_unpriv = "R6 leaks addr into mem",
	.result_unpriv = REJECT,
	.result = ACCEPT,
},