/*
 * raw_stack: verifier test vectors for passing a stack buffer to the
 * skb_load_bytes() helper.
 *
 * Each entry holds a name, an eBPF instruction sequence, the expected
 * verdict (.result) and, for rejections, the expected message (.errstr).
 * All entries use BPF_PROG_TYPE_SCHED_CLS.
 *
 * Register roles in every sequence below:
 *   R1  - never written before the call, so it still holds the context
 *         the program was entered with (it is dereferenced as a
 *         struct __sk_buff in the spill tests)
 *   R2  - helper argument 2, always 4 (the offset argument of
 *         skb_load_bytes)
 *   R3  - helper argument 3, the destination buffer (a copy of R6)
 *   R4  - helper argument 4, the length
 *   R6  - frame pointer (R10) plus a negative offset; kept across the
 *         call and used for the loads that follow it
 *
 * Taken together, the cases pin three properties of the verifier:
 * the helper's destination must lie inside the stack frame for the full
 * length, the length must be a known positive bounded value, and a stack
 * slot that the helper may have overwritten must no longer be usable as
 * a pointer.
 */
{
	/*
	 * Baseline: no helper call, so the slot at fp-8 has never been
	 * written when it is read. The read must be rejected.
	 */
	"raw_stack: no skb_load_bytes",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	/* Call to skb_load_bytes() omitted. */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid read from stack R6 off=-8 size=8",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* Length argument is the constant -8: must be rejected as negative. */
	"raw_stack: skb_load_bytes, negative len",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, -8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R4 min value is negative",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* Same check with the length written as ~0 (all bits set). */
	"raw_stack: skb_load_bytes, negative len 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, ~0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R4 min value is negative",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* A length of 0 is not accepted for this helper's buffer argument. */
	"raw_stack: skb_load_bytes, zero len",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid zero-sized read",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * The program never writes fp-8 itself, yet the load after the call
	 * is accepted. Compare with "no skb_load_bytes" above: the only
	 * difference is the call, so the verifier is expected to count the
	 * helper's destination buffer as written by the helper.
	 */
	"raw_stack: skb_load_bytes, no init",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* Same as "no init" but the slot is first filled with 0xcafe. */
	"raw_stack: skb_load_bytes, init",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * R1 is spilled to the two slots on either side of the helper's
	 * 8-byte buffer (R6-8 and R6+8, i.e. fp-24 and fp-8; the buffer is
	 * fp-16..fp-9). Neither spill overlaps the buffer, so both reloaded
	 * values must still be usable as __sk_buff pointers after the call.
	 */
	"raw_stack: skb_load_bytes, spilled regs around bounds",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
		    offsetof(struct __sk_buff, priority)),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * R1 is spilled into the very slot that is then handed to the helper
	 * as its destination. After the call that slot may hold bytes the
	 * helper wrote, so the reloaded value must not be dereferenced: the
	 * expected message reports R0 as a non-pointer ('inv'). Keeping the
	 * pointer type here would let a program use helper-written data as
	 * an address.
	 * NOTE(review): the meaning of F_NEEDS_EFFICIENT_UNALIGNED_ACCESS is
	 * defined by the test harness and is not visible here.
	 */
	"raw_stack: skb_load_bytes, spilled regs corruption",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R0 invalid mem access 'inv'",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	/*
	 * Three adjacent spills of R1 (R6-8, R6+0, R6+8); only the middle
	 * one is the helper's destination. The outer two are dereferenced
	 * first; the rejection is expected on R3, the value reloaded from
	 * the overwritten middle slot.
	 */
	"raw_stack: skb_load_bytes, spilled regs corruption 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
		    offsetof(struct __sk_buff, priority)),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
		    offsetof(struct __sk_buff, pkt_type)),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R3 invalid mem access 'inv'",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	/*
	 * Same layout as "corruption 2", but the value reloaded from the
	 * overwritten middle slot is only added to R0 and never
	 * dereferenced. Using it as plain data is allowed.
	 */
	"raw_stack: skb_load_bytes, spilled regs + data",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
		    offsetof(struct __sk_buff, priority)),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * Destination starts at fp-513. The "large access" case at the end
	 * of this table accepts fp-512, so this is one byte below the lowest
	 * address the verifier allows.
	 */
	"raw_stack: skb_load_bytes, invalid access 1",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid indirect access to stack R3 off=-513 size=8",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * Destination starts at fp-1 with length 8, so the range would run
	 * past the frame pointer. The start is inside the frame; the end is
	 * not.
	 */
	"raw_stack: skb_load_bytes, invalid access 2",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid indirect access to stack R3 off=-1 size=8",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * Both the stack offset and the length are written as 0xffffffff.
	 * The expected message treats R4 as negative, i.e. the 32-bit
	 * immediate is interpreted as signed (-1), not as a 4 GiB length.
	 */
	"raw_stack: skb_load_bytes, invalid access 3",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R4 min value is negative",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * Largest positive 32-bit length (0x7fffffff) with the buffer at
	 * fp-1. The length is not negative, so it has to be caught by the
	 * upper-bound check instead.
	 */
	"raw_stack: skb_load_bytes, invalid access 4",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * Same oversized length, but with the buffer at fp-512, the lowest
	 * accepted start. A valid start address must not rescue an
	 * out-of-range length.
	 */
	"raw_stack: skb_load_bytes, invalid access 5",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* Zero length again, this time with the buffer at fp-512. */
	"raw_stack: skb_load_bytes, invalid access 6",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid zero-sized read",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * Positive boundary case: buffer at fp-512 with length 512 covers
	 * exactly fp-512..fp-1 and must be accepted. Together with
	 * "invalid access 1" (fp-513) and "invalid access 2" (fp-1, len 8)
	 * this fixes both ends of the permitted window.
	 */
	"raw_stack: skb_load_bytes, large access",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 4),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
	BPF_MOV64_IMM(BPF_REG_4, 512),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},