/*
 * Verifier fixtures for state pruning: each entry is a struct bpf_test
 * initializer (program bytes plus the expected verdict).  The programs
 * below are constructed so that a pruning decision made on one branch
 * must not be allowed to hide an invalid access on another.
 */
{
	"pointer/scalar confusion in state equality check (way 1)",
	.insns = {
	/* zero an 8-byte key on the stack and point R2 at it */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	/* insn 3: map fd is patched in by the harness (see fixup below) */
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* lookup miss: skip ahead to the pointer-producing path */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
	/* lookup hit: R0 becomes a scalar read from the map value */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
	BPF_JMP_A(1),
	/* miss path: R0 becomes a stack pointer instead */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
	/*
	 * both paths converge on this no-op jump with R0 of different
	 * register types; the verifier must not treat the two states as
	 * equivalent when pruning
	 */
	BPF_JMP_A(0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 3 },
	.result = ACCEPT,
	.retval = POINTER_VALUE,
	/* unprivileged: returning a pointer would disclose a kernel address */
	.result_unpriv = REJECT,
	.errstr_unpriv = "R0 leaks addr as return value"
},
{
	/* same as way 1 with the scalar and pointer paths laid out in the opposite order */
	"pointer/scalar confusion in state equality check (way 2)",
	.insns = {
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* lookup hit: jump to the scalar load */
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
	/* lookup miss: R0 becomes a stack pointer */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
	BPF_JMP_A(1),
	/* hit path: R0 becomes a scalar read from the map value */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
	/* both paths reach EXIT with R0 of different register types */
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 3 },
	.result = ACCEPT,
	.retval = POINTER_VALUE,
	.result_unpriv = REJECT,
	.errstr_unpriv = "R0 leaks addr as return value"
},
{
	"liveness pruning and write screening",
	.insns = {
	/* Get an unknown value */
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
	/* branch conditions teach us nothing about R2 */
	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/*
	 * when both jumps are taken neither MOV executes, so EXIT reads an
	 * R0 that was never written; liveness tracking must not let the
	 * skipped writes on the other paths mask that
	 */
	BPF_EXIT_INSN(),
	},
	.errstr = "R0 !read_ok",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_LWT_IN,
},
{
	"varlen_map_value_access pruning",
	.insns = {
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* lookup miss: straight to EXIT */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
	/* R1 = attacker-controlled index read from the map value */
	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
	BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
	/*
	 * the signed compare only bounds R1 from above; on the taken path
	 * R1 keeps its unbounded lower range, on the other it is reset to 0
	 */
	BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
	BPF_MOV32_IMM(BPF_REG_1, 0),
	BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
	/* R0 = map value + scaled index, still unbounded on one path */
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
	/* no-op jump where the two paths meet; pruning here must keep the bad one */
	BPF_JMP_IMM(BPF_JA, 0, 0, 0),
	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_48b = { 3 },
	.errstr_unpriv = "R0 leaks addr",
	.errstr = "R0 unbounded memory access",
	.result_unpriv = REJECT,
	.result = REJECT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	"search pruning: all branches should be verified (nop operation)",
	.insns = {
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	/* lookup miss: straight to EXIT */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
	/* R4 = 1 if the map value is 0xbeef, else 0 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
	BPF_MOV64_IMM(BPF_REG_4, 0),
	BPF_JMP_A(1),
	BPF_MOV64_IMM(BPF_REG_4, 1),
	/* spill R4 to the stack and reload it into R5 across a helper call */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
	BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
	BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
	/* R5 == 0 path exits cleanly */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
	/*
	 * R5 != 0 path stores through scalar R6; it is only reached when the
	 * 0xbeef branch is not pruned, so the expected error proves both
	 * branches were walked
	 */
	BPF_MOV64_IMM(BPF_REG_6, 0),
	BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 3 },
	.errstr = "R6 invalid mem access 'inv'",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
},
{
	"search pruning: all branches should be verified (invalid stack access)",
	.insns = {
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	/* lookup miss: straight to EXIT */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
	BPF_MOV64_IMM(BPF_REG_4, 0),
	/* the two branches write different stack slots: -16 or -24 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
	BPF_JMP_A(1),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
	BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
	/*
	 * on the 0xbeef path slot -16 was never written; the expected error
	 * proves that path was verified rather than pruned against the other
	 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
	BPF_EXIT_INSN(),
	},
	.fixup_map_hash_8b = { 3 },
	.errstr = "invalid read from stack off -16+0 size 8",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
},
{
	"allocated_stack",
	.insns = {
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
	BPF_ALU64_REG(BPF_MOV, BPF_REG_7, BPF_REG_0),
	/* random R0: one path skips the stack traffic below entirely */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* 8-byte spill/fill of R6 and 1-byte spill/fill of R7 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, -8),
	BPF_STX_MEM(BPF_B, BPF_REG_10, BPF_REG_7, -9),
	BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_10, -9),
	/* zero-offset jumps: no-ops where both paths meet */
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
	/*
	 * pins the verifier's processed-instruction count; presumably a
	 * change in how the second visit is pruned shows up here - confirm
	 * against the verifier before adjusting
	 */
	.insn_processed = 15,
},