/*
 * Verifier test cases for spilling a pointer register to the stack slot at
 * fp-8 and filling it back.  Each entry is one element of the harness's test
 * table; the enclosing array is declared outside this file and the list
 * continues past the last case shown here.  Per entry: .insns is the program
 * handed to the BPF verifier, .result / .result_unpriv the expected verdict
 * for a privileged / unprivileged loader, .errstr / .errstr_unpriv the
 * verifier message expected on REJECT, and .retval the expected return value
 * (POINTER_VALUE is a sentinel defined by the harness).
 */
{
	/*
	 * A ctx pointer that is spilled and filled back untouched is expected
	 * to come back as the same pointer (retval POINTER_VALUE).  Returning
	 * it in R0 is fine for a privileged loader but exposes a kernel
	 * address to an unprivileged one, hence REJECT with "R0 leaks addr".
	 */
	"check valid spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* fill it back into R2 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
	/* should be able to access R0 = *(R2 + 8) */
	/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
	/* return the filled pointer itself */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R0 leaks addr",
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.retval = POINTER_VALUE,
},
{
	/*
	 * Same round trip, but the filled value is then dereferenced to read
	 * skb->mark instead of being returned.  Both privilege levels accept,
	 * which (presumably) shows the verifier still tracks the filled
	 * register as a ctx pointer rather than an opaque scalar.
	 */
	"check valid spill/fill, skb mark",
	.insns = {
	/* R6 = ctx; spill R6, then fill the slot into R0 */
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* R0 = skb->mark; only verifiable if R0 is still known to be ctx */
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},
{
	/*
	 * A spilled pointer slot that is partially overwritten must not yield
	 * a usable pointer on fill -- otherwise a program could manufacture an
	 * address the verifier never checked.  An unprivileged loader is
	 * rejected with "attempt to corrupt spilled" (presumably at the byte
	 * store); a privileged one gets a scalar back and the dereference of
	 * it is rejected with "invalid mem access 'inv".
	 */
	"check corrupted spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* mess up with R1 pointer on stack */
	BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
	/* fill back into R0 is fine for priv.
	 * R0 now becomes SCALAR_VALUE.
	 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* Load from R0 should fail. */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "attempt to corrupt spilled",
	.errstr = "R0 invalid mem access 'inv",
	.result = REJECT,
	/* only run where the harness reports efficient unaligned access;
	 * the reason this case depends on it is not visible here -- confirm
	 */
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	/*
	 * Variant: overwrite the halfword at the start of the slot (the
	 * pointer's LSBs per the test name) with a 16-bit constant, fill, and
	 * return.  Unprivileged: REJECT at the corrupting store.  Privileged:
	 * ACCEPT, with the harness's POINTER_VALUE sentinel as expected retval.
	 */
	"check corrupted spill/fill, LSB",
	.insns = {
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* 2-byte store into the low end of the spilled slot */
	BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},
{
	/*
	 * Variant: overwrite the upper 4 bytes of the slot (fp-4..fp-1, the
	 * pointer's MSBs per the test name) with a 32-bit constant, fill, and
	 * return.  Expectations mirror the LSB case above.
	 */
	"check corrupted spill/fill, MSB",
	.insns = {
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* 4-byte store into the high end of the spilled slot */
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},