diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2017-07-20 18:00:25 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-07-20 18:20:27 -0400 |
| commit | 8641250251bfcd93479c71783c6792ae3325d7e4 (patch) | |
| tree | 16ade798c25aadabe9df7a5d39ced646dec0170d | |
| parent | b712296a41ce0a114895fdff68fc22aada165b07 (diff) | |
bpf: more tests for mixed signed and unsigned bounds checks
Add a couple of more test cases to BPF selftests that are related
to mixed signed and unsigned checks.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | tools/testing/selftests/bpf/test_verifier.c | 418 |
1 files changed, 418 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 48b7997c0ae7..af7d173910f4 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c | |||
| @@ -5562,6 +5562,424 @@ static struct bpf_test tests[] = { | |||
| 5562 | .result = REJECT, | 5562 | .result = REJECT, |
| 5563 | .result_unpriv = REJECT, | 5563 | .result_unpriv = REJECT, |
| 5564 | }, | 5564 | }, |
| 5565 | { | ||
| 5566 | "bounds checks mixing signed and unsigned, variant 2", | ||
| 5567 | .insns = { | ||
| 5568 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5569 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5570 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5571 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5572 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5573 | BPF_FUNC_map_lookup_elem), | ||
| 5574 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), | ||
| 5575 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5576 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5577 | BPF_MOV64_IMM(BPF_REG_2, -1), | ||
| 5578 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), | ||
| 5579 | BPF_MOV64_IMM(BPF_REG_8, 0), | ||
| 5580 | BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1), | ||
| 5581 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), | ||
| 5582 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), | ||
| 5583 | BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), | ||
| 5584 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5585 | BPF_EXIT_INSN(), | ||
| 5586 | }, | ||
| 5587 | .fixup_map1 = { 3 }, | ||
| 5588 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5589 | .errstr = "R8 invalid mem access 'inv'", | ||
| 5590 | .result = REJECT, | ||
| 5591 | .result_unpriv = REJECT, | ||
| 5592 | }, | ||
| 5593 | { | ||
| 5594 | "bounds checks mixing signed and unsigned, variant 3", | ||
| 5595 | .insns = { | ||
| 5596 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5597 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5598 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5599 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5600 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5601 | BPF_FUNC_map_lookup_elem), | ||
| 5602 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), | ||
| 5603 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5604 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5605 | BPF_MOV64_IMM(BPF_REG_2, -1), | ||
| 5606 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4), | ||
| 5607 | BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), | ||
| 5608 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), | ||
| 5609 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), | ||
| 5610 | BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), | ||
| 5611 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5612 | BPF_EXIT_INSN(), | ||
| 5613 | }, | ||
| 5614 | .fixup_map1 = { 3 }, | ||
| 5615 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5616 | .errstr = "R8 invalid mem access 'inv'", | ||
| 5617 | .result = REJECT, | ||
| 5618 | .result_unpriv = REJECT, | ||
| 5619 | }, | ||
| 5620 | { | ||
| 5621 | "bounds checks mixing signed and unsigned, variant 4", | ||
| 5622 | .insns = { | ||
| 5623 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5624 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5625 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5626 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5627 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5628 | BPF_FUNC_map_lookup_elem), | ||
| 5629 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), | ||
| 5630 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5631 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5632 | BPF_MOV64_IMM(BPF_REG_2, 1), | ||
| 5633 | BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2), | ||
| 5634 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5635 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5636 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5637 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5638 | BPF_EXIT_INSN(), | ||
| 5639 | }, | ||
| 5640 | .fixup_map1 = { 3 }, | ||
| 5641 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5642 | .errstr = "R0 min value is negative", | ||
| 5643 | .result = REJECT, | ||
| 5644 | .result_unpriv = REJECT, | ||
| 5645 | }, | ||
| 5646 | { | ||
| 5647 | "bounds checks mixing signed and unsigned, variant 5", | ||
| 5648 | .insns = { | ||
| 5649 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5650 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5651 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5652 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5653 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5654 | BPF_FUNC_map_lookup_elem), | ||
| 5655 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), | ||
| 5656 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5657 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5658 | BPF_MOV64_IMM(BPF_REG_2, -1), | ||
| 5659 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), | ||
| 5660 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4), | ||
| 5661 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4), | ||
| 5662 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), | ||
| 5663 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5664 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5665 | BPF_EXIT_INSN(), | ||
| 5666 | }, | ||
| 5667 | .fixup_map1 = { 3 }, | ||
| 5668 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5669 | .errstr = "R0 invalid mem access", | ||
| 5670 | .result = REJECT, | ||
| 5671 | .result_unpriv = REJECT, | ||
| 5672 | }, | ||
| 5673 | { | ||
| 5674 | "bounds checks mixing signed and unsigned, variant 6", | ||
| 5675 | .insns = { | ||
| 5676 | BPF_MOV64_IMM(BPF_REG_2, 0), | ||
| 5677 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), | ||
| 5678 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512), | ||
| 5679 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5680 | BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16), | ||
| 5681 | BPF_MOV64_IMM(BPF_REG_6, -1), | ||
| 5682 | BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5), | ||
| 5683 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4), | ||
| 5684 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), | ||
| 5685 | BPF_MOV64_IMM(BPF_REG_5, 0), | ||
| 5686 | BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0), | ||
| 5687 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5688 | BPF_FUNC_skb_load_bytes), | ||
| 5689 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5690 | BPF_EXIT_INSN(), | ||
| 5691 | }, | ||
| 5692 | .errstr_unpriv = "R4 min value is negative, either use unsigned", | ||
| 5693 | .errstr = "R4 min value is negative, either use unsigned", | ||
| 5694 | .result = REJECT, | ||
| 5695 | .result_unpriv = REJECT, | ||
| 5696 | }, | ||
| 5697 | { | ||
| 5698 | "bounds checks mixing signed and unsigned, variant 7", | ||
| 5699 | .insns = { | ||
| 5700 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5701 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5702 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5703 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5704 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5705 | BPF_FUNC_map_lookup_elem), | ||
| 5706 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), | ||
| 5707 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5708 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5709 | BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024), | ||
| 5710 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), | ||
| 5711 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5712 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5713 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5714 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5715 | BPF_EXIT_INSN(), | ||
| 5716 | }, | ||
| 5717 | .fixup_map1 = { 3 }, | ||
| 5718 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5719 | .errstr = "R0 min value is negative", | ||
| 5720 | .result = REJECT, | ||
| 5721 | .result_unpriv = REJECT, | ||
| 5722 | }, | ||
| 5723 | { | ||
| 5724 | "bounds checks mixing signed and unsigned, variant 8", | ||
| 5725 | .insns = { | ||
| 5726 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5727 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5728 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5729 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5730 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5731 | BPF_FUNC_map_lookup_elem), | ||
| 5732 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), | ||
| 5733 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5734 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5735 | BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024 + 1), | ||
| 5736 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), | ||
| 5737 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5738 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5739 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5740 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5741 | BPF_EXIT_INSN(), | ||
| 5742 | }, | ||
| 5743 | .fixup_map1 = { 3 }, | ||
| 5744 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5745 | .errstr = "R0 min value is negative", | ||
| 5746 | .result = REJECT, | ||
| 5747 | .result_unpriv = REJECT, | ||
| 5748 | }, | ||
| 5749 | { | ||
| 5750 | "bounds checks mixing signed and unsigned, variant 9", | ||
| 5751 | .insns = { | ||
| 5752 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5753 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5754 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5755 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5756 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5757 | BPF_FUNC_map_lookup_elem), | ||
| 5758 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), | ||
| 5759 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5760 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5761 | BPF_MOV64_IMM(BPF_REG_2, -1), | ||
| 5762 | BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), | ||
| 5763 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5764 | BPF_EXIT_INSN(), | ||
| 5765 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5766 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5767 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5768 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5769 | BPF_EXIT_INSN(), | ||
| 5770 | }, | ||
| 5771 | .fixup_map1 = { 3 }, | ||
| 5772 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5773 | .errstr = "R0 min value is negative", | ||
| 5774 | .result = REJECT, | ||
| 5775 | .result_unpriv = REJECT, | ||
| 5776 | }, | ||
| 5777 | { | ||
| 5778 | "bounds checks mixing signed and unsigned, variant 10", | ||
| 5779 | .insns = { | ||
| 5780 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5781 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5782 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5783 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5784 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5785 | BPF_FUNC_map_lookup_elem), | ||
| 5786 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), | ||
| 5787 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5788 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5789 | BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL), | ||
| 5790 | BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), | ||
| 5791 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5792 | BPF_EXIT_INSN(), | ||
| 5793 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5794 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5795 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5796 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5797 | BPF_EXIT_INSN(), | ||
| 5798 | }, | ||
| 5799 | .fixup_map1 = { 3 }, | ||
| 5800 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5801 | .errstr = "R0 min value is negative", | ||
| 5802 | .result = REJECT, | ||
| 5803 | .result_unpriv = REJECT, | ||
| 5804 | }, | ||
| 5805 | { | ||
| 5806 | "bounds checks mixing signed and unsigned, variant 11", | ||
| 5807 | .insns = { | ||
| 5808 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5809 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5810 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5811 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5812 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5813 | BPF_FUNC_map_lookup_elem), | ||
| 5814 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), | ||
| 5815 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5816 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5817 | BPF_MOV64_IMM(BPF_REG_2, 0), | ||
| 5818 | BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), | ||
| 5819 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5820 | BPF_EXIT_INSN(), | ||
| 5821 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5822 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5823 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5824 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5825 | BPF_EXIT_INSN(), | ||
| 5826 | }, | ||
| 5827 | .fixup_map1 = { 3 }, | ||
| 5828 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5829 | .errstr = "R0 min value is negative", | ||
| 5830 | .result = REJECT, | ||
| 5831 | .result_unpriv = REJECT, | ||
| 5832 | }, | ||
| 5833 | { | ||
| 5834 | "bounds checks mixing signed and unsigned, variant 12", | ||
| 5835 | .insns = { | ||
| 5836 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5837 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5838 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5839 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5840 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5841 | BPF_FUNC_map_lookup_elem), | ||
| 5842 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), | ||
| 5843 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5844 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5845 | BPF_MOV64_IMM(BPF_REG_2, -1), | ||
| 5846 | BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), | ||
| 5847 | /* Dead branch. */ | ||
| 5848 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5849 | BPF_EXIT_INSN(), | ||
| 5850 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5851 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5852 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5853 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5854 | BPF_EXIT_INSN(), | ||
| 5855 | }, | ||
| 5856 | .fixup_map1 = { 3 }, | ||
| 5857 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5858 | .errstr = "R0 min value is negative", | ||
| 5859 | .result = REJECT, | ||
| 5860 | .result_unpriv = REJECT, | ||
| 5861 | }, | ||
| 5862 | { | ||
| 5863 | "bounds checks mixing signed and unsigned, variant 13", | ||
| 5864 | .insns = { | ||
| 5865 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5866 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5867 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5868 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5869 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5870 | BPF_FUNC_map_lookup_elem), | ||
| 5871 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), | ||
| 5872 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5873 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5874 | BPF_MOV64_IMM(BPF_REG_2, -6), | ||
| 5875 | BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), | ||
| 5876 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5877 | BPF_EXIT_INSN(), | ||
| 5878 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5879 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5880 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5881 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5882 | BPF_EXIT_INSN(), | ||
| 5883 | }, | ||
| 5884 | .fixup_map1 = { 3 }, | ||
| 5885 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5886 | .errstr = "R0 min value is negative", | ||
| 5887 | .result = REJECT, | ||
| 5888 | .result_unpriv = REJECT, | ||
| 5889 | }, | ||
| 5890 | { | ||
| 5891 | "bounds checks mixing signed and unsigned, variant 14", | ||
| 5892 | .insns = { | ||
| 5893 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5894 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5895 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5896 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5897 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5898 | BPF_FUNC_map_lookup_elem), | ||
| 5899 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), | ||
| 5900 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5901 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5902 | BPF_MOV64_IMM(BPF_REG_2, 2), | ||
| 5903 | BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), | ||
| 5904 | BPF_MOV64_IMM(BPF_REG_7, 1), | ||
| 5905 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2), | ||
| 5906 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5907 | BPF_EXIT_INSN(), | ||
| 5908 | BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1), | ||
| 5909 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2), | ||
| 5910 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7), | ||
| 5911 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5912 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5913 | BPF_EXIT_INSN(), | ||
| 5914 | }, | ||
| 5915 | .fixup_map1 = { 3 }, | ||
| 5916 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5917 | .errstr = "R0 min value is negative", | ||
| 5918 | .result = REJECT, | ||
| 5919 | .result_unpriv = REJECT, | ||
| 5920 | }, | ||
| 5921 | { | ||
| 5922 | "bounds checks mixing signed and unsigned, variant 15", | ||
| 5923 | .insns = { | ||
| 5924 | BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, | ||
| 5925 | offsetof(struct __sk_buff, mark)), | ||
| 5926 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5927 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5928 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5929 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5930 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5931 | BPF_FUNC_map_lookup_elem), | ||
| 5932 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), | ||
| 5933 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5934 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5935 | BPF_MOV64_IMM(BPF_REG_2, -1), | ||
| 5936 | BPF_MOV64_IMM(BPF_REG_8, 2), | ||
| 5937 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6), | ||
| 5938 | BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3), | ||
| 5939 | BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), | ||
| 5940 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5941 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5942 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5943 | BPF_EXIT_INSN(), | ||
| 5944 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3), | ||
| 5945 | BPF_JMP_IMM(BPF_JA, 0, 0, -7), | ||
| 5946 | }, | ||
| 5947 | .fixup_map1 = { 4 }, | ||
| 5948 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5949 | .errstr = "R0 min value is negative", | ||
| 5950 | .result = REJECT, | ||
| 5951 | .result_unpriv = REJECT, | ||
| 5952 | }, | ||
| 5953 | { | ||
| 5954 | "bounds checks mixing signed and unsigned, variant 16", | ||
| 5955 | .insns = { | ||
| 5956 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | ||
| 5957 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | ||
| 5958 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | ||
| 5959 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
| 5960 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, | ||
| 5961 | BPF_FUNC_map_lookup_elem), | ||
| 5962 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), | ||
| 5963 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), | ||
| 5964 | BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), | ||
| 5965 | BPF_MOV64_IMM(BPF_REG_2, -6), | ||
| 5966 | BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), | ||
| 5967 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5968 | BPF_EXIT_INSN(), | ||
| 5969 | BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), | ||
| 5970 | BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2), | ||
| 5971 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5972 | BPF_EXIT_INSN(), | ||
| 5973 | BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), | ||
| 5974 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
| 5975 | BPF_EXIT_INSN(), | ||
| 5976 | }, | ||
| 5977 | .fixup_map1 = { 3 }, | ||
| 5978 | .errstr_unpriv = "R0 pointer arithmetic prohibited", | ||
| 5979 | .errstr = "R0 min value is negative", | ||
| 5980 | .result = REJECT, | ||
| 5981 | .result_unpriv = REJECT, | ||
| 5982 | }, | ||
| 5565 | }; | 5983 | }; |
| 5566 | 5984 | ||
| 5567 | static int probe_filter_length(const struct bpf_insn *fp) | 5985 | static int probe_filter_length(const struct bpf_insn *fp) |