aboutsummaryrefslogtreecommitdiffstats
path: root/tools
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2017-11-23 12:33:01 -0500
committerDavid S. Miller <davem@davemloft.net>2017-11-23 12:33:01 -0500
commite4be7baba81a816bdf778804508b43fa92c6446d (patch)
tree119e98d982af88dff2498031f77f817d7c7b6c33 /tools
parent0c19f846d582af919db66a5914a0189f9f92c936 (diff)
parentc131187db2d3fa2f8bf32fdf4e9a4ef805168467 (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says: ==================== pull-request: bpf 2017-11-23 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Several BPF offloading fixes, from Jakub. Among others: - Limit offload to cls_bpf and XDP program types only. - Move device validation into the driver and don't make any assumptions about the device in the classifier due to shared blocks semantics. - Don't pass offloaded XDP program into the driver when it should be run in native XDP instead. Offloaded ones are not JITed for the host in such cases. - Don't destroy device offload state when moved to another namespace. - Revert dumping offload info into user space for now, since ifindex alone is not sufficient. This will be redone properly for bpf-next tree. 2) Fix test_verifier to avoid using bpf_probe_write_user() helper in test cases, since it's dumping a warning into kernel log which may confuse users when only running tests. Switch to use bpf_trace_printk() instead, from Yonghong. 3) Several fixes for correcting ARG_CONST_SIZE_OR_ZERO semantics before it becomes uabi, from Gianluca. More specifically: - Add a type ARG_PTR_TO_MEM_OR_NULL that is used only by bpf_csum_diff(), where the argument is either a valid pointer or NULL. The subsequent ARG_CONST_SIZE_OR_ZERO then enforces a valid pointer in case of non-0 size or a valid pointer or NULL in case of size 0. Given that, the semantics for ARG_PTR_TO_MEM in combination with ARG_CONST_SIZE_OR_ZERO are now such that in case of size 0, the pointer must always be valid and cannot be NULL. This fix in semantics allows for bpf_probe_read() to drop the recently added size == 0 check in the helper that would become part of uabi otherwise once released. At the same time we can then fix bpf_probe_read_str() and bpf_perf_event_output() to use ARG_CONST_SIZE_OR_ZERO instead of ARG_CONST_SIZE in order to fix recently reported issues by Arnaldo et al, where LLVM optimizes two boundary checks into a single one for unknown variables where the verifier looses track of the variable bounds and thus rejects valid programs otherwise. 4) A fix for the verifier for the case when it detects comparison of two constants where the branch is guaranteed to not be taken at runtime. Verifier will rightfully prune the exploration of such paths, but we still pass the program to JITs, where they would complain about using reserved fields, etc. Track such dead instructions and sanitize them with mov r0,r0. Rejection is not possible since LLVM may generate them for valid C code and doesn't do as much data flow analysis as verifier. For bpf-next we might implement removal of such dead code and adjust branches instead. Fix from Alexei. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'tools')
-rw-r--r--tools/bpf/bpftool/prog.c31
-rw-r--r--tools/include/uapi/linux/bpf.h8
-rw-r--r--tools/testing/selftests/bpf/test_verifier.c152
3 files changed, 123 insertions, 68 deletions
diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
index f45c44ef9bec..ad619b96c276 100644
--- a/tools/bpf/bpftool/prog.c
+++ b/tools/bpf/bpftool/prog.c
@@ -41,7 +41,6 @@
41#include <string.h> 41#include <string.h>
42#include <time.h> 42#include <time.h>
43#include <unistd.h> 43#include <unistd.h>
44#include <net/if.h>
45#include <sys/types.h> 44#include <sys/types.h>
46#include <sys/stat.h> 45#include <sys/stat.h>
47 46
@@ -230,21 +229,6 @@ static void print_prog_json(struct bpf_prog_info *info, int fd)
230 info->tag[0], info->tag[1], info->tag[2], info->tag[3], 229 info->tag[0], info->tag[1], info->tag[2], info->tag[3],
231 info->tag[4], info->tag[5], info->tag[6], info->tag[7]); 230 info->tag[4], info->tag[5], info->tag[6], info->tag[7]);
232 231
233 if (info->status & BPF_PROG_STATUS_DEV_BOUND) {
234 jsonw_name(json_wtr, "dev");
235 if (info->ifindex) {
236 char name[IF_NAMESIZE];
237
238 if (!if_indextoname(info->ifindex, name))
239 jsonw_printf(json_wtr, "\"ifindex:%d\"",
240 info->ifindex);
241 else
242 jsonw_printf(json_wtr, "\"%s\"", name);
243 } else {
244 jsonw_printf(json_wtr, "\"unknown\"");
245 }
246 }
247
248 if (info->load_time) { 232 if (info->load_time) {
249 char buf[32]; 233 char buf[32];
250 234
@@ -302,21 +286,6 @@ static void print_prog_plain(struct bpf_prog_info *info, int fd)
302 286
303 printf("tag "); 287 printf("tag ");
304 fprint_hex(stdout, info->tag, BPF_TAG_SIZE, ""); 288 fprint_hex(stdout, info->tag, BPF_TAG_SIZE, "");
305 printf(" ");
306
307 if (info->status & BPF_PROG_STATUS_DEV_BOUND) {
308 printf("dev ");
309 if (info->ifindex) {
310 char name[IF_NAMESIZE];
311
312 if (!if_indextoname(info->ifindex, name))
313 printf("ifindex:%d ", info->ifindex);
314 else
315 printf("%s ", name);
316 } else {
317 printf("unknown ");
318 }
319 }
320 printf("\n"); 289 printf("\n");
321 290
322 if (info->load_time) { 291 if (info->load_time) {
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index e880ae6434ee..4c223ab30293 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -262,7 +262,7 @@ union bpf_attr {
262 __u32 kern_version; /* checked when prog_type=kprobe */ 262 __u32 kern_version; /* checked when prog_type=kprobe */
263 __u32 prog_flags; 263 __u32 prog_flags;
264 char prog_name[BPF_OBJ_NAME_LEN]; 264 char prog_name[BPF_OBJ_NAME_LEN];
265 __u32 prog_target_ifindex; /* ifindex of netdev to prep for */ 265 __u32 prog_ifindex; /* ifindex of netdev to prep for */
266 }; 266 };
267 267
268 struct { /* anonymous struct used by BPF_OBJ_* commands */ 268 struct { /* anonymous struct used by BPF_OBJ_* commands */
@@ -897,10 +897,6 @@ enum sk_action {
897 897
898#define BPF_TAG_SIZE 8 898#define BPF_TAG_SIZE 8
899 899
900enum bpf_prog_status {
901 BPF_PROG_STATUS_DEV_BOUND = (1 << 0),
902};
903
904struct bpf_prog_info { 900struct bpf_prog_info {
905 __u32 type; 901 __u32 type;
906 __u32 id; 902 __u32 id;
@@ -914,8 +910,6 @@ struct bpf_prog_info {
914 __u32 nr_map_ids; 910 __u32 nr_map_ids;
915 __aligned_u64 map_ids; 911 __aligned_u64 map_ids;
916 char name[BPF_OBJ_NAME_LEN]; 912 char name[BPF_OBJ_NAME_LEN];
917 __u32 ifindex;
918 __u32 status;
919} __attribute__((aligned(8))); 913} __attribute__((aligned(8)));
920 914
921struct bpf_map_info { 915struct bpf_map_info {
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index bf092b83e453..3c64f30cf63c 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -4377,11 +4377,10 @@ static struct bpf_test tests[] = {
4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0), 4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4381 BPF_MOV64_IMM(BPF_REG_1, 0), 4381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 4382 BPF_MOV64_IMM(BPF_REG_2, 0),
4383 BPF_MOV64_IMM(BPF_REG_3, 0), 4383 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4384 BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
4385 BPF_EXIT_INSN(), 4384 BPF_EXIT_INSN(),
4386 }, 4385 },
4387 .fixup_map2 = { 3 }, 4386 .fixup_map2 = { 3 },
@@ -4481,14 +4480,12 @@ static struct bpf_test tests[] = {
4481 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4480 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4482 BPF_LD_MAP_FD(BPF_REG_1, 0), 4481 BPF_LD_MAP_FD(BPF_REG_1, 0),
4483 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4482 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4484 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4487 offsetof(struct test_val, foo)), 4486 offsetof(struct test_val, foo)),
4488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 4487 BPF_MOV64_IMM(BPF_REG_2, 0),
4489 BPF_MOV64_IMM(BPF_REG_1, 0), 4488 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4490 BPF_MOV64_IMM(BPF_REG_3, 0),
4491 BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
4492 BPF_EXIT_INSN(), 4489 BPF_EXIT_INSN(),
4493 }, 4490 },
4494 .fixup_map2 = { 3 }, 4491 .fixup_map2 = { 3 },
@@ -4618,18 +4615,16 @@ static struct bpf_test tests[] = {
4618 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4615 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4619 BPF_LD_MAP_FD(BPF_REG_1, 0), 4616 BPF_LD_MAP_FD(BPF_REG_1, 0),
4620 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4617 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4621 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4619 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4623 BPF_MOV64_IMM(BPF_REG_3, 0), 4620 BPF_MOV64_IMM(BPF_REG_3, 0),
4624 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4625 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 4622 BPF_MOV64_IMM(BPF_REG_2, 0),
4626 BPF_MOV64_IMM(BPF_REG_1, 0), 4623 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4627 BPF_MOV64_IMM(BPF_REG_3, 0),
4628 BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
4629 BPF_EXIT_INSN(), 4624 BPF_EXIT_INSN(),
4630 }, 4625 },
4631 .fixup_map2 = { 3 }, 4626 .fixup_map2 = { 3 },
4632 .errstr = "R2 min value is outside of the array range", 4627 .errstr = "R1 min value is outside of the array range",
4633 .result = REJECT, 4628 .result = REJECT,
4634 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4629 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4635 }, 4630 },
@@ -4760,20 +4755,18 @@ static struct bpf_test tests[] = {
4760 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 4755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4761 BPF_LD_MAP_FD(BPF_REG_1, 0), 4756 BPF_LD_MAP_FD(BPF_REG_1, 0),
4762 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 4757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4763 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4764 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 4759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4765 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 4760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4766 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 4761 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4767 offsetof(struct test_val, foo), 4), 4762 offsetof(struct test_val, foo), 3),
4768 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 4763 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), 4764 BPF_MOV64_IMM(BPF_REG_2, 0),
4770 BPF_MOV64_IMM(BPF_REG_1, 0), 4765 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4771 BPF_MOV64_IMM(BPF_REG_3, 0),
4772 BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
4773 BPF_EXIT_INSN(), 4766 BPF_EXIT_INSN(),
4774 }, 4767 },
4775 .fixup_map2 = { 3 }, 4768 .fixup_map2 = { 3 },
4776 .errstr = "R2 min value is outside of the array range", 4769 .errstr = "R1 min value is outside of the array range",
4777 .result = REJECT, 4770 .result = REJECT,
4778 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4771 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4779 }, 4772 },
@@ -5638,7 +5631,7 @@ static struct bpf_test tests[] = {
5638 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5631 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5639 }, 5632 },
5640 { 5633 {
5641 "helper access to variable memory: size = 0 allowed on NULL", 5634 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5642 .insns = { 5635 .insns = {
5643 BPF_MOV64_IMM(BPF_REG_1, 0), 5636 BPF_MOV64_IMM(BPF_REG_1, 0),
5644 BPF_MOV64_IMM(BPF_REG_2, 0), 5637 BPF_MOV64_IMM(BPF_REG_2, 0),
@@ -5652,7 +5645,7 @@ static struct bpf_test tests[] = {
5652 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5645 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5653 }, 5646 },
5654 { 5647 {
5655 "helper access to variable memory: size > 0 not allowed on NULL", 5648 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5656 .insns = { 5649 .insns = {
5657 BPF_MOV64_IMM(BPF_REG_1, 0), 5650 BPF_MOV64_IMM(BPF_REG_1, 0),
5658 BPF_MOV64_IMM(BPF_REG_2, 0), 5651 BPF_MOV64_IMM(BPF_REG_2, 0),
@@ -5670,7 +5663,7 @@ static struct bpf_test tests[] = {
5670 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5663 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5671 }, 5664 },
5672 { 5665 {
5673 "helper access to variable memory: size = 0 allowed on != NULL stack pointer", 5666 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5674 .insns = { 5667 .insns = {
5675 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5668 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 5669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
@@ -5687,7 +5680,7 @@ static struct bpf_test tests[] = {
5687 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5688 }, 5681 },
5689 { 5682 {
5690 "helper access to variable memory: size = 0 allowed on != NULL map pointer", 5683 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5691 .insns = { 5684 .insns = {
5692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -5709,7 +5702,7 @@ static struct bpf_test tests[] = {
5709 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5702 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5710 }, 5703 },
5711 { 5704 {
5712 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer", 5705 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5713 .insns = { 5706 .insns = {
5714 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -5734,7 +5727,7 @@ static struct bpf_test tests[] = {
5734 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5735 }, 5728 },
5736 { 5729 {
5737 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer", 5730 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5738 .insns = { 5731 .insns = {
5739 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5732 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5740 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
@@ -5757,7 +5750,7 @@ static struct bpf_test tests[] = {
5757 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5750 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5758 }, 5751 },
5759 { 5752 {
5760 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer", 5753 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
5761 .insns = { 5754 .insns = {
5762 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 5755 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5763 offsetof(struct __sk_buff, data)), 5756 offsetof(struct __sk_buff, data)),
@@ -5779,6 +5772,105 @@ static struct bpf_test tests[] = {
5779 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5780 }, 5773 },
5781 { 5774 {
5775 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5776 .insns = {
5777 BPF_MOV64_IMM(BPF_REG_1, 0),
5778 BPF_MOV64_IMM(BPF_REG_2, 0),
5779 BPF_MOV64_IMM(BPF_REG_3, 0),
5780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5781 BPF_EXIT_INSN(),
5782 },
5783 .errstr = "R1 type=inv expected=fp",
5784 .result = REJECT,
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786 },
5787 {
5788 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5789 .insns = {
5790 BPF_MOV64_IMM(BPF_REG_1, 0),
5791 BPF_MOV64_IMM(BPF_REG_2, 1),
5792 BPF_MOV64_IMM(BPF_REG_3, 0),
5793 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5794 BPF_EXIT_INSN(),
5795 },
5796 .errstr = "R1 type=inv expected=fp",
5797 .result = REJECT,
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 },
5800 {
5801 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5802 .insns = {
5803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5805 BPF_MOV64_IMM(BPF_REG_2, 0),
5806 BPF_MOV64_IMM(BPF_REG_3, 0),
5807 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5808 BPF_EXIT_INSN(),
5809 },
5810 .result = ACCEPT,
5811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5812 },
5813 {
5814 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5815 .insns = {
5816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5819 BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5823 BPF_MOV64_IMM(BPF_REG_2, 0),
5824 BPF_MOV64_IMM(BPF_REG_3, 0),
5825 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5826 BPF_EXIT_INSN(),
5827 },
5828 .fixup_map1 = { 3 },
5829 .result = ACCEPT,
5830 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5831 },
5832 {
5833 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5834 .insns = {
5835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5838 BPF_LD_MAP_FD(BPF_REG_1, 0),
5839 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5841 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5842 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5845 BPF_MOV64_IMM(BPF_REG_3, 0),
5846 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5847 BPF_EXIT_INSN(),
5848 },
5849 .fixup_map1 = { 3 },
5850 .result = ACCEPT,
5851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5852 },
5853 {
5854 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5855 .insns = {
5856 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5859 BPF_LD_MAP_FD(BPF_REG_1, 0),
5860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5863 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5864 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5865 BPF_MOV64_IMM(BPF_REG_3, 0),
5866 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 BPF_EXIT_INSN(),
5868 },
5869 .fixup_map1 = { 3 },
5870 .result = ACCEPT,
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 },
5873 {
5782 "helper access to variable memory: 8 bytes leak", 5874 "helper access to variable memory: 8 bytes leak",
5783 .insns = { 5875 .insns = {
5784 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-30 07:42:25 -0400