search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WIP FPC-III support
[linux/fpc-iii.git] / tools / testing / selftests / bpf / verifier / ctx_skb.c
blob2022c0f2cd759b551d041be0c3659a98c0862151
1 {
2 "access skb fields ok",
3 .insns = {
4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5 offsetof(struct __sk_buff, len)),
6 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
7 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8 offsetof(struct __sk_buff, mark)),
9 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
10 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11 offsetof(struct __sk_buff, pkt_type)),
12 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
13 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
14 offsetof(struct __sk_buff, queue_mapping)),
15 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
16 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
17 offsetof(struct __sk_buff, protocol)),
18 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
19 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
20 offsetof(struct __sk_buff, vlan_present)),
21 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
22 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
23 offsetof(struct __sk_buff, vlan_tci)),
24 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
25 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
26 offsetof(struct __sk_buff, napi_id)),
27 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
28 BPF_EXIT_INSN(),
29 },
30 .result = ACCEPT,
31 },
32 {
33 "access skb fields bad1",
34 .insns = {
35 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
36 BPF_EXIT_INSN(),
37 },
38 .errstr = "invalid bpf_context access",
39 .result = REJECT,
40 },
41 {
42 "access skb fields bad2",
43 .insns = {
44 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
45 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
46 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
47 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
48 BPF_LD_MAP_FD(BPF_REG_1, 0),
49 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
50 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
51 BPF_EXIT_INSN(),
52 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
53 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
54 offsetof(struct __sk_buff, pkt_type)),
55 BPF_EXIT_INSN(),
56 },
57 .fixup_map_hash_8b = { 4 },
58 .errstr = "different pointers",
59 .errstr_unpriv = "R1 pointer comparison",
60 .result = REJECT,
61 },
62 {
63 "access skb fields bad3",
64 .insns = {
65 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
66 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
67 offsetof(struct __sk_buff, pkt_type)),
68 BPF_EXIT_INSN(),
69 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
70 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
71 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
72 BPF_LD_MAP_FD(BPF_REG_1, 0),
73 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
74 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
75 BPF_EXIT_INSN(),
76 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
77 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
78 },
79 .fixup_map_hash_8b = { 6 },
80 .errstr = "different pointers",
81 .errstr_unpriv = "R1 pointer comparison",
82 .result = REJECT,
83 },
84 {
85 "access skb fields bad4",
86 .insns = {
87 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
88 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
89 offsetof(struct __sk_buff, len)),
90 BPF_MOV64_IMM(BPF_REG_0, 0),
91 BPF_EXIT_INSN(),
92 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
93 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
94 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
95 BPF_LD_MAP_FD(BPF_REG_1, 0),
96 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
97 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
98 BPF_EXIT_INSN(),
99 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
100 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
101 },
102 .fixup_map_hash_8b = { 7 },
103 .errstr = "different pointers",
104 .errstr_unpriv = "R1 pointer comparison",
105 .result = REJECT,
106 },
107 {
108 "invalid access __sk_buff family",
109 .insns = {
110 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
111 offsetof(struct __sk_buff, family)),
112 BPF_EXIT_INSN(),
113 },
114 .errstr = "invalid bpf_context access",
115 .result = REJECT,
116 },
117 {
118 "invalid access __sk_buff remote_ip4",
119 .insns = {
120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
121 offsetof(struct __sk_buff, remote_ip4)),
122 BPF_EXIT_INSN(),
123 },
124 .errstr = "invalid bpf_context access",
125 .result = REJECT,
126 },
127 {
128 "invalid access __sk_buff local_ip4",
129 .insns = {
130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
131 offsetof(struct __sk_buff, local_ip4)),
132 BPF_EXIT_INSN(),
133 },
134 .errstr = "invalid bpf_context access",
135 .result = REJECT,
136 },
137 {
138 "invalid access __sk_buff remote_ip6",
139 .insns = {
140 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
141 offsetof(struct __sk_buff, remote_ip6)),
142 BPF_EXIT_INSN(),
143 },
144 .errstr = "invalid bpf_context access",
145 .result = REJECT,
146 },
147 {
148 "invalid access __sk_buff local_ip6",
149 .insns = {
150 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
151 offsetof(struct __sk_buff, local_ip6)),
152 BPF_EXIT_INSN(),
153 },
154 .errstr = "invalid bpf_context access",
155 .result = REJECT,
156 },
157 {
158 "invalid access __sk_buff remote_port",
159 .insns = {
160 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
161 offsetof(struct __sk_buff, remote_port)),
162 BPF_EXIT_INSN(),
163 },
164 .errstr = "invalid bpf_context access",
165 .result = REJECT,
166 },
167 {
168 "invalid access __sk_buff remote_port",
169 .insns = {
170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
171 offsetof(struct __sk_buff, local_port)),
172 BPF_EXIT_INSN(),
173 },
174 .errstr = "invalid bpf_context access",
175 .result = REJECT,
176 },
177 {
178 "valid access __sk_buff family",
179 .insns = {
180 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
181 offsetof(struct __sk_buff, family)),
182 BPF_EXIT_INSN(),
183 },
184 .result = ACCEPT,
185 .prog_type = BPF_PROG_TYPE_SK_SKB,
186 },
187 {
188 "valid access __sk_buff remote_ip4",
189 .insns = {
190 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
191 offsetof(struct __sk_buff, remote_ip4)),
192 BPF_EXIT_INSN(),
193 },
194 .result = ACCEPT,
195 .prog_type = BPF_PROG_TYPE_SK_SKB,
196 },
197 {
198 "valid access __sk_buff local_ip4",
199 .insns = {
200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
201 offsetof(struct __sk_buff, local_ip4)),
202 BPF_EXIT_INSN(),
203 },
204 .result = ACCEPT,
205 .prog_type = BPF_PROG_TYPE_SK_SKB,
206 },
207 {
208 "valid access __sk_buff remote_ip6",
209 .insns = {
210 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
211 offsetof(struct __sk_buff, remote_ip6[0])),
212 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
213 offsetof(struct __sk_buff, remote_ip6[1])),
214 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
215 offsetof(struct __sk_buff, remote_ip6[2])),
216 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
217 offsetof(struct __sk_buff, remote_ip6[3])),
218 BPF_EXIT_INSN(),
219 },
220 .result = ACCEPT,
221 .prog_type = BPF_PROG_TYPE_SK_SKB,
222 },
223 {
224 "valid access __sk_buff local_ip6",
225 .insns = {
226 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
227 offsetof(struct __sk_buff, local_ip6[0])),
228 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
229 offsetof(struct __sk_buff, local_ip6[1])),
230 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
231 offsetof(struct __sk_buff, local_ip6[2])),
232 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
233 offsetof(struct __sk_buff, local_ip6[3])),
234 BPF_EXIT_INSN(),
235 },
236 .result = ACCEPT,
237 .prog_type = BPF_PROG_TYPE_SK_SKB,
238 },
239 {
240 "valid access __sk_buff remote_port",
241 .insns = {
242 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
243 offsetof(struct __sk_buff, remote_port)),
244 BPF_EXIT_INSN(),
245 },
246 .result = ACCEPT,
247 .prog_type = BPF_PROG_TYPE_SK_SKB,
248 },
249 {
250 "valid access __sk_buff remote_port",
251 .insns = {
252 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
253 offsetof(struct __sk_buff, local_port)),
254 BPF_EXIT_INSN(),
255 },
256 .result = ACCEPT,
257 .prog_type = BPF_PROG_TYPE_SK_SKB,
258 },
259 {
260 "invalid access of tc_classid for SK_SKB",
261 .insns = {
262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
263 offsetof(struct __sk_buff, tc_classid)),
264 BPF_EXIT_INSN(),
265 },
266 .result = REJECT,
267 .prog_type = BPF_PROG_TYPE_SK_SKB,
268 .errstr = "invalid bpf_context access",
269 },
270 {
271 "invalid access of skb->mark for SK_SKB",
272 .insns = {
273 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
274 offsetof(struct __sk_buff, mark)),
275 BPF_EXIT_INSN(),
276 },
277 .result = REJECT,
278 .prog_type = BPF_PROG_TYPE_SK_SKB,
279 .errstr = "invalid bpf_context access",
280 },
281 {
282 "check skb->mark is not writeable by SK_SKB",
283 .insns = {
284 BPF_MOV64_IMM(BPF_REG_0, 0),
285 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
286 offsetof(struct __sk_buff, mark)),
287 BPF_EXIT_INSN(),
288 },
289 .result = REJECT,
290 .prog_type = BPF_PROG_TYPE_SK_SKB,
291 .errstr = "invalid bpf_context access",
292 },
293 {
294 "check skb->tc_index is writeable by SK_SKB",
295 .insns = {
296 BPF_MOV64_IMM(BPF_REG_0, 0),
297 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
298 offsetof(struct __sk_buff, tc_index)),
299 BPF_EXIT_INSN(),
300 },
301 .result = ACCEPT,
302 .prog_type = BPF_PROG_TYPE_SK_SKB,
303 },
304 {
305 "check skb->priority is writeable by SK_SKB",
306 .insns = {
307 BPF_MOV64_IMM(BPF_REG_0, 0),
308 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
309 offsetof(struct __sk_buff, priority)),
310 BPF_EXIT_INSN(),
311 },
312 .result = ACCEPT,
313 .prog_type = BPF_PROG_TYPE_SK_SKB,
314 },
315 {
316 "direct packet read for SK_SKB",
317 .insns = {
318 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
319 offsetof(struct __sk_buff, data)),
320 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
321 offsetof(struct __sk_buff, data_end)),
322 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
324 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
326 BPF_MOV64_IMM(BPF_REG_0, 0),
327 BPF_EXIT_INSN(),
328 },
329 .result = ACCEPT,
330 .prog_type = BPF_PROG_TYPE_SK_SKB,
331 },
332 {
333 "direct packet write for SK_SKB",
334 .insns = {
335 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
336 offsetof(struct __sk_buff, data)),
337 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
338 offsetof(struct __sk_buff, data_end)),
339 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
341 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
342 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
343 BPF_MOV64_IMM(BPF_REG_0, 0),
344 BPF_EXIT_INSN(),
345 },
346 .result = ACCEPT,
347 .prog_type = BPF_PROG_TYPE_SK_SKB,
348 },
349 {
350 "overlapping checks for direct packet access SK_SKB",
351 .insns = {
352 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
353 offsetof(struct __sk_buff, data)),
354 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
355 offsetof(struct __sk_buff, data_end)),
356 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
358 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
361 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
362 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
363 BPF_MOV64_IMM(BPF_REG_0, 0),
364 BPF_EXIT_INSN(),
365 },
366 .result = ACCEPT,
367 .prog_type = BPF_PROG_TYPE_SK_SKB,
368 },
369 {
370 "check skb->mark is not writeable by sockets",
371 .insns = {
372 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
373 offsetof(struct __sk_buff, mark)),
374 BPF_EXIT_INSN(),
375 },
376 .errstr = "invalid bpf_context access",
377 .errstr_unpriv = "R1 leaks addr",
378 .result = REJECT,
379 },
380 {
381 "check skb->tc_index is not writeable by sockets",
382 .insns = {
383 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
384 offsetof(struct __sk_buff, tc_index)),
385 BPF_EXIT_INSN(),
386 },
387 .errstr = "invalid bpf_context access",
388 .errstr_unpriv = "R1 leaks addr",
389 .result = REJECT,
390 },
391 {
392 "check cb access: byte",
393 .insns = {
394 BPF_MOV64_IMM(BPF_REG_0, 0),
395 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
396 offsetof(struct __sk_buff, cb[0])),
397 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
398 offsetof(struct __sk_buff, cb[0]) + 1),
399 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
400 offsetof(struct __sk_buff, cb[0]) + 2),
401 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
402 offsetof(struct __sk_buff, cb[0]) + 3),
403 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
404 offsetof(struct __sk_buff, cb[1])),
405 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
406 offsetof(struct __sk_buff, cb[1]) + 1),
407 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
408 offsetof(struct __sk_buff, cb[1]) + 2),
409 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
410 offsetof(struct __sk_buff, cb[1]) + 3),
411 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
412 offsetof(struct __sk_buff, cb[2])),
413 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
414 offsetof(struct __sk_buff, cb[2]) + 1),
415 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
416 offsetof(struct __sk_buff, cb[2]) + 2),
417 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
418 offsetof(struct __sk_buff, cb[2]) + 3),
419 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
420 offsetof(struct __sk_buff, cb[3])),
421 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
422 offsetof(struct __sk_buff, cb[3]) + 1),
423 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
424 offsetof(struct __sk_buff, cb[3]) + 2),
425 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
426 offsetof(struct __sk_buff, cb[3]) + 3),
427 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
428 offsetof(struct __sk_buff, cb[4])),
429 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
430 offsetof(struct __sk_buff, cb[4]) + 1),
431 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
432 offsetof(struct __sk_buff, cb[4]) + 2),
433 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
434 offsetof(struct __sk_buff, cb[4]) + 3),
435 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
436 offsetof(struct __sk_buff, cb[0])),
437 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
438 offsetof(struct __sk_buff, cb[0]) + 1),
439 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
440 offsetof(struct __sk_buff, cb[0]) + 2),
441 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
442 offsetof(struct __sk_buff, cb[0]) + 3),
443 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
444 offsetof(struct __sk_buff, cb[1])),
445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
446 offsetof(struct __sk_buff, cb[1]) + 1),
447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
448 offsetof(struct __sk_buff, cb[1]) + 2),
449 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
450 offsetof(struct __sk_buff, cb[1]) + 3),
451 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
452 offsetof(struct __sk_buff, cb[2])),
453 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
454 offsetof(struct __sk_buff, cb[2]) + 1),
455 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
456 offsetof(struct __sk_buff, cb[2]) + 2),
457 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
458 offsetof(struct __sk_buff, cb[2]) + 3),
459 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
460 offsetof(struct __sk_buff, cb[3])),
461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
462 offsetof(struct __sk_buff, cb[3]) + 1),
463 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
464 offsetof(struct __sk_buff, cb[3]) + 2),
465 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
466 offsetof(struct __sk_buff, cb[3]) + 3),
467 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
468 offsetof(struct __sk_buff, cb[4])),
469 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
470 offsetof(struct __sk_buff, cb[4]) + 1),
471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
472 offsetof(struct __sk_buff, cb[4]) + 2),
473 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
474 offsetof(struct __sk_buff, cb[4]) + 3),
475 BPF_EXIT_INSN(),
476 },
477 .result = ACCEPT,
478 },
479 {
480 "__sk_buff->hash, offset 0, byte store not permitted",
481 .insns = {
482 BPF_MOV64_IMM(BPF_REG_0, 0),
483 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
484 offsetof(struct __sk_buff, hash)),
485 BPF_EXIT_INSN(),
486 },
487 .errstr = "invalid bpf_context access",
488 .result = REJECT,
489 },
490 {
491 "__sk_buff->tc_index, offset 3, byte store not permitted",
492 .insns = {
493 BPF_MOV64_IMM(BPF_REG_0, 0),
494 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
495 offsetof(struct __sk_buff, tc_index) + 3),
496 BPF_EXIT_INSN(),
497 },
498 .errstr = "invalid bpf_context access",
499 .result = REJECT,
500 },
501 {
502 "check skb->hash byte load permitted",
503 .insns = {
504 BPF_MOV64_IMM(BPF_REG_0, 0),
505 #if __BYTE_ORDER == __LITTLE_ENDIAN
506 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
507 offsetof(struct __sk_buff, hash)),
508 #else
509 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
510 offsetof(struct __sk_buff, hash) + 3),
511 #endif
512 BPF_EXIT_INSN(),
513 },
514 .result = ACCEPT,
515 },
516 {
517 "check skb->hash byte load permitted 1",
518 .insns = {
519 BPF_MOV64_IMM(BPF_REG_0, 0),
520 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
521 offsetof(struct __sk_buff, hash) + 1),
522 BPF_EXIT_INSN(),
523 },
524 .result = ACCEPT,
525 },
526 {
527 "check skb->hash byte load permitted 2",
528 .insns = {
529 BPF_MOV64_IMM(BPF_REG_0, 0),
530 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
531 offsetof(struct __sk_buff, hash) + 2),
532 BPF_EXIT_INSN(),
533 },
534 .result = ACCEPT,
535 },
536 {
537 "check skb->hash byte load permitted 3",
538 .insns = {
539 BPF_MOV64_IMM(BPF_REG_0, 0),
540 #if __BYTE_ORDER == __LITTLE_ENDIAN
541 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
542 offsetof(struct __sk_buff, hash) + 3),
543 #else
544 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
545 offsetof(struct __sk_buff, hash)),
546 #endif
547 BPF_EXIT_INSN(),
548 },
549 .result = ACCEPT,
550 },
551 {
552 "check cb access: byte, wrong type",
553 .insns = {
554 BPF_MOV64_IMM(BPF_REG_0, 0),
555 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
556 offsetof(struct __sk_buff, cb[0])),
557 BPF_EXIT_INSN(),
558 },
559 .errstr = "invalid bpf_context access",
560 .result = REJECT,
561 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
562 },
563 {
564 "check cb access: half",
565 .insns = {
566 BPF_MOV64_IMM(BPF_REG_0, 0),
567 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
568 offsetof(struct __sk_buff, cb[0])),
569 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
570 offsetof(struct __sk_buff, cb[0]) + 2),
571 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
572 offsetof(struct __sk_buff, cb[1])),
573 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
574 offsetof(struct __sk_buff, cb[1]) + 2),
575 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
576 offsetof(struct __sk_buff, cb[2])),
577 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
578 offsetof(struct __sk_buff, cb[2]) + 2),
579 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
580 offsetof(struct __sk_buff, cb[3])),
581 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
582 offsetof(struct __sk_buff, cb[3]) + 2),
583 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
584 offsetof(struct __sk_buff, cb[4])),
585 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
586 offsetof(struct __sk_buff, cb[4]) + 2),
587 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
588 offsetof(struct __sk_buff, cb[0])),
589 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
590 offsetof(struct __sk_buff, cb[0]) + 2),
591 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
592 offsetof(struct __sk_buff, cb[1])),
593 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
594 offsetof(struct __sk_buff, cb[1]) + 2),
595 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
596 offsetof(struct __sk_buff, cb[2])),
597 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
598 offsetof(struct __sk_buff, cb[2]) + 2),
599 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
600 offsetof(struct __sk_buff, cb[3])),
601 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
602 offsetof(struct __sk_buff, cb[3]) + 2),
603 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
604 offsetof(struct __sk_buff, cb[4])),
605 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
606 offsetof(struct __sk_buff, cb[4]) + 2),
607 BPF_EXIT_INSN(),
608 },
609 .result = ACCEPT,
610 },
611 {
612 "check cb access: half, unaligned",
613 .insns = {
614 BPF_MOV64_IMM(BPF_REG_0, 0),
615 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
616 offsetof(struct __sk_buff, cb[0]) + 1),
617 BPF_EXIT_INSN(),
618 },
619 .errstr = "misaligned context access",
620 .result = REJECT,
621 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
622 },
623 {
624 "check __sk_buff->hash, offset 0, half store not permitted",
625 .insns = {
626 BPF_MOV64_IMM(BPF_REG_0, 0),
627 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
628 offsetof(struct __sk_buff, hash)),
629 BPF_EXIT_INSN(),
630 },
631 .errstr = "invalid bpf_context access",
632 .result = REJECT,
633 },
634 {
635 "check __sk_buff->tc_index, offset 2, half store not permitted",
636 .insns = {
637 BPF_MOV64_IMM(BPF_REG_0, 0),
638 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
639 offsetof(struct __sk_buff, tc_index) + 2),
640 BPF_EXIT_INSN(),
641 },
642 .errstr = "invalid bpf_context access",
643 .result = REJECT,
644 },
645 {
646 "check skb->hash half load permitted",
647 .insns = {
648 BPF_MOV64_IMM(BPF_REG_0, 0),
649 #if __BYTE_ORDER == __LITTLE_ENDIAN
650 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
651 offsetof(struct __sk_buff, hash)),
652 #else
653 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
654 offsetof(struct __sk_buff, hash) + 2),
655 #endif
656 BPF_EXIT_INSN(),
657 },
658 .result = ACCEPT,
659 },
660 {
661 "check skb->hash half load permitted 2",
662 .insns = {
663 BPF_MOV64_IMM(BPF_REG_0, 0),
664 #if __BYTE_ORDER == __LITTLE_ENDIAN
665 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
666 offsetof(struct __sk_buff, hash) + 2),
667 #else
668 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
669 offsetof(struct __sk_buff, hash)),
670 #endif
671 BPF_EXIT_INSN(),
672 },
673 .result = ACCEPT,
674 },
675 {
676 "check skb->hash half load not permitted, unaligned 1",
677 .insns = {
678 BPF_MOV64_IMM(BPF_REG_0, 0),
679 #if __BYTE_ORDER == __LITTLE_ENDIAN
680 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
681 offsetof(struct __sk_buff, hash) + 1),
682 #else
683 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
684 offsetof(struct __sk_buff, hash) + 3),
685 #endif
686 BPF_EXIT_INSN(),
687 },
688 .errstr = "invalid bpf_context access",
689 .result = REJECT,
690 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
691 },
692 {
693 "check skb->hash half load not permitted, unaligned 3",
694 .insns = {
695 BPF_MOV64_IMM(BPF_REG_0, 0),
696 #if __BYTE_ORDER == __LITTLE_ENDIAN
697 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
698 offsetof(struct __sk_buff, hash) + 3),
699 #else
700 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
701 offsetof(struct __sk_buff, hash) + 1),
702 #endif
703 BPF_EXIT_INSN(),
704 },
705 .errstr = "invalid bpf_context access",
706 .result = REJECT,
707 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
708 },
709 {
710 "check cb access: half, wrong type",
711 .insns = {
712 BPF_MOV64_IMM(BPF_REG_0, 0),
713 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
714 offsetof(struct __sk_buff, cb[0])),
715 BPF_EXIT_INSN(),
716 },
717 .errstr = "invalid bpf_context access",
718 .result = REJECT,
719 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
720 },
721 {
722 "check cb access: word",
723 .insns = {
724 BPF_MOV64_IMM(BPF_REG_0, 0),
725 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
726 offsetof(struct __sk_buff, cb[0])),
727 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
728 offsetof(struct __sk_buff, cb[1])),
729 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
730 offsetof(struct __sk_buff, cb[2])),
731 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
732 offsetof(struct __sk_buff, cb[3])),
733 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
734 offsetof(struct __sk_buff, cb[4])),
735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
736 offsetof(struct __sk_buff, cb[0])),
737 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
738 offsetof(struct __sk_buff, cb[1])),
739 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
740 offsetof(struct __sk_buff, cb[2])),
741 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
742 offsetof(struct __sk_buff, cb[3])),
743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
744 offsetof(struct __sk_buff, cb[4])),
745 BPF_EXIT_INSN(),
746 },
747 .result = ACCEPT,
748 },
749 {
750 "check cb access: word, unaligned 1",
751 .insns = {
752 BPF_MOV64_IMM(BPF_REG_0, 0),
753 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
754 offsetof(struct __sk_buff, cb[0]) + 2),
755 BPF_EXIT_INSN(),
756 },
757 .errstr = "misaligned context access",
758 .result = REJECT,
759 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
760 },
761 {
762 "check cb access: word, unaligned 2",
763 .insns = {
764 BPF_MOV64_IMM(BPF_REG_0, 0),
765 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
766 offsetof(struct __sk_buff, cb[4]) + 1),
767 BPF_EXIT_INSN(),
768 },
769 .errstr = "misaligned context access",
770 .result = REJECT,
771 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
772 },
773 {
774 "check cb access: word, unaligned 3",
775 .insns = {
776 BPF_MOV64_IMM(BPF_REG_0, 0),
777 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
778 offsetof(struct __sk_buff, cb[4]) + 2),
779 BPF_EXIT_INSN(),
780 },
781 .errstr = "misaligned context access",
782 .result = REJECT,
783 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
784 },
785 {
786 "check cb access: word, unaligned 4",
787 .insns = {
788 BPF_MOV64_IMM(BPF_REG_0, 0),
789 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
790 offsetof(struct __sk_buff, cb[4]) + 3),
791 BPF_EXIT_INSN(),
792 },
793 .errstr = "misaligned context access",
794 .result = REJECT,
795 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
796 },
797 {
798 "check cb access: double",
799 .insns = {
800 BPF_MOV64_IMM(BPF_REG_0, 0),
801 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
802 offsetof(struct __sk_buff, cb[0])),
803 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
804 offsetof(struct __sk_buff, cb[2])),
805 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
806 offsetof(struct __sk_buff, cb[0])),
807 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
808 offsetof(struct __sk_buff, cb[2])),
809 BPF_EXIT_INSN(),
810 },
811 .result = ACCEPT,
812 },
813 {
814 "check cb access: double, unaligned 1",
815 .insns = {
816 BPF_MOV64_IMM(BPF_REG_0, 0),
817 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
818 offsetof(struct __sk_buff, cb[1])),
819 BPF_EXIT_INSN(),
820 },
821 .errstr = "misaligned context access",
822 .result = REJECT,
823 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
824 },
825 {
826 "check cb access: double, unaligned 2",
827 .insns = {
828 BPF_MOV64_IMM(BPF_REG_0, 0),
829 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
830 offsetof(struct __sk_buff, cb[3])),
831 BPF_EXIT_INSN(),
832 },
833 .errstr = "misaligned context access",
834 .result = REJECT,
835 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
836 },
837 {
838 "check cb access: double, oob 1",
839 .insns = {
840 BPF_MOV64_IMM(BPF_REG_0, 0),
841 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
842 offsetof(struct __sk_buff, cb[4])),
843 BPF_EXIT_INSN(),
844 },
845 .errstr = "invalid bpf_context access",
846 .result = REJECT,
847 },
848 {
849 "check cb access: double, oob 2",
850 .insns = {
851 BPF_MOV64_IMM(BPF_REG_0, 0),
852 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
853 offsetof(struct __sk_buff, cb[4])),
854 BPF_EXIT_INSN(),
855 },
856 .errstr = "invalid bpf_context access",
857 .result = REJECT,
858 },
859 {
860 "check __sk_buff->ifindex dw store not permitted",
861 .insns = {
862 BPF_MOV64_IMM(BPF_REG_0, 0),
863 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
864 offsetof(struct __sk_buff, ifindex)),
865 BPF_EXIT_INSN(),
866 },
867 .errstr = "invalid bpf_context access",
868 .result = REJECT,
869 },
870 {
871 "check __sk_buff->ifindex dw load not permitted",
872 .insns = {
873 BPF_MOV64_IMM(BPF_REG_0, 0),
874 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
875 offsetof(struct __sk_buff, ifindex)),
876 BPF_EXIT_INSN(),
877 },
878 .errstr = "invalid bpf_context access",
879 .result = REJECT,
880 },
881 {
882 "check cb access: double, wrong type",
883 .insns = {
884 BPF_MOV64_IMM(BPF_REG_0, 0),
885 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
886 offsetof(struct __sk_buff, cb[0])),
887 BPF_EXIT_INSN(),
888 },
889 .errstr = "invalid bpf_context access",
890 .result = REJECT,
891 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
892 },
893 {
894 "check out of range skb->cb access",
895 .insns = {
896 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
897 offsetof(struct __sk_buff, cb[0]) + 256),
898 BPF_EXIT_INSN(),
899 },
900 .errstr = "invalid bpf_context access",
901 .errstr_unpriv = "",
902 .result = REJECT,
903 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
904 },
905 {
906 "write skb fields from socket prog",
907 .insns = {
908 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
909 offsetof(struct __sk_buff, cb[4])),
910 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
911 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
912 offsetof(struct __sk_buff, mark)),
913 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
914 offsetof(struct __sk_buff, tc_index)),
915 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
916 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
917 offsetof(struct __sk_buff, cb[0])),
918 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
919 offsetof(struct __sk_buff, cb[2])),
920 BPF_EXIT_INSN(),
921 },
922 .result = ACCEPT,
923 .errstr_unpriv = "R1 leaks addr",
924 .result_unpriv = REJECT,
925 },
926 {
927 "write skb fields from tc_cls_act prog",
928 .insns = {
929 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
930 offsetof(struct __sk_buff, cb[0])),
931 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
932 offsetof(struct __sk_buff, mark)),
933 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
934 offsetof(struct __sk_buff, tc_index)),
935 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
936 offsetof(struct __sk_buff, tc_index)),
937 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
938 offsetof(struct __sk_buff, cb[3])),
939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
940 offsetof(struct __sk_buff, tstamp)),
941 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
942 offsetof(struct __sk_buff, tstamp)),
943 BPF_EXIT_INSN(),
944 },
945 .errstr_unpriv = "",
946 .result_unpriv = REJECT,
947 .result = ACCEPT,
948 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
949 },
950 {
951 "check skb->data half load not permitted",
952 .insns = {
953 BPF_MOV64_IMM(BPF_REG_0, 0),
954 #if __BYTE_ORDER == __LITTLE_ENDIAN
955 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
956 offsetof(struct __sk_buff, data)),
957 #else
958 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
959 offsetof(struct __sk_buff, data) + 2),
960 #endif
961 BPF_EXIT_INSN(),
962 },
963 .result = REJECT,
964 .errstr = "invalid bpf_context access",
965 },
966 {
967 "read gso_segs from CGROUP_SKB",
968 .insns = {
969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
970 offsetof(struct __sk_buff, gso_segs)),
971 BPF_MOV64_IMM(BPF_REG_0, 0),
972 BPF_EXIT_INSN(),
973 },
974 .result = ACCEPT,
975 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
976 },
977 {
978 "read gso_segs from CGROUP_SKB",
979 .insns = {
980 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
981 offsetof(struct __sk_buff, gso_segs)),
982 BPF_MOV64_IMM(BPF_REG_0, 0),
983 BPF_EXIT_INSN(),
984 },
985 .result = ACCEPT,
986 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
987 },
988 {
989 "write gso_segs from CGROUP_SKB",
990 .insns = {
991 BPF_MOV64_IMM(BPF_REG_0, 0),
992 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
993 offsetof(struct __sk_buff, gso_segs)),
994 BPF_MOV64_IMM(BPF_REG_0, 0),
995 BPF_EXIT_INSN(),
996 },
997 .result = REJECT,
998 .result_unpriv = REJECT,
999 .errstr = "invalid bpf_context access off=164 size=4",
1000 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1001 },
1002 {
1003 "read gso_segs from CLS",
1004 .insns = {
1005 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1006 offsetof(struct __sk_buff, gso_segs)),
1007 BPF_MOV64_IMM(BPF_REG_0, 0),
1008 BPF_EXIT_INSN(),
1009 },
1010 .result = ACCEPT,
1011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1012 },
1013 {
1014 "read gso_size from CGROUP_SKB",
1015 .insns = {
1016 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1017 offsetof(struct __sk_buff, gso_size)),
1018 BPF_MOV64_IMM(BPF_REG_0, 0),
1019 BPF_EXIT_INSN(),
1020 },
1021 .result = ACCEPT,
1022 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1023 },
1024 {
1025 "read gso_size from CGROUP_SKB",
1026 .insns = {
1027 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1028 offsetof(struct __sk_buff, gso_size)),
1029 BPF_MOV64_IMM(BPF_REG_0, 0),
1030 BPF_EXIT_INSN(),
1031 },
1032 .result = ACCEPT,
1033 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1034 },
1035 {
1036 "write gso_size from CGROUP_SKB",
1037 .insns = {
1038 BPF_MOV64_IMM(BPF_REG_0, 0),
1039 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1040 offsetof(struct __sk_buff, gso_size)),
1041 BPF_MOV64_IMM(BPF_REG_0, 0),
1042 BPF_EXIT_INSN(),
1043 },
1044 .result = REJECT,
1045 .result_unpriv = REJECT,
1046 .errstr = "invalid bpf_context access off=176 size=4",
1047 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1048 },
1049 {
1050 "read gso_size from CLS",
1051 .insns = {
1052 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1053 offsetof(struct __sk_buff, gso_size)),
1054 BPF_MOV64_IMM(BPF_REG_0, 0),
1055 BPF_EXIT_INSN(),
1056 },
1057 .result = ACCEPT,
1058 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1059 },
1060 {
1061 "check wire_len is not readable by sockets",
1062 .insns = {
1063 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1064 offsetof(struct __sk_buff, wire_len)),
1065 BPF_EXIT_INSN(),
1066 },
1067 .errstr = "invalid bpf_context access",
1068 .result = REJECT,
1069 },
1070 {
1071 "check wire_len is readable by tc classifier",
1072 .insns = {
1073 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1074 offsetof(struct __sk_buff, wire_len)),
1075 BPF_EXIT_INSN(),
1076 },
1077 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1078 .result = ACCEPT,
1079 },
1080 {
1081 "check wire_len is not writable by tc classifier",
1082 .insns = {
1083 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1084 offsetof(struct __sk_buff, wire_len)),
1085 BPF_EXIT_INSN(),
1086 },
1087 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1088 .errstr = "invalid bpf_context access",
1089 .errstr_unpriv = "R1 leaks addr",
1090 .result = REJECT,
1091 },
1092 {
1093 "pkt > pkt_end taken check",
1094 .insns = {
1095 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, // 0. r2 = *(u32 *)(r1 + data_end)
1096 offsetof(struct __sk_buff, data_end)),
1097 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, // 1. r4 = *(u32 *)(r1 + data)
1098 offsetof(struct __sk_buff, data)),
1099 BPF_MOV64_REG(BPF_REG_3, BPF_REG_4), // 2. r3 = r4
1100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 42), // 3. r3 += 42
1101 BPF_MOV64_IMM(BPF_REG_1, 0), // 4. r1 = 0
1102 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_2, 2), // 5. if r3 > r2 goto 8
1103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 14), // 6. r4 += 14
1104 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4), // 7. r1 = r4
1105 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_2, 1), // 8. if r3 > r2 goto 10
1106 BPF_LDX_MEM(BPF_H, BPF_REG_2, BPF_REG_1, 9), // 9. r2 = *(u8 *)(r1 + 9)
1107 BPF_MOV64_IMM(BPF_REG_0, 0), // 10. r0 = 0
1108 BPF_EXIT_INSN(), // 11. exit
1109 },
1110 .result = ACCEPT,
1111 .prog_type = BPF_PROG_TYPE_SK_SKB,
1112 },
1113 {
1114 "pkt_end < pkt taken check",
1115 .insns = {
1116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, // 0. r2 = *(u32 *)(r1 + data_end)
1117 offsetof(struct __sk_buff, data_end)),
1118 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, // 1. r4 = *(u32 *)(r1 + data)
1119 offsetof(struct __sk_buff, data)),
1120 BPF_MOV64_REG(BPF_REG_3, BPF_REG_4), // 2. r3 = r4
1121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 42), // 3. r3 += 42
1122 BPF_MOV64_IMM(BPF_REG_1, 0), // 4. r1 = 0
1123 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_2, 2), // 5. if r3 > r2 goto 8
1124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 14), // 6. r4 += 14
1125 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4), // 7. r1 = r4
1126 BPF_JMP_REG(BPF_JLT, BPF_REG_2, BPF_REG_3, 1), // 8. if r2 < r3 goto 10
1127 BPF_LDX_MEM(BPF_H, BPF_REG_2, BPF_REG_1, 9), // 9. r2 = *(u8 *)(r1 + 9)
1128 BPF_MOV64_IMM(BPF_REG_0, 0), // 10. r0 = 0
1129 BPF_EXIT_INSN(), // 11. exit
1130 },
1131 .result = ACCEPT,
1132 .prog_type = BPF_PROG_TYPE_SK_SKB,
1133 },
Linux with added FPC-III support