2 "map access: known scalar += value_ptr unknown vs const",
4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5 offsetof(struct __sk_buff, len)),
6 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
10 BPF_LD_MAP_FD(BPF_REG_1, 0),
11 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12 BPF_LD_MAP_FD(BPF_REG_1, 0),
13 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
14 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
15 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
16 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
17 BPF_MOV64_IMM(BPF_REG_1, 6),
18 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
19 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
20 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
21 BPF_MOV64_IMM(BPF_REG_1, 3),
22 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
23 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
24 BPF_MOV64_IMM(BPF_REG_0, 1),
27 .fixup_map_hash_16b = { 5 },
28 .fixup_map_array_48b = { 8 },
29 .result_unpriv = REJECT,
30 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
35 "map access: known scalar += value_ptr const vs unknown",
37 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
38 offsetof(struct __sk_buff, len)),
39 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
40 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
41 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
42 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
43 BPF_LD_MAP_FD(BPF_REG_1, 0),
44 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
45 BPF_LD_MAP_FD(BPF_REG_1, 0),
46 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
47 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
48 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
49 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),
50 BPF_MOV64_IMM(BPF_REG_1, 3),
51 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
52 BPF_MOV64_IMM(BPF_REG_1, 6),
53 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
54 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
55 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
56 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
57 BPF_MOV64_IMM(BPF_REG_0, 1),
60 .fixup_map_hash_16b = { 5 },
61 .fixup_map_array_48b = { 8 },
62 .result_unpriv = REJECT,
63 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
68 "map access: known scalar += value_ptr const vs const (ne)",
70 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
71 offsetof(struct __sk_buff, len)),
72 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
73 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
74 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
75 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
76 BPF_LD_MAP_FD(BPF_REG_1, 0),
77 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
78 BPF_LD_MAP_FD(BPF_REG_1, 0),
79 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
80 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
81 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
82 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),
83 BPF_MOV64_IMM(BPF_REG_1, 3),
84 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
85 BPF_MOV64_IMM(BPF_REG_1, 5),
86 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
87 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
88 BPF_MOV64_IMM(BPF_REG_0, 1),
91 .fixup_map_hash_16b = { 5 },
92 .fixup_map_array_48b = { 8 },
93 .result_unpriv = REJECT,
94 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
99 "map access: known scalar += value_ptr const vs const (eq)",
101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
102 offsetof(struct __sk_buff, len)),
103 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
107 BPF_LD_MAP_FD(BPF_REG_1, 0),
108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
109 BPF_LD_MAP_FD(BPF_REG_1, 0),
110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
112 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
113 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 2),
114 BPF_MOV64_IMM(BPF_REG_1, 5),
115 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
116 BPF_MOV64_IMM(BPF_REG_1, 5),
117 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
119 BPF_MOV64_IMM(BPF_REG_0, 1),
122 .fixup_map_hash_16b = { 5 },
123 .fixup_map_array_48b = { 8 },
128 "map access: known scalar += value_ptr unknown vs unknown (eq)",
130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
131 offsetof(struct __sk_buff, len)),
132 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
135 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
136 BPF_LD_MAP_FD(BPF_REG_1, 0),
137 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
138 BPF_LD_MAP_FD(BPF_REG_1, 0),
139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
141 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
143 BPF_MOV64_IMM(BPF_REG_1, 6),
144 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
145 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
146 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
147 BPF_MOV64_IMM(BPF_REG_1, 6),
148 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
149 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
150 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
151 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
152 BPF_MOV64_IMM(BPF_REG_0, 1),
155 .fixup_map_hash_16b = { 5 },
156 .fixup_map_array_48b = { 8 },
161 "map access: known scalar += value_ptr unknown vs unknown (lt)",
163 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
164 offsetof(struct __sk_buff, len)),
165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
169 BPF_LD_MAP_FD(BPF_REG_1, 0),
170 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
171 BPF_LD_MAP_FD(BPF_REG_1, 0),
172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
174 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
176 BPF_MOV64_IMM(BPF_REG_1, 6),
177 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
178 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3),
179 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
180 BPF_MOV64_IMM(BPF_REG_1, 6),
181 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
182 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
183 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
185 BPF_MOV64_IMM(BPF_REG_0, 1),
188 .fixup_map_hash_16b = { 5 },
189 .fixup_map_array_48b = { 8 },
190 .result_unpriv = REJECT,
191 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
196 "map access: known scalar += value_ptr unknown vs unknown (gt)",
198 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
199 offsetof(struct __sk_buff, len)),
200 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
201 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
204 BPF_LD_MAP_FD(BPF_REG_1, 0),
205 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
206 BPF_LD_MAP_FD(BPF_REG_1, 0),
207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
209 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_0, 0),
210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_4, 1, 4),
211 BPF_MOV64_IMM(BPF_REG_1, 6),
212 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
213 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
214 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
215 BPF_MOV64_IMM(BPF_REG_1, 6),
216 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
217 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x3),
218 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
220 BPF_MOV64_IMM(BPF_REG_0, 1),
223 .fixup_map_hash_16b = { 5 },
224 .fixup_map_array_48b = { 8 },
225 .result_unpriv = REJECT,
226 .errstr_unpriv = "R1 tried to add from different maps, paths or scalars",
231 "map access: known scalar += value_ptr from different maps",
233 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
234 offsetof(struct __sk_buff, len)),
235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
239 BPF_LD_MAP_FD(BPF_REG_1, 0),
240 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
241 BPF_LD_MAP_FD(BPF_REG_1, 0),
242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
244 BPF_MOV64_IMM(BPF_REG_1, 4),
245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
246 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
247 BPF_MOV64_IMM(BPF_REG_0, 1),
250 .fixup_map_hash_16b = { 5 },
251 .fixup_map_array_48b = { 8 },
256 "map access: value_ptr -= known scalar from different maps",
258 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
259 offsetof(struct __sk_buff, len)),
260 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
264 BPF_LD_MAP_FD(BPF_REG_1, 0),
265 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
266 BPF_LD_MAP_FD(BPF_REG_1, 0),
267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
269 BPF_MOV64_IMM(BPF_REG_1, 4),
270 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
271 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
272 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
273 BPF_MOV64_IMM(BPF_REG_0, 1),
276 .fixup_map_hash_16b = { 5 },
277 .fixup_map_array_48b = { 8 },
279 .result_unpriv = REJECT,
280 .errstr_unpriv = "R0 min value is outside of the allowed memory range",
284 "map access: known scalar += value_ptr from different maps, but same value properties",
286 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
287 offsetof(struct __sk_buff, len)),
288 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
289 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
292 BPF_LD_MAP_FD(BPF_REG_1, 0),
293 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
294 BPF_LD_MAP_FD(BPF_REG_1, 0),
295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
297 BPF_MOV64_IMM(BPF_REG_1, 4),
298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
300 BPF_MOV64_IMM(BPF_REG_0, 1),
303 .fixup_map_hash_48b = { 5 },
304 .fixup_map_array_48b = { 8 },
309 "map access: mixing value pointer and scalar, 1",
311 // load map value pointer into r0 and r2
312 BPF_MOV64_IMM(BPF_REG_0, 1),
313 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
314 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
316 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
317 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
318 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
320 // load some number from the map into r1
321 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
322 // depending on r1, branch:
323 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
326 BPF_MOV64_IMM(BPF_REG_3, 0),
329 BPF_MOV64_IMM(BPF_REG_2, 0),
330 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
331 // common instruction
332 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
333 // depending on r1, branch:
334 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
338 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
339 // verifier follows fall-through
340 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
341 BPF_MOV64_IMM(BPF_REG_0, 0),
343 // fake-dead code; targeted from branch A to
344 // prevent dead code sanitization
345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
346 BPF_MOV64_IMM(BPF_REG_0, 0),
349 .fixup_map_array_48b = { 1 },
351 .result_unpriv = REJECT,
352 .errstr_unpriv = "R2 pointer comparison prohibited",
356 "map access: mixing value pointer and scalar, 2",
358 // load map value pointer into r0 and r2
359 BPF_MOV64_IMM(BPF_REG_0, 1),
360 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
361 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
363 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
364 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
365 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
367 // load some number from the map into r1
368 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
369 // depending on r1, branch:
370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
372 BPF_MOV64_IMM(BPF_REG_2, 0),
373 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
376 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
377 BPF_MOV64_IMM(BPF_REG_3, 0),
378 // common instruction
379 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
380 // depending on r1, branch:
381 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
385 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
386 // verifier follows fall-through
387 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
388 BPF_MOV64_IMM(BPF_REG_0, 0),
390 // fake-dead code; targeted from branch A to
391 // prevent dead code sanitization, rejected
392 // via branch B however
393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
394 BPF_MOV64_IMM(BPF_REG_0, 0),
397 .fixup_map_array_48b = { 1 },
399 .result_unpriv = REJECT,
400 .errstr_unpriv = "R0 invalid mem access 'inv'",
404 "sanitation: alu with different scalars 1",
406 BPF_MOV64_IMM(BPF_REG_0, 1),
407 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
408 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
410 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
411 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
412 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
414 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
415 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
416 BPF_MOV64_IMM(BPF_REG_2, 0),
417 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
419 BPF_MOV64_IMM(BPF_REG_2, 42),
420 BPF_MOV64_IMM(BPF_REG_3, 0x100001),
421 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
425 .fixup_map_array_48b = { 1 },
430 "sanitation: alu with different scalars 2",
432 BPF_MOV64_IMM(BPF_REG_0, 1),
433 BPF_LD_MAP_FD(BPF_REG_1, 0),
434 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
437 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
438 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
439 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
443 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
444 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
445 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
446 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
447 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
450 .fixup_map_array_48b = { 1 },
452 .retval = -EINVAL * 2,
455 "sanitation: alu with different scalars 3",
457 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
458 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
459 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
460 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
461 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
462 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
463 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
464 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
465 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
469 .retval = -EINVAL * 2,
472 "map access: value_ptr += known scalar, upper oob arith, test 1",
474 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
475 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
477 BPF_LD_MAP_FD(BPF_REG_1, 0),
478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
480 BPF_MOV64_IMM(BPF_REG_1, 48),
481 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
482 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
483 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
484 BPF_MOV64_IMM(BPF_REG_0, 1),
487 .fixup_map_array_48b = { 3 },
489 .result_unpriv = REJECT,
490 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
494 "map access: value_ptr += known scalar, upper oob arith, test 2",
496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
497 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
499 BPF_LD_MAP_FD(BPF_REG_1, 0),
500 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
502 BPF_MOV64_IMM(BPF_REG_1, 49),
503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
504 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
505 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
506 BPF_MOV64_IMM(BPF_REG_0, 1),
509 .fixup_map_array_48b = { 3 },
511 .result_unpriv = REJECT,
512 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
516 "map access: value_ptr += known scalar, upper oob arith, test 3",
518 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
521 BPF_LD_MAP_FD(BPF_REG_1, 0),
522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
524 BPF_MOV64_IMM(BPF_REG_1, 47),
525 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
526 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
527 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
528 BPF_MOV64_IMM(BPF_REG_0, 1),
531 .fixup_map_array_48b = { 3 },
536 "map access: value_ptr -= known scalar, lower oob arith, test 1",
538 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
541 BPF_LD_MAP_FD(BPF_REG_1, 0),
542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
544 BPF_MOV64_IMM(BPF_REG_1, 47),
545 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
546 BPF_MOV64_IMM(BPF_REG_1, 48),
547 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
548 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
549 BPF_MOV64_IMM(BPF_REG_0, 1),
552 .fixup_map_array_48b = { 3 },
554 .errstr = "R0 min value is outside of the allowed memory range",
555 .result_unpriv = REJECT,
556 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
559 "map access: value_ptr -= known scalar, lower oob arith, test 2",
561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
564 BPF_LD_MAP_FD(BPF_REG_1, 0),
565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
567 BPF_MOV64_IMM(BPF_REG_1, 47),
568 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
569 BPF_MOV64_IMM(BPF_REG_1, 48),
570 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
571 BPF_MOV64_IMM(BPF_REG_1, 1),
572 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
573 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
574 BPF_MOV64_IMM(BPF_REG_0, 1),
577 .fixup_map_array_48b = { 3 },
579 .result_unpriv = REJECT,
580 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
584 "map access: value_ptr -= known scalar, lower oob arith, test 3",
586 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
587 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
589 BPF_LD_MAP_FD(BPF_REG_1, 0),
590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
592 BPF_MOV64_IMM(BPF_REG_1, 47),
593 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
594 BPF_MOV64_IMM(BPF_REG_1, 47),
595 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
596 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
597 BPF_MOV64_IMM(BPF_REG_0, 1),
600 .fixup_map_array_48b = { 3 },
605 "map access: known scalar += value_ptr",
607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
610 BPF_LD_MAP_FD(BPF_REG_1, 0),
611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
613 BPF_MOV64_IMM(BPF_REG_1, 4),
614 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
615 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
616 BPF_MOV64_IMM(BPF_REG_0, 1),
619 .fixup_map_array_48b = { 3 },
624 "map access: value_ptr += known scalar, 1",
626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
629 BPF_LD_MAP_FD(BPF_REG_1, 0),
630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
632 BPF_MOV64_IMM(BPF_REG_1, 4),
633 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
634 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
635 BPF_MOV64_IMM(BPF_REG_0, 1),
638 .fixup_map_array_48b = { 3 },
643 "map access: value_ptr += known scalar, 2",
645 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
646 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
648 BPF_LD_MAP_FD(BPF_REG_1, 0),
649 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
651 BPF_MOV64_IMM(BPF_REG_1, 49),
652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
653 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
654 BPF_MOV64_IMM(BPF_REG_0, 1),
657 .fixup_map_array_48b = { 3 },
659 .errstr = "invalid access to map value",
662 "map access: value_ptr += known scalar, 3",
664 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
667 BPF_LD_MAP_FD(BPF_REG_1, 0),
668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
670 BPF_MOV64_IMM(BPF_REG_1, -1),
671 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
672 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
673 BPF_MOV64_IMM(BPF_REG_0, 1),
676 .fixup_map_array_48b = { 3 },
678 .errstr = "invalid access to map value",
681 "map access: value_ptr += known scalar, 4",
683 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
686 BPF_LD_MAP_FD(BPF_REG_1, 0),
687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
689 BPF_MOV64_IMM(BPF_REG_1, 5),
690 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
691 BPF_MOV64_IMM(BPF_REG_1, -2),
692 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
693 BPF_MOV64_IMM(BPF_REG_1, -1),
694 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
695 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
696 BPF_MOV64_IMM(BPF_REG_0, 1),
699 .fixup_map_array_48b = { 3 },
704 "map access: value_ptr += known scalar, 5",
706 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
709 BPF_LD_MAP_FD(BPF_REG_1, 0),
710 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
712 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
713 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
714 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
717 .fixup_map_array_48b = { 3 },
719 .retval = 0xabcdef12,
722 "map access: value_ptr += known scalar, 6",
724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
727 BPF_LD_MAP_FD(BPF_REG_1, 0),
728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
730 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
731 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
732 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
733 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
737 .fixup_map_array_48b = { 3 },
739 .retval = 0xabcdef12,
742 "map access: value_ptr += N, value_ptr -= N known scalar",
744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
747 BPF_LD_MAP_FD(BPF_REG_1, 0),
748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
750 BPF_MOV32_IMM(BPF_REG_1, 0x12345678),
751 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
753 BPF_MOV64_IMM(BPF_REG_1, 2),
754 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
758 .fixup_map_array_48b = { 3 },
760 .retval = 0x12345678,
763 "map access: unknown scalar += value_ptr, 1",
765 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
768 BPF_LD_MAP_FD(BPF_REG_1, 0),
769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
771 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
772 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
773 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
774 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
775 BPF_MOV64_IMM(BPF_REG_0, 1),
778 .fixup_map_array_48b = { 3 },
783 "map access: unknown scalar += value_ptr, 2",
785 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
788 BPF_LD_MAP_FD(BPF_REG_1, 0),
789 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
791 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
792 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
793 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
794 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
797 .fixup_map_array_48b = { 3 },
799 .retval = 0xabcdef12,
800 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
803 "map access: unknown scalar += value_ptr, 3",
805 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
806 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
808 BPF_LD_MAP_FD(BPF_REG_1, 0),
809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
811 BPF_MOV64_IMM(BPF_REG_1, -1),
812 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
813 BPF_MOV64_IMM(BPF_REG_1, 1),
814 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
815 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
816 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
817 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
818 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
821 .fixup_map_array_48b = { 3 },
823 .result_unpriv = REJECT,
824 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
825 .retval = 0xabcdef12,
826 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
829 "map access: unknown scalar += value_ptr, 4",
831 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
834 BPF_LD_MAP_FD(BPF_REG_1, 0),
835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
837 BPF_MOV64_IMM(BPF_REG_1, 19),
838 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
839 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
840 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
841 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
842 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
845 .fixup_map_array_48b = { 3 },
847 .errstr = "R1 max value is outside of the allowed memory range",
848 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
849 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
852 "map access: value_ptr += unknown scalar, 1",
854 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
857 BPF_LD_MAP_FD(BPF_REG_1, 0),
858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
860 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
861 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
862 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
863 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
864 BPF_MOV64_IMM(BPF_REG_0, 1),
867 .fixup_map_array_48b = { 3 },
872 "map access: value_ptr += unknown scalar, 2",
874 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
877 BPF_LD_MAP_FD(BPF_REG_1, 0),
878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
879 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
880 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
881 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
886 .fixup_map_array_48b = { 3 },
888 .retval = 0xabcdef12,
889 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
892 "map access: value_ptr += unknown scalar, 3",
894 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
897 BPF_LD_MAP_FD(BPF_REG_1, 0),
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
900 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
901 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
902 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
903 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
904 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
905 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
906 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
907 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
908 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
909 BPF_MOV64_IMM(BPF_REG_0, 1),
911 BPF_MOV64_IMM(BPF_REG_0, 2),
912 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
914 .fixup_map_array_48b = { 3 },
919 "map access: value_ptr += value_ptr",
921 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
924 BPF_LD_MAP_FD(BPF_REG_1, 0),
925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
927 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
928 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
929 BPF_MOV64_IMM(BPF_REG_0, 1),
932 .fixup_map_array_48b = { 3 },
934 .errstr = "R0 pointer += pointer prohibited",
937 "map access: known scalar -= value_ptr",
939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
942 BPF_LD_MAP_FD(BPF_REG_1, 0),
943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
945 BPF_MOV64_IMM(BPF_REG_1, 4),
946 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
948 BPF_MOV64_IMM(BPF_REG_0, 1),
951 .fixup_map_array_48b = { 3 },
953 .errstr = "R1 tried to subtract pointer from scalar",
956 "map access: value_ptr -= known scalar",
958 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
961 BPF_LD_MAP_FD(BPF_REG_1, 0),
962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
963 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
964 BPF_MOV64_IMM(BPF_REG_1, 4),
965 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
966 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
967 BPF_MOV64_IMM(BPF_REG_0, 1),
970 .fixup_map_array_48b = { 3 },
972 .errstr = "R0 min value is outside of the allowed memory range",
975 "map access: value_ptr -= known scalar, 2",
977 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
978 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
980 BPF_LD_MAP_FD(BPF_REG_1, 0),
981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
983 BPF_MOV64_IMM(BPF_REG_1, 6),
984 BPF_MOV64_IMM(BPF_REG_2, 4),
985 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
986 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
987 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
988 BPF_MOV64_IMM(BPF_REG_0, 1),
991 .fixup_map_array_48b = { 3 },
996 "map access: unknown scalar -= value_ptr",
998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1001 BPF_LD_MAP_FD(BPF_REG_1, 0),
1002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1003 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
1004 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1005 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
1006 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
1007 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
1008 BPF_MOV64_IMM(BPF_REG_0, 1),
1011 .fixup_map_array_48b = { 3 },
1013 .errstr = "R1 tried to subtract pointer from scalar",
1016 "map access: value_ptr -= unknown scalar",
1018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1021 BPF_LD_MAP_FD(BPF_REG_1, 0),
1022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1023 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
1024 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1025 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
1026 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1027 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1028 BPF_MOV64_IMM(BPF_REG_0, 1),
1031 .fixup_map_array_48b = { 3 },
1033 .errstr = "R0 min value is negative",
1036 "map access: value_ptr -= unknown scalar, 2",
1038 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1041 BPF_LD_MAP_FD(BPF_REG_1, 0),
1042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1043 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
1044 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1045 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
1046 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
1047 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
1048 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1049 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
1050 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
1051 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1052 BPF_MOV64_IMM(BPF_REG_0, 1),
1055 .fixup_map_array_48b = { 3 },
1057 .result_unpriv = REJECT,
1058 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
1062 "map access: value_ptr -= value_ptr",
1064 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1067 BPF_LD_MAP_FD(BPF_REG_1, 0),
1068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1070 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
1071 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
1072 BPF_MOV64_IMM(BPF_REG_0, 1),
1075 .fixup_map_array_48b = { 3 },
1077 .errstr = "R0 invalid mem access 'inv'",
1078 .errstr_unpriv = "R0 pointer -= pointer prohibited",
1081 "map access: trying to leak tained dst reg",
1083 BPF_MOV64_IMM(BPF_REG_0, 0),
1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1089 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
1092 BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
1093 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
1094 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
1095 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
1096 BPF_MOV64_IMM(BPF_REG_0, 0),
1099 .fixup_map_array_48b = { 4 },
1101 .errstr = "math between map_value pointer and 4294967295 is not allowed",
1104 "32bit pkt_ptr -= scalar",
1106 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
1107 offsetof(struct __sk_buff, data_end)),
1108 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
1109 offsetof(struct __sk_buff, data)),
1110 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
1111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40),
1112 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2),
1113 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_7),
1114 BPF_ALU32_REG(BPF_SUB, BPF_REG_6, BPF_REG_4),
1115 BPF_MOV64_IMM(BPF_REG_0, 0),
1118 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1120 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1123 "32bit scalar -= pkt_ptr",
1125 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
1126 offsetof(struct __sk_buff, data_end)),
1127 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
1128 offsetof(struct __sk_buff, data)),
1129 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
1130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 40),
1131 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_8, 2),
1132 BPF_ALU32_REG(BPF_MOV, BPF_REG_4, BPF_REG_6),
1133 BPF_ALU32_REG(BPF_SUB, BPF_REG_4, BPF_REG_7),
1134 BPF_MOV64_IMM(BPF_REG_0, 0),
1137 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1139 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,