Commit | Line | Data |
---|---|---|
3c731eba AS |
1 | /* |
2 | * Testsuite for eBPF verifier | |
3 | * | |
4 | * Copyright (c) 2014 PLUMgrid, http://plumgrid.com | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of version 2 of the GNU General Public | |
8 | * License as published by the Free Software Foundation. | |
9 | */ | |
10 | #include <stdio.h> | |
11 | #include <unistd.h> | |
12 | #include <linux/bpf.h> | |
13 | #include <errno.h> | |
14 | #include <linux/unistd.h> | |
15 | #include <string.h> | |
16 | #include <linux/filter.h> | |
614cd3bd | 17 | #include <stddef.h> |
bf508877 AS |
18 | #include <stdbool.h> |
19 | #include <sys/resource.h> | |
3c731eba AS |
20 | #include "libbpf.h" |
21 | ||
22 | #define MAX_INSNS 512 | |
23 | #define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x))) | |
24 | ||
bf508877 AS |
25 | #define MAX_FIXUPS 8 |
26 | ||
3c731eba AS |
27 | struct bpf_test { |
28 | const char *descr; | |
29 | struct bpf_insn insns[MAX_INSNS]; | |
bf508877 AS |
30 | int fixup[MAX_FIXUPS]; |
31 | int prog_array_fixup[MAX_FIXUPS]; | |
3c731eba | 32 | const char *errstr; |
bf508877 | 33 | const char *errstr_unpriv; |
3c731eba | 34 | enum { |
bf508877 | 35 | UNDEF, |
3c731eba AS |
36 | ACCEPT, |
37 | REJECT | |
bf508877 | 38 | } result, result_unpriv; |
d691f9e8 | 39 | enum bpf_prog_type prog_type; |
3c731eba AS |
40 | }; |
41 | ||
42 | static struct bpf_test tests[] = { | |
43 | { | |
44 | "add+sub+mul", | |
45 | .insns = { | |
46 | BPF_MOV64_IMM(BPF_REG_1, 1), | |
47 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), | |
48 | BPF_MOV64_IMM(BPF_REG_2, 3), | |
49 | BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), | |
50 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), | |
51 | BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), | |
52 | BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), | |
53 | BPF_EXIT_INSN(), | |
54 | }, | |
55 | .result = ACCEPT, | |
56 | }, | |
57 | { | |
58 | "unreachable", | |
59 | .insns = { | |
60 | BPF_EXIT_INSN(), | |
61 | BPF_EXIT_INSN(), | |
62 | }, | |
63 | .errstr = "unreachable", | |
64 | .result = REJECT, | |
65 | }, | |
66 | { | |
67 | "unreachable2", | |
68 | .insns = { | |
69 | BPF_JMP_IMM(BPF_JA, 0, 0, 1), | |
70 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), | |
71 | BPF_EXIT_INSN(), | |
72 | }, | |
73 | .errstr = "unreachable", | |
74 | .result = REJECT, | |
75 | }, | |
76 | { | |
77 | "out of range jump", | |
78 | .insns = { | |
79 | BPF_JMP_IMM(BPF_JA, 0, 0, 1), | |
80 | BPF_EXIT_INSN(), | |
81 | }, | |
82 | .errstr = "jump out of range", | |
83 | .result = REJECT, | |
84 | }, | |
85 | { | |
86 | "out of range jump2", | |
87 | .insns = { | |
88 | BPF_JMP_IMM(BPF_JA, 0, 0, -2), | |
89 | BPF_EXIT_INSN(), | |
90 | }, | |
91 | .errstr = "jump out of range", | |
92 | .result = REJECT, | |
93 | }, | |
94 | { | |
95 | "test1 ld_imm64", | |
96 | .insns = { | |
97 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), | |
98 | BPF_LD_IMM64(BPF_REG_0, 0), | |
99 | BPF_LD_IMM64(BPF_REG_0, 0), | |
100 | BPF_LD_IMM64(BPF_REG_0, 1), | |
101 | BPF_LD_IMM64(BPF_REG_0, 1), | |
102 | BPF_MOV64_IMM(BPF_REG_0, 2), | |
103 | BPF_EXIT_INSN(), | |
104 | }, | |
105 | .errstr = "invalid BPF_LD_IMM insn", | |
bf508877 | 106 | .errstr_unpriv = "R1 pointer comparison", |
3c731eba AS |
107 | .result = REJECT, |
108 | }, | |
109 | { | |
110 | "test2 ld_imm64", | |
111 | .insns = { | |
112 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), | |
113 | BPF_LD_IMM64(BPF_REG_0, 0), | |
114 | BPF_LD_IMM64(BPF_REG_0, 0), | |
115 | BPF_LD_IMM64(BPF_REG_0, 1), | |
116 | BPF_LD_IMM64(BPF_REG_0, 1), | |
117 | BPF_EXIT_INSN(), | |
118 | }, | |
119 | .errstr = "invalid BPF_LD_IMM insn", | |
bf508877 | 120 | .errstr_unpriv = "R1 pointer comparison", |
3c731eba AS |
121 | .result = REJECT, |
122 | }, | |
123 | { | |
124 | "test3 ld_imm64", | |
125 | .insns = { | |
126 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), | |
127 | BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), | |
128 | BPF_LD_IMM64(BPF_REG_0, 0), | |
129 | BPF_LD_IMM64(BPF_REG_0, 0), | |
130 | BPF_LD_IMM64(BPF_REG_0, 1), | |
131 | BPF_LD_IMM64(BPF_REG_0, 1), | |
132 | BPF_EXIT_INSN(), | |
133 | }, | |
134 | .errstr = "invalid bpf_ld_imm64 insn", | |
135 | .result = REJECT, | |
136 | }, | |
137 | { | |
138 | "test4 ld_imm64", | |
139 | .insns = { | |
140 | BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), | |
141 | BPF_EXIT_INSN(), | |
142 | }, | |
143 | .errstr = "invalid bpf_ld_imm64 insn", | |
144 | .result = REJECT, | |
145 | }, | |
146 | { | |
147 | "test5 ld_imm64", | |
148 | .insns = { | |
149 | BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), | |
150 | }, | |
151 | .errstr = "invalid bpf_ld_imm64 insn", | |
152 | .result = REJECT, | |
153 | }, | |
154 | { | |
155 | "no bpf_exit", | |
156 | .insns = { | |
157 | BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), | |
158 | }, | |
159 | .errstr = "jump out of range", | |
160 | .result = REJECT, | |
161 | }, | |
162 | { | |
163 | "loop (back-edge)", | |
164 | .insns = { | |
165 | BPF_JMP_IMM(BPF_JA, 0, 0, -1), | |
166 | BPF_EXIT_INSN(), | |
167 | }, | |
168 | .errstr = "back-edge", | |
169 | .result = REJECT, | |
170 | }, | |
171 | { | |
172 | "loop2 (back-edge)", | |
173 | .insns = { | |
174 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), | |
175 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), | |
176 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), | |
177 | BPF_JMP_IMM(BPF_JA, 0, 0, -4), | |
178 | BPF_EXIT_INSN(), | |
179 | }, | |
180 | .errstr = "back-edge", | |
181 | .result = REJECT, | |
182 | }, | |
183 | { | |
184 | "conditional loop", | |
185 | .insns = { | |
186 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), | |
187 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), | |
188 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), | |
189 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), | |
190 | BPF_EXIT_INSN(), | |
191 | }, | |
192 | .errstr = "back-edge", | |
193 | .result = REJECT, | |
194 | }, | |
195 | { | |
196 | "read uninitialized register", | |
197 | .insns = { | |
198 | BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), | |
199 | BPF_EXIT_INSN(), | |
200 | }, | |
201 | .errstr = "R2 !read_ok", | |
202 | .result = REJECT, | |
203 | }, | |
204 | { | |
205 | "read invalid register", | |
206 | .insns = { | |
207 | BPF_MOV64_REG(BPF_REG_0, -1), | |
208 | BPF_EXIT_INSN(), | |
209 | }, | |
210 | .errstr = "R15 is invalid", | |
211 | .result = REJECT, | |
212 | }, | |
213 | { | |
214 | "program doesn't init R0 before exit", | |
215 | .insns = { | |
216 | BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), | |
217 | BPF_EXIT_INSN(), | |
218 | }, | |
219 | .errstr = "R0 !read_ok", | |
220 | .result = REJECT, | |
221 | }, | |
32bf08a6 AS |
222 | { |
223 | "program doesn't init R0 before exit in all branches", | |
224 | .insns = { | |
225 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
226 | BPF_MOV64_IMM(BPF_REG_0, 1), | |
227 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), | |
228 | BPF_EXIT_INSN(), | |
229 | }, | |
230 | .errstr = "R0 !read_ok", | |
bf508877 | 231 | .errstr_unpriv = "R1 pointer comparison", |
32bf08a6 AS |
232 | .result = REJECT, |
233 | }, | |
3c731eba AS |
234 | { |
235 | "stack out of bounds", | |
236 | .insns = { | |
237 | BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), | |
238 | BPF_EXIT_INSN(), | |
239 | }, | |
240 | .errstr = "invalid stack", | |
241 | .result = REJECT, | |
242 | }, | |
243 | { | |
244 | "invalid call insn1", | |
245 | .insns = { | |
246 | BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), | |
247 | BPF_EXIT_INSN(), | |
248 | }, | |
249 | .errstr = "BPF_CALL uses reserved", | |
250 | .result = REJECT, | |
251 | }, | |
252 | { | |
253 | "invalid call insn2", | |
254 | .insns = { | |
255 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), | |
256 | BPF_EXIT_INSN(), | |
257 | }, | |
258 | .errstr = "BPF_CALL uses reserved", | |
259 | .result = REJECT, | |
260 | }, | |
261 | { | |
262 | "invalid function call", | |
263 | .insns = { | |
264 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), | |
265 | BPF_EXIT_INSN(), | |
266 | }, | |
267 | .errstr = "invalid func 1234567", | |
268 | .result = REJECT, | |
269 | }, | |
270 | { | |
271 | "uninitialized stack1", | |
272 | .insns = { | |
273 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
274 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
275 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
7943c0f3 | 276 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
3c731eba AS |
277 | BPF_EXIT_INSN(), |
278 | }, | |
279 | .fixup = {2}, | |
280 | .errstr = "invalid indirect read from stack", | |
281 | .result = REJECT, | |
282 | }, | |
283 | { | |
284 | "uninitialized stack2", | |
285 | .insns = { | |
286 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
287 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), | |
288 | BPF_EXIT_INSN(), | |
289 | }, | |
290 | .errstr = "invalid read from stack", | |
291 | .result = REJECT, | |
292 | }, | |
293 | { | |
294 | "check valid spill/fill", | |
295 | .insns = { | |
296 | /* spill R1(ctx) into stack */ | |
297 | BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), | |
298 | ||
299 | /* fill it back into R2 */ | |
300 | BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), | |
301 | ||
302 | /* should be able to access R0 = *(R2 + 8) */ | |
f91fe17e DB |
303 | /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ |
304 | BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), | |
3c731eba AS |
305 | BPF_EXIT_INSN(), |
306 | }, | |
bf508877 | 307 | .errstr_unpriv = "R0 leaks addr", |
3c731eba | 308 | .result = ACCEPT, |
bf508877 | 309 | .result_unpriv = REJECT, |
3c731eba AS |
310 | }, |
311 | { | |
312 | "check corrupted spill/fill", | |
313 | .insns = { | |
314 | /* spill R1(ctx) into stack */ | |
315 | BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), | |
316 | ||
317 | /* mess up with R1 pointer on stack */ | |
318 | BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), | |
319 | ||
320 | /* fill back into R0 should fail */ | |
321 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), | |
322 | ||
323 | BPF_EXIT_INSN(), | |
324 | }, | |
bf508877 | 325 | .errstr_unpriv = "attempt to corrupt spilled", |
3c731eba AS |
326 | .errstr = "corrupted spill", |
327 | .result = REJECT, | |
328 | }, | |
329 | { | |
330 | "invalid src register in STX", | |
331 | .insns = { | |
332 | BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), | |
333 | BPF_EXIT_INSN(), | |
334 | }, | |
335 | .errstr = "R15 is invalid", | |
336 | .result = REJECT, | |
337 | }, | |
338 | { | |
339 | "invalid dst register in STX", | |
340 | .insns = { | |
341 | BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), | |
342 | BPF_EXIT_INSN(), | |
343 | }, | |
344 | .errstr = "R14 is invalid", | |
345 | .result = REJECT, | |
346 | }, | |
347 | { | |
348 | "invalid dst register in ST", | |
349 | .insns = { | |
350 | BPF_ST_MEM(BPF_B, 14, -1, -1), | |
351 | BPF_EXIT_INSN(), | |
352 | }, | |
353 | .errstr = "R14 is invalid", | |
354 | .result = REJECT, | |
355 | }, | |
356 | { | |
357 | "invalid src register in LDX", | |
358 | .insns = { | |
359 | BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), | |
360 | BPF_EXIT_INSN(), | |
361 | }, | |
362 | .errstr = "R12 is invalid", | |
363 | .result = REJECT, | |
364 | }, | |
365 | { | |
366 | "invalid dst register in LDX", | |
367 | .insns = { | |
368 | BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), | |
369 | BPF_EXIT_INSN(), | |
370 | }, | |
371 | .errstr = "R11 is invalid", | |
372 | .result = REJECT, | |
373 | }, | |
374 | { | |
375 | "junk insn", | |
376 | .insns = { | |
377 | BPF_RAW_INSN(0, 0, 0, 0, 0), | |
378 | BPF_EXIT_INSN(), | |
379 | }, | |
380 | .errstr = "invalid BPF_LD_IMM", | |
381 | .result = REJECT, | |
382 | }, | |
383 | { | |
384 | "junk insn2", | |
385 | .insns = { | |
386 | BPF_RAW_INSN(1, 0, 0, 0, 0), | |
387 | BPF_EXIT_INSN(), | |
388 | }, | |
389 | .errstr = "BPF_LDX uses reserved fields", | |
390 | .result = REJECT, | |
391 | }, | |
392 | { | |
393 | "junk insn3", | |
394 | .insns = { | |
395 | BPF_RAW_INSN(-1, 0, 0, 0, 0), | |
396 | BPF_EXIT_INSN(), | |
397 | }, | |
398 | .errstr = "invalid BPF_ALU opcode f0", | |
399 | .result = REJECT, | |
400 | }, | |
401 | { | |
402 | "junk insn4", | |
403 | .insns = { | |
404 | BPF_RAW_INSN(-1, -1, -1, -1, -1), | |
405 | BPF_EXIT_INSN(), | |
406 | }, | |
407 | .errstr = "invalid BPF_ALU opcode f0", | |
408 | .result = REJECT, | |
409 | }, | |
410 | { | |
411 | "junk insn5", | |
412 | .insns = { | |
413 | BPF_RAW_INSN(0x7f, -1, -1, -1, -1), | |
414 | BPF_EXIT_INSN(), | |
415 | }, | |
416 | .errstr = "BPF_ALU uses reserved fields", | |
417 | .result = REJECT, | |
418 | }, | |
419 | { | |
420 | "misaligned read from stack", | |
421 | .insns = { | |
422 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
423 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), | |
424 | BPF_EXIT_INSN(), | |
425 | }, | |
426 | .errstr = "misaligned access", | |
427 | .result = REJECT, | |
428 | }, | |
429 | { | |
430 | "invalid map_fd for function call", | |
431 | .insns = { | |
432 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
433 | BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), | |
434 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
435 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
7943c0f3 | 436 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem), |
3c731eba AS |
437 | BPF_EXIT_INSN(), |
438 | }, | |
439 | .errstr = "fd 0 is not pointing to valid bpf_map", | |
440 | .result = REJECT, | |
441 | }, | |
442 | { | |
443 | "don't check return value before access", | |
444 | .insns = { | |
445 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
446 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
447 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
448 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
7943c0f3 | 449 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
3c731eba AS |
450 | BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), |
451 | BPF_EXIT_INSN(), | |
452 | }, | |
453 | .fixup = {3}, | |
454 | .errstr = "R0 invalid mem access 'map_value_or_null'", | |
455 | .result = REJECT, | |
456 | }, | |
457 | { | |
458 | "access memory with incorrect alignment", | |
459 | .insns = { | |
460 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
461 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
462 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
463 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
7943c0f3 | 464 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
3c731eba AS |
465 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), |
466 | BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), | |
467 | BPF_EXIT_INSN(), | |
468 | }, | |
469 | .fixup = {3}, | |
470 | .errstr = "misaligned access", | |
471 | .result = REJECT, | |
472 | }, | |
473 | { | |
474 | "sometimes access memory with incorrect alignment", | |
475 | .insns = { | |
476 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
477 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
478 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
479 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
7943c0f3 | 480 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
3c731eba AS |
481 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), |
482 | BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), | |
483 | BPF_EXIT_INSN(), | |
484 | BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), | |
485 | BPF_EXIT_INSN(), | |
486 | }, | |
487 | .fixup = {3}, | |
488 | .errstr = "R0 invalid mem access", | |
bf508877 | 489 | .errstr_unpriv = "R0 leaks addr", |
3c731eba AS |
490 | .result = REJECT, |
491 | }, | |
fd10c2ef AS |
492 | { |
493 | "jump test 1", | |
494 | .insns = { | |
495 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
496 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), | |
497 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), | |
498 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), | |
499 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), | |
500 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), | |
501 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), | |
502 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), | |
503 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), | |
504 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), | |
505 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), | |
506 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), | |
507 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), | |
508 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), | |
509 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
510 | BPF_EXIT_INSN(), | |
511 | }, | |
bf508877 AS |
512 | .errstr_unpriv = "R1 pointer comparison", |
513 | .result_unpriv = REJECT, | |
fd10c2ef AS |
514 | .result = ACCEPT, |
515 | }, | |
516 | { | |
517 | "jump test 2", | |
518 | .insns = { | |
519 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
520 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), | |
521 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), | |
522 | BPF_JMP_IMM(BPF_JA, 0, 0, 14), | |
523 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), | |
524 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), | |
525 | BPF_JMP_IMM(BPF_JA, 0, 0, 11), | |
526 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), | |
527 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), | |
528 | BPF_JMP_IMM(BPF_JA, 0, 0, 8), | |
529 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), | |
530 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), | |
531 | BPF_JMP_IMM(BPF_JA, 0, 0, 5), | |
532 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), | |
533 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), | |
534 | BPF_JMP_IMM(BPF_JA, 0, 0, 2), | |
535 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), | |
536 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), | |
537 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
538 | BPF_EXIT_INSN(), | |
539 | }, | |
bf508877 AS |
540 | .errstr_unpriv = "R1 pointer comparison", |
541 | .result_unpriv = REJECT, | |
fd10c2ef AS |
542 | .result = ACCEPT, |
543 | }, | |
544 | { | |
545 | "jump test 3", | |
546 | .insns = { | |
547 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
548 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), | |
549 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), | |
550 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
551 | BPF_JMP_IMM(BPF_JA, 0, 0, 19), | |
552 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), | |
553 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), | |
554 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), | |
555 | BPF_JMP_IMM(BPF_JA, 0, 0, 15), | |
556 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), | |
557 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), | |
558 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), | |
559 | BPF_JMP_IMM(BPF_JA, 0, 0, 11), | |
560 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), | |
561 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), | |
562 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), | |
563 | BPF_JMP_IMM(BPF_JA, 0, 0, 7), | |
564 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), | |
565 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), | |
566 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), | |
567 | BPF_JMP_IMM(BPF_JA, 0, 0, 3), | |
568 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), | |
569 | BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), | |
570 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), | |
571 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
7943c0f3 | 572 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem), |
fd10c2ef AS |
573 | BPF_EXIT_INSN(), |
574 | }, | |
575 | .fixup = {24}, | |
bf508877 AS |
576 | .errstr_unpriv = "R1 pointer comparison", |
577 | .result_unpriv = REJECT, | |
fd10c2ef AS |
578 | .result = ACCEPT, |
579 | }, | |
580 | { | |
581 | "jump test 4", | |
582 | .insns = { | |
583 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
584 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
585 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
586 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
587 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
588 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
589 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
590 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
591 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
592 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
593 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
594 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
595 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
596 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
597 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
598 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
599 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
600 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
601 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
602 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
603 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
604 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
605 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
606 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
607 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
608 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
609 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
610 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
611 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
612 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
613 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
614 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
615 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), | |
616 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), | |
617 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), | |
618 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), | |
619 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), | |
620 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), | |
621 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), | |
622 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), | |
623 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
624 | BPF_EXIT_INSN(), | |
625 | }, | |
bf508877 AS |
626 | .errstr_unpriv = "R1 pointer comparison", |
627 | .result_unpriv = REJECT, | |
fd10c2ef AS |
628 | .result = ACCEPT, |
629 | }, | |
342ded40 AS |
630 | { |
631 | "jump test 5", | |
632 | .insns = { | |
633 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
634 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), | |
635 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
636 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), | |
637 | BPF_JMP_IMM(BPF_JA, 0, 0, 2), | |
638 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), | |
639 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), | |
640 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
641 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
642 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), | |
643 | BPF_JMP_IMM(BPF_JA, 0, 0, 2), | |
644 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), | |
645 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), | |
646 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
647 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
648 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), | |
649 | BPF_JMP_IMM(BPF_JA, 0, 0, 2), | |
650 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), | |
651 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), | |
652 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
653 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
654 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), | |
655 | BPF_JMP_IMM(BPF_JA, 0, 0, 2), | |
656 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), | |
657 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), | |
658 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
659 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
660 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), | |
661 | BPF_JMP_IMM(BPF_JA, 0, 0, 2), | |
662 | BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), | |
663 | BPF_JMP_IMM(BPF_JA, 0, 0, 0), | |
664 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
665 | BPF_EXIT_INSN(), | |
666 | }, | |
bf508877 AS |
667 | .errstr_unpriv = "R1 pointer comparison", |
668 | .result_unpriv = REJECT, | |
342ded40 AS |
669 | .result = ACCEPT, |
670 | }, | |
614cd3bd AS |
671 | { |
672 | "access skb fields ok", | |
673 | .insns = { | |
674 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
675 | offsetof(struct __sk_buff, len)), | |
676 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), | |
677 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
678 | offsetof(struct __sk_buff, mark)), | |
679 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), | |
680 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
681 | offsetof(struct __sk_buff, pkt_type)), | |
682 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), | |
683 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
684 | offsetof(struct __sk_buff, queue_mapping)), | |
685 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), | |
c2497395 AS |
686 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, |
687 | offsetof(struct __sk_buff, protocol)), | |
688 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), | |
689 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
690 | offsetof(struct __sk_buff, vlan_present)), | |
691 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), | |
692 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
693 | offsetof(struct __sk_buff, vlan_tci)), | |
694 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), | |
614cd3bd AS |
695 | BPF_EXIT_INSN(), |
696 | }, | |
697 | .result = ACCEPT, | |
698 | }, | |
699 | { | |
700 | "access skb fields bad1", | |
701 | .insns = { | |
702 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), | |
703 | BPF_EXIT_INSN(), | |
704 | }, | |
705 | .errstr = "invalid bpf_context access", | |
706 | .result = REJECT, | |
707 | }, | |
708 | { | |
709 | "access skb fields bad2", | |
710 | .insns = { | |
711 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), | |
712 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
713 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
714 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
715 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
716 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
717 | BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), | |
718 | BPF_EXIT_INSN(), | |
719 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), | |
720 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
721 | offsetof(struct __sk_buff, pkt_type)), | |
722 | BPF_EXIT_INSN(), | |
723 | }, | |
724 | .fixup = {4}, | |
725 | .errstr = "different pointers", | |
bf508877 | 726 | .errstr_unpriv = "R1 pointer comparison", |
614cd3bd AS |
727 | .result = REJECT, |
728 | }, | |
729 | { | |
730 | "access skb fields bad3", | |
731 | .insns = { | |
732 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
733 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
734 | offsetof(struct __sk_buff, pkt_type)), | |
735 | BPF_EXIT_INSN(), | |
736 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
737 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
738 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
739 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
740 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
741 | BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), | |
742 | BPF_EXIT_INSN(), | |
743 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), | |
744 | BPF_JMP_IMM(BPF_JA, 0, 0, -12), | |
745 | }, | |
746 | .fixup = {6}, | |
747 | .errstr = "different pointers", | |
bf508877 | 748 | .errstr_unpriv = "R1 pointer comparison", |
614cd3bd AS |
749 | .result = REJECT, |
750 | }, | |
725f9dcd AS |
751 | { |
752 | "access skb fields bad4", | |
753 | .insns = { | |
754 | BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), | |
755 | BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, | |
756 | offsetof(struct __sk_buff, len)), | |
757 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
758 | BPF_EXIT_INSN(), | |
759 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
760 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
761 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
762 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
763 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
764 | BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), | |
765 | BPF_EXIT_INSN(), | |
766 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), | |
767 | BPF_JMP_IMM(BPF_JA, 0, 0, -13), | |
768 | }, | |
769 | .fixup = {7}, | |
770 | .errstr = "different pointers", | |
bf508877 | 771 | .errstr_unpriv = "R1 pointer comparison", |
725f9dcd AS |
772 | .result = REJECT, |
773 | }, | |
d691f9e8 AS |
774 | { |
775 | "check skb->mark is not writeable by sockets", | |
776 | .insns = { | |
777 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, | |
778 | offsetof(struct __sk_buff, mark)), | |
779 | BPF_EXIT_INSN(), | |
780 | }, | |
781 | .errstr = "invalid bpf_context access", | |
bf508877 | 782 | .errstr_unpriv = "R1 leaks addr", |
d691f9e8 AS |
783 | .result = REJECT, |
784 | }, | |
785 | { | |
786 | "check skb->tc_index is not writeable by sockets", | |
787 | .insns = { | |
788 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, | |
789 | offsetof(struct __sk_buff, tc_index)), | |
790 | BPF_EXIT_INSN(), | |
791 | }, | |
792 | .errstr = "invalid bpf_context access", | |
bf508877 | 793 | .errstr_unpriv = "R1 leaks addr", |
d691f9e8 AS |
794 | .result = REJECT, |
795 | }, | |
796 | { | |
797 | "check non-u32 access to cb", | |
798 | .insns = { | |
799 | BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_1, | |
800 | offsetof(struct __sk_buff, cb[0])), | |
801 | BPF_EXIT_INSN(), | |
802 | }, | |
803 | .errstr = "invalid bpf_context access", | |
bf508877 | 804 | .errstr_unpriv = "R1 leaks addr", |
d691f9e8 AS |
805 | .result = REJECT, |
806 | }, | |
807 | { | |
808 | "check out of range skb->cb access", | |
809 | .insns = { | |
810 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
bf508877 | 811 | offsetof(struct __sk_buff, cb[0]) + 256), |
d691f9e8 AS |
812 | BPF_EXIT_INSN(), |
813 | }, | |
814 | .errstr = "invalid bpf_context access", | |
bf508877 | 815 | .errstr_unpriv = "", |
d691f9e8 AS |
816 | .result = REJECT, |
817 | .prog_type = BPF_PROG_TYPE_SCHED_ACT, | |
818 | }, | |
819 | { | |
820 | "write skb fields from socket prog", | |
821 | .insns = { | |
822 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
823 | offsetof(struct __sk_buff, cb[4])), | |
824 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), | |
825 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
826 | offsetof(struct __sk_buff, mark)), | |
827 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
828 | offsetof(struct __sk_buff, tc_index)), | |
829 | BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), | |
830 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, | |
831 | offsetof(struct __sk_buff, cb[0])), | |
832 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, | |
833 | offsetof(struct __sk_buff, cb[2])), | |
834 | BPF_EXIT_INSN(), | |
835 | }, | |
836 | .result = ACCEPT, | |
bf508877 AS |
837 | .errstr_unpriv = "R1 leaks addr", |
838 | .result_unpriv = REJECT, | |
d691f9e8 AS |
839 | }, |
840 | { | |
841 | "write skb fields from tc_cls_act prog", | |
842 | .insns = { | |
843 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
844 | offsetof(struct __sk_buff, cb[0])), | |
845 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, | |
846 | offsetof(struct __sk_buff, mark)), | |
847 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, | |
848 | offsetof(struct __sk_buff, tc_index)), | |
849 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, | |
850 | offsetof(struct __sk_buff, tc_index)), | |
851 | BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, | |
852 | offsetof(struct __sk_buff, cb[3])), | |
853 | BPF_EXIT_INSN(), | |
854 | }, | |
bf508877 AS |
855 | .errstr_unpriv = "", |
856 | .result_unpriv = REJECT, | |
d691f9e8 AS |
857 | .result = ACCEPT, |
858 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, | |
859 | }, | |
24b4d2ab AG |
860 | { |
861 | "PTR_TO_STACK store/load", | |
862 | .insns = { | |
863 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
864 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), | |
865 | BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), | |
866 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), | |
867 | BPF_EXIT_INSN(), | |
868 | }, | |
869 | .result = ACCEPT, | |
870 | }, | |
871 | { | |
872 | "PTR_TO_STACK store/load - bad alignment on off", | |
873 | .insns = { | |
874 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
875 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), | |
876 | BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), | |
877 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), | |
878 | BPF_EXIT_INSN(), | |
879 | }, | |
880 | .result = REJECT, | |
881 | .errstr = "misaligned access off -6 size 8", | |
882 | }, | |
883 | { | |
884 | "PTR_TO_STACK store/load - bad alignment on reg", | |
885 | .insns = { | |
886 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
887 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), | |
888 | BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), | |
889 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), | |
890 | BPF_EXIT_INSN(), | |
891 | }, | |
892 | .result = REJECT, | |
893 | .errstr = "misaligned access off -2 size 8", | |
894 | }, | |
895 | { | |
896 | "PTR_TO_STACK store/load - out of bounds low", | |
897 | .insns = { | |
898 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
899 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), | |
900 | BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), | |
901 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), | |
902 | BPF_EXIT_INSN(), | |
903 | }, | |
904 | .result = REJECT, | |
905 | .errstr = "invalid stack off=-79992 size=8", | |
906 | }, | |
907 | { | |
908 | "PTR_TO_STACK store/load - out of bounds high", | |
909 | .insns = { | |
910 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
911 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), | |
912 | BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), | |
913 | BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), | |
914 | BPF_EXIT_INSN(), | |
915 | }, | |
916 | .result = REJECT, | |
917 | .errstr = "invalid stack off=0 size=8", | |
918 | }, | |
bf508877 AS |
919 | { |
920 | "unpriv: return pointer", | |
921 | .insns = { | |
922 | BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), | |
923 | BPF_EXIT_INSN(), | |
924 | }, | |
925 | .result = ACCEPT, | |
926 | .result_unpriv = REJECT, | |
927 | .errstr_unpriv = "R0 leaks addr", | |
928 | }, | |
929 | { | |
930 | "unpriv: add const to pointer", | |
931 | .insns = { | |
932 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), | |
933 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
934 | BPF_EXIT_INSN(), | |
935 | }, | |
936 | .result = ACCEPT, | |
937 | .result_unpriv = REJECT, | |
938 | .errstr_unpriv = "R1 pointer arithmetic", | |
939 | }, | |
940 | { | |
941 | "unpriv: add pointer to pointer", | |
942 | .insns = { | |
943 | BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), | |
944 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
945 | BPF_EXIT_INSN(), | |
946 | }, | |
947 | .result = ACCEPT, | |
948 | .result_unpriv = REJECT, | |
949 | .errstr_unpriv = "R1 pointer arithmetic", | |
950 | }, | |
951 | { | |
952 | "unpriv: neg pointer", | |
953 | .insns = { | |
954 | BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), | |
955 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
956 | BPF_EXIT_INSN(), | |
957 | }, | |
958 | .result = ACCEPT, | |
959 | .result_unpriv = REJECT, | |
960 | .errstr_unpriv = "R1 pointer arithmetic", | |
961 | }, | |
962 | { | |
963 | "unpriv: cmp pointer with const", | |
964 | .insns = { | |
965 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), | |
966 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
967 | BPF_EXIT_INSN(), | |
968 | }, | |
969 | .result = ACCEPT, | |
970 | .result_unpriv = REJECT, | |
971 | .errstr_unpriv = "R1 pointer comparison", | |
972 | }, | |
973 | { | |
974 | "unpriv: cmp pointer with pointer", | |
975 | .insns = { | |
976 | BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), | |
977 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
978 | BPF_EXIT_INSN(), | |
979 | }, | |
980 | .result = ACCEPT, | |
981 | .result_unpriv = REJECT, | |
982 | .errstr_unpriv = "R10 pointer comparison", | |
983 | }, | |
984 | { | |
985 | "unpriv: check that printk is disallowed", | |
986 | .insns = { | |
987 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
988 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
989 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), | |
990 | BPF_MOV64_IMM(BPF_REG_2, 8), | |
991 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), | |
992 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk), | |
993 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
994 | BPF_EXIT_INSN(), | |
995 | }, | |
996 | .errstr_unpriv = "unknown func 6", | |
997 | .result_unpriv = REJECT, | |
998 | .result = ACCEPT, | |
999 | }, | |
1000 | { | |
1001 | "unpriv: pass pointer to helper function", | |
1002 | .insns = { | |
1003 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
1004 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
1005 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
1006 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
1007 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), | |
1008 | BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), | |
1009 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem), | |
1010 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1011 | BPF_EXIT_INSN(), | |
1012 | }, | |
1013 | .fixup = {3}, | |
1014 | .errstr_unpriv = "R4 leaks addr", | |
1015 | .result_unpriv = REJECT, | |
1016 | .result = ACCEPT, | |
1017 | }, | |
1018 | { | |
1019 | "unpriv: indirectly pass pointer on stack to helper function", | |
1020 | .insns = { | |
1021 | BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), | |
1022 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
1023 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
1024 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
1025 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
1026 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1027 | BPF_EXIT_INSN(), | |
1028 | }, | |
1029 | .fixup = {3}, | |
1030 | .errstr = "invalid indirect read from stack off -8+0 size 8", | |
1031 | .result = REJECT, | |
1032 | }, | |
1033 | { | |
1034 | "unpriv: mangle pointer on stack 1", | |
1035 | .insns = { | |
1036 | BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), | |
1037 | BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), | |
1038 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1039 | BPF_EXIT_INSN(), | |
1040 | }, | |
1041 | .errstr_unpriv = "attempt to corrupt spilled", | |
1042 | .result_unpriv = REJECT, | |
1043 | .result = ACCEPT, | |
1044 | }, | |
1045 | { | |
1046 | "unpriv: mangle pointer on stack 2", | |
1047 | .insns = { | |
1048 | BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), | |
1049 | BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), | |
1050 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1051 | BPF_EXIT_INSN(), | |
1052 | }, | |
1053 | .errstr_unpriv = "attempt to corrupt spilled", | |
1054 | .result_unpriv = REJECT, | |
1055 | .result = ACCEPT, | |
1056 | }, | |
1057 | { | |
1058 | "unpriv: read pointer from stack in small chunks", | |
1059 | .insns = { | |
1060 | BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), | |
1061 | BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), | |
1062 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1063 | BPF_EXIT_INSN(), | |
1064 | }, | |
1065 | .errstr = "invalid size", | |
1066 | .result = REJECT, | |
1067 | }, | |
1068 | { | |
1069 | "unpriv: write pointer into ctx", | |
1070 | .insns = { | |
1071 | BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), | |
1072 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1073 | BPF_EXIT_INSN(), | |
1074 | }, | |
1075 | .errstr_unpriv = "R1 leaks addr", | |
1076 | .result_unpriv = REJECT, | |
1077 | .errstr = "invalid bpf_context access", | |
1078 | .result = REJECT, | |
1079 | }, | |
1080 | { | |
1081 | "unpriv: write pointer into map elem value", | |
1082 | .insns = { | |
1083 | BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), | |
1084 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
1085 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
1086 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
1087 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
1088 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), | |
1089 | BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), | |
1090 | BPF_EXIT_INSN(), | |
1091 | }, | |
1092 | .fixup = {3}, | |
1093 | .errstr_unpriv = "R0 leaks addr", | |
1094 | .result_unpriv = REJECT, | |
1095 | .result = ACCEPT, | |
1096 | }, | |
1097 | { | |
1098 | "unpriv: partial copy of pointer", | |
1099 | .insns = { | |
1100 | BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), | |
1101 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1102 | BPF_EXIT_INSN(), | |
1103 | }, | |
1104 | .errstr_unpriv = "R10 partial copy", | |
1105 | .result_unpriv = REJECT, | |
1106 | .result = ACCEPT, | |
1107 | }, | |
1108 | { | |
1109 | "unpriv: pass pointer to tail_call", | |
1110 | .insns = { | |
1111 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), | |
1112 | BPF_LD_MAP_FD(BPF_REG_2, 0), | |
1113 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call), | |
1114 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1115 | BPF_EXIT_INSN(), | |
1116 | }, | |
1117 | .prog_array_fixup = {1}, | |
1118 | .errstr_unpriv = "R3 leaks addr into helper", | |
1119 | .result_unpriv = REJECT, | |
1120 | .result = ACCEPT, | |
1121 | }, | |
1122 | { | |
1123 | "unpriv: cmp map pointer with zero", | |
1124 | .insns = { | |
1125 | BPF_MOV64_IMM(BPF_REG_1, 0), | |
1126 | BPF_LD_MAP_FD(BPF_REG_1, 0), | |
1127 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), | |
1128 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1129 | BPF_EXIT_INSN(), | |
1130 | }, | |
1131 | .fixup = {1}, | |
1132 | .errstr_unpriv = "R1 pointer comparison", | |
1133 | .result_unpriv = REJECT, | |
1134 | .result = ACCEPT, | |
1135 | }, | |
1136 | { | |
1137 | "unpriv: write into frame pointer", | |
1138 | .insns = { | |
1139 | BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), | |
1140 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1141 | BPF_EXIT_INSN(), | |
1142 | }, | |
1143 | .errstr = "frame pointer is read only", | |
1144 | .result = REJECT, | |
1145 | }, | |
1146 | { | |
1147 | "unpriv: cmp of frame pointer", | |
1148 | .insns = { | |
1149 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), | |
1150 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1151 | BPF_EXIT_INSN(), | |
1152 | }, | |
1153 | .errstr_unpriv = "R10 pointer comparison", | |
1154 | .result_unpriv = REJECT, | |
1155 | .result = ACCEPT, | |
1156 | }, | |
1157 | { | |
1158 | "unpriv: cmp of stack pointer", | |
1159 | .insns = { | |
1160 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
1161 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
1162 | BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), | |
1163 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1164 | BPF_EXIT_INSN(), | |
1165 | }, | |
1166 | .errstr_unpriv = "R2 pointer comparison", | |
1167 | .result_unpriv = REJECT, | |
1168 | .result = ACCEPT, | |
1169 | }, | |
1170 | { | |
1171 | "unpriv: obfuscate stack pointer", | |
1172 | .insns = { | |
1173 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), | |
1174 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
1175 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), | |
1176 | BPF_MOV64_IMM(BPF_REG_0, 0), | |
1177 | BPF_EXIT_INSN(), | |
1178 | }, | |
1179 | .errstr_unpriv = "R2 pointer arithmetic", | |
1180 | .result_unpriv = REJECT, | |
1181 | .result = ACCEPT, | |
1182 | }, | |
3c731eba AS |
1183 | }; |
1184 | ||
1185 | static int probe_filter_length(struct bpf_insn *fp) | |
1186 | { | |
1187 | int len = 0; | |
1188 | ||
1189 | for (len = MAX_INSNS - 1; len > 0; --len) | |
1190 | if (fp[len].code != 0 || fp[len].imm != 0) | |
1191 | break; | |
1192 | ||
1193 | return len + 1; | |
1194 | } | |
1195 | ||
1196 | static int create_map(void) | |
1197 | { | |
3c731eba AS |
1198 | int map_fd; |
1199 | ||
bf508877 | 1200 | map_fd = bpf_create_map(BPF_MAP_TYPE_HASH, |
89b97607 | 1201 | sizeof(long long), sizeof(long long), 1024, 0); |
bf508877 | 1202 | if (map_fd < 0) |
3c731eba | 1203 | printf("failed to create map '%s'\n", strerror(errno)); |
bf508877 AS |
1204 | |
1205 | return map_fd; | |
1206 | } | |
1207 | ||
1208 | static int create_prog_array(void) | |
1209 | { | |
1210 | int map_fd; | |
1211 | ||
1212 | map_fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, | |
89b97607 | 1213 | sizeof(int), sizeof(int), 4, 0); |
bf508877 AS |
1214 | if (map_fd < 0) |
1215 | printf("failed to create prog_array '%s'\n", strerror(errno)); | |
3c731eba AS |
1216 | |
1217 | return map_fd; | |
1218 | } | |
1219 | ||
1220 | static int test(void) | |
1221 | { | |
342ded40 | 1222 | int prog_fd, i, pass_cnt = 0, err_cnt = 0; |
bf508877 | 1223 | bool unpriv = geteuid() != 0; |
3c731eba AS |
1224 | |
1225 | for (i = 0; i < ARRAY_SIZE(tests); i++) { | |
1226 | struct bpf_insn *prog = tests[i].insns; | |
d691f9e8 | 1227 | int prog_type = tests[i].prog_type; |
3c731eba AS |
1228 | int prog_len = probe_filter_length(prog); |
1229 | int *fixup = tests[i].fixup; | |
bf508877 AS |
1230 | int *prog_array_fixup = tests[i].prog_array_fixup; |
1231 | int expected_result; | |
1232 | const char *expected_errstr; | |
1233 | int map_fd = -1, prog_array_fd = -1; | |
3c731eba AS |
1234 | |
1235 | if (*fixup) { | |
1236 | map_fd = create_map(); | |
1237 | ||
1238 | do { | |
1239 | prog[*fixup].imm = map_fd; | |
1240 | fixup++; | |
1241 | } while (*fixup); | |
1242 | } | |
bf508877 AS |
1243 | if (*prog_array_fixup) { |
1244 | prog_array_fd = create_prog_array(); | |
1245 | ||
1246 | do { | |
1247 | prog[*prog_array_fixup].imm = prog_array_fd; | |
1248 | prog_array_fixup++; | |
1249 | } while (*prog_array_fixup); | |
1250 | } | |
3c731eba AS |
1251 | printf("#%d %s ", i, tests[i].descr); |
1252 | ||
d691f9e8 AS |
1253 | prog_fd = bpf_prog_load(prog_type ?: BPF_PROG_TYPE_SOCKET_FILTER, |
1254 | prog, prog_len * sizeof(struct bpf_insn), | |
b896c4f9 | 1255 | "GPL", 0); |
3c731eba | 1256 | |
bf508877 AS |
1257 | if (unpriv && tests[i].result_unpriv != UNDEF) |
1258 | expected_result = tests[i].result_unpriv; | |
1259 | else | |
1260 | expected_result = tests[i].result; | |
1261 | ||
1262 | if (unpriv && tests[i].errstr_unpriv) | |
1263 | expected_errstr = tests[i].errstr_unpriv; | |
1264 | else | |
1265 | expected_errstr = tests[i].errstr; | |
1266 | ||
1267 | if (expected_result == ACCEPT) { | |
3c731eba AS |
1268 | if (prog_fd < 0) { |
1269 | printf("FAIL\nfailed to load prog '%s'\n", | |
1270 | strerror(errno)); | |
1271 | printf("%s", bpf_log_buf); | |
342ded40 | 1272 | err_cnt++; |
3c731eba AS |
1273 | goto fail; |
1274 | } | |
1275 | } else { | |
1276 | if (prog_fd >= 0) { | |
1277 | printf("FAIL\nunexpected success to load\n"); | |
1278 | printf("%s", bpf_log_buf); | |
342ded40 | 1279 | err_cnt++; |
3c731eba AS |
1280 | goto fail; |
1281 | } | |
bf508877 | 1282 | if (strstr(bpf_log_buf, expected_errstr) == 0) { |
3c731eba AS |
1283 | printf("FAIL\nunexpected error message: %s", |
1284 | bpf_log_buf); | |
342ded40 | 1285 | err_cnt++; |
3c731eba AS |
1286 | goto fail; |
1287 | } | |
1288 | } | |
1289 | ||
342ded40 | 1290 | pass_cnt++; |
3c731eba AS |
1291 | printf("OK\n"); |
1292 | fail: | |
1293 | if (map_fd >= 0) | |
1294 | close(map_fd); | |
bf508877 AS |
1295 | if (prog_array_fd >= 0) |
1296 | close(prog_array_fd); | |
3c731eba AS |
1297 | close(prog_fd); |
1298 | ||
1299 | } | |
342ded40 | 1300 | printf("Summary: %d PASSED, %d FAILED\n", pass_cnt, err_cnt); |
3c731eba AS |
1301 | |
1302 | return 0; | |
1303 | } | |
1304 | ||
1305 | int main(void) | |
1306 | { | |
bf508877 AS |
1307 | struct rlimit r = {1 << 20, 1 << 20}; |
1308 | ||
1309 | setrlimit(RLIMIT_MEMLOCK, &r); | |
3c731eba AS |
1310 | return test(); |
1311 | } |