1 { 2 "unpriv: return pointer", 3 .insns = { 4 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 5 BPF_EXIT_INSN(), 6 }, 7 .result = ACCEPT, 8 .result_unpriv = REJECT, 9 .errstr_unpriv = "R0 leaks addr", 10 .retval = POINTER_VALUE, 11 }, 12 { 13 "unpriv: add const to pointer", 14 .insns = { 15 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 16 BPF_MOV64_IMM(BPF_REG_0, 0), 17 BPF_EXIT_INSN(), 18 }, 19 .result = ACCEPT, 20 }, 21 { 22 "unpriv: add pointer to pointer", 23 .insns = { 24 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 25 BPF_MOV64_IMM(BPF_REG_0, 0), 26 BPF_EXIT_INSN(), 27 }, 28 .result = REJECT, 29 .errstr = "R1 pointer += pointer", 30 }, 31 { 32 "unpriv: neg pointer", 33 .insns = { 34 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 35 BPF_MOV64_IMM(BPF_REG_0, 0), 36 BPF_EXIT_INSN(), 37 }, 38 .result = ACCEPT, 39 .result_unpriv = REJECT, 40 .errstr_unpriv = "R1 pointer arithmetic", 41 }, 42 { 43 "unpriv: cmp pointer with const", 44 .insns = { 45 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 46 BPF_MOV64_IMM(BPF_REG_0, 0), 47 BPF_EXIT_INSN(), 48 }, 49 .result = ACCEPT, 50 .result_unpriv = REJECT, 51 .errstr_unpriv = "R1 pointer comparison", 52 }, 53 { 54 "unpriv: cmp pointer with pointer", 55 .insns = { 56 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 57 BPF_MOV64_IMM(BPF_REG_0, 0), 58 BPF_EXIT_INSN(), 59 }, 60 .result = ACCEPT, 61 .result_unpriv = REJECT, 62 .errstr_unpriv = "R10 pointer comparison", 63 }, 64 { 65 "unpriv: check that printk is disallowed", 66 .insns = { 67 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 68 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 69 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 70 BPF_MOV64_IMM(BPF_REG_2, 8), 71 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 72 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk), 73 BPF_MOV64_IMM(BPF_REG_0, 0), 74 BPF_EXIT_INSN(), 75 }, 76 .errstr_unpriv = "unknown func bpf_trace_printk#6", 77 .result_unpriv = REJECT, 78 .result = ACCEPT, 79 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 80 }, 81 { 82 "unpriv: pass pointer to helper function", 83 .insns = { 84 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 85 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 86 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 87 BPF_LD_MAP_FD(BPF_REG_1, 0), 88 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 89 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 90 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem), 91 BPF_MOV64_IMM(BPF_REG_0, 0), 92 BPF_EXIT_INSN(), 93 }, 94 .fixup_map_hash_8b = { 3 }, 95 .errstr_unpriv = "R4 leaks addr", 96 .result_unpriv = REJECT, 97 .result = ACCEPT, 98 }, 99 { 100 "unpriv: indirectly pass pointer on stack to helper function", 101 .insns = { 102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 105 BPF_LD_MAP_FD(BPF_REG_1, 0), 106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 107 BPF_MOV64_IMM(BPF_REG_0, 0), 108 BPF_EXIT_INSN(), 109 }, 110 .fixup_map_hash_8b = { 3 }, 111 .errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8", 112 .result_unpriv = REJECT, 113 .result = ACCEPT, 114 }, 115 { 116 "unpriv: mangle pointer on stack 1", 117 .insns = { 118 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 119 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 120 BPF_MOV64_IMM(BPF_REG_0, 0), 121 BPF_EXIT_INSN(), 122 }, 123 .errstr_unpriv = "attempt to corrupt spilled", 124 .result_unpriv = REJECT, 125 .result = ACCEPT, 126 }, 127 { 128 "unpriv: mangle pointer on stack 2", 129 .insns = { 130 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 131 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 132 BPF_MOV64_IMM(BPF_REG_0, 0), 133 BPF_EXIT_INSN(), 134 }, 135 .errstr_unpriv = "attempt to corrupt spilled", 136 .result_unpriv = REJECT, 137 .result = ACCEPT, 138 }, 139 { 140 "unpriv: read pointer from stack in small chunks", 141 .insns = { 142 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 144 BPF_MOV64_IMM(BPF_REG_0, 0), 145 BPF_EXIT_INSN(), 146 }, 147 .errstr = "invalid size", 148 .result = REJECT, 149 }, 150 { 151 "unpriv: write pointer into ctx", 152 .insns = { 153 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 154 BPF_MOV64_IMM(BPF_REG_0, 0), 155 BPF_EXIT_INSN(), 156 }, 157 .errstr_unpriv = "R1 leaks addr", 158 .result_unpriv = REJECT, 159 .errstr = "invalid bpf_context access", 160 .result = REJECT, 161 }, 162 { 163 "unpriv: spill/fill of ctx", 164 .insns = { 165 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 167 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 168 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 169 BPF_MOV64_IMM(BPF_REG_0, 0), 170 BPF_EXIT_INSN(), 171 }, 172 .result = ACCEPT, 173 }, 174 { 175 "unpriv: spill/fill of ctx 2", 176 .insns = { 177 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 179 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 180 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc), 182 BPF_MOV64_IMM(BPF_REG_0, 0), 183 BPF_EXIT_INSN(), 184 }, 185 .result = ACCEPT, 186 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 187 }, 188 { 189 "unpriv: spill/fill of ctx 3", 190 .insns = { 191 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 193 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 194 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 195 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc), 197 BPF_EXIT_INSN(), 198 }, 199 .result = REJECT, 200 .errstr = "R1 type=fp expected=ctx", 201 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 202 }, 203 { 204 "unpriv: spill/fill of ctx 4", 205 .insns = { 206 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 208 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 209 BPF_MOV64_IMM(BPF_REG_0, 1), 210 BPF_RAW_INSN(BPF_STX | BPF_ATOMIC | BPF_DW, 211 BPF_REG_10, BPF_REG_0, -8, BPF_ADD), 212 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc), 214 BPF_EXIT_INSN(), 215 }, 216 .result = REJECT, 217 .errstr = "R1 type=scalar expected=ctx", 218 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 219 }, 220 { 221 "unpriv: spill/fill of different pointers stx", 222 .insns = { 223 BPF_MOV64_IMM(BPF_REG_3, 42), 224 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 227 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 229 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 230 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 231 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 232 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 233 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 234 offsetof(struct __sk_buff, mark)), 235 BPF_MOV64_IMM(BPF_REG_0, 0), 236 BPF_EXIT_INSN(), 237 }, 238 .result = REJECT, 239 .errstr = "same insn cannot be used with different pointers", 240 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 241 }, 242 { 243 "unpriv: spill/fill of different pointers stx - ctx and sock", 244 .insns = { 245 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 246 /* struct bpf_sock *sock = bpf_sock_lookup(...); */ 247 BPF_SK_LOOKUP(sk_lookup_tcp), 248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 249 /* u64 foo; */ 250 /* void *target = &foo; */ 251 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 254 /* if (skb == NULL) *target = sock; */ 255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 256 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 257 /* else *target = skb; */ 258 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 260 /* struct __sk_buff *skb = *target; */ 261 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 262 /* skb->mark = 42; */ 263 BPF_MOV64_IMM(BPF_REG_3, 42), 264 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 265 offsetof(struct __sk_buff, mark)), 266 /* if (sk) bpf_sk_release(sk) */ 267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 268 BPF_EMIT_CALL(BPF_FUNC_sk_release), 269 BPF_MOV64_IMM(BPF_REG_0, 0), 270 BPF_EXIT_INSN(), 271 }, 272 .result = REJECT, 273 .errstr = "type=ctx expected=sock", 274 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 275 }, 276 { 277 "unpriv: spill/fill of different pointers stx - leak sock", 278 .insns = { 279 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 280 /* struct bpf_sock *sock = bpf_sock_lookup(...); */ 281 BPF_SK_LOOKUP(sk_lookup_tcp), 282 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 283 /* u64 foo; */ 284 /* void *target = &foo; */ 285 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 287 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 288 /* if (skb == NULL) *target = sock; */ 289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 290 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 291 /* else *target = skb; */ 292 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 293 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 294 /* struct __sk_buff *skb = *target; */ 295 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 296 /* skb->mark = 42; */ 297 BPF_MOV64_IMM(BPF_REG_3, 42), 298 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 299 offsetof(struct __sk_buff, mark)), 300 BPF_EXIT_INSN(), 301 }, 302 .result = REJECT, 303 //.errstr = "same insn cannot be used with different pointers", 304 .errstr = "Unreleased reference", 305 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 306 }, 307 { 308 "unpriv: spill/fill of different pointers stx - sock and ctx (read)", 309 .insns = { 310 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 311 /* struct bpf_sock *sock = bpf_sock_lookup(...); */ 312 BPF_SK_LOOKUP(sk_lookup_tcp), 313 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 314 /* u64 foo; */ 315 /* void *target = &foo; */ 316 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 319 /* if (skb) *target = skb */ 320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 321 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 322 /* else *target = sock */ 323 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 324 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 325 /* struct bpf_sock *sk = *target; */ 326 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 327 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */ 328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 330 offsetof(struct bpf_sock, mark)), 331 BPF_EMIT_CALL(BPF_FUNC_sk_release), 332 BPF_MOV64_IMM(BPF_REG_0, 0), 333 BPF_EXIT_INSN(), 334 }, 335 .result = REJECT, 336 .errstr = "same insn cannot be used with different pointers", 337 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 338 }, 339 { 340 "unpriv: spill/fill of different pointers stx - sock and ctx (write)", 341 .insns = { 342 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 343 /* struct bpf_sock *sock = bpf_sock_lookup(...); */ 344 BPF_SK_LOOKUP(sk_lookup_tcp), 345 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 346 /* u64 foo; */ 347 /* void *target = &foo; */ 348 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 351 /* if (skb) *target = skb */ 352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 353 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 354 /* else *target = sock */ 355 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 356 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 357 /* struct bpf_sock *sk = *target; */ 358 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 359 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */ 360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 361 BPF_MOV64_IMM(BPF_REG_3, 42), 362 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 363 offsetof(struct bpf_sock, mark)), 364 BPF_EMIT_CALL(BPF_FUNC_sk_release), 365 BPF_MOV64_IMM(BPF_REG_0, 0), 366 BPF_EXIT_INSN(), 367 }, 368 .result = REJECT, 369 //.errstr = "same insn cannot be used with different pointers", 370 .errstr = "cannot write into sock", 371 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 372 }, 373 { 374 "unpriv: spill/fill of different pointers ldx", 375 .insns = { 376 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 379 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 381 -(__s32)offsetof(struct bpf_perf_event_data, 382 sample_period) - 8), 383 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 384 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 385 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 386 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 387 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 388 offsetof(struct bpf_perf_event_data, sample_period)), 389 BPF_MOV64_IMM(BPF_REG_0, 0), 390 BPF_EXIT_INSN(), 391 }, 392 .result = REJECT, 393 .errstr = "same insn cannot be used with different pointers", 394 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 395 }, 396 { 397 "unpriv: write pointer into map elem value", 398 .insns = { 399 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 402 BPF_LD_MAP_FD(BPF_REG_1, 0), 403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 405 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 406 BPF_EXIT_INSN(), 407 }, 408 .fixup_map_hash_8b = { 3 }, 409 .errstr_unpriv = "R0 leaks addr", 410 .result_unpriv = REJECT, 411 .result = ACCEPT, 412 }, 413 { 414 "alu32: mov u32 const", 415 .insns = { 416 BPF_MOV32_IMM(BPF_REG_7, 0), 417 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1), 418 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7), 419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 420 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0), 421 BPF_EXIT_INSN(), 422 }, 423 .errstr_unpriv = "R7 invalid mem access 'scalar'", 424 .result_unpriv = REJECT, 425 .result = ACCEPT, 426 .retval = 0, 427 }, 428 { 429 "unpriv: partial copy of pointer", 430 .insns = { 431 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 432 BPF_MOV64_IMM(BPF_REG_0, 0), 433 BPF_EXIT_INSN(), 434 }, 435 .errstr_unpriv = "R10 partial copy", 436 .result_unpriv = REJECT, 437 .result = ACCEPT, 438 }, 439 { 440 "unpriv: pass pointer to tail_call", 441 .insns = { 442 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 443 BPF_LD_MAP_FD(BPF_REG_2, 0), 444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call), 445 BPF_MOV64_IMM(BPF_REG_0, 0), 446 BPF_EXIT_INSN(), 447 }, 448 .fixup_prog1 = { 1 }, 449 .errstr_unpriv = "R3 leaks addr into helper", 450 .result_unpriv = REJECT, 451 .result = ACCEPT, 452 }, 453 { 454 "unpriv: cmp map pointer with zero", 455 .insns = { 456 BPF_MOV64_IMM(BPF_REG_1, 0), 457 BPF_LD_MAP_FD(BPF_REG_1, 0), 458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 459 BPF_MOV64_IMM(BPF_REG_0, 0), 460 BPF_EXIT_INSN(), 461 }, 462 .fixup_map_hash_8b = { 1 }, 463 .errstr_unpriv = "R1 pointer comparison", 464 .result_unpriv = REJECT, 465 .result = ACCEPT, 466 }, 467 { 468 "unpriv: write into frame pointer", 469 .insns = { 470 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 471 BPF_MOV64_IMM(BPF_REG_0, 0), 472 BPF_EXIT_INSN(), 473 }, 474 .errstr = "frame pointer is read only", 475 .result = REJECT, 476 }, 477 { 478 "unpriv: spill/fill frame pointer", 479 .insns = { 480 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 482 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 483 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 484 BPF_MOV64_IMM(BPF_REG_0, 0), 485 BPF_EXIT_INSN(), 486 }, 487 .errstr = "frame pointer is read only", 488 .result = REJECT, 489 }, 490 { 491 "unpriv: cmp of frame pointer", 492 .insns = { 493 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 494 BPF_MOV64_IMM(BPF_REG_0, 0), 495 BPF_EXIT_INSN(), 496 }, 497 .errstr_unpriv = "R10 pointer comparison", 498 .result_unpriv = REJECT, 499 .result = ACCEPT, 500 }, 501 { 502 "unpriv: adding of fp, reg", 503 .insns = { 504 BPF_MOV64_IMM(BPF_REG_0, 0), 505 BPF_MOV64_IMM(BPF_REG_1, 0), 506 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 507 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 508 BPF_EXIT_INSN(), 509 }, 510 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 511 .result_unpriv = REJECT, 512 .result = ACCEPT, 513 }, 514 { 515 "unpriv: adding of fp, imm", 516 .insns = { 517 BPF_MOV64_IMM(BPF_REG_0, 0), 518 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), 520 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 521 BPF_EXIT_INSN(), 522 }, 523 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 524 .result_unpriv = REJECT, 525 .result = ACCEPT, 526 }, 527 { 528 "unpriv: cmp of stack pointer", 529 .insns = { 530 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 533 BPF_MOV64_IMM(BPF_REG_0, 0), 534 BPF_EXIT_INSN(), 535 }, 536 .errstr_unpriv = "R2 pointer comparison", 537 .result_unpriv = REJECT, 538 .result = ACCEPT, 539 }, 540