18c2ecf20Sopenharmony_ci{ 28c2ecf20Sopenharmony_ci "subtraction bounds (map value) variant 1", 38c2ecf20Sopenharmony_ci .insns = { 48c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 58c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 68c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 78c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 88c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 98c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 108c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 118c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), 128c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 138c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), 148c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 158c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), 168c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 178c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 188c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 198c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 208c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 218c2ecf20Sopenharmony_ci }, 228c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 238c2ecf20Sopenharmony_ci .errstr = "R0 max value is outside of the allowed memory range", 248c2ecf20Sopenharmony_ci .result = REJECT, 258c2ecf20Sopenharmony_ci}, 268c2ecf20Sopenharmony_ci{ 278c2ecf20Sopenharmony_ci "subtraction bounds (map value) variant 2", 288c2ecf20Sopenharmony_ci .insns = { 298c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 308c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 318c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 328c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 338c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 348c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 358c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 368c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6), 378c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 388c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4), 398c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 408c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 418c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 428c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 438c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 448c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 458c2ecf20Sopenharmony_ci }, 468c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 478c2ecf20Sopenharmony_ci .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 488c2ecf20Sopenharmony_ci .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", 498c2ecf20Sopenharmony_ci .result = REJECT, 508c2ecf20Sopenharmony_ci}, 518c2ecf20Sopenharmony_ci{ 528c2ecf20Sopenharmony_ci "check subtraction on pointers for unpriv", 538c2ecf20Sopenharmony_ci .insns = { 548c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 558c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_ARG1, 0), 568c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), 578c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8), 588c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9), 598c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 608c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP), 618c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0), 628c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_ARG1, 0), 638c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), 648c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8), 658c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0), 668c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 678c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 688c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 698c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0), 708c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 718c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 728c2ecf20Sopenharmony_ci }, 738c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 1, 9 }, 748c2ecf20Sopenharmony_ci .result = ACCEPT, 758c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 768c2ecf20Sopenharmony_ci .errstr_unpriv = "R9 pointer -= pointer prohibited", 778c2ecf20Sopenharmony_ci}, 788c2ecf20Sopenharmony_ci{ 798c2ecf20Sopenharmony_ci "bounds check based on zero-extended MOV", 808c2ecf20Sopenharmony_ci .insns = { 818c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 828c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 838c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 848c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 858c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 868c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 878c2ecf20Sopenharmony_ci /* r2 = 0x0000'0000'ffff'ffff */ 888c2ecf20Sopenharmony_ci BPF_MOV32_IMM(BPF_REG_2, 0xffffffff), 898c2ecf20Sopenharmony_ci /* r2 = 0 */ 908c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 918c2ecf20Sopenharmony_ci /* no-op */ 928c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 938c2ecf20Sopenharmony_ci /* access at offset 0 */ 948c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 958c2ecf20Sopenharmony_ci /* exit */ 968c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 978c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 988c2ecf20Sopenharmony_ci }, 998c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 1008c2ecf20Sopenharmony_ci .result = ACCEPT 1018c2ecf20Sopenharmony_ci}, 1028c2ecf20Sopenharmony_ci{ 1038c2ecf20Sopenharmony_ci "bounds check based on sign-extended MOV. test1", 1048c2ecf20Sopenharmony_ci .insns = { 1058c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1068c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1078c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1088c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 1098c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1108c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 1118c2ecf20Sopenharmony_ci /* r2 = 0xffff'ffff'ffff'ffff */ 1128c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 1138c2ecf20Sopenharmony_ci /* r2 = 0xffff'ffff */ 1148c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 1158c2ecf20Sopenharmony_ci /* r0 = <oob pointer> */ 1168c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 1178c2ecf20Sopenharmony_ci /* access to OOB pointer */ 1188c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 1198c2ecf20Sopenharmony_ci /* exit */ 1208c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 1218c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 1228c2ecf20Sopenharmony_ci }, 1238c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 1248c2ecf20Sopenharmony_ci .errstr = "map_value pointer and 4294967295", 1258c2ecf20Sopenharmony_ci .result = REJECT 1268c2ecf20Sopenharmony_ci}, 1278c2ecf20Sopenharmony_ci{ 1288c2ecf20Sopenharmony_ci "bounds check based on sign-extended MOV. test2", 1298c2ecf20Sopenharmony_ci .insns = { 1308c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1318c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1328c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1338c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 1348c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1358c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 1368c2ecf20Sopenharmony_ci /* r2 = 0xffff'ffff'ffff'ffff */ 1378c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 1388c2ecf20Sopenharmony_ci /* r2 = 0xfff'ffff */ 1398c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36), 1408c2ecf20Sopenharmony_ci /* r0 = <oob pointer> */ 1418c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 1428c2ecf20Sopenharmony_ci /* access to OOB pointer */ 1438c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 1448c2ecf20Sopenharmony_ci /* exit */ 1458c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 1468c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 1478c2ecf20Sopenharmony_ci }, 1488c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 1498c2ecf20Sopenharmony_ci .errstr = "R0 min value is outside of the allowed memory range", 1508c2ecf20Sopenharmony_ci .result = REJECT 1518c2ecf20Sopenharmony_ci}, 1528c2ecf20Sopenharmony_ci{ 1538c2ecf20Sopenharmony_ci "bounds check based on reg_off + var_off + insn_off. test1", 1548c2ecf20Sopenharmony_ci .insns = { 1558c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 1568c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, mark)), 1578c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1588c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1598c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1608c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 1618c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1628c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 1638c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 1648c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1), 1658c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 1668c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 1678c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 1688c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 1698c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 1708c2ecf20Sopenharmony_ci }, 1718c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 4 }, 1728c2ecf20Sopenharmony_ci .errstr = "value_size=8 off=1073741825", 1738c2ecf20Sopenharmony_ci .result = REJECT, 1748c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1758c2ecf20Sopenharmony_ci}, 1768c2ecf20Sopenharmony_ci{ 1778c2ecf20Sopenharmony_ci "bounds check based on reg_off + var_off + insn_off. test2", 1788c2ecf20Sopenharmony_ci .insns = { 1798c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 1808c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, mark)), 1818c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1828c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1838c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1848c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 1858c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 1868c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 1878c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 1888c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1), 1898c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 1908c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 1918c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 1928c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 1938c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 1948c2ecf20Sopenharmony_ci }, 1958c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 4 }, 1968c2ecf20Sopenharmony_ci .errstr = "value 1073741823", 1978c2ecf20Sopenharmony_ci .result = REJECT, 1988c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1998c2ecf20Sopenharmony_ci}, 2008c2ecf20Sopenharmony_ci{ 2018c2ecf20Sopenharmony_ci "bounds check after truncation of non-boundary-crossing range", 2028c2ecf20Sopenharmony_ci .insns = { 2038c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2048c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2058c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2068c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 2078c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 2088c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 2098c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] */ 2108c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 2118c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 1), 2128c2ecf20Sopenharmony_ci /* r2 = 0x10'0000'0000 */ 2138c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36), 2148c2ecf20Sopenharmony_ci /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */ 2158c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 2168c2ecf20Sopenharmony_ci /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */ 2178c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 2188c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] */ 2198c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff), 2208c2ecf20Sopenharmony_ci /* r1 = 0 */ 2218c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 2228c2ecf20Sopenharmony_ci /* no-op */ 2238c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 2248c2ecf20Sopenharmony_ci /* access at offset 0 */ 2258c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 2268c2ecf20Sopenharmony_ci /* exit */ 2278c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 2288c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 2298c2ecf20Sopenharmony_ci }, 2308c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 2318c2ecf20Sopenharmony_ci .result = ACCEPT 2328c2ecf20Sopenharmony_ci}, 2338c2ecf20Sopenharmony_ci{ 2348c2ecf20Sopenharmony_ci "bounds check after truncation of boundary-crossing range (1)", 2358c2ecf20Sopenharmony_ci .insns = { 2368c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2378c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2388c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2398c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 2408c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 2418c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 2428c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] */ 2438c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 2448c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 2458c2ecf20Sopenharmony_ci /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 2468c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 2478c2ecf20Sopenharmony_ci /* r1 = [0xffff'ff80, 0xffff'ffff] or 2488c2ecf20Sopenharmony_ci * [0x0000'0000, 0x0000'007f] 2498c2ecf20Sopenharmony_ci */ 2508c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0), 2518c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 2528c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] or 2538c2ecf20Sopenharmony_ci * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 2548c2ecf20Sopenharmony_ci */ 2558c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 2568c2ecf20Sopenharmony_ci /* error on OOB pointer computation */ 2578c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 2588c2ecf20Sopenharmony_ci /* exit */ 2598c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 2608c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 2618c2ecf20Sopenharmony_ci }, 2628c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 2638c2ecf20Sopenharmony_ci /* not actually fully unbounded, but the bound is very high */ 2648c2ecf20Sopenharmony_ci .errstr = "value -4294967168 makes map_value pointer be out of bounds", 2658c2ecf20Sopenharmony_ci .result = REJECT, 2668c2ecf20Sopenharmony_ci}, 2678c2ecf20Sopenharmony_ci{ 2688c2ecf20Sopenharmony_ci "bounds check after truncation of boundary-crossing range (2)", 2698c2ecf20Sopenharmony_ci .insns = { 2708c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2718c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2728c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2738c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 2748c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 2758c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 2768c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] */ 2778c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 2788c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 2798c2ecf20Sopenharmony_ci /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 2808c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 2818c2ecf20Sopenharmony_ci /* r1 = [0xffff'ff80, 0xffff'ffff] or 2828c2ecf20Sopenharmony_ci * [0x0000'0000, 0x0000'007f] 2838c2ecf20Sopenharmony_ci * difference to previous test: truncation via MOV32 2848c2ecf20Sopenharmony_ci * instead of ALU32. 2858c2ecf20Sopenharmony_ci */ 2868c2ecf20Sopenharmony_ci BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), 2878c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 2888c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] or 2898c2ecf20Sopenharmony_ci * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 2908c2ecf20Sopenharmony_ci */ 2918c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 2928c2ecf20Sopenharmony_ci /* error on OOB pointer computation */ 2938c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 2948c2ecf20Sopenharmony_ci /* exit */ 2958c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 2968c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 2978c2ecf20Sopenharmony_ci }, 2988c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 2998c2ecf20Sopenharmony_ci .errstr = "value -4294967168 makes map_value pointer be out of bounds", 3008c2ecf20Sopenharmony_ci .result = REJECT, 3018c2ecf20Sopenharmony_ci}, 3028c2ecf20Sopenharmony_ci{ 3038c2ecf20Sopenharmony_ci "bounds check after wrapping 32-bit addition", 3048c2ecf20Sopenharmony_ci .insns = { 3058c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3068c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3078c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3088c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 3098c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3108c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 3118c2ecf20Sopenharmony_ci /* r1 = 0x7fff'ffff */ 3128c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff), 3138c2ecf20Sopenharmony_ci /* r1 = 0xffff'fffe */ 3148c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 3158c2ecf20Sopenharmony_ci /* r1 = 0 */ 3168c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2), 3178c2ecf20Sopenharmony_ci /* no-op */ 3188c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3198c2ecf20Sopenharmony_ci /* access at offset 0 */ 3208c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 3218c2ecf20Sopenharmony_ci /* exit */ 3228c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 3238c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 3248c2ecf20Sopenharmony_ci }, 3258c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 3268c2ecf20Sopenharmony_ci .result = ACCEPT 3278c2ecf20Sopenharmony_ci}, 3288c2ecf20Sopenharmony_ci{ 3298c2ecf20Sopenharmony_ci "bounds check after shift with oversized count operand", 3308c2ecf20Sopenharmony_ci .insns = { 3318c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3328c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3338c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3348c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 3358c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3368c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3378c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 32), 3388c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, 1), 3398c2ecf20Sopenharmony_ci /* r1 = (u32)1 << (u32)32 = ? */ 3408c2ecf20Sopenharmony_ci BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2), 3418c2ecf20Sopenharmony_ci /* r1 = [0x0000, 0xffff] */ 3428c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff), 3438c2ecf20Sopenharmony_ci /* computes unknown pointer, potentially OOB */ 3448c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3458c2ecf20Sopenharmony_ci /* potentially OOB access */ 3468c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 3478c2ecf20Sopenharmony_ci /* exit */ 3488c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 3498c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 3508c2ecf20Sopenharmony_ci }, 3518c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 3528c2ecf20Sopenharmony_ci .errstr = "R0 max value is outside of the allowed memory range", 3538c2ecf20Sopenharmony_ci .result = REJECT 3548c2ecf20Sopenharmony_ci}, 3558c2ecf20Sopenharmony_ci{ 3568c2ecf20Sopenharmony_ci "bounds check after right shift of maybe-negative number", 3578c2ecf20Sopenharmony_ci .insns = { 3588c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3598c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3608c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3618c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 3628c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3638c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3648c2ecf20Sopenharmony_ci /* r1 = [0x00, 0xff] */ 3658c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 3668c2ecf20Sopenharmony_ci /* r1 = [-0x01, 0xfe] */ 3678c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1), 3688c2ecf20Sopenharmony_ci /* r1 = 0 or 0xff'ffff'ffff'ffff */ 3698c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 3708c2ecf20Sopenharmony_ci /* r1 = 0 or 0xffff'ffff'ffff */ 3718c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 3728c2ecf20Sopenharmony_ci /* computes unknown pointer, potentially OOB */ 3738c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 3748c2ecf20Sopenharmony_ci /* potentially OOB access */ 3758c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 3768c2ecf20Sopenharmony_ci /* exit */ 3778c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 3788c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 3798c2ecf20Sopenharmony_ci }, 3808c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 3818c2ecf20Sopenharmony_ci .errstr = "R0 unbounded memory access", 3828c2ecf20Sopenharmony_ci .result = REJECT 3838c2ecf20Sopenharmony_ci}, 3848c2ecf20Sopenharmony_ci{ 3858c2ecf20Sopenharmony_ci "bounds check after 32-bit right shift with 64-bit input", 3868c2ecf20Sopenharmony_ci .insns = { 3878c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 3888c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 3898c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 3908c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 3918c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 3928c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 3938c2ecf20Sopenharmony_ci /* r1 = 2 */ 3948c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, 2), 3958c2ecf20Sopenharmony_ci /* r1 = 1<<32 */ 3968c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31), 3978c2ecf20Sopenharmony_ci /* r1 = 0 (NOT 2!) */ 3988c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31), 3998c2ecf20Sopenharmony_ci /* r1 = 0xffff'fffe (NOT 0!) */ 4008c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2), 4018c2ecf20Sopenharmony_ci /* error on computing OOB pointer */ 4028c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4038c2ecf20Sopenharmony_ci /* exit */ 4048c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 4058c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4068c2ecf20Sopenharmony_ci }, 4078c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 4088c2ecf20Sopenharmony_ci .errstr = "math between map_value pointer and 4294967294 is not allowed", 4098c2ecf20Sopenharmony_ci .result = REJECT, 4108c2ecf20Sopenharmony_ci}, 4118c2ecf20Sopenharmony_ci{ 4128c2ecf20Sopenharmony_ci "bounds check map access with off+size signed 32bit overflow. test1", 4138c2ecf20Sopenharmony_ci .insns = { 4148c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4158c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4168c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4178c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 4188c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4198c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 4208c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4218c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe), 4228c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 4238c2ecf20Sopenharmony_ci BPF_JMP_A(0), 4248c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4258c2ecf20Sopenharmony_ci }, 4268c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 4278c2ecf20Sopenharmony_ci .errstr = "map_value pointer and 2147483646", 4288c2ecf20Sopenharmony_ci .result = REJECT 4298c2ecf20Sopenharmony_ci}, 4308c2ecf20Sopenharmony_ci{ 4318c2ecf20Sopenharmony_ci "bounds check map access with off+size signed 32bit overflow. test2", 4328c2ecf20Sopenharmony_ci .insns = { 4338c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4348c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4358c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4368c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 4378c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4388c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 4398c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4408c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 4418c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 4428c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 4438c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 4448c2ecf20Sopenharmony_ci BPF_JMP_A(0), 4458c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4468c2ecf20Sopenharmony_ci }, 4478c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 4488c2ecf20Sopenharmony_ci .errstr = "pointer offset 1073741822", 4498c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 4508c2ecf20Sopenharmony_ci .result = REJECT 4518c2ecf20Sopenharmony_ci}, 4528c2ecf20Sopenharmony_ci{ 4538c2ecf20Sopenharmony_ci "bounds check map access with off+size signed 32bit overflow. test3", 4548c2ecf20Sopenharmony_ci .insns = { 4558c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4568c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4578c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4588c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 4598c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4608c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 4618c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4628c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 4638c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 4648c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 4658c2ecf20Sopenharmony_ci BPF_JMP_A(0), 4668c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4678c2ecf20Sopenharmony_ci }, 4688c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 4698c2ecf20Sopenharmony_ci .errstr = "pointer offset -1073741822", 4708c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", 4718c2ecf20Sopenharmony_ci .result = REJECT 4728c2ecf20Sopenharmony_ci}, 4738c2ecf20Sopenharmony_ci{ 4748c2ecf20Sopenharmony_ci "bounds check map access with off+size signed 32bit overflow. test4", 4758c2ecf20Sopenharmony_ci .insns = { 4768c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4778c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4788c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4798c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 4808c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4818c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 4828c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4838c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, 1000000), 4848c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000), 4858c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4868c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 4878c2ecf20Sopenharmony_ci BPF_JMP_A(0), 4888c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 4898c2ecf20Sopenharmony_ci }, 4908c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 4918c2ecf20Sopenharmony_ci .errstr = "map_value pointer and 1000000000000", 4928c2ecf20Sopenharmony_ci .result = REJECT 4938c2ecf20Sopenharmony_ci}, 4948c2ecf20Sopenharmony_ci{ 4958c2ecf20Sopenharmony_ci "bounds check mixed 32bit and 64bit arithmetic. test1", 4968c2ecf20Sopenharmony_ci .insns = { 4978c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 4988c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, -1), 4998c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), 5008c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 5018c2ecf20Sopenharmony_ci /* r1 = 0xffffFFFF00000001 */ 5028c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 1, 3), 5038c2ecf20Sopenharmony_ci /* check ALU64 op keeps 32bit bounds */ 5048c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 5058c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 2, 1), 5068c2ecf20Sopenharmony_ci BPF_JMP_A(1), 5078c2ecf20Sopenharmony_ci /* invalid ldx if bounds are lost above */ 5088c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), 5098c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5108c2ecf20Sopenharmony_ci }, 5118c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 invalid mem access 'inv'", 5128c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 5138c2ecf20Sopenharmony_ci .result = ACCEPT 5148c2ecf20Sopenharmony_ci}, 5158c2ecf20Sopenharmony_ci{ 5168c2ecf20Sopenharmony_ci "bounds check mixed 32bit and 64bit arithmetic. test2", 5178c2ecf20Sopenharmony_ci .insns = { 5188c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 5198c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, -1), 5208c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), 5218c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 5228c2ecf20Sopenharmony_ci /* r1 = 0xffffFFFF00000001 */ 5238c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 3), 5248c2ecf20Sopenharmony_ci /* r1 = 0x2 */ 5258c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 5268c2ecf20Sopenharmony_ci /* check ALU32 op zero extends 64bit bounds */ 5278c2ecf20Sopenharmony_ci BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 1), 5288c2ecf20Sopenharmony_ci BPF_JMP_A(1), 5298c2ecf20Sopenharmony_ci /* invalid ldx if bounds are lost above */ 5308c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), 5318c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5328c2ecf20Sopenharmony_ci }, 5338c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 invalid mem access 'inv'", 5348c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 5358c2ecf20Sopenharmony_ci .result = ACCEPT 5368c2ecf20Sopenharmony_ci}, 5378c2ecf20Sopenharmony_ci{ 5388c2ecf20Sopenharmony_ci "assigning 32bit bounds to 64bit for wA = 0, wB = wA", 5398c2ecf20Sopenharmony_ci .insns = { 5408c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, 5418c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, data_end)), 5428c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 5438c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, data)), 5448c2ecf20Sopenharmony_ci BPF_MOV32_IMM(BPF_REG_9, 0), 5458c2ecf20Sopenharmony_ci BPF_MOV32_REG(BPF_REG_2, BPF_REG_9), 5468c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 5478c2ecf20Sopenharmony_ci BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_2), 5488c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 5498c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), 5508c2ecf20Sopenharmony_ci BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_8, 1), 5518c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_6, 0), 5528c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 5538c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5548c2ecf20Sopenharmony_ci }, 5558c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 5568c2ecf20Sopenharmony_ci .result = ACCEPT, 5578c2ecf20Sopenharmony_ci .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 5588c2ecf20Sopenharmony_ci}, 5598c2ecf20Sopenharmony_ci{ 5608c2ecf20Sopenharmony_ci "bounds check for reg = 0, reg xor 1", 5618c2ecf20Sopenharmony_ci .insns = { 5628c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5638c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5648c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5658c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 5668c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 5678c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 5688c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5698c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, 0), 5708c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_XOR, BPF_REG_1, 1), 5718c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 5728c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 5738c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 5748c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5758c2ecf20Sopenharmony_ci }, 5768c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 min value is outside of the allowed memory range", 5778c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 5788c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 5798c2ecf20Sopenharmony_ci .result = ACCEPT, 5808c2ecf20Sopenharmony_ci}, 5818c2ecf20Sopenharmony_ci{ 5828c2ecf20Sopenharmony_ci "bounds check for reg32 = 0, reg32 xor 1", 5838c2ecf20Sopenharmony_ci .insns = { 5848c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5858c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5868c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5878c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 5888c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 5898c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 5908c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5918c2ecf20Sopenharmony_ci BPF_MOV32_IMM(BPF_REG_1, 0), 5928c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_XOR, BPF_REG_1, 1), 5938c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JNE, BPF_REG_1, 0, 1), 5948c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 5958c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 5968c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 5978c2ecf20Sopenharmony_ci }, 5988c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 min value is outside of the allowed memory range", 5998c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 6008c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 6018c2ecf20Sopenharmony_ci .result = ACCEPT, 6028c2ecf20Sopenharmony_ci}, 6038c2ecf20Sopenharmony_ci{ 6048c2ecf20Sopenharmony_ci "bounds check for reg = 2, reg xor 3", 6058c2ecf20Sopenharmony_ci .insns = { 6068c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6078c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6088c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6098c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 6108c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 6118c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 6128c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6138c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_1, 2), 6148c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_XOR, BPF_REG_1, 3), 6158c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0, 1), 6168c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 6178c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 6188c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6198c2ecf20Sopenharmony_ci }, 6208c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 min value is outside of the allowed memory range", 6218c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 6228c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 6238c2ecf20Sopenharmony_ci .result = ACCEPT, 6248c2ecf20Sopenharmony_ci}, 6258c2ecf20Sopenharmony_ci{ 6268c2ecf20Sopenharmony_ci "bounds check for reg = any, reg xor 3", 6278c2ecf20Sopenharmony_ci .insns = { 6288c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6298c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6308c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6318c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 6328c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 6338c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 6348c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6358c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6368c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_XOR, BPF_REG_1, 3), 6378c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 6388c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 6398c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 6408c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6418c2ecf20Sopenharmony_ci }, 6428c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 6438c2ecf20Sopenharmony_ci .result = REJECT, 6448c2ecf20Sopenharmony_ci .errstr = "invalid access to map value", 6458c2ecf20Sopenharmony_ci .errstr_unpriv = "invalid access to map value", 6468c2ecf20Sopenharmony_ci}, 6478c2ecf20Sopenharmony_ci{ 6488c2ecf20Sopenharmony_ci "bounds check for reg32 = any, reg32 xor 3", 6498c2ecf20Sopenharmony_ci .insns = { 6508c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6518c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6528c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6538c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 6548c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 6558c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 6568c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6578c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6588c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_XOR, BPF_REG_1, 3), 6598c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JNE, BPF_REG_1, 0, 1), 6608c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 6618c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 6628c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6638c2ecf20Sopenharmony_ci }, 6648c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 6658c2ecf20Sopenharmony_ci .result = REJECT, 6668c2ecf20Sopenharmony_ci .errstr = "invalid access to map value", 6678c2ecf20Sopenharmony_ci .errstr_unpriv = "invalid access to map value", 6688c2ecf20Sopenharmony_ci}, 6698c2ecf20Sopenharmony_ci{ 6708c2ecf20Sopenharmony_ci "bounds check for reg > 0, reg xor 3", 6718c2ecf20Sopenharmony_ci .insns = { 6728c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6738c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6748c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6758c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 6768c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 6778c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 6788c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6798c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6808c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JLE, BPF_REG_1, 0, 3), 6818c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_XOR, BPF_REG_1, 3), 6828c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 1), 6838c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 6848c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 6858c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6868c2ecf20Sopenharmony_ci }, 6878c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 min value is outside of the allowed memory range", 6888c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 6898c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 6908c2ecf20Sopenharmony_ci .result = ACCEPT, 6918c2ecf20Sopenharmony_ci}, 6928c2ecf20Sopenharmony_ci{ 6938c2ecf20Sopenharmony_ci "bounds check for reg32 > 0, reg32 xor 3", 6948c2ecf20Sopenharmony_ci .insns = { 6958c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6968c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6978c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6988c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 6998c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 7008c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7018c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7028c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 7038c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JLE, BPF_REG_1, 0, 3), 7048c2ecf20Sopenharmony_ci BPF_ALU32_IMM(BPF_XOR, BPF_REG_1, 3), 7058c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JGE, BPF_REG_1, 0, 1), 7068c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8), 7078c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 7088c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7098c2ecf20Sopenharmony_ci }, 7108c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 min value is outside of the allowed memory range", 7118c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 7128c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 7138c2ecf20Sopenharmony_ci .result = ACCEPT, 7148c2ecf20Sopenharmony_ci}, 7158c2ecf20Sopenharmony_ci{ 7168c2ecf20Sopenharmony_ci "bounds checks after 32-bit truncation. test 1", 7178c2ecf20Sopenharmony_ci .insns = { 7188c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7198c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7208c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7218c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 7228c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 7238c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7248c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 7258c2ecf20Sopenharmony_ci /* This used to reduce the max bound to 0x7fffffff */ 7268c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 7278c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0x7fffffff, 1), 7288c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 7298c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7308c2ecf20Sopenharmony_ci }, 7318c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 7328c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 leaks addr", 7338c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 7348c2ecf20Sopenharmony_ci .result = ACCEPT, 7358c2ecf20Sopenharmony_ci}, 7368c2ecf20Sopenharmony_ci{ 7378c2ecf20Sopenharmony_ci "bounds checks after 32-bit truncation. test 2", 7388c2ecf20Sopenharmony_ci .insns = { 7398c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7408c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7418c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7428c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 7438c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 7448c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7458c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 7468c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JSLT, BPF_REG_1, 1, 1), 7478c2ecf20Sopenharmony_ci BPF_JMP32_IMM(BPF_JSLT, BPF_REG_1, 0, 1), 7488c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 7498c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7508c2ecf20Sopenharmony_ci }, 7518c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 3 }, 7528c2ecf20Sopenharmony_ci .errstr_unpriv = "R0 leaks addr", 7538c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 7548c2ecf20Sopenharmony_ci .result = ACCEPT, 7558c2ecf20Sopenharmony_ci}, 756