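/*
 * Verifier test cases for how a BPF program may use its context pointer
 * (R1 on program entry, per the expected messages below).
 *
 * Each brace-delimited entry initialises one test: a name, the instruction
 * sequence (.insns), the program type to load it as, the expected verdict
 * (.result = ACCEPT or REJECT) and, for rejections, the substring expected
 * in the verifier log (.errstr).  The enclosing array, the instruction
 * macros and the ACCEPT/REJECT constants are defined outside this fragment.
 *
 * The listing was recovered from a rendered page: line-number/marker
 * residue fused into the code has been dropped, code tokens are unchanged.
 */

/*
 * Store-immediate (BPF_ST) through the ctx pointer at the offset of
 * __sk_buff.mark.  Must be rejected: BPF_ST into ctx is not allowed.
 * NOTE(review): the store is BPF_DW wide; the expected message concerns the
 * instruction class, so the width is presumably not what is exercised here.
 */
{
	"context stores via ST",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "BPF_ST stores into R1 ctx is not allowed",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * Same target field, but written with a BPF_STX | BPF_XADD instruction
 * (R0 added into ctx->mark).  Must be rejected as well.
 */
{
	"context stores via XADD",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
		     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * R1 is advanced by (offsetof(data) - offsetof(mark)) and then read at
 * offsetof(mark), so the effective address is the 'data' field.  The load
 * must still be rejected: once ctx has been modified by arithmetic it may
 * not be dereferenced, even when the resulting address is a real field.
 */
{
	"arithmetic ops make PTR_TO_CTX unusable",
	.insns = {
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
		      offsetof(struct __sk_buff, data) -
		      offsetof(struct __sk_buff, mark)),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.errstr = "dereference of modified ctx ptr",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * Baseline for the helper-argument cases: R1 is left untouched and R2 is
 * set to 0 before calling bpf_csum_update.  Must be accepted.
 */
{
	"pass unmodified ctx pointer to helper",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
/*
 * Same call, but R1 has a constant (-612) added first.  A ctx pointer with
 * a non-zero constant offset must not be accepted as a helper argument.
 */
{
	"pass modified ctx pointer to helper, 1",
	.insns = {
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
/*
 * Constant-offset ctx passed to bpf_get_socket_cookie.  No .prog_type is
 * set, so the harness default applies (not visible in this fragment).
 * Rejection is required for both the privileged (.result) and the
 * unprivileged (.result_unpriv) load, with the same message.
 */
{
	"pass modified ctx pointer to helper, 2",
	.insns = {
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result_unpriv = REJECT,
	.result = REJECT,
	.errstr_unpriv = "dereference of modified ctx ptr",
	.errstr = "dereference of modified ctx ptr",
},
/*
 * Variable-offset variant: R3 is loaded from ctx offset 0, masked with 4
 * (so it is either 0 or 4) and added to R1.  The expected message reports
 * exactly that tracked range, var_off=(0x0; 0x4); a ctx pointer whose
 * offset is not a known constant must be rejected as a helper argument.
 */
{
	"pass modified ctx pointer to helper, 3",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
	BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
		     BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "variable ctx access var_off=(0x0; 0x4)",
},
/*
 * "ctx or null" cases.  Per the expected results below,
 * bpf_get_netns_cookie accepts either the unmodified ctx or a literal 0 in
 * R1, and nothing else.
 *
 * Case 1: unmodified ctx -> accepted.
 */
{
	"pass ctx or null check, 1: ctx",
	.insns = {
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = ACCEPT,
},
/* Case 2: R1 = 0 (NULL) -> accepted. */
{
	"pass ctx or null check, 2: null",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = ACCEPT,
},
/*
 * Case 3: R1 = 1.  A non-zero scalar is neither ctx nor NULL and must be
 * rejected as the wrong argument type ("type=inv expected=ctx").
 */
{
	"pass ctx or null check, 3: 1",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 1),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = REJECT,
	.errstr = "R1 type=inv expected=ctx",
},
/*
 * Case 4: ctx with a constant offset.  Allowing NULL must not relax the
 * rule that a modified ctx pointer is rejected.
 */
{
	"pass ctx or null check, 4: ctx - const",
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
/* Case 5: NULL again, with the INET4_CONNECT attach type -> accepted. */
{
	"pass ctx or null check, 5: null (connect)",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_INET4_CONNECT,
	.result = ACCEPT,
},
/*
 * Case 6: NULL passed to bpf_get_netns_cookie from a CGROUP_SOCK program
 * attached at INET4_POST_BIND -> accepted.
 */
{
	"pass ctx or null check, 6: null (bind)",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = ACCEPT,
},
/*
 * Case 7: bpf_get_socket_cookie with the unmodified ctx in the same
 * program/attach type -> accepted.
 */
{
	"pass ctx or null check, 7: ctx (bind)",
	.insns = {
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_socket_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = ACCEPT,
},
/*
 * Case 8: counterpart of case 6 for bpf_get_socket_cookie.  Here NULL must
 * be rejected: the NULL allowance is per helper, and this helper requires
 * a real ctx in this program type.
 */
{
	"pass ctx or null check, 8: null (bind)",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_socket_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = REJECT,
	.errstr = "R1 type=inv expected=ctx",
},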