{
	/* A pointer that is spilled to the stack and filled back keeps its
	 * type, so R2 is still the ctx pointer.  Returning it in R0 is only
	 * acceptable for a privileged loader; an unprivileged load must be
	 * rejected with "R0 leaks addr".
	 */
	"check valid spill/fill",
	.insns = {
	/* *(u64 *)(R10 - 8) = R1 (ctx) */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* R2 = *(u64 *)(R10 - 8) */
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
	/* A ctx access through the filled register would be valid here:
	 * BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8),
	 */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.errstr_unpriv = "R0 leaks addr",
	.retval = POINTER_VALUE,
},
{
	/* Same round trip through the stack, but the filled pointer is
	 * dereferenced (skb->mark) instead of returned, which is fine for
	 * both privileged and unprivileged programs.
	 */
	"check valid spill/fill, skb mark",
	.insns = {
	/* R6 = R1 (ctx) */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	/* *(u64 *)(R10 - 8) = R6 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* R0 = *(u64 *)(R10 - 8) */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* R0 = skb->mark, a plain scalar */
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},
{
	/* The spill/fill round trip must also preserve a pointer to
	 * helper-provided memory (ringbuf reservation): the store through
	 * the filled register and the submit of that same pointer have to
	 * be accepted.
	 */
	"check valid spill/fill, ptr to mem",
	.insns = {
	/* zero the stack slot first */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	/* R1 = ringbuf map (fd patched in via fixup_map_ringbuf) */
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	/* R2 = size, R3 = flags */
	BPF_MOV64_IMM(BPF_REG_2, 8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	/* R0 = bpf_ringbuf_reserve(map, 8, 0) */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	/* R6 = reserved memory (or NULL) */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* NULL reservation: skip the six insns below, straight to R0 = 0 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
	/* *(u64 *)(R10 - 8) = R6 (mem) */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* R7 = *(u64 *)(R10 - 8) */
	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
	/* *(u64 *)R7 = 0 must be allowed on the filled mem pointer */
	BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
	/* bpf_ringbuf_submit(R7, 0) releases the reservation */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	/* R0 = 0 */
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_map_ringbuf = { 1 },
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},
{
	/* Overwriting part of a spilled pointer turns the slot into plain
	 * data.  Unprivileged programs are refused the overwrite itself;
	 * privileged ones may fill the slot, but the result is a scalar and
	 * a dereference of it has to be rejected.
	 */
	"check corrupted spill/fill",
	.insns = {
	/* *(u64 *)(R10 - 8) = R1 (ctx) */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* clobber one byte inside the spilled pointer
	 * (byte store at -7, presumably why the unaligned-access flag
	 * is needed)
	 */
	BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
	/* privileged fill succeeds, but R0 is now SCALAR_VALUE */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* dereferencing a scalar must be rejected */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "R0 invalid mem access 'inv",
	.errstr_unpriv = "attempt to corrupt spilled",
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	/* Partial overwrite at the low end of the slot (2 bytes at -8).
	 * Unprivileged: rejected as corruption of a spilled pointer.
	 * Privileged: accepted; the returned value is checked against
	 * POINTER_VALUE.
	 */
	"check corrupted spill/fill, LSB",
	.insns = {
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.errstr_unpriv = "attempt to corrupt spilled",
	.retval = POINTER_VALUE,
},
{
	/* Partial overwrite at the high end of the slot (4 bytes at -4);
	 * expected outcome is the same as for the LSB variant.
	 */
	"check corrupted spill/fill, MSB",
	.insns = {
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.errstr_unpriv = "attempt to corrupt spilled",
	.retval = POINTER_VALUE,
},