1{ 2 "PTR_TO_STACK store/load", 3 .insns = { 4 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 6 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 7 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 8 BPF_EXIT_INSN(), 9 }, 10 .result = ACCEPT, 11 .retval = 0xfaceb00c, 12}, 13{ 14 "PTR_TO_STACK store/load - bad alignment on off", 15 .insns = { 16 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 17 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 18 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 19 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 20 BPF_EXIT_INSN(), 21 }, 22 .result = REJECT, 23 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8", 24}, 25{ 26 "PTR_TO_STACK store/load - bad alignment on reg", 27 .insns = { 28 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 29 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 30 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 31 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 32 BPF_EXIT_INSN(), 33 }, 34 .result = REJECT, 35 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8", 36}, 37{ 38 "PTR_TO_STACK store/load - out of bounds low", 39 .insns = { 40 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 41 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 42 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 43 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 44 BPF_EXIT_INSN(), 45 }, 46 .result = REJECT, 47 .errstr = "invalid write to stack R1 off=-79992 size=8", 48 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 49}, 50{ 51 "PTR_TO_STACK store/load - out of bounds high", 52 .insns = { 53 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 54 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 55 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 56 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 57 BPF_EXIT_INSN(), 58 }, 59 .result = REJECT, 60 .errstr = "invalid write to stack R1 off=0 size=8", 61}, 62{ 63 "PTR_TO_STACK check high 1", 64 .insns = { 65 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 66 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 67 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 68 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 69 BPF_EXIT_INSN(), 70 }, 71 .result = ACCEPT, 72 .retval = 42, 73}, 74{ 75 "PTR_TO_STACK check high 2", 76 .insns = { 77 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 78 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42), 79 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1), 80 BPF_EXIT_INSN(), 81 }, 82 .result = ACCEPT, 83 .retval = 42, 84}, 85{ 86 "PTR_TO_STACK check high 3", 87 .insns = { 88 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 89 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), 90 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42), 91 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1), 92 BPF_EXIT_INSN(), 93 }, 94 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 95 .result_unpriv = REJECT, 96 .result = ACCEPT, 97 .retval = 42, 98}, 99{ 100 "PTR_TO_STACK check high 4", 101 .insns = { 102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), 104 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 106 BPF_EXIT_INSN(), 107 }, 108 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 109 .errstr = "invalid write to stack R1 off=0 size=1", 110 .result = REJECT, 111}, 112{ 113 "PTR_TO_STACK check high 5", 114 .insns = { 115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 117 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 119 BPF_EXIT_INSN(), 120 }, 121 .result = REJECT, 122 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 123 .errstr = "invalid write to stack R1", 124}, 125{ 126 "PTR_TO_STACK check high 6", 127 .insns = { 128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 130 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42), 131 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX), 132 BPF_EXIT_INSN(), 133 }, 134 .result = REJECT, 135 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 136 .errstr = "invalid write to stack", 137}, 138{ 139 "PTR_TO_STACK check high 7", 140 .insns = { 141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1), 144 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42), 145 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX), 146 BPF_EXIT_INSN(), 147 }, 148 .result = REJECT, 149 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 150 .errstr = "fp pointer offset", 151}, 152{ 153 "PTR_TO_STACK check low 1", 154 .insns = { 155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512), 157 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 158 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 159 BPF_EXIT_INSN(), 160 }, 161 .result = ACCEPT, 162 .retval = 42, 163}, 164{ 165 "PTR_TO_STACK check low 2", 166 .insns = { 167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513), 169 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42), 170 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1), 171 BPF_EXIT_INSN(), 172 }, 173 .result_unpriv = REJECT, 174 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 175 .result = ACCEPT, 176 .retval = 42, 177}, 178{ 179 "PTR_TO_STACK check low 3", 180 .insns = { 181 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513), 183 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 185 BPF_EXIT_INSN(), 186 }, 187 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 188 .errstr = "invalid write to stack R1 off=-513 size=1", 189 .result = REJECT, 190}, 191{ 192 "PTR_TO_STACK check low 4", 193 .insns = { 194 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN), 196 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 197 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 198 BPF_EXIT_INSN(), 199 }, 200 .result = REJECT, 201 .errstr = "math between fp pointer", 202}, 203{ 204 "PTR_TO_STACK check low 5", 205 .insns = { 206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 208 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 209 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 210 BPF_EXIT_INSN(), 211 }, 212 .result = REJECT, 213 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 214 .errstr = "invalid write to stack", 215}, 216{ 217 "PTR_TO_STACK check low 6", 218 .insns = { 219 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 221 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42), 222 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN), 223 BPF_EXIT_INSN(), 224 }, 225 .result = REJECT, 226 .errstr = "invalid write to stack", 227 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 228}, 229{ 230 "PTR_TO_STACK check low 7", 231 .insns = { 232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)), 235 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42), 236 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN), 237 BPF_EXIT_INSN(), 238 }, 239 .result = REJECT, 240 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", 241 .errstr = "fp pointer offset", 242}, 243{ 244 "PTR_TO_STACK mixed reg/k, 1", 245 .insns = { 246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3), 248 BPF_MOV64_IMM(BPF_REG_2, -3), 249 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 250 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 251 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 252 BPF_EXIT_INSN(), 253 }, 254 .result = ACCEPT, 255 .retval = 42, 256}, 257{ 258 "PTR_TO_STACK mixed reg/k, 2", 259 .insns = { 260 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 261 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0), 262 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3), 264 BPF_MOV64_IMM(BPF_REG_2, -3), 265 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 266 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 267 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10), 268 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6), 269 BPF_EXIT_INSN(), 270 }, 271 .result = ACCEPT, 272 .retval = 42, 273}, 274{ 275 "PTR_TO_STACK mixed reg/k, 3", 276 .insns = { 277 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3), 279 BPF_MOV64_IMM(BPF_REG_2, -3), 280 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 281 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 282 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 283 BPF_EXIT_INSN(), 284 }, 285 .result = ACCEPT, 286 .retval = -3, 287}, 288{ 289 "PTR_TO_STACK reg", 290 .insns = { 291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 292 BPF_MOV64_IMM(BPF_REG_2, -3), 293 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 294 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42), 295 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0), 296 BPF_EXIT_INSN(), 297 }, 298 .result = ACCEPT, 299 .retval = 42, 300}, 301{ 302 "stack pointer arithmetic", 303 .insns = { 304 BPF_MOV64_IMM(BPF_REG_1, 4), 305 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 306 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 310 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 311 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 314 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 315 BPF_MOV64_IMM(BPF_REG_0, 0), 316 BPF_EXIT_INSN(), 317 }, 318 .result = ACCEPT, 319}, 320{ 321 "store PTR_TO_STACK in R10 to array map using BPF_B", 322 .insns = { 323 /* Load pointer to map. */ 324 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 326 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 327 BPF_LD_MAP_FD(BPF_REG_1, 0), 328 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 329 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 330 BPF_MOV64_IMM(BPF_REG_0, 2), 331 BPF_EXIT_INSN(), 332 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 333 /* Copy R10 to R9. */ 334 BPF_MOV64_REG(BPF_REG_9, BPF_REG_10), 335 /* Pollute other registers with unaligned values. */ 336 BPF_MOV64_IMM(BPF_REG_2, -1), 337 BPF_MOV64_IMM(BPF_REG_3, -1), 338 BPF_MOV64_IMM(BPF_REG_4, -1), 339 BPF_MOV64_IMM(BPF_REG_5, -1), 340 BPF_MOV64_IMM(BPF_REG_6, -1), 341 BPF_MOV64_IMM(BPF_REG_7, -1), 342 BPF_MOV64_IMM(BPF_REG_8, -1), 343 /* Store both R9 and R10 with BPF_B and read back. */ 344 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_10, 0), 345 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_1, 0), 346 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_9, 0), 347 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_1, 0), 348 /* Should read back as same value. */ 349 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_3, 2), 350 BPF_MOV64_IMM(BPF_REG_0, 1), 351 BPF_EXIT_INSN(), 352 BPF_MOV64_IMM(BPF_REG_0, 42), 353 BPF_EXIT_INSN(), 354 }, 355 .fixup_map_array_48b = { 3 }, 356 .result = ACCEPT, 357 .retval = 42, 358 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 359}, 360