2 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
4 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6 BPF_MOV64_IMM(BPF_REG_0, 0),
7 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
9 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
10 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
11 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
12 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
13 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
14 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
15 BPF_MOV64_IMM(BPF_REG_2, 16),
16 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
17 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
18 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
19 BPF_MOV64_IMM(BPF_REG_4, 0),
20 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
21 BPF_MOV64_IMM(BPF_REG_3, 0),
22 BPF_EMIT_CALL(BPF_FUNC_probe_read),
23 BPF_MOV64_IMM(BPF_REG_0, 0),
27 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
30 "helper access to variable memory: stack, bitwise AND, zero included",
32 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
33 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
34 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
35 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
36 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
37 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
38 BPF_MOV64_IMM(BPF_REG_3, 0),
39 BPF_EMIT_CALL(BPF_FUNC_probe_read),
42 .errstr = "invalid indirect read from stack off -64+0 size 64",
44 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
47 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
49 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
50 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
52 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
53 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
54 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
55 BPF_MOV64_IMM(BPF_REG_4, 0),
56 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
57 BPF_MOV64_IMM(BPF_REG_3, 0),
58 BPF_EMIT_CALL(BPF_FUNC_probe_read),
59 BPF_MOV64_IMM(BPF_REG_0, 0),
62 .errstr = "invalid stack type R1 off=-64 access_size=65",
64 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
67 "helper access to variable memory: stack, JMP, correct bounds",
69 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
70 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
71 BPF_MOV64_IMM(BPF_REG_0, 0),
72 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
73 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
74 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
75 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
76 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
77 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
78 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
79 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
80 BPF_MOV64_IMM(BPF_REG_2, 16),
81 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
82 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
83 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
84 BPF_MOV64_IMM(BPF_REG_4, 0),
85 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
86 BPF_MOV64_IMM(BPF_REG_3, 0),
87 BPF_EMIT_CALL(BPF_FUNC_probe_read),
88 BPF_MOV64_IMM(BPF_REG_0, 0),
92 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
95 "helper access to variable memory: stack, JMP (signed), correct bounds",
97 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
98 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
99 BPF_MOV64_IMM(BPF_REG_0, 0),
100 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
101 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
103 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
104 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
105 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
106 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
107 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
108 BPF_MOV64_IMM(BPF_REG_2, 16),
109 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
110 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
111 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
112 BPF_MOV64_IMM(BPF_REG_4, 0),
113 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
114 BPF_MOV64_IMM(BPF_REG_3, 0),
115 BPF_EMIT_CALL(BPF_FUNC_probe_read),
116 BPF_MOV64_IMM(BPF_REG_0, 0),
120 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
123 "helper access to variable memory: stack, JMP, bounds + offset",
125 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
128 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
129 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
130 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
131 BPF_MOV64_IMM(BPF_REG_4, 0),
132 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
134 BPF_MOV64_IMM(BPF_REG_3, 0),
135 BPF_EMIT_CALL(BPF_FUNC_probe_read),
136 BPF_MOV64_IMM(BPF_REG_0, 0),
139 .errstr = "invalid stack type R1 off=-64 access_size=65",
141 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
144 "helper access to variable memory: stack, JMP, wrong max",
146 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
149 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
150 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
151 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
152 BPF_MOV64_IMM(BPF_REG_4, 0),
153 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
154 BPF_MOV64_IMM(BPF_REG_3, 0),
155 BPF_EMIT_CALL(BPF_FUNC_probe_read),
156 BPF_MOV64_IMM(BPF_REG_0, 0),
159 .errstr = "invalid stack type R1 off=-64 access_size=65",
161 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
164 "helper access to variable memory: stack, JMP, no max check",
166 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
169 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
170 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
171 BPF_MOV64_IMM(BPF_REG_4, 0),
172 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
173 BPF_MOV64_IMM(BPF_REG_3, 0),
174 BPF_EMIT_CALL(BPF_FUNC_probe_read),
175 BPF_MOV64_IMM(BPF_REG_0, 0),
178 /* because max wasn't checked, signed min is negative */
179 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
181 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
184 "helper access to variable memory: stack, JMP, no min check",
186 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
189 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
190 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
191 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
192 BPF_MOV64_IMM(BPF_REG_3, 0),
193 BPF_EMIT_CALL(BPF_FUNC_probe_read),
194 BPF_MOV64_IMM(BPF_REG_0, 0),
197 .errstr = "invalid indirect read from stack off -64+0 size 64",
199 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
202 "helper access to variable memory: stack, JMP (signed), no min check",
204 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
207 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
208 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
209 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
210 BPF_MOV64_IMM(BPF_REG_3, 0),
211 BPF_EMIT_CALL(BPF_FUNC_probe_read),
212 BPF_MOV64_IMM(BPF_REG_0, 0),
215 .errstr = "R2 min value is negative",
217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
220 "helper access to variable memory: map, JMP, correct bounds",
222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
225 BPF_LD_MAP_FD(BPF_REG_1, 0),
226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
229 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
230 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
231 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
232 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val), 4),
233 BPF_MOV64_IMM(BPF_REG_4, 0),
234 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
235 BPF_MOV64_IMM(BPF_REG_3, 0),
236 BPF_EMIT_CALL(BPF_FUNC_probe_read),
237 BPF_MOV64_IMM(BPF_REG_0, 0),
240 .fixup_map_hash_48b = { 3 },
242 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
245 "helper access to variable memory: map, JMP, wrong max",
247 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
251 BPF_LD_MAP_FD(BPF_REG_1, 0),
252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
256 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
257 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
258 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) + 1, 4),
259 BPF_MOV64_IMM(BPF_REG_4, 0),
260 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
261 BPF_MOV64_IMM(BPF_REG_3, 0),
262 BPF_EMIT_CALL(BPF_FUNC_probe_read),
263 BPF_MOV64_IMM(BPF_REG_0, 0),
266 .fixup_map_hash_48b = { 4 },
267 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
269 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
272 "helper access to variable memory: map adjusted, JMP, correct bounds",
274 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
275 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
276 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
277 BPF_LD_MAP_FD(BPF_REG_1, 0),
278 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
282 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
284 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
285 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 20, 4),
286 BPF_MOV64_IMM(BPF_REG_4, 0),
287 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
288 BPF_MOV64_IMM(BPF_REG_3, 0),
289 BPF_EMIT_CALL(BPF_FUNC_probe_read),
290 BPF_MOV64_IMM(BPF_REG_0, 0),
293 .fixup_map_hash_48b = { 3 },
295 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
298 "helper access to variable memory: map adjusted, JMP, wrong max",
300 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
301 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
303 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
304 BPF_LD_MAP_FD(BPF_REG_1, 0),
305 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
306 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_6),
310 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
311 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
312 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, sizeof(struct test_val) - 19, 4),
313 BPF_MOV64_IMM(BPF_REG_4, 0),
314 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
315 BPF_MOV64_IMM(BPF_REG_3, 0),
316 BPF_EMIT_CALL(BPF_FUNC_probe_read),
317 BPF_MOV64_IMM(BPF_REG_0, 0),
320 .fixup_map_hash_48b = { 4 },
321 .errstr = "R1 min value is outside of the array range",
323 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
326 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
328 BPF_MOV64_IMM(BPF_REG_1, 0),
329 BPF_MOV64_IMM(BPF_REG_2, 0),
330 BPF_MOV64_IMM(BPF_REG_3, 0),
331 BPF_MOV64_IMM(BPF_REG_4, 0),
332 BPF_MOV64_IMM(BPF_REG_5, 0),
333 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
340 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
342 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
343 BPF_MOV64_IMM(BPF_REG_1, 0),
344 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
346 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
347 BPF_MOV64_IMM(BPF_REG_3, 0),
348 BPF_MOV64_IMM(BPF_REG_4, 0),
349 BPF_MOV64_IMM(BPF_REG_5, 0),
350 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
353 .errstr = "R1 type=inv expected=fp",
355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
358 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
362 BPF_MOV64_IMM(BPF_REG_2, 0),
363 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
364 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
365 BPF_MOV64_IMM(BPF_REG_3, 0),
366 BPF_MOV64_IMM(BPF_REG_4, 0),
367 BPF_MOV64_IMM(BPF_REG_5, 0),
368 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
372 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
375 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
377 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
378 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
380 BPF_LD_MAP_FD(BPF_REG_1, 0),
381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
382 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
384 BPF_MOV64_IMM(BPF_REG_2, 0),
385 BPF_MOV64_IMM(BPF_REG_3, 0),
386 BPF_MOV64_IMM(BPF_REG_4, 0),
387 BPF_MOV64_IMM(BPF_REG_5, 0),
388 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
391 .fixup_map_hash_8b = { 3 },
393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
396 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
401 BPF_LD_MAP_FD(BPF_REG_1, 0),
402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
404 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
405 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
408 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
409 BPF_MOV64_IMM(BPF_REG_3, 0),
410 BPF_MOV64_IMM(BPF_REG_4, 0),
411 BPF_MOV64_IMM(BPF_REG_5, 0),
412 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
415 .fixup_map_hash_8b = { 3 },
417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
420 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
425 BPF_LD_MAP_FD(BPF_REG_1, 0),
426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
429 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
430 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
431 BPF_MOV64_IMM(BPF_REG_3, 0),
432 BPF_MOV64_IMM(BPF_REG_4, 0),
433 BPF_MOV64_IMM(BPF_REG_5, 0),
434 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
437 .fixup_map_hash_8b = { 3 },
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
442 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
444 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
445 offsetof(struct __sk_buff, data)),
446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
447 offsetof(struct __sk_buff, data_end)),
448 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
450 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
452 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
453 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
454 BPF_MOV64_IMM(BPF_REG_3, 0),
455 BPF_MOV64_IMM(BPF_REG_4, 0),
456 BPF_MOV64_IMM(BPF_REG_5, 0),
457 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
462 .retval = 0 /* csum_diff of 64-byte packet */,
463 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
466 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
468 BPF_MOV64_IMM(BPF_REG_1, 0),
469 BPF_MOV64_IMM(BPF_REG_2, 0),
470 BPF_MOV64_IMM(BPF_REG_3, 0),
471 BPF_EMIT_CALL(BPF_FUNC_probe_read),
474 .errstr = "R1 type=inv expected=fp",
476 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
479 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
481 BPF_MOV64_IMM(BPF_REG_1, 0),
482 BPF_MOV64_IMM(BPF_REG_2, 1),
483 BPF_MOV64_IMM(BPF_REG_3, 0),
484 BPF_EMIT_CALL(BPF_FUNC_probe_read),
487 .errstr = "R1 type=inv expected=fp",
489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
492 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
496 BPF_MOV64_IMM(BPF_REG_2, 0),
497 BPF_MOV64_IMM(BPF_REG_3, 0),
498 BPF_EMIT_CALL(BPF_FUNC_probe_read),
502 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
505 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
507 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
508 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
510 BPF_LD_MAP_FD(BPF_REG_1, 0),
511 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
514 BPF_MOV64_IMM(BPF_REG_2, 0),
515 BPF_MOV64_IMM(BPF_REG_3, 0),
516 BPF_EMIT_CALL(BPF_FUNC_probe_read),
519 .fixup_map_hash_8b = { 3 },
521 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
524 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
526 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
529 BPF_LD_MAP_FD(BPF_REG_1, 0),
530 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
531 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
532 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
533 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
536 BPF_MOV64_IMM(BPF_REG_3, 0),
537 BPF_EMIT_CALL(BPF_FUNC_probe_read),
540 .fixup_map_hash_8b = { 3 },
542 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
545 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
550 BPF_LD_MAP_FD(BPF_REG_1, 0),
551 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
553 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
554 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
555 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
556 BPF_MOV64_IMM(BPF_REG_3, 0),
557 BPF_EMIT_CALL(BPF_FUNC_probe_read),
560 .fixup_map_hash_8b = { 3 },
562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
565 "helper access to variable memory: 8 bytes leak",
567 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 8),
568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
570 BPF_MOV64_IMM(BPF_REG_0, 0),
571 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
572 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
573 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
574 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
575 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
576 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
578 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
579 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
580 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
582 BPF_MOV64_IMM(BPF_REG_3, 0),
583 BPF_EMIT_CALL(BPF_FUNC_probe_read),
584 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
587 .errstr = "invalid indirect read from stack off -64+32 size 64",
589 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
592 "helper access to variable memory: 8 bytes no leak (init memory)",
594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
595 BPF_MOV64_IMM(BPF_REG_0, 0),
596 BPF_MOV64_IMM(BPF_REG_0, 0),
597 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
598 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
599 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
600 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
601 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
602 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
604 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
606 BPF_MOV64_IMM(BPF_REG_2, 0),
607 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
609 BPF_MOV64_IMM(BPF_REG_3, 0),
610 BPF_EMIT_CALL(BPF_FUNC_probe_read),
611 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
615 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
projects / librecmc / linux-libre.git / blob