Skip to content
Navigation Menu
Toggle navigation
Sign in
In this repository
All GitHub Enterprise
↵
Jump to
↵
No suggested jump to results
In this repository
All GitHub Enterprise
↵
Jump to
↵
In this organization
All GitHub Enterprise
↵
Jump to
↵
In this repository
All GitHub Enterprise
↵
Jump to
↵
Sign in
Reseting focus
You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
Dismiss alert
{{ message }}
mariux64
/
linux
Public
Notifications
You must be signed in to change notification settings
Fork
0
Star
0
Code
Issues
2
Pull requests
0
Actions
Projects
0
Wiki
Security
Insights
Additional navigation options
Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights
Files
cf66c29
Documentation
LICENSES
arch
block
certs
crypto
drivers
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
security
sound
tools
accounting
arch
bootconfig
bpf
build
cgroup
debugging
edid
firewire
firmware
gpio
hv
iio
include
io_uring
kvm/kvm_stat
laptop
leds
lib
memory-model
nfsd
objtool
pci
pcmcia
perf
power
scripts
spi
testing
fault-injection
ktest
kunit
nvdimm
radix-tree
scatterlist
selftests
android
arm64
bpf
gnu
map_tests
prog_tests
progs
verifier
.gitignore
and.c
array_access.c
basic.c
basic_call.c
basic_instr.c
basic_stack.c
basic_stx_ldx.c
bounds.c
bounds_deduction.c
bounds_mix_sign_unsign.c
bpf_get_stack.c
calls.c
cfg.c
cgroup_inv_retcode.c
cgroup_skb.c
cgroup_storage.c
const_or.c
ctx.c
ctx_sk_msg.c
ctx_skb.c
dead_code.c
direct_packet_access.c
direct_stack_access_wraparound.c
direct_value_access.c
div0.c
div_overflow.c
event_output.c
helper_access_var_len.c
helper_packet_access.c
helper_value_access.c
int_ptr.c
jit.c
jmp32.c
jset.c
jump.c
junk_insn.c
ld_abs.c
ld_dw.c
ld_imm64.c
ld_ind.c
leak_ptr.c
loops1.c
lwt.c
map_in_map.c
map_ptr_mixing.c
map_ret_val.c
masking.c
meta_access.c
perf_event_sample_period.c
precise.c
prevent_map_lookup.c
raw_stack.c
raw_tp_writable.c
ref_tracking.c
runtime_jit.c
scale.c
search_pruning.c
sock.c
spill_fill.c
spin_lock.c
stack_ptr.c
subreg.c
uninit.c
unpriv.c
value.c
value_adj_spill.c
value_illegal_alu.c
value_or_null.c
value_ptr_arith.c
var_off.c
wide_access.c
xadd.c
xdp.c
xdp_direct_packet_access.c
.gitignore
Makefile
bpf_legacy.h
bpf_rand.h
bpf_rlimit.h
bpf_tcp_helpers.h
bpf_util.h
cgroup_helpers.c
cgroup_helpers.h
config
flow_dissector_load.c
flow_dissector_load.h
get_cgroup_id_user.c
netcnt_common.h
tcp_client.py
tcp_server.py
test_align.c
test_bpftool.py
test_bpftool.sh
test_bpftool_build.sh
test_btf.c
test_btf.h
test_cgroup_storage.c
test_cpp.cpp
test_current_pid_tgid_new_ns.c
test_dev_cgroup.c
test_flow_dissector.c
test_flow_dissector.sh
test_ftrace.sh
test_hashmap.c
test_iptunnel_common.h
test_kmod.sh
test_lirc_mode2.sh
test_lirc_mode2_user.c
test_lpm_map.c
test_lru_map.c
test_lwt_ip_encap.sh
test_lwt_seg6local.sh
test_maps.c
test_maps.h
test_netcnt.c
test_offload.py
test_progs.c
test_progs.h
test_select_reuseport_common.h
test_skb_cgroup_id.sh
test_skb_cgroup_id_user.c
test_sock.c
test_sock_addr.c
test_sock_addr.sh
test_sock_fields.c
test_socket_cookie.c
test_sockmap.c
test_sockmap_kern.h
test_stub.c
test_sysctl.c
test_tag.c
test_tc_edt.sh
test_tc_tunnel.sh
test_tcp_check_syncookie.sh
test_tcp_check_syncookie_user.c
test_tcpbpf.h
test_tcpbpf_user.c
test_tcpnotify.h
test_tcpnotify_user.c
test_tunnel.sh
test_verifier.c
test_verifier_log.c
test_xdp_meta.sh
test_xdp_redirect.sh
test_xdp_veth.sh
test_xdp_vlan.sh
test_xdp_vlan_mode_generic.sh
test_xdp_vlan_mode_native.sh
test_xdping.sh
trace_helpers.c
trace_helpers.h
urandom_read.c
with_addr.sh
with_tunnels.sh
xdping.c
xdping.h
breakpoints
capabilities
cgroup
clone3
cpu-hotplug
cpufreq
dmabuf-heaps
drivers
efivarfs
exec
filesystems
firmware
ftrace
futex
gpio
ia64
intel_pstate
ipc
ir
kcmp
kexec
kmod
kselftest
kvm
lib
livepatch
lkdtm
locking
media_tests
membarrier
memfd
memory-hotplug
mount
mqueue
net
netfilter
nsfs
ntb
openat2
pid_namespace
pidfd
powerpc
prctl
proc
pstore
ptp
ptrace
rcutorture
resctrl
rseq
rtc
safesetid
seccomp
sigaltstack
size
sparc64
splice
static_keys
sync
sysctl
tc-testing
timens
timers
tmpfs
tpm2
uevent
user
vDSO
vm
watchdog
wireguard
x86
zram
.gitignore
Makefile
gen_kselftest_tar.sh
kselftest.h
kselftest_deps.sh
kselftest_harness.h
kselftest_install.sh
kselftest_module.h
lib.mk
vsock
thermal/tmon
time
usb
virtio
vm
wmi
Makefile
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Breadcrumbs
linux
/
tools
/
testing
/
selftests
/
bpf
/
verifier
/
bounds.c
Copy path
Blame
Blame
Latest commit
History
History
559 lines (559 loc) · 18 KB
Breadcrumbs
linux
/
tools
/
testing
/
selftests
/
bpf
/
verifier
/
bounds.c
Top
File metadata and controls
Code
Blame
559 lines (559 loc) · 18 KB
Raw
{ "subtraction bounds (map value) variant 1", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 max value is outside of the array range", .result = REJECT, }, { "subtraction bounds (map value) variant 2", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6), BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4), BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { "check subtraction on pointers for unpriv", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_LD_MAP_FD(BPF_REG_ARG1, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8), BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP), BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0), BPF_LD_MAP_FD(BPF_REG_ARG1, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8), BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 1, 9 }, .result = ACCEPT, .result_unpriv = REJECT, .errstr_unpriv = "R9 pointer -= pointer prohibited", }, { "bounds check based on zero-extended MOV", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), /* r2 = 0x0000'0000'ffff'ffff */ BPF_MOV32_IMM(BPF_REG_2, 0xffffffff), /* r2 = 0 */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), /* no-op */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* access at offset 0 */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .result = ACCEPT }, { "bounds check based on sign-extended MOV. test1", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), /* r2 = 0xffff'ffff'ffff'ffff */ BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), /* r2 = 0xffff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), /* r0 = <oob pointer> */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* access to OOB pointer */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "map_value pointer and 4294967295", .result = REJECT }, { "bounds check based on sign-extended MOV. test2", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), /* r2 = 0xffff'ffff'ffff'ffff */ BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), /* r2 = 0xfff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36), /* r0 = <oob pointer> */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* access to OOB pointer */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 min value is outside of the array range", .result = REJECT }, { "bounds check based on reg_off + var_off + insn_off. test1", .insns = { BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct __sk_buff, mark)), BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 4 }, .errstr = "value_size=8 off=1073741825", .result = REJECT, .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, { "bounds check based on reg_off + var_off + insn_off. test2", .insns = { BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct __sk_buff, mark)), BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 4 }, .errstr = "value 1073741823", .result = REJECT, .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, { "bounds check after truncation of non-boundary-crossing range", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_2, 1), /* r2 = 0x10'0000'0000 */ BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36), /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */ BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), /* r1 = [0x00, 0xff] */ BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff), /* r1 = 0 */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), /* no-op */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* access at offset 0 */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .result = ACCEPT }, { "bounds check after truncation of boundary-crossing range (1)", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0x1'0000'007f] */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0xffff'ffff] or * [0x0000'0000, 0x0000'007f] */ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0), BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0x00, 0xff] or * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] */ BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* error on OOB pointer computation */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, /* not actually fully unbounded, but the bound is very high */ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root", .result_unpriv = REJECT, .errstr = "value -4294967168 makes map_value pointer be out of bounds", .result = REJECT, }, { "bounds check after truncation of boundary-crossing range (2)", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0x1'0000'007f] */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0xffff'ffff] or * [0x0000'0000, 0x0000'007f] * difference to previous test: truncation via MOV32 * instead of ALU32. */ BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0x00, 0xff] or * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] */ BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* error on OOB pointer computation */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, /* not actually fully unbounded, but the bound is very high */ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root", .result_unpriv = REJECT, .errstr = "value -4294967168 makes map_value pointer be out of bounds", .result = REJECT, }, { "bounds check after wrapping 32-bit addition", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), /* r1 = 0x7fff'ffff */ BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff), /* r1 = 0xffff'fffe */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), /* r1 = 0 */ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2), /* no-op */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* access at offset 0 */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .result = ACCEPT }, { "bounds check after shift with oversized count operand", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), BPF_MOV64_IMM(BPF_REG_2, 32), BPF_MOV64_IMM(BPF_REG_1, 1), /* r1 = (u32)1 << (u32)32 = ? */ BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2), /* r1 = [0x0000, 0xffff] */ BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff), /* computes unknown pointer, potentially OOB */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* potentially OOB access */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 max value is outside of the array range", .result = REJECT }, { "bounds check after right shift of maybe-negative number", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), /* r1 = [-0x01, 0xfe] */ BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1), /* r1 = 0 or 0xff'ffff'ffff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), /* r1 = 0 or 0xffff'ffff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), /* computes unknown pointer, potentially OOB */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* potentially OOB access */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 unbounded memory access", .result = REJECT }, { "bounds check after 32-bit right shift with 64-bit input", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), /* r1 = 2 */ BPF_MOV64_IMM(BPF_REG_1, 2), /* r1 = 1<<32 */ BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31), /* r1 = 0 (NOT 2!) */ BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31), /* r1 = 0xffff'fffe (NOT 0!) */ BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2), /* error on computing OOB pointer */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "math between map_value pointer and 4294967294 is not allowed", .result = REJECT, }, { "bounds check map access with off+size signed 32bit overflow. test1", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "map_value pointer and 2147483646", .result = REJECT }, { "bounds check map access with off+size signed 32bit overflow. test2", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "pointer offset 1073741822", .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", .result = REJECT }, { "bounds check map access with off+size signed 32bit overflow. test3", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "pointer offset -1073741822", .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", .result = REJECT }, { "bounds check map access with off+size signed 32bit overflow. test4", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_IMM(BPF_REG_1, 1000000), BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "map_value pointer and 1000000000000", .result = REJECT }, { "bounds check mixed 32bit and 64bit arithmetic. test1", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_1, -1), BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), /* r1 = 0xffffFFFF00000001 */ BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 1, 3), /* check ALU64 op keeps 32bit bounds */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 2, 1), BPF_JMP_A(1), /* invalid ldx if bounds are lost above */ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), BPF_EXIT_INSN(), }, .result = ACCEPT }, { "bounds check mixed 32bit and 64bit arithmetic. test2", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_1, -1), BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), /* r1 = 0xffffFFFF00000001 */ BPF_MOV64_IMM(BPF_REG_2, 3), /* r1 = 0x2 */ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), /* check ALU32 op zero extends 64bit bounds */ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 1), BPF_JMP_A(1), /* invalid ldx if bounds are lost above */ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), BPF_EXIT_INSN(), }, .result = ACCEPT }, { "assigning 32bit bounds to 64bit for wA = 0, wB = wA", .insns = { BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1, offsetof(struct __sk_buff, data_end)), BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, offsetof(struct __sk_buff, data)), BPF_MOV32_IMM(BPF_REG_9, 0), BPF_MOV32_REG(BPF_REG_2, BPF_REG_9), BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_2), BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_8, 1), BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_6, 0), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .prog_type = BPF_PROG_TYPE_SCHED_CLS, .result = ACCEPT, .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, },
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
You can’t perform that action at this time.