Skip to content
Navigation Menu
Toggle navigation
Sign in
In this repository
All GitHub Enterprise
↵
Jump to
↵
No suggested jump to results
In this repository
All GitHub Enterprise
↵
Jump to
↵
In this organization
All GitHub Enterprise
↵
Jump to
↵
In this repository
All GitHub Enterprise
↵
Jump to
↵
Sign in
Reseting focus
You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
Dismiss alert
{{ message }}
mariux64
/
linux
Public
Notifications
You must be signed in to change notification settings
Fork
0
Star
0
Code
Issues
1
Pull requests
0
Actions
Projects
0
Wiki
Security
Insights
Additional navigation options
Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights
Files
e3effcd
Breadcrumbs
linux
/
tools
/
testing
/
selftests
/
bpf
/
verifier
/
bounds.c
Copy path
Blame
Blame
Latest commit
History
History
537 lines (537 loc) · 17.3 KB
Breadcrumbs
linux
/
tools
/
testing
/
selftests
/
bpf
/
verifier
/
bounds.c
Top
File metadata and controls
Code
Blame
537 lines (537 loc) · 17.3 KB
Raw
{ "subtraction bounds (map value) variant 1", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 max value is outside of the array range", .result = REJECT, }, { "subtraction bounds (map value) variant 2", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6), BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4), BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), BPF_EXIT_INSN(), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { "check subtraction on pointers for unpriv", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_LD_MAP_FD(BPF_REG_ARG1, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8), BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP), BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0), BPF_LD_MAP_FD(BPF_REG_ARG1, 0), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8), BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 1, 9 }, .result = ACCEPT, .result_unpriv = REJECT, .errstr_unpriv = "R9 pointer -= pointer prohibited", }, { "bounds check based on zero-extended MOV", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), /* r2 = 0x0000'0000'ffff'ffff */ BPF_MOV32_IMM(BPF_REG_2, 0xffffffff), /* r2 = 0 */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), /* no-op */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* access at offset 0 */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .result = ACCEPT }, { "bounds check based on sign-extended MOV. test1", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), /* r2 = 0xffff'ffff'ffff'ffff */ BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), /* r2 = 0xffff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), /* r0 = <oob pointer> */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* access to OOB pointer */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "map_value pointer and 4294967295", .result = REJECT }, { "bounds check based on sign-extended MOV. test2", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), /* r2 = 0xffff'ffff'ffff'ffff */ BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), /* r2 = 0xfff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36), /* r0 = <oob pointer> */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), /* access to OOB pointer */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 min value is outside of the array range", .result = REJECT }, { "bounds check based on reg_off + var_off + insn_off. test1", .insns = { BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct __sk_buff, mark)), BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 4 }, .errstr = "value_size=8 off=1073741825", .result = REJECT, .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, { "bounds check based on reg_off + var_off + insn_off. test2", .insns = { BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct __sk_buff, mark)), BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 4 }, .errstr = "value 1073741823", .result = REJECT, .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, { "bounds check after truncation of non-boundary-crossing range", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_2, 1), /* r2 = 0x10'0000'0000 */ BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36), /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */ BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), /* r1 = [0x00, 0xff] */ BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff), /* r1 = 0 */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), /* no-op */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* access at offset 0 */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .result = ACCEPT }, { "bounds check after truncation of boundary-crossing range (1)", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0x1'0000'007f] */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0xffff'ffff] or * [0x0000'0000, 0x0000'007f] */ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0), BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0x00, 0xff] or * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] */ BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* error on OOB pointer computation */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, /* not actually fully unbounded, but the bound is very high */ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root", .result_unpriv = REJECT, .errstr = "value -4294967168 makes map_value pointer be out of bounds", .result = REJECT, }, { "bounds check after truncation of boundary-crossing range (2)", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0x1'0000'007f] */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0xffff'ff80, 0xffff'ffff] or * [0x0000'0000, 0x0000'007f] * difference to previous test: truncation via MOV32 * instead of ALU32. */ BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* r1 = [0x00, 0xff] or * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] */ BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), /* error on OOB pointer computation */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, /* not actually fully unbounded, but the bound is very high */ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root", .result_unpriv = REJECT, .errstr = "value -4294967168 makes map_value pointer be out of bounds", .result = REJECT, }, { "bounds check after wrapping 32-bit addition", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), /* r1 = 0x7fff'ffff */ BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff), /* r1 = 0xffff'fffe */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), /* r1 = 0 */ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2), /* no-op */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* access at offset 0 */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .result = ACCEPT }, { "bounds check after shift with oversized count operand", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), BPF_MOV64_IMM(BPF_REG_2, 32), BPF_MOV64_IMM(BPF_REG_1, 1), /* r1 = (u32)1 << (u32)32 = ? */ BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2), /* r1 = [0x0000, 0xffff] */ BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff), /* computes unknown pointer, potentially OOB */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* potentially OOB access */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 max value is outside of the array range", .result = REJECT }, { "bounds check after right shift of maybe-negative number", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), /* r1 = [0x00, 0xff] */ BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), /* r1 = [-0x01, 0xfe] */ BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1), /* r1 = 0 or 0xff'ffff'ffff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), /* r1 = 0 or 0xffff'ffff'ffff */ BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), /* computes unknown pointer, potentially OOB */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* potentially OOB access */ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "R0 unbounded memory access", .result = REJECT }, { "bounds check after 32-bit right shift with 64-bit input", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), /* r1 = 2 */ BPF_MOV64_IMM(BPF_REG_1, 2), /* r1 = 1<<32 */ BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31), /* r1 = 0 (NOT 2!) */ BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31), /* r1 = 0xffff'fffe (NOT 0!) */ BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2), /* error on computing OOB pointer */ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), /* exit */ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "math between map_value pointer and 4294967294 is not allowed", .result = REJECT, }, { "bounds check map access with off+size signed 32bit overflow. test1", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "map_value pointer and 2147483646", .result = REJECT }, { "bounds check map access with off+size signed 32bit overflow. test2", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "pointer offset 1073741822", .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", .result = REJECT }, { "bounds check map access with off+size signed 32bit overflow. test3", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "pointer offset -1073741822", .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", .result = REJECT }, { "bounds check map access with off+size signed 32bit overflow. test4", .insns = { BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), BPF_LD_MAP_FD(BPF_REG_1, 0), BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_MOV64_IMM(BPF_REG_1, 1000000), BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000), BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), BPF_JMP_A(0), BPF_EXIT_INSN(), }, .fixup_map_hash_8b = { 3 }, .errstr = "map_value pointer and 1000000000000", .result = REJECT }, { "bounds check mixed 32bit and 64bit arithmetic. test1", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_1, -1), BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), /* r1 = 0xffffFFFF00000001 */ BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 1, 3), /* check ALU64 op keeps 32bit bounds */ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), BPF_JMP32_IMM(BPF_JGT, BPF_REG_1, 2, 1), BPF_JMP_A(1), /* invalid ldx if bounds are lost above */ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), BPF_EXIT_INSN(), }, .result = ACCEPT }, { "bounds check mixed 32bit and 64bit arithmetic. test2", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_1, -1), BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), /* r1 = 0xffffFFFF00000001 */ BPF_MOV64_IMM(BPF_REG_2, 3), /* r1 = 0x2 */ BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), /* check ALU32 op zero extends 64bit bounds */ BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 1), BPF_JMP_A(1), /* invalid ldx if bounds are lost above */ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1), BPF_EXIT_INSN(), }, .result = ACCEPT },
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
You can’t perform that action at this time.