mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-11-01 17:08:10 +00:00
bf5088773f
Add new tests samples/bpf/test_verifier:
unpriv: return pointer
checks that pointer cannot be returned from the eBPF program
unpriv: add const to pointer
unpriv: add pointer to pointer
unpriv: neg pointer
checks that pointer arithmetic is disallowed
unpriv: cmp pointer with const
unpriv: cmp pointer with pointer
checks that comparison of pointers is disallowed
Only one case allowed 'void *value = bpf_map_lookup_elem(..); if (value == 0) ...'
unpriv: check that printk is disallowed
since bpf_trace_printk is not available to unprivileged
unpriv: pass pointer to helper function
checks that pointers cannot be passed to functions that expect integers
If function expects a pointer the verifier allows only that type of pointer.
Like 1st argument of bpf_map_lookup_elem() must be pointer to map.
(applies to non-root as well)
unpriv: indirectly pass pointer on stack to helper function
checks that pointer stored into stack cannot be used as part of key
passed into bpf_map_lookup_elem()
unpriv: mangle pointer on stack 1
unpriv: mangle pointer on stack 2
checks that writing into stack slot that already contains a pointer
is disallowed
unpriv: read pointer from stack in small chunks
checks that < 8 byte read from stack slot that contains a pointer is
disallowed
unpriv: write pointer into ctx
checks that storing pointers into skb->fields is disallowed
unpriv: write pointer into map elem value
checks that storing pointers into element values is disallowed
For example:
int bpf_prog(struct __sk_buff *skb)
{
u32 key = 0;
u64 *value = bpf_map_lookup_elem(&map, &key);
if (value)
*value = (u64) skb;
}
will be rejected.
unpriv: partial copy of pointer
checks that doing 32-bit register mov from register containing
a pointer is disallowed
unpriv: pass pointer to tail_call
checks that passing pointer as an index into bpf_tail_call
is disallowed
unpriv: cmp map pointer with zero
checks that comparing map pointer with constant is disallowed
unpriv: write into frame pointer
checks that frame pointer is read-only (applies to root too)
unpriv: cmp of frame pointer
checks that R10 cannot be using in comparison
unpriv: cmp of stack pointer
checks that Rx = R10 - imm is ok, but comparing Rx is not
unpriv: obfuscate stack pointer
checks that Rx = R10 - imm is ok, but Rx -= imm is not
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1311 lines
33 KiB
C
1311 lines
33 KiB
C
/*
|
|
* Testsuite for eBPF verifier
|
|
*
|
|
* Copyright (c) 2014 PLUMgrid, http://plumgrid.com
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
* License as published by the Free Software Foundation.
|
|
*/
|
|
#include <stdio.h>
|
|
#include <unistd.h>
|
|
#include <linux/bpf.h>
|
|
#include <errno.h>
|
|
#include <linux/unistd.h>
|
|
#include <string.h>
|
|
#include <linux/filter.h>
|
|
#include <stddef.h>
|
|
#include <stdbool.h>
|
|
#include <sys/resource.h>
|
|
#include "libbpf.h"
|
|
|
|
#define MAX_INSNS 512
|
|
#define ARRAY_SIZE(x) (sizeof(x) / sizeof(*(x)))
|
|
|
|
#define MAX_FIXUPS 8
|
|
|
|
struct bpf_test {
|
|
const char *descr;
|
|
struct bpf_insn insns[MAX_INSNS];
|
|
int fixup[MAX_FIXUPS];
|
|
int prog_array_fixup[MAX_FIXUPS];
|
|
const char *errstr;
|
|
const char *errstr_unpriv;
|
|
enum {
|
|
UNDEF,
|
|
ACCEPT,
|
|
REJECT
|
|
} result, result_unpriv;
|
|
enum bpf_prog_type prog_type;
|
|
};
|
|
|
|
static struct bpf_test tests[] = {
|
|
{
|
|
"add+sub+mul",
|
|
.insns = {
|
|
BPF_MOV64_IMM(BPF_REG_1, 1),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
|
|
BPF_MOV64_IMM(BPF_REG_2, 3),
|
|
BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
|
|
BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unreachable",
|
|
.insns = {
|
|
BPF_EXIT_INSN(),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "unreachable",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"unreachable2",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 1),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "unreachable",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"out of range jump",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "jump out of range",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"out of range jump2",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, -2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "jump out of range",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"test1 ld_imm64",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
|
|
BPF_LD_IMM64(BPF_REG_0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 1),
|
|
BPF_LD_IMM64(BPF_REG_0, 1),
|
|
BPF_MOV64_IMM(BPF_REG_0, 2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid BPF_LD_IMM insn",
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"test2 ld_imm64",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
|
|
BPF_LD_IMM64(BPF_REG_0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 1),
|
|
BPF_LD_IMM64(BPF_REG_0, 1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid BPF_LD_IMM insn",
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"test3 ld_imm64",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
|
|
BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 0),
|
|
BPF_LD_IMM64(BPF_REG_0, 1),
|
|
BPF_LD_IMM64(BPF_REG_0, 1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_ld_imm64 insn",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"test4 ld_imm64",
|
|
.insns = {
|
|
BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_ld_imm64 insn",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"test5 ld_imm64",
|
|
.insns = {
|
|
BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
|
|
},
|
|
.errstr = "invalid bpf_ld_imm64 insn",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"no bpf_exit",
|
|
.insns = {
|
|
BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
|
|
},
|
|
.errstr = "jump out of range",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"loop (back-edge)",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "back-edge",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"loop2 (back-edge)",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
|
|
BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, -4),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "back-edge",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"conditional loop",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
|
|
BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "back-edge",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"read uninitialized register",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R2 !read_ok",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"read invalid register",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_0, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R15 is invalid",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"program doesn't init R0 before exit",
|
|
.insns = {
|
|
BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R0 !read_ok",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"program doesn't init R0 before exit in all branches",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_MOV64_IMM(BPF_REG_0, 1),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R0 !read_ok",
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"stack out of bounds",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid stack",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid call insn1",
|
|
.insns = {
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "BPF_CALL uses reserved",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid call insn2",
|
|
.insns = {
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "BPF_CALL uses reserved",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid function call",
|
|
.insns = {
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid func 1234567",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"uninitialized stack1",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {2},
|
|
.errstr = "invalid indirect read from stack",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"uninitialized stack2",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid read from stack",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"check valid spill/fill",
|
|
.insns = {
|
|
/* spill R1(ctx) into stack */
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
|
|
|
|
/* fill it back into R2 */
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
|
|
|
|
/* should be able to access R0 = *(R2 + 8) */
|
|
/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
|
|
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R0 leaks addr",
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
},
|
|
{
|
|
"check corrupted spill/fill",
|
|
.insns = {
|
|
/* spill R1(ctx) into stack */
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
|
|
|
|
/* mess up with R1 pointer on stack */
|
|
BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
|
|
|
|
/* fill back into R0 should fail */
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
|
|
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "attempt to corrupt spilled",
|
|
.errstr = "corrupted spill",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid src register in STX",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R15 is invalid",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid dst register in STX",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R14 is invalid",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid dst register in ST",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_B, 14, -1, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R14 is invalid",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid src register in LDX",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R12 is invalid",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid dst register in LDX",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "R11 is invalid",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"junk insn",
|
|
.insns = {
|
|
BPF_RAW_INSN(0, 0, 0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid BPF_LD_IMM",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"junk insn2",
|
|
.insns = {
|
|
BPF_RAW_INSN(1, 0, 0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "BPF_LDX uses reserved fields",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"junk insn3",
|
|
.insns = {
|
|
BPF_RAW_INSN(-1, 0, 0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid BPF_ALU opcode f0",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"junk insn4",
|
|
.insns = {
|
|
BPF_RAW_INSN(-1, -1, -1, -1, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid BPF_ALU opcode f0",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"junk insn5",
|
|
.insns = {
|
|
BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "BPF_ALU uses reserved fields",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"misaligned read from stack",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "misaligned access",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"invalid map_fd for function call",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "fd 0 is not pointing to valid bpf_map",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"don't check return value before access",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {3},
|
|
.errstr = "R0 invalid mem access 'map_value_or_null'",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"access memory with incorrect alignment",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {3},
|
|
.errstr = "misaligned access",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"sometimes access memory with incorrect alignment",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {3},
|
|
.errstr = "R0 invalid mem access",
|
|
.errstr_unpriv = "R0 leaks addr",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"jump test 1",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"jump test 2",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 14),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 11),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 8),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 5),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"jump test 3",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 19),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 15),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 11),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 7),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {24},
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"jump test 4",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"jump test 5",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 2),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"access skb fields ok",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, len)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, mark)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, pkt_type)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, queue_mapping)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, protocol)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, vlan_present)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, vlan_tci)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"access skb fields bad1",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_context access",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"access skb fields bad2",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
|
|
BPF_EXIT_INSN(),
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, pkt_type)),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {4},
|
|
.errstr = "different pointers",
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"access skb fields bad3",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, pkt_type)),
|
|
BPF_EXIT_INSN(),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
|
|
BPF_EXIT_INSN(),
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, -12),
|
|
},
|
|
.fixup = {6},
|
|
.errstr = "different pointers",
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"access skb fields bad4",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
|
|
offsetof(struct __sk_buff, len)),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
|
|
BPF_EXIT_INSN(),
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
|
|
BPF_JMP_IMM(BPF_JA, 0, 0, -13),
|
|
},
|
|
.fixup = {7},
|
|
.errstr = "different pointers",
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"check skb->mark is not writeable by sockets",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
|
|
offsetof(struct __sk_buff, mark)),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_context access",
|
|
.errstr_unpriv = "R1 leaks addr",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"check skb->tc_index is not writeable by sockets",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
|
|
offsetof(struct __sk_buff, tc_index)),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_context access",
|
|
.errstr_unpriv = "R1 leaks addr",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"check non-u32 access to cb",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_1,
|
|
offsetof(struct __sk_buff, cb[0])),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_context access",
|
|
.errstr_unpriv = "R1 leaks addr",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"check out of range skb->cb access",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, cb[0]) + 256),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid bpf_context access",
|
|
.errstr_unpriv = "",
|
|
.result = REJECT,
|
|
.prog_type = BPF_PROG_TYPE_SCHED_ACT,
|
|
},
|
|
{
|
|
"write skb fields from socket prog",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, cb[4])),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, mark)),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, tc_index)),
|
|
BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
|
|
offsetof(struct __sk_buff, cb[0])),
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
|
|
offsetof(struct __sk_buff, cb[2])),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.errstr_unpriv = "R1 leaks addr",
|
|
.result_unpriv = REJECT,
|
|
},
|
|
{
|
|
"write skb fields from tc_cls_act prog",
|
|
.insns = {
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, cb[0])),
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
|
|
offsetof(struct __sk_buff, mark)),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
|
|
offsetof(struct __sk_buff, tc_index)),
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
|
|
offsetof(struct __sk_buff, tc_index)),
|
|
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
|
|
offsetof(struct __sk_buff, cb[3])),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
},
|
|
{
|
|
"PTR_TO_STACK store/load",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"PTR_TO_STACK store/load - bad alignment on off",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = REJECT,
|
|
.errstr = "misaligned access off -6 size 8",
|
|
},
|
|
{
|
|
"PTR_TO_STACK store/load - bad alignment on reg",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = REJECT,
|
|
.errstr = "misaligned access off -2 size 8",
|
|
},
|
|
{
|
|
"PTR_TO_STACK store/load - out of bounds low",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = REJECT,
|
|
.errstr = "invalid stack off=-79992 size=8",
|
|
},
|
|
{
|
|
"PTR_TO_STACK store/load - out of bounds high",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
|
|
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = REJECT,
|
|
.errstr = "invalid stack off=0 size=8",
|
|
},
|
|
{
|
|
"unpriv: return pointer",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
.errstr_unpriv = "R0 leaks addr",
|
|
},
|
|
{
|
|
"unpriv: add const to pointer",
|
|
.insns = {
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
.errstr_unpriv = "R1 pointer arithmetic",
|
|
},
|
|
{
|
|
"unpriv: add pointer to pointer",
|
|
.insns = {
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
.errstr_unpriv = "R1 pointer arithmetic",
|
|
},
|
|
{
|
|
"unpriv: neg pointer",
|
|
.insns = {
|
|
BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
.errstr_unpriv = "R1 pointer arithmetic",
|
|
},
|
|
{
|
|
"unpriv: cmp pointer with const",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
},
|
|
{
|
|
"unpriv: cmp pointer with pointer",
|
|
.insns = {
|
|
BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.result = ACCEPT,
|
|
.result_unpriv = REJECT,
|
|
.errstr_unpriv = "R10 pointer comparison",
|
|
},
|
|
{
|
|
"unpriv: check that printk is disallowed",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
|
|
BPF_MOV64_IMM(BPF_REG_2, 8),
|
|
BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "unknown func 6",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: pass pointer to helper function",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {3},
|
|
.errstr_unpriv = "R4 leaks addr",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: indirectly pass pointer on stack to helper function",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {3},
|
|
.errstr = "invalid indirect read from stack off -8+0 size 8",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"unpriv: mangle pointer on stack 1",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
|
|
BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "attempt to corrupt spilled",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: mangle pointer on stack 2",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
|
|
BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "attempt to corrupt spilled",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: read pointer from stack in small chunks",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "invalid size",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"unpriv: write pointer into ctx",
|
|
.insns = {
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R1 leaks addr",
|
|
.result_unpriv = REJECT,
|
|
.errstr = "invalid bpf_context access",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"unpriv: write pointer into map elem value",
|
|
.insns = {
|
|
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {3},
|
|
.errstr_unpriv = "R0 leaks addr",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: partial copy of pointer",
|
|
.insns = {
|
|
BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R10 partial copy",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: pass pointer to tail_call",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
|
|
BPF_LD_MAP_FD(BPF_REG_2, 0),
|
|
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.prog_array_fixup = {1},
|
|
.errstr_unpriv = "R3 leaks addr into helper",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: cmp map pointer with zero",
|
|
.insns = {
|
|
BPF_MOV64_IMM(BPF_REG_1, 0),
|
|
BPF_LD_MAP_FD(BPF_REG_1, 0),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.fixup = {1},
|
|
.errstr_unpriv = "R1 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: write into frame pointer",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr = "frame pointer is read only",
|
|
.result = REJECT,
|
|
},
|
|
{
|
|
"unpriv: cmp of frame pointer",
|
|
.insns = {
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R10 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: cmp of stack pointer",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R2 pointer comparison",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
{
|
|
"unpriv: obfuscate stack pointer",
|
|
.insns = {
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN(),
|
|
},
|
|
.errstr_unpriv = "R2 pointer arithmetic",
|
|
.result_unpriv = REJECT,
|
|
.result = ACCEPT,
|
|
},
|
|
};
|
|
|
|
static int probe_filter_length(struct bpf_insn *fp)
|
|
{
|
|
int len = 0;
|
|
|
|
for (len = MAX_INSNS - 1; len > 0; --len)
|
|
if (fp[len].code != 0 || fp[len].imm != 0)
|
|
break;
|
|
|
|
return len + 1;
|
|
}
|
|
|
|
static int create_map(void)
|
|
{
|
|
int map_fd;
|
|
|
|
map_fd = bpf_create_map(BPF_MAP_TYPE_HASH,
|
|
sizeof(long long), sizeof(long long), 1024);
|
|
if (map_fd < 0)
|
|
printf("failed to create map '%s'\n", strerror(errno));
|
|
|
|
return map_fd;
|
|
}
|
|
|
|
static int create_prog_array(void)
|
|
{
|
|
int map_fd;
|
|
|
|
map_fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY,
|
|
sizeof(int), sizeof(int), 4);
|
|
if (map_fd < 0)
|
|
printf("failed to create prog_array '%s'\n", strerror(errno));
|
|
|
|
return map_fd;
|
|
}
|
|
|
|
static int test(void)
|
|
{
|
|
int prog_fd, i, pass_cnt = 0, err_cnt = 0;
|
|
bool unpriv = geteuid() != 0;
|
|
|
|
for (i = 0; i < ARRAY_SIZE(tests); i++) {
|
|
struct bpf_insn *prog = tests[i].insns;
|
|
int prog_type = tests[i].prog_type;
|
|
int prog_len = probe_filter_length(prog);
|
|
int *fixup = tests[i].fixup;
|
|
int *prog_array_fixup = tests[i].prog_array_fixup;
|
|
int expected_result;
|
|
const char *expected_errstr;
|
|
int map_fd = -1, prog_array_fd = -1;
|
|
|
|
if (*fixup) {
|
|
map_fd = create_map();
|
|
|
|
do {
|
|
prog[*fixup].imm = map_fd;
|
|
fixup++;
|
|
} while (*fixup);
|
|
}
|
|
if (*prog_array_fixup) {
|
|
prog_array_fd = create_prog_array();
|
|
|
|
do {
|
|
prog[*prog_array_fixup].imm = prog_array_fd;
|
|
prog_array_fixup++;
|
|
} while (*prog_array_fixup);
|
|
}
|
|
printf("#%d %s ", i, tests[i].descr);
|
|
|
|
prog_fd = bpf_prog_load(prog_type ?: BPF_PROG_TYPE_SOCKET_FILTER,
|
|
prog, prog_len * sizeof(struct bpf_insn),
|
|
"GPL", 0);
|
|
|
|
if (unpriv && tests[i].result_unpriv != UNDEF)
|
|
expected_result = tests[i].result_unpriv;
|
|
else
|
|
expected_result = tests[i].result;
|
|
|
|
if (unpriv && tests[i].errstr_unpriv)
|
|
expected_errstr = tests[i].errstr_unpriv;
|
|
else
|
|
expected_errstr = tests[i].errstr;
|
|
|
|
if (expected_result == ACCEPT) {
|
|
if (prog_fd < 0) {
|
|
printf("FAIL\nfailed to load prog '%s'\n",
|
|
strerror(errno));
|
|
printf("%s", bpf_log_buf);
|
|
err_cnt++;
|
|
goto fail;
|
|
}
|
|
} else {
|
|
if (prog_fd >= 0) {
|
|
printf("FAIL\nunexpected success to load\n");
|
|
printf("%s", bpf_log_buf);
|
|
err_cnt++;
|
|
goto fail;
|
|
}
|
|
if (strstr(bpf_log_buf, expected_errstr) == 0) {
|
|
printf("FAIL\nunexpected error message: %s",
|
|
bpf_log_buf);
|
|
err_cnt++;
|
|
goto fail;
|
|
}
|
|
}
|
|
|
|
pass_cnt++;
|
|
printf("OK\n");
|
|
fail:
|
|
if (map_fd >= 0)
|
|
close(map_fd);
|
|
if (prog_array_fd >= 0)
|
|
close(prog_array_fd);
|
|
close(prog_fd);
|
|
|
|
}
|
|
printf("Summary: %d PASSED, %d FAILED\n", pass_cnt, err_cnt);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
struct rlimit r = {1 << 20, 1 << 20};
|
|
|
|
setrlimit(RLIMIT_MEMLOCK, &r);
|
|
return test();
|
|
}
|