/*
 * A BPF_ST (store-immediate) that targets the context pointer in R1 must be
 * refused. The program writes the constant 0 to __sk_buff.mark through R1;
 * the expected verifier message is the one in .errstr.
 */
{
	"context stores via ST",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* *(u64 *)(R1 + offsetof(mark)) = 0, immediate store into ctx */
	BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "BPF_ST stores into R1 ctx is not allowed",
},
/*
 * An atomic add (BPF_STX | BPF_XADD) whose destination is the context
 * pointer in R1 must be refused. The instruction is hand-encoded with
 * BPF_RAW_INSN and adds R0 into __sk_buff.mark.
 */
{
	"context stores via XADD",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.insns = {
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* 32-bit XADD: dst = R1 (ctx), src = R0, off = offsetof(mark) */
	BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1, BPF_REG_0,
		     offsetof(struct __sk_buff, mark), 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "BPF_XADD stores into R1 ctx is not allowed",
},
/*
 * Pointer arithmetic on the context pointer makes it unusable for loads.
 * R1 is advanced by (offsetof(data) - offsetof(mark)) and then read at
 * offsetof(mark), so the effective address is the 'data' field reached
 * through a shifted base. The verifier must reject this rather than try
 * to reason about the combined offset.
 */
{
	"arithmetic ops make PTR_TO_CTX unusable",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.insns = {
	/* R1 += offsetof(data) - offsetof(mark) */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct __sk_buff, data) -
					  offsetof(struct __sk_buff, mark)),
	/* R0 = *(u32 *)(R1 + offsetof(mark)), load through the modified ctx */
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
/*
 * Baseline for the "modified ctx pointer" cases: R1 still holds the
 * untouched context when bpf_csum_update() is called, so the program is
 * expected to load.
 */
{
	"pass unmodified ctx pointer to helper",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_2, 0),
	/* call csum_update with R1 = ctx (unchanged), R2 = 0 */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * A context pointer that has been moved by a constant (-612 here) must not
 * be accepted as a helper argument. The check applies at the call site:
 * the program never dereferences R1 itself, it only hands it to
 * bpf_csum_update().
 */
{
	"pass modified ctx pointer to helper, 1",
	.insns = {
	/* R1 = ctx - 612 */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "dereference of modified ctx ptr",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * Same constant-offset ctx modification as variant 1, but passed to
 * bpf_get_socket_cookie(). No .prog_type is set, so whatever default the
 * test harness uses applies (not visible in this file). Both the
 * privileged and the unprivileged load are expected to fail with the same
 * message.
 */
{
	"pass modified ctx pointer to helper, 2",
	.insns = {
	/* R1 = ctx - 612 */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
	.result_unpriv = REJECT,
	.errstr_unpriv = "dereference of modified ctx ptr",
},
/*
 * Variable-offset case: the value added to the context pointer is not a
 * constant. R3 is loaded from ctx offset 0 and masked with 4, so it is
 * either 0 or 4; this matches the var_off=(0x0; 0x4) in the expected
 * message. Adding it to R1 yields a ctx pointer with an unknown offset,
 * which must be rejected when passed to bpf_csum_update().
 */
{
	"pass modified ctx pointer to helper, 3",
	.insns = {
	/* R3 = *(u32 *)(ctx + 0) & 4 */
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
	BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
	/* R1 = ctx + R3, offset only known as a value/mask pair */
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_update),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "variable ctx access var_off=(0x0; 0x4)",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
/*
 * bpf_get_netns_cookie() is exercised here as a helper whose first
 * argument may be the context or NULL. Case 1: the unmodified context in
 * R1 is accepted for a cgroup sock_addr program attached at UDP6 sendmsg.
 */
{
	"pass ctx or null check, 1: ctx",
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.insns = {
	/* R1 is still the entry ctx */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/*
 * Case 2 of the ctx-or-NULL argument check: R1 is overwritten with the
 * constant 0 before calling bpf_get_netns_cookie(). NULL is a permitted
 * value for this helper's argument, so the program is expected to load.
 */
{
	"pass ctx or null check, 2: null",
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.insns = {
	/* R1 = NULL */
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/*
 * Case 3 of the ctx-or-NULL argument check: only the exact constant 0
 * counts as NULL. R1 = 1 is a plain scalar (reported as type=inv), not a
 * context pointer, so the call to bpf_get_netns_cookie() must be rejected.
 */
{
	"pass ctx or null check, 3: 1",
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.insns = {
	/* R1 = 1, a non-zero scalar standing in for a pointer */
	BPF_MOV64_IMM(BPF_REG_1, 1),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "R1 type=inv expected=ctx",
	.result = REJECT,
},
/*
 * Case 4 of the ctx-or-NULL argument check: allowing NULL does not relax
 * the rule against modified context pointers. R1 = ctx - 612 must still be
 * rejected when handed to bpf_get_netns_cookie().
 */
{
	"pass ctx or null check, 4: ctx - const",
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.insns = {
	/* R1 = ctx - 612 */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "dereference of modified ctx ptr",
	.result = REJECT,
},
/*
 * Case 5 of the ctx-or-NULL argument check: NULL passed to
 * bpf_get_netns_cookie() from a cgroup sock_addr program, this time with
 * the INET4 connect attach type. Expected to load.
 */
{
	"pass ctx or null check, 5: null (connect)",
	.expected_attach_type = BPF_CGROUP_INET4_CONNECT,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.insns = {
	/* R1 = NULL */
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/*
 * Case 6 of the ctx-or-NULL argument check: NULL passed to
 * bpf_get_netns_cookie() from a cgroup sock program attached at INET4
 * post-bind. Expected to load.
 */
{
	"pass ctx or null check, 6: null (bind)",
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.insns = {
	/* R1 = NULL */
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_netns_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/*
 * Case 7: bpf_get_socket_cookie() called with the unmodified context from
 * a cgroup sock program attached at INET4 post-bind. Expected to load;
 * this is the positive counterpart to the NULL case for the same helper.
 */
{
	"pass ctx or null check, 7: ctx (bind)",
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.insns = {
	/* R1 is still the entry ctx */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/*
 * Case 8: bpf_get_socket_cookie() does not take NULL in place of the
 * context. With R1 = 0 the verifier sees a scalar where a ctx pointer is
 * required and must reject the program, guarding against a helper being
 * handed a NULL context it is not written to handle.
 */
{
	"pass ctx or null check, 8: null (bind)",
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.insns = {
	/* R1 = NULL */
	BPF_MOV64_IMM(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_socket_cookie),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.errstr = "R1 type=inv expected=ctx",
	.result = REJECT,
},