Loading...
Note: File does not exist in v6.13.7.
1{
2 "map access: known scalar += value_ptr from different maps",
3 .insns = {
4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5 offsetof(struct __sk_buff, len)),
6 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
10 BPF_LD_MAP_FD(BPF_REG_1, 0),
11 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12 BPF_LD_MAP_FD(BPF_REG_1, 0),
13 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
14 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15 BPF_MOV64_IMM(BPF_REG_1, 4),
16 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
17 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
18 BPF_MOV64_IMM(BPF_REG_0, 1),
19 BPF_EXIT_INSN(),
20 },
21 .fixup_map_hash_16b = { 5 },
22 .fixup_map_array_48b = { 8 },
23 .result = ACCEPT,
24 .result_unpriv = REJECT,
25 .errstr_unpriv = "R1 tried to add from different maps",
26 .retval = 1,
27},
28{
29 "map access: value_ptr -= known scalar from different maps",
30 .insns = {
31 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
32 offsetof(struct __sk_buff, len)),
33 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
34 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
35 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
36 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
37 BPF_LD_MAP_FD(BPF_REG_1, 0),
38 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
39 BPF_LD_MAP_FD(BPF_REG_1, 0),
40 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
41 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
42 BPF_MOV64_IMM(BPF_REG_1, 4),
43 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
44 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
45 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
46 BPF_MOV64_IMM(BPF_REG_0, 1),
47 BPF_EXIT_INSN(),
48 },
49 .fixup_map_hash_16b = { 5 },
50 .fixup_map_array_48b = { 8 },
51 .result = ACCEPT,
52 .result_unpriv = REJECT,
53 .errstr_unpriv = "R0 min value is outside of the array range",
54 .retval = 1,
55},
56{
57 "map access: known scalar += value_ptr from different maps, but same value properties",
58 .insns = {
59 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
60 offsetof(struct __sk_buff, len)),
61 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
62 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
63 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
64 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
65 BPF_LD_MAP_FD(BPF_REG_1, 0),
66 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
67 BPF_LD_MAP_FD(BPF_REG_1, 0),
68 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
69 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
70 BPF_MOV64_IMM(BPF_REG_1, 4),
71 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
72 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
73 BPF_MOV64_IMM(BPF_REG_0, 1),
74 BPF_EXIT_INSN(),
75 },
76 .fixup_map_hash_48b = { 5 },
77 .fixup_map_array_48b = { 8 },
78 .result = ACCEPT,
79 .retval = 1,
80},
81{
82 "map access: mixing value pointer and scalar, 1",
83 .insns = {
84 // load map value pointer into r0 and r2
85 BPF_MOV64_IMM(BPF_REG_0, 1),
86 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
87 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
89 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
90 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
91 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
92 BPF_EXIT_INSN(),
93 // load some number from the map into r1
94 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
95 // depending on r1, branch:
96 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
97 // branch A
98 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
99 BPF_MOV64_IMM(BPF_REG_3, 0),
100 BPF_JMP_A(2),
101 // branch B
102 BPF_MOV64_IMM(BPF_REG_2, 0),
103 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
104 // common instruction
105 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
106 // depending on r1, branch:
107 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
108 // branch A
109 BPF_JMP_A(4),
110 // branch B
111 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
112 // verifier follows fall-through
113 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
114 BPF_MOV64_IMM(BPF_REG_0, 0),
115 BPF_EXIT_INSN(),
116 // fake-dead code; targeted from branch A to
117 // prevent dead code sanitization
118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
119 BPF_MOV64_IMM(BPF_REG_0, 0),
120 BPF_EXIT_INSN(),
121 },
122 .fixup_map_array_48b = { 1 },
123 .result = ACCEPT,
124 .result_unpriv = REJECT,
125 .errstr_unpriv = "R2 tried to add from different pointers or scalars",
126 .retval = 0,
127},
128{
129 "map access: mixing value pointer and scalar, 2",
130 .insns = {
131 // load map value pointer into r0 and r2
132 BPF_MOV64_IMM(BPF_REG_0, 1),
133 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
134 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
136 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
137 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
138 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
139 BPF_EXIT_INSN(),
140 // load some number from the map into r1
141 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
142 // depending on r1, branch:
143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
144 // branch A
145 BPF_MOV64_IMM(BPF_REG_2, 0),
146 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
147 BPF_JMP_A(2),
148 // branch B
149 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
150 BPF_MOV64_IMM(BPF_REG_3, 0),
151 // common instruction
152 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
153 // depending on r1, branch:
154 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
155 // branch A
156 BPF_JMP_A(4),
157 // branch B
158 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
159 // verifier follows fall-through
160 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
161 BPF_MOV64_IMM(BPF_REG_0, 0),
162 BPF_EXIT_INSN(),
163 // fake-dead code; targeted from branch A to
164 // prevent dead code sanitization
165 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
166 BPF_MOV64_IMM(BPF_REG_0, 0),
167 BPF_EXIT_INSN(),
168 },
169 .fixup_map_array_48b = { 1 },
170 .result = ACCEPT,
171 .result_unpriv = REJECT,
172 .errstr_unpriv = "R2 tried to add from different maps or paths",
173 .retval = 0,
174},
175{
176 "sanitation: alu with different scalars 1",
177 .insns = {
178 BPF_MOV64_IMM(BPF_REG_0, 1),
179 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
180 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
182 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
183 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
184 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
185 BPF_EXIT_INSN(),
186 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
187 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
188 BPF_MOV64_IMM(BPF_REG_2, 0),
189 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
190 BPF_JMP_A(2),
191 BPF_MOV64_IMM(BPF_REG_2, 42),
192 BPF_MOV64_IMM(BPF_REG_3, 0x100001),
193 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
194 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
195 BPF_EXIT_INSN(),
196 },
197 .fixup_map_array_48b = { 1 },
198 .result = ACCEPT,
199 .retval = 0x100000,
200},
201{
202 "sanitation: alu with different scalars 2",
203 .insns = {
204 BPF_MOV64_IMM(BPF_REG_0, 1),
205 BPF_LD_MAP_FD(BPF_REG_1, 0),
206 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
209 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
210 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
211 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
212 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
215 BPF_EMIT_CALL(BPF_FUNC_map_delete_elem),
216 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
217 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
218 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
219 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
220 BPF_EXIT_INSN(),
221 },
222 .fixup_map_array_48b = { 1 },
223 .result = ACCEPT,
224 .retval = -EINVAL * 2,
225},
226{
227 "sanitation: alu with different scalars 3",
228 .insns = {
229 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
230 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
231 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
232 BPF_MOV64_IMM(BPF_REG_0, EINVAL),
233 BPF_ALU64_IMM(BPF_MUL, BPF_REG_0, -1),
234 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
235 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
236 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_7),
237 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
238 BPF_EXIT_INSN(),
239 },
240 .result = ACCEPT,
241 .retval = -EINVAL * 2,
242},
243{
244 "map access: value_ptr += known scalar, upper oob arith, test 1",
245 .insns = {
246 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
247 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
249 BPF_LD_MAP_FD(BPF_REG_1, 0),
250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
252 BPF_MOV64_IMM(BPF_REG_1, 48),
253 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
254 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
255 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
256 BPF_MOV64_IMM(BPF_REG_0, 1),
257 BPF_EXIT_INSN(),
258 },
259 .fixup_map_array_48b = { 3 },
260 .result = ACCEPT,
261 .result_unpriv = REJECT,
262 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
263 .retval = 1,
264},
265{
266 "map access: value_ptr += known scalar, upper oob arith, test 2",
267 .insns = {
268 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
271 BPF_LD_MAP_FD(BPF_REG_1, 0),
272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
273 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
274 BPF_MOV64_IMM(BPF_REG_1, 49),
275 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
276 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
277 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
278 BPF_MOV64_IMM(BPF_REG_0, 1),
279 BPF_EXIT_INSN(),
280 },
281 .fixup_map_array_48b = { 3 },
282 .result = ACCEPT,
283 .result_unpriv = REJECT,
284 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
285 .retval = 1,
286},
287{
288 "map access: value_ptr += known scalar, upper oob arith, test 3",
289 .insns = {
290 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
291 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
293 BPF_LD_MAP_FD(BPF_REG_1, 0),
294 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
296 BPF_MOV64_IMM(BPF_REG_1, 47),
297 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
298 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
300 BPF_MOV64_IMM(BPF_REG_0, 1),
301 BPF_EXIT_INSN(),
302 },
303 .fixup_map_array_48b = { 3 },
304 .result = ACCEPT,
305 .result_unpriv = REJECT,
306 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
307 .retval = 1,
308},
309{
310 "map access: value_ptr -= known scalar, lower oob arith, test 1",
311 .insns = {
312 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
313 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
315 BPF_LD_MAP_FD(BPF_REG_1, 0),
316 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
317 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
318 BPF_MOV64_IMM(BPF_REG_1, 47),
319 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
320 BPF_MOV64_IMM(BPF_REG_1, 48),
321 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
322 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
323 BPF_MOV64_IMM(BPF_REG_0, 1),
324 BPF_EXIT_INSN(),
325 },
326 .fixup_map_array_48b = { 3 },
327 .result = REJECT,
328 .errstr = "R0 min value is outside of the array range",
329 .result_unpriv = REJECT,
330 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
331},
332{
333 "map access: value_ptr -= known scalar, lower oob arith, test 2",
334 .insns = {
335 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
338 BPF_LD_MAP_FD(BPF_REG_1, 0),
339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
341 BPF_MOV64_IMM(BPF_REG_1, 47),
342 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
343 BPF_MOV64_IMM(BPF_REG_1, 48),
344 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
345 BPF_MOV64_IMM(BPF_REG_1, 1),
346 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
347 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
348 BPF_MOV64_IMM(BPF_REG_0, 1),
349 BPF_EXIT_INSN(),
350 },
351 .fixup_map_array_48b = { 3 },
352 .result = ACCEPT,
353 .result_unpriv = REJECT,
354 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
355 .retval = 1,
356},
357{
358 "map access: value_ptr -= known scalar, lower oob arith, test 3",
359 .insns = {
360 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
361 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
363 BPF_LD_MAP_FD(BPF_REG_1, 0),
364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
366 BPF_MOV64_IMM(BPF_REG_1, 47),
367 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
368 BPF_MOV64_IMM(BPF_REG_1, 47),
369 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
370 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
371 BPF_MOV64_IMM(BPF_REG_0, 1),
372 BPF_EXIT_INSN(),
373 },
374 .fixup_map_array_48b = { 3 },
375 .result = ACCEPT,
376 .result_unpriv = REJECT,
377 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
378 .retval = 1,
379},
380{
381 "map access: known scalar += value_ptr",
382 .insns = {
383 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
386 BPF_LD_MAP_FD(BPF_REG_1, 0),
387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
388 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
389 BPF_MOV64_IMM(BPF_REG_1, 4),
390 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
391 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
392 BPF_MOV64_IMM(BPF_REG_0, 1),
393 BPF_EXIT_INSN(),
394 },
395 .fixup_map_array_48b = { 3 },
396 .result = ACCEPT,
397 .retval = 1,
398},
399{
400 "map access: value_ptr += known scalar, 1",
401 .insns = {
402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
405 BPF_LD_MAP_FD(BPF_REG_1, 0),
406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
407 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
408 BPF_MOV64_IMM(BPF_REG_1, 4),
409 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
410 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
411 BPF_MOV64_IMM(BPF_REG_0, 1),
412 BPF_EXIT_INSN(),
413 },
414 .fixup_map_array_48b = { 3 },
415 .result = ACCEPT,
416 .retval = 1,
417},
418{
419 "map access: value_ptr += known scalar, 2",
420 .insns = {
421 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
422 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
424 BPF_LD_MAP_FD(BPF_REG_1, 0),
425 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
426 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
427 BPF_MOV64_IMM(BPF_REG_1, 49),
428 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
429 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
430 BPF_MOV64_IMM(BPF_REG_0, 1),
431 BPF_EXIT_INSN(),
432 },
433 .fixup_map_array_48b = { 3 },
434 .result = REJECT,
435 .errstr = "invalid access to map value",
436},
437{
438 "map access: value_ptr += known scalar, 3",
439 .insns = {
440 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
443 BPF_LD_MAP_FD(BPF_REG_1, 0),
444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
445 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
446 BPF_MOV64_IMM(BPF_REG_1, -1),
447 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
448 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
449 BPF_MOV64_IMM(BPF_REG_0, 1),
450 BPF_EXIT_INSN(),
451 },
452 .fixup_map_array_48b = { 3 },
453 .result = REJECT,
454 .errstr = "invalid access to map value",
455},
456{
457 "map access: value_ptr += known scalar, 4",
458 .insns = {
459 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
462 BPF_LD_MAP_FD(BPF_REG_1, 0),
463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
464 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
465 BPF_MOV64_IMM(BPF_REG_1, 5),
466 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
467 BPF_MOV64_IMM(BPF_REG_1, -2),
468 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
469 BPF_MOV64_IMM(BPF_REG_1, -1),
470 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
471 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
472 BPF_MOV64_IMM(BPF_REG_0, 1),
473 BPF_EXIT_INSN(),
474 },
475 .fixup_map_array_48b = { 3 },
476 .result = ACCEPT,
477 .result_unpriv = REJECT,
478 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
479 .retval = 1,
480},
481{
482 "map access: value_ptr += known scalar, 5",
483 .insns = {
484 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
485 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
487 BPF_LD_MAP_FD(BPF_REG_1, 0),
488 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
489 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
490 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
491 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
493 BPF_EXIT_INSN(),
494 },
495 .fixup_map_array_48b = { 3 },
496 .result = ACCEPT,
497 .retval = 0xabcdef12,
498},
499{
500 "map access: value_ptr += known scalar, 6",
501 .insns = {
502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
505 BPF_LD_MAP_FD(BPF_REG_1, 0),
506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
507 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
508 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
509 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
510 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
511 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
512 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
513 BPF_EXIT_INSN(),
514 },
515 .fixup_map_array_48b = { 3 },
516 .result = ACCEPT,
517 .retval = 0xabcdef12,
518},
519{
520 "map access: unknown scalar += value_ptr, 1",
521 .insns = {
522 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
525 BPF_LD_MAP_FD(BPF_REG_1, 0),
526 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
528 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
529 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
530 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
531 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
532 BPF_MOV64_IMM(BPF_REG_0, 1),
533 BPF_EXIT_INSN(),
534 },
535 .fixup_map_array_48b = { 3 },
536 .result = ACCEPT,
537 .retval = 1,
538},
539{
540 "map access: unknown scalar += value_ptr, 2",
541 .insns = {
542 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
543 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
545 BPF_LD_MAP_FD(BPF_REG_1, 0),
546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
548 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
549 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
550 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
552 BPF_EXIT_INSN(),
553 },
554 .fixup_map_array_48b = { 3 },
555 .result = ACCEPT,
556 .retval = 0xabcdef12,
557 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
558},
559{
560 "map access: unknown scalar += value_ptr, 3",
561 .insns = {
562 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
563 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
565 BPF_LD_MAP_FD(BPF_REG_1, 0),
566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
567 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
568 BPF_MOV64_IMM(BPF_REG_1, -1),
569 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
570 BPF_MOV64_IMM(BPF_REG_1, 1),
571 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
572 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
573 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
574 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
576 BPF_EXIT_INSN(),
577 },
578 .fixup_map_array_48b = { 3 },
579 .result = ACCEPT,
580 .result_unpriv = REJECT,
581 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
582 .retval = 0xabcdef12,
583 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
584},
585{
586 "map access: unknown scalar += value_ptr, 4",
587 .insns = {
588 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
589 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
591 BPF_LD_MAP_FD(BPF_REG_1, 0),
592 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
594 BPF_MOV64_IMM(BPF_REG_1, 19),
595 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
596 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
597 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
598 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
599 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
600 BPF_EXIT_INSN(),
601 },
602 .fixup_map_array_48b = { 3 },
603 .result = REJECT,
604 .errstr = "R1 max value is outside of the array range",
605 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
606 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
607},
608{
609 "map access: value_ptr += unknown scalar, 1",
610 .insns = {
611 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
612 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
614 BPF_LD_MAP_FD(BPF_REG_1, 0),
615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
616 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
617 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
618 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
619 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
620 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
621 BPF_MOV64_IMM(BPF_REG_0, 1),
622 BPF_EXIT_INSN(),
623 },
624 .fixup_map_array_48b = { 3 },
625 .result = ACCEPT,
626 .retval = 1,
627},
628{
629 "map access: value_ptr += unknown scalar, 2",
630 .insns = {
631 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
634 BPF_LD_MAP_FD(BPF_REG_1, 0),
635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
636 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
637 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
638 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
639 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
640 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
641 BPF_EXIT_INSN(),
642 },
643 .fixup_map_array_48b = { 3 },
644 .result = ACCEPT,
645 .retval = 0xabcdef12,
646 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
647},
648{
649 "map access: value_ptr += unknown scalar, 3",
650 .insns = {
651 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
654 BPF_LD_MAP_FD(BPF_REG_1, 0),
655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
657 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
658 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
659 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
660 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
661 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
662 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
663 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
664 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
665 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
666 BPF_MOV64_IMM(BPF_REG_0, 1),
667 BPF_EXIT_INSN(),
668 BPF_MOV64_IMM(BPF_REG_0, 2),
669 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
670 },
671 .fixup_map_array_48b = { 3 },
672 .result = ACCEPT,
673 .retval = 1,
674},
675{
676 "map access: value_ptr += value_ptr",
677 .insns = {
678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
681 BPF_LD_MAP_FD(BPF_REG_1, 0),
682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
684 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
685 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
686 BPF_MOV64_IMM(BPF_REG_0, 1),
687 BPF_EXIT_INSN(),
688 },
689 .fixup_map_array_48b = { 3 },
690 .result = REJECT,
691 .errstr = "R0 pointer += pointer prohibited",
692},
693{
694 "map access: known scalar -= value_ptr",
695 .insns = {
696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
699 BPF_LD_MAP_FD(BPF_REG_1, 0),
700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
701 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
702 BPF_MOV64_IMM(BPF_REG_1, 4),
703 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
704 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
705 BPF_MOV64_IMM(BPF_REG_0, 1),
706 BPF_EXIT_INSN(),
707 },
708 .fixup_map_array_48b = { 3 },
709 .result = REJECT,
710 .errstr = "R1 tried to subtract pointer from scalar",
711},
712{
713 "map access: value_ptr -= known scalar",
714 .insns = {
715 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
716 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
718 BPF_LD_MAP_FD(BPF_REG_1, 0),
719 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
721 BPF_MOV64_IMM(BPF_REG_1, 4),
722 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
723 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
724 BPF_MOV64_IMM(BPF_REG_0, 1),
725 BPF_EXIT_INSN(),
726 },
727 .fixup_map_array_48b = { 3 },
728 .result = REJECT,
729 .errstr = "R0 min value is outside of the array range",
730},
731{
732 "map access: value_ptr -= known scalar, 2",
733 .insns = {
734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
737 BPF_LD_MAP_FD(BPF_REG_1, 0),
738 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
740 BPF_MOV64_IMM(BPF_REG_1, 6),
741 BPF_MOV64_IMM(BPF_REG_2, 4),
742 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
743 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
744 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
745 BPF_MOV64_IMM(BPF_REG_0, 1),
746 BPF_EXIT_INSN(),
747 },
748 .fixup_map_array_48b = { 3 },
749 .result = ACCEPT,
750 .result_unpriv = REJECT,
751 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
752 .retval = 1,
753},
754{
755 "map access: unknown scalar -= value_ptr",
756 .insns = {
757 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
760 BPF_LD_MAP_FD(BPF_REG_1, 0),
761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
762 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
763 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
764 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
765 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
766 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
767 BPF_MOV64_IMM(BPF_REG_0, 1),
768 BPF_EXIT_INSN(),
769 },
770 .fixup_map_array_48b = { 3 },
771 .result = REJECT,
772 .errstr = "R1 tried to subtract pointer from scalar",
773},
774{
775 "map access: value_ptr -= unknown scalar",
776 .insns = {
777 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
780 BPF_LD_MAP_FD(BPF_REG_1, 0),
781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
783 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
784 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
785 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
786 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
787 BPF_MOV64_IMM(BPF_REG_0, 1),
788 BPF_EXIT_INSN(),
789 },
790 .fixup_map_array_48b = { 3 },
791 .result = REJECT,
792 .errstr = "R0 min value is negative",
793},
794{
795 "map access: value_ptr -= unknown scalar, 2",
796 .insns = {
797 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
800 BPF_LD_MAP_FD(BPF_REG_1, 0),
801 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
803 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
804 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
805 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
806 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
807 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
808 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
809 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
810 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
811 BPF_MOV64_IMM(BPF_REG_0, 1),
812 BPF_EXIT_INSN(),
813 },
814 .fixup_map_array_48b = { 3 },
815 .result = ACCEPT,
816 .result_unpriv = REJECT,
817 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
818 .retval = 1,
819},
820{
821 "map access: value_ptr -= value_ptr",
822 .insns = {
823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
826 BPF_LD_MAP_FD(BPF_REG_1, 0),
827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
829 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
830 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
831 BPF_MOV64_IMM(BPF_REG_0, 1),
832 BPF_EXIT_INSN(),
833 },
834 .fixup_map_array_48b = { 3 },
835 .result = REJECT,
836 .errstr = "R0 invalid mem access 'inv'",
837 .errstr_unpriv = "R0 pointer -= pointer prohibited",
838},