1{
  2	"variable-offset ctx access",
  3	.insns = {
  4	/* Get an unknown value */
  5	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
  6	/* Make it small and 4-byte aligned */
  7	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
  8	/* add it to skb.  We now have either &skb->len or
  9	 * &skb->pkt_type, but we don't know which
 10	 */
 11	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
 12	/* dereference it */
 13	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
 14	BPF_EXIT_INSN(),
 15	},
 16	.errstr = "variable ctx access var_off=(0x0; 0x4)",
 17	.result = REJECT,
 18	.prog_type = BPF_PROG_TYPE_LWT_IN,
 19},
 20{
 21	"variable-offset stack access",
 22	.insns = {
 23	/* Fill the top 8 bytes of the stack */
 24	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
 25	/* Get an unknown value */
 26	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
 27	/* Make it small and 4-byte aligned */
 28	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
 29	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
 30	/* add it to fp.  We now have either fp-4 or fp-8, but
 31	 * we don't know which
 32	 */
 33	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
 34	/* dereference it */
 35	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
 36	BPF_EXIT_INSN(),
 37	},
 38	.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
 39	.result = REJECT,
 40	.prog_type = BPF_PROG_TYPE_LWT_IN,
 41},
 42{
 43	"indirect variable-offset stack access, unbounded",
 44	.insns = {
 45	BPF_MOV64_IMM(BPF_REG_2, 6),
 46	BPF_MOV64_IMM(BPF_REG_3, 28),
 47	/* Fill the top 16 bytes of the stack. */
 48	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
 49	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
 50	/* Get an unknown value. */
 51	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops,
 52							   bytes_received)),
 53	/* Check the lower bound but don't check the upper one. */
 54	BPF_JMP_IMM(BPF_JSLT, BPF_REG_4, 0, 4),
 55	/* Point the lower bound to initialized stack. Offset is now in range
 56	 * from fp-16 to fp+0x7fffffffffffffef, i.e. max value is unbounded.
 57	 */
 58	BPF_ALU64_IMM(BPF_SUB, BPF_REG_4, 16),
 59	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_10),
 60	BPF_MOV64_IMM(BPF_REG_5, 8),
 61	/* Dereference it indirectly. */
 62	BPF_EMIT_CALL(BPF_FUNC_getsockopt),
 63	BPF_MOV64_IMM(BPF_REG_0, 0),
 64	BPF_EXIT_INSN(),
 65	},
 66	.errstr = "R4 unbounded indirect variable offset stack access",
 67	.result = REJECT,
 68	.prog_type = BPF_PROG_TYPE_SOCK_OPS,
 69},
 70{
 71	"indirect variable-offset stack access, max out of bound",
 72	.insns = {
 73	/* Fill the top 8 bytes of the stack */
 74	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
 75	/* Get an unknown value */
 76	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
 77	/* Make it small and 4-byte aligned */
 78	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
 79	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
 80	/* add it to fp.  We now have either fp-4 or fp-8, but
 81	 * we don't know which
 82	 */
 83	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
 84	/* dereference it indirectly */
 85	BPF_LD_MAP_FD(BPF_REG_1, 0),
 86	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
 87	BPF_MOV64_IMM(BPF_REG_0, 0),
 88	BPF_EXIT_INSN(),
 89	},
 90	.fixup_map_hash_8b = { 5 },
 91	.errstr = "R2 max value is outside of stack bound",
 92	.result = REJECT,
 93	.prog_type = BPF_PROG_TYPE_LWT_IN,
 94},
 95{
 96	"indirect variable-offset stack access, min out of bound",
 97	.insns = {
 98	/* Fill the top 8 bytes of the stack */
 99	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
100	/* Get an unknown value */
101	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
102	/* Make it small and 4-byte aligned */
103	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
104	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 516),
105	/* add it to fp.  We now have either fp-516 or fp-512, but
106	 * we don't know which
107	 */
108	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
109	/* dereference it indirectly */
110	BPF_LD_MAP_FD(BPF_REG_1, 0),
111	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
112	BPF_MOV64_IMM(BPF_REG_0, 0),
113	BPF_EXIT_INSN(),
114	},
115	.fixup_map_hash_8b = { 5 },
116	.errstr = "R2 min value is outside of stack bound",
117	.result = REJECT,
118	.prog_type = BPF_PROG_TYPE_LWT_IN,
119},
120{
121	"indirect variable-offset stack access, max_off+size > max_initialized",
122	.insns = {
123	/* Fill only the second from top 8 bytes of the stack. */
124	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
125	/* Get an unknown value. */
126	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
127	/* Make it small and 4-byte aligned. */
128	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
129	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16),
130	/* Add it to fp.  We now have either fp-12 or fp-16, but we don't know
131	 * which. fp-12 size 8 is partially uninitialized stack.
132	 */
133	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
134	/* Dereference it indirectly. */
135	BPF_LD_MAP_FD(BPF_REG_1, 0),
136	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
137	BPF_MOV64_IMM(BPF_REG_0, 0),
138	BPF_EXIT_INSN(),
139	},
140	.fixup_map_hash_8b = { 5 },
141	.errstr = "invalid indirect read from stack var_off",
142	.result = REJECT,
143	.prog_type = BPF_PROG_TYPE_LWT_IN,
144},
145{
146	"indirect variable-offset stack access, min_off < min_initialized",
147	.insns = {
148	/* Fill only the top 8 bytes of the stack. */
149	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
150	/* Get an unknown value */
151	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
152	/* Make it small and 4-byte aligned. */
153	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
154	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16),
155	/* Add it to fp.  We now have either fp-12 or fp-16, but we don't know
156	 * which. fp-16 size 8 is partially uninitialized stack.
157	 */
158	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
159	/* Dereference it indirectly. */
160	BPF_LD_MAP_FD(BPF_REG_1, 0),
161	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
162	BPF_MOV64_IMM(BPF_REG_0, 0),
163	BPF_EXIT_INSN(),
164	},
165	.fixup_map_hash_8b = { 5 },
166	.errstr = "invalid indirect read from stack var_off",
167	.result = REJECT,
168	.prog_type = BPF_PROG_TYPE_LWT_IN,
169},
170{
171	"indirect variable-offset stack access, priv vs unpriv",
172	.insns = {
173	/* Fill the top 16 bytes of the stack. */
174	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
175	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
176	/* Get an unknown value. */
177	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
178	/* Make it small and 4-byte aligned. */
179	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
180	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16),
181	/* Add it to fp.  We now have either fp-12 or fp-16, we don't know
182	 * which, but either way it points to initialized stack.
183	 */
184	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
185	/* Dereference it indirectly. */
186	BPF_LD_MAP_FD(BPF_REG_1, 0),
187	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
188	BPF_MOV64_IMM(BPF_REG_0, 0),
189	BPF_EXIT_INSN(),
190	},
191	.fixup_map_hash_8b = { 6 },
192	.errstr_unpriv = "R2 stack pointer arithmetic goes out of range, prohibited for !root",
193	.result_unpriv = REJECT,
194	.result = ACCEPT,
195	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
196},
197{
198	"indirect variable-offset stack access, uninitialized",
199	.insns = {
200	BPF_MOV64_IMM(BPF_REG_2, 6),
201	BPF_MOV64_IMM(BPF_REG_3, 28),
202	/* Fill the top 16 bytes of the stack. */
203	BPF_ST_MEM(BPF_W, BPF_REG_10, -16, 0),
204	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
205	/* Get an unknown value. */
206	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 0),
207	/* Make it small and 4-byte aligned. */
208	BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 4),
209	BPF_ALU64_IMM(BPF_SUB, BPF_REG_4, 16),
210	/* Add it to fp.  We now have either fp-12 or fp-16, we don't know
211	 * which, but either way it points to initialized stack.
212	 */
213	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_10),
214	BPF_MOV64_IMM(BPF_REG_5, 8),
215	/* Dereference it indirectly. */
216	BPF_EMIT_CALL(BPF_FUNC_getsockopt),
217	BPF_MOV64_IMM(BPF_REG_0, 0),
218	BPF_EXIT_INSN(),
219	},
220	.errstr = "invalid indirect read from stack var_off",
221	.result = REJECT,
222	.prog_type = BPF_PROG_TYPE_SOCK_OPS,
223},
224{
225	"indirect variable-offset stack access, ok",
226	.insns = {
227	/* Fill the top 16 bytes of the stack. */
228	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
229	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
230	/* Get an unknown value. */
231	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
232	/* Make it small and 4-byte aligned. */
233	BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
234	BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 16),
235	/* Add it to fp.  We now have either fp-12 or fp-16, we don't know
236	 * which, but either way it points to initialized stack.
237	 */
238	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
239	/* Dereference it indirectly. */
240	BPF_LD_MAP_FD(BPF_REG_1, 0),
241	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
242	BPF_MOV64_IMM(BPF_REG_0, 0),
243	BPF_EXIT_INSN(),
244	},
245	.fixup_map_hash_8b = { 6 },
246	.result = ACCEPT,
247	.prog_type = BPF_PROG_TYPE_LWT_IN,
248},