/*
 * BPF verifier test vectors for spilling a pointer register to the stack
 * and filling it back.  Each entry is one small program together with the
 * verdict expected from the verifier for a privileged loader (.result) and
 * for an unprivileged one (.result_unpriv / .errstr_unpriv).
 *
 * The security property under test: a pointer that was spilled to the stack
 * must only come back as a pointer if the slot was not modified in between,
 * and an unprivileged program must never be able to return a kernel pointer
 * value to user space.
 */
{
	"check valid spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* fill it back into R2 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
	/* should be able to access R0 = *(R2 + 8) */
	/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	/* Privileged: accepted, and the program returns the ctx pointer value.
	 * Unprivileged: rejected, because R0 still holds a kernel pointer at
	 * exit and returning it would leak a kernel address.
	 */
	.errstr_unpriv = "R0 leaks addr",
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.retval = POINTER_VALUE,
},
{
	"check valid spill/fill, skb mark",
	.insns = {
	/* copy ctx to R6, spill it, fill it back into R0 */
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* the filled-back ctx must still be usable for a field load;
	 * R0 ends up holding skb->mark (a scalar), so this is fine for
	 * unprivileged loaders too.
	 */
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},
{
	"check valid spill/fill, ptr to mem",
	.insns = {
	/* reserve 8 byte ringbuf memory */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_IMM(BPF_REG_2, 8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	/* store a pointer to the reserved memory in R6 */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* check whether the reservation was successful */
	/* on NULL, skip the six instructions up to the final MOV R0, 0 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
	/* spill R6(mem) into the stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* fill it back in R7 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
	/* should be able to access *(R7) = 0 */
	BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
	/* submit the reserved ringbuf memory */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	/* instruction index patched with the ringbuf map fd by the harness;
	 * presumably the BPF_LD_MAP_FD at index 1 — verify against the runner
	 */
	.fixup_map_ringbuf = { 1 },
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},
{
	"check corrupted spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* mess up with R1 pointer on stack */
	BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
	/* fill back into R0 is fine for priv.
	 * R0 now becomes SCALAR_VALUE.
	 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* Load from R0 should fail. */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
	BPF_EXIT_INSN(),
	},
	/* Unprivileged: the partial overwrite of the spilled pointer slot is
	 * itself rejected.  Privileged: the overwrite is allowed, but the value
	 * filled back is no longer a pointer, so dereferencing it is rejected.
	 * The errstr appears to be a prefix match on the verifier log — confirm.
	 */
	.errstr_unpriv = "attempt to corrupt spilled",
	.errstr = "R0 invalid mem access 'inv",
	.result = REJECT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	"check corrupted spill/fill, LSB",
	.insns = {
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* 2-byte store into the low end of the 8-byte spill slot */
	BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	/* Privileged: accepted and the program returns a pointer value.
	 * Unprivileged: rejected for modifying a slot holding a spilled pointer.
	 */
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},
{
	"check corrupted spill/fill, MSB",
	.insns = {
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* 4-byte store into the high end of the 8-byte spill slot */
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	/* Same verdicts as the LSB case: only the unprivileged loader is
	 * refused the partial overwrite of a spilled pointer.
	 */
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},