Gitiles
Code Review Sign In
192.168.1.100 / T108 / e958203796650e3959a43708d67534bf36f4c83b / . / marvell / linux / tools / testing / selftests / bpf / verifier / unpriv.c
blob: 593f5b586e8722080d5679cd469904a0c8157c69 [file] [log] [blame]
b.liue9582032025-04-17 19:18:16 +0800[diff] [blame^]1{
2 "unpriv: return pointer",
3 .insns = {
4 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
5 BPF_EXIT_INSN(),
6 },
7 .result = ACCEPT,
8 .result_unpriv = REJECT,
9 .errstr_unpriv = "R0 leaks addr",
10 .retval = POINTER_VALUE,
11},
12{
13 "unpriv: add const to pointer",
14 .insns = {
15 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
16 BPF_MOV64_IMM(BPF_REG_0, 0),
17 BPF_EXIT_INSN(),
18 },
19 .result = ACCEPT,
20},
21{
22 "unpriv: add pointer to pointer",
23 .insns = {
24 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
25 BPF_MOV64_IMM(BPF_REG_0, 0),
26 BPF_EXIT_INSN(),
27 },
28 .result = REJECT,
29 .errstr = "R1 pointer += pointer",
30},
31{
32 "unpriv: neg pointer",
33 .insns = {
34 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
35 BPF_MOV64_IMM(BPF_REG_0, 0),
36 BPF_EXIT_INSN(),
37 },
38 .result = ACCEPT,
39 .result_unpriv = REJECT,
40 .errstr_unpriv = "R1 pointer arithmetic",
41},
42{
43 "unpriv: cmp pointer with const",
44 .insns = {
45 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
46 BPF_MOV64_IMM(BPF_REG_0, 0),
47 BPF_EXIT_INSN(),
48 },
49 .result = ACCEPT,
50 .result_unpriv = REJECT,
51 .errstr_unpriv = "R1 pointer comparison",
52},
53{
54 "unpriv: cmp pointer with pointer",
55 .insns = {
56 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
57 BPF_MOV64_IMM(BPF_REG_0, 0),
58 BPF_EXIT_INSN(),
59 },
60 .result = ACCEPT,
61 .result_unpriv = REJECT,
62 .errstr_unpriv = "R10 pointer comparison",
63},
64{
65 "unpriv: check that printk is disallowed",
66 .insns = {
67 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
68 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
69 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
70 BPF_MOV64_IMM(BPF_REG_2, 8),
71 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
72 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_trace_printk),
73 BPF_MOV64_IMM(BPF_REG_0, 0),
74 BPF_EXIT_INSN(),
75 },
76 .errstr_unpriv = "unknown func bpf_trace_printk#6",
77 .result_unpriv = REJECT,
78 .result = ACCEPT,
79 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
80},
81{
82 "unpriv: pass pointer to helper function",
83 .insns = {
84 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
85 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
86 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
87 BPF_LD_MAP_FD(BPF_REG_1, 0),
88 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
89 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
90 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
91 BPF_MOV64_IMM(BPF_REG_0, 0),
92 BPF_EXIT_INSN(),
93 },
94 .fixup_map_hash_8b = { 3 },
95 .errstr_unpriv = "R4 leaks addr",
96 .result_unpriv = REJECT,
97 .result = ACCEPT,
98},
99{
100 "unpriv: indirectly pass pointer on stack to helper function",
101 .insns = {
102 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
105 BPF_LD_MAP_FD(BPF_REG_1, 0),
106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
107 BPF_MOV64_IMM(BPF_REG_0, 0),
108 BPF_EXIT_INSN(),
109 },
110 .fixup_map_hash_8b = { 3 },
111 .errstr = "invalid indirect read from stack off -8+0 size 8",
112 .result = REJECT,
113},
114{
115 "unpriv: mangle pointer on stack 1",
116 .insns = {
117 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
118 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
119 BPF_MOV64_IMM(BPF_REG_0, 0),
120 BPF_EXIT_INSN(),
121 },
122 .errstr_unpriv = "attempt to corrupt spilled",
123 .result_unpriv = REJECT,
124 .result = ACCEPT,
125},
126{
127 "unpriv: mangle pointer on stack 2",
128 .insns = {
129 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
130 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
131 BPF_MOV64_IMM(BPF_REG_0, 0),
132 BPF_EXIT_INSN(),
133 },
134 .errstr_unpriv = "attempt to corrupt spilled",
135 .result_unpriv = REJECT,
136 .result = ACCEPT,
137},
138{
139 "unpriv: read pointer from stack in small chunks",
140 .insns = {
141 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
142 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
143 BPF_MOV64_IMM(BPF_REG_0, 0),
144 BPF_EXIT_INSN(),
145 },
146 .errstr = "invalid size",
147 .result = REJECT,
148},
149{
150 "unpriv: write pointer into ctx",
151 .insns = {
152 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
153 BPF_MOV64_IMM(BPF_REG_0, 0),
154 BPF_EXIT_INSN(),
155 },
156 .errstr_unpriv = "R1 leaks addr",
157 .result_unpriv = REJECT,
158 .errstr = "invalid bpf_context access",
159 .result = REJECT,
160},
161{
162 "unpriv: spill/fill of ctx",
163 .insns = {
164 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
166 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
167 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
168 BPF_MOV64_IMM(BPF_REG_0, 0),
169 BPF_EXIT_INSN(),
170 },
171 .result = ACCEPT,
172},
173{
174 "unpriv: spill/fill of ctx 2",
175 .insns = {
176 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
178 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
179 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc),
181 BPF_MOV64_IMM(BPF_REG_0, 0),
182 BPF_EXIT_INSN(),
183 },
184 .result = ACCEPT,
185 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
186},
187{
188 "unpriv: spill/fill of ctx 3",
189 .insns = {
190 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
192 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
193 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
194 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
195 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc),
196 BPF_EXIT_INSN(),
197 },
198 .result = REJECT,
199 .errstr = "R1 type=fp expected=ctx",
200 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
201},
202{
203 "unpriv: spill/fill of ctx 4",
204 .insns = {
205 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
207 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
208 BPF_MOV64_IMM(BPF_REG_0, 1),
209 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, BPF_REG_0, -8, 0),
210 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_hash_recalc),
212 BPF_EXIT_INSN(),
213 },
214 .result = REJECT,
215 .errstr = "R1 type=inv expected=ctx",
216 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
217},
218{
219 "unpriv: spill/fill of different pointers stx",
220 .insns = {
221 BPF_MOV64_IMM(BPF_REG_3, 42),
222 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
227 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
228 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
229 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
230 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
231 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
232 offsetof(struct __sk_buff, mark)),
233 BPF_MOV64_IMM(BPF_REG_0, 0),
234 BPF_EXIT_INSN(),
235 },
236 .result = REJECT,
237 .errstr = "same insn cannot be used with different pointers",
238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
239},
240{
241 "unpriv: spill/fill of different pointers stx - ctx and sock",
242 .insns = {
243 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
244 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
245 BPF_SK_LOOKUP(sk_lookup_tcp),
246 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
247 /* u64 foo; */
248 /* void *target = &foo; */
249 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
252 /* if (skb == NULL) *target = sock; */
253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
254 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
255 /* else *target = skb; */
256 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
257 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
258 /* struct __sk_buff *skb = *target; */
259 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
260 /* skb->mark = 42; */
261 BPF_MOV64_IMM(BPF_REG_3, 42),
262 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
263 offsetof(struct __sk_buff, mark)),
264 /* if (sk) bpf_sk_release(sk) */
265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
266 BPF_EMIT_CALL(BPF_FUNC_sk_release),
267 BPF_MOV64_IMM(BPF_REG_0, 0),
268 BPF_EXIT_INSN(),
269 },
270 .result = REJECT,
271 .errstr = "type=ctx expected=sock",
272 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
273},
274{
275 "unpriv: spill/fill of different pointers stx - leak sock",
276 .insns = {
277 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
278 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
279 BPF_SK_LOOKUP(sk_lookup_tcp),
280 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
281 /* u64 foo; */
282 /* void *target = &foo; */
283 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
286 /* if (skb == NULL) *target = sock; */
287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
288 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
289 /* else *target = skb; */
290 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
291 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
292 /* struct __sk_buff *skb = *target; */
293 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
294 /* skb->mark = 42; */
295 BPF_MOV64_IMM(BPF_REG_3, 42),
296 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
297 offsetof(struct __sk_buff, mark)),
298 BPF_EXIT_INSN(),
299 },
300 .result = REJECT,
301 //.errstr = "same insn cannot be used with different pointers",
302 .errstr = "Unreleased reference",
303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
304},
305{
306 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
307 .insns = {
308 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
309 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
310 BPF_SK_LOOKUP(sk_lookup_tcp),
311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
312 /* u64 foo; */
313 /* void *target = &foo; */
314 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
316 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
317 /* if (skb) *target = skb */
318 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
319 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
320 /* else *target = sock */
321 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
322 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
323 /* struct bpf_sock *sk = *target; */
324 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
325 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
326 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
328 offsetof(struct bpf_sock, mark)),
329 BPF_EMIT_CALL(BPF_FUNC_sk_release),
330 BPF_MOV64_IMM(BPF_REG_0, 0),
331 BPF_EXIT_INSN(),
332 },
333 .result = REJECT,
334 .errstr = "same insn cannot be used with different pointers",
335 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
336},
337{
338 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
339 .insns = {
340 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
341 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
342 BPF_SK_LOOKUP(sk_lookup_tcp),
343 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
344 /* u64 foo; */
345 /* void *target = &foo; */
346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
348 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
349 /* if (skb) *target = skb */
350 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
351 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
352 /* else *target = sock */
353 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
354 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
355 /* struct bpf_sock *sk = *target; */
356 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
357 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
358 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
359 BPF_MOV64_IMM(BPF_REG_3, 42),
360 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
361 offsetof(struct bpf_sock, mark)),
362 BPF_EMIT_CALL(BPF_FUNC_sk_release),
363 BPF_MOV64_IMM(BPF_REG_0, 0),
364 BPF_EXIT_INSN(),
365 },
366 .result = REJECT,
367 //.errstr = "same insn cannot be used with different pointers",
368 .errstr = "cannot write into sock",
369 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
370},
371{
372 "unpriv: spill/fill of different pointers ldx",
373 .insns = {
374 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
376 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
377 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
379 -(__s32)offsetof(struct bpf_perf_event_data,
380 sample_period) - 8),
381 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
382 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
383 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
384 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
385 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
386 offsetof(struct bpf_perf_event_data, sample_period)),
387 BPF_MOV64_IMM(BPF_REG_0, 0),
388 BPF_EXIT_INSN(),
389 },
390 .result = REJECT,
391 .errstr = "same insn cannot be used with different pointers",
392 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
393},
394{
395 "unpriv: write pointer into map elem value",
396 .insns = {
397 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
398 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
400 BPF_LD_MAP_FD(BPF_REG_1, 0),
401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
403 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
404 BPF_EXIT_INSN(),
405 },
406 .fixup_map_hash_8b = { 3 },
407 .errstr_unpriv = "R0 leaks addr",
408 .result_unpriv = REJECT,
409 .result = ACCEPT,
410},
411{
412 "alu32: mov u32 const",
413 .insns = {
414 BPF_MOV32_IMM(BPF_REG_7, 0),
415 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
416 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
417 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
418 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
419 BPF_EXIT_INSN(),
420 },
421 .errstr_unpriv = "R7 invalid mem access 'inv'",
422 .result_unpriv = REJECT,
423 .result = ACCEPT,
424 .retval = 0,
425},
426{
427 "unpriv: partial copy of pointer",
428 .insns = {
429 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
430 BPF_MOV64_IMM(BPF_REG_0, 0),
431 BPF_EXIT_INSN(),
432 },
433 .errstr_unpriv = "R10 partial copy",
434 .result_unpriv = REJECT,
435 .result = ACCEPT,
436},
437{
438 "unpriv: pass pointer to tail_call",
439 .insns = {
440 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
441 BPF_LD_MAP_FD(BPF_REG_2, 0),
442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
443 BPF_MOV64_IMM(BPF_REG_0, 0),
444 BPF_EXIT_INSN(),
445 },
446 .fixup_prog1 = { 1 },
447 .errstr_unpriv = "R3 leaks addr into helper",
448 .result_unpriv = REJECT,
449 .result = ACCEPT,
450},
451{
452 "unpriv: cmp map pointer with zero",
453 .insns = {
454 BPF_MOV64_IMM(BPF_REG_1, 0),
455 BPF_LD_MAP_FD(BPF_REG_1, 0),
456 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
457 BPF_MOV64_IMM(BPF_REG_0, 0),
458 BPF_EXIT_INSN(),
459 },
460 .fixup_map_hash_8b = { 1 },
461 .errstr_unpriv = "R1 pointer comparison",
462 .result_unpriv = REJECT,
463 .result = ACCEPT,
464},
465{
466 "unpriv: write into frame pointer",
467 .insns = {
468 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
469 BPF_MOV64_IMM(BPF_REG_0, 0),
470 BPF_EXIT_INSN(),
471 },
472 .errstr = "frame pointer is read only",
473 .result = REJECT,
474},
475{
476 "unpriv: spill/fill frame pointer",
477 .insns = {
478 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
480 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
481 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
482 BPF_MOV64_IMM(BPF_REG_0, 0),
483 BPF_EXIT_INSN(),
484 },
485 .errstr = "frame pointer is read only",
486 .result = REJECT,
487},
488{
489 "unpriv: cmp of frame pointer",
490 .insns = {
491 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
492 BPF_MOV64_IMM(BPF_REG_0, 0),
493 BPF_EXIT_INSN(),
494 },
495 .errstr_unpriv = "R10 pointer comparison",
496 .result_unpriv = REJECT,
497 .result = ACCEPT,
498},
499{
500 "unpriv: adding of fp, reg",
501 .insns = {
502 BPF_MOV64_IMM(BPF_REG_0, 0),
503 BPF_MOV64_IMM(BPF_REG_1, 0),
504 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
505 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
506 BPF_EXIT_INSN(),
507 },
508 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
509 .result_unpriv = REJECT,
510 .result = ACCEPT,
511},
512{
513 "unpriv: adding of fp, imm",
514 .insns = {
515 BPF_MOV64_IMM(BPF_REG_0, 0),
516 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
518 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
519 BPF_EXIT_INSN(),
520 },
521 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
522 .result_unpriv = REJECT,
523 .result = ACCEPT,
524},
525{
526 "unpriv: cmp of stack pointer",
527 .insns = {
528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
530 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
531 BPF_MOV64_IMM(BPF_REG_0, 0),
532 BPF_EXIT_INSN(),
533 },
534 .errstr_unpriv = "R2 pointer comparison",
535 .result_unpriv = REJECT,
536 .result = ACCEPT,
537},