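/*
 * Verifier test cases for how a BPF program may use its context pointer
 * (R1 on entry).
 *
 * Each entry is an initializer with a title string, the instruction
 * sequence in .insns, the expected verdict in .result (ACCEPT or REJECT)
 * and, for rejections, the expected message in .errstr.  The enclosing
 * table and the struct type are not part of this file.
 *
 * The REJECT entries are the security-relevant ones: they pin down that
 * stores into the context, arithmetic on the context pointer and
 * non-context scalars passed where a context is required all fail to load.
 * A kernel that accepts any of them has lost one of those checks.
 *
 * NOTE(review): .errstr is presumably matched against the verifier log, so
 * these strings track the verifier's wording for the kernel under test.
 */
{
	/* A BPF_ST (store-immediate) write to __sk_buff::mark through R1. */
	"context stores via ST",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
		BPF_EXIT_INSN(),
	},
	.errstr = "BPF_ST stores into R1 ctx is not allowed",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* An atomic add to __sk_buff::mark through R1. */
	"context stores via BPF_ATOMIC",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_ATOMIC_OP(BPF_W, BPF_ADD, BPF_REG_1, BPF_REG_0, offsetof(struct __sk_buff, mark)),
		BPF_EXIT_INSN(),
	},
	.errstr = "BPF_ATOMIC stores into R1 ctx is not allowed",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/*
	 * R1 is advanced by (offsetof(data) - offsetof(mark)) and then
	 * loaded at offsetof(mark), so the effective address is
	 * ctx + offsetof(data) although the load names 'mark'.  The load
	 * through the adjusted pointer must be refused.
	 */
	"arithmetic ops make PTR_TO_CTX unusable",
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
			      offsetof(struct __sk_buff, data) -
			      offsetof(struct __sk_buff, mark)),
		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
			    offsetof(struct __sk_buff, mark)),
		BPF_EXIT_INSN(),
	},
	.errstr = "dereference of modified ctx ptr",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
{
	/* Baseline: R1 reaches the helper untouched, R2 = 0. */
	"pass unmodified ctx pointer to helper",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_csum_update),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/*
	 * Same call as the baseline, but R1 is first moved 612 bytes
	 * below the context base by a constant.
	 */
	"pass modified ctx pointer to helper, 1",
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_csum_update),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
{
	/*
	 * Constant-offset ctx pointer passed to get_socket_cookie.  Both
	 * the privileged and the unprivileged load are expected to fail
	 * with the same message.
	 * NOTE(review): .prog_type is not set here; the default applied
	 * by the harness is not visible in this file.
	 */
	"pass modified ctx pointer to helper, 2",
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_socket_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.result_unpriv = REJECT,
	.result = REJECT,
	.errstr_unpriv = "dereference of modified ctx ptr",
	.errstr = "dereference of modified ctx ptr",
},
{
	/*
	 * Variable offset: R3 is a word read from the context, masked
	 * with 4 (so it is 0 or 4), then added to R1.  The expected
	 * message carries that mask as var_off=(0x0; 0x4).
	 */
	"pass modified ctx pointer to helper, 3",
	.insns = {
		BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
		BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
		BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
		BPF_MOV64_IMM(BPF_REG_2, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_csum_update),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = REJECT,
	.errstr = "variable ctx access var_off=(0x0; 0x4)",
},
/*
 * "ctx or null" cases: get_netns_cookie is expected to load with either
 * the unmodified context or a zero in R1, and to fail with any other
 * scalar or with an adjusted context pointer.
 */
{
	/* Unmodified context in R1. */
	"pass ctx or null check, 1: ctx",
	.insns = {
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = ACCEPT,
},
{
	/* R1 = 0, i.e. NULL in place of the context. */
	"pass ctx or null check, 2: null",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = ACCEPT,
},
{
	/* R1 = 1: a non-zero scalar is neither a context nor NULL. */
	"pass ctx or null check, 3: 1",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 1),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = REJECT,
	.errstr = "R1 type=inv expected=ctx",
},
{
	/* Context pointer moved by a constant before the call. */
	"pass ctx or null check, 4: ctx - const",
	.insns = {
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
	.result = REJECT,
	.errstr = "dereference of modified ctx ptr",
},
{
	/* NULL again, this time with the INET4_CONNECT attach type. */
	"pass ctx or null check, 5: null (connect)",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	.expected_attach_type = BPF_CGROUP_INET4_CONNECT,
	.result = ACCEPT,
},
{
	/* NULL with a CGROUP_SOCK program attached at INET4_POST_BIND. */
	"pass ctx or null check, 6: null (bind)",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_netns_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = ACCEPT,
},
/*
 * The last two entries use get_socket_cookie with the same program and
 * attach type as entry 6.  With it the unmodified context loads and NULL
 * does not, so whether NULL is tolerated depends on the helper being
 * called and not on the program type.
 */
{
	/* Unmodified context in R1. */
	"pass ctx or null check, 7: ctx (bind)",
	.insns = {
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_socket_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = ACCEPT,
},
{
	/* R1 = 0 where this helper requires a real context. */
	"pass ctx or null check, 8: null (bind)",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_1, 0),
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
			     BPF_FUNC_get_socket_cookie),
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
	.expected_attach_type = BPF_CGROUP_INET4_POST_BIND,
	.result = REJECT,
	.errstr = "R1 type=inv expected=ctx",
},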