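/*
 * Verifier test entries for spilling a pointer register to the stack
 * (store through R10) and filling it back into a register.
 *
 * Going by the field names, .result/.errstr are the expectation for a
 * privileged load and .result_unpriv/.errstr_unpriv the expectation for an
 * unprivileged one. The unprivileged expectations are the security-relevant
 * part: a pointer must not be returned to the caller ("R0 leaks addr") and a
 * spilled pointer must not be partially overwritten ("attempt to corrupt
 * spilled").
 * NOTE(review): the struct these initializers fill and the BPF_* macros are
 * defined outside this listing -- confirm field semantics there.
 */
{
	"check valid spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* fill it back into R2 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
	/* should be able to access R0 = *(R2 + 8) */
	/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
	/* NOTE(review): the dereference above is commented out, so this
	 * entry only exercises returning the filled value, not the access
	 * the previous comment describes.
	 */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	/* Unprivileged: returning the filled value is expected to be refused
	 * as an address leak, which implies the value is still tracked as a
	 * pointer after the spill/fill round trip.
	 */
	.errstr_unpriv = "R0 leaks addr",
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.retval = POINTER_VALUE,
},
{
	"check valid spill/fill, skb mark",
	.insns = {
	/* copy R1 to R6, spill R6 to the stack, fill it back into R0 */
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* dereference the filled pointer: 32-bit read of __sk_buff.mark,
	 * so R0 holds the loaded word at exit rather than the pointer
	 */
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	/* accepted in both modes */
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},
{
	"check corrupted spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* mess up with R1 pointer on stack: a single byte at offset -7,
	 * i.e. inside the 8-byte slot written above
	 */
	BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
	/* fill back into R0 is fine for priv.
	 * R0 now becomes SCALAR_VALUE.
	 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* Load from R0 should fail. */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
	BPF_EXIT_INSN(),
	},
	/* Two different rejection messages are expected: the unprivileged one
	 * names the corruption of the spilled slot, the privileged one the
	 * later memory access through R0.
	 */
	.errstr_unpriv = "attempt to corrupt spilled",
	.errstr = "R0 invalid mem access 'inv",
	.result = REJECT,
	/* NOTE(review): meaning of this flag is defined by the test runner,
	 * not visible here -- confirm before changing the offsets above.
	 */
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	"check corrupted spill/fill, LSB",
	.insns = {
	/* spill R1 into the 8-byte slot at offset -8 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* overwrite 16 bits at the start of that slot */
	BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
	/* fill the slot back and return it in R0 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	/* Unprivileged loads are expected to be refused for touching the
	 * spilled pointer; privileged loads are expected to be accepted.
	 */
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},
{
	"check corrupted spill/fill, MSB",
	.insns = {
	/* spill R1 into the 8-byte slot at offset -8 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* overwrite 32 bits at offset -4, the other half of that slot */
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
	/* fill the slot back and return it in R0 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	/* Same expectations as the LSB variant: refused when unprivileged,
	 * accepted when privileged.
	 */
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},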