1 { 2 "invalid direct packet write for LWT_IN", 3 .insns = { 4 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 5 offsetof(struct __sk_buff, data)), 6 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 7 offsetof(struct __sk_buff, data_end)), 8 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 9 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 10 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 11 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 12 BPF_MOV64_IMM(BPF_REG_0, 0), 13 BPF_EXIT_INSN(), 14 }, 15 .errstr = "cannot write into packet", 16 .result = REJECT, 17 .prog_type = BPF_PROG_TYPE_LWT_IN, 18 }, 19 { 20 "invalid direct packet write for LWT_OUT", 21 .insns = { 22 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 23 offsetof(struct __sk_buff, data)), 24 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 25 offsetof(struct __sk_buff, data_end)), 26 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 27 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 28 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 29 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 30 BPF_MOV64_IMM(BPF_REG_0, 0), 31 BPF_EXIT_INSN(), 32 }, 33 .errstr = "cannot write into packet", 34 .result = REJECT, 35 .prog_type = BPF_PROG_TYPE_LWT_OUT, 36 }, 37 { 38 "direct packet write for LWT_XMIT", 39 .insns = { 40 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 41 offsetof(struct __sk_buff, data)), 42 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 43 offsetof(struct __sk_buff, data_end)), 44 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 45 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 46 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 47 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 48 BPF_MOV64_IMM(BPF_REG_0, 0), 49 BPF_EXIT_INSN(), 50 }, 51 .result = ACCEPT, 52 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 53 }, 54 { 55 "direct packet read for LWT_IN", 56 .insns = { 57 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 58 offsetof(struct __sk_buff, data)), 59 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 60 offsetof(struct __sk_buff, data_end)), 61 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 62 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 63 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 64 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 65 BPF_MOV64_IMM(BPF_REG_0, 0), 66 BPF_EXIT_INSN(), 67 }, 68 .result = ACCEPT, 69 .prog_type = BPF_PROG_TYPE_LWT_IN, 70 }, 71 { 72 "direct packet read for LWT_OUT", 73 .insns = { 74 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 75 offsetof(struct __sk_buff, data)), 76 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 77 offsetof(struct __sk_buff, data_end)), 78 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 79 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 80 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 81 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 82 BPF_MOV64_IMM(BPF_REG_0, 0), 83 BPF_EXIT_INSN(), 84 }, 85 .result = ACCEPT, 86 .prog_type = BPF_PROG_TYPE_LWT_OUT, 87 }, 88 { 89 "direct packet read for LWT_XMIT", 90 .insns = { 91 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 92 offsetof(struct __sk_buff, data)), 93 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 94 offsetof(struct __sk_buff, data_end)), 95 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 96 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 97 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 98 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 99 BPF_MOV64_IMM(BPF_REG_0, 0), 100 BPF_EXIT_INSN(), 101 }, 102 .result = ACCEPT, 103 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 104 }, 105 { 106 "overlapping checks for direct packet access", 107 .insns = { 108 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 109 offsetof(struct __sk_buff, data)), 110 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 111 offsetof(struct __sk_buff, data_end)), 112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 114 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 117 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 119 BPF_MOV64_IMM(BPF_REG_0, 0), 120 BPF_EXIT_INSN(), 121 }, 122 .result = ACCEPT, 123 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 124 }, 125 { 126 "make headroom for LWT_XMIT", 127 .insns = { 128 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 129 BPF_MOV64_IMM(BPF_REG_2, 34), 130 BPF_MOV64_IMM(BPF_REG_3, 0), 131 BPF_EMIT_CALL(BPF_FUNC_skb_change_head), 132 /* split for s390 to succeed */ 133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 134 BPF_MOV64_IMM(BPF_REG_2, 42), 135 BPF_MOV64_IMM(BPF_REG_3, 0), 136 BPF_EMIT_CALL(BPF_FUNC_skb_change_head), 137 BPF_MOV64_IMM(BPF_REG_0, 0), 138 BPF_EXIT_INSN(), 139 }, 140 .result = ACCEPT, 141 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 142 }, 143 { 144 "invalid access of tc_classid for LWT_IN", 145 .insns = { 146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 147 offsetof(struct __sk_buff, tc_classid)), 148 BPF_EXIT_INSN(), 149 }, 150 .result = REJECT, 151 .errstr = "invalid bpf_context access", 152 }, 153 { 154 "invalid access of tc_classid for LWT_OUT", 155 .insns = { 156 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 157 offsetof(struct __sk_buff, tc_classid)), 158 BPF_EXIT_INSN(), 159 }, 160 .result = REJECT, 161 .errstr = "invalid bpf_context access", 162 }, 163 { 164 "invalid access of tc_classid for LWT_XMIT", 165 .insns = { 166 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 167 offsetof(struct __sk_buff, tc_classid)), 168 BPF_EXIT_INSN(), 169 }, 170 .result = REJECT, 171 .errstr = "invalid bpf_context access", 172 }, 173 { 174 "check skb->tc_classid half load not permitted for lwt prog", 175 .insns = { 176 BPF_MOV64_IMM(BPF_REG_0, 0), 177 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ 178 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 179 offsetof(struct __sk_buff, tc_classid)), 180 #else 181 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 182 offsetof(struct __sk_buff, tc_classid) + 2), 183 #endif 184 BPF_EXIT_INSN(), 185 }, 186 .result = REJECT, 187 .errstr = "invalid bpf_context access", 188 .prog_type = BPF_PROG_TYPE_LWT_IN, 189 }, 190
