samples/bpf: add verifier tests for the helper access to the packet

test various corner cases of the helper function access to the packet via crafted XDP programs. Signed-off-by: Aaron Yue <haoxuany@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Aaron Yue <haoxuany@fb.com> 2016-08-11 21:17:17 -0400
committer: David S. Miller <davem@davemloft.net> 2016-08-13 00:56:18 -0400
commit: 1633ac0a2e774a9af339b9290ef33cd97a918c54 (patch)
tree: 85008f33388ef2f04b03fc57e5eb2dc7d91523fd /samples/bpf
parent: 6841de8b0d03cc9a4e0e928453623c13ee754f77 (diff)
1 files changed, 110 insertions, 4 deletions
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c
index fe2fcec98c1f..78c6f131d94f 100644
--- a/samples/bpf/test_verifier.c
+++ b/samples/bpf/test_verifier.c
@@ -1449,7 +1449,7 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
-                "pkt: test1",
+                "direct packet access: test1",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
                                    offsetof(struct __sk_buff, data)),
@@ -1466,7 +1466,7 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
-                "pkt: test2",
+                "direct packet access: test2",
                .insns = {
                        BPF_MOV64_IMM(BPF_REG_0, 1),
                        BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
@@ -1499,7 +1499,7 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
-                "pkt: test3",
+                "direct packet access: test3",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
                                    offsetof(struct __sk_buff, data)),
@@ -1511,7 +1511,7 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
        },
        {
-                "pkt: test4",
+                "direct packet access: test4",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
                                    offsetof(struct __sk_buff, data)),
@@ -1528,6 +1528,112 @@ static struct bpf_test tests[] = {
                .result = REJECT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
+        {
+                "helper access to packet: test1, valid packet_ptr range",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {5},
+                .result_unpriv = ACCEPT,
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "helper access to packet: test2, unchecked packet_ptr",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {1},
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "helper access to packet: test3, variable add",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                        offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                        offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
+                        BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {11},
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "helper access to packet: test4, packet_ptr with bad range",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {7},
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "helper access to packet: test5, packet_ptr with too short range",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {6},
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
 };
 static int probe_filter_length(struct bpf_insn *fp)
author	Aaron Yue <haoxuany@fb.com>	2016-08-11 21:17:17 -0400
committer	David S. Miller <davem@davemloft.net>	2016-08-13 00:56:18 -0400
commit	1633ac0a2e774a9af339b9290ef33cd97a918c54 (patch)
tree	85008f33388ef2f04b03fc57e5eb2dc7d91523fd /samples/bpf
parent	6841de8b0d03cc9a4e0e928453623c13ee754f77 (diff)

diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index fe2fcec98c1f..78c6f131d94f 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c
@@ -1449,7 +1449,7 @@ static struct bpf_test tests[] = {
1449	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1449	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1450	},	1450	},
1451	{	1451	{
1452	"pkt: test1",	1452	"direct packet access: test1",
1453	.insns = {	1453	.insns = {
1454	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,	1454	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1455	offsetof(struct __sk_buff, data)),	1455	offsetof(struct __sk_buff, data)),
@@ -1466,7 +1466,7 @@ static struct bpf_test tests[] = {
1466	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1466	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1467	},	1467	},
1468	{	1468	{
1469	"pkt: test2",	1469	"direct packet access: test2",
1470	.insns = {	1470	.insns = {
1471	BPF_MOV64_IMM(BPF_REG_0, 1),	1471	BPF_MOV64_IMM(BPF_REG_0, 1),
1472	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,	1472	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
@@ -1499,7 +1499,7 @@ static struct bpf_test tests[] = {
1499	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1499	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1500	},	1500	},
1501	{	1501	{
1502	"pkt: test3",	1502	"direct packet access: test3",
1503	.insns = {	1503	.insns = {
1504	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,	1504	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1505	offsetof(struct __sk_buff, data)),	1505	offsetof(struct __sk_buff, data)),
@@ -1511,7 +1511,7 @@ static struct bpf_test tests[] = {
1511	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,	1511	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
1512	},	1512	},
1513	{	1513	{
1514	"pkt: test4",	1514	"direct packet access: test4",
1515	.insns = {	1515	.insns = {
1516	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,	1516	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1517	offsetof(struct __sk_buff, data)),	1517	offsetof(struct __sk_buff, data)),
@@ -1528,6 +1528,112 @@ static struct bpf_test tests[] = {
1528	.result = REJECT,	1528	.result = REJECT,
1529	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1529	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1530	},	1530	},
		1531	{
		1532	"helper access to packet: test1, valid packet_ptr range",
		1533	.insns = {
		1534	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1535	offsetof(struct xdp_md, data)),
		1536	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1537	offsetof(struct xdp_md, data_end)),
		1538	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		1539	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		1540	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
		1541	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1542	BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
		1543	BPF_MOV64_IMM(BPF_REG_4, 0),
		1544	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
		1545	BPF_MOV64_IMM(BPF_REG_0, 0),
		1546	BPF_EXIT_INSN(),
		1547	},
		1548	.fixup = {5},
		1549	.result_unpriv = ACCEPT,
		1550	.result = ACCEPT,
		1551	.prog_type = BPF_PROG_TYPE_XDP,
		1552	},
		1553	{
		1554	"helper access to packet: test2, unchecked packet_ptr",
		1555	.insns = {
		1556	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1557	offsetof(struct xdp_md, data)),
		1558	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1559	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1560	BPF_MOV64_IMM(BPF_REG_0, 0),
		1561	BPF_EXIT_INSN(),
		1562	},
		1563	.fixup = {1},
		1564	.result = REJECT,
		1565	.errstr = "invalid access to packet",
		1566	.prog_type = BPF_PROG_TYPE_XDP,
		1567	},
		1568	{
		1569	"helper access to packet: test3, variable add",
		1570	.insns = {
		1571	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1572	offsetof(struct xdp_md, data)),
		1573	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1574	offsetof(struct xdp_md, data_end)),
		1575	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1576	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
		1577	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
		1578	BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
		1579	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1580	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
		1581	BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
		1582	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
		1583	BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
		1584	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1585	BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
		1586	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1587	BPF_MOV64_IMM(BPF_REG_0, 0),
		1588	BPF_EXIT_INSN(),
		1589	},
		1590	.fixup = {11},
		1591	.result = ACCEPT,
		1592	.prog_type = BPF_PROG_TYPE_XDP,
		1593	},
		1594	{
		1595	"helper access to packet: test4, packet_ptr with bad range",
		1596	.insns = {
		1597	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1598	offsetof(struct xdp_md, data)),
		1599	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1600	offsetof(struct xdp_md, data_end)),
		1601	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1602	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
		1603	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
		1604	BPF_MOV64_IMM(BPF_REG_0, 0),
		1605	BPF_EXIT_INSN(),
		1606	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1607	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1608	BPF_MOV64_IMM(BPF_REG_0, 0),
		1609	BPF_EXIT_INSN(),
		1610	},
		1611	.fixup = {7},
		1612	.result = REJECT,
		1613	.errstr = "invalid access to packet",
		1614	.prog_type = BPF_PROG_TYPE_XDP,
		1615	},
		1616	{
		1617	"helper access to packet: test5, packet_ptr with too short range",
		1618	.insns = {
		1619	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1620	offsetof(struct xdp_md, data)),
		1621	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1622	offsetof(struct xdp_md, data_end)),
		1623	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
		1624	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1625	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
		1626	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
		1627	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1628	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1629	BPF_MOV64_IMM(BPF_REG_0, 0),
		1630	BPF_EXIT_INSN(),
		1631	},
		1632	.fixup = {6},
		1633	.result = REJECT,
		1634	.errstr = "invalid access to packet",
		1635	.prog_type = BPF_PROG_TYPE_XDP,
		1636	},
1531	};	1637	};
1532		1638
1533	static int probe_filter_length(struct bpf_insn *fp)	1639	static int probe_filter_length(struct bpf_insn *fp)