diff options
author | Aaron Yue <haoxuany@fb.com> | 2016-08-11 21:17:17 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-08-13 00:56:18 -0400 |
commit | 1633ac0a2e774a9af339b9290ef33cd97a918c54 (patch) | |
tree | 85008f33388ef2f04b03fc57e5eb2dc7d91523fd /samples/bpf | |
parent | 6841de8b0d03cc9a4e0e928453623c13ee754f77 (diff) |
samples/bpf: add verifier tests for the helper access to the packet
test various corner cases of the helper function access to the packet
via crafted XDP programs.
Signed-off-by: Aaron Yue <haoxuany@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'samples/bpf')
-rw-r--r-- | samples/bpf/test_verifier.c | 114 |
1 files changed, 110 insertions, 4 deletions
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index fe2fcec98c1f..78c6f131d94f 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c | |||
@@ -1449,7 +1449,7 @@ static struct bpf_test tests[] = { | |||
1449 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, | 1449 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1450 | }, | 1450 | }, |
1451 | { | 1451 | { |
1452 | "pkt: test1", | 1452 | "direct packet access: test1", |
1453 | .insns = { | 1453 | .insns = { |
1454 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | 1454 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, |
1455 | offsetof(struct __sk_buff, data)), | 1455 | offsetof(struct __sk_buff, data)), |
@@ -1466,7 +1466,7 @@ static struct bpf_test tests[] = { | |||
1466 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, | 1466 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1467 | }, | 1467 | }, |
1468 | { | 1468 | { |
1469 | "pkt: test2", | 1469 | "direct packet access: test2", |
1470 | .insns = { | 1470 | .insns = { |
1471 | BPF_MOV64_IMM(BPF_REG_0, 1), | 1471 | BPF_MOV64_IMM(BPF_REG_0, 1), |
1472 | BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, | 1472 | BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, |
@@ -1499,7 +1499,7 @@ static struct bpf_test tests[] = { | |||
1499 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, | 1499 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1500 | }, | 1500 | }, |
1501 | { | 1501 | { |
1502 | "pkt: test3", | 1502 | "direct packet access: test3", |
1503 | .insns = { | 1503 | .insns = { |
1504 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | 1504 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, |
1505 | offsetof(struct __sk_buff, data)), | 1505 | offsetof(struct __sk_buff, data)), |
@@ -1511,7 +1511,7 @@ static struct bpf_test tests[] = { | |||
1511 | .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, | 1511 | .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, |
1512 | }, | 1512 | }, |
1513 | { | 1513 | { |
1514 | "pkt: test4", | 1514 | "direct packet access: test4", |
1515 | .insns = { | 1515 | .insns = { |
1516 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | 1516 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, |
1517 | offsetof(struct __sk_buff, data)), | 1517 | offsetof(struct __sk_buff, data)), |
@@ -1528,6 +1528,112 @@ static struct bpf_test tests[] = { | |||
1528 | .result = REJECT, | 1528 | .result = REJECT, |
1529 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, | 1529 | .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1530 | }, | 1530 | }, |
1531 | { | ||
1532 | "helper access to packet: test1, valid packet_ptr range", | ||
1533 | .insns = { | ||
1534 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | ||
1535 | offsetof(struct xdp_md, data)), | ||
1536 | BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, | ||
1537 | offsetof(struct xdp_md, data_end)), | ||
1538 | BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), | ||
1539 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), | ||
1540 | BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), | ||
1541 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
1542 | BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), | ||
1543 | BPF_MOV64_IMM(BPF_REG_4, 0), | ||
1544 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem), | ||
1545 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
1546 | BPF_EXIT_INSN(), | ||
1547 | }, | ||
1548 | .fixup = {5}, | ||
1549 | .result_unpriv = ACCEPT, | ||
1550 | .result = ACCEPT, | ||
1551 | .prog_type = BPF_PROG_TYPE_XDP, | ||
1552 | }, | ||
1553 | { | ||
1554 | "helper access to packet: test2, unchecked packet_ptr", | ||
1555 | .insns = { | ||
1556 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | ||
1557 | offsetof(struct xdp_md, data)), | ||
1558 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
1559 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | ||
1560 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
1561 | BPF_EXIT_INSN(), | ||
1562 | }, | ||
1563 | .fixup = {1}, | ||
1564 | .result = REJECT, | ||
1565 | .errstr = "invalid access to packet", | ||
1566 | .prog_type = BPF_PROG_TYPE_XDP, | ||
1567 | }, | ||
1568 | { | ||
1569 | "helper access to packet: test3, variable add", | ||
1570 | .insns = { | ||
1571 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | ||
1572 | offsetof(struct xdp_md, data)), | ||
1573 | BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, | ||
1574 | offsetof(struct xdp_md, data_end)), | ||
1575 | BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), | ||
1576 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), | ||
1577 | BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), | ||
1578 | BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), | ||
1579 | BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), | ||
1580 | BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), | ||
1581 | BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), | ||
1582 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), | ||
1583 | BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), | ||
1584 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
1585 | BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), | ||
1586 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | ||
1587 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
1588 | BPF_EXIT_INSN(), | ||
1589 | }, | ||
1590 | .fixup = {11}, | ||
1591 | .result = ACCEPT, | ||
1592 | .prog_type = BPF_PROG_TYPE_XDP, | ||
1593 | }, | ||
1594 | { | ||
1595 | "helper access to packet: test4, packet_ptr with bad range", | ||
1596 | .insns = { | ||
1597 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | ||
1598 | offsetof(struct xdp_md, data)), | ||
1599 | BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, | ||
1600 | offsetof(struct xdp_md, data_end)), | ||
1601 | BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), | ||
1602 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), | ||
1603 | BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), | ||
1604 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
1605 | BPF_EXIT_INSN(), | ||
1606 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
1607 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | ||
1608 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
1609 | BPF_EXIT_INSN(), | ||
1610 | }, | ||
1611 | .fixup = {7}, | ||
1612 | .result = REJECT, | ||
1613 | .errstr = "invalid access to packet", | ||
1614 | .prog_type = BPF_PROG_TYPE_XDP, | ||
1615 | }, | ||
1616 | { | ||
1617 | "helper access to packet: test5, packet_ptr with too short range", | ||
1618 | .insns = { | ||
1619 | BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, | ||
1620 | offsetof(struct xdp_md, data)), | ||
1621 | BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, | ||
1622 | offsetof(struct xdp_md, data_end)), | ||
1623 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), | ||
1624 | BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), | ||
1625 | BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), | ||
1626 | BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), | ||
1627 | BPF_LD_MAP_FD(BPF_REG_1, 0), | ||
1628 | BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | ||
1629 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
1630 | BPF_EXIT_INSN(), | ||
1631 | }, | ||
1632 | .fixup = {6}, | ||
1633 | .result = REJECT, | ||
1634 | .errstr = "invalid access to packet", | ||
1635 | .prog_type = BPF_PROG_TYPE_XDP, | ||
1636 | }, | ||
1531 | }; | 1637 | }; |
1532 | 1638 | ||
1533 | static int probe_filter_length(struct bpf_insn *fp) | 1639 | static int probe_filter_length(struct bpf_insn *fp) |