| Message ID | 20180517155409.21250.77305.stgit@john-Precision-Tower-5810 |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | BPF Maintainers |
| Headers | show |
| Series | SK_MSG programs: read sock fields | expand |
On Thu, May 17, 2018 at 08:54:10AM -0700, John Fastabend wrote: > Add tests for BPF_PROG_TYPE_SK_MSG to test_verifier for read access > to new sk fields. > > Signed-off-by: John Fastabend <john.fastabend@gmail.com> > --- > tools/include/uapi/linux/bpf.h | 8 ++ > tools/testing/selftests/bpf/test_verifier.c | 115 +++++++++++++++++++++++++++ > 2 files changed, 123 insertions(+) > > diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h > index d94d333..97446bb 100644 > --- a/tools/include/uapi/linux/bpf.h > +++ b/tools/include/uapi/linux/bpf.h > @@ -2176,6 +2176,14 @@ enum sk_action { > struct sk_msg_md { > void *data; > void *data_end; > + > + __u32 family; > + __u32 remote_ip4; /* Stored in network byte order */ > + __u32 local_ip4; /* Stored in network byte order */ > + __u32 remote_ip6[4]; /* Stored in network byte order */ > + __u32 local_ip6[4]; /* Stored in network byte order */ > + __u32 remote_port; /* Stored in network byte order */ > + __u32 local_port; /* stored in host byte order */ > }; > > #define BPF_TAG_SIZE 8 > diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c > index a877af0..1ac7630 100644 > --- a/tools/testing/selftests/bpf/test_verifier.c > +++ b/tools/testing/selftests/bpf/test_verifier.c > @@ -1686,6 +1686,121 @@ static void bpf_fill_rand_ld_dw(struct bpf_test *self) > .prog_type = BPF_PROG_TYPE_SK_SKB, > }, > { > + "valid access family in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, family)), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "valid access remote_ip4 in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, remote_ip4)), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "valid access local_ip4 in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, local_ip4)), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "valid access remote_port in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, remote_port)), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "valid access local_port in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, local_port)), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "valid access remote_ip6 in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, remote_ip6[0])), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, remote_ip6[1])), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, remote_ip6[2])), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, remote_ip6[3])), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_SKB, > + }, > + { > + "valid access local_ip6 in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, local_ip6[0])), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, local_ip6[1])), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, local_ip6[2])), > + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, > + offsetof(struct sk_msg_md, local_ip6[3])), > + BPF_EXIT_INSN(), > + }, > + .result = ACCEPT, > + .prog_type = BPF_PROG_TYPE_SK_SKB, > + }, > + { > + "invalid 64B read of family in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, > + offsetof(struct sk_msg_md, family)), > + BPF_EXIT_INSN(), > + }, > + .errstr = "invalid bpf_context access", > + .result = REJECT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "invalid read past end of SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, > + offsetof(struct sk_msg_md, local_port) + 4), > + BPF_EXIT_INSN(), > + }, > + .errstr = "", no errstr in this case? > + .result = REJECT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > + "invalid read offset in SK_MSG", > + .insns = { > + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, > + offsetof(struct sk_msg_md, family) + 1), > + BPF_EXIT_INSN(), > + }, > + .errstr = "", same here. > + .result = REJECT, > + .prog_type = BPF_PROG_TYPE_SK_MSG, > + }, > + { > "direct packet read for SK_MSG", > .insns = { > BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, > Other than the above, Acked-by: Martin KaFai Lau <kafai@fb.com>
On 05/17/2018 11:57 AM, Martin KaFai Lau wrote: > On Thu, May 17, 2018 at 08:54:10AM -0700, John Fastabend wrote: >> Add tests for BPF_PROG_TYPE_SK_MSG to test_verifier for read access >> to new sk fields. >> >> Signed-off-by: John Fastabend <john.fastabend@gmail.com> >> --- [...] >> + { >> + "invalid read past end of SK_MSG", >> + .insns = { >> + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, >> + offsetof(struct sk_msg_md, local_port) + 4), >> + BPF_EXIT_INSN(), >> + }, >> + .errstr = "", > no errstr in this case? > >> + .result = REJECT, >> + .prog_type = BPF_PROG_TYPE_SK_MSG, >> + }, >> + { >> + "invalid read offset in SK_MSG", >> + .insns = { >> + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, >> + offsetof(struct sk_msg_md, family) + 1), >> + BPF_EXIT_INSN(), >> + }, >> + .errstr = "", > same here. > >> + .result = REJECT, >> + .prog_type = BPF_PROG_TYPE_SK_MSG, >> + }, >> + { >> "direct packet read for SK_MSG", >> .insns = { >> BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, >> > Other than the above, > For completeness I guess we should have the err string included. I'll send a v2 and push ACKs forward. > Acked-by: Martin KaFai Lau <kafai@fb.com> >
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index d94d333..97446bb 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -2176,6 +2176,14 @@ enum sk_action { struct sk_msg_md { void *data; void *data_end; + + __u32 family; + __u32 remote_ip4; /* Stored in network byte order */ + __u32 local_ip4; /* Stored in network byte order */ + __u32 remote_ip6[4]; /* Stored in network byte order */ + __u32 local_ip6[4]; /* Stored in network byte order */ + __u32 remote_port; /* Stored in network byte order */ + __u32 local_port; /* stored in host byte order */ }; #define BPF_TAG_SIZE 8 diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index a877af0..1ac7630 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -1686,6 +1686,121 @@ static void bpf_fill_rand_ld_dw(struct bpf_test *self) .prog_type = BPF_PROG_TYPE_SK_SKB, }, { + "valid access family in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, family)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "valid access remote_ip4 in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, remote_ip4)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "valid access local_ip4 in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, local_ip4)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "valid access remote_port in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, remote_port)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "valid access local_port in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, local_port)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "valid access remote_ip6 in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, remote_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, remote_ip6[1])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, remote_ip6[2])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, remote_ip6[3])), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_SKB, + }, + { + "valid access local_ip6 in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, local_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, local_ip6[1])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, local_ip6[2])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct sk_msg_md, local_ip6[3])), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_SKB, + }, + { + "invalid 64B read of family in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, + offsetof(struct sk_msg_md, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "invalid read past end of SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct sk_msg_md, local_port) + 4), + BPF_EXIT_INSN(), + }, + .errstr = "", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { + "invalid read offset in SK_MSG", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, + offsetof(struct sk_msg_md, family) + 1), + BPF_EXIT_INSN(), + }, + .errstr = "", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_MSG, + }, + { "direct packet read for SK_MSG", .insns = { BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
Add tests for BPF_PROG_TYPE_SK_MSG to test_verifier for read access to new sk fields. Signed-off-by: John Fastabend <john.fastabend@gmail.com> --- tools/include/uapi/linux/bpf.h | 8 ++ tools/testing/selftests/bpf/test_verifier.c | 115 +++++++++++++++++++++++++++ 2 files changed, 123 insertions(+)