Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 751f05bc authored by Jakub Sitnicki's avatar Jakub Sitnicki Committed by Greg Kroah-Hartman
Browse files

selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads 



commit 8f50f16ff39dd4e2d43d1548ca66925652f8aff7 upstream.

Add coverage to the verifier tests and tests for reading bpf_sock fields to
ensure that 32-bit, 16-bit, and 8-bit loads from dst_port field are allowed
only at intended offsets and produce expected values.

While 16-bit and 8-bit access to dst_port field is straight-forward, 32-bit
wide loads need be allowed and produce a zero-padded 16-bit value for
backward compatibility.

Signed-off-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20220130115518.213259-3-jakub@cloudflare.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
[OP: backport to 5.4: cherry-pick verifier changes only]
Signed-off-by: default avatarOvidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7c1134c7

tools/include/uapi/linux/bpf.h

+2 −1
Original line number Diff line number Diff line
@@ -3068,7 +3068,8 @@ struct bpf_sock { 
	__u32 src_ip4;

	__u32 src_ip6[4];

	__u32 src_port;		/* host byte order */

	__u32 dst_port;		/* network byte order */

	__be16 dst_port;	/* network byte order */

	__u16 :16;		/* zero padding */

	__u32 dst_ip4;

	__u32 dst_ip6[4];

	__u32 state;

tools/testing/selftests/bpf/verifier/sock.c

+78 −3
Original line number Diff line number Diff line
@@ -121,7 +121,25 @@ 
	.result = ACCEPT,

},

{

	"sk_fullsock(skb->sk): sk->dst_port [narrow load]",

	"sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,

	.result = ACCEPT,

},

{

	"sk_fullsock(skb->sk): sk->dst_port [half load]",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
@@ -139,7 +157,64 @@ 
	.result = ACCEPT,

},

{

	"sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]",

	"sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,

	.result = REJECT,

	.errstr = "invalid sock access",

},

{

	"sk_fullsock(skb->sk): sk->dst_port [byte load]",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),

	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,

	.result = ACCEPT,

},

{

	"sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},

	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,

	.result = REJECT,

	.errstr = "invalid sock access",

},

{

	"sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",

	.insns = {

	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),

	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
@@ -149,7 +224,7 @@ 
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),

	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)),

	BPF_MOV64_IMM(BPF_REG_0, 0),

	BPF_EXIT_INSN(),

	},