2d2be8cab2
LLVM can generate code that tests for direct packet access via
skb->data/data_end in a way that currently gets rejected by the
verifier, example:

  [...]
  7: (61) r3 = *(u32 *)(r6 +80)
  8: (61) r9 = *(u32 *)(r6 +76)
  9: (bf) r2 = r9
  10: (07) r2 += 54
  11: (3d) if r3 >= r2 goto pc+12
   R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx
   R9=pkt(id=0,off=0,r=0) R10=fp
  12: (18) r4 = 0xffffff7a
  14: (05) goto pc+430
  [...]

  from 11 to 24: R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv
                 R6=ctx R9=pkt(id=0,off=0,r=0) R10=fp
  24: (7b) *(u64 *)(r10 -40) = r1
  25: (b7) r1 = 0
  26: (63) *(u32 *)(r6 +56) = r1
  27: (b7) r2 = 40
  28: (71) r8 = *(u8 *)(r9 +20)
  invalid access to packet, off=20 size=1, R9(id=0,off=0,r=0)

The reason why this gets rejected despite a proper test is that we
currently call find_good_pkt_pointers() only in case where we detect
tests like rX > pkt_end, where rX is of type pkt(id=Y,off=Z,r=0) and
derived, for example, from a register of type pkt(id=Y,off=0,r=0)
pointing to skb->data. find_good_pkt_pointers() then fills the range
in the current branch to pkt(id=Y,off=0,r=Z) on success.

For above case, we need to extend that to recognize pkt_end >= rX
pattern and mark the other branch that is taken on success with the
appropriate pkt(id=Y,off=0,r=Z) type via find_good_pkt_pointers().
Since eBPF operates on BPF_JGT (>) and BPF_JGE (>=), these are the
only two practical options to test for from what LLVM could have
generated, since there's no such thing as BPF_JLT (<) or BPF_JLE (<=)
that we would need to take into account as well.

After the fix:

  [...]
  7: (61) r3 = *(u32 *)(r6 +80)
  8: (61) r9 = *(u32 *)(r6 +76)
  9: (bf) r2 = r9
  10: (07) r2 += 54
  11: (3d) if r3 >= r2 goto pc+12
   R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx
   R9=pkt(id=0,off=0,r=0) R10=fp
  12: (18) r4 = 0xffffff7a
  14: (05) goto pc+430
  [...]

  from 11 to 24: R1=inv R2=pkt(id=0,off=54,r=54) R3=pkt_end R4=inv
                 R6=ctx R9=pkt(id=0,off=0,r=54) R10=fp
  24: (7b) *(u64 *)(r10 -40) = r1
  25: (b7) r1 = 0
  26: (63) *(u32 *)(r6 +56) = r1
  27: (b7) r2 = 40
  28: (71) r8 = *(u8 *)(r9 +20)
  29: (bf) r1 = r8
  30: (25) if r8 > 0x3c goto pc+47
   R1=inv56 R2=imm40 R3=pkt_end R4=inv R6=ctx R8=inv56
   R9=pkt(id=0,off=0,r=54) R10=fp
  31: (b7) r1 = 1
  [...]

Verifier test cases are also added in this work, one that demonstrates
the mentioned example here and one that tries a bad packet access for
the current/fall-through branch (the one with types pkt(id=X,off=Y,r=0),
pkt(id=X,off=0,r=0)), then a case with good and bad accesses, and two
with both test variants (>, >=).

Fixes:
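
The branch handling described in the commit message above, as an added user-space model; it is not the kernel's verifier code and not part of this commit. The names `struct reg`, `mark_range`, `cond_jmp`, `pkt_access_ok` and `load_r9_20_ok` are hypothetical, and the register layout is reduced to the type, id, off and r fields shown in the log.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum reg_type { NOT_INIT, PKT, PKT_END };
enum jmp_op { JGT, JGE };   /* the only two compares named in the message */
struct reg { enum reg_type type; int id, off, range; };
#define NREGS 11

/* Simplified stand-in for find_good_pkt_pointers(): same-id pkt regs get r=off. */
static void mark_range(struct reg *regs, int tested)
{
    int id = regs[tested].id, r = regs[tested].off;
    for (int i = 0; i < NREGS; i++)
        if (regs[i].type == PKT && regs[i].id == id)
            regs[i].range = r;
}

/* Model of "if dst OP src goto target": updates the two branch states. */
static void cond_jmp(enum jmp_op op, int dst, int src,
                     struct reg *taken, struct reg *fall, bool with_fix)
{
    if (op == JGT && fall[dst].type == PKT && fall[src].type == PKT_END)
        mark_range(fall, dst);   /* rX > pkt_end: fall-through is in bounds */
    else if (with_fix && op == JGE && taken[dst].type == PKT_END && taken[src].type == PKT)
        mark_range(taken, src);  /* pkt_end >= rX: taken branch is in bounds */
}

/* A packet load is accepted only if it ends inside the proven range r. */
static bool pkt_access_ok(const struct reg *r, int off, int size)
{
    return r->type == PKT && off >= 0 && r->off + off + size <= r->range;
}

/* Replays insns 9-11 and 28 of the log; branch 1 = taken, 0 = fall-through. */
static bool load_r9_20_ok(bool with_fix, int branch)
{
    struct reg taken[NREGS] = {0}, fall[NREGS];
    taken[2] = (struct reg){ PKT, 0, 54, 0 };    /* r2 = r9; r2 += 54 */
    taken[3] = (struct reg){ PKT_END, 0, 0, 0 }; /* skb->data_end */
    taken[9] = (struct reg){ PKT, 0, 0, 0 };     /* skb->data */
    memcpy(fall, taken, sizeof(fall));
    cond_jmp(JGE, 3, 2, taken, fall, with_fix);  /* 11: if r3 >= r2 goto */
    return pkt_access_ok(branch ? &taken[9] : &fall[9], 20, 1);
}

int main(void)
{
    printf("before fix %d, after fix %d\n", load_r9_20_ok(false, 1), load_r9_20_ok(true, 1));
    return 0;
}
```

The fall-through branch of the `>=` test keeps r=0 in the model, which corresponds to the bad-access test case the message mentions for that branch.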

bpf_helpers.h
bpf_load.c
bpf_load.h
fds_example.c
lathist_kern.c
lathist_user.c
libbpf.c
libbpf.h
Makefile
map_perf_test_kern.c
map_perf_test_user.c
offwaketime_kern.c
offwaketime_user.c
parse_ldabs.c
parse_simple.c
parse_varlen.c
README.rst
sampleip_kern.c
sampleip_user.c
sock_example.c
sockex1_kern.c
sockex1_user.c
sockex2_kern.c
sockex2_user.c
sockex3_kern.c
sockex3_user.c
spintest_kern.c
spintest_user.c
tcbpf1_kern.c
tcbpf2_kern.c
test_cgrp2_array_pin.c
test_cgrp2_tc_kern.c
test_cgrp2_tc.sh
test_cls_bpf.sh
test_current_task_under_cgroup_kern.c
test_current_task_under_cgroup_user.c
test_maps.c
test_overhead_kprobe_kern.c
test_overhead_tp_kern.c
test_overhead_user.c
test_probe_write_user_kern.c
test_probe_write_user_user.c
test_tunnel_bpf.sh
test_verifier.c
trace_event_kern.c
trace_event_user.c
trace_output_kern.c
trace_output_user.c
tracex1_kern.c
tracex1_user.c
tracex2_kern.c
tracex2_user.c
tracex3_kern.c
tracex3_user.c
tracex4_kern.c
tracex4_user.c
tracex5_kern.c
tracex5_user.c
tracex6_kern.c
tracex6_user.c
xdp1_kern.c
xdp1_user.c
xdp2_kern.c

eBPF sample programs
====================

This directory contains a mini eBPF library, test stubs, verifier
test-suite and examples for using eBPF.

Build dependencies
==================

Compiling requires having installed:

* clang >= version 3.4.0
* llvm >= version 3.7.1

Note that LLVM's tool 'llc' must support target 'bpf'; list the version
and supported targets with the command ``llc --version``

Kernel headers
--------------

There are usually dependencies to header files of the current kernel.
To avoid installing devel kernel headers system wide, as a normal
user, simply call::

 make headers_install

This will create a local "usr/include" directory in the git/build top
level directory, which the make system automatically picks up first.

Compiling
=========

For building the BPF samples, issue the below command from the kernel
top level directory::

 make samples/bpf/

Do notice the "/" slash after the directory name.

It is also possible to call make from this directory. This will just
hide the invocation of make as above with the appended "/".

Manually compiling LLVM with 'bpf' support
------------------------------------------

Since version 3.7.0, LLVM adds a proper LLVM backend target for the
BPF bytecode architecture.

By default llvm will build all non-experimental backends including bpf.
To generate a smaller llc binary one can use::

 -DLLVM_TARGETS_TO_BUILD="BPF"

Quick snippet for manually compiling LLVM and clang
(build dependencies are cmake and gcc-c++)::

 $ git clone http://llvm.org/git/llvm.git
 $ cd llvm/tools
 $ git clone --depth 1 http://llvm.org/git/clang.git
 $ cd ..; mkdir build; cd build
 $ cmake .. -DLLVM_TARGETS_TO_BUILD="BPF;X86"
 $ make -j $(getconf _NPROCESSORS_ONLN)

It is also possible to point make to the newly compiled 'llc' or
'clang' command via redefining LLC or CLANG on the make command line::

 make samples/bpf/ LLC=~/git/llvm/build/bin/llc CLANG=~/git/llvm/build/bin/clang