From: Jakub Sitnicki <jakub@cloudflare.com> To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: dccp@vger.kernel.org, kernel-team@cloudflare.com, Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Gerrit Renker <gerrit@erg.abdn.ac.uk>, Jakub Kicinski <kuba@kernel.org>, Andrii Nakryiko <andrii.nakryiko@gmail.com>, Martin KaFai Lau <kafai@fb.com> Subject: [PATCH bpf-next v2 15/17] selftests/bpf: Add verifier tests for bpf_sk_lookup context access Date: Mon, 11 May 2020 20:52:16 +0200 [thread overview] Message-ID: <20200511185218.1422406-16-jakub@cloudflare.com> (raw) In-Reply-To: <20200511185218.1422406-1-jakub@cloudflare.com> Exercise verifier access checks for bpf_sk_lookup context fields. Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> --- Notes: v2: - Adjust for fields renames in struct bpf_sk_lookup. .../selftests/bpf/verifier/ctx_sk_lookup.c | 694 ++++++++++++++++++ 1 file changed, 694 insertions(+) create mode 100644 tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c diff --git a/tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c b/tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c new file mode 100644 index 000000000000..223163172fa9 --- /dev/null +++ b/tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c @@ -0,0 +1,694 @@ +{ + "valid 1,2,4-byte read bpf_sk_lookup remote_ip4", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4) + 3), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup remote_ip4", + .insns = { + /* 8-byte read */ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 4-byte write */ + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 4-byte write */ + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 2-byte write */ + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 1-byte write */ + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 1,2,4-byte read bpf_sk_lookup local_ip4", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4) + 3), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup local_ip4", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 1,2,4-byte read bpf_sk_lookup remote_ip6", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[3])), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[3]) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[3]) + 3), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup remote_ip6", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 1,2,4-byte read bpf_sk_lookup local_ip6", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[3])), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[3]) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[3]) + 3), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup local_ip6", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, -- 2.25.3
WARNING: multiple messages have this Message-ID (diff)
From: Jakub Sitnicki <jakub@cloudflare.com> To: dccp@vger.kernel.org Subject: [PATCH bpf-next v2 15/17] selftests/bpf: Add verifier tests for bpf_sk_lookup context access Date: Mon, 11 May 2020 18:52:16 +0000 [thread overview] Message-ID: <20200511185218.1422406-16-jakub@cloudflare.com> (raw) Exercise verifier access checks for bpf_sk_lookup context fields. Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> --- Notes: v2: - Adjust for fields renames in struct bpf_sk_lookup. .../selftests/bpf/verifier/ctx_sk_lookup.c | 694 ++++++++++++++++++ 1 file changed, 694 insertions(+) create mode 100644 tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c diff --git a/tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c b/tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c new file mode 100644 index 000000000000..223163172fa9 --- /dev/null +++ b/tools/testing/selftests/bpf/verifier/ctx_sk_lookup.c @@ -0,0 +1,694 @@ +{ + "valid 1,2,4-byte read bpf_sk_lookup remote_ip4", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4) + 3), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup remote_ip4", + .insns = { + /* 8-byte read */ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 4-byte write */ + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 4-byte write */ + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 2-byte write */ + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup remote_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + /* 1-byte write */ + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 1,2,4-byte read bpf_sk_lookup local_ip4", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4) + 3), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup local_ip4", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup local_ip4", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x7f000001U), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip4)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 1,2,4-byte read bpf_sk_lookup remote_ip6", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[3])), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[3]) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[3]) + 3), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup remote_ip6", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup remote_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 1,2,4-byte read bpf_sk_lookup local_ip6", + .insns = { + /* 4-byte read */ + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[3])), + /* 2-byte read */ + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[3]) + 2), + /* 1-byte read */ + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[3]) + 3), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup local_ip6", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup local_ip6", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0x00000001U), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_ip6[0])), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup remote_port", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup remote_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, remote_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup local_port", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup local_port", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, local_port)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup family", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup family", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, family)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "valid 4-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte read bpf_sk_lookup protocol", + .insns = { + BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 8-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 4-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 2-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, +{ + "invalid 1-byte write bpf_sk_lookup protocol", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 1234), + BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, + offsetof(struct bpf_sk_lookup, protocol)), + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + .prog_type = BPF_PROG_TYPE_SK_LOOKUP, +}, -- 2.25.3
next prev parent reply other threads:[~2020-05-11 18:52 UTC|newest] Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-05-11 18:52 [PATCH bpf-next v2 00/17] Run a BPF program on socket lookup Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 01/17] flow_dissector: Extract attach/detach/query helpers Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 02/17] bpf: Introduce SK_LOOKUP program type with a dedicated attach point Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 19:06 ` Jakub Sitnicki 2020-05-11 19:06 ` Jakub Sitnicki 2020-05-13 5:41 ` Martin KaFai Lau 2020-05-13 5:41 ` Martin KaFai Lau 2020-05-13 14:34 ` Jakub Sitnicki 2020-05-13 14:34 ` Jakub Sitnicki 2020-05-13 18:10 ` Martin KaFai Lau 2020-05-13 18:10 ` Martin KaFai Lau 2020-05-11 18:52 ` [PATCH bpf-next v2 03/17] inet: Store layer 4 protocol in inet_hashinfo Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 04/17] inet: Extract helper for selecting socket from reuseport group Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 05/17] inet: Run SK_LOOKUP BPF program on socket lookup Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 20:44 ` Alexei Starovoitov 2020-05-11 20:44 ` Alexei Starovoitov 2020-05-12 13:52 ` Jakub Sitnicki 2020-05-12 13:52 ` Jakub Sitnicki 2020-05-12 23:58 ` Alexei Starovoitov 2020-05-12 23:58 ` Alexei Starovoitov 2020-05-13 13:55 ` Jakub Sitnicki 2020-05-13 13:55 ` Jakub Sitnicki 2020-05-13 14:21 ` Lorenz Bauer 2020-05-13 14:21 ` Lorenz Bauer 2020-05-13 14:50 ` Jakub Sitnicki 2020-05-13 14:50 ` Jakub Sitnicki 2020-05-15 12:28 ` Jakub Sitnicki 2020-05-15 12:28 ` Jakub Sitnicki 2020-05-15 15:07 ` Alexei Starovoitov 2020-05-15 15:07 ` Alexei Starovoitov 2020-05-11 18:52 ` [PATCH bpf-next v2 06/17] inet6: Extract helper for selecting socket from reuseport group Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 07/17] inet6: Run SK_LOOKUP BPF program on socket lookup Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 08/17] udp: Store layer 4 protocol in udp_table Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 09/17] udp: Extract helper for selecting socket from reuseport group Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 10/17] udp: Run SK_LOOKUP BPF program on socket lookup Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 11/17] udp6: Extract helper for selecting socket from reuseport group Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 12/17] udp6: Run SK_LOOKUP BPF program on socket lookup Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 13/17] bpf: Sync linux/bpf.h to tools/ Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 14/17] libbpf: Add support for SK_LOOKUP program type Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki [this message] 2020-05-11 18:52 ` [PATCH bpf-next v2 15/17] selftests/bpf: Add verifier tests for bpf_sk_lookup context access Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 16/17] selftests/bpf: Rename test_sk_lookup_kern.c to test_ref_track_kern.c Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 18:52 ` [PATCH bpf-next v2 17/17] selftests/bpf: Tests for BPF_SK_LOOKUP attach point Jakub Sitnicki 2020-05-11 18:52 ` Jakub Sitnicki 2020-05-11 19:45 ` [PATCH bpf-next v2 00/17] Run a BPF program on socket lookup Martin KaFai Lau 2020-05-11 19:45 ` Martin KaFai Lau 2020-05-12 11:57 ` Jakub Sitnicki 2020-05-12 11:57 ` Jakub Sitnicki 2020-05-12 16:34 ` Martin KaFai Lau 2020-05-12 16:34 ` Martin KaFai Lau 2020-05-13 17:54 ` Jakub Sitnicki 2020-05-13 17:54 ` Jakub Sitnicki
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200511185218.1422406-16-jakub@cloudflare.com \ --to=jakub@cloudflare.com \ --cc=andrii.nakryiko@gmail.com \ --cc=ast@kernel.org \ --cc=bpf@vger.kernel.org \ --cc=daniel@iogearbox.net \ --cc=davem@davemloft.net \ --cc=dccp@vger.kernel.org \ --cc=edumazet@google.com \ --cc=gerrit@erg.abdn.ac.uk \ --cc=kafai@fb.com \ --cc=kernel-team@cloudflare.com \ --cc=kuba@kernel.org \ --cc=netdev@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.