* [PATCH bpf 0/2] Enlarge offset check value in bpf_skb_load_bytes
@ 2022-04-11 13:02 Liu Jian
2022-04-11 13:02 ` [PATCH bpf 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian
2022-04-11 13:02 ` [PATCH bpf 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian
0 siblings, 2 replies; 5+ messages in thread
From: Liu Jian @ 2022-04-11 13:02 UTC (permalink / raw)
To: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend,
kpsingh, davem, kuba, sdf, netdev, bpf
Cc: liujian56
The data length of skb frags + frag_list may be greater than 0xffff,
and skb_header_pointer can not handle negative offset and negative len.
So here INT_MAX is used to check the validity of offset and len.
And add the test case for the change.
Liu Jian (2):
net: Enlarge offset check value from 0xffff to INT_MAX in
bpf_skb_load_bytes
selftests: bpf: add test for skb_load_bytes
net/core/filter.c | 4 +-
.../selftests/bpf/prog_tests/skb_load_bytes.c | 65 +++++++++++++++++++
.../selftests/bpf/progs/skb_load_bytes.c | 37 +++++++++++
3 files changed, 104 insertions(+), 2 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
create mode 100644 tools/testing/selftests/bpf/progs/skb_load_bytes.c
--
2.17.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH bpf 1/2] net: Enlarge offset check value from 0xffff to INT_MAX in bpf_skb_load_bytes
2022-04-11 13:02 [PATCH bpf 0/2] Enlarge offset check value in bpf_skb_load_bytes Liu Jian
@ 2022-04-11 13:02 ` Liu Jian
2022-04-11 16:29 ` Song Liu
2022-04-11 13:02 ` [PATCH bpf 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian
1 sibling, 1 reply; 5+ messages in thread
From: Liu Jian @ 2022-04-11 13:02 UTC (permalink / raw)
To: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend,
kpsingh, davem, kuba, sdf, netdev, bpf
Cc: liujian56
The data length of skb frags + frag_list may be greater than 0xffff,
and skb_header_pointer can not handle negative offset and negative len.
So here INT_MAX is used to check the validity of offset and len.
Add the same change to the related function skb_store_bytes.
Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
Signed-off-by: Liu Jian <liujian56@huawei.com>
---
net/core/filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index a7044e98765e..b0a3b6489701 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1687,7 +1687,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset,
if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
return -EINVAL;
- if (unlikely(offset > 0xffff))
+ if (unlikely(offset > INT_MAX || len > INT_MAX))
return -EFAULT;
if (unlikely(bpf_try_make_writable(skb, offset + len)))
return -EFAULT;
@@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
{
void *ptr;
- if (unlikely(offset > 0xffff))
+ if (unlikely(offset > INT_MAX || len > INT_MAX))
goto err_clear;
ptr = skb_header_pointer(skb, offset, len, to);
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH bpf 2/2] selftests: bpf: add test for skb_load_bytes
2022-04-11 13:02 [PATCH bpf 0/2] Enlarge offset check value in bpf_skb_load_bytes Liu Jian
2022-04-11 13:02 ` [PATCH bpf 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian
@ 2022-04-11 13:02 ` Liu Jian
2022-04-11 16:37 ` Song Liu
1 sibling, 1 reply; 5+ messages in thread
From: Liu Jian @ 2022-04-11 13:02 UTC (permalink / raw)
To: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend,
kpsingh, davem, kuba, sdf, netdev, bpf
Cc: liujian56
Use bpf_prog_test_run_opts to test the skb_load_bytes function.
Tests behavior when offset is greater than INT_MAX or a normal value.
Signed-off-by: Liu Jian <liujian56@huawei.com>
---
.../selftests/bpf/prog_tests/skb_load_bytes.c | 65 +++++++++++++++++++
.../selftests/bpf/progs/skb_load_bytes.c | 37 +++++++++++
2 files changed, 102 insertions(+)
create mode 100644 tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
create mode 100644 tools/testing/selftests/bpf/progs/skb_load_bytes.c
diff --git a/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
new file mode 100644
index 000000000000..2e86f81d85f1
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <test_progs.h>
+#include <network_helpers.h>
+
+void test_skb_load_bytes(void)
+{
+ struct bpf_map *test_result;
+
+ __u32 map_key = 0;
+ __u32 map_value = 0;
+
+ struct bpf_object *obj;
+ int err, map_fd, prog_fd;
+
+ struct __sk_buff skb = { 0 };
+
+ LIBBPF_OPTS(bpf_test_run_opts, tattr,
+ .data_in = &pkt_v4,
+ .data_size_in = sizeof(pkt_v4),
+ .ctx_in = &skb,
+ .ctx_size_in = sizeof(skb),
+ );
+
+ err = bpf_prog_test_load("./skb_load_bytes.o", BPF_PROG_TYPE_SCHED_CLS, &obj,
+ &prog_fd);
+ if (CHECK_ATTR(err, "load", "err %d errno %d\n", err, errno))
+ return;
+
+ test_result = bpf_object__find_map_by_name(obj, "test_result");
+ if (CHECK_FAIL(!test_result))
+ goto close_bpf_object;
+
+ map_fd = bpf_map__fd(test_result);
+ if (map_fd < 0)
+ goto close_bpf_object;
+
+ map_key = 0;
+ map_value = -1;
+ err = bpf_map_update_elem(map_fd, &map_key, &map_value, BPF_ANY);
+ if (CHECK_FAIL(err))
+ goto close_bpf_object;
+ tattr.data_out = NULL;
+ tattr.data_size_out = 0;
+ err = bpf_prog_test_run_opts(prog_fd, &tattr);
+ CHECK_ATTR(err != 0, "offset -1", "err %d errno %d\n", err, errno);
+ map_key = 1;
+ bpf_map_lookup_elem(map_fd, &map_key, &map_value);
+ CHECK_ATTR(map_value != -14, "offset -1", "get result error\n");
+
+ map_key = 0;
+ map_value = 10;
+ err = bpf_map_update_elem(map_fd, &map_key, &map_value, BPF_ANY);
+ if (CHECK_FAIL(err))
+ goto close_bpf_object;
+ tattr.data_out = NULL;
+ tattr.data_size_out = 0;
+ err = bpf_prog_test_run_opts(prog_fd, &tattr);
+ CHECK_ATTR(err != 0, "offset 10", "err %d errno %d\n", err, errno);
+ map_key = 1;
+ bpf_map_lookup_elem(map_fd, &map_key, &map_value);
+ CHECK_ATTR(map_value != 0, "offset 10", "get result error\n");
+
+close_bpf_object:
+ bpf_object__close(obj);
+}
diff --git a/tools/testing/selftests/bpf/progs/skb_load_bytes.c b/tools/testing/selftests/bpf/progs/skb_load_bytes.c
new file mode 100644
index 000000000000..1652540aa45d
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/skb_load_bytes.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+char _license[] SEC("license") = "GPL";
+
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __uint(max_entries, 2);
+ __type(key, __u32);
+ __type(value, __u32);
+} test_result SEC(".maps");
+
+SEC("tc")
+int skb_process(struct __sk_buff *skb)
+{
+ char buf[16];
+ int ret = 0;
+ __u32 map_key = 0;
+ __u32 *offset = NULL;
+
+ offset = bpf_map_lookup_elem(&test_result, &map_key);
+ if (offset == NULL) {
+ bpf_printk("get offset failed\n");
+ map_key = 1;
+ ret = -1;
+ bpf_map_update_elem(&test_result, &map_key, &ret, BPF_ANY);
+ return ret;
+ }
+
+ ret = bpf_skb_load_bytes(skb, *offset, buf, 10);
+ map_key = 1;
+ bpf_map_update_elem(&test_result, &map_key, &ret, BPF_ANY);
+
+ return 0;
+}
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH bpf 1/2] net: Enlarge offset check value from 0xffff to INT_MAX in bpf_skb_load_bytes
2022-04-11 13:02 ` [PATCH bpf 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian
@ 2022-04-11 16:29 ` Song Liu
0 siblings, 0 replies; 5+ messages in thread
From: Song Liu @ 2022-04-11 16:29 UTC (permalink / raw)
To: Liu Jian
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin Lau,
Yonghong Song, John Fastabend, KP Singh, David S . Miller,
Jakub Kicinski, sdf, netdev, bpf
> On Apr 11, 2022, at 6:02 AM, Liu Jian <liujian56@huawei.com> wrote:
>
> The data length of skb frags + frag_list may be greater than 0xffff,
> and skb_header_pointer can not handle negative offset and negative len.
> So here INT_MAX is used to check the validity of offset and len.
> Add the same change to the related function skb_store_bytes.
>
> Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper")
> Signed-off-by: Liu Jian <liujian56@huawei.com>
Acked-by: Song Liu <songliubraving@fb.com>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH bpf 2/2] selftests: bpf: add test for skb_load_bytes
2022-04-11 13:02 ` [PATCH bpf 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian
@ 2022-04-11 16:37 ` Song Liu
0 siblings, 0 replies; 5+ messages in thread
From: Song Liu @ 2022-04-11 16:37 UTC (permalink / raw)
To: Liu Jian
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin Lau,
Yonghong Song, John Fastabend, KP Singh, David S . Miller,
Jakub Kicinski, Stanislav Fomichev, Networking, bpf
> On Apr 11, 2022, at 6:02 AM, Liu Jian <liujian56@huawei.com> wrote:
>
> Use bpf_prog_test_run_opts to test the skb_load_bytes function.
> Tests behavior when offset is greater than INT_MAX or a normal value.
>
> Signed-off-by: Liu Jian <liujian56@huawei.com>
> ---
> .../selftests/bpf/prog_tests/skb_load_bytes.c | 65 +++++++++++++++++++
> .../selftests/bpf/progs/skb_load_bytes.c | 37 +++++++++++
> 2 files changed, 102 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
> create mode 100644 tools/testing/selftests/bpf/progs/skb_load_bytes.c
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
> new file mode 100644
> index 000000000000..2e86f81d85f1
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c
> @@ -0,0 +1,65 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <test_progs.h>
> +#include <network_helpers.h>
> +
> +void test_skb_load_bytes(void)
> +{
> + struct bpf_map *test_result;
> +
> + __u32 map_key = 0;
> + __u32 map_value = 0;
> +
> + struct bpf_object *obj;
> + int err, map_fd, prog_fd;
> +
> + struct __sk_buff skb = { 0 };
> +
> + LIBBPF_OPTS(bpf_test_run_opts, tattr,
> + .data_in = &pkt_v4,
> + .data_size_in = sizeof(pkt_v4),
> + .ctx_in = &skb,
> + .ctx_size_in = sizeof(skb),
> + );
> +
> + err = bpf_prog_test_load("./skb_load_bytes.o", BPF_PROG_TYPE_SCHED_CLS, &obj,
> + &prog_fd);
Why don't we use bpf skeleton?
> + if (CHECK_ATTR(err, "load", "err %d errno %d\n", err, errno))
> + return;
> +
> + test_result = bpf_object__find_map_by_name(obj, "test_result");
> + if (CHECK_FAIL(!test_result))
> + goto close_bpf_object;
> +
> + map_fd = bpf_map__fd(test_result);
> + if (map_fd < 0)
> + goto close_bpf_object;
> +
> + map_key = 0;
> + map_value = -1;
> + err = bpf_map_update_elem(map_fd, &map_key, &map_value, BPF_ANY);
> + if (CHECK_FAIL(err))
> + goto close_bpf_object;
> + tattr.data_out = NULL;
> + tattr.data_size_out = 0;
> + err = bpf_prog_test_run_opts(prog_fd, &tattr);
> + CHECK_ATTR(err != 0, "offset -1", "err %d errno %d\n", err, errno);
> + map_key = 1;
> + bpf_map_lookup_elem(map_fd, &map_key, &map_value);
> + CHECK_ATTR(map_value != -14, "offset -1", "get result error\n");
> +
> + map_key = 0;
> + map_value = 10;
> + err = bpf_map_update_elem(map_fd, &map_key, &map_value, BPF_ANY);
> + if (CHECK_FAIL(err))
> + goto close_bpf_object;
> + tattr.data_out = NULL;
> + tattr.data_size_out = 0;
> + err = bpf_prog_test_run_opts(prog_fd, &tattr);
> + CHECK_ATTR(err != 0, "offset 10", "err %d errno %d\n", err, errno);
> + map_key = 1;
> + bpf_map_lookup_elem(map_fd, &map_key, &map_value);
> + CHECK_ATTR(map_value != 0, "offset 10", "get result error\n");
> +
> +close_bpf_object:
> + bpf_object__close(obj);
> +}
> diff --git a/tools/testing/selftests/bpf/progs/skb_load_bytes.c b/tools/testing/selftests/bpf/progs/skb_load_bytes.c
> new file mode 100644
> index 000000000000..1652540aa45d
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/skb_load_bytes.c
> @@ -0,0 +1,37 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +
> +char _license[] SEC("license") = "GPL";
> +
> +struct {
> + __uint(type, BPF_MAP_TYPE_ARRAY);
> + __uint(max_entries, 2);
> + __type(key, __u32);
> + __type(value, __u32);
> +} test_result SEC(".maps");
We can simplify the code with BPF global variable for these. It is
technical equivalent to a map, but much easier to use.
> +
> +SEC("tc")
> +int skb_process(struct __sk_buff *skb)
> +{
> + char buf[16];
> + int ret = 0;
> + __u32 map_key = 0;
> + __u32 *offset = NULL;
> +
> + offset = bpf_map_lookup_elem(&test_result, &map_key);
> + if (offset == NULL) {
> + bpf_printk("get offset failed\n");
bpf_printk doesn't add much value in selftests.
> + map_key = 1;
> + ret = -1;
> + bpf_map_update_elem(&test_result, &map_key, &ret, BPF_ANY);
> + return ret;
> + }
> +
> + ret = bpf_skb_load_bytes(skb, *offset, buf, 10);
> + map_key = 1;
> + bpf_map_update_elem(&test_result, &map_key, &ret, BPF_ANY);
> +
> + return 0;
> +}
> --
> 2.17.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-04-11 16:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-11 13:02 [PATCH bpf 0/2] Enlarge offset check value in bpf_skb_load_bytes Liu Jian
2022-04-11 13:02 ` [PATCH bpf 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian
2022-04-11 16:29 ` Song Liu
2022-04-11 13:02 ` [PATCH bpf 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian
2022-04-11 16:37 ` Song Liu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.