* [PATCH bpf v2 0/2] Enlarge offset check value in bpf_skb_load_bytes @ 2022-04-13 6:21 Liu Jian 2022-04-13 6:21 ` [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian 2022-04-13 6:21 ` [PATCH bpf v2 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian 0 siblings, 2 replies; 5+ messages in thread From: Liu Jian @ 2022-04-13 6:21 UTC (permalink / raw) To: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh, davem, kuba, sdf, netdev, bpf Cc: liujian56 The data length of skb frags + frag_list may be greater than 0xffff, and skb_header_pointer can not handle negative offset and negative len. So here INT_MAX is used to check the validity of offset and len. And add the test case for the change. Liu Jian (2): net: Enlarge offset check value from 0xffff to INT_MAX in bpf_skb_load_bytes selftests: bpf: add test for skb_load_bytes net/core/filter.c | 4 +- .../selftests/bpf/prog_tests/skb_load_bytes.c | 45 +++++++++++++++++++ .../selftests/bpf/progs/skb_load_bytes.c | 19 ++++++++ 3 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c create mode 100644 tools/testing/selftests/bpf/progs/skb_load_bytes.c -- 2.17.1 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to INT_MAX in bpf_skb_load_bytes 2022-04-13 6:21 [PATCH bpf v2 0/2] Enlarge offset check value in bpf_skb_load_bytes Liu Jian @ 2022-04-13 6:21 ` Liu Jian 2022-04-13 22:23 ` Daniel Borkmann 2022-04-13 6:21 ` [PATCH bpf v2 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian 1 sibling, 1 reply; 5+ messages in thread From: Liu Jian @ 2022-04-13 6:21 UTC (permalink / raw) To: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh, davem, kuba, sdf, netdev, bpf Cc: liujian56 The data length of skb frags + frag_list may be greater than 0xffff, and skb_header_pointer can not handle negative offset and negative len. So here INT_MAX is used to check the validity of offset and len. Add the same change to the related function skb_store_bytes. Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper") Signed-off-by: Liu Jian <liujian56@huawei.com> Acked-by: Song Liu <songliubraving@fb.com> --- v1->v2: change nothing, only add Acked-by tag net/core/filter.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 64470a727ef7..1571b6bc51ea 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -1687,7 +1687,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset, if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH))) return -EINVAL; - if (unlikely(offset > 0xffff)) + if (unlikely(offset > INT_MAX || len > INT_MAX)) return -EFAULT; if (unlikely(bpf_try_make_writable(skb, offset + len))) return -EFAULT; @@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset, { void *ptr; - if (unlikely(offset > 0xffff)) + if (unlikely(offset > INT_MAX || len > INT_MAX)) goto err_clear; ptr = skb_header_pointer(skb, offset, len, to); -- 2.17.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to INT_MAX in bpf_skb_load_bytes 2022-04-13 6:21 ` [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian @ 2022-04-13 22:23 ` Daniel Borkmann 0 siblings, 0 replies; 5+ messages in thread From: Daniel Borkmann @ 2022-04-13 22:23 UTC (permalink / raw) To: Liu Jian, ast, andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh, davem, kuba, sdf, netdev, bpf On 4/13/22 8:21 AM, Liu Jian wrote: > The data length of skb frags + frag_list may be greater than 0xffff, > and skb_header_pointer can not handle negative offset and negative len. > So here INT_MAX is used to check the validity of offset and len. > Add the same change to the related function skb_store_bytes. > > Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper") > Signed-off-by: Liu Jian <liujian56@huawei.com> > Acked-by: Song Liu <songliubraving@fb.com> > --- > v1->v2: change nothing, only add Acked-by tag > net/core/filter.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/core/filter.c b/net/core/filter.c > index 64470a727ef7..1571b6bc51ea 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -1687,7 +1687,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset, > > if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH))) > return -EINVAL; > - if (unlikely(offset > 0xffff)) > + if (unlikely(offset > INT_MAX || len > INT_MAX)) > return -EFAULT; > if (unlikely(bpf_try_make_writable(skb, offset + len))) > return -EFAULT; > @@ -1722,7 +1722,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset, > { > void *ptr; > > - if (unlikely(offset > 0xffff)) > + if (unlikely(offset > INT_MAX || len > INT_MAX)) > goto err_clear; > > ptr = skb_header_pointer(skb, offset, len, to); > While at it, lets also change skb_ensure_writable()'s write_len param to unsigned int type. Both pskb_may_pull() and skb_clone_writable()'s length parameters are of type unsigned int already. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH bpf v2 2/2] selftests: bpf: add test for skb_load_bytes 2022-04-13 6:21 [PATCH bpf v2 0/2] Enlarge offset check value in bpf_skb_load_bytes Liu Jian 2022-04-13 6:21 ` [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian @ 2022-04-13 6:21 ` Liu Jian 2022-04-13 21:11 ` Song Liu 1 sibling, 1 reply; 5+ messages in thread From: Liu Jian @ 2022-04-13 6:21 UTC (permalink / raw) To: ast, daniel, andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh, davem, kuba, sdf, netdev, bpf Cc: liujian56 Use bpf_prog_test_run_opts to test the skb_load_bytes function. Tests the behavior when offset is greater than INT_MAX or a normal value. Signed-off-by: Liu Jian <liujian56@huawei.com> --- v1->v2: As Liu Song's review comments, use bpf skeleton and global variable. .../selftests/bpf/prog_tests/skb_load_bytes.c | 45 +++++++++++++++++++ .../selftests/bpf/progs/skb_load_bytes.c | 19 ++++++++ 2 files changed, 64 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c create mode 100644 tools/testing/selftests/bpf/progs/skb_load_bytes.c diff --git a/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c new file mode 100644 index 000000000000..81cc224a0c69 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c @@ -0,0 +1,45 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <test_progs.h> +#include <network_helpers.h> +#include "skb_load_bytes.skel.h" + +void test_skb_load_bytes(void) +{ + struct skb_load_bytes *skel; + int err, prog_fd, test_result; + struct __sk_buff skb = { 0 }; + + LIBBPF_OPTS(bpf_test_run_opts, tattr, + .data_in = &pkt_v4, + .data_size_in = sizeof(pkt_v4), + .ctx_in = &skb, + .ctx_size_in = sizeof(skb), + ); + + skel = skb_load_bytes__open_and_load(); + if (!ASSERT_OK_PTR(skel, "skel_open_and_load")) + return; + + prog_fd = bpf_program__fd(skel->progs.skb_process); + if (prog_fd < 0) + goto out; + + skel->bss->load_offset = (uint32_t)(-1); + tattr.data_out = NULL; + tattr.data_size_out = 0; + err = bpf_prog_test_run_opts(prog_fd, &tattr); + CHECK_ATTR(err != 0, "offset -1", "err %d errno %d\n", err, errno); + test_result = skel->bss->test_result; + CHECK_ATTR(test_result != -EFAULT, "offset -1", "test error\n"); + + skel->bss->load_offset = (uint32_t)10; + tattr.data_out = NULL; + tattr.data_size_out = 0; + err = bpf_prog_test_run_opts(prog_fd, &tattr); + CHECK_ATTR(err != 0, "offset 10", "err %d errno %d\n", err, errno); + test_result = skel->bss->test_result; + CHECK_ATTR(test_result != 0, "offset 10", "test error\n"); + +out: + skb_load_bytes__destroy(skel); +} diff --git a/tools/testing/selftests/bpf/progs/skb_load_bytes.c b/tools/testing/selftests/bpf/progs/skb_load_bytes.c new file mode 100644 index 000000000000..e4252fd973be --- /dev/null +++ b/tools/testing/selftests/bpf/progs/skb_load_bytes.c @@ -0,0 +1,19 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/bpf.h> +#include <bpf/bpf_helpers.h> + +char _license[] SEC("license") = "GPL"; + +__u32 load_offset = 0; +int test_result = 0; + +SEC("tc") +int skb_process(struct __sk_buff *skb) +{ + char buf[16]; + + test_result = bpf_skb_load_bytes(skb, load_offset, buf, 10); + + return 0; +} -- 2.17.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH bpf v2 2/2] selftests: bpf: add test for skb_load_bytes 2022-04-13 6:21 ` [PATCH bpf v2 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian @ 2022-04-13 21:11 ` Song Liu 0 siblings, 0 replies; 5+ messages in thread From: Song Liu @ 2022-04-13 21:11 UTC (permalink / raw) To: Liu Jian Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin Lau, Yonghong Song, John Fastabend, KP Singh, David S . Miller, Jakub Kicinski, Stanislav Fomichev, Networking, bpf I guess this should go via bpf-next instead? Please mark the patches with prefix "PATCH bpf-next". > On Apr 12, 2022, at 11:21 PM, Liu Jian <liujian56@huawei.com> wrote: > > Use bpf_prog_test_run_opts to test the skb_load_bytes function. > Tests the behavior when offset is greater than INT_MAX or a normal value. > > Signed-off-by: Liu Jian <liujian56@huawei.com> > --- > v1->v2: As Liu Song's review comments, use bpf skeleton and global variable. > .../selftests/bpf/prog_tests/skb_load_bytes.c | 45 +++++++++++++++++++ > .../selftests/bpf/progs/skb_load_bytes.c | 19 ++++++++ > 2 files changed, 64 insertions(+) > create mode 100644 tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c > create mode 100644 tools/testing/selftests/bpf/progs/skb_load_bytes.c > > diff --git a/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c > new file mode 100644 > index 000000000000..81cc224a0c69 > --- /dev/null > +++ b/tools/testing/selftests/bpf/prog_tests/skb_load_bytes.c > @@ -0,0 +1,45 @@ > +// SPDX-License-Identifier: GPL-2.0 > +#include <test_progs.h> > +#include <network_helpers.h> > +#include "skb_load_bytes.skel.h" > + > +void test_skb_load_bytes(void) > +{ > + struct skb_load_bytes *skel; > + int err, prog_fd, test_result; > + struct __sk_buff skb = { 0 }; > + > + LIBBPF_OPTS(bpf_test_run_opts, tattr, > + .data_in = &pkt_v4, > + .data_size_in = sizeof(pkt_v4), > + .ctx_in = &skb, > + .ctx_size_in = sizeof(skb), > + ); > + > + skel = skb_load_bytes__open_and_load(); > + if (!ASSERT_OK_PTR(skel, "skel_open_and_load")) > + return; > + > + prog_fd = bpf_program__fd(skel->progs.skb_process); > + if (prog_fd < 0) > + goto out; I guess we should report error here? like if (ASSERT_GE(prog_fd, 0, "prog_fd")) goto out; > + > + skel->bss->load_offset = (uint32_t)(-1); > + tattr.data_out = NULL; > + tattr.data_size_out = 0; > + err = bpf_prog_test_run_opts(prog_fd, &tattr); > + CHECK_ATTR(err != 0, "offset -1", "err %d errno %d\n", err, errno); We can use ASSERT_OK() here. > + test_result = skel->bss->test_result; > + CHECK_ATTR(test_result != -EFAULT, "offset -1", "test error\n"); And ASSERT_NEQ > + > + skel->bss->load_offset = (uint32_t)10; > + tattr.data_out = NULL; > + tattr.data_size_out = 0; I guess = NULL and = 0 are not needed here. > + err = bpf_prog_test_run_opts(prog_fd, &tattr); > + CHECK_ATTR(err != 0, "offset 10", "err %d errno %d\n", err, errno); > + test_result = skel->bss->test_result; > + CHECK_ATTR(test_result != 0, "offset 10", "test error\n"); > + > +out: > + skb_load_bytes__destroy(skel); > +} > diff --git a/tools/testing/selftests/bpf/progs/skb_load_bytes.c b/tools/testing/selftests/bpf/progs/skb_load_bytes.c > new file mode 100644 > index 000000000000..e4252fd973be > --- /dev/null > +++ b/tools/testing/selftests/bpf/progs/skb_load_bytes.c > @@ -0,0 +1,19 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +#include <linux/bpf.h> > +#include <bpf/bpf_helpers.h> > + > +char _license[] SEC("license") = "GPL"; > + > +__u32 load_offset = 0; > +int test_result = 0; > + > +SEC("tc") > +int skb_process(struct __sk_buff *skb) > +{ > + char buf[16]; > + > + test_result = bpf_skb_load_bytes(skb, load_offset, buf, 10); > + > + return 0; > +} > -- > 2.17.1 > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-04-13 23:07 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-04-13 6:21 [PATCH bpf v2 0/2] Enlarge offset check value in bpf_skb_load_bytes Liu Jian 2022-04-13 6:21 ` [PATCH bpf v2 1/2] net: Enlarge offset check value from 0xffff to INT_MAX " Liu Jian 2022-04-13 22:23 ` Daniel Borkmann 2022-04-13 6:21 ` [PATCH bpf v2 2/2] selftests: bpf: add test for skb_load_bytes Liu Jian 2022-04-13 21:11 ` Song Liu
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.