t_bpfilter.c revision 313498
1/*	$NetBSD: t_bpfilter.c,v 1.10 2015/02/11 23:39:07 alnsn Exp $	*/
2
3/*-
4 * Copyright (c) 2012 The NetBSD Foundation, Inc.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
16 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
21 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25 * SUCH DAMAGE.
26 */
27#include <sys/cdefs.h>
28__RCSID("$NetBSD: t_bpfilter.c,v 1.10 2015/02/11 23:39:07 alnsn Exp $");
29
30#include <sys/param.h>
31#include <sys/ioctl.h>
32#include <sys/socket.h>
33#include <sys/mbuf.h>
34#include <sys/sysctl.h>
35#include <sys/mman.h>
36#include <sys/wait.h>
37#include <unistd.h>
38
39#include <net/if.h>
40#include <net/if_ether.h>
41#include <net/bpf.h>
42
43#include <fcntl.h>
44#include <stdint.h>
45#include <stdio.h>
46#include <string.h>
47
48#include <rump/rump.h>
49#include <rump/rump_syscalls.h>
50
51/* XXX: atf-c.h has collisions with mbuf */
52#undef m_type
53#undef m_data
54#include <atf-c.h>
55
56#include "../../h_macros.h"
57#include "../config/netconfig.c"
58
59
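/*
 * Value returned by the accepting BPF_RET in magic_echo_reply_prog.  The
 * capture test expects bh_caplen == MIN(SNAPLEN, wirelen).
 */
#define SNAPLEN UINT32_MAX

/* Magic values the filter looks for with a byte, halfword and word load. */
#define BMAGIC UINT32_C(0x37)
#define HMAGIC UINT32_C(0xc2c2)
#define WMAGIC UINT32_C(0x7d7d7d7d)

/*
 * The 7 trailing payload bytes of the echo request: BMAGIC, then HMAGIC and
 * WMAGIC serialized most-significant byte first, because BPF_H and BPF_W
 * loads assemble packet bytes in network (big-endian) order.
 *
 * Each byte is taken from its own position in the constant instead of
 * repeating the low byte, so the table stays correct if a magic value is
 * ever changed to one whose bytes differ.
 */
static const char magic_echo_reply_tail[7] = {
	BMAGIC,
	(HMAGIC >> 8) & 0xff,
	HMAGIC & 0xff,
	(WMAGIC >> 24) & 0xff,
	(WMAGIC >> 16) & 0xff,
	(WMAGIC >> 8) & 0xff,
	WMAGIC & 0xff
};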
75
/*
 * Match ICMP_ECHOREPLY packet with 7 magic bytes at the end.
 *
 * Every BPF_JUMP below uses jt=1, jf=0: on a match it skips the following
 * "return 0" (reject), otherwise it falls into it.
 *
 * NOTE(review): the first load uses an absolute offset of
 * sizeof(struct ip) + offsetof(struct icmp, icmp_type) from the start of the
 * packet handed to the filter.  pingtest() counts ETHER_HDR_LEN as part of
 * wirelen and the test expects bh_caplen == wirelen, which suggests the
 * filter sees the Ethernet header too; in that case this offset does not
 * land on icmp_type.  Confirm against the link type of the shmif tap.
 */
static struct bpf_insn magic_echo_reply_prog[] = {
	/* A <- byte at the presumed icmp_type offset; reject unless it is ICMP_ECHOREPLY */
	BPF_STMT(BPF_LD+BPF_ABS+BPF_B,
	    sizeof(struct ip) + offsetof(struct icmp, icmp_type)),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ICMP_ECHOREPLY, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	/* X <- offset of the 7-byte tail, so the loads below are relative to it */
	BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),  /* A <- len   */
	BPF_STMT(BPF_ALU+BPF_SUB+BPF_K, 7), /* A <- A - 7 */
	BPF_STMT(BPF_MISC+BPF_TAX, 0),      /* X <- A     */

	/* tail[0] must be BMAGIC (byte load at X + 0) */
	BPF_STMT(BPF_LD+BPF_IND+BPF_B, 0),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, BMAGIC, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	/* tail[1..2] must be HMAGIC (halfword load at X + 1) */
	BPF_STMT(BPF_LD+BPF_IND+BPF_H, 1),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, HMAGIC, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	/* tail[3..6] must be WMAGIC (word load at X + 3) */
	BPF_STMT(BPF_LD+BPF_IND+BPF_W, 3),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, WMAGIC, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	/* all checks passed: accept, returning SNAPLEN */
	BPF_STMT(BPF_RET+BPF_K, SNAPLEN)
};
103
/*
 * Deliberately malformed or borderline programs.  Each is handed to
 * BIOCSETF by the test case of the matching name, which pins whether the
 * kernel accepts the program or fails the ioctl with EINVAL.
 */

/* Loads scratch memory word 5 without ever storing to it; expected to be rejected. */
static struct bpf_insn badmem_prog[] = {
	BPF_STMT(BPF_LD+BPF_MEM, 5),
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Returns A without setting it first; expected to be accepted. */
static struct bpf_insn noinitA_prog[] = {
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Copies X to A without setting X first; expected to be accepted. */
static struct bpf_insn noinitX_prog[] = {
	BPF_STMT(BPF_MISC+BPF_TXA, 0),
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Unconditional jump of 5 in a two-instruction program; expected to be rejected. */
static struct bpf_insn badjmp_prog[] = {
	BPF_STMT(BPF_JMP+BPF_JA, 5),
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Second jump carries an offset that is -2 when read as signed; expected to be rejected. */
static struct bpf_insn negjmp_prog[] = {
	BPF_STMT(BPF_JMP+BPF_JA, 0),
	BPF_STMT(BPF_JMP+BPF_JA, UINT32_MAX - 1), /* -2 as a signed 32-bit value */
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* BPF_RET with the extra 0x8000 bit added to the opcode; expected to be rejected. */
static struct bpf_insn badret_prog[] = {
	BPF_STMT(BPF_RET+BPF_A+0x8000, 0),
};
132
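/*
 * Compute the 16-bit one's-complement checksum over len bytes at data.
 *
 * Words are read in host memory order, so the returned value can be stored
 * straight into a header field without byte swapping.
 *
 * The buffer is read with memcpy() rather than through a uint16_t pointer,
 * so it need not be 2-byte aligned and no object is accessed through an
 * incompatible type.  An odd trailing byte is placed in the first byte of a
 * zeroed word, i.e. treated as if the data were padded with one zero byte,
 * which gives the same result on little- and big-endian hosts.
 *
 * The accumulator is folded only once after the loop, so this is meant for
 * packet-sized inputs; carries beyond the width of unsigned are lost.
 */
static uint16_t
in_cksum(void *data, size_t len)
{
	const unsigned char *p = data;
	unsigned sum = 0;
	uint16_t word;

	for (; len > 1; len -= 2, p += 2) {
		memcpy(&word, p, sizeof(word));
		sum += word;
	}
	if (len) {
		/* zero-pad the last odd byte to a full word in memory order */
		word = 0;
		memcpy(&word, p, 1);
		sum += word;
	}

	/* fold the carries back into the low 16 bits, twice */
	sum = (sum >> 16) + (sum & 0xffff);
	sum += (sum >> 16);

	return (uint16_t)~sum;
}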
149
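/*
 * Based on netcfg_rump_pingtest().
 *
 * Send one ICMP echo request to dst through the rump kernel and wait up to
 * one second for a datagram to come back on the raw ICMP socket.
 *
 * dst     - dotted-quad destination address.
 * wirelen - desired frame length on the wire; the ICMP message is sized as
 *           wirelen minus the Ethernet and IP headers.
 * tail    - 7 bytes copied to the very end of the ICMP message.
 *
 * Returns true if something was received before the timeout, false on any
 * failure (bad length, unparsable address, socket error, timeout).  The
 * received datagram is not inspected, so "true" only means that a reply of
 * some kind arrived.
 */
static bool __unused
pingtest(const char *dst, unsigned int wirelen, const char tail[7])
{
	struct timeval tv;
	struct sockaddr_in sin;
	struct icmp *icmp;
	char *pkt = NULL;
	unsigned int pktsize;
	socklen_t slen;
	int s;
	bool rv = false;

	/* Guard the unsigned subtraction below against wrap-around. */
	if (wirelen < ETHER_HDR_LEN + sizeof(struct ip))
		return false;

	/* The message must hold an ICMP header plus the 7-byte tail. */
	pktsize = wirelen - ETHER_HDR_LEN - sizeof(struct ip);
	if (pktsize < sizeof(struct icmp) + 7)
		return false;

	memset(&sin, 0, sizeof(sin));
	sin.sin_len = sizeof(sin);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = inet_addr(dst);
	/* inet_addr() signals a malformed string with INADDR_NONE. */
	if (sin.sin_addr.s_addr == INADDR_NONE)
		return false;

	s = rump_sys_socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
	if (s == -1)
		return false;

	/* Bound the wait for the reply so a lost packet cannot hang the test. */
	tv.tv_sec = 1;
	tv.tv_usec = 0;
	if (rump_sys_setsockopt(s, SOL_SOCKET, SO_RCVTIMEO,
	    &tv, sizeof(tv)) == -1)
		goto out;

	/* Zeroed buffer: icmp_cksum is 0 while the checksum is computed. */
	pkt = calloc(1, pktsize);
	if (pkt == NULL)
		goto out;
	icmp = (struct icmp *)pkt;

	memcpy(pkt + pktsize - 7, tail, 7);
	icmp->icmp_type = ICMP_ECHO;
	icmp->icmp_id = htons(37);
	icmp->icmp_seq = htons(1);
	icmp->icmp_cksum = in_cksum(pkt, pktsize);

	slen = sizeof(sin);
	if (rump_sys_sendto(s, pkt, pktsize, 0,
	    (struct sockaddr *)&sin, slen) == -1) {
		goto out;
	}

	/* The request buffer is reused for the reply; at most pktsize bytes are stored. */
	if (rump_sys_recvfrom(s, pkt, pktsize, 0,
	    (struct sockaddr *)&sin, &slen) == -1)
		goto out;

	rv = true;
 out:
	free(pkt);	/* free(NULL) is a no-op */
	rump_sys_close(s);
	return rv;
}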
217
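/*
 * Capture test shared by bpfiltercontig and bpfiltermchain.
 *
 * The process forks.  The child configures its shmif interface as
 * 10.1.1.10, signals readiness over a pipe and then sleeps in pause().
 * The parent configures 10.1.1.20, opens /dev/bpf, installs
 * magic_echo_reply_prog, pings the child with a packet of wirelen bytes on
 * the wire and checks that the filter captured at least one packet whose
 * bh_caplen equals MIN(SNAPLEN, wirelen).
 *
 * name    - name passed to netcfg_rump_makeshmif() for the shared link.
 * wirelen - frame length on the wire for the echo request.
 */
static void
magic_ping_test(const char *name, unsigned int wirelen)
{
	struct bpf_program prog;
	struct bpf_stat bstat;
	struct ifreq ifr;
	struct timeval tv;
	unsigned int bufsize;
	bool pinged;
	ssize_t n;
	char *buf;
	pid_t child;
	int bpfd;
	char token;
	int channel[2];

	struct bpf_hdr *hdr;

	RL(pipe(channel));

	prog.bf_len = __arraycount(magic_echo_reply_prog);
	prog.bf_insns = magic_echo_reply_prog;

	child = fork();
	/*
	 * Report a failed fork right away: the calls below may overwrite
	 * errno, and there is no point in bringing up rump without a peer.
	 */
	if (child == -1)
		atf_tc_fail_errno("fork failed");

	/* Both the parent and the child execute these two calls. */
	RZ(rump_init());
	netcfg_rump_makeshmif(name, ifr.ifr_name);

	if (child == 0) {
		/* Child: become the ping target, tell the parent, then idle. */
		netcfg_rump_if(ifr.ifr_name, "10.1.1.10", "255.0.0.0");
		close(channel[0]);
		ATF_CHECK(write(channel[1], "U", 1) == 1);
		close(channel[1]);
		pause();
		return;
	}

	netcfg_rump_if(ifr.ifr_name, "10.1.1.20", "255.0.0.0");

	RL(bpfd = rump_sys_open("/dev/bpf", O_RDONLY));

	/* Short read timeout so the read below cannot block indefinitely. */
	tv.tv_sec = 0;
	tv.tv_usec = 500;
	RL(rump_sys_ioctl(bpfd, BIOCSRTIMEOUT, &tv));

	RL(rump_sys_ioctl(bpfd, BIOCGBLEN, &bufsize));
	RL(rump_sys_ioctl(bpfd, BIOCSETF, &prog));
	RL(rump_sys_ioctl(bpfd, BIOCSETIF, &ifr));

	/* Wait until the child has configured its interface. */
	close(channel[1]);
	ATF_CHECK(read(channel[0], &token, 1) == 1 && token == 'U');

	pinged = pingtest("10.1.1.10", wirelen, magic_echo_reply_tail);
	ATF_CHECK(pinged);

	buf = malloc(bufsize);
	ATF_REQUIRE(buf != NULL);
	ATF_REQUIRE(bufsize > sizeof(struct bpf_hdr));
	hdr = (struct bpf_hdr *)buf;

	n = rump_sys_read(bpfd, buf, bufsize);

	ATF_CHECK(n > (int)sizeof(struct bpf_hdr));
	/*
	 * ATF_CHECK does not abort the test.  Only look at the header when
	 * the read really delivered one; otherwise buf is still
	 * uninitialized heap memory.
	 */
	if (n > (ssize_t)sizeof(struct bpf_hdr)) {
		ATF_CHECK(hdr->bh_caplen == MIN(SNAPLEN, wirelen));
	}

	RL(rump_sys_ioctl(bpfd, BIOCGSTATS, &bstat));
	ATF_CHECK(bstat.bs_capt >= 1); /* XXX == 1 */

	rump_sys_close(bpfd);
	free(buf);

	close(channel[0]);

	/* NOTE(review): the child is killed but never waited for here. */
	kill(child, SIGKILL);
}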
297
/*
 * Bring up a rump kernel with a shmif interface named after ifname, open
 * /dev/bpf and try to install prog with BIOCSETF.
 *
 * Returns the ioctl's return value.  errno as left by the ioctl is
 * preserved across the close of the descriptor, so callers can test it.
 */
static int
send_bpf_prog(const char *ifname, struct bpf_program *prog)
{
	struct ifreq ifr;
	int fd;
	int ioctl_rv;
	int saved_errno;

	RZ(rump_init());
	netcfg_rump_makeshmif(ifname, ifr.ifr_name);
	netcfg_rump_if(ifr.ifr_name, "10.1.1.20", "255.0.0.0");

	RL(fd = rump_sys_open("/dev/bpf", O_RDONLY));

	/* The result of this call is what the callers assert on. */
	ioctl_rv = rump_sys_ioctl(fd, BIOCSETF, prog);
	saved_errno = errno;

	/* Closing may change errno; restore the value from the ioctl. */
	rump_sys_close(fd);
	errno = saved_errno;

	return ioctl_rv;
}
318
/*
 * Test case: run the magic-tail capture test with a 128-byte frame, which
 * per the description is read from a contiguous buffer.
 */
ATF_TC(bpfiltercontig);
ATF_TC_HEAD(bpfiltercontig, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program "
	    "can read bytes from contiguous buffer.");
}

ATF_TC_BODY(bpfiltercontig, tc)
{
	const unsigned int wirelen = 128;

	magic_ping_test("bpfiltercontig", wirelen);
}
333
334
/*
 * Test case: run the magic-tail capture test with a frame one byte longer
 * than MINCLSIZE, which per the description is read from an mbuf chain.
 */
ATF_TC(bpfiltermchain);
ATF_TC_HEAD(bpfiltermchain, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program "
	    "can read bytes from mbuf chain.");
}

ATF_TC_BODY(bpfiltermchain, tc)
{
	const unsigned int wirelen = MINCLSIZE + 1;

	magic_ping_test("bpfiltermchain", wirelen);
}
349
350
/*
 * Test case: installing badmem_prog, which reads a scratch memory word it
 * never wrote, must fail with EINVAL.
 */
ATF_TC(bpfilterbadmem);
ATF_TC_HEAD(bpfilterbadmem, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "doesn't initialize memomy store is rejected by the kernel");
}

ATF_TC_BODY(bpfilterbadmem, tc)
{
	struct bpf_program prog = {
		.bf_len = __arraycount(badmem_prog),
		.bf_insns = badmem_prog
	};

	/* BIOCSETF has to return -1 with errno set to EINVAL. */
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadmem", &prog) == -1);
}
368
/*
 * Test case: installing noinitA_prog, which returns the A register without
 * setting it, must succeed.
 */
ATF_TC(bpfilternoinitA);
ATF_TC_HEAD(bpfilternoinitA, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "doesn't initialize the A register is accepted by the kernel");
}

ATF_TC_BODY(bpfilternoinitA, tc)
{
	struct bpf_program prog = {
		.bf_len = __arraycount(noinitA_prog),
		.bf_insns = noinitA_prog
	};

	/* RL() fails the test if the ioctl result is -1. */
	RL(send_bpf_prog("bpfilternoinitA", &prog));
}
386
/*
 * Test case: installing noinitX_prog, which copies the X register to A
 * without setting X, must succeed.
 */
ATF_TC(bpfilternoinitX);
ATF_TC_HEAD(bpfilternoinitX, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "doesn't initialize the X register is accepted by the kernel");
}

ATF_TC_BODY(bpfilternoinitX, tc)
{
	struct bpf_program prog = {
		.bf_len = __arraycount(noinitX_prog),
		.bf_insns = noinitX_prog
	};

	/* RL() fails the test if the ioctl result is -1. */
	RL(send_bpf_prog("bpfilternoinitX", &prog));
}
404
/*
 * Test case: installing badjmp_prog, whose jump target lies past the end of
 * the program, must fail with EINVAL.
 */
ATF_TC(bpfilterbadjmp);
ATF_TC_HEAD(bpfilterbadjmp, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "jumps to invalid destination is rejected by the kernel");
}

ATF_TC_BODY(bpfilterbadjmp, tc)
{
	struct bpf_program prog = {
		.bf_len = __arraycount(badjmp_prog),
		.bf_insns = badjmp_prog
	};

	/* BIOCSETF has to return -1 with errno set to EINVAL. */
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadjmp", &prog) == -1);
}
422
/*
 * Test case: installing negjmp_prog, which contains a jump whose offset is
 * negative when read as signed, must fail with EINVAL.
 */
ATF_TC(bpfilternegjmp);
ATF_TC_HEAD(bpfilternegjmp, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "jumps backwards is rejected by the kernel");
}

ATF_TC_BODY(bpfilternegjmp, tc)
{
	struct bpf_program prog = {
		.bf_len = __arraycount(negjmp_prog),
		.bf_insns = negjmp_prog
	};

	/* BIOCSETF has to return -1 with errno set to EINVAL. */
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilternegjmp", &prog) == -1);
}
440
/*
 * Test case: installing badret_prog, whose only instruction is a BPF_RET
 * with an extra opcode bit set, must fail with EINVAL.
 */
ATF_TC(bpfilterbadret);
ATF_TC_HEAD(bpfilterbadret, tc)
{

	atf_tc_set_md_var(tc, "timeout", "30");
	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "ends with invalid BPF_RET instruction is rejected by the kernel");
}

ATF_TC_BODY(bpfilterbadret, tc)
{
	struct bpf_program prog = {
		.bf_len = __arraycount(badret_prog),
		.bf_insns = badret_prog
	};
	struct bpf_insn *last = &prog.bf_insns[prog.bf_len - 1];

	/*
	 * Sanity-check the fixture itself before sending it: the final
	 * instruction has to decode to class BPF_RET with a valid BPF_RVAL
	 * (BPF_K or BPF_A), so that the rejection asserted below is due to
	 * the bad opcode and not to a wrong class or return source.
	 */
	ATF_CHECK(BPF_CLASS(last->code) == BPF_RET &&
	    (BPF_RVAL(last->code) == BPF_K || BPF_RVAL(last->code) == BPF_A));

	/* BIOCSETF has to return -1 with errno set to EINVAL. */
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadret", &prog) == -1);
}
468
/*
 * Register every test case of this file with the ATF test program.
 */
ATF_TP_ADD_TCS(tp)
{

	/* Capture tests: the filter reads the packet tail. */
	ATF_TP_ADD_TC(tp, bpfiltercontig);
	ATF_TP_ADD_TC(tp, bpfiltermchain);

	/* Validation tests: only BIOCSETF's accept/reject result is checked. */
	ATF_TP_ADD_TC(tp, bpfilterbadmem);
	ATF_TP_ADD_TC(tp, bpfilternoinitA);
	ATF_TP_ADD_TC(tp, bpfilternoinitX);
	ATF_TP_ADD_TC(tp, bpfilterbadjmp);
	ATF_TP_ADD_TC(tp, bpfilternegjmp);
	ATF_TP_ADD_TC(tp, bpfilterbadret);

	return atf_no_error();
}
483