1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Testsuite for eBPF verifier
4 *
5 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * Copyright (c) 2017 Facebook
7 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 */
9
10 #include <endian.h>
11 #include <asm/types.h>
12 #include <linux/types.h>
13 #include <stdint.h>
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <unistd.h>
17 #include <errno.h>
18 #include <string.h>
19 #include <stddef.h>
20 #include <stdbool.h>
21 #include <sched.h>
22 #include <limits.h>
23 #include <assert.h>
24
25 #include <sys/capability.h>
26
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
31 #include <linux/if_ether.h>
32 #include <linux/btf.h>
33
34 #include <bpf/bpf.h>
35 #include <bpf/libbpf.h>
36
37 #ifdef HAVE_GENHDR
38 # include "autoconf.h"
39 #else
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 # endif
43 #endif
44 #include "bpf_rlimit.h"
45 #include "bpf_rand.h"
46 #include "bpf_util.h"
47 #include "test_btf.h"
48 #include "../../../include/linux/filter.h"
49
50 #define MAX_INSNS BPF_MAXINSNS
51 #define MAX_TEST_INSNS 1000000
52 #define MAX_FIXUPS 8
53 #define MAX_NR_MAPS 19
54 #define MAX_TEST_RUNS 8
55 #define POINTER_VALUE 0xcafe4all
56 #define TEST_DATA_LEN 64
57
58 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
59 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
60
61 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
62 static bool unpriv_disabled = false;
63 static int skips;
64 static bool verbose = false;
65
66 struct bpf_test {
67 const char *descr;
68 struct bpf_insn insns[MAX_INSNS];
69 struct bpf_insn *fill_insns;
70 int fixup_map_hash_8b[MAX_FIXUPS];
71 int fixup_map_hash_48b[MAX_FIXUPS];
72 int fixup_map_hash_16b[MAX_FIXUPS];
73 int fixup_map_array_48b[MAX_FIXUPS];
74 int fixup_map_sockmap[MAX_FIXUPS];
75 int fixup_map_sockhash[MAX_FIXUPS];
76 int fixup_map_xskmap[MAX_FIXUPS];
77 int fixup_map_stacktrace[MAX_FIXUPS];
78 int fixup_prog1[MAX_FIXUPS];
79 int fixup_prog2[MAX_FIXUPS];
80 int fixup_map_in_map[MAX_FIXUPS];
81 int fixup_cgroup_storage[MAX_FIXUPS];
82 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
83 int fixup_map_spin_lock[MAX_FIXUPS];
84 int fixup_map_array_ro[MAX_FIXUPS];
85 int fixup_map_array_wo[MAX_FIXUPS];
86 int fixup_map_array_small[MAX_FIXUPS];
87 int fixup_sk_storage_map[MAX_FIXUPS];
88 int fixup_map_event_output[MAX_FIXUPS];
89 const char *errstr;
90 const char *errstr_unpriv;
91 uint32_t insn_processed;
92 int prog_len;
93 enum {
94 UNDEF,
95 ACCEPT,
96 REJECT,
97 VERBOSE_ACCEPT,
98 } result, result_unpriv;
99 enum bpf_prog_type prog_type;
100 uint8_t flags;
101 void (*fill_helper)(struct bpf_test *self);
102 uint8_t runs;
103 #define bpf_testdata_struct_t \
104 struct { \
105 uint32_t retval, retval_unpriv; \
106 union { \
107 __u8 data[TEST_DATA_LEN]; \
108 __u64 data64[TEST_DATA_LEN / 8]; \
109 }; \
110 }
111 union {
112 bpf_testdata_struct_t;
113 bpf_testdata_struct_t retvals[MAX_TEST_RUNS];
114 };
115 enum bpf_attach_type expected_attach_type;
116 };
117
118 /* Note we want this to be 64 bit aligned so that the end of our array is
119 * actually the end of the structure.
120 */
121 #define MAX_ENTRIES 11
122
123 struct test_val {
124 unsigned int index;
125 int foo[MAX_ENTRIES];
126 };
127
128 struct other_val {
129 long long foo;
130 long long bar;
131 };
132
bpf_fill_ld_abs_vlan_push_pop(struct bpf_test * self)133 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
134 {
135 /* test: {skb->data[0], vlan_push} x 51 + {skb->data[0], vlan_pop} x 51 */
136 #define PUSH_CNT 51
137 /* jump range is limited to 16 bit. PUSH_CNT of ld_abs needs room */
138 unsigned int len = (1 << 15) - PUSH_CNT * 2 * 5 * 6;
139 struct bpf_insn *insn = self->fill_insns;
140 int i = 0, j, k = 0;
141
142 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
143 loop:
144 for (j = 0; j < PUSH_CNT; j++) {
145 insn[i++] = BPF_LD_ABS(BPF_B, 0);
146 /* jump to error label */
147 insn[i] = BPF_JMP32_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 3);
148 i++;
149 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
150 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
151 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
152 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
153 BPF_FUNC_skb_vlan_push),
154 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 3);
155 i++;
156 }
157
158 for (j = 0; j < PUSH_CNT; j++) {
159 insn[i++] = BPF_LD_ABS(BPF_B, 0);
160 insn[i] = BPF_JMP32_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 3);
161 i++;
162 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
163 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
164 BPF_FUNC_skb_vlan_pop),
165 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 3);
166 i++;
167 }
168 if (++k < 5)
169 goto loop;
170
171 for (; i < len - 3; i++)
172 insn[i] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0xbef);
173 insn[len - 3] = BPF_JMP_A(1);
174 /* error label */
175 insn[len - 2] = BPF_MOV32_IMM(BPF_REG_0, 0);
176 insn[len - 1] = BPF_EXIT_INSN();
177 self->prog_len = len;
178 }
179
bpf_fill_jump_around_ld_abs(struct bpf_test * self)180 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
181 {
182 struct bpf_insn *insn = self->fill_insns;
183 /* jump range is limited to 16 bit. every ld_abs is replaced by 6 insns,
184 * but on arches like arm, ppc etc, there will be one BPF_ZEXT inserted
185 * to extend the error value of the inlined ld_abs sequence which then
186 * contains 7 insns. so, set the dividend to 7 so the testcase could
187 * work on all arches.
188 */
189 unsigned int len = (1 << 15) / 7;
190 int i = 0;
191
192 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
193 insn[i++] = BPF_LD_ABS(BPF_B, 0);
194 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
195 i++;
196 while (i < len - 1)
197 insn[i++] = BPF_LD_ABS(BPF_B, 1);
198 insn[i] = BPF_EXIT_INSN();
199 self->prog_len = i + 1;
200 }
201
bpf_fill_rand_ld_dw(struct bpf_test * self)202 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
203 {
204 struct bpf_insn *insn = self->fill_insns;
205 uint64_t res = 0;
206 int i = 0;
207
208 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
209 while (i < self->retval) {
210 uint64_t val = bpf_semi_rand_get();
211 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
212
213 res ^= val;
214 insn[i++] = tmp[0];
215 insn[i++] = tmp[1];
216 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
217 }
218 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
219 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
220 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
221 insn[i] = BPF_EXIT_INSN();
222 self->prog_len = i + 1;
223 res ^= (res >> 32);
224 self->retval = (uint32_t)res;
225 }
226
227 #define MAX_JMP_SEQ 8192
228
229 /* test the sequence of 8k jumps */
bpf_fill_scale1(struct bpf_test * self)230 static void bpf_fill_scale1(struct bpf_test *self)
231 {
232 struct bpf_insn *insn = self->fill_insns;
233 int i = 0, k = 0;
234
235 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
236 /* test to check that the long sequence of jumps is acceptable */
237 while (k++ < MAX_JMP_SEQ) {
238 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
239 BPF_FUNC_get_prandom_u32);
240 insn[i++] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, bpf_semi_rand_get(), 2);
241 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10);
242 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6,
243 -8 * (k % 64 + 1));
244 }
245 /* is_state_visited() doesn't allocate state for pruning for every jump.
246 * Hence multiply jmps by 4 to accommodate that heuristic
247 */
248 while (i < MAX_TEST_INSNS - MAX_JMP_SEQ * 4)
249 insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 42);
250 insn[i] = BPF_EXIT_INSN();
251 self->prog_len = i + 1;
252 self->retval = 42;
253 }
254
255 /* test the sequence of 8k jumps in inner most function (function depth 8)*/
bpf_fill_scale2(struct bpf_test * self)256 static void bpf_fill_scale2(struct bpf_test *self)
257 {
258 struct bpf_insn *insn = self->fill_insns;
259 int i = 0, k = 0;
260
261 #define FUNC_NEST 7
262 for (k = 0; k < FUNC_NEST; k++) {
263 insn[i++] = BPF_CALL_REL(1);
264 insn[i++] = BPF_EXIT_INSN();
265 }
266 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
267 /* test to check that the long sequence of jumps is acceptable */
268 k = 0;
269 while (k++ < MAX_JMP_SEQ) {
270 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
271 BPF_FUNC_get_prandom_u32);
272 insn[i++] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, bpf_semi_rand_get(), 2);
273 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10);
274 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6,
275 -8 * (k % (64 - 4 * FUNC_NEST) + 1));
276 }
277 while (i < MAX_TEST_INSNS - MAX_JMP_SEQ * 4)
278 insn[i++] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 42);
279 insn[i] = BPF_EXIT_INSN();
280 self->prog_len = i + 1;
281 self->retval = 42;
282 }
283
bpf_fill_scale(struct bpf_test * self)284 static void bpf_fill_scale(struct bpf_test *self)
285 {
286 switch (self->retval) {
287 case 1:
288 return bpf_fill_scale1(self);
289 case 2:
290 return bpf_fill_scale2(self);
291 default:
292 self->prog_len = 0;
293 break;
294 }
295 }
296
297 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
298 #define BPF_SK_LOOKUP(func) \
299 /* struct bpf_sock_tuple tuple = {} */ \
300 BPF_MOV64_IMM(BPF_REG_2, 0), \
301 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
307 /* sk = func(ctx, &tuple, sizeof tuple, 0, 0) */ \
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
310 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
311 BPF_MOV64_IMM(BPF_REG_4, 0), \
312 BPF_MOV64_IMM(BPF_REG_5, 0), \
313 BPF_EMIT_CALL(BPF_FUNC_ ## func)
314
315 /* BPF_DIRECT_PKT_R2 contains 7 instructions, it initializes default return
316 * value into 0 and does necessary preparation for direct packet access
317 * through r2. The allowed access range is 8 bytes.
318 */
319 #define BPF_DIRECT_PKT_R2 \
320 BPF_MOV64_IMM(BPF_REG_0, 0), \
321 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, \
322 offsetof(struct __sk_buff, data)), \
323 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, \
324 offsetof(struct __sk_buff, data_end)), \
325 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), \
326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), \
327 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1), \
328 BPF_EXIT_INSN()
329
330 /* BPF_RAND_UEXT_R7 contains 4 instructions, it initializes R7 into a random
331 * positive u32, and zero-extend it into 64-bit.
332 */
333 #define BPF_RAND_UEXT_R7 \
334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \
335 BPF_FUNC_get_prandom_u32), \
336 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \
337 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 33), \
338 BPF_ALU64_IMM(BPF_RSH, BPF_REG_7, 33)
339
340 /* BPF_RAND_SEXT_R7 contains 5 instructions, it initializes R7 into a random
341 * negative u32, and sign-extend it into 64-bit.
342 */
343 #define BPF_RAND_SEXT_R7 \
344 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \
345 BPF_FUNC_get_prandom_u32), \
346 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \
347 BPF_ALU64_IMM(BPF_OR, BPF_REG_7, 0x80000000), \
348 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 32), \
349 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_7, 32)
350
351 static struct bpf_test tests[] = {
352 #define FILL_ARRAY
353 #include <verifier/tests.h>
354 #undef FILL_ARRAY
355 };
356
probe_filter_length(const struct bpf_insn * fp)357 static int probe_filter_length(const struct bpf_insn *fp)
358 {
359 int len;
360
361 for (len = MAX_INSNS - 1; len > 0; --len)
362 if (fp[len].code != 0 || fp[len].imm != 0)
363 break;
364 return len + 1;
365 }
366
skip_unsupported_map(enum bpf_map_type map_type)367 static bool skip_unsupported_map(enum bpf_map_type map_type)
368 {
369 if (!bpf_probe_map_type(map_type, 0)) {
370 printf("SKIP (unsupported map type %d)\n", map_type);
371 skips++;
372 return true;
373 }
374 return false;
375 }
376
__create_map(uint32_t type,uint32_t size_key,uint32_t size_value,uint32_t max_elem,uint32_t extra_flags)377 static int __create_map(uint32_t type, uint32_t size_key,
378 uint32_t size_value, uint32_t max_elem,
379 uint32_t extra_flags)
380 {
381 int fd;
382
383 fd = bpf_create_map(type, size_key, size_value, max_elem,
384 (type == BPF_MAP_TYPE_HASH ?
385 BPF_F_NO_PREALLOC : 0) | extra_flags);
386 if (fd < 0) {
387 if (skip_unsupported_map(type))
388 return -1;
389 printf("Failed to create hash map '%s'!\n", strerror(errno));
390 }
391
392 return fd;
393 }
394
create_map(uint32_t type,uint32_t size_key,uint32_t size_value,uint32_t max_elem)395 static int create_map(uint32_t type, uint32_t size_key,
396 uint32_t size_value, uint32_t max_elem)
397 {
398 return __create_map(type, size_key, size_value, max_elem, 0);
399 }
400
update_map(int fd,int index)401 static void update_map(int fd, int index)
402 {
403 struct test_val value = {
404 .index = (6 + 1) * sizeof(int),
405 .foo[6] = 0xabcdef12,
406 };
407
408 assert(!bpf_map_update_elem(fd, &index, &value, 0));
409 }
410
create_prog_dummy1(enum bpf_prog_type prog_type)411 static int create_prog_dummy1(enum bpf_prog_type prog_type)
412 {
413 struct bpf_insn prog[] = {
414 BPF_MOV64_IMM(BPF_REG_0, 42),
415 BPF_EXIT_INSN(),
416 };
417
418 return bpf_load_program(prog_type, prog,
419 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
420 }
421
create_prog_dummy2(enum bpf_prog_type prog_type,int mfd,int idx)422 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx)
423 {
424 struct bpf_insn prog[] = {
425 BPF_MOV64_IMM(BPF_REG_3, idx),
426 BPF_LD_MAP_FD(BPF_REG_2, mfd),
427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
428 BPF_FUNC_tail_call),
429 BPF_MOV64_IMM(BPF_REG_0, 41),
430 BPF_EXIT_INSN(),
431 };
432
433 return bpf_load_program(prog_type, prog,
434 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
435 }
436
create_prog_array(enum bpf_prog_type prog_type,uint32_t max_elem,int p1key)437 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem,
438 int p1key)
439 {
440 int p2key = 1;
441 int mfd, p1fd, p2fd;
442
443 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
444 sizeof(int), max_elem, 0);
445 if (mfd < 0) {
446 if (skip_unsupported_map(BPF_MAP_TYPE_PROG_ARRAY))
447 return -1;
448 printf("Failed to create prog array '%s'!\n", strerror(errno));
449 return -1;
450 }
451
452 p1fd = create_prog_dummy1(prog_type);
453 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
454 if (p1fd < 0 || p2fd < 0)
455 goto out;
456 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
457 goto out;
458 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
459 goto out;
460 close(p2fd);
461 close(p1fd);
462
463 return mfd;
464 out:
465 close(p2fd);
466 close(p1fd);
467 close(mfd);
468 return -1;
469 }
470
create_map_in_map(void)471 static int create_map_in_map(void)
472 {
473 int inner_map_fd, outer_map_fd;
474
475 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
476 sizeof(int), 1, 0);
477 if (inner_map_fd < 0) {
478 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY))
479 return -1;
480 printf("Failed to create array '%s'!\n", strerror(errno));
481 return inner_map_fd;
482 }
483
484 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
485 sizeof(int), inner_map_fd, 1, 0);
486 if (outer_map_fd < 0) {
487 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY_OF_MAPS))
488 return -1;
489 printf("Failed to create array of maps '%s'!\n",
490 strerror(errno));
491 }
492
493 close(inner_map_fd);
494
495 return outer_map_fd;
496 }
497
create_cgroup_storage(bool percpu)498 static int create_cgroup_storage(bool percpu)
499 {
500 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
501 BPF_MAP_TYPE_CGROUP_STORAGE;
502 int fd;
503
504 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
505 TEST_DATA_LEN, 0, 0);
506 if (fd < 0) {
507 if (skip_unsupported_map(type))
508 return -1;
509 printf("Failed to create cgroup storage '%s'!\n",
510 strerror(errno));
511 }
512
513 return fd;
514 }
515
516 /* struct bpf_spin_lock {
517 * int val;
518 * };
519 * struct val {
520 * int cnt;
521 * struct bpf_spin_lock l;
522 * };
523 */
524 static const char btf_str_sec[] = "\0bpf_spin_lock\0val\0cnt\0l";
525 static __u32 btf_raw_types[] = {
526 /* int */
527 BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */
528 /* struct bpf_spin_lock */ /* [2] */
529 BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 1), 4),
530 BTF_MEMBER_ENC(15, 1, 0), /* int val; */
531 /* struct val */ /* [3] */
532 BTF_TYPE_ENC(15, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 2), 8),
533 BTF_MEMBER_ENC(19, 1, 0), /* int cnt; */
534 BTF_MEMBER_ENC(23, 2, 32),/* struct bpf_spin_lock l; */
535 };
536
load_btf(void)537 static int load_btf(void)
538 {
539 struct btf_header hdr = {
540 .magic = BTF_MAGIC,
541 .version = BTF_VERSION,
542 .hdr_len = sizeof(struct btf_header),
543 .type_len = sizeof(btf_raw_types),
544 .str_off = sizeof(btf_raw_types),
545 .str_len = sizeof(btf_str_sec),
546 };
547 void *ptr, *raw_btf;
548 int btf_fd;
549
550 ptr = raw_btf = malloc(sizeof(hdr) + sizeof(btf_raw_types) +
551 sizeof(btf_str_sec));
552
553 memcpy(ptr, &hdr, sizeof(hdr));
554 ptr += sizeof(hdr);
555 memcpy(ptr, btf_raw_types, hdr.type_len);
556 ptr += hdr.type_len;
557 memcpy(ptr, btf_str_sec, hdr.str_len);
558 ptr += hdr.str_len;
559
560 btf_fd = bpf_load_btf(raw_btf, ptr - raw_btf, 0, 0, 0);
561 free(raw_btf);
562 if (btf_fd < 0)
563 return -1;
564 return btf_fd;
565 }
566
create_map_spin_lock(void)567 static int create_map_spin_lock(void)
568 {
569 struct bpf_create_map_attr attr = {
570 .name = "test_map",
571 .map_type = BPF_MAP_TYPE_ARRAY,
572 .key_size = 4,
573 .value_size = 8,
574 .max_entries = 1,
575 .btf_key_type_id = 1,
576 .btf_value_type_id = 3,
577 };
578 int fd, btf_fd;
579
580 btf_fd = load_btf();
581 if (btf_fd < 0)
582 return -1;
583 attr.btf_fd = btf_fd;
584 fd = bpf_create_map_xattr(&attr);
585 if (fd < 0)
586 printf("Failed to create map with spin_lock\n");
587 return fd;
588 }
589
create_sk_storage_map(void)590 static int create_sk_storage_map(void)
591 {
592 struct bpf_create_map_attr attr = {
593 .name = "test_map",
594 .map_type = BPF_MAP_TYPE_SK_STORAGE,
595 .key_size = 4,
596 .value_size = 8,
597 .max_entries = 0,
598 .map_flags = BPF_F_NO_PREALLOC,
599 .btf_key_type_id = 1,
600 .btf_value_type_id = 3,
601 };
602 int fd, btf_fd;
603
604 btf_fd = load_btf();
605 if (btf_fd < 0)
606 return -1;
607 attr.btf_fd = btf_fd;
608 fd = bpf_create_map_xattr(&attr);
609 close(attr.btf_fd);
610 if (fd < 0)
611 printf("Failed to create sk_storage_map\n");
612 return fd;
613 }
614
615 static char bpf_vlog[UINT_MAX >> 8];
616
do_test_fixup(struct bpf_test * test,enum bpf_prog_type prog_type,struct bpf_insn * prog,int * map_fds)617 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
618 struct bpf_insn *prog, int *map_fds)
619 {
620 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
621 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
622 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
623 int *fixup_map_array_48b = test->fixup_map_array_48b;
624 int *fixup_map_sockmap = test->fixup_map_sockmap;
625 int *fixup_map_sockhash = test->fixup_map_sockhash;
626 int *fixup_map_xskmap = test->fixup_map_xskmap;
627 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
628 int *fixup_prog1 = test->fixup_prog1;
629 int *fixup_prog2 = test->fixup_prog2;
630 int *fixup_map_in_map = test->fixup_map_in_map;
631 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
632 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
633 int *fixup_map_spin_lock = test->fixup_map_spin_lock;
634 int *fixup_map_array_ro = test->fixup_map_array_ro;
635 int *fixup_map_array_wo = test->fixup_map_array_wo;
636 int *fixup_map_array_small = test->fixup_map_array_small;
637 int *fixup_sk_storage_map = test->fixup_sk_storage_map;
638 int *fixup_map_event_output = test->fixup_map_event_output;
639
640 if (test->fill_helper) {
641 test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn));
642 test->fill_helper(test);
643 }
644
645 /* Allocating HTs with 1 elem is fine here, since we only test
646 * for verifier and not do a runtime lookup, so the only thing
647 * that really matters is value size in this case.
648 */
649 if (*fixup_map_hash_8b) {
650 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
651 sizeof(long long), 1);
652 do {
653 prog[*fixup_map_hash_8b].imm = map_fds[0];
654 fixup_map_hash_8b++;
655 } while (*fixup_map_hash_8b);
656 }
657
658 if (*fixup_map_hash_48b) {
659 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
660 sizeof(struct test_val), 1);
661 do {
662 prog[*fixup_map_hash_48b].imm = map_fds[1];
663 fixup_map_hash_48b++;
664 } while (*fixup_map_hash_48b);
665 }
666
667 if (*fixup_map_hash_16b) {
668 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
669 sizeof(struct other_val), 1);
670 do {
671 prog[*fixup_map_hash_16b].imm = map_fds[2];
672 fixup_map_hash_16b++;
673 } while (*fixup_map_hash_16b);
674 }
675
676 if (*fixup_map_array_48b) {
677 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
678 sizeof(struct test_val), 1);
679 update_map(map_fds[3], 0);
680 do {
681 prog[*fixup_map_array_48b].imm = map_fds[3];
682 fixup_map_array_48b++;
683 } while (*fixup_map_array_48b);
684 }
685
686 if (*fixup_prog1) {
687 map_fds[4] = create_prog_array(prog_type, 4, 0);
688 do {
689 prog[*fixup_prog1].imm = map_fds[4];
690 fixup_prog1++;
691 } while (*fixup_prog1);
692 }
693
694 if (*fixup_prog2) {
695 map_fds[5] = create_prog_array(prog_type, 8, 7);
696 do {
697 prog[*fixup_prog2].imm = map_fds[5];
698 fixup_prog2++;
699 } while (*fixup_prog2);
700 }
701
702 if (*fixup_map_in_map) {
703 map_fds[6] = create_map_in_map();
704 do {
705 prog[*fixup_map_in_map].imm = map_fds[6];
706 fixup_map_in_map++;
707 } while (*fixup_map_in_map);
708 }
709
710 if (*fixup_cgroup_storage) {
711 map_fds[7] = create_cgroup_storage(false);
712 do {
713 prog[*fixup_cgroup_storage].imm = map_fds[7];
714 fixup_cgroup_storage++;
715 } while (*fixup_cgroup_storage);
716 }
717
718 if (*fixup_percpu_cgroup_storage) {
719 map_fds[8] = create_cgroup_storage(true);
720 do {
721 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
722 fixup_percpu_cgroup_storage++;
723 } while (*fixup_percpu_cgroup_storage);
724 }
725 if (*fixup_map_sockmap) {
726 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
727 sizeof(int), 1);
728 do {
729 prog[*fixup_map_sockmap].imm = map_fds[9];
730 fixup_map_sockmap++;
731 } while (*fixup_map_sockmap);
732 }
733 if (*fixup_map_sockhash) {
734 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
735 sizeof(int), 1);
736 do {
737 prog[*fixup_map_sockhash].imm = map_fds[10];
738 fixup_map_sockhash++;
739 } while (*fixup_map_sockhash);
740 }
741 if (*fixup_map_xskmap) {
742 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
743 sizeof(int), 1);
744 do {
745 prog[*fixup_map_xskmap].imm = map_fds[11];
746 fixup_map_xskmap++;
747 } while (*fixup_map_xskmap);
748 }
749 if (*fixup_map_stacktrace) {
750 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
751 sizeof(u64), 1);
752 do {
753 prog[*fixup_map_stacktrace].imm = map_fds[12];
754 fixup_map_stacktrace++;
755 } while (*fixup_map_stacktrace);
756 }
757 if (*fixup_map_spin_lock) {
758 map_fds[13] = create_map_spin_lock();
759 do {
760 prog[*fixup_map_spin_lock].imm = map_fds[13];
761 fixup_map_spin_lock++;
762 } while (*fixup_map_spin_lock);
763 }
764 if (*fixup_map_array_ro) {
765 map_fds[14] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
766 sizeof(struct test_val), 1,
767 BPF_F_RDONLY_PROG);
768 update_map(map_fds[14], 0);
769 do {
770 prog[*fixup_map_array_ro].imm = map_fds[14];
771 fixup_map_array_ro++;
772 } while (*fixup_map_array_ro);
773 }
774 if (*fixup_map_array_wo) {
775 map_fds[15] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
776 sizeof(struct test_val), 1,
777 BPF_F_WRONLY_PROG);
778 update_map(map_fds[15], 0);
779 do {
780 prog[*fixup_map_array_wo].imm = map_fds[15];
781 fixup_map_array_wo++;
782 } while (*fixup_map_array_wo);
783 }
784 if (*fixup_map_array_small) {
785 map_fds[16] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
786 1, 1, 0);
787 update_map(map_fds[16], 0);
788 do {
789 prog[*fixup_map_array_small].imm = map_fds[16];
790 fixup_map_array_small++;
791 } while (*fixup_map_array_small);
792 }
793 if (*fixup_sk_storage_map) {
794 map_fds[17] = create_sk_storage_map();
795 do {
796 prog[*fixup_sk_storage_map].imm = map_fds[17];
797 fixup_sk_storage_map++;
798 } while (*fixup_sk_storage_map);
799 }
800 if (*fixup_map_event_output) {
801 map_fds[18] = __create_map(BPF_MAP_TYPE_PERF_EVENT_ARRAY,
802 sizeof(int), sizeof(int), 1, 0);
803 do {
804 prog[*fixup_map_event_output].imm = map_fds[18];
805 fixup_map_event_output++;
806 } while (*fixup_map_event_output);
807 }
808 }
809
set_admin(bool admin)810 static int set_admin(bool admin)
811 {
812 cap_t caps;
813 const cap_value_t cap_val = CAP_SYS_ADMIN;
814 int ret = -1;
815
816 caps = cap_get_proc();
817 if (!caps) {
818 perror("cap_get_proc");
819 return -1;
820 }
821 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
822 admin ? CAP_SET : CAP_CLEAR)) {
823 perror("cap_set_flag");
824 goto out;
825 }
826 if (cap_set_proc(caps)) {
827 perror("cap_set_proc");
828 goto out;
829 }
830 ret = 0;
831 out:
832 if (cap_free(caps))
833 perror("cap_free");
834 return ret;
835 }
836
do_prog_test_run(int fd_prog,bool unpriv,uint32_t expected_val,void * data,size_t size_data)837 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val,
838 void *data, size_t size_data)
839 {
840 __u8 tmp[TEST_DATA_LEN << 2];
841 __u32 size_tmp = sizeof(tmp);
842 uint32_t retval;
843 int err;
844
845 if (unpriv)
846 set_admin(true);
847 err = bpf_prog_test_run(fd_prog, 1, data, size_data,
848 tmp, &size_tmp, &retval, NULL);
849 if (unpriv)
850 set_admin(false);
851 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
852 printf("Unexpected bpf_prog_test_run error ");
853 return err;
854 }
855 if (!err && retval != expected_val &&
856 expected_val != POINTER_VALUE) {
857 printf("FAIL retval %d != %d ", retval, expected_val);
858 return 1;
859 }
860
861 return 0;
862 }
863
cmp_str_seq(const char * log,const char * exp)864 static bool cmp_str_seq(const char *log, const char *exp)
865 {
866 char needle[80];
867 const char *p, *q;
868 int len;
869
870 do {
871 p = strchr(exp, '\t');
872 if (!p)
873 p = exp + strlen(exp);
874
875 len = p - exp;
876 if (len >= sizeof(needle) || !len) {
877 printf("FAIL\nTestcase bug\n");
878 return false;
879 }
880 strncpy(needle, exp, len);
881 needle[len] = 0;
882 q = strstr(log, needle);
883 if (!q) {
884 printf("FAIL\nUnexpected verifier log in successful load!\n"
885 "EXP: %s\nRES:\n", needle);
886 return false;
887 }
888 log = q + len;
889 exp = p + 1;
890 } while (*p);
891 return true;
892 }
893
do_test_single(struct bpf_test * test,bool unpriv,int * passes,int * errors)894 static void do_test_single(struct bpf_test *test, bool unpriv,
895 int *passes, int *errors)
896 {
897 int fd_prog, expected_ret, alignment_prevented_execution;
898 int prog_len, prog_type = test->prog_type;
899 struct bpf_insn *prog = test->insns;
900 struct bpf_load_program_attr attr;
901 int run_errs, run_successes;
902 int map_fds[MAX_NR_MAPS];
903 const char *expected_err;
904 int fixup_skips;
905 __u32 pflags;
906 int i, err;
907
908 for (i = 0; i < MAX_NR_MAPS; i++)
909 map_fds[i] = -1;
910
911 if (!prog_type)
912 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
913 fixup_skips = skips;
914 do_test_fixup(test, prog_type, prog, map_fds);
915 if (test->fill_insns) {
916 prog = test->fill_insns;
917 prog_len = test->prog_len;
918 } else {
919 prog_len = probe_filter_length(prog);
920 }
921 /* If there were some map skips during fixup due to missing bpf
922 * features, skip this test.
923 */
924 if (fixup_skips != skips)
925 return;
926
927 pflags = BPF_F_TEST_RND_HI32;
928 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT)
929 pflags |= BPF_F_STRICT_ALIGNMENT;
930 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)
931 pflags |= BPF_F_ANY_ALIGNMENT;
932 if (test->flags & ~3)
933 pflags |= test->flags;
934
935 expected_ret = unpriv && test->result_unpriv != UNDEF ?
936 test->result_unpriv : test->result;
937 expected_err = unpriv && test->errstr_unpriv ?
938 test->errstr_unpriv : test->errstr;
939 memset(&attr, 0, sizeof(attr));
940 attr.prog_type = prog_type;
941 attr.expected_attach_type = test->expected_attach_type;
942 attr.insns = prog;
943 attr.insns_cnt = prog_len;
944 attr.license = "GPL";
945 attr.log_level = verbose || expected_ret == VERBOSE_ACCEPT ? 1 : 4;
946 attr.prog_flags = pflags;
947
948 fd_prog = bpf_load_program_xattr(&attr, bpf_vlog, sizeof(bpf_vlog));
949 if (fd_prog < 0 && !bpf_probe_prog_type(prog_type, 0)) {
950 printf("SKIP (unsupported program type %d)\n", prog_type);
951 skips++;
952 goto close_fds;
953 }
954
955 alignment_prevented_execution = 0;
956
957 if (expected_ret == ACCEPT || expected_ret == VERBOSE_ACCEPT) {
958 if (fd_prog < 0) {
959 printf("FAIL\nFailed to load prog '%s'!\n",
960 strerror(errno));
961 goto fail_log;
962 }
963 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
964 if (fd_prog >= 0 &&
965 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS))
966 alignment_prevented_execution = 1;
967 #endif
968 if (expected_ret == VERBOSE_ACCEPT && !cmp_str_seq(bpf_vlog, expected_err)) {
969 goto fail_log;
970 }
971 } else {
972 if (fd_prog >= 0) {
973 printf("FAIL\nUnexpected success to load!\n");
974 goto fail_log;
975 }
976 if (!expected_err || !strstr(bpf_vlog, expected_err)) {
977 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
978 expected_err, bpf_vlog);
979 goto fail_log;
980 }
981 }
982
983 if (!unpriv && test->insn_processed) {
984 uint32_t insn_processed;
985 char *proc;
986
987 proc = strstr(bpf_vlog, "processed ");
988 insn_processed = atoi(proc + 10);
989 if (test->insn_processed != insn_processed) {
990 printf("FAIL\nUnexpected insn_processed %u vs %u\n",
991 insn_processed, test->insn_processed);
992 goto fail_log;
993 }
994 }
995
996 if (verbose)
997 printf(", verifier log:\n%s", bpf_vlog);
998
999 run_errs = 0;
1000 run_successes = 0;
1001 if (!alignment_prevented_execution && fd_prog >= 0) {
1002 uint32_t expected_val;
1003 int i;
1004
1005 if (!test->runs)
1006 test->runs = 1;
1007
1008 for (i = 0; i < test->runs; i++) {
1009 if (unpriv && test->retvals[i].retval_unpriv)
1010 expected_val = test->retvals[i].retval_unpriv;
1011 else
1012 expected_val = test->retvals[i].retval;
1013
1014 err = do_prog_test_run(fd_prog, unpriv, expected_val,
1015 test->retvals[i].data,
1016 sizeof(test->retvals[i].data));
1017 if (err) {
1018 printf("(run %d/%d) ", i + 1, test->runs);
1019 run_errs++;
1020 } else {
1021 run_successes++;
1022 }
1023 }
1024 }
1025
1026 if (!run_errs) {
1027 (*passes)++;
1028 if (run_successes > 1)
1029 printf("%d cases ", run_successes);
1030 printf("OK");
1031 if (alignment_prevented_execution)
1032 printf(" (NOTE: not executed due to unknown alignment)");
1033 printf("\n");
1034 } else {
1035 printf("\n");
1036 goto fail_log;
1037 }
1038 close_fds:
1039 if (test->fill_insns)
1040 free(test->fill_insns);
1041 close(fd_prog);
1042 for (i = 0; i < MAX_NR_MAPS; i++)
1043 close(map_fds[i]);
1044 sched_yield();
1045 return;
1046 fail_log:
1047 (*errors)++;
1048 printf("%s", bpf_vlog);
1049 goto close_fds;
1050 }
1051
is_admin(void)1052 static bool is_admin(void)
1053 {
1054 cap_t caps;
1055 cap_flag_value_t sysadmin = CAP_CLEAR;
1056 const cap_value_t cap_val = CAP_SYS_ADMIN;
1057
1058 #ifdef CAP_IS_SUPPORTED
1059 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
1060 perror("cap_get_flag");
1061 return false;
1062 }
1063 #endif
1064 caps = cap_get_proc();
1065 if (!caps) {
1066 perror("cap_get_proc");
1067 return false;
1068 }
1069 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
1070 perror("cap_get_flag");
1071 if (cap_free(caps))
1072 perror("cap_free");
1073 return (sysadmin == CAP_SET);
1074 }
1075
get_unpriv_disabled()1076 static void get_unpriv_disabled()
1077 {
1078 char buf[2];
1079 FILE *fd;
1080
1081 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
1082 if (!fd) {
1083 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
1084 unpriv_disabled = true;
1085 return;
1086 }
1087 if (fgets(buf, 2, fd) == buf && atoi(buf))
1088 unpriv_disabled = true;
1089 fclose(fd);
1090 }
1091
test_as_unpriv(struct bpf_test * test)1092 static bool test_as_unpriv(struct bpf_test *test)
1093 {
1094 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
1095 /* Some architectures have strict alignment requirements. In
1096 * that case, the BPF verifier detects if a program has
1097 * unaligned accesses and rejects them. A user can pass
1098 * BPF_F_ANY_ALIGNMENT to a program to override this
1099 * check. That, however, will only work when a privileged user
1100 * loads a program. An unprivileged user loading a program
1101 * with this flag will be rejected prior entering the
1102 * verifier.
1103 */
1104 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)
1105 return false;
1106 #endif
1107 return !test->prog_type ||
1108 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
1109 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
1110 }
1111
do_test(bool unpriv,unsigned int from,unsigned int to)1112 static int do_test(bool unpriv, unsigned int from, unsigned int to)
1113 {
1114 int i, passes = 0, errors = 0;
1115
1116 for (i = from; i < to; i++) {
1117 struct bpf_test *test = &tests[i];
1118
1119 /* Program types that are not supported by non-root we
1120 * skip right away.
1121 */
1122 if (test_as_unpriv(test) && unpriv_disabled) {
1123 printf("#%d/u %s SKIP\n", i, test->descr);
1124 skips++;
1125 } else if (test_as_unpriv(test)) {
1126 if (!unpriv)
1127 set_admin(false);
1128 printf("#%d/u %s ", i, test->descr);
1129 do_test_single(test, true, &passes, &errors);
1130 if (!unpriv)
1131 set_admin(true);
1132 }
1133
1134 if (unpriv) {
1135 printf("#%d/p %s SKIP\n", i, test->descr);
1136 skips++;
1137 } else {
1138 printf("#%d/p %s ", i, test->descr);
1139 do_test_single(test, false, &passes, &errors);
1140 }
1141 }
1142
1143 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
1144 skips, errors);
1145 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
1146 }
1147
main(int argc,char ** argv)1148 int main(int argc, char **argv)
1149 {
1150 unsigned int from = 0, to = ARRAY_SIZE(tests);
1151 bool unpriv = !is_admin();
1152 int arg = 1;
1153
1154 if (argc > 1 && strcmp(argv[1], "-v") == 0) {
1155 arg++;
1156 verbose = true;
1157 argc--;
1158 }
1159
1160 if (argc == 3) {
1161 unsigned int l = atoi(argv[arg]);
1162 unsigned int u = atoi(argv[arg + 1]);
1163
1164 if (l < to && u < to) {
1165 from = l;
1166 to = u + 1;
1167 }
1168 } else if (argc == 2) {
1169 unsigned int t = atoi(argv[arg]);
1170
1171 if (t < to) {
1172 from = t;
1173 to = t + 1;
1174 }
1175 }
1176
1177 get_unpriv_disabled();
1178 if (unpriv && unpriv_disabled) {
1179 printf("Cannot run as unprivileged user with sysctl %s.\n",
1180 UNPRIV_SYSCTL);
1181 return EXIT_FAILURE;
1182 }
1183
1184 bpf_semi_rand_init();
1185 return do_test(unpriv, from, to);
1186 }
1187