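/*	$NetBSD: t_bpfilter.c,v 1.11 2017/01/13 21:30:42 christos Exp $	*/

/*-
 * Copyright (c) 2012 The NetBSD Foundation, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
#include <sys/cdefs.h>
__RCSID("$NetBSD: t_bpfilter.c,v 1.11 2017/01/13 21:30:42 christos Exp $");

#include <sys/param.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/mbuf.h>
#include <sys/sysctl.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#include <net/if.h>
#include <net/if_ether.h>
#include <net/bpf.h>

#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include <rump/rump.h>
#include <rump/rump_syscalls.h>

/* XXX: atf-c.h has collisions with mbuf */
#undef m_type
#undef m_data
#include <atf-c.h>

#include "h_macros.h"
#include "../config/netconfig.c"


/* Value returned by the accepting BPF_RET, i.e. "capture the whole packet". */
#define	SNAPLEN	UINT32_MAX

/* Byte, halfword and word constants the filter looks for in the tail. */
#define BMAGIC	UINT32_C(0x37)
#define HMAGIC	UINT32_C(0xc2c2)
#define WMAGIC	UINT32_C(0x7d7d7d7d)

/*
 * The 7 trailing payload bytes pingtest() appends to the echo request:
 * one BMAGIC byte, two HMAGIC bytes, four WMAGIC bytes.  Every byte of
 * HMAGIC and of WMAGIC is the same, so byte order does not matter here.
 */
static const char magic_echo_reply_tail[7] = {
	BMAGIC,
	HMAGIC & 0xff,
	HMAGIC & 0xff,
	WMAGIC & 0xff,
	WMAGIC & 0xff,
	WMAGIC & 0xff,
	WMAGIC & 0xff
};

/*
 * Match ICMP_ECHOREPLY packet with 7 magic bytes at the end.
 *
 * NOTE(review): the first load uses an absolute offset of
 * sizeof(struct ip) + offsetof(struct icmp, icmp_type) and does not add
 * ETHER_HDR_LEN, while pingtest() treats wirelen as including an Ethernet
 * header and magic_ping_test() expects bh_caplen == wirelen.  If the
 * captured data starts at the Ethernet header, this load does not look at
 * the ICMP type byte - confirm against the interface's link type.
 */
static struct bpf_insn magic_echo_reply_prog[] = {
	BPF_STMT(BPF_LD+BPF_ABS+BPF_B,
	    sizeof(struct ip) + offsetof(struct icmp, icmp_type)),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ICMP_ECHOREPLY, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),  /* A <- len   */
	BPF_STMT(BPF_ALU+BPF_SUB+BPF_K, 7), /* A <- A - 7 */
	BPF_STMT(BPF_MISC+BPF_TAX, 0),      /* X <- A     */

	/* Indexed loads relative to X = len - 7: byte, halfword, word. */
	BPF_STMT(BPF_LD+BPF_IND+BPF_B, 0),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, BMAGIC, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	BPF_STMT(BPF_LD+BPF_IND+BPF_H, 1),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, HMAGIC, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	BPF_STMT(BPF_LD+BPF_IND+BPF_W, 3),
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, WMAGIC, 1, 0),
	BPF_STMT(BPF_RET+BPF_K, 0),

	BPF_STMT(BPF_RET+BPF_K, SNAPLEN)
};

/*
 * The programs below are handed to BIOCSETF by the test cases at the end
 * of the file.  badmem, badjmp, negjmp and badret must be refused with
 * EINVAL; noinitA and noinitX must be accepted.
 */

/* Loads scratch memory word 5 although nothing was ever stored there. */
static struct bpf_insn badmem_prog[] = {
	BPF_STMT(BPF_LD+BPF_MEM, 5),
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Returns A without any instruction having written A. */
static struct bpf_insn noinitA_prog[] = {
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Copies X to A and returns it without any instruction having written X. */
static struct bpf_insn noinitX_prog[] = {
	BPF_STMT(BPF_MISC+BPF_TXA, 0),
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Jump offset 5 in a two-instruction program: target is past the end. */
static struct bpf_insn badjmp_prog[] = {
	BPF_STMT(BPF_JMP+BPF_JA, 5),
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* Second jump has offset UINT32_MAX - 1, i.e. -2 when read as signed. */
static struct bpf_insn negjmp_prog[] = {
	BPF_STMT(BPF_JMP+BPF_JA, 0),
	BPF_STMT(BPF_JMP+BPF_JA, UINT32_MAX - 1), // -2
	BPF_STMT(BPF_RET+BPF_A, 0),
};

/* BPF_RET with an extra 0x8000 bit set in the opcode. */
static struct bpf_insn badret_prog[] = {
	BPF_STMT(BPF_RET+BPF_A+0x8000, 0),
};

/*
 * Compute the 16-bit one's-complement checksum of len bytes at data.
 *
 * Whole 16-bit words are summed in host byte order, the carries are
 * folded back in and the complement is returned, ready to be stored
 * into the packet as is.
 */
static uint16_t
in_cksum(void *data, size_t len)
{
	uint16_t *buf = data;
	unsigned sum;

	for (sum = 0; len > 1; len -= 2)
		sum += *buf++;
	if (len) {
		/*
		 * A trailing odd byte counts as the first byte of a word
		 * padded with zero.  Building that word in memory keeps
		 * the result correct on big-endian hosts too; adding the
		 * byte directly is only right on little-endian ones.
		 */
		uint16_t last = 0;

		memcpy(&last, buf, 1);
		sum += last;
	}

	sum = (sum >> 16) + (sum & 0xffff);
	sum += (sum >> 16);

	return ~sum;
}

/*
 * Based on netcfg_rump_pingtest().
 *
 * Send one ICMP echo request to dst through the rump kernel and wait up
 * to one second for any datagram to come back on the raw socket.
 *
 * wirelen is the size of the whole frame; the ICMP message is sized as
 * wirelen - ETHER_HDR_LEN - sizeof(struct ip) and its last 7 bytes are
 * copied from tail.
 *
 * Returns true when both the send and the receive succeeded.  The
 * received data is not inspected.
 */
static bool __unused
pingtest(const char *dst, unsigned int wirelen, const char tail[7])
{
	struct timeval tv;
	struct sockaddr_in sin;
	struct icmp *icmp;
	char *pkt;
	unsigned int pktsize;
	socklen_t slen;
	int s;
	bool rv = false;

	/* Reject lengths that would make the subtraction below wrap. */
	if (wirelen < ETHER_HDR_LEN + sizeof(struct ip))
		return false;

	/* The message must hold the ICMP header and the 7 tail bytes. */
	pktsize = wirelen - ETHER_HDR_LEN - sizeof(struct ip);
	if (pktsize < sizeof(struct icmp) + 7)
		return false;

	s = rump_sys_socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
	if (s == -1)
		return false;

	pkt = NULL;

	tv.tv_sec = 1;
	tv.tv_usec = 0;
	if (rump_sys_setsockopt(s, SOL_SOCKET, SO_RCVTIMEO,
	    &tv, sizeof(tv)) == -1)
		goto out;

	memset(&sin, 0, sizeof(sin));
	sin.sin_len = sizeof(sin);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = inet_addr(dst);

	pkt = calloc(1, pktsize);
	if (pkt == NULL)
		goto out;
	icmp = (struct icmp *)pkt;

	memcpy(pkt + pktsize - 7, tail, 7);
	icmp->icmp_type = ICMP_ECHO;
	icmp->icmp_id = htons(37);
	icmp->icmp_seq = htons(1);
	/* calloc() left icmp_cksum at zero, as the computation requires. */
	icmp->icmp_cksum = in_cksum(pkt, pktsize);

	slen = sizeof(sin);
	if (rump_sys_sendto(s, pkt, pktsize, 0,
	    (struct sockaddr *)&sin, slen) == -1) {
		goto out;
	}

	if (rump_sys_recvfrom(s, pkt, pktsize, 0,
	    (struct sockaddr *)&sin, &slen) == -1)
		goto out;

	rv = true;
 out:
	free(pkt);
	rump_sys_close(s);
	return rv;
}

/*
 * Fork a peer that configures 10.1.1.10 on the shmif bus called name,
 * attach magic_echo_reply_prog to /dev/bpf on the local side (10.1.1.20),
 * ping the peer with a frame of wirelen bytes and check that bpf
 * captured at least one packet with bh_caplen == MIN(SNAPLEN, wirelen).
 */
static void
magic_ping_test(const char *name, unsigned int wirelen)
{
	struct bpf_program prog;
	struct bpf_stat bstat;
	struct ifreq ifr;
	struct timeval tv;
	unsigned int bufsize;
	bool pinged;
	ssize_t n;
	char *buf;
	pid_t child;
	int bpfd;
	char token;
	int channel[2];

	struct bpf_hdr *hdr;

	RL(pipe(channel));

	prog.bf_len = __arraycount(magic_echo_reply_prog);
	prog.bf_insns = magic_echo_reply_prog;

	/* Both processes boot their own rump kernel after the fork. */
	child = fork();
	RZ(rump_init());
	netcfg_rump_makeshmif(name, ifr.ifr_name);

	switch (child) {
	case -1:
		/*
		 * NOTE(review): there is no break here; this relies on
		 * atf_tc_fail_errno() not returning - confirm.
		 */
		atf_tc_fail_errno("fork failed");
	case 0:
		netcfg_rump_if(ifr.ifr_name, "10.1.1.10", "255.0.0.0");
		close(channel[0]);
		/* Tell the parent that the peer address is configured. */
		ATF_CHECK(write(channel[1], "U", 1) == 1);
		close(channel[1]);
		/* Stay alive to answer the ping until the parent kills us. */
		pause();
		return;
	default:
		break;
	}

	netcfg_rump_if(ifr.ifr_name, "10.1.1.20", "255.0.0.0");

	RL(bpfd = rump_sys_open("/dev/bpf", O_RDONLY));

	tv.tv_sec = 0;
	tv.tv_usec = 500;
	RL(rump_sys_ioctl(bpfd, BIOCSRTIMEOUT, &tv));

	RL(rump_sys_ioctl(bpfd, BIOCGBLEN, &bufsize));
	RL(rump_sys_ioctl(bpfd, BIOCSETF, &prog));
	RL(rump_sys_ioctl(bpfd, BIOCSETIF, &ifr));

	/* Wait for the child's token before sending anything. */
	close(channel[1]);
	ATF_CHECK(read(channel[0], &token, 1) == 1 && token == 'U');

	pinged = pingtest("10.1.1.10", wirelen, magic_echo_reply_tail);
	ATF_CHECK(pinged);

	buf = malloc(bufsize);
	ATF_REQUIRE(buf != NULL);
	ATF_REQUIRE(bufsize > sizeof(struct bpf_hdr));
	hdr = (struct bpf_hdr *)buf;

	n = rump_sys_read(bpfd, buf, bufsize);

	ATF_CHECK(n > (int)sizeof(struct bpf_hdr));
	/*
	 * ATF_CHECK() records a failure and carries on, so only look at
	 * the header when the read really delivered one; otherwise buf is
	 * still uninitialized heap memory.
	 */
	if (n > (int)sizeof(struct bpf_hdr)) {
		ATF_CHECK(hdr->bh_caplen == MIN(SNAPLEN, wirelen));
	}

	RL(rump_sys_ioctl(bpfd, BIOCGSTATS, &bstat));
	ATF_CHECK(bstat.bs_capt >= 1); /* XXX == 1 */

	rump_sys_close(bpfd);
	free(buf);

	close(channel[0]);

	/* NOTE(review): the child is killed but never waited for. */
	kill(child, SIGKILL);
}

/*
 * Boot a rump kernel, configure 10.1.1.20 on the shmif bus called ifname
 * and submit prog to /dev/bpf with BIOCSETF.
 *
 * Returns the ioctl's return value.  errno is saved across the close so
 * that the caller sees the error set by the ioctl.
 */
static int
send_bpf_prog(const char *ifname, struct bpf_program *prog)
{
	struct ifreq ifr;
	int bpfd, e, rv;

	RZ(rump_init());
	netcfg_rump_makeshmif(ifname, ifr.ifr_name);
	netcfg_rump_if(ifr.ifr_name, "10.1.1.20", "255.0.0.0");

	RL(bpfd = rump_sys_open("/dev/bpf", O_RDONLY));

	rv = rump_sys_ioctl(bpfd, BIOCSETF, prog);
	e = errno;

	rump_sys_close(bpfd);
	errno = e;

	return rv;
}

ATF_TC(bpfiltercontig);
ATF_TC_HEAD(bpfiltercontig, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program "
	    "can read bytes from contiguous buffer.");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfiltercontig, tc)
{

	magic_ping_test("bpfiltercontig", 128);
}


ATF_TC(bpfiltermchain);
ATF_TC_HEAD(bpfiltermchain, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program "
	    "can read bytes from mbuf chain.");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfiltermchain, tc)
{

	/* presumably one byte more than fits the contiguous case - confirm */
	magic_ping_test("bpfiltermchain", MINCLSIZE + 1);
}


ATF_TC(bpfilterbadmem);
ATF_TC_HEAD(bpfilterbadmem, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "doesn't initialize memomy store is rejected by the kernel");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfilterbadmem, tc)
{
	struct bpf_program prog;

	prog.bf_len = __arraycount(badmem_prog);
	prog.bf_insns = badmem_prog;
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadmem", &prog) == -1);
}

ATF_TC(bpfilternoinitA);
ATF_TC_HEAD(bpfilternoinitA, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "doesn't initialize the A register is accepted by the kernel");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfilternoinitA, tc)
{
	struct bpf_program prog;

	prog.bf_len = __arraycount(noinitA_prog);
	prog.bf_insns = noinitA_prog;
	RL(send_bpf_prog("bpfilternoinitA", &prog));
}

ATF_TC(bpfilternoinitX);
ATF_TC_HEAD(bpfilternoinitX, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "doesn't initialize the X register is accepted by the kernel");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfilternoinitX, tc)
{
	struct bpf_program prog;

	prog.bf_len = __arraycount(noinitX_prog);
	prog.bf_insns = noinitX_prog;
	RL(send_bpf_prog("bpfilternoinitX", &prog));
}

ATF_TC(bpfilterbadjmp);
ATF_TC_HEAD(bpfilterbadjmp, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "jumps to invalid destination is rejected by the kernel");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfilterbadjmp, tc)
{
	struct bpf_program prog;

	prog.bf_len = __arraycount(badjmp_prog);
	prog.bf_insns = badjmp_prog;
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadjmp", &prog) == -1);
}

ATF_TC(bpfilternegjmp);
ATF_TC_HEAD(bpfilternegjmp, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "jumps backwards is rejected by the kernel");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfilternegjmp, tc)
{
	struct bpf_program prog;

	prog.bf_len = __arraycount(negjmp_prog);
	prog.bf_insns = negjmp_prog;
	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilternegjmp", &prog) == -1);
}

ATF_TC(bpfilterbadret);
ATF_TC_HEAD(bpfilterbadret, tc)
{

	atf_tc_set_md_var(tc, "descr", "Checks that bpf program that "
	    "ends with invalid BPF_RET instruction is rejected by the kernel");
	atf_tc_set_md_var(tc, "timeout", "30");
}

ATF_TC_BODY(bpfilterbadret, tc)
{
	struct bpf_program prog;
	struct bpf_insn *last;

	prog.bf_len = __arraycount(badret_prog);
	prog.bf_insns = badret_prog;

	/*
	 * The point of this test is checking a bad instruction of
	 * a valid class and with a valid BPF_RVAL data.
	 */
	last = &prog.bf_insns[prog.bf_len - 1];
	ATF_CHECK(BPF_CLASS(last->code) == BPF_RET &&
	    (BPF_RVAL(last->code) == BPF_K || BPF_RVAL(last->code) == BPF_A));

	ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadret", &prog) == -1);
}

/* Register every test case of this file with the test program. */
ATF_TP_ADD_TCS(tp)
{

	ATF_TP_ADD_TC(tp, bpfiltercontig);
	ATF_TP_ADD_TC(tp, bpfiltermchain);
	ATF_TP_ADD_TC(tp, bpfilterbadmem);
	ATF_TP_ADD_TC(tp, bpfilternoinitA);
	ATF_TP_ADD_TC(tp, bpfilternoinitX);
	ATF_TP_ADD_TC(tp, bpfilterbadjmp);
	ATF_TP_ADD_TC(tp, bpfilternegjmp);
	ATF_TP_ADD_TC(tp, bpfilterbadret);

	return atf_no_error();
}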