/* $NetBSD: t_bpfilter.c,v 1.11 2017/01/13 21:30:42 christos Exp $ */ /*- * Copyright (c) 2012 The NetBSD Foundation, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include __RCSID("$NetBSD: t_bpfilter.c,v 1.11 2017/01/13 21:30:42 christos Exp $"); #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* XXX: atf-c.h has collisions with mbuf */ #undef m_type #undef m_data #include #include "h_macros.h" #include "../config/netconfig.c" #define SNAPLEN UINT32_MAX #define BMAGIC UINT32_C(0x37) #define HMAGIC UINT32_C(0xc2c2) #define WMAGIC UINT32_C(0x7d7d7d7d) static const char magic_echo_reply_tail[7] = { BMAGIC, HMAGIC & 0xff, HMAGIC & 0xff, WMAGIC & 0xff, WMAGIC & 0xff, WMAGIC & 0xff, WMAGIC & 0xff }; /* * Match ICMP_ECHOREPLY packet with 7 magic bytes at the end. */ static struct bpf_insn magic_echo_reply_prog[] = { BPF_STMT(BPF_LD+BPF_ABS+BPF_B, sizeof(struct ip) + offsetof(struct icmp, icmp_type)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ICMP_ECHOREPLY, 1, 0), BPF_STMT(BPF_RET+BPF_K, 0), BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0), /* A <- len */ BPF_STMT(BPF_ALU+BPF_SUB+BPF_K, 7), /* A <- A - 7 */ BPF_STMT(BPF_MISC+BPF_TAX, 0), /* X <- A */ BPF_STMT(BPF_LD+BPF_IND+BPF_B, 0), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, BMAGIC, 1, 0), BPF_STMT(BPF_RET+BPF_K, 0), BPF_STMT(BPF_LD+BPF_IND+BPF_H, 1), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, HMAGIC, 1, 0), BPF_STMT(BPF_RET+BPF_K, 0), BPF_STMT(BPF_LD+BPF_IND+BPF_W, 3), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, WMAGIC, 1, 0), BPF_STMT(BPF_RET+BPF_K, 0), BPF_STMT(BPF_RET+BPF_K, SNAPLEN) }; static struct bpf_insn badmem_prog[] = { BPF_STMT(BPF_LD+BPF_MEM, 5), BPF_STMT(BPF_RET+BPF_A, 0), }; static struct bpf_insn noinitA_prog[] = { BPF_STMT(BPF_RET+BPF_A, 0), }; static struct bpf_insn noinitX_prog[] = { BPF_STMT(BPF_MISC+BPF_TXA, 0), BPF_STMT(BPF_RET+BPF_A, 0), }; static struct bpf_insn badjmp_prog[] = { BPF_STMT(BPF_JMP+BPF_JA, 5), BPF_STMT(BPF_RET+BPF_A, 0), }; static struct bpf_insn negjmp_prog[] = { BPF_STMT(BPF_JMP+BPF_JA, 0), BPF_STMT(BPF_JMP+BPF_JA, UINT32_MAX - 1), // -2 BPF_STMT(BPF_RET+BPF_A, 0), }; static struct bpf_insn badret_prog[] = { BPF_STMT(BPF_RET+BPF_A+0x8000, 0), }; static uint16_t in_cksum(void *data, size_t len) { uint16_t *buf = data; unsigned sum; for (sum = 0; len > 1; len -= 2) sum += *buf++; if (len) sum += *(uint8_t *)buf; sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return ~sum; } /* * Based on netcfg_rump_pingtest(). */ static bool __unused pingtest(const char *dst, unsigned int wirelen, const char tail[7]) { struct timeval tv; struct sockaddr_in sin; struct icmp *icmp; char *pkt; unsigned int pktsize; socklen_t slen; int s; bool rv = false; if (wirelen < ETHER_HDR_LEN + sizeof(struct ip)) return false; pktsize = wirelen - ETHER_HDR_LEN - sizeof(struct ip); if (pktsize < sizeof(struct icmp) + 7) return false; s = rump_sys_socket(PF_INET, SOCK_RAW, IPPROTO_ICMP); if (s == -1) return false; pkt = NULL; tv.tv_sec = 1; tv.tv_usec = 0; if (rump_sys_setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) == -1) goto out; memset(&sin, 0, sizeof(sin)); sin.sin_len = sizeof(sin); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(dst); pkt = calloc(1, pktsize); icmp = (struct icmp *)pkt; if (pkt == NULL) goto out; memcpy(pkt + pktsize - 7, tail, 7); icmp->icmp_type = ICMP_ECHO; icmp->icmp_id = htons(37); icmp->icmp_seq = htons(1); icmp->icmp_cksum = in_cksum(pkt, pktsize); slen = sizeof(sin); if (rump_sys_sendto(s, pkt, pktsize, 0, (struct sockaddr *)&sin, slen) == -1) { goto out; } if (rump_sys_recvfrom(s, pkt, pktsize, 0, (struct sockaddr *)&sin, &slen) == -1) goto out; rv = true; out: if (pkt != NULL) free(pkt); rump_sys_close(s); return rv; } static void magic_ping_test(const char *name, unsigned int wirelen) { struct bpf_program prog; struct bpf_stat bstat; struct ifreq ifr; struct timeval tv; unsigned int bufsize; bool pinged; ssize_t n; char *buf; pid_t child; int bpfd; char token; int channel[2]; struct bpf_hdr *hdr; RL(pipe(channel)); prog.bf_len = __arraycount(magic_echo_reply_prog); prog.bf_insns = magic_echo_reply_prog; child = fork(); RZ(rump_init()); netcfg_rump_makeshmif(name, ifr.ifr_name); switch (child) { case -1: atf_tc_fail_errno("fork failed"); case 0: netcfg_rump_if(ifr.ifr_name, "10.1.1.10", "255.0.0.0"); close(channel[0]); ATF_CHECK(write(channel[1], "U", 1) == 1); close(channel[1]); pause(); return; default: break; } netcfg_rump_if(ifr.ifr_name, "10.1.1.20", "255.0.0.0"); RL(bpfd = rump_sys_open("/dev/bpf", O_RDONLY)); tv.tv_sec = 0; tv.tv_usec = 500; RL(rump_sys_ioctl(bpfd, BIOCSRTIMEOUT, &tv)); RL(rump_sys_ioctl(bpfd, BIOCGBLEN, &bufsize)); RL(rump_sys_ioctl(bpfd, BIOCSETF, &prog)); RL(rump_sys_ioctl(bpfd, BIOCSETIF, &ifr)); close(channel[1]); ATF_CHECK(read(channel[0], &token, 1) == 1 && token == 'U'); pinged = pingtest("10.1.1.10", wirelen, magic_echo_reply_tail); ATF_CHECK(pinged); buf = malloc(bufsize); hdr = (struct bpf_hdr *)buf; ATF_REQUIRE(buf != NULL); ATF_REQUIRE(bufsize > sizeof(struct bpf_hdr)); n = rump_sys_read(bpfd, buf, bufsize); ATF_CHECK(n > (int)sizeof(struct bpf_hdr)); ATF_CHECK(hdr->bh_caplen == MIN(SNAPLEN, wirelen)); RL(rump_sys_ioctl(bpfd, BIOCGSTATS, &bstat)); ATF_CHECK(bstat.bs_capt >= 1); /* XXX == 1 */ rump_sys_close(bpfd); free(buf); close(channel[0]); kill(child, SIGKILL); } static int send_bpf_prog(const char *ifname, struct bpf_program *prog) { struct ifreq ifr; int bpfd, e, rv; RZ(rump_init()); netcfg_rump_makeshmif(ifname, ifr.ifr_name); netcfg_rump_if(ifr.ifr_name, "10.1.1.20", "255.0.0.0"); RL(bpfd = rump_sys_open("/dev/bpf", O_RDONLY)); rv = rump_sys_ioctl(bpfd, BIOCSETF, prog); e = errno; rump_sys_close(bpfd); errno = e; return rv; } ATF_TC(bpfiltercontig); ATF_TC_HEAD(bpfiltercontig, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program " "can read bytes from contiguous buffer."); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfiltercontig, tc) { magic_ping_test("bpfiltercontig", 128); } ATF_TC(bpfiltermchain); ATF_TC_HEAD(bpfiltermchain, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program " "can read bytes from mbuf chain."); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfiltermchain, tc) { magic_ping_test("bpfiltermchain", MINCLSIZE + 1); } ATF_TC(bpfilterbadmem); ATF_TC_HEAD(bpfilterbadmem, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program that " "doesn't initialize memomy store is rejected by the kernel"); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfilterbadmem, tc) { struct bpf_program prog; prog.bf_len = __arraycount(badmem_prog); prog.bf_insns = badmem_prog; ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadmem", &prog) == -1); } ATF_TC(bpfilternoinitA); ATF_TC_HEAD(bpfilternoinitA, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program that " "doesn't initialize the A register is accepted by the kernel"); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfilternoinitA, tc) { struct bpf_program prog; prog.bf_len = __arraycount(noinitA_prog); prog.bf_insns = noinitA_prog; RL(send_bpf_prog("bpfilternoinitA", &prog)); } ATF_TC(bpfilternoinitX); ATF_TC_HEAD(bpfilternoinitX, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program that " "doesn't initialize the X register is accepted by the kernel"); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfilternoinitX, tc) { struct bpf_program prog; prog.bf_len = __arraycount(noinitX_prog); prog.bf_insns = noinitX_prog; RL(send_bpf_prog("bpfilternoinitX", &prog)); } ATF_TC(bpfilterbadjmp); ATF_TC_HEAD(bpfilterbadjmp, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program that " "jumps to invalid destination is rejected by the kernel"); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfilterbadjmp, tc) { struct bpf_program prog; prog.bf_len = __arraycount(badjmp_prog); prog.bf_insns = badjmp_prog; ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadjmp", &prog) == -1); } ATF_TC(bpfilternegjmp); ATF_TC_HEAD(bpfilternegjmp, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program that " "jumps backwards is rejected by the kernel"); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfilternegjmp, tc) { struct bpf_program prog; prog.bf_len = __arraycount(negjmp_prog); prog.bf_insns = negjmp_prog; ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilternegjmp", &prog) == -1); } ATF_TC(bpfilterbadret); ATF_TC_HEAD(bpfilterbadret, tc) { atf_tc_set_md_var(tc, "descr", "Checks that bpf program that " "ends with invalid BPF_RET instruction is rejected by the kernel"); atf_tc_set_md_var(tc, "timeout", "30"); } ATF_TC_BODY(bpfilterbadret, tc) { struct bpf_program prog; struct bpf_insn *last; prog.bf_len = __arraycount(badret_prog); prog.bf_insns = badret_prog; /* * The point of this test is checking a bad instruction of * a valid class and with a valid BPF_RVAL data. */ last = &prog.bf_insns[prog.bf_len - 1]; ATF_CHECK(BPF_CLASS(last->code) == BPF_RET && (BPF_RVAL(last->code) == BPF_K || BPF_RVAL(last->code) == BPF_A)); ATF_CHECK_ERRNO(EINVAL, send_bpf_prog("bpfilterbadret", &prog) == -1); } ATF_TP_ADD_TCS(tp) { ATF_TP_ADD_TC(tp, bpfiltercontig); ATF_TP_ADD_TC(tp, bpfiltermchain); ATF_TP_ADD_TC(tp, bpfilterbadmem); ATF_TP_ADD_TC(tp, bpfilternoinitA); ATF_TP_ADD_TC(tp, bpfilternoinitX); ATF_TP_ADD_TC(tp, bpfilterbadjmp); ATF_TP_ADD_TC(tp, bpfilternegjmp); ATF_TP_ADD_TC(tp, bpfilterbadret); return atf_no_error(); }