Commit 71b500af authored by Alexei Starovoitov's avatar Alexei Starovoitov
Browse files

Merge branch 'bpf-fix-short-ipv4-ipv6-handling-in-test_run_skb' 

Sun Jian says:

====================
bpf: fix short IPv4/IPv6 handling in test_run_skb

bpf_prog_test_run_skb() may access IPv4/IPv6 network headers based on
skb->protocol even when the provided test input only contains an
Ethernet header.

Fix it by rejecting such short IPv4/IPv6 inputs before accessing the
L3 headers, and add a selftest that exercises the reported
bpf_skb_adjust_room() path on ETH_HLEN-sized IPv4/IPv6 EtherType
inputs.

Changes in v4:
- Split the selftests into a separate patch.
- Rework the selftest to actually execute a BPF program calling
  bpf_skb_adjust_room().
- Reuse a single struct ethhdr eth_hlen and initialize h_proto from
  the test case table.
- Add the Fixes tag to the test_run.c patch.

Link: https://lore.kernel.org/bpf/CABFUUZF_CWQZrRk=L9cNxO=8Z4iSgGfXi3J=hpzeyTKDbfE2-w@mail.gmail.com/T/#mfabfe7e86bb30c0141fbc9f751b8b1cb07767f01
====================

Link: https://patch.msgid.link/20260408034623.180320-1-sun.jian.kdev@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents 47687a29 f1cc9466

net/bpf/test_run.c

+12 −8
Original line number Diff line number Diff line
@@ -1137,19 +1137,23 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, 


	switch (skb->protocol) {

	case htons(ETH_P_IP):

		if (skb_headlen(skb) < sizeof(struct iphdr)) {

			ret = -EINVAL;

			goto out;

		}

		sk->sk_family = AF_INET;

		if (sizeof(struct iphdr) <= skb_headlen(skb)) {

		sk->sk_rcv_saddr = ip_hdr(skb)->saddr;

		sk->sk_daddr = ip_hdr(skb)->daddr;

		}

		break;

#if IS_ENABLED(CONFIG_IPV6)

	case htons(ETH_P_IPV6):

		if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {

			ret = -EINVAL;

			goto out;

		}

		sk->sk_family = AF_INET6;

		if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {

		sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;

		sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;

		}

		break;

#endif

	default:

tools/testing/selftests/bpf/prog_tests/empty_skb.c

+37 −3
Original line number Diff line number Diff line
@@ -10,8 +10,8 @@ void test_empty_skb(void) 
	struct empty_skb *bpf_obj = NULL;

	struct nstoken *tok = NULL;

	struct bpf_program *prog;

	struct ethhdr eth_hlen;

	char eth_hlen_pp[15];

	char eth_hlen[14];

	int veth_ifindex;

	int ipip_ifindex;

	int err;
@@ -25,7 +25,9 @@ void test_empty_skb(void) 
		int err;

		int ret;

		int lwt_egress_ret; /* expected retval at lwt/egress */

		__be16 h_proto;

		bool success_on_tc;

		bool adjust_room;

	} tests[] = {

		/* Empty packets are always rejected. */
@@ -46,6 +48,28 @@ void test_empty_skb(void) 
			.err = -EINVAL,

		},



		/* ETH_HLEN-sized packets with IPv4/IPv6 EtherType but

		 * no L3 header are rejected.

		 */

		{

			.msg = "veth short IPv4 ingress packet",

			.data_in = &eth_hlen,

			.data_size_in = sizeof(eth_hlen),

			.ifindex = &veth_ifindex,

			.err = -EINVAL,

			.h_proto = htons(ETH_P_IP),

			.adjust_room = true,

		},

		{

			.msg = "veth short IPv6 ingress packet",

			.data_in = &eth_hlen,

			.data_size_in = sizeof(eth_hlen),

			.ifindex = &veth_ifindex,

			.err = -EINVAL,

			.h_proto = htons(ETH_P_IPV6),

			.adjust_room = true,

		},



		/* ETH_HLEN-sized packets:

		 * - can not be redirected at LWT_XMIT

		 * - can be redirected at TC to non-tunneling dest
@@ -54,7 +78,7 @@ void test_empty_skb(void) 
		{

			/* __bpf_redirect_common */

			.msg = "veth ETH_HLEN packet ingress",

			.data_in = eth_hlen,

			.data_in = &eth_hlen,

			.data_size_in = sizeof(eth_hlen),

			.ifindex = &veth_ifindex,

			.ret = -ERANGE,
@@ -68,7 +92,7 @@ void test_empty_skb(void) 
			 * tc: skb->len=14 <= skb_network_offset=14

			 */

			.msg = "ipip ETH_HLEN packet ingress",

			.data_in = eth_hlen,

			.data_in = &eth_hlen,

			.data_size_in = sizeof(eth_hlen),

			.ifindex = &ipip_ifindex,

			.ret = -ERANGE,
@@ -108,17 +132,27 @@ void test_empty_skb(void) 
	SYS(out, "ip addr add 192.168.1.1/16 dev ipip0");

	ipip_ifindex = if_nametoindex("ipip0");



	memset(eth_hlen_pp, 0, sizeof(eth_hlen_pp));

	memset(&eth_hlen, 0, sizeof(eth_hlen));



	bpf_obj = empty_skb__open_and_load();

	if (!ASSERT_OK_PTR(bpf_obj, "open skeleton"))

		goto out;



	for (i = 0; i < ARRAY_SIZE(tests); i++) {

		if (tests[i].data_in == &eth_hlen)

			eth_hlen.h_proto = tests[i].h_proto;



		bpf_object__for_each_program(prog, bpf_obj->obj) {

			bool at_egress = strstr(bpf_program__name(prog), "egress") != NULL;

			bool at_tc = !strncmp(bpf_program__section_name(prog), "tc", 2);

			bool is_adjust_room = !strcmp(bpf_program__name(prog), "tc_adjust_room");

			int expected_ret;

			char buf[128];



			if (tests[i].adjust_room != is_adjust_room)

				continue;



			expected_ret = at_egress && !at_tc ? tests[i].lwt_egress_ret : tests[i].ret;



			tattr.data_in = tests[i].data_in;

tools/testing/selftests/bpf/progs/empty_skb.c

+7 −0
Original line number Diff line number Diff line
@@ -35,3 +35,10 @@ int tc_redirect_egress(struct __sk_buff *skb) 
	ret = bpf_clone_redirect(skb, ifindex, 0);

	return 0;

}



SEC("tc")

int tc_adjust_room(struct __sk_buff *skb)

{

	ret = bpf_skb_adjust_room(skb, 4, BPF_ADJ_ROOM_NET, 0);

	return 0;

}