From: Jan Seiffert <kaffeemonster@googlemail.com>
To: <netdev@vger.kernel.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
	linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
	Matt Evans <matt@ozlabs.org>,
	"David S. Miller" <davem@davemloft.net>
Subject: [REGRESSION][PATCH V4 0/3] bpf jit drops the ball on negative memory references
Date: Fri, 30 Mar 2012 17:00:25 +0200
Message-ID: <4F75CA89.4010709@googlemail.com>

Consider the following test program:

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <pcap-bpf.h>

#define die(x) do {perror(x); return 1;} while (0)
struct bpf_insn udp_filter[] = {
	/*   0 */ BPF_STMT(BPF_LDX|BPF_W|BPF_IMM, -1048576+(0)), /* leax	net[0] */
	/*   1 */ BPF_STMT(BPF_LD|BPF_B|BPF_IND, 0),             /* ldb	[x+0] */
	/*   2 */ BPF_STMT(BPF_RET|BPF_A, 0),                    /* ret	a */
};

int main(int argc, char *argv[])
{
	char buf[512];
	struct sockaddr_in addr;
	struct bpf_program prg;
	socklen_t addr_s;
	ssize_t res;
	int fd;

	addr.sin_family = AF_INET;
	addr.sin_port = htons(5000);
	addr.sin_addr.s_addr = 0;
	addr_s = sizeof(addr);
	prg.bf_len = sizeof(udp_filter)/sizeof(udp_filter[0]);
	prg.bf_insns = udp_filter;
	if(-1 == (fd = socket(AF_INET, SOCK_DGRAM, 0)))
		die("socket");
	if(-1 == bind(fd, (struct sockaddr *)&addr, sizeof(addr)))
		die("bind");
	if(-1 == setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, &prg, sizeof(prg)))
		die("setsockopt");
	res = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *)&addr, &addr_s);
	if(res != -1)
		printf("packet received: %zi bytes\n", res);
	else
		die("recvfrom");
	return 0;
}

When used with the bpf jit disabled, it works:
console 1 $ ./bpf
console 2 $ echo "hello" | nc -u localhost 5000
console 1: packet received: 6 bytes

When the bpf jit gets enabled (echo 100 >
/proc/sys/net/core/bpf_jit_enable) the same program stops working:
console 1 $ ./bpf
console 2 $ echo "hello" | nc -u localhost 5000
console 1:

The reason is that both jits (x86 and powerpc) do not handle negative
memory references like SKF_NET_OFF or SKF_LL_OFF; only the simple
ancillary data references are supported (by mapping to special
instructions).
In the case of an absolute reference, the jit aborts the translation
if a negative reference is seen; a negative k on the indirect load
also aborts the translation. But if X is negative to begin with, only
the error handler is reached at runtime, which drops the whole packet.

Such a setup is useful to, say, filter bogus source addresses on a UDP
socket.

I propose the following patch series to fix this situation.
Patch 1 exports the helper function the interpreter uses.
Patch 2 incorporates the helper into the x86 jit (so it depends on patch 1).
Patch 3 incorporates the helper into the powerpc jit (so it depends on patch 1).

Lightly tested on x86, but the powerpc asm part is probably wrong; it
could need assistance.


Signed-off-by: Jan Seiffert <kaffeemonster@googlemail.com>
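
Added example, not part of the original mail and not kernel code: a userspace C model of how a negative classic-BPF offset selects a header base (SKF_NET_OFF, SKF_LL_OFF) with a bounds check, run against the mail's three-instruction filter with and without negative-offset handling. struct pkt, load_byte, run_mail_filter and the sample packet are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SKF_AD_OFF  (-0x1000)    /* values as in <linux/filter.h> */
#define SKF_NET_OFF (-0x100000)  /* -1048576, the LDX immediate in the mail */
#define SKF_LL_OFF  (-0x200000)

/* Hypothetical stand-in for the sk_buff fields a load consults. */
struct pkt {
	const uint8_t *buf;
	long len;            /* valid bytes are buf[0 .. len-1] */
	long mac, net, data; /* link-layer hdr, network hdr, where offset 0 points */
};

/* Load one byte at BPF offset k; -1 stands for the error path. */
static int load_byte(const struct pkt *p, long k, int handle_negative)
{
	long idx;
	if (k >= 0)
		idx = p->data + k;
	else if (!handle_negative || k >= SKF_AD_OFF)
		return -1;                        /* no packet memory behind k */
	else if (k >= SKF_NET_OFF)
		idx = p->net + (k - SKF_NET_OFF);
	else if (k >= SKF_LL_OFF)
		idx = p->mac + (k - SKF_LL_OFF);
	else
		return -1;
	return (idx < 0 || idx >= p->len) ? -1 : p->buf[idx]; /* bounds check */
}

/* Filter from the mail; returns bytes to accept, 0 means the packet is dropped. */
static unsigned run_mail_filter(const struct pkt *p, int handle_negative)
{
	long x = SKF_NET_OFF;                         /* 0: ldx #SKF_NET_OFF */
	int a = load_byte(p, x + 0, handle_negative); /* 1: ldb [x+0] */
	return a < 0 ? 0 : (unsigned)a;               /* 2: ret a, or error path */
}

/* Constructed sample: 14-byte Ethernet, 20-byte IPv4, 8-byte UDP, "hello\n".
 * Assumption of this model: offset 0 points at the UDP header (byte 34). */
static const uint8_t sample[48] = { [12] = 0x08, [14] = 0x45, [23] = 17,
	[42] = 'h', 'e', 'l', 'l', 'o', '\n' };
static const struct pkt sample_pkt = { sample, 48, 0, 14, 34 };

int main(void)
{
	printf("negative offsets handled: accept %u\n", run_mail_filter(&sample_pkt, 1));
	printf("negative offsets refused: accept %u\n", run_mail_filter(&sample_pkt, 0));
	return 0;
}
```

With handling enabled the filter returns the first byte of the IPv4 header (0x45), so the 6-byte datagram is accepted; with it refused the load fails and the return value of 0 drops the packet.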
