experiment01-tailgrow: add example that fail xdp_prog_fail1.c

netoptimizer · netoptimizer · commit 54c4d3338b4a · 2020-05-05T16:01:21.000+02:00
Signed-off-by: Jesper Dangaard Brouer &lt;brouer@redhat.com&gt;
diff --git a/experiment01-tailgrow/Makefile b/experiment01-tailgrow/Makefile
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
 
 XDP_TARGETS  := xdp_prog_kern xdp_prog_kern2
+XDP_TARGETS  += xdp_prog_fail1
+
 # USER_TARGETS :=
 
 LIBBPF_DIR = ../libbpf/src/
diff --git a/experiment01-tailgrow/README.org b/experiment01-tailgrow/README.org
@@ -35,3 +35,18 @@ the overhead when doing =XDP_TX=.  Selecting others BPF programs via
  sudo ./xdp_loader --dev mlx5p1 --force --prog xdp_tailgrow
  sudo ./xdp_loader --dev mlx5p1 --force --prog xdp_tailgrow_tx
 #+end_src
+
+* Methods that fail
+
+Methods for accessing access BPF packet data at XDP =data_end=.
+
+** Fail#1: Using packet length
+
+In example [[file:xdp_prog_fail1.c]], we try to use the packet length
+(calculated as =data_end - data=) to access the last byte as an offset
+added to =data=.  The verifier rejects this, as the dynamic length
+calculation cannot be used for static analysis.
+
+#+begin_src sh
+ sudo ./xdp_loader --dev mlx5p1 --force --file xdp_prog_fail1.o
+#+end_src
diff --git a/experiment01-tailgrow/xdp_prog_fail1.c b/experiment01-tailgrow/xdp_prog_fail1.c
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+/*
+ * This BPF-prog will FAIL, due to verifier rejecting it.
+ *
+ * General idea: Use packet length to find and access last byte in
+ * packet.  The verifier cannot see this is safe, as it cannot deduce
+ * the packet length at verification time.
+ */
+
+SEC("xdp_fail1")
+int _xdp_fail1(struct xdp_md *ctx)
+{
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+	unsigned char *ptr;
+	void *pos;
+
+	/* (Correct me if I'm wrong)
+	 *
+	 * The verifier cannot use this packet length calculation as
+	 * part of its static analysis.  It chooses to use zero as the
+	 * offset value static value.
+	 */
+	unsigned int offset = data_end - data;
+
+	pos = data;
+
+	if (pos + offset > data_end)
+		goto out;
+
+	/* Fails at this line with:
+	 *   "invalid access to packet, off=-1 size=1, R1(id=2,off=0,r=0)"
+	 *   "R1 offset is outside of the packet"
+	 *
+	 * Because verifer used offset==0 it thinks that we are trying
+	 * to access (data - 1), which is not within [data,data_end)
+	 */
+	ptr = pos + (offset - sizeof(*ptr));
+	if (*ptr == 0xFF)
+		return XDP_ABORTED;
+out:
+	return XDP_PASS;
+}
diff --git a/experiment01-tailgrow/xdp_prog_kern2.c b/experiment01-tailgrow/xdp_prog_kern2.c
@@ -125,33 +125,6 @@ int _xdp_test2(struct xdp_md *ctx)
 	return xdp_stats_record_action(ctx, XDP_PASS);
 }
 
-/* Invalid:
-SEC("xdp_test3")
-int _xdp_test3(struct xdp_md *ctx)
-{
-	void *data_end = (void *)(long)ctx->data_end;
-	void *data = (void *)(long)ctx->data;
-	unsigned char *ptr;
-	void *pos;
-
-	unsigned int offset = data_end - data;
-
-	if (offset < 2)
-		goto out;
-
-	pos = data;
-
-	if (pos + offset > data_end)
-		goto out;
-
-	ptr = pos + (offset - sizeof(*ptr));
-	if (*ptr == 0xFF)
-		return XDP_ABORTED;
-out:
-	return XDP_PASS;
-}
-*/
-
 /* Also invalid
 SEC("xdp_test4")
 int _xdp_test4(struct xdp_md *ctx)
