I'm trying to load an example BPF filter but I'm getting the following error:
Prog section 'classifier' rejected: Permission denied (13)!
- Type: 3
- Instructions: 58 (0 over limit)
- License: GPL
Verifier analysis:
0: (bf) r6 = r1
1: (61) r2 = *(u32 *)(r6 +80)
2: (61) r1 = *(u32 *)(r6 +76)
3: (bf) r3 = r1
4: (07) r3 += 14
5: (2d) if r3 > r2 goto pc+50
R1_w=pkt(id=0,off=0,r=14,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R10=fp0
6: (bf) r3 = r1
7: (07) r3 += 15
8: (2d) if r3 > r2 goto pc+47
R1_w=pkt(id=0,off=0,r=15,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=15,r=15,imm=0) R6_w=ctx(id=0,off=0,imm=0) R10=fp0
9: (71) r3 = *(u8 *)(r1 +13)
10: (67) r3 <<= 8
11: (71) r4 = *(u8 *)(r1 +12)
12: (4f) r3 |= r4
13: (57) r3 &= 65535
14: (55) if r3 != 0x8 goto pc+41
R1=pkt(id=0,off=0,r=15,imm=0) R2=pkt_end(id=0,off=0,imm=0) R3=inv8 R4=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6=ctx(id=0,off=0,imm=0) R10=fp0
15: (71) r3 = *(u8 *)(r1 +23)
invalid access to packet, off=23 size=1, R1(id=0,off=23,r=15)
R1 offset is outside of the packet
processed 16 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
Error fetching program/map!
Unable to load program
I'm using the following commands to compile and load:
# clang -O2 -Wall -I/usr/include/x86_64-linux-gnu -target bpf -c classifier.c -o classifier.o
# tc filter add dev wlp0s20f3 ingress bpf obj classifier.o flowid 0:
If I comment out the line trace_printk("Yes! It is HTTP!\n"); it loads. trace_printk() is a macro, I've also tried to call bpf_trace_printk() directly but with the same result.
#include <linux/if_ether.h>
#include <linux/tcp.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/bpf.h>
#include <linux/pkt_cls.h>
//#include <bpf/bpf_helpers.h>
#define SEC(NAME) __attribute__((section(NAME), used))
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define __bpf_htons(x) __builtin_bswap16(x)
#define __bpf_constant_htons(x) ___constant_swab16(x)
#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
#define __bpf_htons(x) (x)
#define __bpf_constant_htons(x) (x)
#else
#error "Fix your compiler's __BYTE_ORDER__?!"
#endif
#define bpf_htons(x) \
(__builtin_constant_p(x) ? __bpf_constant_htons(x) : __bpf_htons(x))
static long (*bpf_trace_printk)(const char *fmt, __u32 fmt_size,
...) = (void *)BPF_FUNC_trace_printk;
#define trace_printk(fmt, ...) \
do { \
char _fmt[] = fmt; \
bpf_trace_printk(_fmt, sizeof(_fmt), ##__VA_ARGS__); \
} while (0)
static inline int is_http(struct __sk_buff *skb, __u64 nh_off);
unsigned long long load_byte(void *skb,
unsigned long long off) asm("llvm.bpf.load.byte");
SEC("classifier")
static inline int classification(struct __sk_buff *skb) {
void *data_end = (void *)(long)skb->data_end;
void *data = (void *)(long)skb->data;
struct ethhdr *eth = data;
__u16 h_proto;
__u64 nh_off = 0;
nh_off = sizeof(*eth);
if (data + nh_off > data_end) {
return TC_ACT_OK;
}
h_proto = eth->h_proto;
if (h_proto == bpf_htons(ETH_P_IP)) {
if (is_http(skb, nh_off) == 1) {
trace_printk("Yes! It is HTTP!\n"); // (ERROR)
}
}
return TC_ACT_OK;
}
static inline int is_http(struct __sk_buff *skb, __u64 nh_off) {
void *data_end = (void *)(long)skb->data_end;
void *data = (void *)(long)skb->data;
struct iphdr *iph = data + nh_off;
if ((void*)iph + 1 > data_end) {
return 0;
}
if (iph->protocol != IPPROTO_TCP) {
return 0;
}
__u32 tcp_hlen = 0;
__u32 ip_hlen = 0;
__u32 poffset = 0;
__u32 plength = 0;
__u32 ip_total_length = iph->tot_len;
ip_hlen = iph->ihl << 2;
if (ip_hlen < sizeof(*iph)) {
return 0;
}
struct tcphdr *tcph = data + nh_off + sizeof(*iph);
if ((void*)tcph + 1 > data_end) {
return 0;
}
tcp_hlen = tcph->doff << 2;
poffset = ETH_HLEN + ip_hlen + tcp_hlen;
plength = ip_total_length - ip_hlen - tcp_hlen;
if (plength >= 7) {
unsigned long p[7];
int i = 0;
for (i = 0; i < 7; i++) {
p[i] = load_byte(skb, poffset + i);
}
if ((p[0] == 'H') && (p[1] == 'T') && (p[2] == 'T') && (p[3] == 'P')) {
return 1;
}
}
return 0;
}
char _license[] SEC("license") = "GPL";
trace_printk isn't actually the issue here. It just seems that way because once you comment that statement, the verifier optimizes out the call to is_http(); it's not needed anymore.
What's going on?
The verifier is rejecting your BPF program with the following error:
invalid access to packet, off=23 size=1, R1(id=0,off=23,r=15)
R1 offset is outside of the packet
That means you are trying to access the packet at offset 23 even though you only verified that it is 15 bytes long.
Where the bug?
I suspect the bug is in those lines:
if ((void*)iph + 1 > data_end) {
return 0;
}
Here, you are checking that data_end is larger or equal to iph plus one byte. We can see it in the verifier output:
3: (bf) r3 = r1
4: (07) r3 += 14
5: (2d) if r3 > r2 goto pc+50
R1_w=pkt(id=0,off=0,r=14,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R10=fp0
6: (bf) r3 = r1
7: (07) r3 += 15
8: (2d) if r3 > r2 goto pc+47
R1_w=pkt(id=0,off=0,r=15,imm=0) R2_w=pkt_end(id=0,off=0,imm=0) R3_w=pkt(id=0,off=15,r=15,imm=0) R6_w=ctx(id=0,off=0,imm=0) R10=fp0
The first comparison is for data + nh_off > data_end, the second is for (void*)iph + 1 > data_end. As you can see there's only one byte in difference.
What's the fix?
I think you want:
if ((void*)(iph + 1) > data_end) {
return 0;
}
And the same for the next packet bounds check (tcp).