Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Linux Socket Filter - Kernel level socket filtering | |
3 | * | |
bd4cf0ed AS |
4 | * Based on the design of the Berkeley Packet Filter. The new |
5 | * internal format has been designed by PLUMgrid: | |
1da177e4 | 6 | * |
bd4cf0ed AS |
7 | * Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com |
8 | * | |
9 | * Authors: | |
10 | * | |
11 | * Jay Schulist <jschlst@samba.org> | |
12 | * Alexei Starovoitov <ast@plumgrid.com> | |
13 | * Daniel Borkmann <dborkman@redhat.com> | |
1da177e4 LT |
14 | * |
15 | * This program is free software; you can redistribute it and/or | |
16 | * modify it under the terms of the GNU General Public License | |
17 | * as published by the Free Software Foundation; either version | |
18 | * 2 of the License, or (at your option) any later version. | |
19 | * | |
20 | * Andi Kleen - Fix a few bad bugs and races. | |
4df95ff4 | 21 | * Kris Katterjohn - Added many additional checks in bpf_check_classic() |
1da177e4 LT |
22 | */ |
23 | ||
24 | #include <linux/module.h> | |
25 | #include <linux/types.h> | |
1da177e4 LT |
26 | #include <linux/mm.h> |
27 | #include <linux/fcntl.h> | |
28 | #include <linux/socket.h> | |
29 | #include <linux/in.h> | |
30 | #include <linux/inet.h> | |
31 | #include <linux/netdevice.h> | |
32 | #include <linux/if_packet.h> | |
5a0e3ad6 | 33 | #include <linux/gfp.h> |
1da177e4 LT |
34 | #include <net/ip.h> |
35 | #include <net/protocol.h> | |
4738c1db | 36 | #include <net/netlink.h> |
1da177e4 LT |
37 | #include <linux/skbuff.h> |
38 | #include <net/sock.h> | |
39 | #include <linux/errno.h> | |
40 | #include <linux/timer.h> | |
1da177e4 | 41 | #include <asm/uaccess.h> |
40daafc8 | 42 | #include <asm/unaligned.h> |
1da177e4 | 43 | #include <linux/filter.h> |
86e4ca66 | 44 | #include <linux/ratelimit.h> |
46b325c7 | 45 | #include <linux/seccomp.h> |
f3335031 | 46 | #include <linux/if_vlan.h> |
1da177e4 | 47 | |
43db6d65 SH |
48 | /** |
49 | * sk_filter - run a packet through a socket filter | |
50 | * @sk: sock associated with &sk_buff | |
51 | * @skb: buffer to filter | |
43db6d65 SH |
52 | * |
53 | * Run the filter code and then cut skb->data to correct size returned by | |
54 | * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller | |
55 | * than pkt_len we keep whole skb->data. This is the socket level | |
56 | * wrapper to sk_run_filter. It returns 0 if the packet should | |
57 | * be accepted or -EPERM if the packet should be tossed. | |
58 | * | |
59 | */ | |
60 | int sk_filter(struct sock *sk, struct sk_buff *skb) | |
61 | { | |
62 | int err; | |
63 | struct sk_filter *filter; | |
64 | ||
c93bdd0e MG |
65 | /* |
66 | * If the skb was allocated from pfmemalloc reserves, only | |
67 | * allow SOCK_MEMALLOC sockets to use it as this socket is | |
68 | * helping free memory | |
69 | */ | |
70 | if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) | |
71 | return -ENOMEM; | |
72 | ||
43db6d65 SH |
73 | err = security_sock_rcv_skb(sk, skb); |
74 | if (err) | |
75 | return err; | |
76 | ||
80f8f102 ED |
77 | rcu_read_lock(); |
78 | filter = rcu_dereference(sk->sk_filter); | |
43db6d65 | 79 | if (filter) { |
0a14842f | 80 | unsigned int pkt_len = SK_RUN_FILTER(filter, skb); |
0d7da9dd | 81 | |
43db6d65 SH |
82 | err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM; |
83 | } | |
80f8f102 | 84 | rcu_read_unlock(); |
43db6d65 SH |
85 | |
86 | return err; | |
87 | } | |
88 | EXPORT_SYMBOL(sk_filter); | |
89 | ||
30743837 | 90 | static u64 __skb_get_pay_offset(u64 ctx, u64 a, u64 x, u64 r4, u64 r5) |
bd4cf0ed | 91 | { |
56193d1b | 92 | return skb_get_poff((struct sk_buff *)(unsigned long) ctx); |
bd4cf0ed AS |
93 | } |
94 | ||
30743837 | 95 | static u64 __skb_get_nlattr(u64 ctx, u64 a, u64 x, u64 r4, u64 r5) |
bd4cf0ed | 96 | { |
eb9672f4 | 97 | struct sk_buff *skb = (struct sk_buff *)(unsigned long) ctx; |
bd4cf0ed AS |
98 | struct nlattr *nla; |
99 | ||
100 | if (skb_is_nonlinear(skb)) | |
101 | return 0; | |
102 | ||
05ab8f26 MK |
103 | if (skb->len < sizeof(struct nlattr)) |
104 | return 0; | |
105 | ||
30743837 | 106 | if (a > skb->len - sizeof(struct nlattr)) |
bd4cf0ed AS |
107 | return 0; |
108 | ||
30743837 | 109 | nla = nla_find((struct nlattr *) &skb->data[a], skb->len - a, x); |
bd4cf0ed AS |
110 | if (nla) |
111 | return (void *) nla - (void *) skb->data; | |
112 | ||
113 | return 0; | |
114 | } | |
115 | ||
30743837 | 116 | static u64 __skb_get_nlattr_nest(u64 ctx, u64 a, u64 x, u64 r4, u64 r5) |
bd4cf0ed | 117 | { |
eb9672f4 | 118 | struct sk_buff *skb = (struct sk_buff *)(unsigned long) ctx; |
bd4cf0ed AS |
119 | struct nlattr *nla; |
120 | ||
121 | if (skb_is_nonlinear(skb)) | |
122 | return 0; | |
123 | ||
05ab8f26 MK |
124 | if (skb->len < sizeof(struct nlattr)) |
125 | return 0; | |
126 | ||
30743837 | 127 | if (a > skb->len - sizeof(struct nlattr)) |
bd4cf0ed AS |
128 | return 0; |
129 | ||
30743837 DB |
130 | nla = (struct nlattr *) &skb->data[a]; |
131 | if (nla->nla_len > skb->len - a) | |
bd4cf0ed AS |
132 | return 0; |
133 | ||
30743837 | 134 | nla = nla_find_nested(nla, x); |
bd4cf0ed AS |
135 | if (nla) |
136 | return (void *) nla - (void *) skb->data; | |
137 | ||
138 | return 0; | |
139 | } | |
140 | ||
30743837 | 141 | static u64 __get_raw_cpu_id(u64 ctx, u64 a, u64 x, u64 r4, u64 r5) |
bd4cf0ed AS |
142 | { |
143 | return raw_smp_processor_id(); | |
144 | } | |
145 | ||
4cd3675e | 146 | /* note that this only generates 32-bit random numbers */ |
30743837 | 147 | static u64 __get_random_u32(u64 ctx, u64 a, u64 x, u64 r4, u64 r5) |
4cd3675e | 148 | { |
eb9672f4 | 149 | return prandom_u32(); |
4cd3675e CG |
150 | } |
151 | ||
bd4cf0ed | 152 | static bool convert_bpf_extensions(struct sock_filter *fp, |
2695fb55 | 153 | struct bpf_insn **insnp) |
bd4cf0ed | 154 | { |
2695fb55 | 155 | struct bpf_insn *insn = *insnp; |
bd4cf0ed AS |
156 | |
157 | switch (fp->k) { | |
158 | case SKF_AD_OFF + SKF_AD_PROTOCOL: | |
159 | BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, protocol) != 2); | |
160 | ||
e430f34e | 161 | /* A = *(u16 *) (CTX + offsetof(protocol)) */ |
f8f6d679 DB |
162 | *insn++ = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX, |
163 | offsetof(struct sk_buff, protocol)); | |
bd4cf0ed | 164 | /* A = ntohs(A) [emitting a nop or swap16] */ |
f8f6d679 | 165 | *insn = BPF_ENDIAN(BPF_FROM_BE, BPF_REG_A, 16); |
bd4cf0ed AS |
166 | break; |
167 | ||
168 | case SKF_AD_OFF + SKF_AD_PKTTYPE: | |
233577a2 HFS |
169 | *insn++ = BPF_LDX_MEM(BPF_B, BPF_REG_A, BPF_REG_CTX, |
170 | PKT_TYPE_OFFSET()); | |
9739eef1 | 171 | *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, PKT_TYPE_MAX); |
0dcceabb AS |
172 | #ifdef __BIG_ENDIAN_BITFIELD |
173 | insn++; | |
f666f87b | 174 | *insn = BPF_ALU32_IMM(BPF_RSH, BPF_REG_A, 5); |
0dcceabb | 175 | #endif |
bd4cf0ed AS |
176 | break; |
177 | ||
178 | case SKF_AD_OFF + SKF_AD_IFINDEX: | |
179 | case SKF_AD_OFF + SKF_AD_HATYPE: | |
bd4cf0ed AS |
180 | BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4); |
181 | BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, type) != 2); | |
f8f6d679 DB |
182 | BUILD_BUG_ON(bytes_to_bpf_size(FIELD_SIZEOF(struct sk_buff, dev)) < 0); |
183 | ||
184 | *insn++ = BPF_LDX_MEM(bytes_to_bpf_size(FIELD_SIZEOF(struct sk_buff, dev)), | |
185 | BPF_REG_TMP, BPF_REG_CTX, | |
186 | offsetof(struct sk_buff, dev)); | |
187 | /* if (tmp != 0) goto pc + 1 */ | |
188 | *insn++ = BPF_JMP_IMM(BPF_JNE, BPF_REG_TMP, 0, 1); | |
189 | *insn++ = BPF_EXIT_INSN(); | |
190 | if (fp->k == SKF_AD_OFF + SKF_AD_IFINDEX) | |
191 | *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_TMP, | |
192 | offsetof(struct net_device, ifindex)); | |
193 | else | |
194 | *insn = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_TMP, | |
195 | offsetof(struct net_device, type)); | |
bd4cf0ed AS |
196 | break; |
197 | ||
198 | case SKF_AD_OFF + SKF_AD_MARK: | |
199 | BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4); | |
200 | ||
9739eef1 AS |
201 | *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX, |
202 | offsetof(struct sk_buff, mark)); | |
bd4cf0ed AS |
203 | break; |
204 | ||
205 | case SKF_AD_OFF + SKF_AD_RXHASH: | |
206 | BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, hash) != 4); | |
207 | ||
9739eef1 AS |
208 | *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX, |
209 | offsetof(struct sk_buff, hash)); | |
bd4cf0ed AS |
210 | break; |
211 | ||
212 | case SKF_AD_OFF + SKF_AD_QUEUE: | |
213 | BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, queue_mapping) != 2); | |
214 | ||
9739eef1 AS |
215 | *insn = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX, |
216 | offsetof(struct sk_buff, queue_mapping)); | |
bd4cf0ed AS |
217 | break; |
218 | ||
219 | case SKF_AD_OFF + SKF_AD_VLAN_TAG: | |
220 | case SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT: | |
221 | BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_tci) != 2); | |
bd4cf0ed AS |
222 | BUILD_BUG_ON(VLAN_TAG_PRESENT != 0x1000); |
223 | ||
e430f34e | 224 | /* A = *(u16 *) (CTX + offsetof(vlan_tci)) */ |
f8f6d679 DB |
225 | *insn++ = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX, |
226 | offsetof(struct sk_buff, vlan_tci)); | |
bd4cf0ed | 227 | if (fp->k == SKF_AD_OFF + SKF_AD_VLAN_TAG) { |
9739eef1 AS |
228 | *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, |
229 | ~VLAN_TAG_PRESENT); | |
bd4cf0ed | 230 | } else { |
9739eef1 | 231 | /* A >>= 12 */ |
f8f6d679 | 232 | *insn++ = BPF_ALU32_IMM(BPF_RSH, BPF_REG_A, 12); |
9739eef1 AS |
233 | /* A &= 1 */ |
234 | *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, 1); | |
bd4cf0ed AS |
235 | } |
236 | break; | |
237 | ||
238 | case SKF_AD_OFF + SKF_AD_PAY_OFFSET: | |
239 | case SKF_AD_OFF + SKF_AD_NLATTR: | |
240 | case SKF_AD_OFF + SKF_AD_NLATTR_NEST: | |
241 | case SKF_AD_OFF + SKF_AD_CPU: | |
4cd3675e | 242 | case SKF_AD_OFF + SKF_AD_RANDOM: |
e430f34e | 243 | /* arg1 = CTX */ |
f8f6d679 | 244 | *insn++ = BPF_MOV64_REG(BPF_REG_ARG1, BPF_REG_CTX); |
bd4cf0ed | 245 | /* arg2 = A */ |
f8f6d679 | 246 | *insn++ = BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_A); |
bd4cf0ed | 247 | /* arg3 = X */ |
f8f6d679 | 248 | *insn++ = BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_X); |
e430f34e | 249 | /* Emit call(arg1=CTX, arg2=A, arg3=X) */ |
bd4cf0ed AS |
250 | switch (fp->k) { |
251 | case SKF_AD_OFF + SKF_AD_PAY_OFFSET: | |
f8f6d679 | 252 | *insn = BPF_EMIT_CALL(__skb_get_pay_offset); |
bd4cf0ed AS |
253 | break; |
254 | case SKF_AD_OFF + SKF_AD_NLATTR: | |
f8f6d679 | 255 | *insn = BPF_EMIT_CALL(__skb_get_nlattr); |
bd4cf0ed AS |
256 | break; |
257 | case SKF_AD_OFF + SKF_AD_NLATTR_NEST: | |
f8f6d679 | 258 | *insn = BPF_EMIT_CALL(__skb_get_nlattr_nest); |
bd4cf0ed AS |
259 | break; |
260 | case SKF_AD_OFF + SKF_AD_CPU: | |
f8f6d679 | 261 | *insn = BPF_EMIT_CALL(__get_raw_cpu_id); |
bd4cf0ed | 262 | break; |
4cd3675e | 263 | case SKF_AD_OFF + SKF_AD_RANDOM: |
f8f6d679 | 264 | *insn = BPF_EMIT_CALL(__get_random_u32); |
4cd3675e | 265 | break; |
bd4cf0ed AS |
266 | } |
267 | break; | |
268 | ||
269 | case SKF_AD_OFF + SKF_AD_ALU_XOR_X: | |
9739eef1 AS |
270 | /* A ^= X */ |
271 | *insn = BPF_ALU32_REG(BPF_XOR, BPF_REG_A, BPF_REG_X); | |
bd4cf0ed AS |
272 | break; |
273 | ||
274 | default: | |
275 | /* This is just a dummy call to avoid letting the compiler | |
276 | * evict __bpf_call_base() as an optimization. Placed here | |
277 | * where no-one bothers. | |
278 | */ | |
279 | BUG_ON(__bpf_call_base(0, 0, 0, 0, 0) != 0); | |
280 | return false; | |
281 | } | |
282 | ||
283 | *insnp = insn; | |
284 | return true; | |
285 | } | |
286 | ||
287 | /** | |
8fb575ca | 288 | * bpf_convert_filter - convert filter program |
bd4cf0ed AS |
289 | * @prog: the user passed filter program |
290 | * @len: the length of the user passed filter program | |
291 | * @new_prog: buffer where converted program will be stored | |
292 | * @new_len: pointer to store length of converted program | |
293 | * | |
294 | * Remap 'sock_filter' style BPF instruction set to 'sock_filter_ext' style. | |
295 | * Conversion workflow: | |
296 | * | |
297 | * 1) First pass for calculating the new program length: | |
8fb575ca | 298 | * bpf_convert_filter(old_prog, old_len, NULL, &new_len) |
bd4cf0ed AS |
299 | * |
300 | * 2) 2nd pass to remap in two passes: 1st pass finds new | |
301 | * jump offsets, 2nd pass remapping: | |
2695fb55 | 302 | * new_prog = kmalloc(sizeof(struct bpf_insn) * new_len); |
8fb575ca | 303 | * bpf_convert_filter(old_prog, old_len, new_prog, &new_len); |
bd4cf0ed AS |
304 | * |
305 | * User BPF's register A is mapped to our BPF register 6, user BPF | |
306 | * register X is mapped to BPF register 7; frame pointer is always | |
307 | * register 10; Context 'void *ctx' is stored in register 1, that is, | |
308 | * for socket filters: ctx == 'struct sk_buff *', for seccomp: | |
309 | * ctx == 'struct seccomp_data *'. | |
310 | */ | |
8fb575ca AS |
311 | int bpf_convert_filter(struct sock_filter *prog, int len, |
312 | struct bpf_insn *new_prog, int *new_len) | |
bd4cf0ed AS |
313 | { |
314 | int new_flen = 0, pass = 0, target, i; | |
2695fb55 | 315 | struct bpf_insn *new_insn; |
bd4cf0ed AS |
316 | struct sock_filter *fp; |
317 | int *addrs = NULL; | |
318 | u8 bpf_src; | |
319 | ||
320 | BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK); | |
30743837 | 321 | BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG); |
bd4cf0ed | 322 | |
6f9a093b | 323 | if (len <= 0 || len > BPF_MAXINSNS) |
bd4cf0ed AS |
324 | return -EINVAL; |
325 | ||
326 | if (new_prog) { | |
99e72a0f | 327 | addrs = kcalloc(len, sizeof(*addrs), GFP_KERNEL); |
bd4cf0ed AS |
328 | if (!addrs) |
329 | return -ENOMEM; | |
330 | } | |
331 | ||
332 | do_pass: | |
333 | new_insn = new_prog; | |
334 | fp = prog; | |
335 | ||
f8f6d679 DB |
336 | if (new_insn) |
337 | *new_insn = BPF_MOV64_REG(BPF_REG_CTX, BPF_REG_ARG1); | |
bd4cf0ed AS |
338 | new_insn++; |
339 | ||
340 | for (i = 0; i < len; fp++, i++) { | |
2695fb55 AS |
341 | struct bpf_insn tmp_insns[6] = { }; |
342 | struct bpf_insn *insn = tmp_insns; | |
bd4cf0ed AS |
343 | |
344 | if (addrs) | |
345 | addrs[i] = new_insn - new_prog; | |
346 | ||
347 | switch (fp->code) { | |
348 | /* All arithmetic insns and skb loads map as-is. */ | |
349 | case BPF_ALU | BPF_ADD | BPF_X: | |
350 | case BPF_ALU | BPF_ADD | BPF_K: | |
351 | case BPF_ALU | BPF_SUB | BPF_X: | |
352 | case BPF_ALU | BPF_SUB | BPF_K: | |
353 | case BPF_ALU | BPF_AND | BPF_X: | |
354 | case BPF_ALU | BPF_AND | BPF_K: | |
355 | case BPF_ALU | BPF_OR | BPF_X: | |
356 | case BPF_ALU | BPF_OR | BPF_K: | |
357 | case BPF_ALU | BPF_LSH | BPF_X: | |
358 | case BPF_ALU | BPF_LSH | BPF_K: | |
359 | case BPF_ALU | BPF_RSH | BPF_X: | |
360 | case BPF_ALU | BPF_RSH | BPF_K: | |
361 | case BPF_ALU | BPF_XOR | BPF_X: | |
362 | case BPF_ALU | BPF_XOR | BPF_K: | |
363 | case BPF_ALU | BPF_MUL | BPF_X: | |
364 | case BPF_ALU | BPF_MUL | BPF_K: | |
365 | case BPF_ALU | BPF_DIV | BPF_X: | |
366 | case BPF_ALU | BPF_DIV | BPF_K: | |
367 | case BPF_ALU | BPF_MOD | BPF_X: | |
368 | case BPF_ALU | BPF_MOD | BPF_K: | |
369 | case BPF_ALU | BPF_NEG: | |
370 | case BPF_LD | BPF_ABS | BPF_W: | |
371 | case BPF_LD | BPF_ABS | BPF_H: | |
372 | case BPF_LD | BPF_ABS | BPF_B: | |
373 | case BPF_LD | BPF_IND | BPF_W: | |
374 | case BPF_LD | BPF_IND | BPF_H: | |
375 | case BPF_LD | BPF_IND | BPF_B: | |
376 | /* Check for overloaded BPF extension and | |
377 | * directly convert it if found, otherwise | |
378 | * just move on with mapping. | |
379 | */ | |
380 | if (BPF_CLASS(fp->code) == BPF_LD && | |
381 | BPF_MODE(fp->code) == BPF_ABS && | |
382 | convert_bpf_extensions(fp, &insn)) | |
383 | break; | |
384 | ||
f8f6d679 | 385 | *insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k); |
bd4cf0ed AS |
386 | break; |
387 | ||
f8f6d679 DB |
388 | /* Jump transformation cannot use BPF block macros |
389 | * everywhere as offset calculation and target updates | |
390 | * require a bit more work than the rest, i.e. jump | |
391 | * opcodes map as-is, but offsets need adjustment. | |
392 | */ | |
393 | ||
394 | #define BPF_EMIT_JMP \ | |
bd4cf0ed AS |
395 | do { \ |
396 | if (target >= len || target < 0) \ | |
397 | goto err; \ | |
398 | insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0; \ | |
399 | /* Adjust pc relative offset for 2nd or 3rd insn. */ \ | |
400 | insn->off -= insn - tmp_insns; \ | |
401 | } while (0) | |
402 | ||
f8f6d679 DB |
403 | case BPF_JMP | BPF_JA: |
404 | target = i + fp->k + 1; | |
405 | insn->code = fp->code; | |
406 | BPF_EMIT_JMP; | |
bd4cf0ed AS |
407 | break; |
408 | ||
409 | case BPF_JMP | BPF_JEQ | BPF_K: | |
410 | case BPF_JMP | BPF_JEQ | BPF_X: | |
411 | case BPF_JMP | BPF_JSET | BPF_K: | |
412 | case BPF_JMP | BPF_JSET | BPF_X: | |
413 | case BPF_JMP | BPF_JGT | BPF_K: | |
414 | case BPF_JMP | BPF_JGT | BPF_X: | |
415 | case BPF_JMP | BPF_JGE | BPF_K: | |
416 | case BPF_JMP | BPF_JGE | BPF_X: | |
417 | if (BPF_SRC(fp->code) == BPF_K && (int) fp->k < 0) { | |
418 | /* BPF immediates are signed, zero extend | |
419 | * immediate into tmp register and use it | |
420 | * in compare insn. | |
421 | */ | |
f8f6d679 | 422 | *insn++ = BPF_MOV32_IMM(BPF_REG_TMP, fp->k); |
bd4cf0ed | 423 | |
e430f34e AS |
424 | insn->dst_reg = BPF_REG_A; |
425 | insn->src_reg = BPF_REG_TMP; | |
bd4cf0ed AS |
426 | bpf_src = BPF_X; |
427 | } else { | |
e430f34e AS |
428 | insn->dst_reg = BPF_REG_A; |
429 | insn->src_reg = BPF_REG_X; | |
bd4cf0ed AS |
430 | insn->imm = fp->k; |
431 | bpf_src = BPF_SRC(fp->code); | |
1da177e4 | 432 | } |
bd4cf0ed AS |
433 | |
434 | /* Common case where 'jump_false' is next insn. */ | |
435 | if (fp->jf == 0) { | |
436 | insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src; | |
437 | target = i + fp->jt + 1; | |
f8f6d679 | 438 | BPF_EMIT_JMP; |
bd4cf0ed | 439 | break; |
1da177e4 | 440 | } |
bd4cf0ed AS |
441 | |
442 | /* Convert JEQ into JNE when 'jump_true' is next insn. */ | |
443 | if (fp->jt == 0 && BPF_OP(fp->code) == BPF_JEQ) { | |
444 | insn->code = BPF_JMP | BPF_JNE | bpf_src; | |
445 | target = i + fp->jf + 1; | |
f8f6d679 | 446 | BPF_EMIT_JMP; |
bd4cf0ed | 447 | break; |
0b05b2a4 | 448 | } |
bd4cf0ed AS |
449 | |
450 | /* Other jumps are mapped into two insns: Jxx and JA. */ | |
451 | target = i + fp->jt + 1; | |
452 | insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src; | |
f8f6d679 | 453 | BPF_EMIT_JMP; |
bd4cf0ed AS |
454 | insn++; |
455 | ||
456 | insn->code = BPF_JMP | BPF_JA; | |
457 | target = i + fp->jf + 1; | |
f8f6d679 | 458 | BPF_EMIT_JMP; |
bd4cf0ed AS |
459 | break; |
460 | ||
461 | /* ldxb 4 * ([14] & 0xf) is remaped into 6 insns. */ | |
462 | case BPF_LDX | BPF_MSH | BPF_B: | |
9739eef1 | 463 | /* tmp = A */ |
f8f6d679 | 464 | *insn++ = BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_A); |
1268e253 | 465 | /* A = BPF_R0 = *(u8 *) (skb->data + K) */ |
f8f6d679 | 466 | *insn++ = BPF_LD_ABS(BPF_B, fp->k); |
9739eef1 | 467 | /* A &= 0xf */ |
f8f6d679 | 468 | *insn++ = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, 0xf); |
9739eef1 | 469 | /* A <<= 2 */ |
f8f6d679 | 470 | *insn++ = BPF_ALU32_IMM(BPF_LSH, BPF_REG_A, 2); |
9739eef1 | 471 | /* X = A */ |
f8f6d679 | 472 | *insn++ = BPF_MOV64_REG(BPF_REG_X, BPF_REG_A); |
9739eef1 | 473 | /* A = tmp */ |
f8f6d679 | 474 | *insn = BPF_MOV64_REG(BPF_REG_A, BPF_REG_TMP); |
bd4cf0ed AS |
475 | break; |
476 | ||
477 | /* RET_K, RET_A are remaped into 2 insns. */ | |
478 | case BPF_RET | BPF_A: | |
479 | case BPF_RET | BPF_K: | |
f8f6d679 DB |
480 | *insn++ = BPF_MOV32_RAW(BPF_RVAL(fp->code) == BPF_K ? |
481 | BPF_K : BPF_X, BPF_REG_0, | |
482 | BPF_REG_A, fp->k); | |
9739eef1 | 483 | *insn = BPF_EXIT_INSN(); |
bd4cf0ed AS |
484 | break; |
485 | ||
486 | /* Store to stack. */ | |
487 | case BPF_ST: | |
488 | case BPF_STX: | |
f8f6d679 DB |
489 | *insn = BPF_STX_MEM(BPF_W, BPF_REG_FP, BPF_CLASS(fp->code) == |
490 | BPF_ST ? BPF_REG_A : BPF_REG_X, | |
491 | -(BPF_MEMWORDS - fp->k) * 4); | |
bd4cf0ed AS |
492 | break; |
493 | ||
494 | /* Load from stack. */ | |
495 | case BPF_LD | BPF_MEM: | |
496 | case BPF_LDX | BPF_MEM: | |
f8f6d679 DB |
497 | *insn = BPF_LDX_MEM(BPF_W, BPF_CLASS(fp->code) == BPF_LD ? |
498 | BPF_REG_A : BPF_REG_X, BPF_REG_FP, | |
499 | -(BPF_MEMWORDS - fp->k) * 4); | |
bd4cf0ed AS |
500 | break; |
501 | ||
502 | /* A = K or X = K */ | |
503 | case BPF_LD | BPF_IMM: | |
504 | case BPF_LDX | BPF_IMM: | |
f8f6d679 DB |
505 | *insn = BPF_MOV32_IMM(BPF_CLASS(fp->code) == BPF_LD ? |
506 | BPF_REG_A : BPF_REG_X, fp->k); | |
bd4cf0ed AS |
507 | break; |
508 | ||
509 | /* X = A */ | |
510 | case BPF_MISC | BPF_TAX: | |
f8f6d679 | 511 | *insn = BPF_MOV64_REG(BPF_REG_X, BPF_REG_A); |
bd4cf0ed AS |
512 | break; |
513 | ||
514 | /* A = X */ | |
515 | case BPF_MISC | BPF_TXA: | |
f8f6d679 | 516 | *insn = BPF_MOV64_REG(BPF_REG_A, BPF_REG_X); |
bd4cf0ed AS |
517 | break; |
518 | ||
519 | /* A = skb->len or X = skb->len */ | |
520 | case BPF_LD | BPF_W | BPF_LEN: | |
521 | case BPF_LDX | BPF_W | BPF_LEN: | |
f8f6d679 DB |
522 | *insn = BPF_LDX_MEM(BPF_W, BPF_CLASS(fp->code) == BPF_LD ? |
523 | BPF_REG_A : BPF_REG_X, BPF_REG_CTX, | |
524 | offsetof(struct sk_buff, len)); | |
bd4cf0ed AS |
525 | break; |
526 | ||
f8f6d679 | 527 | /* Access seccomp_data fields. */ |
bd4cf0ed | 528 | case BPF_LDX | BPF_ABS | BPF_W: |
9739eef1 AS |
529 | /* A = *(u32 *) (ctx + K) */ |
530 | *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX, fp->k); | |
bd4cf0ed AS |
531 | break; |
532 | ||
f8f6d679 | 533 | /* Unkown instruction. */ |
1da177e4 | 534 | default: |
bd4cf0ed | 535 | goto err; |
1da177e4 | 536 | } |
bd4cf0ed AS |
537 | |
538 | insn++; | |
539 | if (new_prog) | |
540 | memcpy(new_insn, tmp_insns, | |
541 | sizeof(*insn) * (insn - tmp_insns)); | |
bd4cf0ed | 542 | new_insn += insn - tmp_insns; |
1da177e4 LT |
543 | } |
544 | ||
bd4cf0ed AS |
545 | if (!new_prog) { |
546 | /* Only calculating new length. */ | |
547 | *new_len = new_insn - new_prog; | |
548 | return 0; | |
549 | } | |
550 | ||
551 | pass++; | |
552 | if (new_flen != new_insn - new_prog) { | |
553 | new_flen = new_insn - new_prog; | |
554 | if (pass > 2) | |
555 | goto err; | |
bd4cf0ed AS |
556 | goto do_pass; |
557 | } | |
558 | ||
559 | kfree(addrs); | |
560 | BUG_ON(*new_len != new_flen); | |
1da177e4 | 561 | return 0; |
bd4cf0ed AS |
562 | err: |
563 | kfree(addrs); | |
564 | return -EINVAL; | |
1da177e4 LT |
565 | } |
566 | ||
bd4cf0ed AS |
567 | /* Security: |
568 | * | |
2d5311e4 | 569 | * A BPF program is able to use 16 cells of memory to store intermediate |
bd4cf0ed AS |
570 | * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter()). |
571 | * | |
2d5311e4 ED |
572 | * As we dont want to clear mem[] array for each packet going through |
573 | * sk_run_filter(), we check that filter loaded by user never try to read | |
574 | * a cell if not previously written, and we check all branches to be sure | |
25985edc | 575 | * a malicious user doesn't try to abuse us. |
2d5311e4 | 576 | */ |
ec31a05c | 577 | static int check_load_and_stores(const struct sock_filter *filter, int flen) |
2d5311e4 | 578 | { |
34805931 | 579 | u16 *masks, memvalid = 0; /* One bit per cell, 16 cells */ |
2d5311e4 ED |
580 | int pc, ret = 0; |
581 | ||
582 | BUILD_BUG_ON(BPF_MEMWORDS > 16); | |
34805931 | 583 | |
99e72a0f | 584 | masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL); |
2d5311e4 ED |
585 | if (!masks) |
586 | return -ENOMEM; | |
34805931 | 587 | |
2d5311e4 ED |
588 | memset(masks, 0xff, flen * sizeof(*masks)); |
589 | ||
590 | for (pc = 0; pc < flen; pc++) { | |
591 | memvalid &= masks[pc]; | |
592 | ||
593 | switch (filter[pc].code) { | |
34805931 DB |
594 | case BPF_ST: |
595 | case BPF_STX: | |
2d5311e4 ED |
596 | memvalid |= (1 << filter[pc].k); |
597 | break; | |
34805931 DB |
598 | case BPF_LD | BPF_MEM: |
599 | case BPF_LDX | BPF_MEM: | |
2d5311e4 ED |
600 | if (!(memvalid & (1 << filter[pc].k))) { |
601 | ret = -EINVAL; | |
602 | goto error; | |
603 | } | |
604 | break; | |
34805931 DB |
605 | case BPF_JMP | BPF_JA: |
606 | /* A jump must set masks on target */ | |
2d5311e4 ED |
607 | masks[pc + 1 + filter[pc].k] &= memvalid; |
608 | memvalid = ~0; | |
609 | break; | |
34805931 DB |
610 | case BPF_JMP | BPF_JEQ | BPF_K: |
611 | case BPF_JMP | BPF_JEQ | BPF_X: | |
612 | case BPF_JMP | BPF_JGE | BPF_K: | |
613 | case BPF_JMP | BPF_JGE | BPF_X: | |
614 | case BPF_JMP | BPF_JGT | BPF_K: | |
615 | case BPF_JMP | BPF_JGT | BPF_X: | |
616 | case BPF_JMP | BPF_JSET | BPF_K: | |
617 | case BPF_JMP | BPF_JSET | BPF_X: | |
618 | /* A jump must set masks on targets */ | |
2d5311e4 ED |
619 | masks[pc + 1 + filter[pc].jt] &= memvalid; |
620 | masks[pc + 1 + filter[pc].jf] &= memvalid; | |
621 | memvalid = ~0; | |
622 | break; | |
623 | } | |
624 | } | |
625 | error: | |
626 | kfree(masks); | |
627 | return ret; | |
628 | } | |
629 | ||
34805931 DB |
630 | static bool chk_code_allowed(u16 code_to_probe) |
631 | { | |
632 | static const bool codes[] = { | |
633 | /* 32 bit ALU operations */ | |
634 | [BPF_ALU | BPF_ADD | BPF_K] = true, | |
635 | [BPF_ALU | BPF_ADD | BPF_X] = true, | |
636 | [BPF_ALU | BPF_SUB | BPF_K] = true, | |
637 | [BPF_ALU | BPF_SUB | BPF_X] = true, | |
638 | [BPF_ALU | BPF_MUL | BPF_K] = true, | |
639 | [BPF_ALU | BPF_MUL | BPF_X] = true, | |
640 | [BPF_ALU | BPF_DIV | BPF_K] = true, | |
641 | [BPF_ALU | BPF_DIV | BPF_X] = true, | |
642 | [BPF_ALU | BPF_MOD | BPF_K] = true, | |
643 | [BPF_ALU | BPF_MOD | BPF_X] = true, | |
644 | [BPF_ALU | BPF_AND | BPF_K] = true, | |
645 | [BPF_ALU | BPF_AND | BPF_X] = true, | |
646 | [BPF_ALU | BPF_OR | BPF_K] = true, | |
647 | [BPF_ALU | BPF_OR | BPF_X] = true, | |
648 | [BPF_ALU | BPF_XOR | BPF_K] = true, | |
649 | [BPF_ALU | BPF_XOR | BPF_X] = true, | |
650 | [BPF_ALU | BPF_LSH | BPF_K] = true, | |
651 | [BPF_ALU | BPF_LSH | BPF_X] = true, | |
652 | [BPF_ALU | BPF_RSH | BPF_K] = true, | |
653 | [BPF_ALU | BPF_RSH | BPF_X] = true, | |
654 | [BPF_ALU | BPF_NEG] = true, | |
655 | /* Load instructions */ | |
656 | [BPF_LD | BPF_W | BPF_ABS] = true, | |
657 | [BPF_LD | BPF_H | BPF_ABS] = true, | |
658 | [BPF_LD | BPF_B | BPF_ABS] = true, | |
659 | [BPF_LD | BPF_W | BPF_LEN] = true, | |
660 | [BPF_LD | BPF_W | BPF_IND] = true, | |
661 | [BPF_LD | BPF_H | BPF_IND] = true, | |
662 | [BPF_LD | BPF_B | BPF_IND] = true, | |
663 | [BPF_LD | BPF_IMM] = true, | |
664 | [BPF_LD | BPF_MEM] = true, | |
665 | [BPF_LDX | BPF_W | BPF_LEN] = true, | |
666 | [BPF_LDX | BPF_B | BPF_MSH] = true, | |
667 | [BPF_LDX | BPF_IMM] = true, | |
668 | [BPF_LDX | BPF_MEM] = true, | |
669 | /* Store instructions */ | |
670 | [BPF_ST] = true, | |
671 | [BPF_STX] = true, | |
672 | /* Misc instructions */ | |
673 | [BPF_MISC | BPF_TAX] = true, | |
674 | [BPF_MISC | BPF_TXA] = true, | |
675 | /* Return instructions */ | |
676 | [BPF_RET | BPF_K] = true, | |
677 | [BPF_RET | BPF_A] = true, | |
678 | /* Jump instructions */ | |
679 | [BPF_JMP | BPF_JA] = true, | |
680 | [BPF_JMP | BPF_JEQ | BPF_K] = true, | |
681 | [BPF_JMP | BPF_JEQ | BPF_X] = true, | |
682 | [BPF_JMP | BPF_JGE | BPF_K] = true, | |
683 | [BPF_JMP | BPF_JGE | BPF_X] = true, | |
684 | [BPF_JMP | BPF_JGT | BPF_K] = true, | |
685 | [BPF_JMP | BPF_JGT | BPF_X] = true, | |
686 | [BPF_JMP | BPF_JSET | BPF_K] = true, | |
687 | [BPF_JMP | BPF_JSET | BPF_X] = true, | |
688 | }; | |
689 | ||
690 | if (code_to_probe >= ARRAY_SIZE(codes)) | |
691 | return false; | |
692 | ||
693 | return codes[code_to_probe]; | |
694 | } | |
695 | ||
1da177e4 | 696 | /** |
4df95ff4 | 697 | * bpf_check_classic - verify socket filter code |
1da177e4 LT |
698 | * @filter: filter to verify |
699 | * @flen: length of filter | |
700 | * | |
701 | * Check the user's filter code. If we let some ugly | |
702 | * filter code slip through kaboom! The filter must contain | |
93699863 KK |
703 | * no references or jumps that are out of range, no illegal |
704 | * instructions, and must end with a RET instruction. | |
1da177e4 | 705 | * |
7b11f69f KK |
706 | * All jumps are forward as they are not signed. |
707 | * | |
708 | * Returns 0 if the rule set is legal or -EINVAL if not. | |
1da177e4 | 709 | */ |
4df95ff4 | 710 | int bpf_check_classic(const struct sock_filter *filter, unsigned int flen) |
1da177e4 | 711 | { |
aa1113d9 | 712 | bool anc_found; |
34805931 | 713 | int pc; |
1da177e4 | 714 | |
1b93ae64 | 715 | if (flen == 0 || flen > BPF_MAXINSNS) |
1da177e4 LT |
716 | return -EINVAL; |
717 | ||
34805931 | 718 | /* Check the filter code now */ |
1da177e4 | 719 | for (pc = 0; pc < flen; pc++) { |
ec31a05c | 720 | const struct sock_filter *ftest = &filter[pc]; |
93699863 | 721 | |
34805931 DB |
722 | /* May we actually operate on this code? */ |
723 | if (!chk_code_allowed(ftest->code)) | |
cba328fc | 724 | return -EINVAL; |
34805931 | 725 | |
93699863 | 726 | /* Some instructions need special checks */ |
34805931 DB |
727 | switch (ftest->code) { |
728 | case BPF_ALU | BPF_DIV | BPF_K: | |
729 | case BPF_ALU | BPF_MOD | BPF_K: | |
730 | /* Check for division by zero */ | |
b6069a95 ED |
731 | if (ftest->k == 0) |
732 | return -EINVAL; | |
733 | break; | |
34805931 DB |
734 | case BPF_LD | BPF_MEM: |
735 | case BPF_LDX | BPF_MEM: | |
736 | case BPF_ST: | |
737 | case BPF_STX: | |
738 | /* Check for invalid memory addresses */ | |
93699863 KK |
739 | if (ftest->k >= BPF_MEMWORDS) |
740 | return -EINVAL; | |
741 | break; | |
34805931 DB |
742 | case BPF_JMP | BPF_JA: |
743 | /* Note, the large ftest->k might cause loops. | |
93699863 KK |
744 | * Compare this with conditional jumps below, |
745 | * where offsets are limited. --ANK (981016) | |
746 | */ | |
34805931 | 747 | if (ftest->k >= (unsigned int)(flen - pc - 1)) |
93699863 | 748 | return -EINVAL; |
01f2f3f6 | 749 | break; |
34805931 DB |
750 | case BPF_JMP | BPF_JEQ | BPF_K: |
751 | case BPF_JMP | BPF_JEQ | BPF_X: | |
752 | case BPF_JMP | BPF_JGE | BPF_K: | |
753 | case BPF_JMP | BPF_JGE | BPF_X: | |
754 | case BPF_JMP | BPF_JGT | BPF_K: | |
755 | case BPF_JMP | BPF_JGT | BPF_X: | |
756 | case BPF_JMP | BPF_JSET | BPF_K: | |
757 | case BPF_JMP | BPF_JSET | BPF_X: | |
758 | /* Both conditionals must be safe */ | |
e35bedf3 | 759 | if (pc + ftest->jt + 1 >= flen || |
93699863 KK |
760 | pc + ftest->jf + 1 >= flen) |
761 | return -EINVAL; | |
cba328fc | 762 | break; |
34805931 DB |
763 | case BPF_LD | BPF_W | BPF_ABS: |
764 | case BPF_LD | BPF_H | BPF_ABS: | |
765 | case BPF_LD | BPF_B | BPF_ABS: | |
aa1113d9 | 766 | anc_found = false; |
34805931 DB |
767 | if (bpf_anc_helper(ftest) & BPF_ANC) |
768 | anc_found = true; | |
769 | /* Ancillary operation unknown or unsupported */ | |
aa1113d9 DB |
770 | if (anc_found == false && ftest->k >= SKF_AD_OFF) |
771 | return -EINVAL; | |
01f2f3f6 HPP |
772 | } |
773 | } | |
93699863 | 774 | |
34805931 | 775 | /* Last instruction must be a RET code */ |
01f2f3f6 | 776 | switch (filter[flen - 1].code) { |
34805931 DB |
777 | case BPF_RET | BPF_K: |
778 | case BPF_RET | BPF_A: | |
2d5311e4 | 779 | return check_load_and_stores(filter, flen); |
cba328fc | 780 | } |
34805931 | 781 | |
cba328fc | 782 | return -EINVAL; |
1da177e4 | 783 | } |
4df95ff4 | 784 | EXPORT_SYMBOL(bpf_check_classic); |
1da177e4 | 785 | |
7ae457c1 AS |
786 | static int bpf_prog_store_orig_filter(struct bpf_prog *fp, |
787 | const struct sock_fprog *fprog) | |
a3ea269b | 788 | { |
009937e7 | 789 | unsigned int fsize = bpf_classic_proglen(fprog); |
a3ea269b DB |
790 | struct sock_fprog_kern *fkprog; |
791 | ||
792 | fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL); | |
793 | if (!fp->orig_prog) | |
794 | return -ENOMEM; | |
795 | ||
796 | fkprog = fp->orig_prog; | |
797 | fkprog->len = fprog->len; | |
798 | fkprog->filter = kmemdup(fp->insns, fsize, GFP_KERNEL); | |
799 | if (!fkprog->filter) { | |
800 | kfree(fp->orig_prog); | |
801 | return -ENOMEM; | |
802 | } | |
803 | ||
804 | return 0; | |
805 | } | |
806 | ||
7ae457c1 | 807 | static void bpf_release_orig_filter(struct bpf_prog *fp) |
a3ea269b DB |
808 | { |
809 | struct sock_fprog_kern *fprog = fp->orig_prog; | |
810 | ||
811 | if (fprog) { | |
812 | kfree(fprog->filter); | |
813 | kfree(fprog); | |
814 | } | |
815 | } | |
816 | ||
7ae457c1 AS |
817 | static void __bpf_prog_release(struct bpf_prog *prog) |
818 | { | |
819 | bpf_release_orig_filter(prog); | |
820 | bpf_prog_free(prog); | |
821 | } | |
822 | ||
34c5bd66 PN |
823 | static void __sk_filter_release(struct sk_filter *fp) |
824 | { | |
7ae457c1 AS |
825 | __bpf_prog_release(fp->prog); |
826 | kfree(fp); | |
34c5bd66 PN |
827 | } |
828 | ||
47e958ea | 829 | /** |
46bcf14f | 830 | * sk_filter_release_rcu - Release a socket filter by rcu_head |
47e958ea PE |
831 | * @rcu: rcu_head that contains the sk_filter to free |
832 | */ | |
fbc907f0 | 833 | static void sk_filter_release_rcu(struct rcu_head *rcu) |
47e958ea PE |
834 | { |
835 | struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); | |
836 | ||
34c5bd66 | 837 | __sk_filter_release(fp); |
47e958ea | 838 | } |
fbc907f0 DB |
839 | |
840 | /** | |
841 | * sk_filter_release - release a socket filter | |
842 | * @fp: filter to remove | |
843 | * | |
844 | * Remove a filter from a socket and release its resources. | |
845 | */ | |
846 | static void sk_filter_release(struct sk_filter *fp) | |
847 | { | |
848 | if (atomic_dec_and_test(&fp->refcnt)) | |
849 | call_rcu(&fp->rcu, sk_filter_release_rcu); | |
850 | } | |
851 | ||
852 | void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp) | |
853 | { | |
7ae457c1 | 854 | u32 filter_size = bpf_prog_size(fp->prog->len); |
fbc907f0 | 855 | |
278571ba AS |
856 | atomic_sub(filter_size, &sk->sk_omem_alloc); |
857 | sk_filter_release(fp); | |
fbc907f0 | 858 | } |
47e958ea | 859 | |
278571ba AS |
860 | /* try to charge the socket memory if there is space available |
861 | * return true on success | |
862 | */ | |
863 | bool sk_filter_charge(struct sock *sk, struct sk_filter *fp) | |
bd4cf0ed | 864 | { |
7ae457c1 | 865 | u32 filter_size = bpf_prog_size(fp->prog->len); |
278571ba AS |
866 | |
867 | /* same check as in sock_kmalloc() */ | |
868 | if (filter_size <= sysctl_optmem_max && | |
869 | atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) { | |
870 | atomic_inc(&fp->refcnt); | |
871 | atomic_add(filter_size, &sk->sk_omem_alloc); | |
872 | return true; | |
bd4cf0ed | 873 | } |
278571ba | 874 | return false; |
bd4cf0ed AS |
875 | } |
876 | ||
7ae457c1 | 877 | static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp) |
bd4cf0ed AS |
878 | { |
879 | struct sock_filter *old_prog; | |
7ae457c1 | 880 | struct bpf_prog *old_fp; |
34805931 | 881 | int err, new_len, old_len = fp->len; |
bd4cf0ed AS |
882 | |
883 | /* We are free to overwrite insns et al right here as it | |
884 | * won't be used at this point in time anymore internally | |
885 | * after the migration to the internal BPF instruction | |
886 | * representation. | |
887 | */ | |
888 | BUILD_BUG_ON(sizeof(struct sock_filter) != | |
2695fb55 | 889 | sizeof(struct bpf_insn)); |
bd4cf0ed | 890 | |
bd4cf0ed AS |
891 | /* Conversion cannot happen on overlapping memory areas, |
892 | * so we need to keep the user BPF around until the 2nd | |
893 | * pass. At this time, the user BPF is stored in fp->insns. | |
894 | */ | |
895 | old_prog = kmemdup(fp->insns, old_len * sizeof(struct sock_filter), | |
896 | GFP_KERNEL); | |
897 | if (!old_prog) { | |
898 | err = -ENOMEM; | |
899 | goto out_err; | |
900 | } | |
901 | ||
902 | /* 1st pass: calculate the new program length. */ | |
8fb575ca | 903 | err = bpf_convert_filter(old_prog, old_len, NULL, &new_len); |
bd4cf0ed AS |
904 | if (err) |
905 | goto out_err_free; | |
906 | ||
907 | /* Expand fp for appending the new filter representation. */ | |
908 | old_fp = fp; | |
60a3b225 | 909 | fp = bpf_prog_realloc(old_fp, bpf_prog_size(new_len), 0); |
bd4cf0ed AS |
910 | if (!fp) { |
911 | /* The old_fp is still around in case we couldn't | |
912 | * allocate new memory, so uncharge on that one. | |
913 | */ | |
914 | fp = old_fp; | |
915 | err = -ENOMEM; | |
916 | goto out_err_free; | |
917 | } | |
918 | ||
bd4cf0ed AS |
919 | fp->len = new_len; |
920 | ||
2695fb55 | 921 | /* 2nd pass: remap sock_filter insns into bpf_insn insns. */ |
8fb575ca | 922 | err = bpf_convert_filter(old_prog, old_len, fp->insnsi, &new_len); |
bd4cf0ed | 923 | if (err) |
8fb575ca | 924 | /* 2nd bpf_convert_filter() can fail only if it fails |
bd4cf0ed AS |
925 | * to allocate memory, remapping must succeed. Note, |
926 | * that at this time old_fp has already been released | |
278571ba | 927 | * by krealloc(). |
bd4cf0ed AS |
928 | */ |
929 | goto out_err_free; | |
930 | ||
7ae457c1 | 931 | bpf_prog_select_runtime(fp); |
5fe821a9 | 932 | |
bd4cf0ed AS |
933 | kfree(old_prog); |
934 | return fp; | |
935 | ||
936 | out_err_free: | |
937 | kfree(old_prog); | |
938 | out_err: | |
7ae457c1 | 939 | __bpf_prog_release(fp); |
bd4cf0ed AS |
940 | return ERR_PTR(err); |
941 | } | |
942 | ||
7ae457c1 | 943 | static struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp) |
302d6637 JP |
944 | { |
945 | int err; | |
946 | ||
bd4cf0ed | 947 | fp->bpf_func = NULL; |
286aad3c | 948 | fp->jited = false; |
302d6637 | 949 | |
4df95ff4 | 950 | err = bpf_check_classic(fp->insns, fp->len); |
418c96ac | 951 | if (err) { |
7ae457c1 | 952 | __bpf_prog_release(fp); |
bd4cf0ed | 953 | return ERR_PTR(err); |
418c96ac | 954 | } |
302d6637 | 955 | |
bd4cf0ed AS |
956 | /* Probe if we can JIT compile the filter and if so, do |
957 | * the compilation of the filter. | |
958 | */ | |
302d6637 | 959 | bpf_jit_compile(fp); |
bd4cf0ed AS |
960 | |
961 | /* JIT compiler couldn't process this filter, so do the | |
962 | * internal BPF translation for the optimized interpreter. | |
963 | */ | |
5fe821a9 | 964 | if (!fp->jited) |
7ae457c1 | 965 | fp = bpf_migrate_filter(fp); |
bd4cf0ed AS |
966 | |
967 | return fp; | |
302d6637 JP |
968 | } |
969 | ||
970 | /** | |
7ae457c1 | 971 | * bpf_prog_create - create an unattached filter |
c6c4b97c | 972 | * @pfp: the unattached filter that is created |
677a9fd3 | 973 | * @fprog: the filter program |
302d6637 | 974 | * |
c6c4b97c | 975 | * Create a filter independent of any socket. We first run some |
302d6637 JP |
976 | * sanity checks on it to make sure it does not explode on us later. |
977 | * If an error occurs or there is insufficient memory for the filter | |
978 | * a negative errno code is returned. On success the return is zero. | |
979 | */ | |
7ae457c1 | 980 | int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog) |
302d6637 | 981 | { |
009937e7 | 982 | unsigned int fsize = bpf_classic_proglen(fprog); |
7ae457c1 | 983 | struct bpf_prog *fp; |
302d6637 JP |
984 | |
985 | /* Make sure new filter is there and in the right amounts. */ | |
986 | if (fprog->filter == NULL) | |
987 | return -EINVAL; | |
988 | ||
60a3b225 | 989 | fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0); |
302d6637 JP |
990 | if (!fp) |
991 | return -ENOMEM; | |
a3ea269b | 992 | |
302d6637 JP |
993 | memcpy(fp->insns, fprog->filter, fsize); |
994 | ||
302d6637 | 995 | fp->len = fprog->len; |
a3ea269b DB |
996 | /* Since unattached filters are not copied back to user |
997 | * space through sk_get_filter(), we do not need to hold | |
998 | * a copy here, and can spare us the work. | |
999 | */ | |
1000 | fp->orig_prog = NULL; | |
302d6637 | 1001 | |
7ae457c1 | 1002 | /* bpf_prepare_filter() already takes care of freeing |
bd4cf0ed AS |
1003 | * memory in case something goes wrong. |
1004 | */ | |
7ae457c1 | 1005 | fp = bpf_prepare_filter(fp); |
bd4cf0ed AS |
1006 | if (IS_ERR(fp)) |
1007 | return PTR_ERR(fp); | |
302d6637 JP |
1008 | |
1009 | *pfp = fp; | |
1010 | return 0; | |
302d6637 | 1011 | } |
7ae457c1 | 1012 | EXPORT_SYMBOL_GPL(bpf_prog_create); |
302d6637 | 1013 | |
7ae457c1 | 1014 | void bpf_prog_destroy(struct bpf_prog *fp) |
302d6637 | 1015 | { |
7ae457c1 | 1016 | __bpf_prog_release(fp); |
302d6637 | 1017 | } |
7ae457c1 | 1018 | EXPORT_SYMBOL_GPL(bpf_prog_destroy); |
302d6637 | 1019 | |
1da177e4 LT |
1020 | /** |
1021 | * sk_attach_filter - attach a socket filter | |
1022 | * @fprog: the filter program | |
1023 | * @sk: the socket to use | |
1024 | * | |
1025 | * Attach the user's filter code. We first run some sanity checks on | |
1026 | * it to make sure it does not explode on us later. If an error | |
1027 | * occurs or there is insufficient memory for the filter a negative | |
1028 | * errno code is returned. On success the return is zero. | |
1029 | */ | |
1030 | int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk) | |
1031 | { | |
d3904b73 | 1032 | struct sk_filter *fp, *old_fp; |
009937e7 | 1033 | unsigned int fsize = bpf_classic_proglen(fprog); |
7ae457c1 AS |
1034 | unsigned int bpf_fsize = bpf_prog_size(fprog->len); |
1035 | struct bpf_prog *prog; | |
1da177e4 LT |
1036 | int err; |
1037 | ||
d59577b6 VB |
1038 | if (sock_flag(sk, SOCK_FILTER_LOCKED)) |
1039 | return -EPERM; | |
1040 | ||
1da177e4 | 1041 | /* Make sure new filter is there and in the right amounts. */ |
e35bedf3 KK |
1042 | if (fprog->filter == NULL) |
1043 | return -EINVAL; | |
1da177e4 | 1044 | |
60a3b225 | 1045 | prog = bpf_prog_alloc(bpf_fsize, 0); |
7ae457c1 | 1046 | if (!prog) |
1da177e4 | 1047 | return -ENOMEM; |
a3ea269b | 1048 | |
7ae457c1 AS |
1049 | if (copy_from_user(prog->insns, fprog->filter, fsize)) { |
1050 | kfree(prog); | |
1da177e4 LT |
1051 | return -EFAULT; |
1052 | } | |
1053 | ||
7ae457c1 | 1054 | prog->len = fprog->len; |
1da177e4 | 1055 | |
7ae457c1 | 1056 | err = bpf_prog_store_orig_filter(prog, fprog); |
a3ea269b | 1057 | if (err) { |
7ae457c1 | 1058 | kfree(prog); |
a3ea269b DB |
1059 | return -ENOMEM; |
1060 | } | |
1061 | ||
7ae457c1 | 1062 | /* bpf_prepare_filter() already takes care of freeing |
bd4cf0ed AS |
1063 | * memory in case something goes wrong. |
1064 | */ | |
7ae457c1 AS |
1065 | prog = bpf_prepare_filter(prog); |
1066 | if (IS_ERR(prog)) | |
1067 | return PTR_ERR(prog); | |
1068 | ||
1069 | fp = kmalloc(sizeof(*fp), GFP_KERNEL); | |
1070 | if (!fp) { | |
1071 | __bpf_prog_release(prog); | |
1072 | return -ENOMEM; | |
1073 | } | |
1074 | fp->prog = prog; | |
1da177e4 | 1075 | |
278571ba AS |
1076 | atomic_set(&fp->refcnt, 0); |
1077 | ||
1078 | if (!sk_filter_charge(sk, fp)) { | |
1079 | __sk_filter_release(fp); | |
1080 | return -ENOMEM; | |
1081 | } | |
1082 | ||
f91ff5b9 ED |
1083 | old_fp = rcu_dereference_protected(sk->sk_filter, |
1084 | sock_owned_by_user(sk)); | |
d3904b73 | 1085 | rcu_assign_pointer(sk->sk_filter, fp); |
d3904b73 | 1086 | |
9b013e05 | 1087 | if (old_fp) |
46bcf14f | 1088 | sk_filter_uncharge(sk, old_fp); |
a3ea269b | 1089 | |
d3904b73 | 1090 | return 0; |
1da177e4 | 1091 | } |
5ff3f073 | 1092 | EXPORT_SYMBOL_GPL(sk_attach_filter); |
1da177e4 | 1093 | |
55b33325 PE |
1094 | int sk_detach_filter(struct sock *sk) |
1095 | { | |
1096 | int ret = -ENOENT; | |
1097 | struct sk_filter *filter; | |
1098 | ||
d59577b6 VB |
1099 | if (sock_flag(sk, SOCK_FILTER_LOCKED)) |
1100 | return -EPERM; | |
1101 | ||
f91ff5b9 ED |
1102 | filter = rcu_dereference_protected(sk->sk_filter, |
1103 | sock_owned_by_user(sk)); | |
55b33325 | 1104 | if (filter) { |
a9b3cd7f | 1105 | RCU_INIT_POINTER(sk->sk_filter, NULL); |
46bcf14f | 1106 | sk_filter_uncharge(sk, filter); |
55b33325 PE |
1107 | ret = 0; |
1108 | } | |
a3ea269b | 1109 | |
55b33325 PE |
1110 | return ret; |
1111 | } | |
5ff3f073 | 1112 | EXPORT_SYMBOL_GPL(sk_detach_filter); |
a8fc9277 | 1113 | |
a3ea269b DB |
1114 | int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf, |
1115 | unsigned int len) | |
a8fc9277 | 1116 | { |
a3ea269b | 1117 | struct sock_fprog_kern *fprog; |
a8fc9277 | 1118 | struct sk_filter *filter; |
a3ea269b | 1119 | int ret = 0; |
a8fc9277 PE |
1120 | |
1121 | lock_sock(sk); | |
1122 | filter = rcu_dereference_protected(sk->sk_filter, | |
a3ea269b | 1123 | sock_owned_by_user(sk)); |
a8fc9277 PE |
1124 | if (!filter) |
1125 | goto out; | |
a3ea269b DB |
1126 | |
1127 | /* We're copying the filter that has been originally attached, | |
1128 | * so no conversion/decode needed anymore. | |
1129 | */ | |
7ae457c1 | 1130 | fprog = filter->prog->orig_prog; |
a3ea269b DB |
1131 | |
1132 | ret = fprog->len; | |
a8fc9277 | 1133 | if (!len) |
a3ea269b | 1134 | /* User space only enquires number of filter blocks. */ |
a8fc9277 | 1135 | goto out; |
a3ea269b | 1136 | |
a8fc9277 | 1137 | ret = -EINVAL; |
a3ea269b | 1138 | if (len < fprog->len) |
a8fc9277 PE |
1139 | goto out; |
1140 | ||
1141 | ret = -EFAULT; | |
009937e7 | 1142 | if (copy_to_user(ubuf, fprog->filter, bpf_classic_proglen(fprog))) |
a3ea269b | 1143 | goto out; |
a8fc9277 | 1144 | |
a3ea269b DB |
1145 | /* Instead of bytes, the API requests to return the number |
1146 | * of filter blocks. | |
1147 | */ | |
1148 | ret = fprog->len; | |
a8fc9277 PE |
1149 | out: |
1150 | release_sock(sk); | |
1151 | return ret; | |
1152 | } |