1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19#include <linux/module.h>
20#include <linux/types.h>
21#include <linux/mm.h>
22#include <linux/fcntl.h>
23#include <linux/socket.h>
24#include <linux/in.h>
25#include <linux/inet.h>
26#include <linux/netdevice.h>
27#include <linux/if_packet.h>
28#include <linux/gfp.h>
29#include <net/ip.h>
30#include <net/protocol.h>
31#include <net/netlink.h>
32#include <linux/skbuff.h>
33#include <net/sock.h>
34#include <linux/errno.h>
35#include <linux/timer.h>
36#include <asm/system.h>
37#include <asm/uaccess.h>
38#include <asm/unaligned.h>
39#include <linux/filter.h>
40#include <linux/reciprocal_div.h>
41
42enum {
43 BPF_S_RET_K = 1,
44 BPF_S_RET_A,
45 BPF_S_ALU_ADD_K,
46 BPF_S_ALU_ADD_X,
47 BPF_S_ALU_SUB_K,
48 BPF_S_ALU_SUB_X,
49 BPF_S_ALU_MUL_K,
50 BPF_S_ALU_MUL_X,
51 BPF_S_ALU_DIV_X,
52 BPF_S_ALU_AND_K,
53 BPF_S_ALU_AND_X,
54 BPF_S_ALU_OR_K,
55 BPF_S_ALU_OR_X,
56 BPF_S_ALU_LSH_K,
57 BPF_S_ALU_LSH_X,
58 BPF_S_ALU_RSH_K,
59 BPF_S_ALU_RSH_X,
60 BPF_S_ALU_NEG,
61 BPF_S_LD_W_ABS,
62 BPF_S_LD_H_ABS,
63 BPF_S_LD_B_ABS,
64 BPF_S_LD_W_LEN,
65 BPF_S_LD_W_IND,
66 BPF_S_LD_H_IND,
67 BPF_S_LD_B_IND,
68 BPF_S_LD_IMM,
69 BPF_S_LDX_W_LEN,
70 BPF_S_LDX_B_MSH,
71 BPF_S_LDX_IMM,
72 BPF_S_MISC_TAX,
73 BPF_S_MISC_TXA,
74 BPF_S_ALU_DIV_K,
75 BPF_S_LD_MEM,
76 BPF_S_LDX_MEM,
77 BPF_S_ST,
78 BPF_S_STX,
79 BPF_S_JMP_JA,
80 BPF_S_JMP_JEQ_K,
81 BPF_S_JMP_JEQ_X,
82 BPF_S_JMP_JGE_K,
83 BPF_S_JMP_JGE_X,
84 BPF_S_JMP_JGT_K,
85 BPF_S_JMP_JGT_X,
86 BPF_S_JMP_JSET_K,
87 BPF_S_JMP_JSET_X,
88
89 BPF_S_ANC_PROTOCOL,
90 BPF_S_ANC_PKTTYPE,
91 BPF_S_ANC_IFINDEX,
92 BPF_S_ANC_NLATTR,
93 BPF_S_ANC_NLATTR_NEST,
94 BPF_S_ANC_MARK,
95 BPF_S_ANC_QUEUE,
96 BPF_S_ANC_HATYPE,
97 BPF_S_ANC_RXHASH,
98 BPF_S_ANC_CPU,
99};
100
101
102static void *__load_pointer(const struct sk_buff *skb, int k, unsigned int size)
103{
104 u8 *ptr = NULL;
105
106 if (k >= SKF_NET_OFF)
107 ptr = skb_network_header(skb) + k - SKF_NET_OFF;
108 else if (k >= SKF_LL_OFF)
109 ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
110
111 if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
112 return ptr;
113 return NULL;
114}
115
116static inline void *load_pointer(const struct sk_buff *skb, int k,
117 unsigned int size, void *buffer)
118{
119 if (k >= 0)
120 return skb_header_pointer(skb, k, size, buffer);
121 return __load_pointer(skb, k, size);
122}
123
124
125
126
127
128
129
130
131
132
133
134
135
136int sk_filter(struct sock *sk, struct sk_buff *skb)
137{
138 int err;
139 struct sk_filter *filter;
140
141 err = security_sock_rcv_skb(sk, skb);
142 if (err)
143 return err;
144
145 rcu_read_lock_bh();
146 filter = rcu_dereference_bh(sk->sk_filter);
147 if (filter) {
148 unsigned int pkt_len = sk_run_filter(skb, filter->insns);
149
150 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
151 }
152 rcu_read_unlock_bh();
153
154 return err;
155}
156EXPORT_SYMBOL(sk_filter);
157
158
159
160
161
162
163
164
165
166
167
168
169
170unsigned int sk_run_filter(const struct sk_buff *skb,
171 const struct sock_filter *fentry)
172{
173 void *ptr;
174 u32 A = 0;
175 u32 X = 0;
176 u32 mem[BPF_MEMWORDS];
177 u32 tmp;
178 int k;
179
180
181
182
183 for (;; fentry++) {
184#if defined(CONFIG_X86_32)
185#define K (fentry->k)
186#else
187 const u32 K = fentry->k;
188#endif
189
190 switch (fentry->code) {
191 case BPF_S_ALU_ADD_X:
192 A += X;
193 continue;
194 case BPF_S_ALU_ADD_K:
195 A += K;
196 continue;
197 case BPF_S_ALU_SUB_X:
198 A -= X;
199 continue;
200 case BPF_S_ALU_SUB_K:
201 A -= K;
202 continue;
203 case BPF_S_ALU_MUL_X:
204 A *= X;
205 continue;
206 case BPF_S_ALU_MUL_K:
207 A *= K;
208 continue;
209 case BPF_S_ALU_DIV_X:
210 if (X == 0)
211 return 0;
212 A /= X;
213 continue;
214 case BPF_S_ALU_DIV_K:
215 A = reciprocal_divide(A, K);
216 continue;
217 case BPF_S_ALU_AND_X:
218 A &= X;
219 continue;
220 case BPF_S_ALU_AND_K:
221 A &= K;
222 continue;
223 case BPF_S_ALU_OR_X:
224 A |= X;
225 continue;
226 case BPF_S_ALU_OR_K:
227 A |= K;
228 continue;
229 case BPF_S_ALU_LSH_X:
230 A <<= X;
231 continue;
232 case BPF_S_ALU_LSH_K:
233 A <<= K;
234 continue;
235 case BPF_S_ALU_RSH_X:
236 A >>= X;
237 continue;
238 case BPF_S_ALU_RSH_K:
239 A >>= K;
240 continue;
241 case BPF_S_ALU_NEG:
242 A = -A;
243 continue;
244 case BPF_S_JMP_JA:
245 fentry += K;
246 continue;
247 case BPF_S_JMP_JGT_K:
248 fentry += (A > K) ? fentry->jt : fentry->jf;
249 continue;
250 case BPF_S_JMP_JGE_K:
251 fentry += (A >= K) ? fentry->jt : fentry->jf;
252 continue;
253 case BPF_S_JMP_JEQ_K:
254 fentry += (A == K) ? fentry->jt : fentry->jf;
255 continue;
256 case BPF_S_JMP_JSET_K:
257 fentry += (A & K) ? fentry->jt : fentry->jf;
258 continue;
259 case BPF_S_JMP_JGT_X:
260 fentry += (A > X) ? fentry->jt : fentry->jf;
261 continue;
262 case BPF_S_JMP_JGE_X:
263 fentry += (A >= X) ? fentry->jt : fentry->jf;
264 continue;
265 case BPF_S_JMP_JEQ_X:
266 fentry += (A == X) ? fentry->jt : fentry->jf;
267 continue;
268 case BPF_S_JMP_JSET_X:
269 fentry += (A & X) ? fentry->jt : fentry->jf;
270 continue;
271 case BPF_S_LD_W_ABS:
272 k = K;
273load_w:
274 ptr = load_pointer(skb, k, 4, &tmp);
275 if (ptr != NULL) {
276 A = get_unaligned_be32(ptr);
277 continue;
278 }
279 return 0;
280 case BPF_S_LD_H_ABS:
281 k = K;
282load_h:
283 ptr = load_pointer(skb, k, 2, &tmp);
284 if (ptr != NULL) {
285 A = get_unaligned_be16(ptr);
286 continue;
287 }
288 return 0;
289 case BPF_S_LD_B_ABS:
290 k = K;
291load_b:
292 ptr = load_pointer(skb, k, 1, &tmp);
293 if (ptr != NULL) {
294 A = *(u8 *)ptr;
295 continue;
296 }
297 return 0;
298 case BPF_S_LD_W_LEN:
299 A = skb->len;
300 continue;
301 case BPF_S_LDX_W_LEN:
302 X = skb->len;
303 continue;
304 case BPF_S_LD_W_IND:
305 k = X + K;
306 goto load_w;
307 case BPF_S_LD_H_IND:
308 k = X + K;
309 goto load_h;
310 case BPF_S_LD_B_IND:
311 k = X + K;
312 goto load_b;
313 case BPF_S_LDX_B_MSH:
314 ptr = load_pointer(skb, K, 1, &tmp);
315 if (ptr != NULL) {
316 X = (*(u8 *)ptr & 0xf) << 2;
317 continue;
318 }
319 return 0;
320 case BPF_S_LD_IMM:
321 A = K;
322 continue;
323 case BPF_S_LDX_IMM:
324 X = K;
325 continue;
326 case BPF_S_LD_MEM:
327 A = mem[K];
328 continue;
329 case BPF_S_LDX_MEM:
330 X = mem[K];
331 continue;
332 case BPF_S_MISC_TAX:
333 X = A;
334 continue;
335 case BPF_S_MISC_TXA:
336 A = X;
337 continue;
338 case BPF_S_RET_K:
339 return K;
340 case BPF_S_RET_A:
341 return A;
342 case BPF_S_ST:
343 mem[K] = A;
344 continue;
345 case BPF_S_STX:
346 mem[K] = X;
347 continue;
348 case BPF_S_ANC_PROTOCOL:
349 A = ntohs(skb->protocol);
350 continue;
351 case BPF_S_ANC_PKTTYPE:
352 A = skb->pkt_type;
353 continue;
354 case BPF_S_ANC_IFINDEX:
355 if (!skb->dev)
356 return 0;
357 A = skb->dev->ifindex;
358 continue;
359 case BPF_S_ANC_MARK:
360 A = skb->mark;
361 continue;
362 case BPF_S_ANC_QUEUE:
363 A = skb->queue_mapping;
364 continue;
365 case BPF_S_ANC_HATYPE:
366 if (!skb->dev)
367 return 0;
368 A = skb->dev->type;
369 continue;
370 case BPF_S_ANC_RXHASH:
371 A = skb->rxhash;
372 continue;
373 case BPF_S_ANC_CPU:
374 A = raw_smp_processor_id();
375 continue;
376 case BPF_S_ANC_NLATTR: {
377 struct nlattr *nla;
378
379 if (skb_is_nonlinear(skb))
380 return 0;
381 if (A > skb->len - sizeof(struct nlattr))
382 return 0;
383
384 nla = nla_find((struct nlattr *)&skb->data[A],
385 skb->len - A, X);
386 if (nla)
387 A = (void *)nla - (void *)skb->data;
388 else
389 A = 0;
390 continue;
391 }
392 case BPF_S_ANC_NLATTR_NEST: {
393 struct nlattr *nla;
394
395 if (skb_is_nonlinear(skb))
396 return 0;
397 if (A > skb->len - sizeof(struct nlattr))
398 return 0;
399
400 nla = (struct nlattr *)&skb->data[A];
401 if (nla->nla_len > A - skb->len)
402 return 0;
403
404 nla = nla_find_nested(nla, X);
405 if (nla)
406 A = (void *)nla - (void *)skb->data;
407 else
408 A = 0;
409 continue;
410 }
411 default:
412 WARN_ON(1);
413 return 0;
414 }
415 }
416
417 return 0;
418}
419EXPORT_SYMBOL(sk_run_filter);
420
421
422
423
424
425
426
427
428
429
430static int check_load_and_stores(struct sock_filter *filter, int flen)
431{
432 u16 *masks, memvalid = 0;
433 int pc, ret = 0;
434
435 BUILD_BUG_ON(BPF_MEMWORDS > 16);
436 masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
437 if (!masks)
438 return -ENOMEM;
439 memset(masks, 0xff, flen * sizeof(*masks));
440
441 for (pc = 0; pc < flen; pc++) {
442 memvalid &= masks[pc];
443
444 switch (filter[pc].code) {
445 case BPF_S_ST:
446 case BPF_S_STX:
447 memvalid |= (1 << filter[pc].k);
448 break;
449 case BPF_S_LD_MEM:
450 case BPF_S_LDX_MEM:
451 if (!(memvalid & (1 << filter[pc].k))) {
452 ret = -EINVAL;
453 goto error;
454 }
455 break;
456 case BPF_S_JMP_JA:
457
458 masks[pc + 1 + filter[pc].k] &= memvalid;
459 memvalid = ~0;
460 break;
461 case BPF_S_JMP_JEQ_K:
462 case BPF_S_JMP_JEQ_X:
463 case BPF_S_JMP_JGE_K:
464 case BPF_S_JMP_JGE_X:
465 case BPF_S_JMP_JGT_K:
466 case BPF_S_JMP_JGT_X:
467 case BPF_S_JMP_JSET_X:
468 case BPF_S_JMP_JSET_K:
469
470 masks[pc + 1 + filter[pc].jt] &= memvalid;
471 masks[pc + 1 + filter[pc].jf] &= memvalid;
472 memvalid = ~0;
473 break;
474 }
475 }
476error:
477 kfree(masks);
478 return ret;
479}
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495int sk_chk_filter(struct sock_filter *filter, int flen)
496{
497
498
499
500
501 static const u8 codes[] = {
502 [BPF_ALU|BPF_ADD|BPF_K] = BPF_S_ALU_ADD_K,
503 [BPF_ALU|BPF_ADD|BPF_X] = BPF_S_ALU_ADD_X,
504 [BPF_ALU|BPF_SUB|BPF_K] = BPF_S_ALU_SUB_K,
505 [BPF_ALU|BPF_SUB|BPF_X] = BPF_S_ALU_SUB_X,
506 [BPF_ALU|BPF_MUL|BPF_K] = BPF_S_ALU_MUL_K,
507 [BPF_ALU|BPF_MUL|BPF_X] = BPF_S_ALU_MUL_X,
508 [BPF_ALU|BPF_DIV|BPF_X] = BPF_S_ALU_DIV_X,
509 [BPF_ALU|BPF_AND|BPF_K] = BPF_S_ALU_AND_K,
510 [BPF_ALU|BPF_AND|BPF_X] = BPF_S_ALU_AND_X,
511 [BPF_ALU|BPF_OR|BPF_K] = BPF_S_ALU_OR_K,
512 [BPF_ALU|BPF_OR|BPF_X] = BPF_S_ALU_OR_X,
513 [BPF_ALU|BPF_LSH|BPF_K] = BPF_S_ALU_LSH_K,
514 [BPF_ALU|BPF_LSH|BPF_X] = BPF_S_ALU_LSH_X,
515 [BPF_ALU|BPF_RSH|BPF_K] = BPF_S_ALU_RSH_K,
516 [BPF_ALU|BPF_RSH|BPF_X] = BPF_S_ALU_RSH_X,
517 [BPF_ALU|BPF_NEG] = BPF_S_ALU_NEG,
518 [BPF_LD|BPF_W|BPF_ABS] = BPF_S_LD_W_ABS,
519 [BPF_LD|BPF_H|BPF_ABS] = BPF_S_LD_H_ABS,
520 [BPF_LD|BPF_B|BPF_ABS] = BPF_S_LD_B_ABS,
521 [BPF_LD|BPF_W|BPF_LEN] = BPF_S_LD_W_LEN,
522 [BPF_LD|BPF_W|BPF_IND] = BPF_S_LD_W_IND,
523 [BPF_LD|BPF_H|BPF_IND] = BPF_S_LD_H_IND,
524 [BPF_LD|BPF_B|BPF_IND] = BPF_S_LD_B_IND,
525 [BPF_LD|BPF_IMM] = BPF_S_LD_IMM,
526 [BPF_LDX|BPF_W|BPF_LEN] = BPF_S_LDX_W_LEN,
527 [BPF_LDX|BPF_B|BPF_MSH] = BPF_S_LDX_B_MSH,
528 [BPF_LDX|BPF_IMM] = BPF_S_LDX_IMM,
529 [BPF_MISC|BPF_TAX] = BPF_S_MISC_TAX,
530 [BPF_MISC|BPF_TXA] = BPF_S_MISC_TXA,
531 [BPF_RET|BPF_K] = BPF_S_RET_K,
532 [BPF_RET|BPF_A] = BPF_S_RET_A,
533 [BPF_ALU|BPF_DIV|BPF_K] = BPF_S_ALU_DIV_K,
534 [BPF_LD|BPF_MEM] = BPF_S_LD_MEM,
535 [BPF_LDX|BPF_MEM] = BPF_S_LDX_MEM,
536 [BPF_ST] = BPF_S_ST,
537 [BPF_STX] = BPF_S_STX,
538 [BPF_JMP|BPF_JA] = BPF_S_JMP_JA,
539 [BPF_JMP|BPF_JEQ|BPF_K] = BPF_S_JMP_JEQ_K,
540 [BPF_JMP|BPF_JEQ|BPF_X] = BPF_S_JMP_JEQ_X,
541 [BPF_JMP|BPF_JGE|BPF_K] = BPF_S_JMP_JGE_K,
542 [BPF_JMP|BPF_JGE|BPF_X] = BPF_S_JMP_JGE_X,
543 [BPF_JMP|BPF_JGT|BPF_K] = BPF_S_JMP_JGT_K,
544 [BPF_JMP|BPF_JGT|BPF_X] = BPF_S_JMP_JGT_X,
545 [BPF_JMP|BPF_JSET|BPF_K] = BPF_S_JMP_JSET_K,
546 [BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X,
547 };
548 int pc;
549
550 if (flen == 0 || flen > BPF_MAXINSNS)
551 return -EINVAL;
552
553
554 for (pc = 0; pc < flen; pc++) {
555 struct sock_filter *ftest = &filter[pc];
556 u16 code = ftest->code;
557
558 if (code >= ARRAY_SIZE(codes))
559 return -EINVAL;
560 code = codes[code];
561 if (!code)
562 return -EINVAL;
563
564 switch (code) {
565 case BPF_S_ALU_DIV_K:
566
567 if (ftest->k == 0)
568 return -EINVAL;
569 ftest->k = reciprocal_value(ftest->k);
570 break;
571 case BPF_S_LD_MEM:
572 case BPF_S_LDX_MEM:
573 case BPF_S_ST:
574 case BPF_S_STX:
575
576 if (ftest->k >= BPF_MEMWORDS)
577 return -EINVAL;
578 break;
579 case BPF_S_JMP_JA:
580
581
582
583
584
585 if (ftest->k >= (unsigned)(flen-pc-1))
586 return -EINVAL;
587 break;
588 case BPF_S_JMP_JEQ_K:
589 case BPF_S_JMP_JEQ_X:
590 case BPF_S_JMP_JGE_K:
591 case BPF_S_JMP_JGE_X:
592 case BPF_S_JMP_JGT_K:
593 case BPF_S_JMP_JGT_X:
594 case BPF_S_JMP_JSET_X:
595 case BPF_S_JMP_JSET_K:
596
597 if (pc + ftest->jt + 1 >= flen ||
598 pc + ftest->jf + 1 >= flen)
599 return -EINVAL;
600 break;
601 case BPF_S_LD_W_ABS:
602 case BPF_S_LD_H_ABS:
603 case BPF_S_LD_B_ABS:
604#define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE: \
605 code = BPF_S_ANC_##CODE; \
606 break
607 switch (ftest->k) {
608 ANCILLARY(PROTOCOL);
609 ANCILLARY(PKTTYPE);
610 ANCILLARY(IFINDEX);
611 ANCILLARY(NLATTR);
612 ANCILLARY(NLATTR_NEST);
613 ANCILLARY(MARK);
614 ANCILLARY(QUEUE);
615 ANCILLARY(HATYPE);
616 ANCILLARY(RXHASH);
617 ANCILLARY(CPU);
618 }
619 }
620 ftest->code = code;
621 }
622
623
624 switch (filter[flen - 1].code) {
625 case BPF_S_RET_K:
626 case BPF_S_RET_A:
627 return check_load_and_stores(filter, flen);
628 }
629 return -EINVAL;
630}
631EXPORT_SYMBOL(sk_chk_filter);
632
633
634
635
636
637void sk_filter_release_rcu(struct rcu_head *rcu)
638{
639 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
640
641 kfree(fp);
642}
643EXPORT_SYMBOL(sk_filter_release_rcu);
644
645
646
647
648
649
650
651
652
653
654
655int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
656{
657 struct sk_filter *fp, *old_fp;
658 unsigned int fsize = sizeof(struct sock_filter) * fprog->len;
659 int err;
660
661
662 if (fprog->filter == NULL)
663 return -EINVAL;
664
665 fp = sock_kmalloc(sk, fsize+sizeof(*fp), GFP_KERNEL);
666 if (!fp)
667 return -ENOMEM;
668 if (copy_from_user(fp->insns, fprog->filter, fsize)) {
669 sock_kfree_s(sk, fp, fsize+sizeof(*fp));
670 return -EFAULT;
671 }
672
673 atomic_set(&fp->refcnt, 1);
674 fp->len = fprog->len;
675
676 err = sk_chk_filter(fp->insns, fp->len);
677 if (err) {
678 sk_filter_uncharge(sk, fp);
679 return err;
680 }
681
682 old_fp = rcu_dereference_protected(sk->sk_filter,
683 sock_owned_by_user(sk));
684 rcu_assign_pointer(sk->sk_filter, fp);
685
686 if (old_fp)
687 sk_filter_uncharge(sk, old_fp);
688 return 0;
689}
690EXPORT_SYMBOL_GPL(sk_attach_filter);
691
692int sk_detach_filter(struct sock *sk)
693{
694 int ret = -ENOENT;
695 struct sk_filter *filter;
696
697 filter = rcu_dereference_protected(sk->sk_filter,
698 sock_owned_by_user(sk));
699 if (filter) {
700 rcu_assign_pointer(sk->sk_filter, NULL);
701 sk_filter_uncharge(sk, filter);
702 ret = 0;
703 }
704 return ret;
705}
706EXPORT_SYMBOL_GPL(sk_detach_filter);
707
