

  1. /*
  2. * Minimal BPF debugger
  3. *
  4. * Minimal BPF debugger that mimics the kernel's engine (w/o extensions)
  5. * and allows for single stepping through selected packets from a pcap
  6. * with a provided user filter in order to facilitate verification of a
  7. * BPF program. Besides others, this is useful to verify BPF programs
  8. * before attaching to a live system, and can be used in socket filters,
  9. * cls_bpf, xt_bpf, team driver and e.g. PTP code; in particular when a
  10. * single more complex BPF program is being used. Reasons for a more
  11. * complex BPF program are likely primarily to optimize execution time
  12. * for making a verdict when multiple simple BPF programs are combined
  13. * into one in order to prevent parsing same headers multiple times.
  14. *
  15. * More on how to debug BPF opcodes see Documentation/networking/filter.txt
  16. * which is the main document on BPF. Mini howto for getting started:
  17. *
  18. * 1) `./bpf_dbg` to enter the shell (shell cmds denoted with '>'):
  19. * 2) > load bpf 6,40 0 0 12,21 0 3 20... (output from `bpf_asm` or
  20. * `tcpdump -iem1 -ddd port 22 | tr '\n' ','` to load as filter)
  21. * 3) > load pcap foo.pcap
  22. * 4) > run <n>/disassemble/dump/quit (self-explanatory)
  23. * 5) > breakpoint 2 (sets bp at loaded BPF insns 2, do `run` then;
  24. * multiple bps can be set, of course, a call to `breakpoint`
  25. * w/o args shows currently loaded bps, `breakpoint reset` for
  26. * resetting all breakpoints)
  27. * 6) > select 3 (`run` etc will start from the 3rd packet in the pcap)
  28. * 7) > step [-<n>, +<n>] (performs single stepping through the BPF)
  29. *
  30. * Copyright 2013 Daniel Borkmann <[email protected]>
  31. * Licensed under the GNU General Public License, version 2.0 (GPLv2)
  32. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>
#include <setjmp.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <linux/filter.h>
#include <linux/if_packet.h>
#include <readline/readline.h>
#include <readline/history.h>
/* Native-endian classic libpcap magic; try_load_pcap() rejects any capture
 * whose file header does not carry exactly this value. */
#define TCPDUMP_MAGIC 0xa1b2c3d4

/* Class|size and class|op opcode combinations, used as switch labels in
 * bpf_disasm()/bpf_single_step() and as indices into op_table[]. */
#define BPF_LDX_B (BPF_LDX | BPF_B)
#define BPF_LDX_W (BPF_LDX | BPF_W)
#define BPF_JMP_JA (BPF_JMP | BPF_JA)
#define BPF_JMP_JEQ (BPF_JMP | BPF_JEQ)
#define BPF_JMP_JGT (BPF_JMP | BPF_JGT)
#define BPF_JMP_JGE (BPF_JMP | BPF_JGE)
#define BPF_JMP_JSET (BPF_JMP | BPF_JSET)
#define BPF_ALU_ADD (BPF_ALU | BPF_ADD)
#define BPF_ALU_SUB (BPF_ALU | BPF_SUB)
#define BPF_ALU_MUL (BPF_ALU | BPF_MUL)
#define BPF_ALU_DIV (BPF_ALU | BPF_DIV)
#define BPF_ALU_MOD (BPF_ALU | BPF_MOD)
#define BPF_ALU_NEG (BPF_ALU | BPF_NEG)
#define BPF_ALU_AND (BPF_ALU | BPF_AND)
#define BPF_ALU_OR (BPF_ALU | BPF_OR)
#define BPF_ALU_XOR (BPF_ALU | BPF_XOR)
#define BPF_ALU_LSH (BPF_ALU | BPF_LSH)
#define BPF_ALU_RSH (BPF_ALU | BPF_RSH)
#define BPF_MISC_TAX (BPF_MISC | BPF_TAX)
#define BPF_MISC_TXA (BPF_MISC | BPF_TXA)
#define BPF_LD_B (BPF_LD | BPF_B)
#define BPF_LD_H (BPF_LD | BPF_H)
#define BPF_LD_W (BPF_LD | BPF_W)

/* Element count of a real array (never apply to a pointer). */
#ifndef array_size
# define array_size(x) (sizeof(x) / sizeof((x)[0]))
#endif

/* Lets the compiler check format string / argument agreement of rl_printf(). */
#ifndef __check_format_printf
# define __check_format_printf(pos_fmtstr, pos_fmtargs) \
__attribute__ ((format (printf, (pos_fmtstr), (pos_fmtargs))))
#endif
/* Shell command results: CMD_OK adds the line to the history, CMD_ERR does
 * not, CMD_EX terminates the shell loop (see run_shell_loop()). */
enum {
	CMD_OK,
	CMD_ERR,
	CMD_EX,
};
/* One shell command: its name and the handler, which receives the remainder
 * of the input line after the command word (possibly an empty string). */
struct shell_cmd {
	const char *name;
	int (*func)(char *args);
};
/* On-disk libpcap file header; read straight out of the mmap in host byte
 * order, so only native-endian captures are usable (see TCPDUMP_MAGIC). */
struct pcap_filehdr {
	uint32_t magic;
	uint16_t version_major;
	uint16_t version_minor;
	int32_t thiszone;
	uint32_t sigfigs;
	uint32_t snaplen;
	uint32_t linktype;
};

/* 32-bit on-disk timestamp, independent of the host's struct timeval. */
struct pcap_timeval {
	int32_t tv_sec;
	int32_t tv_usec;
};

/* Per-packet record header; caplen bytes of packet data follow it directly.
 * caplen is what was captured, len the original wire length. */
struct pcap_pkthdr {
	struct pcap_timeval ts;
	uint32_t caplen;
	uint32_t len;
};
/* Complete interpreter state: accumulator A, index X, scratch memory M[],
 * the verdict R (valid once Rs is set) and the program counter Pc. */
struct bpf_regs {
	uint32_t A;
	uint32_t X;
	uint32_t M[BPF_MEMWORDS];
	uint32_t R;
	bool Rs;
	uint16_t Pc;
};
/* The loaded program (one spare slot beyond BPF_MAXINSNS) and its length;
 * a length of 0 means "nothing loaded". */
static struct sock_filter bpf_image[BPF_MAXINSNS + 1];
static unsigned int bpf_prog_len;
/* Breakpoint slots holding instruction indices; -1 marks a free slot. */
static int bpf_breakpoints[64];
/* Register history for `step -n`: one bpf_curr snapshot per executed
 * instruction, bpf_regs_len valid entries. bpf_curr is the live state. */
static struct bpf_regs bpf_regs[BPF_MAXINSNS + 1];
static struct bpf_regs bpf_curr;
static unsigned int bpf_regs_len;
/* Read-only mmap of the loaded pcap: descriptor, mapping start/size and the
 * pointer to the current packet record. pcap_packet is only ever reset. */
static int pcap_fd = -1;
static unsigned int pcap_packet;
static size_t pcap_map_size;
static char *pcap_ptr_va_start, *pcap_ptr_va_curr;
/* Mnemonics for the disassembler, indexed by class|size or class|op (the
 * BPF_*_* shorthands above); operands are formatted by bpf_disasm(). */
static const char * const op_table[] = {
	[BPF_ST] = "st",
	[BPF_STX] = "stx",
	[BPF_LD_B] = "ldb",
	[BPF_LD_H] = "ldh",
	[BPF_LD_W] = "ld",
	[BPF_LDX] = "ldx",
	[BPF_LDX_B] = "ldxb",
	[BPF_JMP_JA] = "ja",
	[BPF_JMP_JEQ] = "jeq",
	[BPF_JMP_JGT] = "jgt",
	[BPF_JMP_JGE] = "jge",
	[BPF_JMP_JSET] = "jset",
	[BPF_ALU_ADD] = "add",
	[BPF_ALU_SUB] = "sub",
	[BPF_ALU_MUL] = "mul",
	[BPF_ALU_DIV] = "div",
	[BPF_ALU_MOD] = "mod",
	[BPF_ALU_NEG] = "neg",
	[BPF_ALU_AND] = "and",
	[BPF_ALU_OR] = "or",
	[BPF_ALU_XOR] = "xor",
	[BPF_ALU_LSH] = "lsh",
	[BPF_ALU_RSH] = "rsh",
	[BPF_MISC_TAX] = "tax",
	[BPF_MISC_TXA] = "txa",
	[BPF_RET] = "ret",
};
/*
 * printf() onto readline's output stream (rl_outstream, set in init_shell())
 * so that debugger output and the prompt share one FILE.
 * Returns the vfprintf() result.
 */
static __check_format_printf(1, 2) int rl_printf(const char *fmt, ...)
{
	va_list ap;
	int written;

	va_start(ap, fmt);
	written = vfprintf(rl_outstream, fmt, ap);
	va_end(ap);

	return written;
}
/*
 * Prefix match used for sub-command parsing: returns 0 when @cmd is a
 * (possibly partial) prefix of @pattern, -1 when @cmd is longer than
 * @pattern, otherwise the non-zero memcmp() result. Note that an empty
 * @cmd matches every pattern.
 */
static int matches(const char *cmd, const char *pattern)
{
	size_t cmd_len = strlen(cmd);

	if (cmd_len > strlen(pattern))
		return -1;

	return memcmp(pattern, cmd, cmd_len);
}
/*
 * Hex dump of @len bytes at @buf, 16 per line, each line prefixed with the
 * offset of its first byte.
 */
static void hex_dump(const uint8_t *buf, size_t len)
{
	size_t pos;

	rl_printf("%3u: ", 0);
	for (pos = 0; pos < len; pos++) {
		if (pos != 0 && pos % 16 == 0)
			rl_printf("\n%3u: ", (unsigned int) pos);
		rl_printf("%02x ", buf[pos]);
	}
	rl_printf("\n");
}
/* True when a program is loaded; prints a hint to the user otherwise. */
static bool bpf_prog_loaded(void)
{
	bool loaded = bpf_prog_len > 0;

	if (!loaded)
		rl_printf("no bpf program loaded!\n");

	return loaded;
}
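/*
 * Print instruction @f, which sits at index @i of the program, in a
 * bpf_asm-like form: "l<i>:\t<op> <operand>[, l<jt>, l<jf>]". Jump targets
 * are printed as absolute instruction labels (i + 1 + displacement).
 * Opcodes the debugger does not know print as "nosup <code>".
 *
 * `ldx #len` (BPF_LDX_W | BPF_LEN) is executed by bpf_single_step() but
 * used to show up here as "nosup"; it now disassembles like `ld #len`.
 */
static void bpf_disasm(const struct sock_filter f, unsigned int i)
{
	const char *op, *fmt;
	int val = f.k;
	char buf[256];

	switch (f.code) {
	case BPF_RET | BPF_K:		op = op_table[BPF_RET];      fmt = "#%#x"; break;
	case BPF_RET | BPF_A:		op = op_table[BPF_RET];      fmt = "a"; break;
	case BPF_RET | BPF_X:		op = op_table[BPF_RET];      fmt = "x"; break;
	case BPF_MISC_TAX:		op = op_table[BPF_MISC_TAX]; fmt = ""; break;
	case BPF_MISC_TXA:		op = op_table[BPF_MISC_TXA]; fmt = ""; break;
	case BPF_ST:			op = op_table[BPF_ST];       fmt = "M[%d]"; break;
	case BPF_STX:			op = op_table[BPF_STX];      fmt = "M[%d]"; break;
	case BPF_LD_W | BPF_ABS:	op = op_table[BPF_LD_W];     fmt = "[%d]"; break;
	case BPF_LD_H | BPF_ABS:	op = op_table[BPF_LD_H];     fmt = "[%d]"; break;
	case BPF_LD_B | BPF_ABS:	op = op_table[BPF_LD_B];     fmt = "[%d]"; break;
	case BPF_LD_W | BPF_LEN:	op = op_table[BPF_LD_W];     fmt = "#len"; break;
	case BPF_LDX_W | BPF_LEN:	op = op_table[BPF_LDX];      fmt = "#len"; break;
	case BPF_LD_W | BPF_IND:	op = op_table[BPF_LD_W];     fmt = "[x+%d]"; break;
	case BPF_LD_H | BPF_IND:	op = op_table[BPF_LD_H];     fmt = "[x+%d]"; break;
	case BPF_LD_B | BPF_IND:	op = op_table[BPF_LD_B];     fmt = "[x+%d]"; break;
	case BPF_LD | BPF_IMM:		op = op_table[BPF_LD_W];     fmt = "#%#x"; break;
	case BPF_LDX | BPF_IMM:		op = op_table[BPF_LDX];      fmt = "#%#x"; break;
	case BPF_LDX_B | BPF_MSH:	op = op_table[BPF_LDX_B];    fmt = "4*([%d]&0xf)"; break;
	case BPF_LD | BPF_MEM:		op = op_table[BPF_LD_W];     fmt = "M[%d]"; break;
	case BPF_LDX | BPF_MEM:		op = op_table[BPF_LDX];      fmt = "M[%d]"; break;
	case BPF_JMP_JA:
		/* unconditional jump: print the absolute target */
		op = op_table[BPF_JMP_JA];
		fmt = "%d";
		val = i + 1 + f.k;
		break;
	case BPF_JMP_JGT | BPF_X:	op = op_table[BPF_JMP_JGT];  fmt = "x"; break;
	case BPF_JMP_JGT | BPF_K:	op = op_table[BPF_JMP_JGT];  fmt = "#%#x"; break;
	case BPF_JMP_JGE | BPF_X:	op = op_table[BPF_JMP_JGE];  fmt = "x"; break;
	case BPF_JMP_JGE | BPF_K:	op = op_table[BPF_JMP_JGE];  fmt = "#%#x"; break;
	case BPF_JMP_JEQ | BPF_X:	op = op_table[BPF_JMP_JEQ];  fmt = "x"; break;
	case BPF_JMP_JEQ | BPF_K:	op = op_table[BPF_JMP_JEQ];  fmt = "#%#x"; break;
	case BPF_JMP_JSET | BPF_X:	op = op_table[BPF_JMP_JSET]; fmt = "x"; break;
	case BPF_JMP_JSET | BPF_K:	op = op_table[BPF_JMP_JSET]; fmt = "#%#x"; break;
	case BPF_ALU_NEG:		op = op_table[BPF_ALU_NEG];  fmt = ""; break;
	case BPF_ALU_LSH | BPF_X:	op = op_table[BPF_ALU_LSH];  fmt = "x"; break;
	case BPF_ALU_LSH | BPF_K:	op = op_table[BPF_ALU_LSH];  fmt = "#%d"; break;
	case BPF_ALU_RSH | BPF_X:	op = op_table[BPF_ALU_RSH];  fmt = "x"; break;
	case BPF_ALU_RSH | BPF_K:	op = op_table[BPF_ALU_RSH];  fmt = "#%d"; break;
	case BPF_ALU_ADD | BPF_X:	op = op_table[BPF_ALU_ADD];  fmt = "x"; break;
	case BPF_ALU_ADD | BPF_K:	op = op_table[BPF_ALU_ADD];  fmt = "#%d"; break;
	case BPF_ALU_SUB | BPF_X:	op = op_table[BPF_ALU_SUB];  fmt = "x"; break;
	case BPF_ALU_SUB | BPF_K:	op = op_table[BPF_ALU_SUB];  fmt = "#%d"; break;
	case BPF_ALU_MUL | BPF_X:	op = op_table[BPF_ALU_MUL];  fmt = "x"; break;
	case BPF_ALU_MUL | BPF_K:	op = op_table[BPF_ALU_MUL];  fmt = "#%d"; break;
	case BPF_ALU_DIV | BPF_X:	op = op_table[BPF_ALU_DIV];  fmt = "x"; break;
	case BPF_ALU_DIV | BPF_K:	op = op_table[BPF_ALU_DIV];  fmt = "#%d"; break;
	case BPF_ALU_MOD | BPF_X:	op = op_table[BPF_ALU_MOD];  fmt = "x"; break;
	case BPF_ALU_MOD | BPF_K:	op = op_table[BPF_ALU_MOD];  fmt = "#%d"; break;
	case BPF_ALU_AND | BPF_X:	op = op_table[BPF_ALU_AND];  fmt = "x"; break;
	case BPF_ALU_AND | BPF_K:	op = op_table[BPF_ALU_AND];  fmt = "#%#x"; break;
	case BPF_ALU_OR | BPF_X:	op = op_table[BPF_ALU_OR];   fmt = "x"; break;
	case BPF_ALU_OR | BPF_K:	op = op_table[BPF_ALU_OR];   fmt = "#%#x"; break;
	case BPF_ALU_XOR | BPF_X:	op = op_table[BPF_ALU_XOR];  fmt = "x"; break;
	case BPF_ALU_XOR | BPF_K:	op = op_table[BPF_ALU_XOR];  fmt = "#%#x"; break;
	default:
		op = "nosup";
		fmt = "%#x";
		val = f.code;
		break;
	}

	/* fmt is always one of the literals above, taking at most one int;
	 * snprintf() NUL-terminates, so no extra clearing is needed. */
	snprintf(buf, sizeof(buf), fmt, val);

	if (BPF_CLASS(f.code) == BPF_JMP && BPF_OP(f.code) != BPF_JA)
		rl_printf("l%d:\t%s %s, l%d, l%d\n", i, op, buf,
			  i + 1 + f.jt, i + 1 + f.jf);
	else
		rl_printf("l%d:\t%s %s\n", i, op, buf);
}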
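/*
 * Print the state at a breakpoint: pc, the raw and disassembled current
 * instruction, for conditional jumps both targets, then A, X, the verdict
 * if one is pending, and every non-zero scratch word. @f must point at
 * bpf_image[r->Pc], which is what bpf_handle_breakpoint() passes.
 *
 * Targets are only followed for conditional jumps and only when they stay
 * inside the loaded program: jt/jf of other instructions carry no meaning
 * (and, as far as I can tell, are not validated by the kernel's checker),
 * so the old unconditional `f + f->jt + 1` could index past bpf_image.
 */
static void bpf_dump_curr(struct bpf_regs *r, struct sock_filter *f)
{
	int i, m = 0;

	rl_printf("pc: [%u]\n", r->Pc);
	rl_printf("code: [%u] jt[%u] jf[%u] k[%u]\n",
		  f->code, f->jt, f->jf, f->k);
	rl_printf("curr: ");
	bpf_disasm(*f, r->Pc);

	if (BPF_CLASS(f->code) == BPF_JMP && BPF_OP(f->code) != BPF_JA &&
	    (f->jt || f->jf)) {
		unsigned int jt = r->Pc + 1 + f->jt;
		unsigned int jf = r->Pc + 1 + f->jf;

		if (jt < bpf_prog_len && jf < bpf_prog_len) {
			rl_printf("jt: ");
			bpf_disasm(f[1 + f->jt], jt);
			rl_printf("jf: ");
			bpf_disasm(f[1 + f->jf], jf);
		} else {
			rl_printf("jt/jf: target outside of loaded program!\n");
		}
	}

	rl_printf("A: [%#08x][%u]\n", r->A, r->A);
	rl_printf("X: [%#08x][%u]\n", r->X, r->X);
	if (r->Rs)
		rl_printf("ret: [%#08x][%u]!\n", r->R, r->R);

	for (i = 0; i < BPF_MEMWORDS; i++) {
		if (r->M[i]) {
			m++;
			rl_printf("M[%d]: [%#08x][%u]\n", i, r->M[i], r->M[i]);
		}
	}
	if (m == 0)
		rl_printf("M[0,%d]: [%#08x][%u]\n", BPF_MEMWORDS - 1, 0, 0);
}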
/*
 * Print the packet lengths (both when the capture is truncated) followed by a
 * hex dump of the captured bytes.
 */
static void bpf_dump_pkt(uint8_t *pkt, uint32_t pkt_caplen, uint32_t pkt_len)
{
	if (pkt_caplen == pkt_len)
		rl_printf("len: %u\n", pkt_len);
	else
		rl_printf("cap: %u, len: %u\n", pkt_caplen, pkt_len);

	hex_dump(pkt, pkt_caplen);
}
/* Disassemble all @len instructions of @f in order. */
static void bpf_disasm_all(const struct sock_filter *f, unsigned int len)
{
	unsigned int pc = 0;

	while (pc < len) {
		bpf_disasm(f[pc], pc);
		pc++;
	}
}
/* Dump the program as C initializer lines of struct sock_filter. */
static void bpf_dump_all(const struct sock_filter *f, unsigned int len)
{
	const struct sock_filter *insn;

	rl_printf("/* { op, jt, jf, k }, */\n");
	for (insn = f; insn < f + len; insn++)
		rl_printf("{ %#04x, %2u, %2u, %#010x },\n",
			  insn->code, insn->jt, insn->jf, insn->k);
}
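/*
 * Ask the kernel whether it accepts @f as a socket filter and check that the
 * program only uses what this debugger emulates.
 *
 * The program is attached with SO_ATTACH_FILTER to a throw-away UDP socket
 * which is closed right away: this reuses the kernel's own checker as the
 * validation oracle, and is what lets the rest of the debugger assume e.g.
 * in-range jump targets and M[] indices. Passing the kernel check does not
 * mean execution here matches the kernel, hence the extra scan below.
 *
 * Absolute loads with k in the ancillary range (SKF_AD_OFF and above, in the
 * u32 domain of k) read skb metadata, those at SKF_NET_OFF/SKF_LL_OFF read
 * header pointers; neither is available here, so both are rejected. Only
 * BPF_ABS loads are inspected: previously every BPF_LD class instruction
 * was, so a plain immediate such as `ld #0xffffffff` was wrongly reported
 * as an extension, while k == SKF_AD_OFF itself slipped through the `>`.
 *
 * Returns true when the program may be run by the debugger.
 */
static bool bpf_runnable(struct sock_filter *f, unsigned int len)
{
	struct sock_fprog bpf = {
		.filter = f,
		.len = len,
	};
	unsigned int i;
	int sock, ret;

	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0) {
		rl_printf("cannot open socket!\n");
		return false;
	}

	ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
	close(sock);
	if (ret < 0) {
		rl_printf("program not allowed to run by kernel!\n");
		return false;
	}

	for (i = 0; i < len; i++) {
		if (BPF_CLASS(f[i].code) != BPF_LD ||
		    BPF_MODE(f[i].code) != BPF_ABS)
			continue;
		/* SKF_*_OFF are negative ints; compare as the u32 k is */
		if (f[i].k >= (uint32_t) SKF_AD_OFF) {
			rl_printf("extensions currently not supported!\n");
			return false;
		}
		if (f[i].k >= (uint32_t) SKF_LL_OFF) {
			rl_printf("negative (SKF_NET_OFF/SKF_LL_OFF) offsets currently not supported!\n");
			return false;
		}
	}

	return true;
}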
/* Mark every breakpoint slot free (-1). */
static void bpf_reset_breakpoints(void)
{
	size_t slot = array_size(bpf_breakpoints);

	while (slot-- > 0)
		bpf_breakpoints[slot] = -1;
}
/*
 * Store breakpoint @where in the first free slot unless it is already set
 * (slots are filled contiguously, so a duplicate is always met before a
 * free slot). Complains when all slots are taken.
 */
static void bpf_set_breakpoints(unsigned int where)
{
	size_t slot;
	bool done = false;

	for (slot = 0; slot < array_size(bpf_breakpoints); slot++) {
		int bp = bpf_breakpoints[slot];

		if (bp == (int) where) {
			rl_printf("breakpoint already set!\n");
			done = true;
			break;
		}
		if (bp == -1 && !done) {
			bpf_breakpoints[slot] = where;
			done = true;
		}
	}

	if (!done)
		rl_printf("too many breakpoints set, reset first!\n");
}
/* List the instruction indices of all set breakpoints on one line. */
static void bpf_dump_breakpoints(void)
{
	size_t slot;

	rl_printf("breakpoints: ");
	for (slot = 0; slot < array_size(bpf_breakpoints); slot++)
		if (bpf_breakpoints[slot] >= 0)
			rl_printf("%d ", bpf_breakpoints[slot]);
	rl_printf("\n");
}
/* Clear the live register state and the whole register history. */
static void bpf_reset(void)
{
	memset(&bpf_curr, 0, sizeof(bpf_curr));
	memset(bpf_regs, 0, sizeof(bpf_regs));
	bpf_regs_len = 0;
}
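/*
 * Push a snapshot of bpf_curr onto the register history for `step -n`.
 * One entry is recorded per executed instruction; since all jumps in
 * bpf_single_step() add unsigned displacements to Pc, no instruction runs
 * twice and a BPF_MAXINSNS program produces at most that many entries, which
 * is what the array is sized for. Guarded anyway so a runaway pc can never
 * write past the array.
 */
static void bpf_safe_regs(void)
{
	if (bpf_regs_len >= array_size(bpf_regs)) {
		rl_printf("register history full, not recording!\n");
		return;
	}

	memcpy(&bpf_regs[bpf_regs_len++], &bpf_curr, sizeof(bpf_curr));
}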
/*
 * Rewind the live state by |@off| history entries (@off is negative). Going
 * back to entry 0 is the same as a full reset; going past the start of the
 * history fails with a message and leaves the state untouched.
 */
static bool bpf_restore_regs(int off)
{
	unsigned int target = bpf_regs_len - 1 + off;

	if (target == 0) {
		bpf_reset();
		return true;
	}

	if (target < bpf_regs_len) {
		memcpy(&bpf_curr, &bpf_regs[target], sizeof(bpf_curr));
		bpf_regs_len = target;
		return true;
	}

	rl_printf("reached bottom of register history stack!\n");
	return false;
}
/* Network-order 32-bit load from @pkt at byte offset @off (caller has
 * bounds-checked @off); memcpy() keeps the access alignment-safe. */
static uint32_t extract_u32(uint8_t *pkt, uint32_t off)
{
	uint32_t be;

	memcpy(&be, pkt + off, sizeof(be));

	return ntohl(be);
}
/* Network-order 16-bit load from @pkt at byte offset @off (caller has
 * bounds-checked @off); memcpy() keeps the access alignment-safe. */
static uint16_t extract_u16(uint8_t *pkt, uint32_t off)
{
	uint16_t be;

	memcpy(&be, pkt + off, sizeof(be));

	return ntohs(be);
}
/* Byte load from @pkt at offset @off (caller has bounds-checked @off). */
static uint8_t extract_u8(uint8_t *pkt, uint32_t off)
{
	const uint8_t *p = pkt + off;

	return *p;
}
/* Terminate the program with verdict 0, the kernel's result for a failed
 * packet load or a division by zero. */
static void set_return(struct bpf_regs *r)
{
	r->Rs = true;
	r->R = 0;
}
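/*
 * True when @size bytes starting at packet offset @off lie inside the
 * @pkt_caplen captured bytes. Pure uint32_t arithmetic: the previous
 * `int d = pkt_caplen - K; if (d >= sizeof(...))` compared a possibly
 * negative int against a size_t, which turned e.g. -40 into a huge unsigned
 * value and let `ld [100]` on a 60-byte packet read past the packet (and
 * potentially past the pcap mapping).
 */
static bool pkt_load_ok(uint32_t pkt_caplen, uint32_t off, uint32_t size)
{
	return off <= pkt_caplen && pkt_caplen - off >= size;
}

/*
 * Execute the single instruction @f against registers @r and packet @pkt
 * (@pkt_caplen captured bytes, @pkt_len wire length). Only @r is updated;
 * the caller increments r->Pc afterwards, so jumps add their (unsigned,
 * forward) displacement here.
 *
 * Mirrors the kernel's classic BPF interpreter: a packet load that does not
 * fit ends the program with verdict 0 (set_return()), as does division or
 * modulo by zero. Loads only see the captured bytes, so on a capture with
 * caplen < len the debugger may reject a load the kernel, seeing the whole
 * packet, would have served. Indirect offsets are the wrapping uint32_t sum
 * X + K as before; negative offsets (SKF_NET_OFF & co.) are not emulated.
 * M[] indices are bounds-checked defensively; the kernel rejects
 * out-of-range ones at attach time, which bpf_runnable() relies on.
 *
 * Fixed here: `ldx #len` wrote A instead of X, and an out-of-range
 * `ld [x+k]` silently kept the old A instead of returning 0 like the
 * half-word and byte variants.
 */
static void bpf_single_step(struct bpf_regs *r, struct sock_filter *f,
			    uint8_t *pkt, uint32_t pkt_caplen,
			    uint32_t pkt_len)
{
	uint32_t K = f->k;
	uint32_t off;

	switch (f->code) {
	case BPF_RET | BPF_K:
		r->R = K;
		r->Rs = true;
		break;
	case BPF_RET | BPF_A:
		r->R = r->A;
		r->Rs = true;
		break;
	case BPF_RET | BPF_X:
		r->R = r->X;
		r->Rs = true;
		break;
	case BPF_MISC_TAX:
		r->X = r->A;
		break;
	case BPF_MISC_TXA:
		r->A = r->X;
		break;
	case BPF_ST:
		if (K < BPF_MEMWORDS)
			r->M[K] = r->A;
		else
			set_return(r);
		break;
	case BPF_STX:
		if (K < BPF_MEMWORDS)
			r->M[K] = r->X;
		else
			set_return(r);
		break;
	case BPF_LD_W | BPF_ABS:
		if (pkt_load_ok(pkt_caplen, K, sizeof(uint32_t)))
			r->A = extract_u32(pkt, K);
		else
			set_return(r);
		break;
	case BPF_LD_H | BPF_ABS:
		if (pkt_load_ok(pkt_caplen, K, sizeof(uint16_t)))
			r->A = extract_u16(pkt, K);
		else
			set_return(r);
		break;
	case BPF_LD_B | BPF_ABS:
		if (pkt_load_ok(pkt_caplen, K, sizeof(uint8_t)))
			r->A = extract_u8(pkt, K);
		else
			set_return(r);
		break;
	case BPF_LD_W | BPF_IND:
		off = r->X + K;
		if (pkt_load_ok(pkt_caplen, off, sizeof(uint32_t)))
			r->A = extract_u32(pkt, off);
		else
			set_return(r);	/* was missing for the word variant */
		break;
	case BPF_LD_H | BPF_IND:
		off = r->X + K;
		if (pkt_load_ok(pkt_caplen, off, sizeof(uint16_t)))
			r->A = extract_u16(pkt, off);
		else
			set_return(r);
		break;
	case BPF_LD_B | BPF_IND:
		off = r->X + K;
		if (pkt_load_ok(pkt_caplen, off, sizeof(uint8_t)))
			r->A = extract_u8(pkt, off);
		else
			set_return(r);
		break;
	case BPF_LDX_B | BPF_MSH:
		/* X = 4 * (pkt[K] & 0xf), the usual header-length idiom */
		if (pkt_load_ok(pkt_caplen, K, sizeof(uint8_t)))
			r->X = (extract_u8(pkt, K) & 0xf) << 2;
		else
			set_return(r);
		break;
	case BPF_LD_W | BPF_LEN:
		r->A = pkt_len;
		break;
	case BPF_LDX_W | BPF_LEN:
		r->X = pkt_len;	/* previously (wrongly) stored into A */
		break;
	case BPF_LD | BPF_IMM:
		r->A = K;
		break;
	case BPF_LDX | BPF_IMM:
		r->X = K;
		break;
	case BPF_LD | BPF_MEM:
		if (K < BPF_MEMWORDS)
			r->A = r->M[K];
		else
			set_return(r);
		break;
	case BPF_LDX | BPF_MEM:
		if (K < BPF_MEMWORDS)
			r->X = r->M[K];
		else
			set_return(r);
		break;
	case BPF_JMP_JA:
		r->Pc += K;
		break;
	case BPF_JMP_JGT | BPF_X:
		r->Pc += r->A > r->X ? f->jt : f->jf;
		break;
	case BPF_JMP_JGT | BPF_K:
		r->Pc += r->A > K ? f->jt : f->jf;
		break;
	case BPF_JMP_JGE | BPF_X:
		r->Pc += r->A >= r->X ? f->jt : f->jf;
		break;
	case BPF_JMP_JGE | BPF_K:
		r->Pc += r->A >= K ? f->jt : f->jf;
		break;
	case BPF_JMP_JEQ | BPF_X:
		r->Pc += r->A == r->X ? f->jt : f->jf;
		break;
	case BPF_JMP_JEQ | BPF_K:
		r->Pc += r->A == K ? f->jt : f->jf;
		break;
	case BPF_JMP_JSET | BPF_X:
		r->Pc += r->A & r->X ? f->jt : f->jf;
		break;
	case BPF_JMP_JSET | BPF_K:
		r->Pc += r->A & K ? f->jt : f->jf;
		break;
	case BPF_ALU_NEG:
		r->A = -r->A;
		break;
	/* NOTE(review): a shift count >= 32 is undefined behaviour in C and
	 * what the kernel yields for it is architecture dependent; no
	 * particular result is emulated here. */
	case BPF_ALU_LSH | BPF_X:
		r->A <<= r->X;
		break;
	case BPF_ALU_LSH | BPF_K:
		r->A <<= K;
		break;
	case BPF_ALU_RSH | BPF_X:
		r->A >>= r->X;
		break;
	case BPF_ALU_RSH | BPF_K:
		r->A >>= K;
		break;
	case BPF_ALU_ADD | BPF_X:
		r->A += r->X;
		break;
	case BPF_ALU_ADD | BPF_K:
		r->A += K;
		break;
	case BPF_ALU_SUB | BPF_X:
		r->A -= r->X;
		break;
	case BPF_ALU_SUB | BPF_K:
		r->A -= K;
		break;
	case BPF_ALU_MUL | BPF_X:
		r->A *= r->X;
		break;
	case BPF_ALU_MUL | BPF_K:
		r->A *= K;
		break;
	case BPF_ALU_DIV | BPF_X:
		if (r->X == 0)
			set_return(r);
		else
			r->A /= r->X;
		break;
	case BPF_ALU_DIV | BPF_K:
		if (K == 0)
			set_return(r);
		else
			r->A /= K;
		break;
	case BPF_ALU_MOD | BPF_X:
		if (r->X == 0)
			set_return(r);
		else
			r->A %= r->X;
		break;
	case BPF_ALU_MOD | BPF_K:
		if (K == 0)
			set_return(r);
		else
			r->A %= K;
		break;
	case BPF_ALU_AND | BPF_X:
		r->A &= r->X;
		break;
	case BPF_ALU_AND | BPF_K:
		r->A &= K;
		break;
	case BPF_ALU_OR | BPF_X:
		r->A |= r->X;
		break;
	case BPF_ALU_OR | BPF_K:
		r->A |= K;
		break;
	case BPF_ALU_XOR | BPF_X:
		r->A ^= r->X;
		break;
	case BPF_ALU_XOR | BPF_K:
		r->A ^= K;
		break;
	default:
		/* Not reached for a kernel-accepted program without
		 * extensions; abort loudly rather than skipping the insn
		 * and reporting a misleading verdict. */
		rl_printf("unsupported opcode %#x at pc %u, aborting!\n",
			  f->code, r->Pc);
		set_return(r);
		break;
	}
}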
/* True when a breakpoint is set at instruction index @pc. */
static bool bpf_pc_has_breakpoint(uint16_t pc)
{
	size_t slot;

	for (slot = 0; slot < array_size(bpf_breakpoints); slot++) {
		int bp = bpf_breakpoints[slot];

		if (bp >= 0 && bp == (int) pc)
			return true;
	}

	return false;
}
/*
 * Breakpoint hit at r->Pc: dump registers and the packet. Always returns
 * true, which the run loops take as "stop after this instruction".
 */
static bool bpf_handle_breakpoint(struct bpf_regs *r, struct sock_filter *f,
				  uint8_t *pkt, uint32_t pkt_caplen,
				  uint32_t pkt_len)
{
	struct sock_filter *insn = &f[r->Pc];

	rl_printf("-- register dump --\n");
	bpf_dump_curr(r, insn);
	rl_printf("-- packet dump --\n");
	bpf_dump_pkt(pkt, pkt_caplen, pkt_len);
	rl_printf("(breakpoint)\n");

	return true;
}
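/*
 * Run the loaded program over one packet until it returns or a breakpoint
 * is hit. Execution continues from bpf_curr, so calling this again after a
 * breakpoint resumes the same packet; a register snapshot is taken before
 * each instruction for `step -n`.
 *
 * @bpf_len bounds the pc: a kernel-accepted program never runs off its end,
 * but the parameter was previously unused and f[pc] read unchecked. An
 * out-of-range pc now ends the program with verdict 0.
 *
 * Returns -1 when stopped at a breakpoint, else the verdict. Note the
 * verdict is a uint32_t squeezed into an int: values with the top bit set
 * (e.g. `ret #-1`) also come back negative, so callers should consult
 * bpf_curr.Rs / bpf_curr.R to tell the two cases apart.
 */
static int bpf_run_all(struct sock_filter *f, uint16_t bpf_len, uint8_t *pkt,
		       uint32_t pkt_caplen, uint32_t pkt_len)
{
	bool stop = false;

	while (!bpf_curr.Rs && !stop) {
		if (bpf_curr.Pc >= bpf_len) {
			rl_printf("pc %u outside of program, aborting!\n",
				  bpf_curr.Pc);
			set_return(&bpf_curr);
			break;
		}

		bpf_safe_regs();

		if (bpf_pc_has_breakpoint(bpf_curr.Pc))
			stop = bpf_handle_breakpoint(&bpf_curr, f, pkt,
						     pkt_caplen, pkt_len);

		bpf_single_step(&bpf_curr, &f[bpf_curr.Pc], pkt, pkt_caplen,
				pkt_len);
		bpf_curr.Pc++;
	}

	return stop ? -1 : bpf_curr.R;
}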
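/*
 * Like bpf_run_all() but stops at the @next-th instruction executed in this
 * call (1 = the very next one), dumping the state there. Used by `step`;
 * since execution resumes from bpf_curr, repeated calls walk the program.
 *
 * @bpf_len bounds the pc as in bpf_run_all() (it was unused before).
 * Returns -1 when paused, else the verdict, with the same int/uint32_t
 * caveat as bpf_run_all(): check bpf_curr.Rs to tell the cases apart.
 */
static int bpf_run_stepping(struct sock_filter *f, uint16_t bpf_len,
			    uint8_t *pkt, uint32_t pkt_caplen,
			    uint32_t pkt_len, int next)
{
	bool stop = false;
	int executed = 1;

	while (!bpf_curr.Rs && !stop) {
		if (bpf_curr.Pc >= bpf_len) {
			rl_printf("pc %u outside of program, aborting!\n",
				  bpf_curr.Pc);
			set_return(&bpf_curr);
			break;
		}

		bpf_safe_regs();

		if (executed++ == next)
			stop = bpf_handle_breakpoint(&bpf_curr, f, pkt,
						     pkt_caplen, pkt_len);

		bpf_single_step(&bpf_curr, &f[bpf_curr.Pc], pkt, pkt_caplen,
				pkt_len);
		bpf_curr.Pc++;
	}

	return stop ? -1 : bpf_curr.R;
}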
/* True when a pcap is mapped; prints a hint to the user otherwise. */
static bool pcap_loaded(void)
{
	bool loaded = pcap_fd >= 0;

	if (!loaded)
		rl_printf("no pcap file loaded!\n");

	return loaded;
}
/* Header of the current packet record; its data follows the header. */
static struct pcap_pkthdr *pcap_curr_pkt(void)
{
	struct pcap_pkthdr *hdr = (struct pcap_pkthdr *) pcap_ptr_va_curr;

	return hdr;
}
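/*
 * True when a complete packet record (header plus caplen bytes of data)
 * with sane lengths starts at @pos inside the mapping.
 */
static bool pcap_pkt_fits(const char *pos)
{
	const struct pcap_pkthdr *hdr;
	size_t off;

	if (pos == NULL)
		return false;

	off = pos - pcap_ptr_va_start;
	if (off > pcap_map_size || pcap_map_size - off < sizeof(*hdr))
		return false;

	hdr = (const void *) pos;
	if (hdr->caplen == 0 || hdr->len == 0 || hdr->caplen > hdr->len)
		return false;

	return pcap_map_size - off - sizeof(*hdr) >= hdr->caplen;
}

/*
 * Advance to the next packet record. Returns false, leaving the position
 * untouched, when the current record is malformed or no complete record
 * follows it.
 *
 * The destination is validated before the move. Previously only the current
 * record was checked, so on a file with a few trailing bytes after the last
 * record the cursor was placed on those bytes and cmd_run()/cmd_step() then
 * read a packet header (and caplen bytes of "data") beyond the mapping.
 */
static bool pcap_next_pkt(void)
{
	struct pcap_pkthdr *hdr = pcap_curr_pkt();
	char *next;

	if (!pcap_pkt_fits(pcap_ptr_va_curr))
		return false;

	next = pcap_ptr_va_curr + sizeof(*hdr) + hdr->caplen;
	if (!pcap_pkt_fits(next))
		return false;

	pcap_ptr_va_curr = next;
	return true;
}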
/* Rewind to the first packet record, right behind the file header. */
static void pcap_reset_pkt(void)
{
	char *first = pcap_ptr_va_start;

	first += sizeof(struct pcap_filehdr);
	pcap_ptr_va_curr = first;
}
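/*
 * Open and mmap a pcap file read-only and position the cursor on its first
 * packet. On success pcap_fd, pcap_ptr_va_* and pcap_map_size describe the
 * mapping and CMD_OK is returned.
 *
 * Every failure path releases what was acquired and leaves pcap_fd at -1.
 * Previously a file with e.g. a wrong magic stayed open and counted as
 * loaded (pcap_loaded() returned true) while pcap_ptr_va_curr was never
 * set, so the next `run` or `step` dereferenced a stale or NULL packet
 * pointer. The file must also contain at least one complete packet record
 * with sane lengths, because callers read the first header unchecked.
 *
 * Only the native-endian classic magic is accepted.
 */
static int try_load_pcap(const char *file)
{
	const struct pcap_filehdr *hdr;
	const struct pcap_pkthdr *pkt;
	struct stat sb;

	pcap_fd = open(file, O_RDONLY);
	if (pcap_fd < 0) {
		rl_printf("cannot open pcap [%s]!\n", strerror(errno));
		return CMD_ERR;
	}

	if (fstat(pcap_fd, &sb) < 0) {
		rl_printf("cannot fstat pcap file!\n");
		goto err_close;
	}
	if (!S_ISREG(sb.st_mode)) {
		rl_printf("not a regular pcap file, duh!\n");
		goto err_close;
	}

	pcap_map_size = sb.st_size;
	if (pcap_map_size < sizeof(*hdr) + sizeof(*pkt)) {
		rl_printf("pcap file too small!\n");
		goto err_close;
	}

	/* MAP_LOCKED is subject to RLIMIT_MEMLOCK, so large captures may be
	 * refused here for unprivileged users; the error now says why. */
	pcap_ptr_va_start = mmap(NULL, pcap_map_size, PROT_READ,
				 MAP_SHARED | MAP_LOCKED, pcap_fd, 0);
	if (pcap_ptr_va_start == MAP_FAILED) {
		rl_printf("mmap of file failed [%s]!\n", strerror(errno));
		pcap_ptr_va_start = NULL;
		goto err_close;
	}

	hdr = (const void *) pcap_ptr_va_start;
	if (hdr->magic != TCPDUMP_MAGIC) {
		rl_printf("wrong pcap magic!\n");
		goto err_unmap;
	}

	pkt = (const void *) (pcap_ptr_va_start + sizeof(*hdr));
	if (pkt->caplen == 0 || pkt->len == 0 || pkt->caplen > pkt->len ||
	    pkt->caplen > pcap_map_size - sizeof(*hdr) - sizeof(*pkt)) {
		rl_printf("first pcap packet record is truncated or malformed!\n");
		goto err_unmap;
	}

	pcap_reset_pkt();
	return CMD_OK;

err_unmap:
	munmap(pcap_ptr_va_start, pcap_map_size);
	pcap_ptr_va_start = NULL;
err_close:
	close(pcap_fd);
	pcap_fd = -1;
	pcap_map_size = 0;
	return CMD_ERR;
}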
/* Unmap and close the current pcap, if any, and clear all pcap state. */
static void try_close_pcap(void)
{
	if (pcap_fd < 0)
		return;

	munmap(pcap_ptr_va_start, pcap_map_size);
	close(pcap_fd);

	pcap_fd = -1;
	pcap_map_size = 0;
	pcap_packet = 0;
	pcap_ptr_va_start = NULL;
	pcap_ptr_va_curr = NULL;
}
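/*
 * `load bpf <len>,<code> <jt> <jf> <k>,...`: parse a program in the
 * `bpf_asm` / `tcpdump -ddd` comma-separated encoding into bpf_image and
 * have the kernel validate it via bpf_runnable(). The instruction count
 * must be 1..BPF_MAXINSNS and match the number of instructions given.
 *
 * Any previously loaded program is discarded first. bpf_prog_len is only
 * set once the program is accepted, and a program the kernel (or the
 * debugger) rejects now yields CMD_ERR instead of CMD_OK, so that the
 * failed load is neither reported as success nor kept in the history.
 */
static int cmd_load_bpf(char *bpf_string)
{
	char sp, *token, separator = ',';
	unsigned short bpf_len, i = 0;
	struct sock_filter tmp;

	bpf_prog_len = 0;
	memset(bpf_image, 0, sizeof(bpf_image));

	if (sscanf(bpf_string, "%hu%c", &bpf_len, &sp) != 2 ||
	    sp != separator || bpf_len > BPF_MAXINSNS || bpf_len == 0) {
		rl_printf("syntax error in head length encoding!\n");
		return CMD_ERR;
	}

	token = bpf_string;
	while ((token = strchr(token, separator)) && (++token)[0]) {
		if (i >= bpf_len) {
			rl_printf("program exceeds encoded length!\n");
			return CMD_ERR;
		}
		if (sscanf(token, "%hu %hhu %hhu %u,",
			   &tmp.code, &tmp.jt, &tmp.jf, &tmp.k) != 4) {
			rl_printf("syntax error at instruction %d!\n", i);
			return CMD_ERR;
		}
		bpf_image[i++] = tmp;
	}

	if (i != bpf_len) {
		rl_printf("syntax error exceeding encoded length!\n");
		return CMD_ERR;
	}

	if (!bpf_runnable(bpf_image, bpf_len))
		return CMD_ERR;	/* bpf_prog_len stays 0 */

	bpf_prog_len = bpf_len;
	return CMD_OK;
}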
/*
 * `load pcap <file>`: take the first whitespace-delimited word of @file as
 * the path, drop any currently loaded pcap and map the new one.
 */
static int cmd_load_pcap(char *file)
{
	char *save, *path = strtok_r(file, " ", &save);

	if (path == NULL)
		return CMD_ERR;

	try_close_pcap();

	return try_load_pcap(path);
}
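/*
 * `load bpf ...` / `load pcap ...` dispatcher (prefixes of the sub-command
 * are accepted, see matches()). Loading a program also clears the register
 * state and all breakpoints. Prints usage and returns CMD_ERR for anything
 * else.
 *
 * The strdup() result is checked now; on failure strtok_r() was previously
 * handed a NULL string together with an uninitialised save pointer.
 */
static int cmd_load(char *arg)
{
	char *subcmd, *cont, *tmp;
	int ret = CMD_ERR;

	tmp = strdup(arg);
	if (tmp == NULL) {
		rl_printf("out of memory!\n");
		return CMD_ERR;
	}

	subcmd = strtok_r(tmp, " ", &cont);
	if (subcmd != NULL && matches(subcmd, "bpf") == 0) {
		bpf_reset();
		bpf_reset_breakpoints();
		ret = cmd_load_bpf(cont);
	} else if (subcmd != NULL && matches(subcmd, "pcap") == 0) {
		ret = cmd_load_pcap(cont);
	} else {
		rl_printf("bpf <code>: load bpf code\n");
		rl_printf("pcap <file>: load pcap file\n");
	}

	free(tmp);
	return ret;
}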
/*
 * `step [+n|-n]`: execute the program on the current packet up to the n-th
 * instruction from here and dump the state there (default 1). A negative
 * count rewinds the register history by that many entries first and then
 * steps once. When the program has returned, state is reset and the cursor
 * moves to the next packet (wrapping to the first one).
 */
static int cmd_step(char *num)
{
	struct pcap_pkthdr *hdr;
	int steps, ret;

	if (!bpf_prog_loaded() || !pcap_loaded())
		return CMD_ERR;

	steps = strtol(num, NULL, 10);
	if (strlen(num) == 0 || steps == 0) {
		steps = 1;
	} else if (steps < 0) {
		if (!bpf_restore_regs(steps))
			return CMD_ERR;
		steps = 1;
	}

	hdr = pcap_curr_pkt();
	ret = bpf_run_stepping(bpf_image, bpf_prog_len,
			       (uint8_t *) hdr + sizeof(*hdr),
			       hdr->caplen, hdr->len, steps);

	/* paused mid-program: keep the state for the next step */
	if (ret < 0 && !bpf_curr.Rs)
		return CMD_OK;

	bpf_reset();
	if (pcap_next_pkt()) {
		rl_printf("(next packet)\n");
	} else {
		rl_printf("(going back to first packet)\n");
		pcap_reset_pkt();
	}

	return CMD_OK;
}
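/*
 * `select <n>`: make packet number @n (1-based) the current one and reset
 * the register state; fails and rewinds to the first packet when the file
 * has fewer packets.
 *
 * The loop now advances n-1 times from the first packet. It used to advance
 * n times, so `select 1` landed on packet 2 and packet 1 was unreachable,
 * contrary to the usage text in the file header.
 */
static int cmd_select(char *num)
{
	unsigned int which, i;
	bool have_next = true;

	if (!pcap_loaded() || strlen(num) == 0)
		return CMD_ERR;

	which = strtoul(num, NULL, 10);
	if (which == 0) {
		rl_printf("packet count starts with 1, clamping!\n");
		which = 1;
	}

	pcap_reset_pkt();
	bpf_reset();

	for (i = 1; i < which && (have_next = pcap_next_pkt()); i++)
		/* noop */;

	if (!have_next || pcap_curr_pkt() == NULL) {
		rl_printf("no packet #%u available!\n", which);
		pcap_reset_pkt();
		return CMD_ERR;
	}

	return CMD_OK;
}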
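/*
 * `breakpoint` lists breakpoints, `breakpoint reset` clears them,
 * `breakpoint <n>` sets one at instruction index n and shows that insn.
 *
 * Non-numeric arguments and out-of-range indices are now reported; before,
 * `breakpoint foo` parsed as 0 and silently set a breakpoint on the first
 * instruction, and an index past the program was silently ignored.
 */
static int cmd_breakpoint(char *subcmd)
{
	if (!bpf_prog_loaded())
		return CMD_ERR;

	if (strlen(subcmd) == 0) {
		bpf_dump_breakpoints();
	} else if (matches(subcmd, "reset") == 0) {
		bpf_reset_breakpoints();
	} else {
		char *end;
		unsigned long where = strtoul(subcmd, &end, 10);

		if (end == subcmd) {
			rl_printf("expected an instruction number or `reset`!\n");
			return CMD_ERR;
		}
		if (where >= bpf_prog_len) {
			rl_printf("no instruction %lu, program has %u instructions!\n",
				  where, bpf_prog_len);
			return CMD_ERR;
		}

		bpf_set_breakpoints(where);
		rl_printf("breakpoint at: ");
		bpf_disasm(bpf_image[where], where);
	}

	return CMD_OK;
}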
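/*
 * `run [n]`: run the program over the next n packets (all remaining when n
 * is 0 or absent) starting at the current one, counting non-zero verdicts
 * as passes and zero as fails. Stopping at a breakpoint returns at once
 * with state and counters kept, so the next `run` resumes that packet;
 * otherwise the totals are printed and everything is rewound.
 *
 * Whether the program finished is now decided on bpf_curr.Rs instead of the
 * sign of bpf_run_all()'s int return value: the verdict is a uint32_t, so
 * values with the top bit set (e.g. `ret #-1`, a common "accept") came back
 * negative and were mistaken for a breakpoint stop -- the packet was never
 * counted and the run silently ended.
 */
static int cmd_run(char *num)
{
	static uint32_t pass, fail;
	bool has_limit = true;
	int pkts = 0, i = 0;

	if (!bpf_prog_loaded() || !pcap_loaded())
		return CMD_ERR;

	pkts = strtol(num, NULL, 10);
	if (pkts == 0 || strlen(num) == 0)
		has_limit = false;

	do {
		struct pcap_pkthdr *hdr = pcap_curr_pkt();

		bpf_run_all(bpf_image, bpf_prog_len,
			    (uint8_t *) hdr + sizeof(*hdr),
			    hdr->caplen, hdr->len);
		if (!bpf_curr.Rs)
			return CMD_OK;	/* breakpoint: resume later */

		if (bpf_curr.R > 0)
			pass++;
		else
			fail++;

		bpf_reset();
	} while (pcap_next_pkt() && (!has_limit || ++i < pkts));

	rl_printf("bpf passes:%u fails:%u\n", pass, fail);

	pcap_reset_pkt();
	bpf_reset();
	pass = fail = 0;

	return CMD_OK;
}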
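/*
 * `disassemble [n]`: print instruction n, or the whole program when no
 * valid index is given.
 *
 * A non-numeric argument used to parse as 0 and show only line 0; it now
 * falls back to the full listing like an out-of-range index does.
 */
static int cmd_disassemble(char *line_string)
{
	if (!bpf_prog_loaded())
		return CMD_ERR;

	if (strlen(line_string) > 0) {
		char *end;
		unsigned long line = strtoul(line_string, &end, 10);

		if (end != line_string && line < bpf_prog_len) {
			bpf_disasm(bpf_image[line], line);
			return CMD_OK;
		}
	}

	bpf_disasm_all(bpf_image, bpf_prog_len);
	return CMD_OK;
}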
/* `dump`: print the program as C initializer lines; argument ignored. */
static int cmd_dump(char *dontcare)
{
	if (bpf_prog_loaded()) {
		bpf_dump_all(bpf_image, bpf_prog_len);
		return CMD_OK;
	}

	return CMD_ERR;
}
/* `quit`: tell run_shell_loop() to exit; argument ignored. */
static int cmd_quit(char *dontcare)
{
	int ret = CMD_EX;

	return ret;
}
/* Shell command table; execf() dispatches on the exact command word and
 * shell_comp_gen() completes on these names. */
static const struct shell_cmd cmds[] = {
	{ .name = "load", .func = cmd_load },
	{ .name = "select", .func = cmd_select },
	{ .name = "step", .func = cmd_step },
	{ .name = "run", .func = cmd_run },
	{ .name = "breakpoint", .func = cmd_breakpoint },
	{ .name = "disassemble", .func = cmd_disassemble },
	{ .name = "dump", .func = cmd_dump },
	{ .name = "quit", .func = cmd_quit },
};
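/*
 * Execute one input line: the first word must exactly name a command in
 * cmds[]; the rest of the line is passed to its handler. An empty line is a
 * no-op (CMD_OK).
 *
 * Unknown commands are now reported and yield CMD_ERR; they used to be
 * silently accepted as CMD_OK and therefore recorded in the history. The
 * strdup() result is checked as well.
 */
static int execf(char *arg)
{
	char *cmd, *cont, *tmp;
	size_t i;
	int ret = CMD_OK;

	tmp = strdup(arg);
	if (tmp == NULL) {
		rl_printf("out of memory!\n");
		return CMD_ERR;
	}

	cmd = strtok_r(tmp, " ", &cont);
	if (cmd == NULL)
		goto out;

	for (i = 0; i < array_size(cmds); i++) {
		if (strcmp(cmds[i].name, cmd) == 0) {
			ret = cmds[i].func(cont);
			goto out;
		}
	}

	rl_printf("unknown command `%s`!\n", cmd);
	ret = CMD_ERR;
out:
	free(tmp);
	return ret;
}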
/*
 * readline completion generator: with @state 0 restart the scan of cmds[],
 * then return one strdup()ed command name starting with @buf per call (the
 * caller frees it), NULL when exhausted.
 */
static char *shell_comp_gen(const char *buf, int state)
{
	static int list_index, len;

	if (state == 0) {
		list_index = 0;
		len = strlen(buf);
	}

	while (list_index < (int) array_size(cmds)) {
		const char *candidate = cmds[list_index++].name;

		if (strncmp(candidate, buf, len) == 0)
			return strdup(candidate);
	}

	return NULL;
}
/* Complete command names only at the start of the line; @end unused. */
static char **shell_completion(const char *buf, int start, int end)
{
	if (start != 0)
		return NULL;

	return rl_completion_matches(buf, shell_comp_gen);
}
/*
 * SIGINT handler installed by init_shell(): discard the partially typed
 * line and redraw the prompt instead of terminating the debugger.
 *
 * NOTE(review): this drives readline from inside a signal handler while
 * init_shell() sets rl_catch_signals = 0; as far as I know readline does
 * not promise async-signal-safety for these calls, so a SIGINT landing
 * mid-update may leave its state inconsistent. Treat as best effort.
 */
static void intr_shell(int sig)
{
	if (rl_end)
		rl_kill_line(-1, 0);
	rl_crlf();
	rl_refresh_line(0, 0);
	rl_free_line_state();
}
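/*
 * Set up readline on @fin/@fout: load the history and init file from $HOME,
 * register completion, key bindings and the SIGINT handler.
 *
 * $HOME may be unset, and "%s" with a NULL argument is undefined behaviour;
 * a home path longer than the buffer would also have been silently cut,
 * making the debugger read (and later write) a different file than
 * intended. Both cases now simply skip the per-user files.
 */
static void init_shell(FILE *fin, FILE *fout)
{
	const char *home = getenv("HOME");
	char file[1024];
	int n;

	if (home != NULL) {
		n = snprintf(file, sizeof(file), "%s/.bpf_dbg_history", home);
		if (n > 0 && (size_t) n < sizeof(file))
			read_history(file);
	}

	rl_instream = fin;
	rl_outstream = fout;
	rl_readline_name = "bpf_dbg";
	rl_terminal_name = getenv("TERM");

	rl_catch_signals = 0;
	rl_catch_sigwinch = 1;

	rl_attempted_completion_function = shell_completion;

	rl_bind_key('\t', rl_complete);
	rl_bind_key_in_map('\t', rl_complete, emacs_meta_keymap);
	rl_bind_key_in_map('\033', rl_complete, emacs_meta_keymap);

	if (home != NULL) {
		n = snprintf(file, sizeof(file), "%s/.bpf_dbg_init", home);
		if (n > 0 && (size_t) n < sizeof(file))
			rl_read_init_file(file);
	}

	rl_prep_terminal(0);
	rl_set_signals();

	signal(SIGINT, intr_shell);
}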
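/*
 * Tear down: save the history to $HOME, restore the terminal, release the
 * pcap and close the streams that main() opened.
 *
 * As in init_shell(), an unset $HOME (NULL into "%s") or a path that does
 * not fit the buffer now skips the history file instead of writing to an
 * undefined or truncated path.
 */
static void exit_shell(FILE *fin, FILE *fout)
{
	const char *home = getenv("HOME");
	char file[1024];
	int n;

	if (home != NULL) {
		n = snprintf(file, sizeof(file), "%s/.bpf_dbg_history", home);
		if (n > 0 && (size_t) n < sizeof(file))
			write_history(file);
	}
	clear_history();

	rl_deprep_terminal();
	try_close_pcap();

	if (fin != stdin)
		fclose(fin);
	if (fout != stdout)
		fclose(fout);
}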
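/*
 * Read-eval loop: prompt with readline until EOF or `quit`, executing each
 * line via execf() and adding successful non-empty lines to the history.
 * Always returns 0.
 *
 * The line buffer is now freed on the `quit` path too (it leaked before).
 */
static int run_shell_loop(FILE *fin, FILE *fout)
{
	char *line;

	init_shell(fin, fout);

	while ((line = readline("> ")) != NULL) {
		int ret = execf(line);

		if (ret == CMD_OK && line[0] != '\0')
			add_history(line);
		free(line);

		if (ret == CMD_EX)
			break;
	}

	exit_shell(fin, fout);
	return 0;
}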
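/*
 * Usage: bpf_dbg [command-file [output-file]]. Without arguments the shell
 * runs interactively on stdin/stdout.
 *
 * A file that cannot be opened is now an error: previously fopen() failures
 * were ignored and the debugger silently fell back to an interactive
 * session, which is confusing for a mistyped script path and wrong for
 * non-interactive use.
 */
int main(int argc, char **argv)
{
	FILE *fin = stdin, *fout = stdout;

	if (argc >= 2) {
		fin = fopen(argv[1], "r");
		if (fin == NULL) {
			fprintf(stderr, "cannot open command file %s: %s\n",
				argv[1], strerror(errno));
			return EXIT_FAILURE;
		}
	}
	if (argc >= 3) {
		fout = fopen(argv[2], "w");
		if (fout == NULL) {
			fprintf(stderr, "cannot open output file %s: %s\n",
				argv[2], strerror(errno));
			fclose(fin);
			return EXIT_FAILURE;
		}
	}

	return run_shell_loop(fin, fout);
}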