1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Minimal BPF debugger
4 *
5 * Minimal BPF debugger that mimics the kernel's engine (w/o extensions)
6 * and allows for single stepping through selected packets from a pcap
7 * with a provided user filter in order to facilitate verification of a
8 * BPF program. Besides others, this is useful to verify BPF programs
9 * before attaching to a live system, and can be used in socket filters,
10 * cls_bpf, xt_bpf, team driver and e.g. PTP code; in particular when a
11 * single more complex BPF program is being used. Reasons for a more
12 * complex BPF program are likely primarily to optimize execution time
13 * for making a verdict when multiple simple BPF programs are combined
14 * into one in order to prevent parsing same headers multiple times.
15 *
16 * More on how to debug BPF opcodes see Documentation/networking/filter.rst
17 * which is the main document on BPF. Mini howto for getting started:
18 *
19 * 1) `./bpf_dbg` to enter the shell (shell cmds denoted with '>'):
20 * 2) > load bpf 6,40 0 0 12,21 0 3 20... (output from `bpf_asm` or
21 * `tcpdump -iem1 -ddd port 22 | tr '\n' ','` to load as filter)
22 * 3) > load pcap foo.pcap
23 * 4) > run <n>/disassemble/dump/quit (self-explanatory)
24 * 5) > breakpoint 2 (sets bp at loaded BPF insns 2, do `run` then;
25 * multiple bps can be set, of course, a call to `breakpoint`
26 * w/o args shows currently loaded bps, `breakpoint reset` for
27 * resetting all breakpoints)
28 * 6) > select 3 (`run` etc will start from the 3rd packet in the pcap)
29 * 7) > step [-<n>, +<n>] (performs single stepping through the BPF)
30 *
31 * Copyright 2013 Daniel Borkmann <borkmann@redhat.com>
32 */
33
34 #include <stdio.h>
35 #include <unistd.h>
36 #include <stdlib.h>
37 #include <ctype.h>
38 #include <stdbool.h>
39 #include <stdarg.h>
40 #include <setjmp.h>
41 #include <linux/filter.h>
42 #include <linux/if_packet.h>
43 #include <readline/readline.h>
44 #include <readline/history.h>
45 #include <sys/types.h>
46 #include <sys/socket.h>
47 #include <sys/stat.h>
48 #include <sys/mman.h>
49 #include <fcntl.h>
50 #include <errno.h>
51 #include <signal.h>
52 #include <arpa/inet.h>
53 #include <net/ethernet.h>
54
55 #define TCPDUMP_MAGIC 0xa1b2c3d4
56
57 #define BPF_LDX_B (BPF_LDX | BPF_B)
58 #define BPF_LDX_W (BPF_LDX | BPF_W)
59 #define BPF_JMP_JA (BPF_JMP | BPF_JA)
60 #define BPF_JMP_JEQ (BPF_JMP | BPF_JEQ)
61 #define BPF_JMP_JGT (BPF_JMP | BPF_JGT)
62 #define BPF_JMP_JGE (BPF_JMP | BPF_JGE)
63 #define BPF_JMP_JSET (BPF_JMP | BPF_JSET)
64 #define BPF_ALU_ADD (BPF_ALU | BPF_ADD)
65 #define BPF_ALU_SUB (BPF_ALU | BPF_SUB)
66 #define BPF_ALU_MUL (BPF_ALU | BPF_MUL)
67 #define BPF_ALU_DIV (BPF_ALU | BPF_DIV)
68 #define BPF_ALU_MOD (BPF_ALU | BPF_MOD)
69 #define BPF_ALU_NEG (BPF_ALU | BPF_NEG)
70 #define BPF_ALU_AND (BPF_ALU | BPF_AND)
71 #define BPF_ALU_OR (BPF_ALU | BPF_OR)
72 #define BPF_ALU_XOR (BPF_ALU | BPF_XOR)
73 #define BPF_ALU_LSH (BPF_ALU | BPF_LSH)
74 #define BPF_ALU_RSH (BPF_ALU | BPF_RSH)
75 #define BPF_MISC_TAX (BPF_MISC | BPF_TAX)
76 #define BPF_MISC_TXA (BPF_MISC | BPF_TXA)
77 #define BPF_LD_B (BPF_LD | BPF_B)
78 #define BPF_LD_H (BPF_LD | BPF_H)
79 #define BPF_LD_W (BPF_LD | BPF_W)
80
81 #ifndef array_size
82 # define array_size(x) (sizeof(x) / sizeof((x)[0]))
83 #endif
84
85 #ifndef __check_format_printf
86 # define __check_format_printf(pos_fmtstr, pos_fmtargs) \
87 __attribute__ ((format (printf, (pos_fmtstr), (pos_fmtargs))))
88 #endif
89
90 enum {
91 CMD_OK,
92 CMD_ERR,
93 CMD_EX,
94 };
95
96 struct shell_cmd {
97 const char *name;
98 int (*func)(char *args);
99 };
100
101 struct pcap_filehdr {
102 uint32_t magic;
103 uint16_t version_major;
104 uint16_t version_minor;
105 int32_t thiszone;
106 uint32_t sigfigs;
107 uint32_t snaplen;
108 uint32_t linktype;
109 };
110
111 struct pcap_timeval {
112 int32_t tv_sec;
113 int32_t tv_usec;
114 };
115
116 struct pcap_pkthdr {
117 struct pcap_timeval ts;
118 uint32_t caplen;
119 uint32_t len;
120 };
121
122 struct bpf_regs {
123 uint32_t A;
124 uint32_t X;
125 uint32_t M[BPF_MEMWORDS];
126 uint32_t R;
127 bool Rs;
128 uint16_t Pc;
129 };
130
131 static struct sock_filter bpf_image[BPF_MAXINSNS + 1];
132 static unsigned int bpf_prog_len;
133
134 static int bpf_breakpoints[64];
135 static struct bpf_regs bpf_regs[BPF_MAXINSNS + 1];
136 static struct bpf_regs bpf_curr;
137 static unsigned int bpf_regs_len;
138
139 static int pcap_fd = -1;
140 static unsigned int pcap_packet;
141 static size_t pcap_map_size;
142 static char *pcap_ptr_va_start, *pcap_ptr_va_curr;
143
144 static const char * const op_table[] = {
145 [BPF_ST] = "st",
146 [BPF_STX] = "stx",
147 [BPF_LD_B] = "ldb",
148 [BPF_LD_H] = "ldh",
149 [BPF_LD_W] = "ld",
150 [BPF_LDX] = "ldx",
151 [BPF_LDX_B] = "ldxb",
152 [BPF_JMP_JA] = "ja",
153 [BPF_JMP_JEQ] = "jeq",
154 [BPF_JMP_JGT] = "jgt",
155 [BPF_JMP_JGE] = "jge",
156 [BPF_JMP_JSET] = "jset",
157 [BPF_ALU_ADD] = "add",
158 [BPF_ALU_SUB] = "sub",
159 [BPF_ALU_MUL] = "mul",
160 [BPF_ALU_DIV] = "div",
161 [BPF_ALU_MOD] = "mod",
162 [BPF_ALU_NEG] = "neg",
163 [BPF_ALU_AND] = "and",
164 [BPF_ALU_OR] = "or",
165 [BPF_ALU_XOR] = "xor",
166 [BPF_ALU_LSH] = "lsh",
167 [BPF_ALU_RSH] = "rsh",
168 [BPF_MISC_TAX] = "tax",
169 [BPF_MISC_TXA] = "txa",
170 [BPF_RET] = "ret",
171 };
172
rl_printf(const char * fmt,...)173 static __check_format_printf(1, 2) int rl_printf(const char *fmt, ...)
174 {
175 int ret;
176 va_list vl;
177
178 va_start(vl, fmt);
179 ret = vfprintf(rl_outstream, fmt, vl);
180 va_end(vl);
181
182 return ret;
183 }
184
matches(const char * cmd,const char * pattern)185 static int matches(const char *cmd, const char *pattern)
186 {
187 int len = strlen(cmd);
188
189 if (len > strlen(pattern))
190 return -1;
191
192 return memcmp(pattern, cmd, len);
193 }
194
hex_dump(const uint8_t * buf,size_t len)195 static void hex_dump(const uint8_t *buf, size_t len)
196 {
197 int i;
198
199 rl_printf("%3u: ", 0);
200 for (i = 0; i < len; i++) {
201 if (i && !(i % 16))
202 rl_printf("\n%3u: ", i);
203 rl_printf("%02x ", buf[i]);
204 }
205 rl_printf("\n");
206 }
207
bpf_prog_loaded(void)208 static bool bpf_prog_loaded(void)
209 {
210 if (bpf_prog_len == 0)
211 rl_printf("no bpf program loaded!\n");
212
213 return bpf_prog_len > 0;
214 }
215
bpf_disasm(const struct sock_filter f,unsigned int i)216 static void bpf_disasm(const struct sock_filter f, unsigned int i)
217 {
218 const char *op, *fmt;
219 int val = f.k;
220 char buf[256];
221
222 switch (f.code) {
223 case BPF_RET | BPF_K:
224 op = op_table[BPF_RET];
225 fmt = "#%#x";
226 break;
227 case BPF_RET | BPF_A:
228 op = op_table[BPF_RET];
229 fmt = "a";
230 break;
231 case BPF_RET | BPF_X:
232 op = op_table[BPF_RET];
233 fmt = "x";
234 break;
235 case BPF_MISC_TAX:
236 op = op_table[BPF_MISC_TAX];
237 fmt = "";
238 break;
239 case BPF_MISC_TXA:
240 op = op_table[BPF_MISC_TXA];
241 fmt = "";
242 break;
243 case BPF_ST:
244 op = op_table[BPF_ST];
245 fmt = "M[%d]";
246 break;
247 case BPF_STX:
248 op = op_table[BPF_STX];
249 fmt = "M[%d]";
250 break;
251 case BPF_LD_W | BPF_ABS:
252 op = op_table[BPF_LD_W];
253 fmt = "[%d]";
254 break;
255 case BPF_LD_H | BPF_ABS:
256 op = op_table[BPF_LD_H];
257 fmt = "[%d]";
258 break;
259 case BPF_LD_B | BPF_ABS:
260 op = op_table[BPF_LD_B];
261 fmt = "[%d]";
262 break;
263 case BPF_LD_W | BPF_LEN:
264 op = op_table[BPF_LD_W];
265 fmt = "#len";
266 break;
267 case BPF_LD_W | BPF_IND:
268 op = op_table[BPF_LD_W];
269 fmt = "[x+%d]";
270 break;
271 case BPF_LD_H | BPF_IND:
272 op = op_table[BPF_LD_H];
273 fmt = "[x+%d]";
274 break;
275 case BPF_LD_B | BPF_IND:
276 op = op_table[BPF_LD_B];
277 fmt = "[x+%d]";
278 break;
279 case BPF_LD | BPF_IMM:
280 op = op_table[BPF_LD_W];
281 fmt = "#%#x";
282 break;
283 case BPF_LDX | BPF_IMM:
284 op = op_table[BPF_LDX];
285 fmt = "#%#x";
286 break;
287 case BPF_LDX_B | BPF_MSH:
288 op = op_table[BPF_LDX_B];
289 fmt = "4*([%d]&0xf)";
290 break;
291 case BPF_LD | BPF_MEM:
292 op = op_table[BPF_LD_W];
293 fmt = "M[%d]";
294 break;
295 case BPF_LDX | BPF_MEM:
296 op = op_table[BPF_LDX];
297 fmt = "M[%d]";
298 break;
299 case BPF_JMP_JA:
300 op = op_table[BPF_JMP_JA];
301 fmt = "%d";
302 val = i + 1 + f.k;
303 break;
304 case BPF_JMP_JGT | BPF_X:
305 op = op_table[BPF_JMP_JGT];
306 fmt = "x";
307 break;
308 case BPF_JMP_JGT | BPF_K:
309 op = op_table[BPF_JMP_JGT];
310 fmt = "#%#x";
311 break;
312 case BPF_JMP_JGE | BPF_X:
313 op = op_table[BPF_JMP_JGE];
314 fmt = "x";
315 break;
316 case BPF_JMP_JGE | BPF_K:
317 op = op_table[BPF_JMP_JGE];
318 fmt = "#%#x";
319 break;
320 case BPF_JMP_JEQ | BPF_X:
321 op = op_table[BPF_JMP_JEQ];
322 fmt = "x";
323 break;
324 case BPF_JMP_JEQ | BPF_K:
325 op = op_table[BPF_JMP_JEQ];
326 fmt = "#%#x";
327 break;
328 case BPF_JMP_JSET | BPF_X:
329 op = op_table[BPF_JMP_JSET];
330 fmt = "x";
331 break;
332 case BPF_JMP_JSET | BPF_K:
333 op = op_table[BPF_JMP_JSET];
334 fmt = "#%#x";
335 break;
336 case BPF_ALU_NEG:
337 op = op_table[BPF_ALU_NEG];
338 fmt = "";
339 break;
340 case BPF_ALU_LSH | BPF_X:
341 op = op_table[BPF_ALU_LSH];
342 fmt = "x";
343 break;
344 case BPF_ALU_LSH | BPF_K:
345 op = op_table[BPF_ALU_LSH];
346 fmt = "#%d";
347 break;
348 case BPF_ALU_RSH | BPF_X:
349 op = op_table[BPF_ALU_RSH];
350 fmt = "x";
351 break;
352 case BPF_ALU_RSH | BPF_K:
353 op = op_table[BPF_ALU_RSH];
354 fmt = "#%d";
355 break;
356 case BPF_ALU_ADD | BPF_X:
357 op = op_table[BPF_ALU_ADD];
358 fmt = "x";
359 break;
360 case BPF_ALU_ADD | BPF_K:
361 op = op_table[BPF_ALU_ADD];
362 fmt = "#%d";
363 break;
364 case BPF_ALU_SUB | BPF_X:
365 op = op_table[BPF_ALU_SUB];
366 fmt = "x";
367 break;
368 case BPF_ALU_SUB | BPF_K:
369 op = op_table[BPF_ALU_SUB];
370 fmt = "#%d";
371 break;
372 case BPF_ALU_MUL | BPF_X:
373 op = op_table[BPF_ALU_MUL];
374 fmt = "x";
375 break;
376 case BPF_ALU_MUL | BPF_K:
377 op = op_table[BPF_ALU_MUL];
378 fmt = "#%d";
379 break;
380 case BPF_ALU_DIV | BPF_X:
381 op = op_table[BPF_ALU_DIV];
382 fmt = "x";
383 break;
384 case BPF_ALU_DIV | BPF_K:
385 op = op_table[BPF_ALU_DIV];
386 fmt = "#%d";
387 break;
388 case BPF_ALU_MOD | BPF_X:
389 op = op_table[BPF_ALU_MOD];
390 fmt = "x";
391 break;
392 case BPF_ALU_MOD | BPF_K:
393 op = op_table[BPF_ALU_MOD];
394 fmt = "#%d";
395 break;
396 case BPF_ALU_AND | BPF_X:
397 op = op_table[BPF_ALU_AND];
398 fmt = "x";
399 break;
400 case BPF_ALU_AND | BPF_K:
401 op = op_table[BPF_ALU_AND];
402 fmt = "#%#x";
403 break;
404 case BPF_ALU_OR | BPF_X:
405 op = op_table[BPF_ALU_OR];
406 fmt = "x";
407 break;
408 case BPF_ALU_OR | BPF_K:
409 op = op_table[BPF_ALU_OR];
410 fmt = "#%#x";
411 break;
412 case BPF_ALU_XOR | BPF_X:
413 op = op_table[BPF_ALU_XOR];
414 fmt = "x";
415 break;
416 case BPF_ALU_XOR | BPF_K:
417 op = op_table[BPF_ALU_XOR];
418 fmt = "#%#x";
419 break;
420 default:
421 op = "nosup";
422 fmt = "%#x";
423 val = f.code;
424 break;
425 }
426
427 memset(buf, 0, sizeof(buf));
428 snprintf(buf, sizeof(buf), fmt, val);
429 buf[sizeof(buf) - 1] = 0;
430
431 if ((BPF_CLASS(f.code) == BPF_JMP && BPF_OP(f.code) != BPF_JA))
432 rl_printf("l%d:\t%s %s, l%d, l%d\n", i, op, buf,
433 i + 1 + f.jt, i + 1 + f.jf);
434 else
435 rl_printf("l%d:\t%s %s\n", i, op, buf);
436 }
437
bpf_dump_curr(struct bpf_regs * r,struct sock_filter * f)438 static void bpf_dump_curr(struct bpf_regs *r, struct sock_filter *f)
439 {
440 int i, m = 0;
441
442 rl_printf("pc: [%u]\n", r->Pc);
443 rl_printf("code: [%u] jt[%u] jf[%u] k[%u]\n",
444 f->code, f->jt, f->jf, f->k);
445 rl_printf("curr: ");
446 bpf_disasm(*f, r->Pc);
447
448 if (f->jt || f->jf) {
449 rl_printf("jt: ");
450 bpf_disasm(*(f + f->jt + 1), r->Pc + f->jt + 1);
451 rl_printf("jf: ");
452 bpf_disasm(*(f + f->jf + 1), r->Pc + f->jf + 1);
453 }
454
455 rl_printf("A: [%#08x][%u]\n", r->A, r->A);
456 rl_printf("X: [%#08x][%u]\n", r->X, r->X);
457 if (r->Rs)
458 rl_printf("ret: [%#08x][%u]!\n", r->R, r->R);
459
460 for (i = 0; i < BPF_MEMWORDS; i++) {
461 if (r->M[i]) {
462 m++;
463 rl_printf("M[%d]: [%#08x][%u]\n", i, r->M[i], r->M[i]);
464 }
465 }
466 if (m == 0)
467 rl_printf("M[0,%d]: [%#08x][%u]\n", BPF_MEMWORDS - 1, 0, 0);
468 }
469
bpf_dump_pkt(uint8_t * pkt,uint32_t pkt_caplen,uint32_t pkt_len)470 static void bpf_dump_pkt(uint8_t *pkt, uint32_t pkt_caplen, uint32_t pkt_len)
471 {
472 if (pkt_caplen != pkt_len)
473 rl_printf("cap: %u, len: %u\n", pkt_caplen, pkt_len);
474 else
475 rl_printf("len: %u\n", pkt_len);
476
477 hex_dump(pkt, pkt_caplen);
478 }
479
bpf_disasm_all(const struct sock_filter * f,unsigned int len)480 static void bpf_disasm_all(const struct sock_filter *f, unsigned int len)
481 {
482 unsigned int i;
483
484 for (i = 0; i < len; i++)
485 bpf_disasm(f[i], i);
486 }
487
bpf_dump_all(const struct sock_filter * f,unsigned int len)488 static void bpf_dump_all(const struct sock_filter *f, unsigned int len)
489 {
490 unsigned int i;
491
492 rl_printf("/* { op, jt, jf, k }, */\n");
493 for (i = 0; i < len; i++)
494 rl_printf("{ %#04x, %2u, %2u, %#010x },\n",
495 f[i].code, f[i].jt, f[i].jf, f[i].k);
496 }
497
bpf_runnable(struct sock_filter * f,unsigned int len)498 static bool bpf_runnable(struct sock_filter *f, unsigned int len)
499 {
500 int sock, ret, i;
501 struct sock_fprog bpf = {
502 .filter = f,
503 .len = len,
504 };
505
506 sock = socket(AF_INET, SOCK_DGRAM, 0);
507 if (sock < 0) {
508 rl_printf("cannot open socket!\n");
509 return false;
510 }
511 ret = setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf));
512 close(sock);
513 if (ret < 0) {
514 rl_printf("program not allowed to run by kernel!\n");
515 return false;
516 }
517 for (i = 0; i < len; i++) {
518 if (BPF_CLASS(f[i].code) == BPF_LD &&
519 f[i].k > SKF_AD_OFF) {
520 rl_printf("extensions currently not supported!\n");
521 return false;
522 }
523 }
524
525 return true;
526 }
527
bpf_reset_breakpoints(void)528 static void bpf_reset_breakpoints(void)
529 {
530 int i;
531
532 for (i = 0; i < array_size(bpf_breakpoints); i++)
533 bpf_breakpoints[i] = -1;
534 }
535
bpf_set_breakpoints(unsigned int where)536 static void bpf_set_breakpoints(unsigned int where)
537 {
538 int i;
539 bool set = false;
540
541 for (i = 0; i < array_size(bpf_breakpoints); i++) {
542 if (bpf_breakpoints[i] == (int) where) {
543 rl_printf("breakpoint already set!\n");
544 set = true;
545 break;
546 }
547
548 if (bpf_breakpoints[i] == -1 && set == false) {
549 bpf_breakpoints[i] = where;
550 set = true;
551 }
552 }
553
554 if (!set)
555 rl_printf("too many breakpoints set, reset first!\n");
556 }
557
bpf_dump_breakpoints(void)558 static void bpf_dump_breakpoints(void)
559 {
560 int i;
561
562 rl_printf("breakpoints: ");
563
564 for (i = 0; i < array_size(bpf_breakpoints); i++) {
565 if (bpf_breakpoints[i] < 0)
566 continue;
567 rl_printf("%d ", bpf_breakpoints[i]);
568 }
569
570 rl_printf("\n");
571 }
572
bpf_reset(void)573 static void bpf_reset(void)
574 {
575 bpf_regs_len = 0;
576
577 memset(bpf_regs, 0, sizeof(bpf_regs));
578 memset(&bpf_curr, 0, sizeof(bpf_curr));
579 }
580
bpf_safe_regs(void)581 static void bpf_safe_regs(void)
582 {
583 memcpy(&bpf_regs[bpf_regs_len++], &bpf_curr, sizeof(bpf_curr));
584 }
585
bpf_restore_regs(int off)586 static bool bpf_restore_regs(int off)
587 {
588 unsigned int index = bpf_regs_len - 1 + off;
589
590 if (index == 0) {
591 bpf_reset();
592 return true;
593 } else if (index < bpf_regs_len) {
594 memcpy(&bpf_curr, &bpf_regs[index], sizeof(bpf_curr));
595 bpf_regs_len = index;
596 return true;
597 } else {
598 rl_printf("reached bottom of register history stack!\n");
599 return false;
600 }
601 }
602
extract_u32(uint8_t * pkt,uint32_t off)603 static uint32_t extract_u32(uint8_t *pkt, uint32_t off)
604 {
605 uint32_t r;
606
607 memcpy(&r, &pkt[off], sizeof(r));
608
609 return ntohl(r);
610 }
611
extract_u16(uint8_t * pkt,uint32_t off)612 static uint16_t extract_u16(uint8_t *pkt, uint32_t off)
613 {
614 uint16_t r;
615
616 memcpy(&r, &pkt[off], sizeof(r));
617
618 return ntohs(r);
619 }
620
extract_u8(uint8_t * pkt,uint32_t off)621 static uint8_t extract_u8(uint8_t *pkt, uint32_t off)
622 {
623 return pkt[off];
624 }
625
set_return(struct bpf_regs * r)626 static void set_return(struct bpf_regs *r)
627 {
628 r->R = 0;
629 r->Rs = true;
630 }
631
bpf_single_step(struct bpf_regs * r,struct sock_filter * f,uint8_t * pkt,uint32_t pkt_caplen,uint32_t pkt_len)632 static void bpf_single_step(struct bpf_regs *r, struct sock_filter *f,
633 uint8_t *pkt, uint32_t pkt_caplen,
634 uint32_t pkt_len)
635 {
636 uint32_t K = f->k;
637 int d;
638
639 switch (f->code) {
640 case BPF_RET | BPF_K:
641 r->R = K;
642 r->Rs = true;
643 break;
644 case BPF_RET | BPF_A:
645 r->R = r->A;
646 r->Rs = true;
647 break;
648 case BPF_RET | BPF_X:
649 r->R = r->X;
650 r->Rs = true;
651 break;
652 case BPF_MISC_TAX:
653 r->X = r->A;
654 break;
655 case BPF_MISC_TXA:
656 r->A = r->X;
657 break;
658 case BPF_ST:
659 r->M[K] = r->A;
660 break;
661 case BPF_STX:
662 r->M[K] = r->X;
663 break;
664 case BPF_LD_W | BPF_ABS:
665 d = pkt_caplen - K;
666 if (d >= sizeof(uint32_t))
667 r->A = extract_u32(pkt, K);
668 else
669 set_return(r);
670 break;
671 case BPF_LD_H | BPF_ABS:
672 d = pkt_caplen - K;
673 if (d >= sizeof(uint16_t))
674 r->A = extract_u16(pkt, K);
675 else
676 set_return(r);
677 break;
678 case BPF_LD_B | BPF_ABS:
679 d = pkt_caplen - K;
680 if (d >= sizeof(uint8_t))
681 r->A = extract_u8(pkt, K);
682 else
683 set_return(r);
684 break;
685 case BPF_LD_W | BPF_IND:
686 d = pkt_caplen - (r->X + K);
687 if (d >= sizeof(uint32_t))
688 r->A = extract_u32(pkt, r->X + K);
689 break;
690 case BPF_LD_H | BPF_IND:
691 d = pkt_caplen - (r->X + K);
692 if (d >= sizeof(uint16_t))
693 r->A = extract_u16(pkt, r->X + K);
694 else
695 set_return(r);
696 break;
697 case BPF_LD_B | BPF_IND:
698 d = pkt_caplen - (r->X + K);
699 if (d >= sizeof(uint8_t))
700 r->A = extract_u8(pkt, r->X + K);
701 else
702 set_return(r);
703 break;
704 case BPF_LDX_B | BPF_MSH:
705 d = pkt_caplen - K;
706 if (d >= sizeof(uint8_t)) {
707 r->X = extract_u8(pkt, K);
708 r->X = (r->X & 0xf) << 2;
709 } else
710 set_return(r);
711 break;
712 case BPF_LD_W | BPF_LEN:
713 r->A = pkt_len;
714 break;
715 case BPF_LDX_W | BPF_LEN:
716 r->A = pkt_len;
717 break;
718 case BPF_LD | BPF_IMM:
719 r->A = K;
720 break;
721 case BPF_LDX | BPF_IMM:
722 r->X = K;
723 break;
724 case BPF_LD | BPF_MEM:
725 r->A = r->M[K];
726 break;
727 case BPF_LDX | BPF_MEM:
728 r->X = r->M[K];
729 break;
730 case BPF_JMP_JA:
731 r->Pc += K;
732 break;
733 case BPF_JMP_JGT | BPF_X:
734 r->Pc += r->A > r->X ? f->jt : f->jf;
735 break;
736 case BPF_JMP_JGT | BPF_K:
737 r->Pc += r->A > K ? f->jt : f->jf;
738 break;
739 case BPF_JMP_JGE | BPF_X:
740 r->Pc += r->A >= r->X ? f->jt : f->jf;
741 break;
742 case BPF_JMP_JGE | BPF_K:
743 r->Pc += r->A >= K ? f->jt : f->jf;
744 break;
745 case BPF_JMP_JEQ | BPF_X:
746 r->Pc += r->A == r->X ? f->jt : f->jf;
747 break;
748 case BPF_JMP_JEQ | BPF_K:
749 r->Pc += r->A == K ? f->jt : f->jf;
750 break;
751 case BPF_JMP_JSET | BPF_X:
752 r->Pc += r->A & r->X ? f->jt : f->jf;
753 break;
754 case BPF_JMP_JSET | BPF_K:
755 r->Pc += r->A & K ? f->jt : f->jf;
756 break;
757 case BPF_ALU_NEG:
758 r->A = -r->A;
759 break;
760 case BPF_ALU_LSH | BPF_X:
761 r->A <<= r->X;
762 break;
763 case BPF_ALU_LSH | BPF_K:
764 r->A <<= K;
765 break;
766 case BPF_ALU_RSH | BPF_X:
767 r->A >>= r->X;
768 break;
769 case BPF_ALU_RSH | BPF_K:
770 r->A >>= K;
771 break;
772 case BPF_ALU_ADD | BPF_X:
773 r->A += r->X;
774 break;
775 case BPF_ALU_ADD | BPF_K:
776 r->A += K;
777 break;
778 case BPF_ALU_SUB | BPF_X:
779 r->A -= r->X;
780 break;
781 case BPF_ALU_SUB | BPF_K:
782 r->A -= K;
783 break;
784 case BPF_ALU_MUL | BPF_X:
785 r->A *= r->X;
786 break;
787 case BPF_ALU_MUL | BPF_K:
788 r->A *= K;
789 break;
790 case BPF_ALU_DIV | BPF_X:
791 case BPF_ALU_MOD | BPF_X:
792 if (r->X == 0) {
793 set_return(r);
794 break;
795 }
796 goto do_div;
797 case BPF_ALU_DIV | BPF_K:
798 case BPF_ALU_MOD | BPF_K:
799 if (K == 0) {
800 set_return(r);
801 break;
802 }
803 do_div:
804 switch (f->code) {
805 case BPF_ALU_DIV | BPF_X:
806 r->A /= r->X;
807 break;
808 case BPF_ALU_DIV | BPF_K:
809 r->A /= K;
810 break;
811 case BPF_ALU_MOD | BPF_X:
812 r->A %= r->X;
813 break;
814 case BPF_ALU_MOD | BPF_K:
815 r->A %= K;
816 break;
817 }
818 break;
819 case BPF_ALU_AND | BPF_X:
820 r->A &= r->X;
821 break;
822 case BPF_ALU_AND | BPF_K:
823 r->A &= K;
824 break;
825 case BPF_ALU_OR | BPF_X:
826 r->A |= r->X;
827 break;
828 case BPF_ALU_OR | BPF_K:
829 r->A |= K;
830 break;
831 case BPF_ALU_XOR | BPF_X:
832 r->A ^= r->X;
833 break;
834 case BPF_ALU_XOR | BPF_K:
835 r->A ^= K;
836 break;
837 }
838 }
839
bpf_pc_has_breakpoint(uint16_t pc)840 static bool bpf_pc_has_breakpoint(uint16_t pc)
841 {
842 int i;
843
844 for (i = 0; i < array_size(bpf_breakpoints); i++) {
845 if (bpf_breakpoints[i] < 0)
846 continue;
847 if (bpf_breakpoints[i] == pc)
848 return true;
849 }
850
851 return false;
852 }
853
bpf_handle_breakpoint(struct bpf_regs * r,struct sock_filter * f,uint8_t * pkt,uint32_t pkt_caplen,uint32_t pkt_len)854 static bool bpf_handle_breakpoint(struct bpf_regs *r, struct sock_filter *f,
855 uint8_t *pkt, uint32_t pkt_caplen,
856 uint32_t pkt_len)
857 {
858 rl_printf("-- register dump --\n");
859 bpf_dump_curr(r, &f[r->Pc]);
860 rl_printf("-- packet dump --\n");
861 bpf_dump_pkt(pkt, pkt_caplen, pkt_len);
862 rl_printf("(breakpoint)\n");
863 return true;
864 }
865
bpf_run_all(struct sock_filter * f,uint16_t bpf_len,uint8_t * pkt,uint32_t pkt_caplen,uint32_t pkt_len)866 static int bpf_run_all(struct sock_filter *f, uint16_t bpf_len, uint8_t *pkt,
867 uint32_t pkt_caplen, uint32_t pkt_len)
868 {
869 bool stop = false;
870
871 while (bpf_curr.Rs == false && stop == false) {
872 bpf_safe_regs();
873
874 if (bpf_pc_has_breakpoint(bpf_curr.Pc))
875 stop = bpf_handle_breakpoint(&bpf_curr, f, pkt,
876 pkt_caplen, pkt_len);
877
878 bpf_single_step(&bpf_curr, &f[bpf_curr.Pc], pkt, pkt_caplen,
879 pkt_len);
880 bpf_curr.Pc++;
881 }
882
883 return stop ? -1 : bpf_curr.R;
884 }
885
bpf_run_stepping(struct sock_filter * f,uint16_t bpf_len,uint8_t * pkt,uint32_t pkt_caplen,uint32_t pkt_len,int next)886 static int bpf_run_stepping(struct sock_filter *f, uint16_t bpf_len,
887 uint8_t *pkt, uint32_t pkt_caplen,
888 uint32_t pkt_len, int next)
889 {
890 bool stop = false;
891 int i = 1;
892
893 while (!bpf_curr.Rs && !stop) {
894 bpf_safe_regs();
895
896 if (i++ == next)
897 stop = bpf_handle_breakpoint(&bpf_curr, f, pkt,
898 pkt_caplen, pkt_len);
899
900 bpf_single_step(&bpf_curr, &f[bpf_curr.Pc], pkt, pkt_caplen,
901 pkt_len);
902 bpf_curr.Pc++;
903 }
904
905 return stop ? -1 : bpf_curr.R;
906 }
907
pcap_loaded(void)908 static bool pcap_loaded(void)
909 {
910 if (pcap_fd < 0)
911 rl_printf("no pcap file loaded!\n");
912
913 return pcap_fd >= 0;
914 }
915
pcap_curr_pkt(void)916 static struct pcap_pkthdr *pcap_curr_pkt(void)
917 {
918 return (void *) pcap_ptr_va_curr;
919 }
920
pcap_next_pkt(void)921 static bool pcap_next_pkt(void)
922 {
923 struct pcap_pkthdr *hdr = pcap_curr_pkt();
924
925 if (pcap_ptr_va_curr + sizeof(*hdr) -
926 pcap_ptr_va_start >= pcap_map_size)
927 return false;
928 if (hdr->caplen == 0 || hdr->len == 0 || hdr->caplen > hdr->len)
929 return false;
930 if (pcap_ptr_va_curr + sizeof(*hdr) + hdr->caplen -
931 pcap_ptr_va_start >= pcap_map_size)
932 return false;
933
934 pcap_ptr_va_curr += (sizeof(*hdr) + hdr->caplen);
935 return true;
936 }
937
pcap_reset_pkt(void)938 static void pcap_reset_pkt(void)
939 {
940 pcap_ptr_va_curr = pcap_ptr_va_start + sizeof(struct pcap_filehdr);
941 }
942
try_load_pcap(const char * file)943 static int try_load_pcap(const char *file)
944 {
945 struct pcap_filehdr *hdr;
946 struct stat sb;
947 int ret;
948
949 pcap_fd = open(file, O_RDONLY);
950 if (pcap_fd < 0) {
951 rl_printf("cannot open pcap [%s]!\n", strerror(errno));
952 return CMD_ERR;
953 }
954
955 ret = fstat(pcap_fd, &sb);
956 if (ret < 0) {
957 rl_printf("cannot fstat pcap file!\n");
958 return CMD_ERR;
959 }
960
961 if (!S_ISREG(sb.st_mode)) {
962 rl_printf("not a regular pcap file, duh!\n");
963 return CMD_ERR;
964 }
965
966 pcap_map_size = sb.st_size;
967 if (pcap_map_size <= sizeof(struct pcap_filehdr)) {
968 rl_printf("pcap file too small!\n");
969 return CMD_ERR;
970 }
971
972 pcap_ptr_va_start = mmap(NULL, pcap_map_size, PROT_READ,
973 MAP_SHARED | MAP_LOCKED, pcap_fd, 0);
974 if (pcap_ptr_va_start == MAP_FAILED) {
975 rl_printf("mmap of file failed!");
976 return CMD_ERR;
977 }
978
979 hdr = (void *) pcap_ptr_va_start;
980 if (hdr->magic != TCPDUMP_MAGIC) {
981 rl_printf("wrong pcap magic!\n");
982 return CMD_ERR;
983 }
984
985 pcap_reset_pkt();
986
987 return CMD_OK;
988
989 }
990
try_close_pcap(void)991 static void try_close_pcap(void)
992 {
993 if (pcap_fd >= 0) {
994 munmap(pcap_ptr_va_start, pcap_map_size);
995 close(pcap_fd);
996
997 pcap_ptr_va_start = pcap_ptr_va_curr = NULL;
998 pcap_map_size = 0;
999 pcap_packet = 0;
1000 pcap_fd = -1;
1001 }
1002 }
1003
cmd_load_bpf(char * bpf_string)1004 static int cmd_load_bpf(char *bpf_string)
1005 {
1006 char sp, *token, separator = ',';
1007 unsigned short bpf_len, i = 0;
1008 struct sock_filter tmp;
1009
1010 bpf_prog_len = 0;
1011 memset(bpf_image, 0, sizeof(bpf_image));
1012
1013 if (sscanf(bpf_string, "%hu%c", &bpf_len, &sp) != 2 ||
1014 sp != separator || bpf_len > BPF_MAXINSNS || bpf_len == 0) {
1015 rl_printf("syntax error in head length encoding!\n");
1016 return CMD_ERR;
1017 }
1018
1019 token = bpf_string;
1020 while ((token = strchr(token, separator)) && (++token)[0]) {
1021 if (i >= bpf_len) {
1022 rl_printf("program exceeds encoded length!\n");
1023 return CMD_ERR;
1024 }
1025
1026 if (sscanf(token, "%hu %hhu %hhu %u,",
1027 &tmp.code, &tmp.jt, &tmp.jf, &tmp.k) != 4) {
1028 rl_printf("syntax error at instruction %d!\n", i);
1029 return CMD_ERR;
1030 }
1031
1032 bpf_image[i].code = tmp.code;
1033 bpf_image[i].jt = tmp.jt;
1034 bpf_image[i].jf = tmp.jf;
1035 bpf_image[i].k = tmp.k;
1036
1037 i++;
1038 }
1039
1040 if (i != bpf_len) {
1041 rl_printf("syntax error exceeding encoded length!\n");
1042 return CMD_ERR;
1043 } else
1044 bpf_prog_len = bpf_len;
1045 if (!bpf_runnable(bpf_image, bpf_prog_len))
1046 bpf_prog_len = 0;
1047
1048 return CMD_OK;
1049 }
1050
cmd_load_pcap(char * file)1051 static int cmd_load_pcap(char *file)
1052 {
1053 char *file_trim, *tmp;
1054
1055 file_trim = strtok_r(file, " ", &tmp);
1056 if (file_trim == NULL)
1057 return CMD_ERR;
1058
1059 try_close_pcap();
1060
1061 return try_load_pcap(file_trim);
1062 }
1063
cmd_load(char * arg)1064 static int cmd_load(char *arg)
1065 {
1066 char *subcmd, *cont = NULL, *tmp = strdup(arg);
1067 int ret = CMD_OK;
1068
1069 subcmd = strtok_r(tmp, " ", &cont);
1070 if (subcmd == NULL)
1071 goto out;
1072 if (matches(subcmd, "bpf") == 0) {
1073 bpf_reset();
1074 bpf_reset_breakpoints();
1075
1076 if (!cont)
1077 ret = CMD_ERR;
1078 else
1079 ret = cmd_load_bpf(cont);
1080 } else if (matches(subcmd, "pcap") == 0) {
1081 ret = cmd_load_pcap(cont);
1082 } else {
1083 out:
1084 rl_printf("bpf <code>: load bpf code\n");
1085 rl_printf("pcap <file>: load pcap file\n");
1086 ret = CMD_ERR;
1087 }
1088
1089 free(tmp);
1090 return ret;
1091 }
1092
cmd_step(char * num)1093 static int cmd_step(char *num)
1094 {
1095 struct pcap_pkthdr *hdr;
1096 int steps, ret;
1097
1098 if (!bpf_prog_loaded() || !pcap_loaded())
1099 return CMD_ERR;
1100
1101 steps = strtol(num, NULL, 10);
1102 if (steps == 0 || strlen(num) == 0)
1103 steps = 1;
1104 if (steps < 0) {
1105 if (!bpf_restore_regs(steps))
1106 return CMD_ERR;
1107 steps = 1;
1108 }
1109
1110 hdr = pcap_curr_pkt();
1111 ret = bpf_run_stepping(bpf_image, bpf_prog_len,
1112 (uint8_t *) hdr + sizeof(*hdr),
1113 hdr->caplen, hdr->len, steps);
1114 if (ret >= 0 || bpf_curr.Rs) {
1115 bpf_reset();
1116 if (!pcap_next_pkt()) {
1117 rl_printf("(going back to first packet)\n");
1118 pcap_reset_pkt();
1119 } else {
1120 rl_printf("(next packet)\n");
1121 }
1122 }
1123
1124 return CMD_OK;
1125 }
1126
cmd_select(char * num)1127 static int cmd_select(char *num)
1128 {
1129 unsigned int which, i;
1130 bool have_next = true;
1131
1132 if (!pcap_loaded() || strlen(num) == 0)
1133 return CMD_ERR;
1134
1135 which = strtoul(num, NULL, 10);
1136 if (which == 0) {
1137 rl_printf("packet count starts with 1, clamping!\n");
1138 which = 1;
1139 }
1140
1141 pcap_reset_pkt();
1142 bpf_reset();
1143
1144 for (i = 0; i < which && (have_next = pcap_next_pkt()); i++)
1145 /* noop */;
1146 if (!have_next || pcap_curr_pkt() == NULL) {
1147 rl_printf("no packet #%u available!\n", which);
1148 pcap_reset_pkt();
1149 return CMD_ERR;
1150 }
1151
1152 return CMD_OK;
1153 }
1154
cmd_breakpoint(char * subcmd)1155 static int cmd_breakpoint(char *subcmd)
1156 {
1157 if (!bpf_prog_loaded())
1158 return CMD_ERR;
1159 if (strlen(subcmd) == 0)
1160 bpf_dump_breakpoints();
1161 else if (matches(subcmd, "reset") == 0)
1162 bpf_reset_breakpoints();
1163 else {
1164 unsigned int where = strtoul(subcmd, NULL, 10);
1165
1166 if (where < bpf_prog_len) {
1167 bpf_set_breakpoints(where);
1168 rl_printf("breakpoint at: ");
1169 bpf_disasm(bpf_image[where], where);
1170 }
1171 }
1172
1173 return CMD_OK;
1174 }
1175
cmd_run(char * num)1176 static int cmd_run(char *num)
1177 {
1178 static uint32_t pass, fail;
1179 bool has_limit = true;
1180 int pkts = 0, i = 0;
1181
1182 if (!bpf_prog_loaded() || !pcap_loaded())
1183 return CMD_ERR;
1184
1185 pkts = strtol(num, NULL, 10);
1186 if (pkts == 0 || strlen(num) == 0)
1187 has_limit = false;
1188
1189 do {
1190 struct pcap_pkthdr *hdr = pcap_curr_pkt();
1191 int ret = bpf_run_all(bpf_image, bpf_prog_len,
1192 (uint8_t *) hdr + sizeof(*hdr),
1193 hdr->caplen, hdr->len);
1194 if (ret > 0)
1195 pass++;
1196 else if (ret == 0)
1197 fail++;
1198 else
1199 return CMD_OK;
1200 bpf_reset();
1201 } while (pcap_next_pkt() && (!has_limit || (++i < pkts)));
1202
1203 rl_printf("bpf passes:%u fails:%u\n", pass, fail);
1204
1205 pcap_reset_pkt();
1206 bpf_reset();
1207
1208 pass = fail = 0;
1209 return CMD_OK;
1210 }
1211
cmd_disassemble(char * line_string)1212 static int cmd_disassemble(char *line_string)
1213 {
1214 bool single_line = false;
1215 unsigned long line;
1216
1217 if (!bpf_prog_loaded())
1218 return CMD_ERR;
1219 if (strlen(line_string) > 0 &&
1220 (line = strtoul(line_string, NULL, 10)) < bpf_prog_len)
1221 single_line = true;
1222 if (single_line)
1223 bpf_disasm(bpf_image[line], line);
1224 else
1225 bpf_disasm_all(bpf_image, bpf_prog_len);
1226
1227 return CMD_OK;
1228 }
1229
cmd_dump(char * dontcare)1230 static int cmd_dump(char *dontcare)
1231 {
1232 if (!bpf_prog_loaded())
1233 return CMD_ERR;
1234
1235 bpf_dump_all(bpf_image, bpf_prog_len);
1236
1237 return CMD_OK;
1238 }
1239
cmd_quit(char * dontcare)1240 static int cmd_quit(char *dontcare)
1241 {
1242 return CMD_EX;
1243 }
1244
1245 static const struct shell_cmd cmds[] = {
1246 { .name = "load", .func = cmd_load },
1247 { .name = "select", .func = cmd_select },
1248 { .name = "step", .func = cmd_step },
1249 { .name = "run", .func = cmd_run },
1250 { .name = "breakpoint", .func = cmd_breakpoint },
1251 { .name = "disassemble", .func = cmd_disassemble },
1252 { .name = "dump", .func = cmd_dump },
1253 { .name = "quit", .func = cmd_quit },
1254 };
1255
execf(char * arg)1256 static int execf(char *arg)
1257 {
1258 char *cmd, *cont, *tmp = strdup(arg);
1259 int i, ret = 0, len;
1260
1261 cmd = strtok_r(tmp, " ", &cont);
1262 if (cmd == NULL)
1263 goto out;
1264 len = strlen(cmd);
1265 for (i = 0; i < array_size(cmds); i++) {
1266 if (len != strlen(cmds[i].name))
1267 continue;
1268 if (strncmp(cmds[i].name, cmd, len) == 0) {
1269 ret = cmds[i].func(cont);
1270 break;
1271 }
1272 }
1273 out:
1274 free(tmp);
1275 return ret;
1276 }
1277
shell_comp_gen(const char * buf,int state)1278 static char *shell_comp_gen(const char *buf, int state)
1279 {
1280 static int list_index, len;
1281
1282 if (!state) {
1283 list_index = 0;
1284 len = strlen(buf);
1285 }
1286
1287 for (; list_index < array_size(cmds); ) {
1288 const char *name = cmds[list_index].name;
1289
1290 list_index++;
1291 if (strncmp(name, buf, len) == 0)
1292 return strdup(name);
1293 }
1294
1295 return NULL;
1296 }
1297
shell_completion(const char * buf,int start,int end)1298 static char **shell_completion(const char *buf, int start, int end)
1299 {
1300 char **matches = NULL;
1301
1302 if (start == 0)
1303 matches = rl_completion_matches(buf, shell_comp_gen);
1304
1305 return matches;
1306 }
1307
intr_shell(int sig)1308 static void intr_shell(int sig)
1309 {
1310 if (rl_end)
1311 rl_kill_line(-1, 0);
1312
1313 rl_crlf();
1314 rl_refresh_line(0, 0);
1315 rl_free_line_state();
1316 }
1317
init_shell(FILE * fin,FILE * fout)1318 static void init_shell(FILE *fin, FILE *fout)
1319 {
1320 char file[128];
1321
1322 snprintf(file, sizeof(file), "%s/.bpf_dbg_history", getenv("HOME"));
1323 read_history(file);
1324
1325 rl_instream = fin;
1326 rl_outstream = fout;
1327
1328 rl_readline_name = "bpf_dbg";
1329 rl_terminal_name = getenv("TERM");
1330
1331 rl_catch_signals = 0;
1332 rl_catch_sigwinch = 1;
1333
1334 rl_attempted_completion_function = shell_completion;
1335
1336 rl_bind_key('\t', rl_complete);
1337
1338 rl_bind_key_in_map('\t', rl_complete, emacs_meta_keymap);
1339 rl_bind_key_in_map('\033', rl_complete, emacs_meta_keymap);
1340
1341 snprintf(file, sizeof(file), "%s/.bpf_dbg_init", getenv("HOME"));
1342 rl_read_init_file(file);
1343
1344 rl_prep_terminal(0);
1345 rl_set_signals();
1346
1347 signal(SIGINT, intr_shell);
1348 }
1349
exit_shell(FILE * fin,FILE * fout)1350 static void exit_shell(FILE *fin, FILE *fout)
1351 {
1352 char file[128];
1353
1354 snprintf(file, sizeof(file), "%s/.bpf_dbg_history", getenv("HOME"));
1355 write_history(file);
1356
1357 clear_history();
1358 rl_deprep_terminal();
1359
1360 try_close_pcap();
1361
1362 if (fin != stdin)
1363 fclose(fin);
1364 if (fout != stdout)
1365 fclose(fout);
1366 }
1367
run_shell_loop(FILE * fin,FILE * fout)1368 static int run_shell_loop(FILE *fin, FILE *fout)
1369 {
1370 char *buf;
1371
1372 init_shell(fin, fout);
1373
1374 while ((buf = readline("> ")) != NULL) {
1375 int ret = execf(buf);
1376 if (ret == CMD_EX)
1377 break;
1378 if (ret == CMD_OK && strlen(buf) > 0)
1379 add_history(buf);
1380
1381 free(buf);
1382 }
1383
1384 exit_shell(fin, fout);
1385 return 0;
1386 }
1387
main(int argc,char ** argv)1388 int main(int argc, char **argv)
1389 {
1390 FILE *fin = NULL, *fout = NULL;
1391
1392 if (argc >= 2)
1393 fin = fopen(argv[1], "r");
1394 if (argc >= 3)
1395 fout = fopen(argv[2], "w");
1396
1397 return run_shell_loop(fin ? : stdin, fout ? : stdout);
1398 }
1399