Fuzzing bug fixes (#3989)
* wip

* Merged PR 28837: Fix CICD

Fix CICD build failures.

* wip

* wip

* Revert "wip"

This reverts commit e7311fe.

* sync

* sync

* sync

* feedback

* draft

* sync

* sync

* draft

* wip

* nit

* wip

* wip

* wip

* wip

* wip

* wip

* nit

* add AKS env detection, add TBD check eBPF usage on uninstall

* wip

* Merged PR 30605: Bump bpf_conformance to 0.6.0 to unblock conformance testing

Bump bpf_conformance to 0.6.0 to unblock conformance testing

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30598: Add new onefuzz task to perform continual fuzzing of eBPF for Windows

Add new onefuzz task to perform continual fuzzing of eBPF for Windows

* Merged PR 30633: Add missing bug filing info for netebpfext

Add missing bug filing info for netebpfext

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30634: Add codecoverage for fuzzing pipeline

Add codecoverage for fuzzing pipeline

Signed-off-by: Alan Jowett <[email protected]>

* wip

* Merged PR 30808: Apply correct fuzzer settings

Apply correct fuzzer settings

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30804: Fix division by zero in batch delete.

Fix division by zero in batch delete:
`input_count = key_length / map_definition->key_size;`

Related work items: #159139

* Merged PR 30814: Fix OneFuzzConfig.json to fuzz feature/security_fix and correctly assign bugs

Fix OneFuzzConfig.json to fuzz feature/security_fix and correctly assign bugs

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30825: Reformat IOCTL fuzzing seed to include reply length

Reformat IOCTL fuzzing seed to include reply length and regenerate corpus.

Issue:
The fuzzer was always setting an invalid reply length, even for "good" cases. This results in many paths being blocked because reply length != expected reply length in ebpf_core_invoke_protocol_handler.

By including the correct reply length in the seed, we permit the fuzzer to explore more code spaces.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30880: Add ASAN_OPTIONS=allocator_may_return_null=1

Add ASAN_OPTIONS=allocator_may_return_null=1

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30890: Run all libfuzzers in OneFuzz on the feature/security_fix branch

Run all libfuzzers in OneFuzz on the feature/security_fix branch

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30897: _ebpf_program_load_byte_code should reject zero length eBPF programs

_ebpf_program_load_byte_code should reject zero length eBPF programs

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30922: Improve verifier coverage by permitting more program types to run.

Improve verifier coverage by permitting more program types to run.

Due to context create for sample program type, all calls to prog run for a sample program fail with minimal coverage.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30905: Prevent fuzzer from triggering long running bpf_prog_test_run

The execution_context_fuzzer can get hung on executing a BPF program if it fuzzes the iteration count to a huge value, resulting in the test timing out after several minutes. This slows the rate of useful fuzzing.

Signed-off-by: Alan Jowett <[email protected]>

* Fix buffer overflow in ebpf_program_get_info

Signed-off-by: Alan Jowett <[email protected]>

* Workaround for verifier bug

Signed-off-by: Alan Jowett <[email protected]>

* Fix division by zero in _ebpf_core_protocol_map_update_element_batch

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30956: Improve code coverage of execution context fuzzer

During creation of the various map types, creation of several map types was failing, preventing fuzzing of those maps.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30819: Check LPM key length

Check LPM key length

Signed-off-by: Alan Jowett <[email protected]>

Related work items: #159141

* Merged PR 30971: Remove PATs from onefuzz task.

As per guidance from the OneFuzz team, a PAT is no longer required, so switch to the new option.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30991: Prevent ebpf_program_t from switching between JIT and interpreter

Prevent ebpf_program_t from switching between JIT and interpreter.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30992: Improve execution context fuzzer - add link object and speed up fuzzing

Improve execution context fuzzer - add link object and speed up fuzzing

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30993: Make helper fuzzer more generic

1. Remove dependency on ebpf_program_t.
2. Bind directly to program info provider.
3. Move ebpf_core_initiate/terminate to global.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 31238: Fix assigned to in .onefuzz\OneFuzzConfig.json

Fix assigned to in .onefuzz\OneFuzzConfig.json

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 31250: Merge main into feature/security_fix

* Merged PR 31358: Add HLK playlist link to the HLK documentation.

Add playlist link, whitespace optimizations.

* Merged PR 31516: Disable onefuzz on main

Disable onefuzz on main

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30823: Quick-guide: how to debug an eBPF program

This is a quick guide on how to use WinDbg to debug kernel code on a target machine.

* add checks for code_type

* Merged PR 31674: Update netebpfext bind context app_id truncation logic for safety

_net_ebpf_ext_resource_truncate_appid made some assumptions about the input data it received. In theory, improper data could be passed into ebpf, which could potentially cause a buffer overrun/crash. Additional checks were added to ensure safety of the truncation logic, even if improper input was passed.

Additional test cases were added to ensure the truncation logic was safe and validated improper input.

Related work items: #159406

* Merged PR 30986: Add LPM map unit tests, fix lookup and input checking bugs

## Description

This improves and adds ebpf map unit testing and fixes some bugs.

Changes:
- `_create_lpm_map`: fixes length calculation for key size bitmap
  - `max_prefix` should be the passed value, bitmap size gets `+1` to account for max length keys
- `_find_lpm_map_entry`: initialize search from search key bit length instead of maximum stored key length
  - reduces number of hashes to try during lookup (for short keys) and fixes bug of looking for map key longer than passed search key
  - adds `ebpf_bitmap_start_reverse_search_at` to initialize set bit search to a specific bit index
- `_create_array_map_with_map_struct_size`: argument check for value size/capacity combination that allocates >128GB
- `_next_lpm_map_key_and_value`/`_next_hash_map_key_and_value` - fix SAL annotation for `next_key` (should be `_Inout_`)
- Refactor lpm key handling to use new `ebpf_core_lpm_key_t` struct instead of pointer to prefix length
- Add, fix, and extend LPM map unit tests

## Testing

Extends the `map_crud_operations_lpm_trie_32` test case and adds a second `[negative]` tagged version which tests operations that shouldn't work (including some edge cases that were previously missed).

`map_create_invalid` test case added to try creating various maps with invalid parameters.

Extends and refactors `map_crud_operations_lpm_trie_128`

## Documentation

Comments in new unit testing functions, and more documentation added in LPM and bitmap code.

## Installation

N/A

Related work items: #159137, #159144, #159270, #159273

* Merged PR 31697: Add map type validation in debug mode

This PR adds map type validation in debug mode.

The map type was already checked on creation and is never user-writeable, so these checks are just against code bugs or outside code modifying the type field.

In ebpf_maps.c lookup into `ebpf_map_metadata_tables` is now factored out into calls to `ebpf_map_get_table()`, which validates the map type with a debug assert.

Related work items: #159405

* Merged PR 31809: Update VM extension script to invoke `export_program_info`

This PR contains changes to the VM extension scripts to invoke `export_program_info.exe`. The invocation is kept optional based on whether the file is present or not. This is for 2 reasons:

1. ebpf v0.11 released earlier to IMDS does not contain this exe. So in case of cleanup or rollback, it is possible that the exe is not available.
2. We should ideally change the store implementation to move from registry to file based. Keeping the new code optional allows the store implementation to change without requiring the script to be updated at the same time.

* Merged PR 32086: Update ADO pipeline

This PR updates the clang version to be used in the ADO pipeline. Since the clang version has been updated in GitHub, and corresponding tests have also been updated, CICD has been failing in ADO since then.

#### PR Summary
This pull request updates the ADO pipeline to use Visual Studio LLVM tools instead of installing LLVM via Chocolatey.
- `.pipelines/reusable-build.yml`: Replaced Chocolatey installation of LLVM with Visual Studio LLVM tools installation using PowerShell tasks.
- `.pipelines/reusable-build.yml`: Added MSVC LLVM Clang to PATH and logged the CLANG version.
- `.pipelines/reusable-build.yml`: Set `VSINSTALLDIR` environment variable.

* Merged PR 32085: VM extension script fixes

This PR contains 2 changes:
1. Fix the source path for upgrade flow. The script was incorrectly using a hardcoded path.
2. Suppress error messages from `Get-ItemProperty` when querying for registry path. This change is only cosmetic and has no functional impact.

----
#### AI description (iteration 1)
#### PR Classification
Bug fix for VM extension scripts.

#### PR Summary
This pull request addresses several issues in the VM extension scripts, primarily focusing on error handling and parameter corrections.
- `/.internal/vm-extension/src/scripts/common.ps1`: Added `-ErrorAction SilentlyContinue` to `Get-ItemProperty` to handle missing registry keys gracefully.
- Corrected parameter usage in `Update-eBPF` and `InstallOrUpdate-eBPF` functions to ensure the correct source path is used during installation.
- Removed trailing whitespace in multiple functions for code cleanliness.

* Merged PR 30804: Fix division by zero in batch delete.

Fix division by zero in batch delete:
`input_count = key_length / map_definition->key_size;`

Related work items: #159139

* Merged PR 30814: Fix OneFuzzConfig.json to fuzz feature/security_fix and correctly assign bugs

Fix OneFuzzConfig.json to fuzz feature/security_fix and correctly assign bugs

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30825: Reformat IOCTL fuzzing seed to include reply length

Reformat IOCTL fuzzing seed to include reply length and regenerate corpus.

Issue:
The fuzzer was always setting an invalid reply length, even for "good" cases. This results in many paths being blocked because reply length != expected reply length in ebpf_core_invoke_protocol_handler.

By including the correct reply length in the seed, we permit the fuzzer to explore more code spaces.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30890: Run all libfuzzers in OneFuzz on the feature/security_fix branch

Run all libfuzzers in OneFuzz on the feature/security_fix branch

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30897: _ebpf_program_load_byte_code should reject zero length eBPF programs

_ebpf_program_load_byte_code should reject zero length eBPF programs

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30922: Improve verifier coverage by permitting more program types to run.

Improve verifier coverage by permitting more program types to run.

Due to context create for sample program type, all calls to prog run for a sample program fail with minimal coverage.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30905: Prevent fuzzer from triggering long running bpf_prog_test_run

The execution_context_fuzzer can get hung on executing a BPF program if it fuzzes the iteration count to a huge value, resulting in the test timing out after several minutes. This slows the rate of useful fuzzing.

Signed-off-by: Alan Jowett <[email protected]>

* Fix division by zero in _ebpf_core_protocol_map_update_element_batch

Signed-off-by: Alan Jowett <[email protected]>

* Fix buffer overflow in ebpf_program_get_info

Signed-off-by: Alan Jowett <[email protected]>

* Workaround for verifier bug

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30956: Improve code coverage of execution context fuzzer

During creation of the various map types, creation of several map types was failing, preventing fuzzing of those maps.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30819: Check LPM key length

Check LPM key length

Signed-off-by: Alan Jowett <[email protected]>

Related work items: #159141

* Merged PR 30991: Prevent ebpf_program_t from switching between JIT and interpreter

Prevent ebpf_program_t from switching between JIT and interpreter.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30992: Improve execution context fuzzer - add link object and speed up fuzzing

Improve execution context fuzzer - add link object and speed up fuzzing

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 30993: Make helper fuzzer more generic

1. Remove dependency on ebpf_program_t.
2. Bind directly to program info provider.
3. Move ebpf_core_initiate/terminate to global.

Signed-off-by: Alan Jowett <[email protected]>

* Merged PR 31250: Merge main into feature/security_fix

* Merged PR 31674: Update netebpfext bind context app_id truncation logic for safety

_net_ebpf_ext_resource_truncate_appid made some assumptions about the input data it received. In theory, improper data could be passed into ebpf, which could potentially cause a buffer overrun/crash. Additional checks were added to ensure safety of the truncation logic, even if improper input was passed.

Additional test cases were added to ensure the truncation logic was safe and validated improper input.

Related work items: #159406

* Merged PR 30986: Add LPM map unit tests, fix lookup and input checking bugs

## Description

This improves and adds ebpf map unit testing and fixes some bugs.

Changes:
- `_create_lpm_map`: fixes length calculation for key size bitmap
  - `max_prefix` should be the passed value, bitmap size gets `+1` to account for max length keys
- `_find_lpm_map_entry`: initialize search from search key bit length instead of maximum stored key length
  - reduces number of hashes to try during lookup (for short keys) and fixes bug of looking for map key longer than passed search key
  - adds `ebpf_bitmap_start_reverse_search_at` to initialize set bit search to a specific bit index
- `_create_array_map_with_map_struct_size`: argument check for value size/capacity combination that allocates >128GB
- `_next_lpm_map_key_and_value`/`_next_hash_map_key_and_value` - fix SAL annotation for `next_key` (should be `_Inout_`)
- Refactor lpm key handling to use new `ebpf_core_lpm_key_t` struct instead of pointer to prefix length
- Add, fix, and extend LPM map unit tests

## Testing

Extends the `map_crud_operations_lpm_trie_32` test case and adds a second `[negative]` tagged version which tests operations that shouldn't work (including some edge cases that were previously missed).

`map_create_invalid` test case added to try creating various maps with invalid parameters.

Extends and refactors `map_crud_operations_lpm_trie_128`

## Documentation

Comments in new unit testing functions, and more documentation added in LPM and bitmap code.

## Installation

N/A

Related work items: #159137, #159144, #159270, #159273

* Merged PR 31697: Add map type validation in debug mode

This PR adds map type validation in debug mode.

The map type was already checked on creation and is never user-writeable, so these checks are just against code bugs or outside code modifying the type field.

In ebpf_maps.c lookup into `ebpf_map_metadata_tables` is now factored out into calls to `ebpf_map_get_table()`, which validates the map type with a debug assert.

Related work items: #159405

* add checks for code_type

* fix bad merge

* Override `bpf_get_current_pid_tgid` for sock_ops hook. (#3765)

* initial changes.

* sock_addr.

* fixes.

* Update include/ebpf_nethooks.h

Co-authored-by: Dave Thaler <[email protected]>

---------

Co-authored-by: Dave Thaler <[email protected]>

* Add ADO pipelines (#3741)

Signed-off-by: Alan Jowett <[email protected]>
Co-authored-by: Alan Jowett <[email protected]>

* Bump external/ubpf from `19cd22c` to `762a98d` (#3783)

Bumps [external/ubpf](https://github.com/iovisor/ubpf) from `19cd22c` to `762a98d`.
- [Commits](iovisor/ubpf@19cd22c...762a98d)

---
updated-dependencies:
- dependency-name: external/ubpf
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump external/usersim from `46c6b4a` to `ca8f2de` (#3782)

Bumps [external/usersim](https://github.com/microsoft/usersim) from `46c6b4a` to `ca8f2de`.
- [Commits](microsoft/usersim@46c6b4a...ca8f2de)

---
updated-dependencies:
- dependency-name: external/usersim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump external/ebpf-verifier from `dc2d6ea` to `cd9344b` (#3784)

Bumps [external/ebpf-verifier](https://github.com/vbpf/ebpf-verifier) from `dc2d6ea` to `cd9344b`.
- [Release notes](https://github.com/vbpf/ebpf-verifier/releases)
- [Commits](vbpf/ebpf-verifier@dc2d6ea...cd9344b)

---
updated-dependencies:
- dependency-name: external/ebpf-verifier
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump github/codeql-action from 3.26.2 to 3.26.5 in the actions group (#3790)

Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.26.2 to 3.26.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@429e197...2c779ab)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Stamp all tools with version information. (#3792)

* Stamp all tools with version information.

Signed-off-by: Alan Jowett <[email protected]>

* Add commit id to nuget package

Signed-off-by: Alan Jowett <[email protected]>

* Move versioning to Directory.Build.props

Signed-off-by: Alan Jowett <[email protected]>

* Set correct project type in sample.vcxproj

Signed-off-by: Alan Jowett <[email protected]>

* Add version info to fuzz tests

Signed-off-by: Alan Jowett <[email protected]>

* PR feedback

Signed-off-by: Alan Jowett <[email protected]>

* Update tests/socket/resource.h

Co-authored-by: Dave Thaler <[email protected]>

* Revert editor change

Signed-off-by: Alan Jowett <[email protected]>

---------

Signed-off-by: Alan Jowett <[email protected]>
Co-authored-by: Alan Jowett <[email protected]>
Co-authored-by: Dave Thaler <[email protected]>

* First string functions for ebpf general helpers. (#3780)

* Initial progress on function implementations.

* Moved code.

* Updated kernel project.

* Working on parallel user and kernel mode versions.

* Work in Progress.

* Added tests, added a lot.

* Cleaned up test code some, still doesn't build.

* Re-enabled some tests.

* Got a working set of tests, now to figure out what to do with this in the interim.

* Removing as-yet-unimplemented functions for now.

* Fixed a name.

* Doxygen fixes. Also removed a function header that'll be needed another time.

* Got down to one source file, got a build working in user mode.

* Renamed string_opts to ebpf_strings

* Corrected build issues, removed other extraneous comments.

* Fixed the test selection name, and suppressed an analysis error in a Windows header.

---------

Co-authored-by: Ben Lewis (REDMOND) <[email protected]>

* Bump external/ubpf from `762a98d` to `f1ecb7a` (#3797)

Bumps [external/ubpf](https://github.com/iovisor/ubpf) from `762a98d` to `f1ecb7a`.
- [Commits](iovisor/ubpf@762a98d...f1ecb7a)

---
updated-dependencies:
- dependency-name: external/ubpf
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump external/usersim from `ca8f2de` to `bded12c` (#3796)

Bumps [external/usersim](https://github.com/microsoft/usersim) from `ca8f2de` to `bded12c`.
- [Commits](microsoft/usersim@ca8f2de...bded12c)

---
updated-dependencies:
- dependency-name: external/usersim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added ntosext extensions in the GettingStarted.md document. (#3785)

* Added ntosext extension in the doc

* Addressed PR comment

* Update docs/GettingStarted.md

Co-authored-by: Dave Thaler <[email protected]>

---------

Co-authored-by: Dave Thaler <[email protected]>

* relocate installer license to avoid "multiple licenses" text on GitHub (#3802)

* Inline _ebpf_adjust_value_pointer to reduce cost of ebpf_map_find_entry (#3804)

Signed-off-by: Alan Jowett <[email protected]>
Co-authored-by: Alan Jowett <[email protected]>

* Bump external/ebpf-verifier from `cd9344b` to `559482c` (#3807)

Bumps [external/ebpf-verifier](https://github.com/vbpf/ebpf-verifier) from `cd9344b` to `559482c`.
- [Release notes](https://github.com/vbpf/ebpf-verifier/releases)
- [Commits](vbpf/ebpf-verifier@cd9344b...559482c)

---
updated-dependencies:
- dependency-name: external/ebpf-verifier
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the actions group with 2 updates (#3806)

Bumps the actions group with 2 updates: [actions/upload-artifact](https://github.com/actions/upload-artifact) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `actions/upload-artifact` from 4.3.6 to 4.4.0
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@834a144...5076954)

Updates `github/codeql-action` from 3.26.5 to 3.26.6
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@2c779ab...4dd1613)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Switch to crc32 if available for hashing function (#3803)

* Switch to crc32 if available for hashing function

Signed-off-by: Alan Jowett <[email protected]>

* Only do crc32 when keys are directly accessible

Signed-off-by: Alan Jowett <[email protected]>

* Minimize branches and extra ALU ops

Signed-off-by: Alan Jowett <[email protected]>

---------

Signed-off-by: Alan Jowett <[email protected]>
Co-authored-by: Alan Jowett <[email protected]>

* Multi-attach support for SOCK_ADDR programs (#3751)

* initial commit

* second commit

* third commit

* update lock logic

* fix analysis errors

* backup

* Add tests

* fix

* fix

* fix

* code refactor

* update test

* Revert "update test"

This reverts commit 6770269.

* Revert "code refactor"

This reverts commit fae36a7.

* Revert "Revert "code refactor""

This reverts commit 3b8e762.

* Revert "Revert "update test""

This reverts commit 11610f0.

* fix capability in xdp

* add tests, remove filter weight

* invoke wildcard programs, update tests

* fix wildcard invocation logic

* fix wildcard invocation logic, remove sleep from concurrency tests

* move invocation out of the lock, fix tests

* code cleanup, update test

* code cleanup

* remove trace

* cleanup

* update wildcard invocation logic

* code cleanup

* code cleanup

* code cleanup, CR comments

* cr comments, code cleanup

* Update netebpfext/net_ebpf_ext_hook_provider.h

Co-authored-by: Dave Thaler <[email protected]>

* cr comments

* add tests

* cr comments

* code cleanup

* tracing changes

* fix sal

* code cleanup

* code cleanup

* Update netebpfext/net_ebpf_ext.h

Co-authored-by: Dave Thaler <[email protected]>

---------

Co-authored-by: Dave Thaler <[email protected]>

fix.

* Updated onebranch.vcxproj

* Updated post-build.ps1

* Stack expansion in netebpfext (#3817)

* expand stack

* update usersim submodule

* fix analysis build

* cr comments

* fix analysis failure

* cr comments

* Update netebpfext/net_ebpf_ext_hook_provider.h

Co-authored-by: Dave Thaler <[email protected]>

---------

Co-authored-by: Dave Thaler <[email protected]>

* Bump external/usersim from `bded12c` to `a1ba035` (#3818)

Bumps [external/usersim](https://github.com/microsoft/usersim) from `bded12c` to `a1ba035`.
- [Commits](microsoft/usersim@bded12c...a1ba035)

---
updated-dependencies:
- dependency-name: external/usersim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* change expanded stack size to 16KB.

* Merged PR 11480212: Update store APIs to also update HKLM (#3660) (#3853)

Update store APIs to also update HKLM (#3660) (#3853)

Cherry-picked from commit `462b8e3c`.

----
#### AI description (iteration 1)
#### PR Classification
API change to update store APIs to also update HKLM.

#### PR Summary
This pull request updates the store APIs to handle both HKCU and HKLM registry keys, ensuring that operations are attempted on both keys and errors are suppressed if access to HKLM is denied.
- `ebpf_store_helper.c`: Added functions to update and delete program and section information for both HKCU and HKLM.
- `store_helper_internal.cpp`: Modified functions to handle both HKCU and HKLM registry keys.
- `Product.wxs`: Updated installer scripts to clear and set up eBPF store for both HKCU and HKLM.
- `ebpf_store_helper.h` and `ebpf_registry_helper.cpp`: Introduced separate variables for HKCU and HKLM root keys.

* Merged PR 11486801: Update version to 0.19.1

update version to 0.19.1

* remove .internal

* Miscellaneous fixes.

* PR Feedback.

---------

Signed-off-by: Alan Jowett <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Gianni Trevisiol <[email protected]>
Co-authored-by: Anurag Saxena <[email protected]>
Co-authored-by: Microsoft.VisualStudio.Services.TFS <[email protected]>
Co-authored-by: Gianni Trevisiol <[email protected]>
Co-authored-by: Alan Jowett <[email protected]>
Co-authored-by: Alan Jowett <Alan [email protected]>
Co-authored-by: Igor Klemenski <[email protected]>
Co-authored-by: Shankar Seal <Shankar [email protected]>
Co-authored-by: Alan Jowett <[email protected]>
Co-authored-by: Matt Ige <[email protected]>
Co-authored-by: Michael Agun <[email protected]>
Co-authored-by: Dave Thaler <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ben Lewis <[email protected]>
Co-authored-by: Ben Lewis (REDMOND) <[email protected]>
Co-authored-by: Sharmi <[email protected]>
Co-authored-by: Michael Friesen <[email protected]>
Co-authored-by: Anurag Saxena <[email protected]>
19 people authored Nov 19, 2024
1 parent 0a14ab3 commit b2757bc
Showing 1,321 changed files with 1,918 additions and 779 deletions.
12 changes: 6 additions & 6 deletions Directory.Build.props
@@ -71,13 +71,13 @@
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64' Or '$(Configuration)|$(Platform)'=='FuzzerDebug|x64' Or '$(Configuration)|$(Platform)'=='NativeOnlyDebug|x64'">
<FuzzerLibs>libsancov.lib;clang_rt.fuzzer_MDd-x86_64.lib</FuzzerLibs>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Fuzzer)'=='Release|True'">
<PropertyGroup Condition="'$(Fuzzer)'=='True' OR '$(Configuration)'=='FuzzerDebug'">
<EnableASAN>true</EnableASAN>
<AdditionalOptions>/fsanitize-coverage=inline-bool-flag /fsanitize-coverage=edge /fsanitize-coverage=trace-cmp /fsanitize-coverage=trace-div /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Fuzzer)'=='Debug|True' Or '$(Configuration)'=='FuzzerDebug'">
<EnableASAN>true</EnableASAN>
<AdditionalOptions>/fsanitize-coverage=inline-bool-flag /fsanitize-coverage=edge /fsanitize-coverage=trace-cmp /fsanitize-coverage=trace-div /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
<EnableFuzzer>true</EnableFuzzer>
<FuzzerLibs>libsancov.lib;clang_rt.fuzzer_MDd-x86_64.lib</FuzzerLibs>
<ClCompile>
<AdditionalOptions>/fsanitize-coverage=inline-bool-flag /fsanitize-coverage=edge /fsanitize-coverage=trace-cmp /fsanitize-coverage=trace-div /DFUZZER_BUILD %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
</PropertyGroup>
<PropertyGroup Condition="'$(Fuzzer)'!='True' And '$(Configuration)'!='FuzzerDebug'">
<SpectreMitigation>Spectre</SpectreMitigation>
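Review bot: the merged fuzzer PropertyGroup drops `/ZH:SHA_256` from the compiler options it replaces (both the removed Release|True and Debug|True `AdditionalOptions` lines carried it), while the corresponding group in external/Directory.Build.props keeps it; if that is not deliberate, add `/ZH:SHA_256` back to the new `<ClCompile><AdditionalOptions>` line. Also worth confirming that `clang_rt.fuzzer_MDd-x86_64.lib` (the debug-CRT variant) is the intended `FuzzerLibs` value now that the single condition `'$(Fuzzer)'=='True'` covers Release fuzzer builds as well as Debug ones.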
2 changes: 1 addition & 1 deletion ebpfcore/usersim/EbpfCore_Usersim.vcxproj.filters
@@ -40,4 +40,4 @@
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>
</Project>
5 changes: 4 additions & 1 deletion external/Directory.Build.props
@@ -14,8 +14,11 @@
<EnableASAN>true</EnableASAN>
</PropertyGroup>
<PropertyGroup Condition="'$(Fuzzer)'=='True' OR '$(Configuration)'=='FuzzerDebug'">
<AdditionalOptions>/fsanitize-coverage=inline-bool-flag /fsanitize-coverage=edge /fsanitize-coverage=trace-cmp /fsanitize-coverage=trace-div /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
<EnableASAN>true</EnableASAN>
<FuzzerLibs>libsancov.lib;clang_rt.fuzzer_MDd-x86_64.lib</FuzzerLibs>
<ClCompile>
<AdditionalOptions>/fsanitize=fuzzer /fsanitize-coverage=inline-bool-flag /fsanitize-coverage=edge /fsanitize-coverage=trace-cmp /fsanitize-coverage=trace-div /ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
</ClCompile>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)'=='Release'">
<ClCompile>
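Review bot: the new `<ClCompile>` options for the external projects do not match the ones added to the top-level Directory.Build.props in this same commit: here `/fsanitize=fuzzer` is present and `/DFUZZER_BUILD` is absent, there it is the reverse, and only this copy keeps `/ZH:SHA_256`. Unless the submodules deliberately need different instrumentation, define the shared flag set once in a property (for example a hypothetical `$(FuzzerCompileOptions)`) and reference it from both files so they cannot drift apart.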
2 changes: 1 addition & 1 deletion include/ebpf_extension.h
@@ -126,4 +126,4 @@ typedef struct _ebpf_execution_context_state
} tail_call_state;
} ebpf_execution_context_state_t;

#define EBPF_CONTEXT_HEADER uint64_t context_header[8]
#define EBPF_CONTEXT_HEADER uint64_t context_header[8]
120 changes: 110 additions & 10 deletions libs/execution_context/ebpf_core.c
@@ -65,11 +65,11 @@ _ebpf_core_trace_printk5(
static int
_ebpf_core_ring_buffer_output(
_Inout_ ebpf_map_t* map, _In_reads_bytes_(length) uint8_t* data, size_t length, uint64_t flags);
static uint64_t
static int
_ebpf_core_map_push_elem(_Inout_ ebpf_map_t* map, _In_ const uint8_t* value, uint64_t flags);
static uint64_t
static int
_ebpf_core_map_pop_elem(_Inout_ ebpf_map_t* map, _Out_ uint8_t* value);
static uint64_t
static int
_ebpf_core_map_peek_elem(_Inout_ ebpf_map_t* map, _Out_ uint8_t* value);
static uint64_t
_ebpf_core_get_pid_tgid();
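Review bot: the push/pop/peek prototypes now return int, while the sibling helpers _ebpf_core_map_update_element and _ebpf_core_map_delete_element later in this file return int64_t, even though all of them return a negated ebpf_result_t. Pick one width for the whole helper family so the value placed in the program's return register is sign-extended the same way everywhere, and make sure the declared return type wherever these helper signatures are published to callers agrees with whichever width is chosen.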
@@ -359,6 +359,13 @@ _ebpf_core_protocol_load_code(_In_ const ebpf_operation_load_code_request_t* req
uint8_t* code = NULL;
size_t code_length = 0;

if (request->code_type <= EBPF_CODE_NONE || request->code_type >= EBPF_CODE_MAX) {
retval = EBPF_INVALID_ARGUMENT;
EBPF_LOG_MESSAGE_UINT64(
EBPF_TRACELOG_LEVEL_ERROR, EBPF_TRACELOG_KEYWORD_CORE, "load_code: Invalid code type", request->code_type);
goto Done;
}

if (request->code_type == EBPF_CODE_NATIVE) {
retval = EBPF_INVALID_ARGUMENT;
EBPF_LOG_MESSAGE(
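Review bot: with the new range check in place, the EBPF_CODE_NATIVE rejection immediately below is a second early-out on the same request field; consider folding both into one validation that names exactly the code types this handler is willing to load, so the accepted set is stated once. Note also that `request->code_type <= EBPF_CODE_NONE` only rejects more than the zero value if the enum is signed; if it is unsigned the check reduces to `== EBPF_CODE_NONE`, which is fine as long as EBPF_CODE_NONE remains the lowest enumerator.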
@@ -898,6 +905,11 @@ _ebpf_core_protocol_map_update_element_batch(

key_and_value_length = (size_t)map_definition->key_size + (size_t)map_definition->value_size;

if (key_and_value_length == 0) {
retval = EBPF_INVALID_ARGUMENT;
goto Done;
}

if ((data_length % key_and_value_length) != 0) {
retval = EBPF_INVALID_ARGUMENT;
goto Done;
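Review bot: this guard rejects only key_size + value_size == 0, while the matching guard in _ebpf_core_protocol_map_delete_element_batch rejects key_size == 0 outright. A definition with key_size == 0 and a nonzero value_size passes here and every element in the batch is then parsed with an empty key; if that is not a legal shape for batch update, check key_size (and value_size) individually, and preferably reject such definitions at map creation so each protocol handler does not need its own divide-by-zero guard.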
@@ -1007,7 +1019,7 @@ _ebpf_core_protocol_map_delete_element_batch(

const ebpf_map_definition_in_memory_t* map_definition = ebpf_map_get_definition(map);

if (key_length % map_definition->key_size != 0) {
if (map_definition->key_size == 0 || key_length % map_definition->key_size != 0) {
retval = EBPF_INVALID_ARGUMENT;
goto Done;
}
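Review bot: the key_size == 0 guard removes the division by zero, but key_length == 0 still satisfies the modulo test and proceeds as an empty batch; if an empty delete batch is not meaningful, reject it here with EBPF_INVALID_ARGUMENT as well so a fuzzer-generated zero-length request does not run the delete loop with a count of zero.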
@@ -1839,6 +1851,24 @@ ebpf_core_get_handle_by_id(ebpf_object_type_t type, ebpf_id_t id, _Out_ ebpf_han
EBPF_RETURN_RESULT(result);
}

_Must_inspect_result_ ebpf_result_t
ebpf_core_get_id_and_type_from_handle(ebpf_handle_t handle, _Out_ ebpf_id_t* id, _Out_ ebpf_object_type_t* type)
{
EBPF_LOG_ENTRY();
ebpf_core_object_t* object;
ebpf_result_t result = EBPF_OBJECT_REFERENCE_BY_HANDLE(handle, EBPF_OBJECT_UNKNOWN, &object);
if (result != EBPF_SUCCESS) {
return result;
}

*id = object->id;
*type = object->type;

EBPF_OBJECT_RELEASE_REFERENCE(object);

return EBPF_SUCCESS;
}

static ebpf_result_t
_get_handle_by_id(
ebpf_object_type_t type,
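Review bot: ebpf_core_get_id_and_type_from_handle calls EBPF_LOG_ENTRY() but exits through plain `return` statements, unlike ebpf_core_get_handle_by_id just above it, which pairs the entry macro with EBPF_RETURN_RESULT(result). Use EBPF_RETURN_RESULT on both exit paths so the entry/exit trace stays balanced, and document that *id and *type are left untouched when the handle lookup fails.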
@@ -1978,10 +2008,31 @@ _ebpf_core_protocol_get_object_info(
uint16_t reply_length)
{
EBPF_LOG_ENTRY();
uint16_t info_size = reply_length - FIELD_OFFSET(ebpf_operation_get_object_info_reply_t, info);
size_t output_buffer_size = reply_length;
size_t input_buffer_size = request->header.length;

ebpf_result_t result = ebpf_safe_size_t_subtract(
output_buffer_size, FIELD_OFFSET(ebpf_operation_get_object_info_reply_t, info), &output_buffer_size);

if (result != EBPF_SUCCESS) {
return result;
}

result = ebpf_safe_size_t_subtract(
input_buffer_size, FIELD_OFFSET(ebpf_operation_get_object_info_request_t, info), &input_buffer_size);

if (result != EBPF_SUCCESS) {
return result;
}

if (input_buffer_size > UINT16_MAX || output_buffer_size > UINT16_MAX) {
return EBPF_INVALID_ARGUMENT;
}

uint16_t info_size = (uint16_t)output_buffer_size;

ebpf_core_object_t* object;
ebpf_result_t result = EBPF_OBJECT_REFERENCE_BY_HANDLE(request->handle, EBPF_OBJECT_UNKNOWN, &object);
result = EBPF_OBJECT_REFERENCE_BY_HANDLE(request->handle, EBPF_OBJECT_UNKNOWN, &object);
if (result != EBPF_SUCCESS) {
return result;
}
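Review bot: a reply or request buffer shorter than its fixed header now returns whatever ebpf_safe_size_t_subtract reports, while the over-size case a few lines later returns EBPF_INVALID_ARGUMENT. Both are malformed-request errors from the caller's point of view; map the subtract failure to EBPF_INVALID_ARGUMENT too so user mode sees a single error code for a bad buffer size. Since input_buffer_size is taken from request->header.length, this check is also only as good as the dispatcher's verification that header.length does not exceed the bytes actually supplied with the IOCTL.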
@@ -1995,7 +2046,8 @@ _ebpf_core_protocol_get_object_info(
result = ebpf_map_get_info((ebpf_map_t*)object, reply->info, &info_size);
break;
case EBPF_OBJECT_PROGRAM:
result = ebpf_program_get_info((ebpf_program_t*)object, request->info, reply->info, &info_size);
result = ebpf_program_get_info(
(ebpf_program_t*)object, request->info, (uint16_t)input_buffer_size, reply->info, &info_size);
break;
default:
result = EBPF_INVALID_ARGUMENT;
@@ -2124,6 +2176,12 @@ _ebpf_core_map_find_element(ebpf_map_t* map, const uint8_t* key)
{
ebpf_result_t retval;
uint8_t* value;
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return NULL;
}

retval = ebpf_map_find_entry(map, 0, key, sizeof(&value), (uint8_t*)&value, EBPF_MAP_FLAG_HELPER);
if (retval != EBPF_SUCCESS) {
return NULL;
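Review bot: these NULL-map early returns are labelled a temporary workaround for a bpf2c_fuzzer bug (issue 4017), yet they are compiled into the production helper path unconditionally; gate them on the FUZZER_BUILD define that the fuzzer configuration already sets via /DFUZZER_BUILD, or at minimum add a tracking reference so they are removed when the issue closes. Also, "Workadound" in the comment should read "Workaround" (the same typo is repeated in each copy of the comment below).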
@@ -2135,12 +2193,22 @@ _ebpf_core_map_find_element(ebpf_map_t* map, const uint8_t* key)
static int64_t
_ebpf_core_map_update_element(ebpf_map_t* map, const uint8_t* key, const uint8_t* value, uint64_t flags)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}
return -ebpf_map_update_entry(map, 0, key, 0, value, flags, EBPF_MAP_FLAG_HELPER);
}

static int64_t
_ebpf_core_map_delete_element(ebpf_map_t* map, const uint8_t* key)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}
return -ebpf_map_delete_entry(map, 0, key, EBPF_MAP_FLAG_HELPER);
}

@@ -2149,6 +2217,11 @@ _ebpf_core_map_find_and_delete_element(_Inout_ ebpf_map_t* map, _In_ const uint8
{
ebpf_result_t retval;
uint8_t* value;
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return NULL;
}
retval = ebpf_map_find_entry(
map, 0, key, sizeof(&value), (uint8_t*)&value, EBPF_MAP_FLAG_HELPER | EBPF_MAP_FIND_FLAG_DELETE);
if (retval != EBPF_SUCCESS) {
@@ -2161,6 +2234,12 @@ _ebpf_core_map_find_and_delete_element(_Inout_ ebpf_map_t* map, _In_ const uint8
static int64_t
_ebpf_core_tail_call(void* context, ebpf_map_t* map, uint32_t index)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}

// Get program from map[index].
ebpf_program_t* callee = ebpf_map_get_program_from_entry(map, sizeof(index), (uint8_t*)&index);
if (callee == NULL) {
@@ -2387,26 +2466,47 @@ static int
_ebpf_core_ring_buffer_output(
_Inout_ ebpf_map_t* map, _In_reads_bytes_(length) uint8_t* data, size_t length, uint64_t flags)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}

// This function implements bpf_ringbuf_output helper function, which returns negative error in case of failure.
UNREFERENCED_PARAMETER(flags);
return -ebpf_ring_buffer_map_output(map, data, length);
}

static uint64_t
static int
_ebpf_core_map_push_elem(_Inout_ ebpf_map_t* map, _In_ const uint8_t* value, uint64_t flags)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}
return -ebpf_map_push_entry(map, 0, value, (int)flags | EBPF_MAP_FLAG_HELPER);
}

static uint64_t
static int
_ebpf_core_map_pop_elem(_Inout_ ebpf_map_t* map, _Out_ uint8_t* value)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}
return -ebpf_map_pop_entry(map, 0, value, EBPF_MAP_FLAG_HELPER);
}

static uint64_t
static int
_ebpf_core_map_peek_elem(_Inout_ ebpf_map_t* map, _Out_ uint8_t* value)
{
// Workadound for bug (https://github.com/microsoft/ebpf-for-windows/issues/4017) in bpf2c_fuzzer that crashes with
// null map pointer. Remove when fixed.
if (map == NULL) {
return -EBPF_INVALID_ARGUMENT;
}
return -ebpf_map_peek_entry(map, 0, value, EBPF_MAP_FLAG_HELPER);
}
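Review bot: in _ebpf_core_ring_buffer_output the new NULL-map early return is inserted above the comment that explains the function's negative-error contract and above UNREFERENCED_PARAMETER(flags), so that comment now reads as if it described only the ebpf_ring_buffer_map_output call; move the workaround below those two lines. The push/pop/peek definitions do match the int prototypes changed at the top of the file.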

12 changes: 12 additions & 0 deletions libs/execution_context/ebpf_core.h
@@ -194,6 +194,18 @@ extern "C"
_Must_inspect_result_ ebpf_result_t
ebpf_core_get_handle_by_id(ebpf_object_type_t type, ebpf_id_t id, _Out_ ebpf_handle_t* handle);

/**
* @brief Query the ID and type of the object associated with the provided handle.
*
* @param[in] handle Handle of the object to query.
* @param[out] id The ID of the object.
* @param[out] type The type of the object.
* @retval EBPF_SUCCESS The operation was successful.
* @retval EBPF_INVALID_OBJECT The provided handle is not valid.
*/
_Must_inspect_result_ ebpf_result_t
ebpf_core_get_id_and_type_from_handle(ebpf_handle_t handle, _Out_ ebpf_id_t* id, _Out_ ebpf_object_type_t* type);

/**
* @brief Resolve the provided map handles to map addresses and associate the
* maps to the program object.
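Review bot: the @retval list documents EBPF_INVALID_OBJECT for a bad handle, but the implementation in ebpf_core.c simply propagates the result of EBPF_OBJECT_REFERENCE_BY_HANDLE; verify that this is the code actually returned for an invalid handle, and state in the @brief that neither out parameter is written on failure.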