Cannot compile backwards jump

[jschwinger233]

libpcap in some cases generates "backwards jump" in cbpf, e.g. tcpdump -d ip6 protochain 17:

~ $ tcpdump -d ip6 protochain 17 
Warning: assuming Ethernet
(000) ldh      [12]
(001) jeq      #0x86dd          jt 2       jf 35
(002) ldb      [20]
(003) ldx      #0x28
(004) jeq      #0x11            jt 32     jf 5
(005) jeq      #0x3b            jt 32     jf 6
(006) jeq      #0x0             jt 10     jf 7
(007) jeq      #0x3c            jt 10     jf 8
(008) jeq      #0x2b            jt 10     jf 9
(009) jeq      #0x2c            jt 10     jf 19
(010) ldb      [x + 14]
(011) st       M[0]
(012) ldb      [x + 15]
(013) add      #1
(014) mul      #8
(015) add      x
(016) tax      
(017) ld       M[0]
(018) ja       4
(019) jeq      #0x33            jt 20     jf 32
(020) txa      
(021) ldb      [x + 14]
(022) st       M[0]
(023) txa      
(024) add      #1
(025) tax      
(026) ldb      [x + 14]
(027) add      #2
(028) mul      #4
(029) tax      
(030) ld       M[0]
(031) ja       4
(032) add      #0
(033) jeq      #0x11            jt 34     jf 35
(034) ret      #262144
(035) ret      #0

The (018) ja 4 jumps to (004), so called "backwards jump".

Currenly cbpfc has two issues handling backwards jump:

1. The pos and skip are of type uint (uint64 in 64-bit system), leading to wrong jump destination calculation: Fix jump calculation #36
2. Even with the Fix jump calculation #36, cbpfc spins in the loop inside splitBlocks forever:

   cbpfc/cbpfc.go

   Line 470 in ff978e9

   for len(targets) > 0 {

   .

The libpcap generated backwards jump in my opinion is safe and mustn't cause infinite loop, because reg X gets increased in each loop.

[arthurfabre]

libpcap generates backwards jumps, but they aren't supported by the linux kernel:

> sudo tcpdump ip6 protochain 58
Warning: Kernel filter failed: Invalid argument

They're rejected by bpf_convert_filter, which does (added some types and expanded the macro manually):

int target = i + fp->k + 1;
...
if (target >= len || target < 0)
	goto err;

target is a signed 32 bit int on most platforms, so overflowing it will make it negative and return EINVAL.

The goal of this library is only to convert classic BPF as supported by the kernel, so I think this is out of scope.

[jschwinger233]

@arthurfabre Thanks for the feedback, can you share your kernel version and distro?

On my ubuntu 2404 6.11.0-26-generic, tcpdump ip6 protochain 58 seems to be working well:

$ sudo tcpdump ip6 protochain 58
Warning: Kernel filter failed: Invalid argument
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
[...]
^C
10 packets captured
133 packets received by filter
0 packets dropped by kernel

[jschwinger233]

Regarding the kernel source, I think in this case the target is not negative?

#include <stdio.h>
#include <stdint.h>

void main()
{
	int target, i;
	uint32_t fp_k;

	i = 18;
	fp_k = 0xfffffff1;

	target = i + fp_k + 1;

	printf("target = %d\n", target);
}

And the result is:

$ gcc main.c && ./a.out
target = 4

I think this is because fp->k is of type u32, so (s32) i + (u32) fp->k + 1 will be promoted to (u32) i + (u32) fp->k + 1

This is because the target is not actually overflowed. fp->k is overflowed and seen as -14 in 2's complement. After adding to 18, the result is 4.

[arthurfabre]

On my ubuntu 2404 6.11.0-26-generic, tcpdump ip6 protochain 58 seems to be working well:

$ sudo tcpdump ip6 protochain 58
Warning: Kernel filter failed: Invalid argument
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wlp0s20f3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
[...]
^C
10 packets captured
133 packets received by filter
0 packets dropped by kernel

The Warning: Kernel filter failed: Invalid argument message means libpcap couldn't load the filter in the kernel, so it instead captures all packets and filters them in userspace: https://github.com/the-tcpdump-group/libpcap/blob/0276de45b4a6037a31dc557a557d7b8723571d01/pcap-linux.c#L4719

This doesn't seem to be a bug, the man page (https://www.tcpdump.org/manpages/pcap-filter.7.html) says:

ip6 protochain protocol
[...] The BPF code emitted by this primitive is complex and cannot be optimized by the BPF optimizer code, and is not supported by filter engines in the kernel [...]

Regarding the kernel source, I think in this case the target is not negative?

You're right, with i it can be non-negative. This is the check that actually catches it: https://elixir.bootlin.com/linux/v6.15.1/source/net/core/filter.c#L1113.

[jschwinger233]

The Warning: Kernel filter failed: Invalid argument message means libpcap couldn't load the filter in the kernel, so it instead captures all packets and filters them in userspace

Yes you are right, I'm so blind 🙀 Thank you for pointing out. Then I agree with your conclusion of "out of scope".