132 lines
3.4 KiB
Diff
132 lines
3.4 KiB
Diff
From b237aeff41840f0c7968d02ed3d461fa9fa8fb70 Mon Sep 17 00:00:00 2001
|
|
From: Florian Westphal <fw@strlen.de>
|
|
Date: Fri, 8 Mar 2024 20:57:26 +0100
|
|
Subject: [PATCH] tests: shell: add regression test for double-free crash bug
|
|
|
|
BUG: KASAN: slab-use-after-free in nf_tables_set_elem_destroy+0x55/0x160
|
|
Call Trace:
|
|
nf_tables_set_elem_destroy+0x55/0x160
|
|
nf_tables_set_elem_destroy+0x55/0x160
|
|
nft_pipapo_destroy+0x3b4/0x5a0
|
|
nft_set_destroy+0x118/0x3a0
|
|
nf_tables_trans_destroy_work+0x4f2/0xa80
|
|
|
|
This is a test case for the bug fiex with kernel commit
|
|
b0e256f3dd2b ("netfilter: nft_set_pipapo: release elements in clone only from destroy path").
|
|
|
|
Reported-by: lonial con <kongln9170@gmail.com>
|
|
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
---
|
|
.../testcases/transactions/concat_range_abort | 28 +++++++++++
|
|
.../dumps/concat_range_abort.json-nft | 47 +++++++++++++++++++
|
|
.../transactions/dumps/concat_range_abort.nft | 8 ++++
|
|
3 files changed, 83 insertions(+)
|
|
create mode 100755 tests/shell/testcases/transactions/concat_range_abort
|
|
create mode 100644 tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft
|
|
create mode 100644 tests/shell/testcases/transactions/dumps/concat_range_abort.nft
|
|
|
|
diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort
|
|
new file mode 100755
|
|
index 00000000..b2bbe37b
|
|
--- /dev/null
|
|
+++ b/tests/shell/testcases/transactions/concat_range_abort
|
|
@@ -0,0 +1,28 @@
|
|
+#!/bin/bash
|
|
+
|
|
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
|
|
+
|
|
+set -e
|
|
+
|
|
+$NFT -f /dev/stdin <<EOF
|
|
+table ip x {
|
|
+ map m {
|
|
+ typeof ip saddr . meta mark : verdict
|
|
+ flags interval
|
|
+ counter
|
|
+ elements = {
|
|
+ 127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : jump foo,
|
|
+ }
|
|
+ }
|
|
+
|
|
+ chain foo {
|
|
+ accept
|
|
+ }
|
|
+}
|
|
+EOF
|
|
+
|
|
+$NFT -f /dev/stdin <<EOF
|
|
+add chain ip x bar
|
|
+add element ip x m { 1.2.3.4 . 42 : jump bar }
|
|
+delete set ip x m
|
|
+EOF
|
|
diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft
|
|
new file mode 100644
|
|
index 00000000..8db71894
|
|
--- /dev/null
|
|
+++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft
|
|
@@ -0,0 +1,47 @@
|
|
+{
|
|
+ "nftables": [
|
|
+ {
|
|
+ "metainfo": {
|
|
+ "version": "VERSION",
|
|
+ "release_name": "RELEASE_NAME",
|
|
+ "json_schema_version": 1
|
|
+ }
|
|
+ },
|
|
+ {
|
|
+ "table": {
|
|
+ "family": "ip",
|
|
+ "name": "x",
|
|
+ "handle": 0
|
|
+ }
|
|
+ },
|
|
+ {
|
|
+ "chain": {
|
|
+ "family": "ip",
|
|
+ "table": "x",
|
|
+ "name": "foo",
|
|
+ "handle": 0
|
|
+ }
|
|
+ },
|
|
+ {
|
|
+ "chain": {
|
|
+ "family": "ip",
|
|
+ "table": "x",
|
|
+ "name": "bar",
|
|
+ "handle": 0
|
|
+ }
|
|
+ },
|
|
+ {
|
|
+ "rule": {
|
|
+ "family": "ip",
|
|
+ "table": "x",
|
|
+ "chain": "foo",
|
|
+ "handle": 0,
|
|
+ "expr": [
|
|
+ {
|
|
+ "accept": null
|
|
+ }
|
|
+ ]
|
|
+ }
|
|
+ }
|
|
+ ]
|
|
+}
|
|
diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft
|
|
new file mode 100644
|
|
index 00000000..06adca7a
|
|
--- /dev/null
|
|
+++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft
|
|
@@ -0,0 +1,8 @@
|
|
+table ip x {
|
|
+ chain foo {
|
|
+ accept
|
|
+ }
|
|
+
|
|
+ chain bar {
|
|
+ }
|
|
+}
|
|
--
|
|
2.33.0
|
|
|