]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a2a7fbd)
tests: shell: add regression test for double-free crash bug
authorFlorian Westphal <fw@strlen.de>
Fri, 8 Mar 2024 19:57:26 +0000 (20:57 +0100)
committerFlorian Westphal <fw@strlen.de>
Tue, 2 Apr 2024 13:46:14 +0000 (15:46 +0200)
BUG: KASAN: slab-use-after-free in nf_tables_set_elem_destroy+0x55/0x160
Call Trace:
 nf_tables_set_elem_destroy+0x55/0x160
 nf_tables_set_elem_destroy+0x55/0x160
 nft_pipapo_destroy+0x3b4/0x5a0
 nft_set_destroy+0x118/0x3a0
 nf_tables_trans_destroy_work+0x4f2/0xa80

This is a test case for the bug fiex with kernel commit
b0e256f3dd2b ("netfilter: nft_set_pipapo: release elements in clone only from destroy path").

Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
tests/shell/testcases/transactions/concat_range_abort [new file with mode: 0755] patch | blob
tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft [new file with mode: 0644] patch | blob
tests/shell/testcases/transactions/dumps/concat_range_abort.nft [new file with mode: 0644] patch | blob

diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort
new file mode 100755 (executable)
index 0000000..b2bbe37
--- /dev/null
+++ b/tests/shell/testcases/transactions/concat_range_abort
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo)
+
+set -e
+
+$NFT -f /dev/stdin <<EOF
+table ip x {
+        map m {
+                typeof ip saddr . meta mark : verdict
+                flags interval
+                counter
+                elements = {
+                        127.0.0.1-127.0.0.4 . 0x123434-0xb00122 : jump foo,
+                }
+        }
+
+       chain foo {
+               accept
+       }
+}
+EOF
+
+$NFT -f /dev/stdin <<EOF
+add chain ip x bar
+add element ip x m { 1.2.3.4 . 42 : jump bar }
+delete set ip x m
+EOF
diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft
new file mode 100644 (file)
index 0000000..8db7189
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft
@@ -0,0 +1,47 @@
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "VERSION",
+        "release_name": "RELEASE_NAME",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "ip",
+        "name": "x",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "x",
+        "name": "foo",
+        "handle": 0
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "x",
+        "name": "bar",
+        "handle": 0
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "x",
+        "chain": "foo",
+        "handle": 0,
+        "expr": [
+          {
+            "accept": null
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/tests/shell/testcases/transactions/dumps/concat_range_abort.nft b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft
new file mode 100644 (file)
index 0000000..06adca7
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/concat_range_abort.nft
@@ -0,0 +1,8 @@
+table ip x {
+       chain foo {
+               accept
+       }
+
+       chain bar {
+       }
+}
Mirror of git://git.netfilter.org/nftables