From: Florian Westphal <fw@strlen.de>
Date: Tue, 22 Feb 2022 12:51:09 +0000 (+0100)
Subject: tests: add test case for flowtable with owner flag
X-Git-Tag: v1.0.3~87
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9eb98b3bd5cf21fcbef04c46cfc078579e56ff17;p=thirdparty%2Fnftables.git

tests: add test case for flowtable with owner flag

BUG: KASAN: use-after-free in nf_hook_entries_grow+0x675/0x980
Read of size 4 at ... nft/19662
 nf_hook_entries_grow+0x675/0x980

This is fixed by kernel commit 6069da443bf
("netfilter: nf_tables: unregister flowtable hooks on netns exit").

The test case here uses owner flag, netlink event handler doesn't
release the flowtable, next attempt to add one then causes uaf because
of dangling ingress hook reference.

Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf
new file mode 100755
index 00000000..4efbe75c
--- /dev/null
+++ b/tests/shell/testcases/owner/0001-flowtable-uaf
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+  devices = { lo }
+ }
+}
+EOF
+
+# trigger uaf.
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+  devices = { lo }
+ }
+}
+EOF