From 359a2fd62f924d1b3899ffe26f0b635ffa7a0448 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 10 Sep 2024 11:47:44 +0200
Subject: [PATCH] tests: shell: add test for kernel stack recursion bug

Validate that such ruleset updates get rejected.

Signed-off-by: Florian Westphal
---
 .../dumps/validation_recursion.sh.nodump | 0
 .../transactions/validation_recursion.sh | 39 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump
 create mode 100755 tests/shell/testcases/transactions/validation_recursion.sh
diff --git a/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/shell/testcases/transactions/validation_recursion.sh b/tests/shell/testcases/transactions/validation_recursion.sh
new file mode 100755
index 00000000..bc3ebcc1
--- /dev/null
+++ b/tests/shell/testcases/transactions/validation_recursion.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# regression check for kernel commit
+# cff3bd012a95 ("netfilter: nf_tables: prefer nft_chain_validate")
+
+chains=100
+
+# first create skeleton, linear list
+# of 1k jumps, c1 -> c2 .. -> c100.
+#
+# not caught, commit phase validation doesn't care about
+# non-base chains.
+(
+ echo add table ip t
+
+ for i in $(seq 1 $chains);do
+ echo add chain t c$i
+ done
+
+ for i in $(seq 1 $((chains-1)) );do
+ echo add rule t c$i jump c$((i+1))
+ done
+) | $NFT -f -
+
+# now link up c0 to c1. This triggers register-store validation for
+# c1. Old algorithm is recursive and will blindly chase the entire
+# list of chains created above. On older kernels, this will cause kernel
+# stack overflow/guard page crash.
+$NFT -f - <&2
+ exit 1
+fi
+
+$NFT delete table ip t
--
2.47.2
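Review bot: The skeleton pipeline `) | $NFT -f -` in validation_recursion.sh never checks its exit status, so if creating table t or the c1..c100 chain list fails, the later load of c0 is rejected merely because c1 does not exist and the test passes without exercising the validation path it is meant to cover; `) | $NFT -f - || exit 1` would surface that setup failure instead. The comment `# of 1k jumps, c1 -> c2 .. -> c100.` also disagrees with `chains=100`, which produces 99 jumps, so `# of 99 jumps, c1 -> c2 .. -> c100.` would match the code. The lines between `$NFT -f - <` and `exit 1` are not legible in this copy of the hunk, so the status check on the second load is not reviewed here.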