author | Florian Westphal <fw@strlen.de> | 2024-09-10 11:47:44 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2024-09-10 11:47:56 +0200 |
commit | 359a2fd62f924d1b3899ffe26f0b635ffa7a0448 (patch) | |
tree | 19902214a7206cbd42aaf0ff1c7a8f02cfb48348 /tests | |
parent | d361be1f8734461e27117f6c569acf2189fcf81e (diff) |
tests: shell: add test for kernel stack recursion bug
Validate that such ruleset updates get rejected.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump | 0 | ||||
-rwxr-xr-x | tests/shell/testcases/transactions/validation_recursion.sh | 39 |
2 files changed, 39 insertions, 0 deletions
diff --git a/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/shell/testcases/transactions/dumps/validation_recursion.sh.nodump
diff --git a/tests/shell/testcases/transactions/validation_recursion.sh b/tests/shell/testcases/transactions/validation_recursion.sh
new file mode 100755
index 00000000..bc3ebcc1
--- /dev/null
+++ b/tests/shell/testcases/transactions/validation_recursion.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# regression check for kernel commit
+# cff3bd012a95 ("netfilter: nf_tables: prefer nft_chain_validate")
+
+chains=100
+
+# first create skeleton, linear list
+# of 1k jumps, c1 -> c2 .. -> c100.
+#
+# not caught, commit phase validation doesn't care about
+# non-base chains.
+(
+ echo add table ip t
+
+ for i in $(seq 1 $chains);do
+ echo add chain t c$i
+ done
+
+ for i in $(seq 1 $((chains-1)) );do
+ echo add rule t c$i jump c$((i+1))
+ done
+) | $NFT -f -
+
+# now link up c0 to c1. This triggers register-store validation for
+# c1. Old algorithm is recursive and will blindly chase the entire
+# list of chains created above. On older kernels, this will cause kernel
+# stack overflow/guard page crash.
+$NFT -f - <<EOF
+add chain t c0 { type filter hook input priority 0; }
+add rule t c0 jump c1
+EOF
+
+if [ $? -eq 0 ] ; then
+ echo "E: loaded bogus ruleset" >&2
+ exit 1
+fi
+
+$NFT delete table ip t
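Review bot: The skeleton load at `) | $NFT -f -` is never checked, so if that first ruleset fails to load (no table `t`, no chains c1..c100) the second `$NFT -f -` with `add rule t c0 jump c1` is rejected for an unrelated reason, `$?` is non-zero, and the regression test passes without ever exercising the kernel validation path it is meant to cover. Fail loudly instead: `) | $NFT -f - || { echo "E: could not load skeleton ruleset" >&2; exit 1; }`. The header comment also says "linear list of 1k jumps" while `chains=100` and the `seq 1 $((chains-1))` loop produce 99 jumps, so the comment should read `# of 99 jumps, c1 -> c2 .. -> c100.` or state the count via `$chains`. The check only asserts a non-zero exit, which is presumably all the test harness can rely on across kernel versions; if a stable error string is expected, capturing stderr and matching it would make the rejection reason explicit.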