From 9eb98b3bd5cf21fcbef04c46cfc078579e56ff17 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Tue, 22 Feb 2022 13:51:09 +0100
Subject: tests: add test case for flowtable with owner flag

BUG: KASAN: use-after-free in nf_hook_entries_grow+0x675/0x980
Read of size 4 at ... nft/19662
 nf_hook_entries_grow+0x675/0x980

This is fixed by kernel commit 6069da443bf
("netfilter: nf_tables: unregister flowtable hooks on netns exit").

The test case here uses owner flag, netlink event handler doesn't
release the flowtable, next attempt to add one then causes uaf because
of dangling ingress hook reference.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/shell/testcases/owner/0001-flowtable-uaf | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100755 tests/shell/testcases/owner/0001-flowtable-uaf

(limited to 'tests/shell/testcases/owner')

diff --git a/tests/shell/testcases/owner/0001-flowtable-uaf b/tests/shell/testcases/owner/0001-flowtable-uaf
new file mode 100755
index 00000000..4efbe75c
--- /dev/null
+++ b/tests/shell/testcases/owner/0001-flowtable-uaf
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+  devices = { lo }
+ }
+}
+EOF
+
+# trigger uaf.
+$NFT -f - <<EOF
+table t {
+ flags owner
+ flowtable f {
+  devices = { lo }
+ }
+}
+EOF
-- 
cgit v1.2.3