From nobody Tue Jun 13 13:54:25 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QgVR55SWmz4cVf2; Tue, 13 Jun 2023 13:54:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QgVR548lRz3yfD; Tue, 13 Jun 2023 13:54:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1686664465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CMAcsOG3c0sruoGVsGDsRwjVmX9FU03EaUtOFTQCuUo=; b=fdZf3u8/JgPosBdcQV0WR4K+RkzHZvOomtNIn/2bJW5sAlBVPpifJq2u8w8Xm0pZF6bv6I Xk1c2SXE0LS1EeXYBitgSl5Wz5VceCKr51nmXOPoDpbqBvyiUoWwBMXpve0FbZIzD51+fL eeYFK9NmgkhdBH23jNnCg4QWP46ccxsnWsPSGEj7XC8U2VooMgaoj1C9HFduYTApWunORe uJI+9NP3VY3h2ekE7Zg+l0r/rrd046CCFlc6CbKUAyW64ID8yUiBgJVi9436vIaCrvbtPv B9LvOYTUCRZ6PcFl2GLirhxcIBBN/N+RTPLGB9BGm/HcdDAVdNLPFdU90rY4gA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1686664465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=CMAcsOG3c0sruoGVsGDsRwjVmX9FU03EaUtOFTQCuUo=; b=W2aQ06cKFfrmicChGPNe/3T3LbJnHLPBZPbnhyrD5Sv2xtQB/jP6snCHxxzQTukXtWuotk lcWF2IZp5EHgy618wMhxmYdLuA14F1LYxN5nb2zT5YPknBM4BB92GKqeqDxjbvjb1S02ZV 5PuvnJJv8oxDC5yg8ENC7q/4824twvd95L6LRl0+u2gYsQCN6oLnPTTnsCSXnYjy3MldmE BWEbbpFbczySZ12Kqwd/2u8hDWlClAM6IshxTgunmun9Z0RGE3s6WDBrgcXNIFbNGVTBIw QbDjYRSrww3QCkxsga6nxUyNgcRGnT17kz1YqMH7pZnmZelxd4UYZBN+GL+0mw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1686664465; a=rsa-sha256; cv=none; b=sfHy85myAUf8UxTLO2R+3j1AE+22ejEZTMxoW9GydPkFGmOrTX0YVrdtewlqEoIigiPhjH CUTBQkSgXvi6Sg2Aeg0H9IvCIzqXih+VEfWGqF7FdBheb2rmaeaqK9iKtC1/jfdpTAqUZD 4z1N3deTyRK6mkgofKha4VtMDgtSVo1iBVXHEj0pKD7LTI6g0rHv3oTZSBtEHcdEiFGkHZ RZFZHARZYY28RQObyxrFvifRDfpqKLr3toYO5+CxVUmeZUHNcp2AwqHlIwUuEXxWlaAfd/ FCFyj6ppNvL0sjPT1sxT2U5JSJ7PL1HYpKT0+QT8AOcQRhg/+6BQ1Bz/QxVkqA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QgVR52wZRzPnq; Tue, 13 Jun 2023 13:54:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 35DDsPXr073435; Tue, 13 Jun 2023 13:54:25 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 35DDsPSC073434; Tue, 13 Jun 2023 13:54:25 GMT (envelope-from git) Date: Tue, 13 Jun 2023 13:54:25 GMT Message-Id: <202306131354.35DDsPSC073434@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Kristof Provost Subject: git: 1e1bb5780c31 - main - dummynet tests: attempt to provoke wf2q+ use-after-free List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1e1bb5780c31d28ae041769b611b70b4f35c7ede Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=1e1bb5780c31d28ae041769b611b70b4f35c7ede commit 1e1bb5780c31d28ae041769b611b70b4f35c7ede Author: Kristof Provost AuthorDate: 2023-06-12 13:12:37 +0000 Commit: Kristof Provost CommitDate: 2023-06-13 13:51:48 +0000 dummynet tests: attempt to provoke wf2q+ use-after-free Attempt to provoke known use-after-free issues with WF2Q+. Sponsored by: Rubicon Communications, LLC ("Netgate") --- tests/sys/netpfil/common/dummynet.sh | 55 ++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/tests/sys/netpfil/common/dummynet.sh b/tests/sys/netpfil/common/dummynet.sh index 6f7981a043a8..9b8a93cba365 100644 --- a/tests/sys/netpfil/common/dummynet.sh +++ b/tests/sys/netpfil/common/dummynet.sh @@ -203,6 +203,59 @@ codel_cleanup() firewall_cleanup $1 } +wf2q_heap_head() +{ + atf_set descr 'Test WF2Q+, attempting to provoke use-after-free' + atf_set require.user root +} + +wf2q_heap_body() +{ + fw=$1 + firewall_init $fw + dummynet_init $fw + + j=dummynet_wf2q_heap_${fw}_ + + epair=$(vnet_mkepair) + epair_other=$(vnet_mkepair) + vnet_mkjail ${j}a ${epair}a + vnet_mkjail ${j}b ${epair}b ${epair_other}b + + jexec ${j}a ifconfig ${epair}a up mtu 9000 + va=$(jexec ${j}a ifconfig vlan create vlan 42 vlandev ${epair}a) + jexec ${j}a ifconfig ${va} 192.0.2.1/24 up #mtu 8000 + + jexec ${j}b ifconfig ${epair}b up mtu 9000 + vb=$(jexec ${j}b ifconfig vlan create vlan 42 vlandev ${epair}b) + jexec ${j}b ifconfig ${vb} 192.0.2.2/24 up #mtu 8000 + jexec ${j}b ifconfig ${epair_other}b up + + # Sanity check + atf_check -s exit:0 -o ignore \ + jexec ${j}b ping -c 1 192.0.2.1 + + jexec ${j}b dnctl pipe 1 config bw 10Mb queue 100 delay 500 droptail + jexec ${j}b dnctl sched 1 config pipe 1 type wf2q+ + jexec ${j}b dnctl queue 1 config pipe 1 droptail + + firewall_config ${j}b ${fw} \ + "pf" \ + "pass dnqueue 1" + + jexec ${j}a ping -f 192.0.2.2 & + sleep 1 + + jexec ${j}b ifconfig ${vb} destroy + + sleep 2 +} + +wf2q_heap_cleanup() +{ + firewall_cleanup $1 +} + queue_head() { atf_set descr 'Basic queue test' @@ -478,6 +531,8 @@ setup_tests \ codel \ ipfw \ pf \ + wf2q_heap \ + pf \ queue \ ipfw \ pf \