* [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks
@ 2023-07-27 15:00 Martin Doucha
2023-07-27 15:00 ` [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management Martin Doucha
` (4 more replies)
0 siblings, 5 replies; 15+ messages in thread
From: Martin Doucha @ 2023-07-27 15:00 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
lib/tst_netdevice.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/tst_netdevice.c b/lib/tst_netdevice.c
index 4a0442932..a57f506e9 100644
--- a/lib/tst_netdevice.c
+++ b/lib/tst_netdevice.c
@@ -332,6 +332,9 @@ static int change_ns(const char *file, const int lineno, const char *ifname,
ctx = create_request(file, lineno, RTM_NEWLINK, 0, &info, sizeof(info));
+ if (!ctx)
+ return 0;
+
if (!tst_rtnl_add_attr_string(file, lineno, ctx, IFLA_IFNAME, ifname)) {
tst_rtnl_destroy_context(file, lineno, ctx);
return 0;
@@ -411,6 +414,9 @@ static int modify_route(const char *file, const int lineno, unsigned int action,
ctx = create_request(file, lineno, action, flags, &info, sizeof(info));
+ if (!ctx)
+ return 0;
+
if (srcaddr && !tst_rtnl_add_attr(file, lineno, ctx, RTA_SRC, srcaddr,
srclen)) {
tst_rtnl_destroy_context(file, lineno, ctx);
--
2.41.0
* [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management
2023-07-27 15:00 [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Martin Doucha
@ 2023-07-27 15:00 ` Martin Doucha
2023-07-28 7:53 ` Cyril Hrubis
2023-07-28 12:09 ` Petr Vorel
2023-07-27 15:00 ` [LTP] [PATCH 3/3] Add test for CVE 2023-1829 Martin Doucha
` (3 subsequent siblings)
4 siblings, 2 replies; 15+ messages in thread
From: Martin Doucha @ 2023-07-27 15:00 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
include/tst_netdevice.h | 62 ++++++++++++++++++++++
lib/tst_netdevice.c | 114 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 176 insertions(+)
diff --git a/include/tst_netdevice.h b/include/tst_netdevice.h
index f02661208..95544814e 100644
--- a/include/tst_netdevice.h
+++ b/include/tst_netdevice.h
@@ -5,6 +5,8 @@
#ifndef TST_NETDEVICE_H
#define TST_NETDEVICE_H
+#include "tst_rtnetlink.h"
+
/* Find device index for given network interface name. */
int tst_netdev_index_by_name(const char *file, const int lineno,
const char *ifname);
@@ -122,4 +124,64 @@ int tst_netdev_remove_route_inet(const char *file, const int lineno,
tst_netdev_remove_route_inet(__FILE__, __LINE__, (ifname), (srcaddr), \
(srcprefix), (dstaddr), (dstprefix), (gateway))
+/*
+ * Add queueing discipline. Network interface name is optional.
+ */
+int tst_netdev_add_qdisc(const char *file, const int lineno,
+ const char *ifname, unsigned int family, unsigned int parent,
+ unsigned int handle, const char *qd_kind,
+ const struct tst_rtnl_attr_list *config);
+#define NETDEV_ADD_QDISC(ifname, family, parent, handle, qd_kind, config) \
+ tst_netdev_add_qdisc(__FILE__, __LINE__, (ifname), (family), \
+ (parent), (handle), (qd_kind), (config))
+
+/*
+ * Remove queueing discipline.
+ */
+int tst_netdev_remove_qdisc(const char *file, const int lineno,
+ const char *ifname, unsigned int family, unsigned int parent,
+ unsigned int handle, const char *qd_kind);
+#define NETDEV_REMOVE_QDISC(ifname, family, parent, handle, qd_kind) \
+ tst_netdev_remove_qdisc(__FILE__, __LINE__, (ifname), (family), \
+ (parent), (handle), (qd_kind))
+
+/*
+ * Add traffic class to queueing discipline. Network interface name is
+ * optional.
+ */
+int tst_netdev_add_traffic_class(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ const char *qd_kind, const struct tst_rtnl_attr_list *config);
+#define NETDEV_ADD_TRAFFIC_CLASS(ifname, parent, handle, qd_kind, config) \
+ tst_netdev_add_traffic_class(__FILE__, __LINE__, (ifname), (parent), \
+ (handle), (qd_kind), (config))
+
+int tst_netdev_remove_traffic_class(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ const char *qd_kind);
+#define NETDEV_REMOVE_TRAFFIC_CLASS(ifname, parent, handle, qd_kind) \
+ tst_netdev_remove_traffic_class(__FILE__, __LINE__, (ifname), \
+ (parent), (handle), (qd_kind))
+
+/*
+ * Add traffic filter to queueing discipline. Protocol should be en ETH_P_*
+ * constant in host byte order. Network interface name is optional.
+ */
+int tst_netdev_add_traffic_filter(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ unsigned int protocol, unsigned int priority, const char *f_kind,
+ const struct tst_rtnl_attr_list *config);
+#define NETDEV_ADD_TRAFFIC_FILTER(ifname, parent, handle, protocol, priority, \
+ f_kind, config) \
+ tst_netdev_add_traffic_filter(__FILE__, __LINE__, (ifname), (parent), \
+ (handle), (protocol), (priority), (f_kind), (config))
+
+int tst_netdev_remove_traffic_filter(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ unsigned int protocol, unsigned int priority, const char *f_kind);
+#define NETDEV_REMOVE_TRAFFIC_FILTER(ifname, parent, handle, protocol, \
+ priority, f_kind) \
+ tst_netdev_remove_traffic_filter(__FILE__, __LINE__, (ifname), \
+ (parent), (handle), (protocol), (priority), (f_kind))
+
#endif /* TST_NETDEVICE_H */
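Review bot: None of the new comment blocks in this hunk say what the helpers return, so a caller reading only the header cannot tell how failure is reported. Going by modify_qdisc() in the lib/tst_netdevice.c part of this patch, each helper returns 0 on failure and the non-zero result of tst_rtnl_send_validate() on success; a line such as `Returns non-zero on success, 0 on failure.` in each comment would record that. The comment above tst_netdev_add_traffic_filter() also has a typo: `en ETH_P_*` should read `an ETH_P_*`.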
diff --git a/lib/tst_netdevice.c b/lib/tst_netdevice.c
index a57f506e9..9701110a4 100644
--- a/lib/tst_netdevice.c
+++ b/lib/tst_netdevice.c
@@ -7,6 +7,7 @@
#include <linux/veth.h>
#include <sys/socket.h>
#include <net/if.h>
+#include <linux/pkt_sched.h>
#include "lapi/rtnetlink.h"
#define TST_NO_DEFAULT_MAIN
@@ -518,3 +519,116 @@ int tst_netdev_remove_route_inet(const char *file, const int lineno,
return modify_route_inet(file, lineno, RTM_DELROUTE, 0, ifname,
srcaddr, srcprefix, dstaddr, dstprefix, gateway);
}
+
+static int modify_qdisc(const char *file, const int lineno, const char *object,
+ unsigned int action, unsigned int nl_flags, const char *ifname,
+ unsigned int family, unsigned int parent, unsigned int handle,
+ unsigned int info, const char *qd_kind,
+ const struct tst_rtnl_attr_list *config)
+{
+ struct tst_rtnl_context *ctx;
+ int ret;
+ struct tcmsg msg = {
+ .tcm_family = family,
+ .tcm_handle = handle,
+ .tcm_parent = parent,
+ .tcm_info = info
+ };
+
+ if (!qd_kind) {
+ tst_brk_(file, lineno, TBROK,
+ "Queueing discipline name required");
+ return 0;
+ }
+
+ if (ifname) {
+ msg.tcm_ifindex = tst_netdev_index_by_name(file, lineno,
+ ifname);
+
+ if (msg.tcm_ifindex < 0) {
+ tst_brk_(file, lineno, TBROK, "Interface %s not found",
+ ifname);
+ return 0;
+ }
+ }
+
+ ctx = create_request(file, lineno, action, nl_flags, &msg, sizeof(msg));
+
+ if (!ctx)
+ return 0;
+
+ if (!tst_rtnl_add_attr_string(file, lineno, ctx, TCA_KIND, qd_kind)) {
+ tst_rtnl_destroy_context(file, lineno, ctx);
+ return 0;
+ }
+
+ if (config && !tst_rtnl_add_attr_list(file, lineno, ctx, config)) {
+ tst_rtnl_destroy_context(file, lineno, ctx);
+ return 0;
+ }
+
+ ret = tst_rtnl_send_validate(file, lineno, ctx);
+ tst_rtnl_destroy_context(file, lineno, ctx);
+
+ if (!ret) {
+ tst_brk_(file, lineno, TBROK,
+ "Failed to modify %s: %s", object,
+ tst_strerrno(tst_rtnl_errno));
+ }
+
+ return ret;
+}
+
+int tst_netdev_add_qdisc(const char *file, const int lineno,
+ const char *ifname, unsigned int family, unsigned int parent,
+ unsigned int handle, const char *qd_kind,
+ const struct tst_rtnl_attr_list *config)
+{
+ return modify_qdisc(file, lineno, "queueing discipline", RTM_NEWQDISC,
+ NLM_F_CREATE | NLM_F_EXCL, ifname, family, parent, handle, 0,
+ qd_kind, config);
+}
+
+int tst_netdev_remove_qdisc(const char *file, const int lineno,
+ const char *ifname, unsigned int family, unsigned int parent,
+ unsigned int handle, const char *qd_kind)
+{
+ return modify_qdisc(file, lineno, "queueing discipline", RTM_DELQDISC,
+ 0, ifname, family, parent, handle, 0, qd_kind, NULL);
+}
+
+int tst_netdev_add_traffic_class(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ const char *qd_kind, const struct tst_rtnl_attr_list *config)
+{
+ return modify_qdisc(file, lineno, "traffic class", RTM_NEWTCLASS,
+ NLM_F_CREATE | NLM_F_EXCL, ifname, AF_UNSPEC, parent, handle,
+ 0, qd_kind, config);
+}
+
+int tst_netdev_remove_traffic_class(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ const char *qd_kind)
+{
+ return modify_qdisc(file, lineno, "traffic class", RTM_DELTCLASS, 0,
+ ifname, AF_UNSPEC, parent, handle, 0, qd_kind, NULL);
+}
+
+int tst_netdev_add_traffic_filter(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ unsigned int protocol, unsigned int priority, const char *f_kind,
+ const struct tst_rtnl_attr_list *config)
+{
+ return modify_qdisc(file, lineno, "traffic filter", RTM_NEWTFILTER,
+ NLM_F_CREATE | NLM_F_EXCL, ifname, AF_UNSPEC, parent, handle,
+ TC_H_MAKE(priority << 16, htons(protocol)), f_kind, config);
+}
+
+int tst_netdev_remove_traffic_filter(const char *file, const int lineno,
+ const char *ifname, unsigned int parent, unsigned int handle,
+ unsigned int protocol, unsigned int priority, const char *f_kind)
+{
+ return modify_qdisc(file, lineno, "traffic filter", RTM_DELTFILTER,
+ 0, ifname, AF_UNSPEC, parent, handle,
+ TC_H_MAKE(priority << 16, htons(protocol)), f_kind, NULL);
+}
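Review bot: In tst_netdev_add_traffic_filter() and tst_netdev_remove_traffic_filter(), `priority` and `protocol` are `unsigned int`, but `TC_H_MAKE(priority << 16, htons(protocol))` keeps only the low 16 bits of each, so an out-of-range argument is silently truncated and the request may target a different filter instead of failing. A guard before the call, e.g. `if (priority > 0xffff || protocol > 0xffff) { tst_brk_(file, lineno, TBROK, "Filter priority/protocol out of range"); return 0; }`, would make the mistake visible. Separately, modify_qdisc() reports `"Queueing discipline name required"` even when `object` is a traffic class or filter; `"Missing kind for %s", object` would match the later `"Failed to modify %s: %s"` message.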
--
2.41.0
* [LTP] [PATCH 3/3] Add test for CVE 2023-1829
2023-07-27 15:00 [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Martin Doucha
2023-07-27 15:00 ` [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management Martin Doucha
@ 2023-07-27 15:00 ` Martin Doucha
2023-07-28 8:36 ` Petr Vorel
2023-08-04 9:23 ` Martin Doucha
2023-07-28 7:46 ` [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Cyril Hrubis
` (2 subsequent siblings)
4 siblings, 2 replies; 15+ messages in thread
From: Martin Doucha @ 2023-07-27 15:00 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/tcindex01.c | 156 ++++++++++++++++++++++++++++++++++++++
3 files changed, 158 insertions(+)
create mode 100644 testcases/cve/tcindex01.c
diff --git a/runtest/cve b/runtest/cve
index 7d1e84f89..f9b36a182 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -84,6 +84,7 @@ cve-2021-38604 mq_notify03
cve-2022-0847 dirtypipe
cve-2022-2590 dirtyc0w_shmem
cve-2022-23222 bpf_prog07
+cve-2023-1829 tcindex01
# Tests below may cause kernel memory leak
cve-2020-25704 perf_event_open03
cve-2022-0185 fsconfig03
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 90e8b191c..389354eaf 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -12,3 +12,4 @@ cve-2017-16939
cve-2017-17053
cve-2022-4378
icmp_rate_limit01
+tcindex01.c
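Review bot: The added entry `tcindex01.c` ignores the test's source file rather than the binary built from it; the other entries visible in this hunk (`cve-2022-4378`, `icmp_rate_limit01`) name binaries without an extension. The line should be `tcindex01`. As written, `git add` of the new source file needs `-f`, and the compiled `tcindex01` binary still shows up as untracked.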
diff --git a/testcases/cve/tcindex01.c b/testcases/cve/tcindex01.c
new file mode 100644
index 000000000..89569d1f7
--- /dev/null
+++ b/testcases/cve/tcindex01.c
@@ -0,0 +1,156 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2023 SUSE LLC <mdoucha@suse.cz>
+ */
+
+/*\
+ * CVE-2023-1829
+ *
+ * Test for use-after-free after removing tcindex traffic filter with certain
+ * parameters.
+ *
+ * Tcindex filter removed in:
+ *
+ * commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
+ * Author: Jamal Hadi Salim <jhs@mojatatu.com>
+ * Date: Tue Feb 14 08:49:14 2023 -0500
+ *
+ * net/sched: Retire tcindex classifier
+ */
+
+#include <linux/netlink.h>
+#include <linux/pkt_sched.h>
+#include <linux/pkt_cls.h>
+#include <linux/tc_act/tc_gact.h>
+#include "tst_test.h"
+#include "tst_rtnetlink.h"
+#include "tst_netdevice.h"
+#include "lapi/sched.h"
+#include "lapi/if_ether.h"
+#include "lapi/rtnetlink.h"
+
+#define DEVNAME "ltp_dummy1"
+
+static const uint32_t qd_handle = TC_H_MAKE(1 << 16, 0);
+static const uint32_t clsid = TC_H_MAKE(1 << 16, 1);
+static const uint32_t shift = 10;
+static const uint16_t mask = 0xffff;
+
+/* rtnetlink payloads */
+static const struct tc_htb_glob qd_opt = {
+ .rate2quantum = 10,
+ .version = 3,
+ .defcls = 30
+};
+static const struct tc_gact f_gact_param = {
+ .action = TC_ACT_SHOT
+};
+static struct tc_htb_opt cls_opt = {};
+
+/* htb qdisc and class options */
+static const struct tst_rtnl_attr_list qd_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_HTB_INIT, &qd_opt, sizeof(qd_opt), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+static const struct tst_rtnl_attr_list cls_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_HTB_PARMS, &cls_opt, sizeof(cls_opt), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+
+/* tcindex filter options */
+static const struct tst_rtnl_attr_list f_actopts[] = {
+ {TCA_GACT_PARMS, &f_gact_param, sizeof(f_gact_param), NULL},
+ {0, NULL, -1, NULL}
+};
+static const struct tst_rtnl_attr_list f_action[] = {
+ {1, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_ACT_KIND, "gact", 5, NULL},
+ {TCA_ACT_OPTIONS | NLA_F_NESTED, NULL, 0, f_actopts},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+static const struct tst_rtnl_attr_list f_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_TCINDEX_MASK, &mask, sizeof(mask), NULL},
+ {TCA_TCINDEX_SHIFT, &shift, sizeof(shift), NULL},
+ {TCA_TCINDEX_CLASSID, &clsid, sizeof(clsid), NULL},
+ {TCA_TCINDEX_ACT, &clsid, sizeof(clsid), f_action},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+
+static void setup(void)
+{
+ tst_setup_netns();
+ NETDEV_ADD_DEVICE(DEVNAME, "dummy");
+
+ cls_opt.rate.rate = cls_opt.ceil.rate = 256000;
+ cls_opt.buffer = 1000000 * 1600 / cls_opt.rate.rate;
+ cls_opt.cbuffer = 1000000 * 1600 / cls_opt.ceil.rate;
+}
+
+static void run(void)
+{
+ unsigned int i;
+
+ for (i = 0; i < 100; i++) {
+ NETDEV_ADD_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
+ "htb", qd_config);
+ NETDEV_ADD_TRAFFIC_CLASS(DEVNAME, qd_handle, clsid, "htb",
+ cls_config);
+ NETDEV_ADD_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP, 1,
+ "tcindex", f_config);
+ NETDEV_REMOVE_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP,
+ 1, "tcindex");
+
+ /* Wait at least one jiffy for use-after-free */
+ usleep(10000);
+
+ NETDEV_REMOVE_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
+ "htb");
+ }
+
+ if (tst_taint_check()) {
+ tst_res(TFAIL, "Kernel is vulnerable");
+ return;
+ }
+
+ tst_res(TPASS, "Nothing bad happened (yet)");
+}
+
+static void cleanup(void)
+{
+ NETDEV_REMOVE_DEVICE(DEVNAME);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .taint_check = TST_TAINT_W | TST_TAINT_D,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_VETH",
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ "CONFIG_NET_SCH_HTB",
+ "CONFIG_NET_CLS_TCINDEX",
+ NULL
+ },
+ .save_restore = (const struct tst_path_val[]) {
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+ {}
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "8c710f75256b"},
+ {"CVE", "2023-1829"},
+ {}
+ }
+};
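Review bot: `needs_kconfigs` lists `"CONFIG_VETH"`, but setup() creates the interface with `NETDEV_ADD_DEVICE(DEVNAME, "dummy")` and nothing in the file uses a veth pair, so the dependency should probably be `"CONFIG_DUMMY"`. As written, the test can be skipped on a kernel that could run it, and can end in TBROK on one that lacks the dummy driver. The header comment should also state that the verdict relies only on `tst_taint_check()` with `TST_TAINT_W | TST_TAINT_D`. A TPASS on a kernel where the freed object is touched without a warning or oops (for instance one built without KASAN) therefore does not show that the kernel is fixed; the `Nothing bad happened (yet)` message hints at this, but the doc block does not.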
--
2.41.0
* Re: [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks
2023-07-27 15:00 [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Martin Doucha
2023-07-27 15:00 ` [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management Martin Doucha
2023-07-27 15:00 ` [LTP] [PATCH 3/3] Add test for CVE 2023-1829 Martin Doucha
@ 2023-07-28 7:46 ` Cyril Hrubis
2023-07-28 8:17 ` Martin Doucha
2023-07-28 11:43 ` Petr Vorel
2023-08-04 13:28 ` [LTP] [PATCH v2 3/3] Add test for CVE 2023-1829 Martin Doucha
4 siblings, 1 reply; 15+ messages in thread
From: Cyril Hrubis @ 2023-07-28 7:46 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi!
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
> lib/tst_netdevice.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/lib/tst_netdevice.c b/lib/tst_netdevice.c
> index 4a0442932..a57f506e9 100644
> --- a/lib/tst_netdevice.c
> +++ b/lib/tst_netdevice.c
> @@ -332,6 +332,9 @@ static int change_ns(const char *file, const int lineno, const char *ifname,
>
> ctx = create_request(file, lineno, RTM_NEWLINK, 0, &info, sizeof(info));
>
> + if (!ctx)
> + return 0;
> +
> if (!tst_rtnl_add_attr_string(file, lineno, ctx, IFLA_IFNAME, ifname)) {
> tst_rtnl_destroy_context(file, lineno, ctx);
> return 0;
> @@ -411,6 +414,9 @@ static int modify_route(const char *file, const int lineno, unsigned int action,
>
> ctx = create_request(file, lineno, action, flags, &info, sizeof(info));
>
> + if (!ctx)
> + return 0;
> +
> if (srcaddr && !tst_rtnl_add_attr(file, lineno, ctx, RTA_SRC, srcaddr,
> srclen)) {
> tst_rtnl_destroy_context(file, lineno, ctx);
Shouldn't we tst_brk_() in these cases? This function is a base for
NETDEV_CHANGE_NS_*() which is used as a safe macro without checking its
return value.
--
Cyril Hrubis
chrubis@suse.cz
* Re: [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management
2023-07-27 15:00 ` [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management Martin Doucha
@ 2023-07-28 7:53 ` Cyril Hrubis
2023-07-28 8:21 ` Martin Doucha
2023-07-28 12:09 ` Petr Vorel
1 sibling, 1 reply; 15+ messages in thread
From: Cyril Hrubis @ 2023-07-28 7:53 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi!
> --- a/lib/tst_netdevice.c
> +++ b/lib/tst_netdevice.c
> @@ -7,6 +7,7 @@
> #include <linux/veth.h>
> #include <sys/socket.h>
> #include <net/if.h>
> +#include <linux/pkt_sched.h>
> #include "lapi/rtnetlink.h"
>
> #define TST_NO_DEFAULT_MAIN
> @@ -518,3 +519,116 @@ int tst_netdev_remove_route_inet(const char *file, const int lineno,
> return modify_route_inet(file, lineno, RTM_DELROUTE, 0, ifname,
> srcaddr, srcprefix, dstaddr, dstprefix, gateway);
> }
> +
> +static int modify_qdisc(const char *file, const int lineno, const char *object,
> + unsigned int action, unsigned int nl_flags, const char *ifname,
> + unsigned int family, unsigned int parent, unsigned int handle,
> + unsigned int info, const char *qd_kind,
> + const struct tst_rtnl_attr_list *config)
> +{
> + struct tst_rtnl_context *ctx;
> + int ret;
> + struct tcmsg msg = {
> + .tcm_family = family,
> + .tcm_handle = handle,
> + .tcm_parent = parent,
> + .tcm_info = info
> + };
> +
> + if (!qd_kind) {
> + tst_brk_(file, lineno, TBROK,
> + "Queueing discipline name required");
> + return 0;
> + }
> +
> + if (ifname) {
> + msg.tcm_ifindex = tst_netdev_index_by_name(file, lineno,
> + ifname);
> +
> + if (msg.tcm_ifindex < 0) {
> + tst_brk_(file, lineno, TBROK, "Interface %s not found",
> + ifname);
> + return 0;
> + }
> + }
> +
> + ctx = create_request(file, lineno, action, nl_flags, &msg, sizeof(msg));
> +
> + if (!ctx)
> + return 0;
> +
> + if (!tst_rtnl_add_attr_string(file, lineno, ctx, TCA_KIND, qd_kind)) {
> + tst_rtnl_destroy_context(file, lineno, ctx);
> + return 0;
> + }
> +
> + if (config && !tst_rtnl_add_attr_list(file, lineno, ctx, config)) {
> + tst_rtnl_destroy_context(file, lineno, ctx);
> + return 0;
> + }
Here as well, shouldn't we tst_brk_() consistently if we fail to prepare
the context?
> + ret = tst_rtnl_send_validate(file, lineno, ctx);
> + tst_rtnl_destroy_context(file, lineno, ctx);
> +
> + if (!ret) {
> + tst_brk_(file, lineno, TBROK,
> + "Failed to modify %s: %s", object,
> + tst_strerrno(tst_rtnl_errno));
> + }
> +
> + return ret;
> +}
> +
> +int tst_netdev_add_qdisc(const char *file, const int lineno,
> + const char *ifname, unsigned int family, unsigned int parent,
> + unsigned int handle, const char *qd_kind,
> + const struct tst_rtnl_attr_list *config)
> +{
> + return modify_qdisc(file, lineno, "queueing discipline", RTM_NEWQDISC,
> + NLM_F_CREATE | NLM_F_EXCL, ifname, family, parent, handle, 0,
> + qd_kind, config);
> +}
> +
> +int tst_netdev_remove_qdisc(const char *file, const int lineno,
> + const char *ifname, unsigned int family, unsigned int parent,
> + unsigned int handle, const char *qd_kind)
> +{
> + return modify_qdisc(file, lineno, "queueing discipline", RTM_DELQDISC,
> + 0, ifname, family, parent, handle, 0, qd_kind, NULL);
> +}
> +
> +int tst_netdev_add_traffic_class(const char *file, const int lineno,
> + const char *ifname, unsigned int parent, unsigned int handle,
> + const char *qd_kind, const struct tst_rtnl_attr_list *config)
> +{
> + return modify_qdisc(file, lineno, "traffic class", RTM_NEWTCLASS,
> + NLM_F_CREATE | NLM_F_EXCL, ifname, AF_UNSPEC, parent, handle,
> + 0, qd_kind, config);
> +}
> +
> +int tst_netdev_remove_traffic_class(const char *file, const int lineno,
> + const char *ifname, unsigned int parent, unsigned int handle,
> + const char *qd_kind)
> +{
> + return modify_qdisc(file, lineno, "traffic class", RTM_DELTCLASS, 0,
> + ifname, AF_UNSPEC, parent, handle, 0, qd_kind, NULL);
> +}
> +
> +int tst_netdev_add_traffic_filter(const char *file, const int lineno,
> + const char *ifname, unsigned int parent, unsigned int handle,
> + unsigned int protocol, unsigned int priority, const char *f_kind,
> + const struct tst_rtnl_attr_list *config)
> +{
> + return modify_qdisc(file, lineno, "traffic filter", RTM_NEWTFILTER,
> + NLM_F_CREATE | NLM_F_EXCL, ifname, AF_UNSPEC, parent, handle,
> + TC_H_MAKE(priority << 16, htons(protocol)), f_kind, config);
> +}
> +
> +int tst_netdev_remove_traffic_filter(const char *file, const int lineno,
> + const char *ifname, unsigned int parent, unsigned int handle,
> + unsigned int protocol, unsigned int priority, const char *f_kind)
> +{
> + return modify_qdisc(file, lineno, "traffic filter", RTM_DELTFILTER,
> + 0, ifname, AF_UNSPEC, parent, handle,
> + TC_H_MAKE(priority << 16, htons(protocol)), f_kind, NULL);
> +}
--
Cyril Hrubis
chrubis@suse.cz
* Re: [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks
2023-07-28 7:46 ` [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Cyril Hrubis
@ 2023-07-28 8:17 ` Martin Doucha
2023-07-28 8:45 ` Cyril Hrubis
0 siblings, 1 reply; 15+ messages in thread
From: Martin Doucha @ 2023-07-28 8:17 UTC (permalink / raw)
To: Cyril Hrubis; +Cc: ltp
On 28. 07. 23 9:46, Cyril Hrubis wrote:
> Hi!
>> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
>> ---
>> lib/tst_netdevice.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/lib/tst_netdevice.c b/lib/tst_netdevice.c
>> index 4a0442932..a57f506e9 100644
>> --- a/lib/tst_netdevice.c
>> +++ b/lib/tst_netdevice.c
>> @@ -332,6 +332,9 @@ static int change_ns(const char *file, const int lineno, const char *ifname,
>>
>> ctx = create_request(file, lineno, RTM_NEWLINK, 0, &info, sizeof(info));
>>
>> + if (!ctx)
>> + return 0;
>> +
>> if (!tst_rtnl_add_attr_string(file, lineno, ctx, IFLA_IFNAME, ifname)) {
>> tst_rtnl_destroy_context(file, lineno, ctx);
>> return 0;
>> @@ -411,6 +414,9 @@ static int modify_route(const char *file, const int lineno, unsigned int action,
>>
>> ctx = create_request(file, lineno, action, flags, &info, sizeof(info));
>>
>> + if (!ctx)
>> + return 0;
>> +
>> if (srcaddr && !tst_rtnl_add_attr(file, lineno, ctx, RTA_SRC, srcaddr,
>> srclen)) {
>> tst_rtnl_destroy_context(file, lineno, ctx);
>
> Shouldn't we tst_brk_() in these cases? This function is a base for
> NETDEV_CHANGE_NS_*() which is used as a safe macro without checking it's
> return value.
The tst_brk_() gets called by the safe_*() functions deeper in the call
tree. But tst_netdevice functions may be called from cleanup() where
explicit return is necessary even after tst_brk_().
--
Martin Doucha mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
* Re: [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management
2023-07-28 7:53 ` Cyril Hrubis
@ 2023-07-28 8:21 ` Martin Doucha
0 siblings, 0 replies; 15+ messages in thread
From: Martin Doucha @ 2023-07-28 8:21 UTC (permalink / raw)
To: Cyril Hrubis; +Cc: ltp
On 28. 07. 23 9:53, Cyril Hrubis wrote:
> Hi!
>> --- a/lib/tst_netdevice.c
>> +++ b/lib/tst_netdevice.c
>> @@ -7,6 +7,7 @@
>> #include <linux/veth.h>
>> #include <sys/socket.h>
>> #include <net/if.h>
>> +#include <linux/pkt_sched.h>
>> #include "lapi/rtnetlink.h"
>>
>> #define TST_NO_DEFAULT_MAIN
>> @@ -518,3 +519,116 @@ int tst_netdev_remove_route_inet(const char *file, const int lineno,
>> return modify_route_inet(file, lineno, RTM_DELROUTE, 0, ifname,
>> srcaddr, srcprefix, dstaddr, dstprefix, gateway);
>> }
>> +
>> +static int modify_qdisc(const char *file, const int lineno, const char *object,
>> + unsigned int action, unsigned int nl_flags, const char *ifname,
>> + unsigned int family, unsigned int parent, unsigned int handle,
>> + unsigned int info, const char *qd_kind,
>> + const struct tst_rtnl_attr_list *config)
>> +{
>> + struct tst_rtnl_context *ctx;
>> + int ret;
>> + struct tcmsg msg = {
>> + .tcm_family = family,
>> + .tcm_handle = handle,
>> + .tcm_parent = parent,
>> + .tcm_info = info
>> + };
>> +
>> + if (!qd_kind) {
>> + tst_brk_(file, lineno, TBROK,
>> + "Queueing discipline name required");
>> + return 0;
>> + }
>> +
>> + if (ifname) {
>> + msg.tcm_ifindex = tst_netdev_index_by_name(file, lineno,
>> + ifname);
>> +
>> + if (msg.tcm_ifindex < 0) {
>> + tst_brk_(file, lineno, TBROK, "Interface %s not found",
>> + ifname);
>> + return 0;
>> + }
>> + }
>> +
>> + ctx = create_request(file, lineno, action, nl_flags, &msg, sizeof(msg));
>> +
>> + if (!ctx)
>> + return 0;
>> +
>> + if (!tst_rtnl_add_attr_string(file, lineno, ctx, TCA_KIND, qd_kind)) {
>> + tst_rtnl_destroy_context(file, lineno, ctx);
>> + return 0;
>> + }
>> +
>> + if (config && !tst_rtnl_add_attr_list(file, lineno, ctx, config)) {
>> + tst_rtnl_destroy_context(file, lineno, ctx);
>> + return 0;
>> + }
>
>
> Here as well, shouldn't we tst_brk_() consistently if we fail to prepare
> the context?
Same as in the previous patch. If we get into the failure branch here,
tst_brk_() was already called somewhere in create_request() or
tst_rtnl_add_attr_*() and it didn't terminate the process because we're
in the cleanup phase.
--
Martin Doucha mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
* Re: [LTP] [PATCH 3/3] Add test for CVE 2023-1829
2023-07-27 15:00 ` [LTP] [PATCH 3/3] Add test for CVE 2023-1829 Martin Doucha
@ 2023-07-28 8:36 ` Petr Vorel
2023-08-03 12:51 ` Cyril Hrubis
2023-08-04 9:23 ` Martin Doucha
1 sibling, 1 reply; 15+ messages in thread
From: Petr Vorel @ 2023-07-28 8:36 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi Martin,
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .taint_check = TST_TAINT_W | TST_TAINT_D,
> + .needs_kconfigs = (const char *[]) {
> + "CONFIG_VETH",
> + "CONFIG_USER_NS=y",
> + "CONFIG_NET_NS=y",
> + "CONFIG_NET_SCH_HTB",
> + "CONFIG_NET_CLS_TCINDEX",
Interesting, CONFIG_NET_CLS_TCINDEX has been removed in 8c710f75256b
(in v6.3-rc1), therefore the test is only for older kernels.
Kind regards,
Petr
> + NULL
> + },
> + .save_restore = (const struct tst_path_val[]) {
> + {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
> + {}
> + },
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "8c710f75256b"},
> + {"CVE", "2023-1829"},
> + {}
> + }
> +};
* Re: [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks
2023-07-28 8:17 ` Martin Doucha
@ 2023-07-28 8:45 ` Cyril Hrubis
0 siblings, 0 replies; 15+ messages in thread
From: Cyril Hrubis @ 2023-07-28 8:45 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi!
> The tst_brk_() gets called by the safe_*() functions deeper in the call
> tree. But tst_netdevice functions may be called from cleanup() where
> explicit return is necessary even after tst_brk_().
Ah, missed that. Checked once more and indeed it all ends up in tst_brk_()
deeper in the call chain, or calls safe_malloc/safe_realloc.
For both patches:
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
* Re: [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks
2023-07-27 15:00 [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Martin Doucha
` (2 preceding siblings ...)
2023-07-28 7:46 ` [LTP] [PATCH 1/3] tst_netdevice: Add missing rtnetlink context allocation checks Cyril Hrubis
@ 2023-07-28 11:43 ` Petr Vorel
2023-08-04 13:28 ` [LTP] [PATCH v2 3/3] Add test for CVE 2023-1829 Martin Doucha
4 siblings, 0 replies; 15+ messages in thread
From: Petr Vorel @ 2023-07-28 11:43 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi Martin,
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
* Re: [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management
2023-07-27 15:00 ` [LTP] [PATCH 2/3] tst_netdevice: Add helper functions for qdisc and filter management Martin Doucha
2023-07-28 7:53 ` Cyril Hrubis
@ 2023-07-28 12:09 ` Petr Vorel
1 sibling, 0 replies; 15+ messages in thread
From: Petr Vorel @ 2023-07-28 12:09 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi Martin,
...
nit: missing comment here, but the meaning is obvious. Also
NETDEV_REMOVE_TRAFFIC_CLASS() (and tst_netdev_remove_traffic_filter()) look to
be unused, but I guess you expect to use it in another reproducer.
> +int tst_netdev_remove_traffic_class(const char *file, const int lineno,
> + const char *ifname, unsigned int parent, unsigned int handle,
> + const char *qd_kind);
> +#define NETDEV_REMOVE_TRAFFIC_CLASS(ifname, parent, handle, qd_kind) \
> + tst_netdev_remove_traffic_class(__FILE__, __LINE__, (ifname), \
> + (parent), (handle), (qd_kind))
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
* Re: [LTP] [PATCH 3/3] Add test for CVE 2023-1829
2023-07-28 8:36 ` Petr Vorel
@ 2023-08-03 12:51 ` Cyril Hrubis
0 siblings, 0 replies; 15+ messages in thread
From: Cyril Hrubis @ 2023-08-03 12:51 UTC (permalink / raw)
To: Petr Vorel; +Cc: ltp
Hi!
> > +static struct tst_test test = {
> > + .test_all = run,
> > + .setup = setup,
> > + .cleanup = cleanup,
> > + .taint_check = TST_TAINT_W | TST_TAINT_D,
> > + .needs_kconfigs = (const char *[]) {
> > + "CONFIG_VETH",
> > + "CONFIG_USER_NS=y",
> > + "CONFIG_NET_NS=y",
> > + "CONFIG_NET_SCH_HTB",
> > + "CONFIG_NET_CLS_TCINDEX",
> Interesting, CONFIG_NET_CLS_TCINDEX has been removed in 8c710f75256b
> (in v6.3-rc1), therefore the test is only for older kernels.
Nothing wrong with that I suppose, we will have to maintain kernels with
that module for a decade from now anyways...
--
Cyril Hrubis
chrubis@suse.cz
* Re: [LTP] [PATCH 3/3] Add test for CVE 2023-1829
From: Martin Doucha @ 2023-08-04 9:23 UTC (permalink / raw)
To: ltp
Hi,
I've noticed some kernel messages complaining that there's leftover data
at the end of the filter setup rtnetlink query. I need to investigate a
bit more and I'll send v2 for this patch. The other two patches can be
merged as is.
On 27. 07. 23 17:00, Martin Doucha wrote:
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
> runtest/cve | 1 +
> testcases/cve/.gitignore | 1 +
> testcases/cve/tcindex01.c | 156 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 158 insertions(+)
> create mode 100644 testcases/cve/tcindex01.c
>
> diff --git a/runtest/cve b/runtest/cve
> index 7d1e84f89..f9b36a182 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -84,6 +84,7 @@ cve-2021-38604 mq_notify03
> cve-2022-0847 dirtypipe
> cve-2022-2590 dirtyc0w_shmem
> cve-2022-23222 bpf_prog07
> +cve-2023-1829 tcindex01
> # Tests below may cause kernel memory leak
> cve-2020-25704 perf_event_open03
> cve-2022-0185 fsconfig03
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index 90e8b191c..389354eaf 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -12,3 +12,4 @@ cve-2017-16939
> cve-2017-17053
> cve-2022-4378
> icmp_rate_limit01
> +tcindex01.c
> diff --git a/testcases/cve/tcindex01.c b/testcases/cve/tcindex01.c
> new file mode 100644
> index 000000000..89569d1f7
> --- /dev/null
> +++ b/testcases/cve/tcindex01.c
> @@ -0,0 +1,156 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2023 SUSE LLC <mdoucha@suse.cz>
> + */
> +
> +/*\
> + * CVE-2023-1829
> + *
> + * Test for use-after-free after removing tcindex traffic filter with certain
> + * parameters.
> + *
> + * Tcindex filter removed in:
> + *
> + * commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
> + * Author: Jamal Hadi Salim <jhs@mojatatu.com>
> + * Date: Tue Feb 14 08:49:14 2023 -0500
> + *
> + * net/sched: Retire tcindex classifier
> + */
> +
> +#include <linux/netlink.h>
> +#include <linux/pkt_sched.h>
> +#include <linux/pkt_cls.h>
> +#include <linux/tc_act/tc_gact.h>
> +#include "tst_test.h"
> +#include "tst_rtnetlink.h"
> +#include "tst_netdevice.h"
> +#include "lapi/sched.h"
> +#include "lapi/if_ether.h"
> +#include "lapi/rtnetlink.h"
> +
> +#define DEVNAME "ltp_dummy1"
> +
> +static const uint32_t qd_handle = TC_H_MAKE(1 << 16, 0);
> +static const uint32_t clsid = TC_H_MAKE(1 << 16, 1);
> +static const uint32_t shift = 10;
> +static const uint16_t mask = 0xffff;
> +
> +/* rtnetlink payloads */
> +static const struct tc_htb_glob qd_opt = {
> + .rate2quantum = 10,
> + .version = 3,
> + .defcls = 30
> +};
> +static const struct tc_gact f_gact_param = {
> + .action = TC_ACT_SHOT
> +};
> +static struct tc_htb_opt cls_opt = {};
> +
> +/* htb qdisc and class options */
> +static const struct tst_rtnl_attr_list qd_config[] = {
> + {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
> + {TCA_HTB_INIT, &qd_opt, sizeof(qd_opt), NULL},
> + {0, NULL, -1, NULL}
> + }},
> + {0, NULL, -1, NULL}
> +};
> +static const struct tst_rtnl_attr_list cls_config[] = {
> + {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
> + {TCA_HTB_PARMS, &cls_opt, sizeof(cls_opt), NULL},
> + {0, NULL, -1, NULL}
> + }},
> + {0, NULL, -1, NULL}
> +};
> +
> +/* tcindex filter options */
> +static const struct tst_rtnl_attr_list f_actopts[] = {
> + {TCA_GACT_PARMS, &f_gact_param, sizeof(f_gact_param), NULL},
> + {0, NULL, -1, NULL}
> +};
> +static const struct tst_rtnl_attr_list f_action[] = {
> + {1, NULL, 0, (const struct tst_rtnl_attr_list[]){
> + {TCA_ACT_KIND, "gact", 5, NULL},
> + {TCA_ACT_OPTIONS | NLA_F_NESTED, NULL, 0, f_actopts},
> + {0, NULL, -1, NULL}
> + }},
> + {0, NULL, -1, NULL}
> +};
> +static const struct tst_rtnl_attr_list f_config[] = {
> + {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
> + {TCA_TCINDEX_MASK, &mask, sizeof(mask), NULL},
> + {TCA_TCINDEX_SHIFT, &shift, sizeof(shift), NULL},
> + {TCA_TCINDEX_CLASSID, &clsid, sizeof(clsid), NULL},
> + {TCA_TCINDEX_ACT, &clsid, sizeof(clsid), f_action},
> + {0, NULL, -1, NULL}
> + }},
> + {0, NULL, -1, NULL}
> +};
> +
> +static void setup(void)
> +{
> + tst_setup_netns();
> + NETDEV_ADD_DEVICE(DEVNAME, "dummy");
> +
> + cls_opt.rate.rate = cls_opt.ceil.rate = 256000;
> + cls_opt.buffer = 1000000 * 1600 / cls_opt.rate.rate;
> + cls_opt.cbuffer = 1000000 * 1600 / cls_opt.ceil.rate;
> +}
> +
> +static void run(void)
> +{
> + unsigned int i;
> +
> + for (i = 0; i < 100; i++) {
> + NETDEV_ADD_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
> + "htb", qd_config);
> + NETDEV_ADD_TRAFFIC_CLASS(DEVNAME, qd_handle, clsid, "htb",
> + cls_config);
> + NETDEV_ADD_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP, 1,
> + "tcindex", f_config);
> + NETDEV_REMOVE_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP,
> + 1, "tcindex");
> +
> + /* Wait at least one jiffy for use-after-free */
> + usleep(10000);
> +
> + NETDEV_REMOVE_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
> + "htb");
> + }
> +
> + if (tst_taint_check()) {
> + tst_res(TFAIL, "Kernel is vulnerable");
> + return;
> + }
> +
> + tst_res(TPASS, "Nothing bad happened (yet)");
> +}
> +
> +static void cleanup(void)
> +{
> + NETDEV_REMOVE_DEVICE(DEVNAME);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .taint_check = TST_TAINT_W | TST_TAINT_D,
> + .needs_kconfigs = (const char *[]) {
> + "CONFIG_VETH",
> + "CONFIG_USER_NS=y",
> + "CONFIG_NET_NS=y",
> + "CONFIG_NET_SCH_HTB",
> + "CONFIG_NET_CLS_TCINDEX",
> + NULL
> + },
> + .save_restore = (const struct tst_path_val[]) {
> + {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
> + {}
> + },
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "8c710f75256b"},
> + {"CVE", "2023-1829"},
> + {}
> + }
> +};
--
Martin Doucha mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
* [LTP] [PATCH v2 3/3] Add test for CVE 2023-1829
From: Martin Doucha @ 2023-08-04 13:28 UTC (permalink / raw)
To: ltp
Fixes #1053
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
Changes since v1:
- Fixed typo in .gitignore
- Removed unnecessary TCA_TCINDEX_ACT attribute tree from filter config
- Added credit for the original reproducer
Reproducer was tested on both affected and fixed SLE-15SP5 kernels.
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/tcindex01.c | 141 ++++++++++++++++++++++++++++++++++++++
3 files changed, 143 insertions(+)
create mode 100644 testcases/cve/tcindex01.c
diff --git a/runtest/cve b/runtest/cve
index 7d1e84f89..f9b36a182 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -84,6 +84,7 @@ cve-2021-38604 mq_notify03
cve-2022-0847 dirtypipe
cve-2022-2590 dirtyc0w_shmem
cve-2022-23222 bpf_prog07
+cve-2023-1829 tcindex01
# Tests below may cause kernel memory leak
cve-2020-25704 perf_event_open03
cve-2022-0185 fsconfig03
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 90e8b191c..3a2b2bed6 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -12,3 +12,4 @@ cve-2017-16939
cve-2017-17053
cve-2022-4378
icmp_rate_limit01
+tcindex01
diff --git a/testcases/cve/tcindex01.c b/testcases/cve/tcindex01.c
new file mode 100644
index 000000000..9bd7de9dd
--- /dev/null
+++ b/testcases/cve/tcindex01.c
@@ -0,0 +1,141 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2023 SUSE LLC
+ * Author: Marcos Paulo de Souza <mpdesouza@suse.com>
+ * LTP port: Martin Doucha <mdoucha@suse.cz>
+ */
+
+/*\
+ * CVE-2023-1829
+ *
+ * Test for use-after-free after removing tcindex traffic filter with certain
+ * parameters.
+ *
+ * Tcindex filter removed in:
+ *
+ * commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
+ * Author: Jamal Hadi Salim <jhs@mojatatu.com>
+ * Date: Tue Feb 14 08:49:14 2023 -0500
+ *
+ * net/sched: Retire tcindex classifier
+ */
+
+#include <linux/netlink.h>
+#include <linux/pkt_sched.h>
+#include <linux/pkt_cls.h>
+#include "tst_test.h"
+#include "tst_rtnetlink.h"
+#include "tst_netdevice.h"
+#include "lapi/sched.h"
+#include "lapi/if_ether.h"
+#include "lapi/rtnetlink.h"
+
+#define DEVNAME "ltp_dummy1"
+
+static const uint32_t qd_handle = TC_H_MAKE(1 << 16, 0);
+static const uint32_t clsid = TC_H_MAKE(1 << 16, 1);
+static const uint32_t shift = 10;
+static const uint16_t mask = 0xffff;
+
+/* rtnetlink payloads */
+static const struct tc_htb_glob qd_opt = {
+ .rate2quantum = 10,
+ .version = 3,
+ .defcls = 30
+};
+static struct tc_htb_opt cls_opt = {};
+
+/* htb qdisc and class options */
+static const struct tst_rtnl_attr_list qd_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_HTB_INIT, &qd_opt, sizeof(qd_opt), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+static const struct tst_rtnl_attr_list cls_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_HTB_PARMS, &cls_opt, sizeof(cls_opt), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+
+/* tcindex filter options */
+static const struct tst_rtnl_attr_list f_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_TCINDEX_MASK, &mask, sizeof(mask), NULL},
+ {TCA_TCINDEX_SHIFT, &shift, sizeof(shift), NULL},
+ {TCA_TCINDEX_CLASSID, &clsid, sizeof(clsid), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+
+static void setup(void)
+{
+ tst_setup_netns();
+ NETDEV_ADD_DEVICE(DEVNAME, "dummy");
+
+ cls_opt.rate.rate = cls_opt.ceil.rate = 256000;
+ cls_opt.buffer = 1000000 * 1600 / cls_opt.rate.rate;
+ cls_opt.cbuffer = 1000000 * 1600 / cls_opt.ceil.rate;
+}
+
+static void run(void)
+{
+ unsigned int i;
+
+ for (i = 0; i < 100; i++) {
+ NETDEV_ADD_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
+ "htb", qd_config);
+ NETDEV_ADD_TRAFFIC_CLASS(DEVNAME, qd_handle, clsid, "htb",
+ cls_config);
+ NETDEV_ADD_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP, 1,
+ "tcindex", f_config);
+ NETDEV_REMOVE_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP,
+ 1, "tcindex");
+
+ /* Wait at least one jiffy for use-after-free */
+ usleep(10000);
+
+ NETDEV_REMOVE_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
+ "htb");
+ }
+
+ if (tst_taint_check()) {
+ tst_res(TFAIL, "Kernel is vulnerable");
+ return;
+ }
+
+ tst_res(TPASS, "Nothing bad happened (yet)");
+}
+
+static void cleanup(void)
+{
+ NETDEV_REMOVE_DEVICE(DEVNAME);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .taint_check = TST_TAINT_W | TST_TAINT_D,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_VETH",
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ "CONFIG_NET_SCH_HTB",
+ "CONFIG_NET_CLS_TCINDEX",
+ NULL
+ },
+ .save_restore = (const struct tst_path_val[]) {
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+ {}
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "8c710f75256b"},
+ {"CVE", "2023-1829"},
+ {}
+ }
+};
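Review bot: The `.needs_kconfigs` list requires `CONFIG_VETH`, but `setup()` creates a `dummy` link with `NETDEV_ADD_DEVICE(DEVNAME, "dummy")` and nothing in the file uses veth, so the gate does not match the driver the test depends on. Replacing that entry with `"CONFIG_DUMMY",` would presumably let a kernel built without the dummy driver report TCONF instead of failing in setup; how NETDEV_ADD_DEVICE reports a missing driver is not visible in this patch. Separately, `run()` takes its verdict only from `tst_taint_check()` against `TST_TAINT_W | TST_TAINT_D`, so a use-after-free that produces neither a warning nor an oops passes silently. The header comment could state that limit, e.g. `* Detection relies on the W and D taint flags only; a pass does not prove the kernel is unaffected.`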
--
2.41.0
* Re: [LTP] [PATCH v2 3/3] Add test for CVE 2023-1829
From: Cyril Hrubis @ 2023-08-04 13:38 UTC (permalink / raw)
To: Martin Doucha; +Cc: ltp
Hi!
Patchset pushed, thanks.
--
Cyril Hrubis
chrubis@suse.cz