
Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  assert that td_lk_slocks is not leaked upon return from kernel
  netpfil tests: Move pft_ping.py and sniffer.py to the common test directory
  sys.kern.pdeathsig.signal_delivered_ptrace: fix startup.
  sys.kern.pdeathsig.signal_delivered_ptrace: fix debugger detach
hardened/current/master
Oliver Pinter + 9 months ago
parent
commit
b19116bfbc
9 changed files with 41 additions and 19 deletions
  1. +3
    -0
      ObsoleteFiles.inc
  2. +3
    -0
      sys/kern/subr_trap.c
  3. +12
    -1
      tests/sys/kern/pdeathsig.c
  4. +5
    -1
      tests/sys/netpfil/common/Makefile
  5. +0
    -0
      tests/sys/netpfil/common/pft_ping.py
  6. +0
    -0
      tests/sys/netpfil/common/sniffer.py
  7. +0
    -3
      tests/sys/netpfil/pf/Makefile
  8. +10
    -8
      tests/sys/netpfil/pf/forward.sh
  9. +8
    -6
      tests/sys/netpfil/pf/set_tos.sh

+ 3
- 0
ObsoleteFiles.inc View File

@@ -38,6 +38,9 @@
# xargs -n1 | sort | uniq -d;
# done

# 20190817: pft_ping.py and sniffer.py moved to /usr/tests/sys/netpfil/common
OLD_FILES+=usr/tests/sys/netpfil/pf/sniffer.py
OLD_FILES+=usr/tests/sys/netpfil/pf/pft_ping.py
# 20190816: dir.h removed from POSIX
OLD_FILES+=usr/include/sys/dir.h
# 20190729: gzip'ed a.out support removed

+ 3
- 0
sys/kern/subr_trap.c View File

@@ -176,6 +176,9 @@ userret(struct thread *td, struct trapframe *frame)
KASSERT(td->td_sx_slocks == 0,
("userret: Returning with %d sx locks held in shared mode",
td->td_sx_slocks));
KASSERT(td->td_lk_slocks == 0,
("userret: Returning with %d lockmanager locks held in shared mode",
td->td_lk_slocks));
KASSERT((td->td_pflags & TDP_NOFAULTING) == 0,
("userret: Returning with pagefaults disabled"));
KASSERT(td->td_no_sleeping == 0,

+ 12
- 1
tests/sys/kern/pdeathsig.c View File

@@ -229,6 +229,7 @@ ATF_TC_BODY(signal_delivered_ptrace, tc)
int rc;
int pipe_ca[2];
int pipe_db[2];
int pipe_cd[2];
char buffer;
int status;

@@ -236,6 +237,8 @@ ATF_TC_BODY(signal_delivered_ptrace, tc)
ATF_REQUIRE(rc == 0);
rc = pipe(pipe_db);
ATF_REQUIRE(rc == 0);
rc = pipe(pipe_cd);
assert(rc == 0);

rc = fork();
ATF_REQUIRE(rc != -1);
@@ -263,6 +266,9 @@ ATF_TC_BODY(signal_delivered_ptrace, tc)
rc = procctl(P_PID, 0, PROC_PDEATHSIG_CTL, &signum);
assert(rc == 0);

rc = write(pipe_cd[1], "x", 1);
assert(rc == 1);

/* wait for B to die and signal us... */
signum = 0xdeadbeef;
rc = sigwait(&sigset, &signum);
@@ -293,6 +299,9 @@ ATF_TC_BODY(signal_delivered_ptrace, tc)
rc = ptrace(PT_CONTINUE, c_pid, (caddr_t) 1, 0);
assert(rc == 0);

rc = read(pipe_cd[0], &buffer, 1);
assert(rc == 1);

/* tell B that we're ready for it to exit now */
rc = write(pipe_db[1], ".", 1);
assert(rc == 1);
@@ -305,7 +314,9 @@ ATF_TC_BODY(signal_delivered_ptrace, tc)
WSTOPSIG(status));
assert(rc == 0);

ptrace(PT_DETACH, c_pid, 0, 0);
waitpid(c_pid, &status, 0);
if (!WIFEXITED(status))
ptrace(PT_DETACH, c_pid, 0, 0);

_exit(0);
}
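Review bot: In the last hunk the return value of the new `waitpid(c_pid, &status, 0)` is not checked, so if that call fails the following `WIFEXITED(status)` test runs on whatever value `status` held from the earlier wait and the detach decision is made on stale data; `rc = waitpid(c_pid, &status, 0);` followed by `assert(rc == c_pid);` would keep the hunk's own assert style. The conditional `ptrace(PT_DETACH, c_pid, 0, 0)` is likewise unchecked, which is fine only if a failure there is deliberately tolerated, so a one-line comment stating that would help the next reader. In the second hunk, `assert(rc == 0)` after `pipe(pipe_cd)` sits in the pre-fork part of the test body where the neighbouring `pipe()` calls use `ATF_REQUIRE(rc == 0)`; it should probably match them so a failure is reported as a test failure rather than an abort. ATF_TC_BODY(signal_delivered_ptrace) starts before the first hunk and continues past the closing brace at the end of the last one.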

+ 5
- 1
tests/sys/netpfil/common/Makefile View File

@@ -11,6 +11,10 @@ ATF_TESTS_SH+= \

${PACKAGE}FILES+= \
utils.subr \
runner.subr
runner.subr \
pft_ping.py \
sniffer.py

${PACKAGE}FILESMODE_pft_ping.py= 0555

.include <bsd.test.mk>

tests/sys/netpfil/pf/pft_ping.py → tests/sys/netpfil/common/pft_ping.py View File


tests/sys/netpfil/pf/sniffer.py → tests/sys/netpfil/common/sniffer.py View File


+ 0
- 3
tests/sys/netpfil/pf/Makefile View File

@@ -21,12 +21,9 @@ ATF_TESTS_SH+= anchor \

${PACKAGE}FILES+= utils.subr \
echo_inetd.conf \
sniffer.py \
pft_ping.py \
CVE-2019-5597.py \
CVE-2019-5598.py

${PACKAGE}FILESMODE_pft_ping.py= 0555
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555


+ 10
- 8
tests/sys/netpfil/pf/forward.sh View File

@@ -2,6 +2,8 @@

. $(atf_get_srcdir)/utils.subr

common_dir=$(atf_get_srcdir)/../common

atf_test_case "v4" "cleanup"
v4_head()
{
@@ -43,20 +45,20 @@ v4_body()

# Forward with pf enabled
pft_set_rules alcatraz "block in"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a

pft_set_rules alcatraz "block out"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recv ${epair_recv}a

# Allow ICMP
pft_set_rules alcatraz "block in" "pass in proto icmp"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a
@@ -98,7 +100,7 @@ v6_body()
route add -6 2001:db8:43::/64 2001:db8:42::2

# Sanity check, can we forward ICMP echo requests without pf?
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@@ -109,7 +111,7 @@ v6_body()
# Block incoming echo request packets
pft_set_rules alcatraz \
"block in inet6 proto icmp6 icmp6-type echoreq"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@@ -118,7 +120,7 @@ v6_body()
# Block outgoing echo request packets
pft_set_rules alcatraz \
"block out inet6 proto icmp6 icmp6-type echoreq"
atf_check -s exit:1 -e ignore $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 -e ignore ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@@ -128,7 +130,7 @@ v6_body()
pft_set_rules alcatraz \
"block out" \
"pass out inet6 proto icmp6"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
@@ -138,7 +140,7 @@ v6_body()
pft_set_rules alcatraz \
"block out inet6 proto icmp6 icmp6-type echoreq" \
"pass in proto icmp"
atf_check -s exit:1 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 ${common_dir}/pft_ping.py \
--ip6 \
--sendif ${epair_send}a \
--to 2001:db8:43::3 \
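Review bot: The invocation under `pft_set_rules alcatraz "block out"` in the v4_body hunk passes `--recv ${epair_recv}a` while every other pft_ping.py call in this file passes `--recvif`; if pft_ping.py parses its options with argparse this works only through prefix matching, so the line should read `--recvif ${epair_recv}a` to avoid depending on that. Separately, `common_dir=$(atf_get_srcdir)/../common` is now defined identically at the top of forward.sh and set_tos.sh; defining it once in utils.subr, which both scripts already source, would remove the duplication as more tests move to the shared helpers. The v4_body function that contains the `--recv` line starts and ends outside the hunk.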

+ 8
- 6
tests/sys/netpfil/pf/set_tos.sh View File

@@ -2,6 +2,8 @@

. $(atf_get_srcdir)/utils.subr

common_dir=$(atf_get_srcdir)/../common

atf_test_case "v4" "cleanup"
v4_head()
{
@@ -37,7 +39,7 @@ v4_body()

# No change is done if not requested
pft_set_rules alcatraz "scrub out proto icmp"
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@@ -45,7 +47,7 @@ v4_body()

# The requested ToS is set
pft_set_rules alcatraz "scrub out proto icmp set-tos 42"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@@ -53,7 +55,7 @@ v4_body()

# ToS is not changed if the scrub rule does not match
pft_set_rules alcatraz "scrub out proto tcp set-tos 42"
atf_check -s exit:1 -o ignore $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:1 -o ignore ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@@ -62,14 +64,14 @@ v4_body()
# Multiple scrub rules match as expected
pft_set_rules alcatraz "scrub out proto tcp set-tos 13" \
"scrub out proto icmp set-tos 14"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
--expect-tos 14

# And this works even if the packet already has ToS values set
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
@@ -78,7 +80,7 @@ v4_body()

# ToS values are unmolested if the packets do not match a scrub rule
pft_set_rules alcatraz "scrub out proto tcp set-tos 13"
atf_check -s exit:0 $(atf_get_srcdir)/pft_ping.py \
atf_check -s exit:0 ${common_dir}/pft_ping.py \
--sendif ${epair_send}a \
--to 198.51.100.3 \
--recvif ${epair_recv}a \
