Google Git
Sign in
android / kernel / tests / refs/heads/android14-tests-dev / . / net / test / policy_crash_test.py
blob: dbd68928fe262bbf054c835f8d4e3f530daaa9a6 [file] [log] [blame]
Krzysztof Kosiński3dee82d2022-11-30 09:34:05 +0000[diff] [blame]1#!/usr/bin/python3
Maciej Żenczykowskiccad07c2019-03-21 13:33:37 -0700[diff] [blame]2#
3# Copyright 2019 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16
17# ----------------------------------------------------------------------
18
19# This triggers a kernel panic on 4.9.114+ which is fixed in 4.9.136
20#
21# Crash was introduced by ad8b1ffc3efae2f65080bdb11145c87d299b8f9a
22# and reverted in 2edec22d18758c9b29301ded2291f051d65422e9
23
24# ----------------------------------------------------------------------
25
26# Modules linked in:
27# Pid: 305, comm: python Not tainted 4.9.114
28# RIP: 0033:[<0000000060272d73>]
29# RSP: 000000007fd09a10 EFLAGS: 00010246
30# RAX: 0000000060492fa8 RBX: 0000000060272b18 RCX: 000000007ff412a8
31# RDX: 000000007ff41288 RSI: 000000007fd09a98 RDI: 000000007ff14a00
32# RBP: 000000007fd09a40 R08: 0000000000000001 R09: 0100000000000000
33# R10: 0000000000000000 R11: 000000007ff412a8 R12: 0000000000010002
34# R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
35# Kernel panic - not syncing: Kernel mode fault at addr 0x48, ip 0x60272d73
36# CPU: 0 PID: 305 Comm: python Not tainted 4.9.114 #7
37# Stack:
38# 7fcd5000 7ff411e0 7ff14a00 7ff41000
39# 00000000 00000000 7fd09b00 6031acd9
40# 00000000 7ff41288 7ff4100c 100000003
41# Call Trace:
42# [<6031acd9>] ip6t_do_table+0x2a3/0x3d4
43# [<6026d300>] ? netfilter_net_init+0xd5/0x14f
44# [<6026d37a>] ? nf_iterate+0x0/0x5c
45# [<6031c99d>] ip6table_filter_hook+0x21/0x23
46# [<6026d3b2>] nf_iterate+0x38/0x5c
47# [<6026d40a>] nf_hook_slow+0x34/0xa2
48# [<6003166c>] ? set_signals+0x0/0x3f
49# [<6003165d>] ? get_signals+0x0/0xf
50# [<603045d4>] rawv6_sendmsg+0x842/0xc4b
51# [<60033d15>] ? wait_stub_done+0x40/0x10a
52# [<60021176>] ? copy_chunk_from_user+0x23/0x2e
53# [<60021153>] ? copy_chunk_from_user+0x0/0x2e
54# [<60302da3>] ? dst_output+0x0/0x11
55# [<602b063a>] inet_sendmsg+0x1e/0x5c
56# [<600fe142>] ? __fdget+0x15/0x17
57# [<6022636c>] sock_sendmsg+0xf/0x62
58# [<6022785d>] SyS_sendto+0x108/0x140
59# [<600389c2>] ? arch_switch_to+0x2b/0x2e
60# [<60367ce4>] ? __schedule+0x428/0x44f
61# [<603678bc>] ? __schedule+0x0/0x44f
62# [<60021125>] handle_syscall+0x79/0xa7
63# [<6003445c>] userspace+0x3bb/0x453
64# [<6001dd92>] ? interrupt_end+0x0/0x94
65# [<6001dc42>] fork_handler+0x85/0x87
66#
67# /android/kernel/tests/net/test/run_net_test.sh: line 397: 50828 Aborted
68# $KERNEL_BINARY umid=net_test mem=512M $blockdevice=$SCRIPT_DIR/$ROOTFS $netconfig $consolemode $cmdline 1>&2
69# Returning exit code 134.
70
71# ----------------------------------------------------------------------
72
Lorenzo Colitti77f0d742022-11-18 22:14:18 +0900[diff] [blame]73import binascii
Maciej Żenczykowskiccad07c2019-03-21 13:33:37 -0700[diff] [blame]74import os
75import socket
76import unittest
77
78import net_test
79
80class RemovedFeatureTest(net_test.NetworkTest):
81
82 def setUp(self):
83 net_test.RunIptablesCommand(6, "-I OUTPUT 1 -m policy --dir out --pol ipsec")
84
85 def tearDown(self):
86 net_test.RunIptablesCommand(6, "-D OUTPUT -m policy --dir out --pol ipsec")
87
88 def testPolicyNetfilterFragPanic(self):
89 ipv6_min_mtu = 1280
90 ipv6_header_size = 40
91 ipv6_frag_header_size = 8
92
93 pkt1_frag_len = ipv6_min_mtu - ipv6_header_size - ipv6_frag_header_size
94 pkt2_frag_len = 1
95
96 ip6loopback = '00000000000000000000000000000001' # ::1
97
98 # 40 byte IPv6 header
99 ver6 = '6'
100 tclass = '00'
101 flowlbl = '00000'
102 # (uint16) payload length - of rest of packets in octets
103 pkt1_plen = '%04x' % (ipv6_frag_header_size + pkt1_frag_len)
104 pkt2_plen = '%04x' % (ipv6_frag_header_size + pkt2_frag_len)
105 nexthdr = '2c' # = 44 IPv6-Frag
106 hoplimit = '00'
107 src = ip6loopback
108 dst = ip6loopback
109
110 # 8 byte IPv6 fragmentation header
Seongsikb07153b2021-08-19 14:25:33 +0900[diff] [blame]111 frag_nexthdr = '3b'
Maciej Żenczykowskiccad07c2019-03-21 13:33:37 -0700[diff] [blame]112 frag_reserved = '00'
113 # 13-bit offset, 2-bit reserved, 1-bit M[ore] flag
114 pkt1_frag_offset = '0001'
115 pkt2_frag_offset = '%04x' % pkt1_frag_len
116 frag_identification = '00000000'
117
118 # Fragmentation payload
119 pkt1_frag_payload = '00' * pkt1_frag_len
120 pkt2_frag_payload = '00' * pkt2_frag_len
121
122 pkt1 = (ver6 + tclass + flowlbl + pkt1_plen + nexthdr + hoplimit + src + dst
123 + frag_nexthdr + frag_reserved + pkt1_frag_offset + frag_identification
124 + pkt1_frag_payload)
125 pkt2 = (ver6 + tclass + flowlbl + pkt2_plen + nexthdr + hoplimit + src + dst
126 + frag_nexthdr + frag_reserved + pkt2_frag_offset + frag_identification
127 + pkt2_frag_payload)
128
129 s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_RAW)
Lorenzo Colitti77f0d742022-11-18 22:14:18 +0900[diff] [blame]130 s.sendto(binascii.unhexlify(pkt1), ('::1', 0))
131 s.sendto(binascii.unhexlify(pkt2), ('::1', 0))
Maciej Żenczykowskiccad07c2019-03-21 13:33:37 -0700[diff] [blame]132 s.close()
133
134
135if __name__ == "__main__":
136 unittest.main()