#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2019 Kristof Provost <kp@FreeBSD.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
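
# Shared helpers for these tests.  The pft_* and vnet_* functions used below
# are not defined in this file; presumably they come from utils.subr.
# The path is quoted so a source directory containing whitespace or glob
# characters is not word-split before being sourced.
. "$(atf_get_srcdir)/utils.subr"

# Directory put on PYTHONPATH for the Python helper script below.
common_dir="$(atf_get_srcdir)/../common"

# --------------------------------------------------------------------------
# cve_2019_5598: regression test for CVE-2019-5598.
#
# Needs root (jails, interfaces, pf) and python3 with scapy for the helper.
# --------------------------------------------------------------------------
atf_test_case "cve_2019_5598" "cleanup"
cve_2019_5598_head()
{
	atf_set descr 'Test CVE-2019-5598'
	atf_set require.user root
	atf_set require.progs python3 scapy
}

cve_2019_5598_body()
{
	pft_init

	# Two epairs: the host keeps the "a" ends, the jail gets the "b" ends.
	#   host ${epair_in}a  192.0.2.1    <-> jail ${epair_in}b  192.0.2.2
	#   host ${epair_out}a (no address) <-> jail ${epair_out}b 198.51.100.2
	epair_in=$(vnet_mkepair)
	epair_out=$(vnet_mkepair)
	ifconfig "${epair_in}a" 192.0.2.1/24 up
	ifconfig "${epair_out}a" up

	vnet_mkjail alcatraz "${epair_in}b" "${epair_out}b"
	jexec alcatraz ifconfig "${epair_in}b" 192.0.2.2/24 up
	jexec alcatraz ifconfig "${epair_out}b" 198.51.100.2/24 up
	jexec alcatraz sysctl net.inet.ip.forwarding=1
	# No interface in this file is given 198.51.100.3; the static ARP
	# entry lets the jail forward towards it without resolving it.
	jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
	jexec alcatraz route add default 198.51.100.3
	route add -net 198.51.100.0/24 192.0.2.2

	# Default-deny ruleset: the only traffic explicitly passed is UDP to
	# 198.51.100.3 port 53, in and out.
	jexec alcatraz pfctl -e
	pft_set_rules alcatraz "block all" \
		"pass in proto udp to 198.51.100.3 port 53" \
		"pass out proto udp to 198.51.100.3 port 53"

	# The helper sends on the host side of epair_in and listens on the
	# host side of epair_out; the test passes only if it exits 0.
	# NOTE(review): what the script sends and which packets it treats as
	# a failure is not visible here -- confirm in CVE-2019-5598.py.
	atf_check -s exit:0 env PYTHONPATH="${common_dir}" \
		"$(atf_get_srcdir)/CVE-2019-5598.py" \
		--sendif "${epair_in}a" \
		--recvif "${epair_out}a" \
		--src 192.0.2.1 \
		--to 198.51.100.3
}

cve_2019_5598_cleanup()
{
	pft_cleanup
}

# --------------------------------------------------------------------------
# ttl_exceeded: a client behind a pf NAT box must still see the ICMP
# "TTL exceeded" reply from a router beyond the NAT box.
#
# Chain of jails (addresses as configured below):
#   cl  198.51.100.1 -- 198.51.100.2 nat 203.0.113.1 -- 203.0.113.2 int
#   int 192.0.2.2    -- 192.0.2.1    srv
# --------------------------------------------------------------------------
atf_test_case "ttl_exceeded" "cleanup"
ttl_exceeded_head()
{
	atf_set descr 'Test that we correctly translate TTL exceeded back'
	atf_set require.user root
}

ttl_exceeded_body()
{
	pft_init

	epair_srv=$(vnet_mkepair)
	epair_int=$(vnet_mkepair)
	epair_cl=$(vnet_mkepair)

	# srv: traceroute target, default route back via int.
	vnet_mkjail srv "${epair_srv}a"
	jexec srv ifconfig "${epair_srv}a" 192.0.2.1/24 up
	jexec srv route add default 192.0.2.2

	# int: plain router between srv and nat (pf is not enabled here).
	vnet_mkjail int "${epair_srv}b" "${epair_int}a"
	jexec int sysctl net.inet.ip.forwarding=1
	jexec int ifconfig "${epair_srv}b" 192.0.2.2/24 up
	jexec int ifconfig "${epair_int}a" 203.0.113.2/24 up

	# nat: the pf box under test.
	vnet_mkjail nat "${epair_int}b" "${epair_cl}b"
	jexec nat ifconfig "${epair_int}b" 203.0.113.1/24 up
	jexec nat ifconfig "${epair_cl}b" 198.51.100.2/24 up
	jexec nat sysctl net.inet.ip.forwarding=1
	jexec nat route add default 203.0.113.2

	# cl: client behind the NAT box.
	vnet_mkjail cl "${epair_cl}a"
	jexec cl ifconfig "${epair_cl}a" 198.51.100.1/24 up
	jexec cl route add default 198.51.100.2

	# NAT the client network on the outward-facing interface, block by
	# default, and pass only UDP and ICMP echo requests.  No rule passes
	# ICMP time-exceeded explicitly, so those replies presumably reach
	# the client only by being matched to existing state and translated
	# back -- which is what the descr says this test checks.
	jexec nat pfctl -e
	pft_set_rules nat \
		"nat on ${epair_int}b from 198.51.100.0/24 -> (${epair_int}b)" \
		"block" \
		"pass inet proto udp" \
		"pass inet proto icmp icmp-type { echoreq }"

	# Sanity checks
	# Every hop must answer a ping from the client before traceroute is
	# tried, so a broken topology is not mistaken for a pf failure.
	atf_check -s exit:0 -o ignore \
		jexec cl ping -c 1 198.51.100.2
	atf_check -s exit:0 -o ignore \
		jexec cl ping -c 1 203.0.113.1
	atf_check -s exit:0 -o ignore \
		jexec cl ping -c 1 203.0.113.2
	atf_check -s exit:0 -o ignore \
		jexec cl ping -c 1 192.0.2.1

	# traceroute output must list 203.0.113.2 (int's address on the link
	# to nat), i.e. the reply from the hop beyond the NAT box was seen.
	echo "UDP"
	atf_check -s exit:0 -e ignore -o match:".*203.0.113.2.*" \
		jexec cl traceroute 192.0.2.1
	# Flush pf states on the NAT box before the ICMP-probe run.
	jexec nat pfctl -Fs

	echo "ICMP"
	atf_check -s exit:0 -e ignore -o match:".*203.0.113.2.*" \
		jexec cl traceroute -I 192.0.2.1
}

ttl_exceeded_cleanup()
{
	pft_cleanup
}

# Register the test cases with ATF.
atf_init_test_cases()
{
	atf_add_test_case "cve_2019_5598"
	atf_add_test_case "ttl_exceeded"
}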