Commit Graph

2560 Commits

Author SHA1 Message Date
Mark Johnston 75b23c102e tests/jaildesc: Use a more efficient mechanism to block
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D57148
2026-06-12 14:58:43 +00:00
Mark Johnston fe03a78c5d tests/jaildesc: Add some more test scenarios
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D57147
2026-06-12 14:58:19 +00:00
Siva Mahadevan 64b053f879 memfd_test: skip hugetlb testcase when large page requests are not supported
Fixes this CI test failure: https://ci.freebsd.org/view/Test/job/FreeBSD-main-riscv64-test/16606/testReport/junit/sys.posixshm/memfd_test/hugetlb/

Reviewed by:	kevans
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D57289
2026-06-10 20:08:37 -04:00
K Rin ce08af6378 mac_portacl tests: rewrite the test program and test unspecific family.
Reviewed by: imp,emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1659
2026-06-10 06:35:03 -06:00
Mark Johnston ebb0ea9f4f imgact_elf: Clear no-ASLR and -WXORX flags earlier for setugid images
Otherwise an unprivileged user can disable randomization of the base
address for PIEs even if they are setugid.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:32.elf
Security:	CVE-2026-49414
Reported by:	David Berard
Reviewed by:	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57397
2026-06-09 19:13:21 +00:00
Mark Johnston 1b775b9ea4 sound: Fix software buffer lifetime issues
The channel buffer mapped by dsp_mmap_single() may be freed when the
device handle is closed, but the mapping persists beyond that, allowing
userspace to read or write memory owned by a different consumer.

Fix the problem by adding a reference counter to the sound buffer.
Define pager ops for the VM object returned by dsp_mmap_single() and use
them to manage the extra reference.

Add a regression test.

Approved by:	so
Security:	FreeBSD-SA-26:27.sound
Security:	CVE-2026-49417
Reported by:	Lexpl0it, 75Acol, Liyw979, Rob1n
Reviewed by	kib
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57393
2026-06-09 19:13:21 +00:00
Christos Margiolis 1bb8212df1 sound: Check for offset overflow in dsp_mmap_single()
Approved by:	so
Security:	FreeBSD-SA-26:27.sound
Security:	CVE-2026-45258
Reviewed by:	markj
Sponsored by:	The FreeBSD Foundation
2026-06-09 19:13:21 +00:00
John Baldwin 3444414cb4 ktls: Don't attempt to modify non-anonymous mbufs on the receive path
Normally, data processed on the KTLS receive path is contained in
anonymous mbufs that can be modified in place.  Either the data
originates in receive buffers from a NIC driver, or for loopback
connections the data is anonymous-backed mbufs created when writing to
a socket.  One potential source of non-anonymous mbufs are mbufs
created by sendfile(2) which borrow the pages of the underlying file,
either via M_EXTPG or EXT_SFBUF that are sent over a loopback
connection.  For a well-formed loopback TLS session, the sender should
only use sendfile(2) if KTLS is enabled.  If TLS is fully handled in
userspace, the sender must use write(2) or send(2) which allocate
anonymous mbufs.  If KTLS transmit is enabled, then sendfile(2) on a
loopback connection will always use crypto via OCF and will allocate
anonymous pages to hold the encrypted data.

However, if sendfile(2) is used to send file-backed data directly over
a loopback connection where KTLS is not enabled on the sender side,
the KTLS receive path can modify the file-backed pages in place
overwriting the file's data.  One potential fix would be to replace
non-anonymous mbufs in a received TLS record with anonymous mbufs
(e.g. via m_dup()) before passing the record to OCF.  However, there
is no legitimate use case for using sendfile(2) over a loopback TLS
connection without using KTLS on the sender side, so instead simply
fail decryption requests and close the connection if non-anonymous
mbufs are encountered in the RX decryption path.

Add a test for this that verifies that the original data backing the
file descriptor used as the source for sendfile() is unchanged after
being processed.

Approved by:	so
Security:	FreeBSD-SA-26:26.ktls
Security:	CVE-2026-45257
Co-authored-by:	Drew Gallatin <gallatin@FreeBSD.org>
Sponsored by:	Chelsio Communications
Sponsored by:	Netflix
2026-06-09 19:13:21 +00:00
Mark Johnston 6cd8a1bf4f tests/ptrace: Validate PT_SC_REMOTE with some tricky syscalls
Reviewed by:	kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D57485
2026-06-08 22:49:51 +00:00
Olivier Certner 79d0dbc9c6 MAC/do: Fix double-free on parse error after "executable paths" feature
parse_rules() has been calling toast_rules() in case of a parse error in
order to deallocate the 'struct rule' objects it has constructed up to
that point.

toast_rules() would take a pointer to a full 'struct rules' object, and
besides freeing all 'struct rule' referenced by it, would also free the
holding 'struct rules' itself.

With the introduction of the "executable paths" feature, and the
embedding of 'struct rules' into 'struct conf', meaning that the
lifecycle for 'struct rules' was no longer independent, toast_rules()
was changed not to free the passed 'struct rules' (as it was a field of
a 'struct conf' object).  Unfortunately, this change was not completed
with a reinitialization of the rules list head, so the 'struct conf'
object would continue to reference just-freed rules, which then would be
freed a second time on destruction of that container.

So, make toast_rules() re-initialize the rules list in 'struct rules',
which it logically has been having to do since not freeing the enclosing
'struct rules'.  This alone is enough to fix the bug, but let's use the
occasion to change the contract of parse_rules() and bring its herald
comment up-to-date: On error, parse_rules() now simply leaves already
constructed 'struct rule' objects in 'conf'.  The latter is eventually
destroyed and the rule objects reclaimed at that point.

Add a test trying to set an invalid rules configuration with the first
rule being valid and the second being invalid, which triggers the bug
(and an immediate panic() on an INVARIANTS kernel).

Reported by:    impost0r(ret2plt) <impostor@ret2p.lt>
Reviewed by:    markj
Fixes:          9818224174 ("MAC/do: Executable paths feature (GSoC 2025's final state)")
Sponsored by:   The FreeBSD Foundation
2026-06-01 17:23:51 +02:00
Mark Johnston f048a1a1de tests/ipsec: Run in parallel
Use execenv=jail to enable this.

MFC after:	1 week
2026-05-30 01:16:51 +00:00
Olivier Certner 851499046d MAC/do: Add consistency tests
Test that:
1. Concurrent changes to different parameters on the same jail are
   independent/atomic.
2. Inheritance works.
3. Relaxing only parent jail rules does not leak to a subjail thanks to
   sequential consistency.
4. Sysctl knobs and jail parameters stay consistent.

Some of these tests may be extended in the future with several layers of
jails (there is only a single subjail currently).

Reviewed by:    bapt
MFC after:      1 month
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
2026-05-29 17:41:51 +02:00
Olivier Certner a95ff5ef7d MAC/do: Tests: Add support for exec paths, jail parameters, subjails
And also allow configuration of the mdo(1) executable path.

This commit only contains new or modified infrastructure.  No functional
change intended at this point.

Reviewed by:    bapt
MFC after:      1 month
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
2026-05-29 17:41:36 +02:00
Olivier Certner 33daea3f86 MAC/do: Tests: Quote the source directory
In a standard test suite installation, this is not necessary, but be
bullet-proof to custom ones, however improbable.

Reviewed by:    bapt
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
2026-05-29 17:41:29 +02:00
Olivier Certner 6159187329 MAC/do: Tests: Declare required programs closer to use
Reviewed by:    bapt
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
2026-05-29 17:41:24 +02:00
Olivier Certner b0c948fe92 MAC/do: Tests: Fix copyrights
No comma needed after a single year.  Add SPDX.

Reviewed by:    bapt
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
2026-05-29 17:41:17 +02:00
Olivier Certner 79a987aba1 MAC/do: Tests: Remove shebang lines
They are automatically added by <bsd.test.mk>.

Reviewed by:    bapt
MFC after:      3 days
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
2026-05-29 17:41:02 +02:00
Siva Mahadevan a7df326619 ptrace_test: expect PT_STEP tests to fail on riscv
ptrace_single_step currently returns EOPNOTSUPP on riscv.

This temporarily fixes the following CI failures:
https://ci.freebsd.org/job/FreeBSD-main-riscv64-test/16606/testReport/sys.kern/ptrace_test/ptrace__PT_STEP_with_signal/
https://ci.freebsd.org/job/FreeBSD-main-riscv64-test/16606/testReport/sys.kern/ptrace_test/ptrace__step_siginfo/

Reviewed by:	kib
Approved by:	emaste (mentor)
Differential Revision:	https://reviews.freebsd.org/D57288
2026-05-28 12:32:42 -04:00
Dag-Erling Smørgrav 05039fda7e tests: Fix reliability issues in POSIX ACL tests
The ACL tests use UIDs and GIDs 41 through 49 and expect them to be
unassigned.  Since GID 43 is now assigned to the audio group, some
tests have begun to fail.

While here, also fix a benign Perl syntax issue in the test runner.

MFC after:	1 week
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D57297
2026-05-28 14:26:26 +02:00
Ed Maste b9d16b7fd2 sigqueue: In capability mode, only allow signalling self
This is copied from the check in kern_kill.

Reviewed by:	markj, oshogbo
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57244
2026-05-26 15:18:56 -04:00
Mark Johnston c9546bb619 tests/procdesc: Use a more efficient mechanism to block
Reviewed by:	kib
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D57149
2026-05-22 14:56:47 +00:00
Mark Johnston 6ab30433a7 tests/net: Run all tests with execenv=jail and enable parallelism
This has been stable in my testing, and enabling parallelism speeds up
test runs considerably.  In particular, with -v parallelism=16 in a
16-vcpu bhyve VM my test runs go from ~50m to ~40m; the exact numbers
depend on the kernel config in use.

Reviewed by:	pouria
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D57094
2026-05-22 14:44:08 +00:00
Olivier Certner cba191e291 MAC/do: Add basic tests on setting rules
MFC after:      1 minute
Sponsored by:   The FreeBSD Foundation
2026-05-21 21:18:56 +02:00
Siva Mahadevan a8c74d6c64 tests/ndp: fix ndp_routeinfo_option testcase flakiness
Since we are sleeping for an indefinite period of time waiting
for the default route to appear, the expire times may be gone
past 1+ seconds, causing the Expire column to show <1800 or <600.

Fixes:	f6bcc0925f

Reviewed by:	pouria
Approved by:	lwhsu (mentor)
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D56712
2026-05-21 10:22:22 -04:00
Vyacheslav Terehov 6eba055fcf ipfw: fix parsing error in nat config port_range
Also fix the corresponding tests.

PR:		263240
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D57010
2026-05-21 10:15:22 +03:00
Pouria Mousavizadeh Tehrani bc301fee4c routing: Add tests for metric
Add tests to make sure:
* Default metric is enforced.
* Lowest metric wins.
* Deleting routes by specifying gateway/metric works.

Reviewed by:	markj
Differential Revision: https://reviews.freebsd.org/D57016
2026-05-21 00:25:11 +03:30
Mark Johnston dea055a0e8 ptrace: Fix validation of PT_SC_REMOTE arguments
- Fix an off-by-one in the system call number check.  A value of
  SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
  syscall(2)/__syscall(2), since they pass the syscall number as an
  argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
  make sure that nargs > 0 to avoid an underflow when shifting arguments
  down.

Add regression tests.

Approved by:	so
Security:	FreeBSD-SA-26:21.ptrace
Security:	CVE-2026-45253
Fixes:		140ceb5d95 ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by:	Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by:	kib, emaste
Differential Revision:	https://reviews.freebsd.org/D56978
2026-05-20 19:34:50 +00:00
Alan Somers d91c459a93 fusefs: Handle buggy servers' LISTXATTR response
The fuse protocol requires server to respond to LISTXATTR with a
NUL-terminated string.  If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.

Approved by:	so
Security:	FreeBSD-SA-26:20.fusefs
Security:	CVE-2026-45252
admbugs:	1039
Reported by:	Joshua Rogers
Sponsored by:	ConnectWise
2026-05-20 19:34:50 +00:00
Mark Johnston f95da272b8 jaildesc: Make sure to drain selinfo sleepers in jaildesc_close()
Otherwise they may be left on a freed selinfo list after the
corresponding jaildesc struct is freed.  This can be exploited to
elevate privileges.

Remove the JDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.

Add some regression tests.

Approved by:	so
Security:	FreeBSD-SA-26:19.file
Security:	CVE-2026-45251
Fixes:		66d8ffe304 ("jaildesc: add kevent support")
Reviewed by:	kib, jamie
Differential Revision:	https://reviews.freebsd.org/D56945
2026-05-20 19:34:50 +00:00
Mark Johnston 4b6a23eb8a procdesc: Make sure to drain selinfo sleepers in procdesc_free()
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.

Remove the PDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.

Add some regression tests.

Approved by:	so
Security:	FreeBSD-SA-26:19.file
Security:	CVE-2026-45251
Reported by:	75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by:	kib, oshogbo
Fixes:		cfb5f76865 ("Add experimental support for process descriptors")
Differential Revision:	https://reviews.freebsd.org/D56887
2026-05-20 19:34:50 +00:00
Mark Johnston eeffed5aa0 tests/if_carp: Run all tests with execenv=jail
Otherwise failures can occur when running tests in parallel since some
tests reuse jail names.

MFC after:	1 week
2026-05-19 14:29:12 +00:00
Andrey V. Elsukov 2872268c7f ipfw: treat ipv6 address with zero mask as 'any'
Make the behaviour similar for both IPv4 and IPv6. Also add
the corresponding tests.

PR:             294733
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56618
2026-05-17 13:12:20 +03:00
Alex S 8dd43304b3 amd64/ptrace-sce-tamper test: get rid of PT_TRACE_ME
PT_TRACE_ME is only useful in combination with exec and there is no
exec in this test.

Signed-off-by:	Alex S <iwtcex@gmail.com>
MFC after:	1 week
2026-05-16 22:41:26 +03:00
Alex S 96f262dcac tests/sys/arch/amd64: Add a basic ptrace syscall tampering test
Signed-off-by: Alex S <iwtcex@gmail.com>
Reviewed-by: kib
Pull-request: https://github.com/freebsd/freebsd-src/pull/2190
2026-05-13 16:40:16 -04:00
Pouria Mousavizadeh Tehrani 188631e43a rtnetlink: Check for allocation failure in nlattr_get_multipath()
Check for alloction failure on `npt_alloc()` for RTA_MULTIPATH
attributes in `nlattr_get_multipath()`.
Also, add tests for maximum number of rtnexthop in rtnetlink.

Reported by:	Joshua Rogers of AISLE Research Team
Reviewed by:	markj
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D56954
2026-05-13 13:14:19 +03:30
Mark Johnston 3b16e96b00 tests/ip_mroute: Remove test timeouts
The configured timeout of 30s is a bit too low for a couple of tests
which create 4+ VNET jails when running tests in parallel and with
kernel sanitizers enabled.  There's no reason to have custom timeouts,
just use the default.

MFC after:	1 week
2026-05-12 20:05:18 +00:00
Sarah Walker f9ba99eaa2 physmem: Add a way to read all memory
In Arm CCA we need to find all memory to protect it. This needs to find
all memory, ignoring any excluded memory to protect it from the host.

Add physmem_all that reads all physical memory regions.

Co-developed-by: Andrew Turner <andrew@> (writing tests & commit message)
Sponsored by:	Arm Ltd
2026-05-12 17:54:40 +01:00
Boris Lytochkin 3d39eadcde ipfw: fix IPv6 flow label matching
* do not require just only ip6 proto for flow-id opcode in ipfw(8).
  ipv6-icmp, tcp, udp should be fine too.
* fix off-by-one bug leading to out-of-bounds read.
* apply IPV6_FLOWLABEL_MASK before comparison in flow6id_match(),
  so flow-id opcode will match a specified flow label. No need to
  take protocol version and traffic class into account.
* add the test to verify that opcode is working correctly.

Reviewed by:	pouria
Obtained from:	Yandex LLC
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D56869
2026-05-12 10:44:10 +03:00
Kristof Provost 4e7c1ff95a pfctl: relax interface name requirement
The FreeBSD network stack, for better or worse, does not impose any
requirements on interface names. As such it's valid for an interface
name to start with a number (or indeed, be something like '').

Allow this in pfctl, and add a test case for the specific case of
interface names starting with a number.

Note that we don't support UTF-8 names fully, so those may still fail.

PR:		295064
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
2026-05-07 17:07:23 +02:00
Kristof Provost 726ff260ec pfctl: optionally print the rule in the state overview
When dumping states optionally (at '-vv') also show the rule which
created the state. This can be helpful if the ruleset changed and we
want to know what rule created the state.

Sponsored by:	Rubicon Communications, LLC ("Netgate")
2026-05-07 17:06:56 +02:00
Enji Cooper 3348fa7a45 Revert "Skip sys.netinet6.frag6.frag6_19.frag6_19 in CI"
Per [siva@'s comment on the PR][1], this testcase now passes cleanly in CI.

PR:	274941
MFC after:	1 week

[1]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274941#c6

This reverts commit 86e87c3bd1.
2026-05-06 16:08:26 -07:00
Kristof Provost a0e4c65f18 pf: do not reject rules with colliding hashes
We insert rules in pf_krule_global solely for the benefit of the
'keepcounters' feature. Failing to insert (beause the rule hash
collides, or an identical rule already exists) would be worse than
restoring counts to the wrong rule (or failing to restore them at all).

PR:		282863, 294860, 294859, 294858
MFC after:	3 days
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D56745
2026-05-05 22:20:42 +02:00
Mark Johnston 41b03932e5 tests: Add a simple regression test for an execve overflow bug
MFC after:	2 weeks
2026-05-04 17:28:02 +00:00
Ryan Libby d5728351a5 amd/int0x80 test: fix inline asm for gcc
Gcc complained about the unused %0 asm argument.

Fixes:	2c2ec6bbc9 ("tests/sys/arch/amd64: add a program to check INT $0x80 behavior on amd64")
Reviewed by:	kib, markj
Differential Revision:	https://reviews.freebsd.org/D56781
2026-05-04 09:34:41 -07:00
Mark Johnston 47ae0135d4 tests/if_lagg: Minor improvements
- Set require.kmods instead of relying on ifconfig to load if_lagg.ko,
  as this doesn't work when running within a jail.
- Simplify helper functions which create tap and lagg devices.

MFC after:	1 week
2026-05-03 21:51:50 +00:00
Mark Johnston 001cfc7b8a tests/timerfd: Serialize
At least one of these tests changes the system clock, which potentially
interferes with concurrently running tests and causes them to fail.

MFC after:	1 week
2026-05-03 21:51:49 +00:00
Mark Johnston 476805133f unix: Make sure we signal EOF on the write side when disconnecting
Add a regression test.

PR:		294014
Reported by:	diizzy
Reviewed by:	glebius
MFC after:	1 week
Fixes:		d157927807 ("unix: new implementation of unix/stream & unix/seqpacket")
Differential Revision:	https://reviews.freebsd.org/D56764
2026-05-03 21:51:49 +00:00
Zhenlei Huang 9137c66c2e tests/carp: Rework unicast_v4
For unicast tests, it is sufficient to use wait_for_carp() to verify
the setup is sane. Additional sanity checks are not necessarily
required but can serve purpose for redundancy.

For some unclear reason routed(8) is advertising route to carp BACKUP.
That makes the test flaky. Also routed(8) is marked deprecated and may
be removed from base in the future. Let's just add static route entry
manually for additional sanity checks.

Other noticeable changes:
  1. Add atf_check to configuration steps to prevent potential failure
on setup. That helps diagnosing on failure.
  2. Shorten the names of jails to improve readability.
  3. Prefer `[ifconfig|route|sysctl] -j` over `jexec [ifconfig|route|sysctl]`
to make the lines shorter.

PR:		294817
Reviewed by:	glebius (previous version), pouria, markj
Fixes:		93fbdef51a tests: carp: Update test case unicast_v4 to catch PR 284872
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D56761
2026-05-03 19:02:15 +08:00
Kyle Evans 910f78a514 tests: fix remaining test failures under _FORTIFY_SOURCE
The getgroups test is a NetBSD tests, so just apply our larger hammer
and disable the feature entirely.  The audit test can take a more
surgical approach and use __ssp_real() appropriately, since it's a local
one.

PR:		294881
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56735
2026-04-30 21:58:48 -05:00
Pouria Mousavizadeh Tehrani 23b8d16c66 tests/netlink: Add nexthop group tests for multipath
Added tests:
* Test for creating multiple routes.
* Test for merge multiple nexthops into a single nexthop group.
* Test for nexthop expirations from a nexthop group.

Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D56190
2026-05-01 01:36:20 +03:30