network: new regression test for over-sized chunks in SCTP

Message ID 1520337452-10137-1-git-send-email-alexey.kodanev@oracle.com
State Changes Requested

Commit Message

Alexey Kodanev March 6, 2018, 11:57 a.m. UTC
Fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a
new chunk in _sctp_make_chunk()")

CVE-2018-5803

Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
 runtest/net.features             |    1 +
 testcases/network/sctp/Makefile  |    2 +-
 testcases/network/sctp/sctp02.sh |   66 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+), 1 deletions(-)
 create mode 100755 testcases/network/sctp/sctp02.sh

Comments

Petr Vorel March 6, 2018, 6:20 p.m. UTC | #1
> Fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a
> new chunk in _sctp_make_chunk()")

> CVE-2018-5803
I wonder whether to add it also into runtest/cve. But these aren't usually run with
/opt/ltp/testscripts/network.sh. Don't we want to create something like runtest/cve-network?

This is one of several tests in runtest/net.features which run "forever", generating
impressive load and blocking the link, making it impossible even to log in.
Actually I wasn't able to pass it with any of my virtual machines (various distros).
What is the prerequisite for the test? Separate "safe" link to SUT (not to be affected by
the test)? It'd be great if the test wasn't too resource demanding.
None of my virtual machines contain commit 07f2c7ab6f8d.

> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
> ---
>  runtest/net.features             |    1 +
>  testcases/network/sctp/Makefile  |    2 +-
>  testcases/network/sctp/sctp02.sh |   66 ++++++++++++++++++++++++++++++++++++++
>  3 files changed, 68 insertions(+), 1 deletions(-)
>  create mode 100755 testcases/network/sctp/sctp02.sh

> diff --git a/runtest/net.features b/runtest/net.features
> index b9250dc..81e9a43 100644
> --- a/runtest/net.features
> +++ b/runtest/net.features
> @@ -19,6 +19,7 @@ dccp01_ipv6 dccp01.sh -6

>  sctp01 sctp01.sh
>  sctp01_ipv6 sctp01.sh -6
> +sctp02 sctp02.sh -6

>  tcp_fastopen tcp_fastopen_run.sh
>  tcp_fastopen6 tcp_fastopen_run.sh -6
> diff --git a/testcases/network/sctp/Makefile b/testcases/network/sctp/Makefile
> index 914e389..5f014d8 100644
> --- a/testcases/network/sctp/Makefile
> +++ b/testcases/network/sctp/Makefile
> @@ -17,6 +17,6 @@ top_srcdir		?= ../../..

>  include $(top_srcdir)/include/mk/env_pre.mk

> -INSTALL_TARGETS		:= sctp01.sh
> +INSTALL_TARGETS		:= *.sh

>  include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/network/sctp/sctp02.sh b/testcases/network/sctp/sctp02.sh
> new file mode 100755
> index 0000000..f8386dd
> --- /dev/null
> +++ b/testcases/network/sctp/sctp02.sh
> @@ -0,0 +1,66 @@
> +#!/bin/sh
> +# Copyright (c) 2018 Oracle and/or its affiliates.
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2 of
> +# the License, or (at your option) any later version.
> +#
> +# This program is distributed in the hope that it would be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +# Regression test for the crash caused by over-sized SCTP chunk, fixed by
> +# commit 07f2c7ab6f8d ("sctp: verify size of a new chunk in _sctp_make_chunk()")
> +#
> +# CVE-2018-5803
Maybe say this at least in TINFO, when it's not in TCID?
> +
> +TCID=sctp02
> +TST_TOTAL=1
> +TST_CLEANUP="cleanup"
> +TST_NEEDS_TMPDIR=1
> +
> +. test_net.sh
> +
> +cleanup()
> +{
> +	for i in $(seq 1 16); do
Why 16?

> +		tst_rhost_run -s -c "ip a del $(tst_ipaddr_un -c $i rhost) \
> +				     dev $(tst_iface rhost)"
Minor nit: I wish we used 'ip addr' in scripts instead of 'ip a' (better for grepping).

> +	done
> +	for i in $(seq 17 3260); do
Why 3260? Would it make sense to have it in some env variable?

> +		ROD ip a del $(tst_ipaddr_un -c $i lhost) dev $(tst_iface)
> +	done
> +}
> +
> +setup()
> +{
> +	tst_require_root
> +
> +	tst_resm TINFO "adding several addresses to remote host"
> +	for i in $(seq 1 16); do
> +		tst_rhost_run -s -c "ip a add $(tst_ipaddr_un -c $i rhost) \
> +				     dev $(tst_iface rhost) nodad"
> +	done
> +
> +	tst_resm TINFO "adding addresses to local host to make big INIT packet"
> +	for i in $(seq 17 3260); do
> +		ROD ip a add $(tst_ipaddr_un -c $i lhost) dev $(tst_iface) nodad
> +	done
> +}
> +
> +test_run()
> +{
> +	tst_resm TINFO "sending almost over-sized INIT packet to remote host"
> +	tst_netload -H $(tst_ipaddr rhost) -T sctp
> +	tst_resm TPASS "test doesn't cause the crash"
> +}
> +
> +setup
> +test_run
> +
> +tst_exit

Otherwise looks good to me.


Kind regards,
Petr

Alexey Kodanev March 7, 2018, 9:17 a.m. UTC | #2
On 06.03.2018 21:20, Petr Vorel wrote:
>> Fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a
>> new chunk in _sctp_make_chunk()")
> 
>> CVE-2018-5803
> I wonder whether to add it also into runtest/cve. But these aren't usually run with
> /opt/ltp/testscripts/network.sh. Don't we want to create something like runtest/cve-network?
> 
> This is one of several tests in runtest/net.features which run "forever", generating
> impressive load and blocking the link, making it impossible even to log in.
> Actually I wasn't able to pass it with any of my virtual machines (various distros).
> What is the prerequisite for the test? Separate "safe" link to SUT (not to be affected by
> the test)? It'd be great if the test wasn't too resource demanding.

There is no prerequisite for the test; adding addresses is needed
to construct a big INIT packet that will eventually include
all these variable-size parameters, then send it to the server.

We can construct it manually though, it should be much faster.
I'll try to come up with another version.

Thanks,
Alexey

Patch

diff --git a/runtest/net.features b/runtest/net.features
index b9250dc..81e9a43 100644
--- a/runtest/net.features
+++ b/runtest/net.features
@@ -19,6 +19,7 @@  dccp01_ipv6 dccp01.sh -6
 
 sctp01 sctp01.sh
 sctp01_ipv6 sctp01.sh -6
+sctp02 sctp02.sh -6
 
 tcp_fastopen tcp_fastopen_run.sh
 tcp_fastopen6 tcp_fastopen_run.sh -6
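Review bot: the added entry runs sctp02.sh with -6 only but is named sctp02, while the neighbouring entries reserve the _ipv6 suffix for the -6 variant (sctp01_ipv6 sctp01.sh -6). Name it sctp02_ipv6 for consistency, or add a plain sctp02 sctp02.sh entry if an IPv4 run is meaningful; if only IPv6 can reach the intended packet size, state that in the script header so the missing IPv4 entry does not look like an oversight.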
diff --git a/testcases/network/sctp/Makefile b/testcases/network/sctp/Makefile
index 914e389..5f014d8 100644
--- a/testcases/network/sctp/Makefile
+++ b/testcases/network/sctp/Makefile
@@ -17,6 +17,6 @@  top_srcdir		?= ../../..
 
 include $(top_srcdir)/include/mk/env_pre.mk
 
-INSTALL_TARGETS		:= sctp01.sh
+INSTALL_TARGETS		:= *.sh
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
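Review bot: changing INSTALL_TARGETS from the explicit sctp01.sh to *.sh means every shell script that later lands in this directory is installed, including helpers that are not meant to be run as tests, and the commit message does not mention the change. Either list the files explicitly (sctp01.sh sctp02.sh) or note the switch to a wildcard in the commit message.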
diff --git a/testcases/network/sctp/sctp02.sh b/testcases/network/sctp/sctp02.sh
new file mode 100755
index 0000000..f8386dd
--- /dev/null
+++ b/testcases/network/sctp/sctp02.sh
@@ -0,0 +1,66 @@ 
+#!/bin/sh
+# Copyright (c) 2018 Oracle and/or its affiliates.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Regression test for the crash caused by over-sized SCTP chunk, fixed by
+# commit 07f2c7ab6f8d ("sctp: verify size of a new chunk in _sctp_make_chunk()")
+#
+# CVE-2018-5803
+
+TCID=sctp02
+TST_TOTAL=1
+TST_CLEANUP="cleanup"
+TST_NEEDS_TMPDIR=1
+
+. test_net.sh
+
+cleanup()
+{
+	for i in $(seq 1 16); do
+		tst_rhost_run -s -c "ip a del $(tst_ipaddr_un -c $i rhost) \
+				     dev $(tst_iface rhost)"
+	done
+	for i in $(seq 17 3260); do
+		ROD ip a del $(tst_ipaddr_un -c $i lhost) dev $(tst_iface)
+	done
+}
+
+setup()
+{
+	tst_require_root
+
+	tst_resm TINFO "adding several addresses to remote host"
+	for i in $(seq 1 16); do
+		tst_rhost_run -s -c "ip a add $(tst_ipaddr_un -c $i rhost) \
+				     dev $(tst_iface rhost) nodad"
+	done
+
+	tst_resm TINFO "adding addresses to local host to make big INIT packet"
+	for i in $(seq 17 3260); do
+		ROD ip a add $(tst_ipaddr_un -c $i lhost) dev $(tst_iface) nodad
+	done
+}
+
+test_run()
+{
+	tst_resm TINFO "sending almost over-sized INIT packet to remote host"
+	tst_netload -H $(tst_ipaddr rhost) -T sctp
+	tst_resm TPASS "test doesn't cause the crash"
+}
+
+setup
+test_run
+
+tst_exit
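Review bot: cleanup() runs its ip a del calls through the abort-on-failure wrappers (ROD and tst_rhost_run -s), so a single failed deletion, including one for an address setup() never managed to add, turns into a test break inside the cleanup handler, and a failure in the first loop on the remote host means the second loop never removes the 3244 addresses from the local interface. Run the deletions without ROD and without -s and ignore their exit status, so cleanup always walks both ranges. The bounds 16 and 3260 are also repeated literally in setup() and cleanup(); keeping them in variables defined once at the top of the script would stop the two pairs of loops from drifting apart and gives a place to document how the numbers were chosen.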