From patchwork Fri Mar 23 15:37:29 2018
X-Patchwork-Submitter: Alexey Kodanev
X-Patchwork-Id: 890026
X-Patchwork-Delegate: akodanev@gmail.com
From: Alexey Kodanev
To: ltp@lists.linux.it
Date: Fri, 23 Mar 2018 18:37:29 +0300
Message-Id: <1521819449-27489-3-git-send-email-alexey.kodanev@oracle.com>
In-Reply-To: <1521819449-27489-1-git-send-email-alexey.kodanev@oracle.com>
References: <1521819449-27489-1-git-send-email-alexey.kodanev@oracle.com>
Subject: [LTP] [PATCH v2 2/2] sctp: new regression test sctp_big_chunk for CVE-2018-5803
List-Id: Linux Test Project

Added two test-cases in runtest/cve:
* cve-2018-5803 - over-sized INIT_ACK packet
* cve-2018-5803_2 - over-sized INIT packet

Signed-off-by: Alexey Kodanev
Acked-by: Petr Vorel
---
v2: rename the test file and move it to testcases/network/sctp/

include/lapi/socket.h | 4 + runtest/cve | 2 + testcases/network/.gitignore | 1 + testcases/network/sctp/Makefile | 2 +- testcases/network/sctp/sctp_big_chunk.c | 121 +++++++++++++++++++++++++++++++ 5 files changed, 129 insertions(+), 1 deletions(-) create mode 100644 testcases/network/sctp/sctp_big_chunk.c 
diff --git a/include/lapi/socket.h b/include/lapi/socket.h index 426906f..d58c460 100644 --- a/include/lapi/socket.h +++ b/include/lapi/socket.h @@ -45,6 +45,10 @@ # define SOCK_CLOEXEC 02000000 #endif +#ifndef SOL_SCTP +# define SOL_SCTP 132 +#endif + #ifndef SOL_UDPLITE # define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */ #endif diff --git a/runtest/cve b/runtest/cve index 8b7cbe5..1d9569a 100644 --- a/runtest/cve +++ b/runtest/cve @@ -32,3 +32,5 @@ cve-2017-5754 meltdown cve-2017-17052 cve-2017-17052 cve-2017-16939 cve-2017-16939 cve-2017-17053 cve-2017-17053 +cve-2018-5803 sctp_big_chunk +cve-2018-5803_2 sctp_big_chunk -a 10000 diff --git a/testcases/network/.gitignore b/testcases/network/.gitignore index d4ed925..e952f6f 100644 --- a/testcases/network/.gitignore +++ b/testcases/network/.gitignore @@ -22,6 +22,7 @@ /nfsv4/locks/locktests /rpc/basic_tests/rpc01/rpc1 /rpc/basic_tests/rpc01/rpc_server +/sctp/sctp_big_chunk /sockets/ltpClient /sockets/ltpServer /stress/ns-tools/ns-icmp_redirector diff --git a/testcases/network/sctp/Makefile b/testcases/network/sctp/Makefile index 914e389..0fa9125 100644 --- a/testcases/network/sctp/Makefile +++ b/testcases/network/sctp/Makefile @@ -15,7 +15,7 @@ top_srcdir ?= ../../.. -include $(top_srcdir)/include/mk/env_pre.mk +include $(top_srcdir)/include/mk/testcases.mk INSTALL_TARGETS := sctp01.sh diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c new file mode 100644 index 0000000..55a2969 --- /dev/null +++ b/testcases/network/sctp/sctp_big_chunk.c 
@@ -0,0 +1,121 @@ +/* + * Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Regression test-case for the crash caused by over-sized SCTP chunk, + * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new + * chunk in _sctp_make_chunk()") + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tst_test.h" +#include "tst_safe_stdio.h" +#include "lapi/netinet_in.h" +#include "lapi/socket.h" +#include "lapi/sctp.h" + +static int port; +static int sfd, cfd; +static struct sockaddr_in6 rmt, loc; + +static char *addr_param; +static int addr_num = 3273; + +static void setup_server(void) +{ + loc.sin6_family = AF_INET6; + loc.sin6_addr = in6addr_loopback; + + sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); + SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc)); + + port = TST_GETSOCKPORT(sfd); + tst_res(TINFO, "sctp server listen on %d", port); + + SAFE_LISTEN(sfd, 1); +} + +static void setup_client(void) +{ + struct sockaddr_in6 addr_buf[addr_num]; + int i; + + cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); + rmt.sin6_family = AF_INET6; + rmt.sin6_addr = in6addr_loopback; + rmt.sin6_port = htons(port); + + tst_res(TINFO, "bind %d additional IP addresses", addr_num); + + memset(addr_buf, 0, sizeof(addr_buf)); + for (i = 0; i < addr_num; ++i) { + 
addr_buf[i].sin6_family = AF_INET6; + addr_buf[i].sin6_addr = in6addr_loopback; + } + + SAFE_SETSOCKOPT(cfd, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, addr_buf, + sizeof(addr_buf)); +} + +static void setup(void) +{ + if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX)) + tst_brk(TBROK, "wrong address number '%s'", addr_param); + + setup_server(); + setup_client(); +} + +static void run(void) +{ + int pid = SAFE_FORK(); + + if (!pid) { + struct sockaddr_in6 addr6; + socklen_t addr_size = sizeof(addr6); + + if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0) + tst_brk(TBROK | TERRNO, "accept() failed"); + exit(0); + } + + fcntl(cfd, F_SETFL, O_NONBLOCK); + connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt)); + + SAFE_KILL(pid, SIGKILL); + SAFE_WAITPID(pid, NULL, 0); + + tst_res(TPASS, "test doesn't cause crash"); +} + +static struct tst_option options[] = { + {"a:", &addr_param, "-a number of additional IP address params"}, + {NULL, NULL, NULL} +}; + +static struct tst_test test = { + .setup = setup, + .forks_child = 1, + .test_all = run, + .options = options +};
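Review bot: In include/lapi/socket.h the new SOL_SCTP fallback has no comment, while the SOL_UDPLITE fallback directly below it carries one. A short note that 132 is the SCTP protocol number (the same value as IPPROTO_SCTP) would keep the two fallbacks consistent and tell the reader where the constant comes from.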
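Review bot: In runtest/cve the two new entries differ only by "-a 10000", and nothing in the tree says which address count produces the over-sized INIT_ACK and which the over-sized INIT; that mapping exists only in the commit message. Please document it next to "static int addr_num = 3273;" in sctp_big_chunk.c, including why 3273 is the default, so that someone triaging a failure of cve-2018-5803_2 can tell which path was exercised without digging through the list archive.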
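Review bot: The testcases/network/sctp/Makefile hunk swaps the env_pre.mk include for testcases.mk, but neither the commit message nor the v2 note says why. If this is what makes the new sctp_big_chunk.c build and install alongside sctp01.sh, one sentence in the commit message would help; it would also be worth confirming that the existing INSTALL_TARGETS line still behaves the same with the new include.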
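Review bot: In setup_client() of sctp_big_chunk.c, "struct sockaddr_in6 addr_buf[addr_num];" is a variable-length array on the stack whose size comes from the -a option, and setup() accepts any value up to INT_MAX. At -a 10000 that is already a few hundred kilobytes of stack, and a larger value makes the test itself crash with a stack overflow before the kernel is exercised, which is easy to misread as a kernel failure. Allocating the buffer with SAFE_MALLOC() and freeing it after the SAFE_SETSOCKOPT() call, or tightening the upper bound passed to tst_parse_int(), would avoid that. Two smaller points in run(): the return values of fcntl() and connect() are ignored, so TPASS is reported even when the connection attempt never started; SAFE_FCNTL() and a tst_res(TINFO | TERRNO, ...) line for the connect() result would make the outcome diagnosable. There is also no .cleanup callback closing sfd and cfd, and run() reuses the same cfd after connect() when the test is iterated.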