From patchwork Mon Mar 12 16:36:53 2018
X-Patchwork-Submitter: Alexey Kodanev
X-Patchwork-Id: 884592
From: Alexey Kodanev
To: ltp@lists.linux.it
Date: Mon, 12 Mar 2018 19:36:53 +0300
Message-Id: <1520872613-30423-1-git-send-email-alexey.kodanev@oracle.com>
Subject: [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
List-Id: Linux Test Project

There are two test-cases in runtest/cve:
* cve-2018-5803 - for over-sized INIT_ACK packet
* cve-2018-5803_2 - for over-sized INIT packet

Signed-off-by: Alexey Kodanev
Tested-by: Petr Vorel
--- include/lapi/socket.h | 4 + runtest/cve | 2 + testcases/cve/.gitignore | 1 + testcases/cve/cve-2018-5803.c | 124 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 131 insertions(+), 0 deletions(-) create mode 100644 testcases/cve/cve-2018-5803.c diff --git a/include/lapi/socket.h b/include/lapi/socket.h index 426906f..d58c460 100644 --- a/include/lapi/socket.h +++ b/include/lapi/socket.h @@ -45,6 +45,10 @@ # define SOCK_CLOEXEC 02000000 #endif +#ifndef SOL_SCTP +# define SOL_SCTP 132 +#endif + #ifndef SOL_UDPLITE # define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */ #endif 
diff --git a/runtest/cve b/runtest/cve index 0c385c6..826bb0b 100644 --- a/runtest/cve +++ b/runtest/cve @@ -30,3 +30,5 @@ cve-2017-17807 request_key04 cve-2017-1000364 stack_clash cve-2017-5754 meltdown cve-2017-17052 cve-2017-17052 +cve-2018-5803 cve-2018-5803 +cve-2018-5803_2 cve-2018-5803 -a 10000 diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore index c878069..31200c6 100644 --- a/testcases/cve/.gitignore +++ b/testcases/cve/.gitignore @@ -12,3 +12,4 @@ cve-2017-5669 meltdown stack_clash cve-2017-17052 +cve-2018-5803 diff --git a/testcases/cve/cve-2018-5803.c b/testcases/cve/cve-2018-5803.c new file mode 100644 index 0000000..3f03d8a --- /dev/null +++ b/testcases/cve/cve-2018-5803.c 
@@ -0,0 +1,124 @@ +/* + * Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it would be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + * + * Regression test-case for the crash caused by over-sized SCTP chunk, + * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new + * chunk in _sctp_make_chunk()") + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tst_test.h" +#include "tst_safe_stdio.h" +#include "lapi/netinet_in.h" +#include "lapi/socket.h" + +static int port; +static int sfd, cfd; +static struct sockaddr_in6 rmt, loc; + +static char *addr_param; +static int addr_num = 3273; + +#ifndef SCTP_SOCKOPT_BINDX_ADD +# define SCTP_SOCKOPT_BINDX_ADD 100 +#endif + +static void setup_server(void) +{ + loc.sin6_family = AF_INET6; + loc.sin6_addr = in6addr_loopback; + + sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); + SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc)); + + port = TST_GETSOCKPORT(sfd); + tst_res(TINFO, "sctp server listen on %d", port); + + SAFE_LISTEN(sfd, 1); +} + +static void setup_client(void) +{ + struct sockaddr_in6 addr_buf[addr_num]; + int i; + + cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP); + rmt.sin6_family = AF_INET6; + rmt.sin6_addr = in6addr_loopback; + rmt.sin6_port = htons(port); + + tst_res(TINFO, "bind %d additional IP addresses", addr_num); + + memset(addr_buf, 0, 
sizeof(addr_buf)); + for (i = 0; i < addr_num; ++i) { + addr_buf[i].sin6_family = AF_INET6; + addr_buf[i].sin6_addr = in6addr_loopback; + } + + SAFE_SETSOCKOPT(cfd, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, addr_buf, + sizeof(addr_buf)); +} + +static void setup(void) +{ + if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX)) + tst_brk(TBROK, "wrong address number '%s'", addr_param); + + setup_server(); + setup_client(); +} + +static void run(void) +{ + int pid = SAFE_FORK(); + + if (!pid) { + struct sockaddr_in6 addr6; + socklen_t addr_size = sizeof(addr6); + + if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0) + tst_brk(TBROK | TERRNO, "accept() failed"); + exit(0); + } + + fcntl(cfd, F_SETFL, O_NONBLOCK); + connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt)); + + SAFE_KILL(pid, SIGKILL); + SAFE_WAITPID(pid, NULL, 0); + + tst_res(TPASS, "test doesn't cause crash"); +} + +static struct tst_option options[] = { + {"a:", &addr_param, "-a number of additional IP address params"}, + {NULL, NULL, NULL} +}; + +static struct tst_test test = { + .setup = setup, + .forks_child = 1, + .test_all = run, + .options = options +};
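
Review bot: In the include/lapi/socket.h hunk, the new `SOL_SCTP 132` fallback has no comment, while the neighbouring `SOL_UDPLITE` define carries one; add a short comment saying where the value comes from so the two entries match. The related fallback `SCTP_SOCKOPT_BINDX_ADD 100` is defined inside testcases/cve/cve-2018-5803.c instead; keeping both SCTP fallbacks together in a lapi header would let later SCTP tests reuse them.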
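
Review bot: In the runtest/cve hunk, the `-a 10000` argument of the `cve-2018-5803_2` entry and the built-in default of 3273 that the plain `cve-2018-5803` entry relies on are unexplained; only the commit message says which entry targets the over-sized INIT and which the INIT_ACK. Document in the header comment of cve-2018-5803.c why these two address counts reach the two chunk types, so the values can be re-derived if the limits change.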
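
Review bot: In setup_client() of testcases/cve/cve-2018-5803.c, `struct sockaddr_in6 addr_buf[addr_num];` is a variable-length array on the stack sized by the `-a` option, and setup() accepts any value up to INT_MAX, so a large `-a` can overflow the test's own stack before the kernel path under test is reached. Allocate the buffer on the heap, free it after the setsockopt call, and cap the accepted range at a value the test is meant to exercise. Separately, run() ignores the results of fcntl() and connect() and reports TPASS unconditionally, and sfd/cfd are never closed because the tst_test struct has no .cleanup; log the connect() result and add a cleanup callback.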