
[v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase

Message ID 20190527094146.13561-1-camann@suse.com
State Accepted

Commit Message

Christian Amann May 27, 2019, 9:41 a.m. UTC
Kernels between version 3.11 and 4.8 missing commit b98b0bc8
are vulnerable to a privilege escalation exploit by overflowing
a socket send buffer size integer.
This test checks if the system is vulnerable by testing if a
negative buffer size can be set.

Signed-off-by: Christian Amann <camann@suse.com>
---
 runtest/syscalls                                   |  1 +
 testcases/kernel/syscalls/setsockopt/.gitignore    |  1 +
 .../kernel/syscalls/setsockopt/setsockopt04.c      | 65 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt04.c

Comments

Cyril Hrubis May 27, 2019, 1:54 p.m. UTC | #1
Hi!
I've removed the .timeout settings from the tst_test structure and
pushed, thanks.

As far as I can tell there is no point in tweaking the default timeout
for testcases that have a runtime in milliseconds.

Patch

diff --git a/runtest/syscalls b/runtest/syscalls
index 04558a580..b06ad949e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1233,6 +1233,7 @@  setsid01 setsid01
 setsockopt01 setsockopt01
 setsockopt02 setsockopt02
 setsockopt03 setsockopt03
+setsockopt04 setsockopt04
 
 settimeofday01 settimeofday01
 settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index d8fb0f3b4..603e2ad7a 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -1,3 +1,4 @@ 
 /setsockopt01
 /setsockopt02
 /setsockopt03
+/setsockopt04
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt04.c b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
new file mode 100644
index 000000000..6cb4199ab
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
@@ -0,0 +1,65 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 SUSE LLC
+ * Author: Christian Amann <camann@suse.com>
+ */
+/* Test for CVE-2016-9793
+ *
+ * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it
+ * is possible to pass a very high unsigned integer as send buffer size
+ * to a socket which is then interpreted as a negative value.
+ *
+ * This can be used to escalate privileges by every user that has the
+ * CAP_NET_ADMIN capability.
+ *
+ * For additional information about this CVE see:
+ * https://www.suse.com/security/cve/CVE-2016-9793/
+ */
+
+#include <sys/socket.h>
+#include "tst_test.h"
+#include "tst_safe_net.h"
+
+#define SNDBUF	(0xffffff00)
+
+static int sockfd;
+
+static void run(void)
+{
+	unsigned int sndbuf, rec_sndbuf;
+	socklen_t optlen;
+
+	sndbuf = SNDBUF;
+	rec_sndbuf = 0;
+	optlen = sizeof(sndbuf);
+
+	SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen);
+	SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen);
+
+	tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf);
+	tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);
+
+	if ((int)rec_sndbuf < 0)
+		tst_res(TFAIL, "Was able to set negative send buffer size!");
+	else
+		tst_res(TPASS, "Was unable to set negative send buffer size!");
+}
+
+static void setup(void)
+{
+	sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+}
+
+static void cleanup(void)
+{
+	if (sockfd > 0)
+		SAFE_CLOSE(sockfd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.needs_root = 1,
+	.timeout = 20,
+};
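Review bot: run() only exercises SO_SNDBUFFORCE, but as far as I can tell the fix named in the header comment (b98b0bc8) clamps the value for SO_RCVBUFFORCE as well, so a kernel with only the send side backported would still report TPASS. Driving the same check from a small table of option pairs through `.test`/`.tcnt` would cover both paths. Two smaller points in run(): `rec_sndbuf` is unsigned but printed with `%d`, so cast it to `(int)` there, and the "Try to set" message is emitted after the setsockopt call has already happened.

```c
static const struct tcase {
	int force_opt;
	int read_opt;
	const char *name;
} tcases[] = {
	{SO_SNDBUFFORCE, SO_SNDBUF, "send"},
	{SO_RCVBUFFORCE, SO_RCVBUF, "receive"},
};

static void run(unsigned int n)
{
	const struct tcase *tc = &tcases[n];
	unsigned int bufsize = SNDBUF, rec_bufsize = 0;
	socklen_t optlen = sizeof(bufsize);

	tst_res(TINFO, "Try to set %s buffer size to: %u", tc->name, bufsize);

	SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, tc->force_opt, &bufsize, optlen);
	SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, tc->read_opt, &rec_bufsize, &optlen);

	tst_res(TINFO, "%s buffer size was set to: %d", tc->name,
		(int)rec_bufsize);

	if ((int)rec_bufsize < 0)
		tst_res(TFAIL, "Was able to set negative %s buffer size!", tc->name);
	else
		tst_res(TPASS, "Was unable to set negative %s buffer size!", tc->name);
}

/* … unchanged: setup(), cleanup() … */

static struct tst_test test = {
	.test = run,
	.tcnt = ARRAY_SIZE(tcases),
	/* … unchanged: .setup, .cleanup, .needs_root … */
};
```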