From patchwork Mon May 27 09:41:46 2019
X-Patchwork-Submitter: Christian Amann
X-Patchwork-Id: 1105716
From: Christian Amann To: ltp@lists.linux.it Date: Mon, 27 May 2019 11:41:46 +0200 Message-Id: <20190527094146.13561-1-camann@suse.com> X-Mailer: git-send-email 2.16.4 X-Virus-Scanned: clamav-milter 0.99.2 at in-6.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-6.smtp.seeweb.it Subject: [LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Kernels between version 3.11 and 4.8 missing commit b98b0bc8 are vulnerable to a privilege escalation exploit by overflowing a socket send buffer size integer. This test checks if the system is vulnerable by testing if a negative buffer size can be set. Signed-off-by: Christian Amann --- runtest/syscalls | 1 + testcases/kernel/syscalls/setsockopt/.gitignore | 1 + .../kernel/syscalls/setsockopt/setsockopt04.c | 65 ++++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt04.c diff --git a/runtest/syscalls b/runtest/syscalls index 04558a580..b06ad949e 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -1233,6 +1233,7 @@ setsid01 setsid01 setsockopt01 setsockopt01 setsockopt02 setsockopt02 setsockopt03 setsockopt03 +setsockopt04 setsockopt04 settimeofday01 settimeofday01 settimeofday02 settimeofday02 diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore index d8fb0f3b4..603e2ad7a 100644 --- a/testcases/kernel/syscalls/setsockopt/.gitignore +++ b/testcases/kernel/syscalls/setsockopt/.gitignore @@ -1,3 +1,4 @@ /setsockopt01 /setsockopt02 /setsockopt03 +/setsockopt04 
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt04.c b/testcases/kernel/syscalls/setsockopt/setsockopt04.c new file mode 100644 index 000000000..6cb4199ab --- /dev/null +++ b/testcases/kernel/syscalls/setsockopt/setsockopt04.c @@ -0,0 +1,65 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2019 SUSE LLC + * Author: Christian Amann + */ +/* Test for CVE-2016-9793 + * + * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it + * is possible to pass a very high unsigned integer as send buffer size + * to a socket which is then interpreted as a negative value. + * + * This can be used to escalate privileges by every user that has the + * CAP_NET_ADMIN capability. + * + * For additional information about this CVE see: + * https://www.suse.com/security/cve/CVE-2016-9793/ + */ + +#include +#include "tst_test.h" +#include "tst_safe_net.h" + +#define SNDBUF (0xffffff00) + +static int sockfd; + +static void run(void) +{ + unsigned int sndbuf, rec_sndbuf; + socklen_t optlen; + + sndbuf = SNDBUF; + rec_sndbuf = 0; + optlen = sizeof(sndbuf); + + SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen); + SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen); + + tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf); + tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf); + + if ((int)rec_sndbuf < 0) + tst_res(TFAIL, "Was able to set negative send buffer size!"); + else + tst_res(TPASS, "Was unable to set negative send buffer size!"); +} + +static void setup(void) +{ + sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0); +} + +static void cleanup(void) +{ + if (sockfd > 0) + SAFE_CLOSE(sockfd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .needs_root = 1, + .timeout = 20, +};
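Review bot: in the setsockopt04.c hunk, rec_sndbuf is declared unsigned int but is printed with %d and compared through an (int) cast; declaring it as int (the kernel stores the buffer size as a signed int) drops the cast and matches the format string, i.e. `int rec_sndbuf;` and `if (rec_sndbuf < 0)`. Second, SAFE_SETSOCKOPT() converts any setsockopt() error into TBROK, so a kernel that rejects the out-of-range value with an error would end the run as broken rather than as a pass; calling setsockopt() directly and reporting TPASS when it returns an error would cover that case. Minor: the TPASS message ends in an exclamation mark and reads like a failure; "Unable to set negative send buffer size" is clearer.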
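An added illustration, not part of the patch or of the kernel, of the arithmetic the test checks for: the two functions are simplified reconstructions of the pre-fix and post-fix handling of the SO_SNDBUFFORCE value as described in the patch comment, and SOCK_MIN_SNDBUF_MODEL is a constructed placeholder for the kernel's minimum send buffer size.

```c
/* Model of the send-buffer size computation behind CVE-2016-9793.
 * Added example: sndbuf_vulnerable() and sndbuf_fixed() are simplified
 * reconstructions, not kernel code, and SOCK_MIN_SNDBUF_MODEL is a
 * constructed placeholder rather than the kernel's SOCK_MIN_SNDBUF. */
#include <stdio.h>

#define SOCK_MIN_SNDBUF_MODEL 4608u   /* placeholder, not the kernel's value */
#define SNDBUF 0xffffff00u            /* the value the LTP test passes */

/* Pre-fix model: the requested size is doubled and compared as an
 * unsigned 32-bit value, so 0xffffff00 * 2 wraps to 0xfffffe00, still
 * beats the minimum, and is then stored in a signed int field where it
 * reads as a negative buffer size. */
static int sndbuf_vulnerable(unsigned int val)
{
	unsigned int doubled = val * 2u;  /* u32 wraparound */
	unsigned int chosen = doubled > SOCK_MIN_SNDBUF_MODEL
			      ? doubled : SOCK_MIN_SNDBUF_MODEL;
	/* out-of-range unsigned-to-int conversion wraps on GCC/Linux ABIs */
	return (int)chosen;
}

/* Post-fix model: the value is treated as signed, clamped at zero before
 * doubling, and compared as int, so the stored size never goes negative. */
static int sndbuf_fixed(int val)
{
	if (val < 0)
		val = 0;
	/* wrap-safe doubling, mirroring the kernel's two's-complement math */
	int doubled = (int)((unsigned int)val * 2u);
	return doubled > (int)SOCK_MIN_SNDBUF_MODEL
	       ? doubled : (int)SOCK_MIN_SNDBUF_MODEL;
}

/* The same check the LTP test applies to the value read back via SO_SNDBUF. */
static int looks_vulnerable(int effective_sndbuf)
{
	return effective_sndbuf < 0;
}

int main(void)
{
	int before = sndbuf_vulnerable(SNDBUF);
	int after = sndbuf_fixed((int)SNDBUF);

	printf("requested %u: pre-fix sk_sndbuf=%d (%s), post-fix sk_sndbuf=%d (%s)\n",
	       SNDBUF, before, looks_vulnerable(before) ? "vulnerable" : "ok",
	       after, looks_vulnerable(after) ? "vulnerable" : "ok");
	return 0;
}
```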