From patchwork Tue Apr 21 15:12:33 2020
X-Patchwork-Submitter: Martin Doucha
X-Patchwork-Id: 1274330
From: Martin Doucha
To: ltp@lists.linux.it
Date: Tue, 21 Apr 2020 17:12:33 +0200
Message-Id: <20200421151233.20726-1-mdoucha@suse.cz>
Subject: [LTP] [PATCH] Add test for CVE 2017-1000112

Fixes #494

Signed-off-by: Martin Doucha
---
Oh noes! UFOs are attacking the kernel!!1! XD

 runtest/cve | 1 +
 runtest/syscalls | 1 +
 .../kernel/syscalls/setsockopt/.gitignore | 1 +
 .../kernel/syscalls/setsockopt/setsockopt05.c | 92 +++++++++++++++++++
 4 files changed, 95 insertions(+)
 create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt05.c

diff --git a/runtest/cve b/runtest/cve index 629cf7035..e55b7a7e3 100644 --- a/runtest/cve +++ b/runtest/cve @@ -38,6 +38,7 @@ cve-2017-16939 cve-2017-16939 cve-2017-16995 bpf_prog03 cve-2017-17053 cve-2017-17053 cve-2017-18075 pcrypt_aead01 +cve-2017-1000112 setsockopt05 cve-2017-1000380 snd_timer01 cve-2018-5803 sctp_big_chunk cve-2018-7566 snd_seq01 diff --git a/runtest/syscalls b/runtest/syscalls index 9bb72beb2..b67968d95 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -1320,6 +1320,7 @@ setsockopt01 setsockopt01 setsockopt02 setsockopt02 setsockopt03 setsockopt03 setsockopt04 setsockopt04 +setsockopt05 setsockopt05 settimeofday01 settimeofday01 settimeofday02 settimeofday02 diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore index 603e2ad7a..f4eabd92b 100644 
--- a/testcases/kernel/syscalls/setsockopt/.gitignore +++ b/testcases/kernel/syscalls/setsockopt/.gitignore @@ -2,3 +2,4 @@ /setsockopt02 /setsockopt03 /setsockopt04 +/setsockopt05 diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt05.c b/testcases/kernel/syscalls/setsockopt/setsockopt05.c new file mode 100644 index 000000000..23d96967f --- /dev/null +++ b/testcases/kernel/syscalls/setsockopt/setsockopt05.c 
@@ -0,0 +1,92 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2019 SUSE LLC + */ + +/* + * CVE-2017-1000112 + * + * Check that UDP fragmentation offload doesn't cause memory corruption + * if the userspace process turns off UFO in between two send() calls. + * Kernel crash fixed in: + * + * commit 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa + * Author: Willem de Bruijn + * Date: Thu Aug 10 12:29:19 2017 -0400 + * + * udp: consistently apply ufo or fragmentation + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include + +#include "tst_test.h" +#include "tst_net.h" +#include "tst_taint.h" + +#define BUFSIZE 4000 + +static struct sockaddr_in addr; + +static void setup(void) +{ + int real_uid = getuid(); + int real_gid = getgid(); + int sock; + struct ifreq ifr; + + tst_taint_init(TST_TAINT_W | TST_TAINT_D); + + SAFE_UNSHARE(CLONE_NEWUSER); + SAFE_UNSHARE(CLONE_NEWNET); + SAFE_FILE_PRINTF("/proc/self/setgroups", "deny"); + SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid); + SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid); + + tst_init_sockaddr_inet_bin(&addr, INADDR_LOOPBACK, 12345); + sock = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0); + strcpy(ifr.ifr_name, "lo"); + ifr.ifr_mtu = 1500; + SAFE_IOCTL(sock, SIOCSIFMTU, &ifr); + ifr.ifr_flags = IFF_UP; + SAFE_IOCTL(sock, SIOCSIFFLAGS, &ifr); + SAFE_CLOSE(sock); +} + +static void run(void) +{ + int sock, i; + char buf[BUFSIZE]; + memset(buf, 0x42, BUFSIZE); + + for (i = 0; i < 1000; i++) { + sock = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0); + SAFE_CONNECT(sock, (struct sockaddr *)&addr, sizeof(addr)); + SAFE_SEND(1, sock, buf, BUFSIZE, MSG_MORE); + SAFE_SETSOCKOPT_INT(sock, SOL_SOCKET, SO_NO_CHECK, 1); + send(sock, buf, 1, 0); + SAFE_CLOSE(sock); + + if (tst_taint_check()) { + tst_res(TFAIL, "Kernel is vulnerable"); + return; + } + } + + tst_res(TPASS, "Nothing bad happened, probably"); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + 
.tags = (const struct tst_tag[]) { + {"linux-git", "85f1bd9a7b5a"}, + {"CVE", "2017-1000112"}, + {} + } +};
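
Review bot: In run() of setsockopt05.c, the trigger sequence is undocumented: the header comment says the process "turns off UFO in between two send() calls", but the only thing between the two sends is `SAFE_SETSOCKOPT_INT(sock, SOL_SOCKET, SO_NO_CHECK, 1);` and nothing states that this is the step that switches UFO off. Please add a short comment there that ties SO_NO_CHECK to the UFO path, and another on the bare `send(sock, buf, 1, 0);` saying why it is the one call not wrapped in a SAFE_ macro (presumably because failure of the second send is acceptable and only the taint check decides the result). In setup(), `struct ifreq ifr;` is handed to SIOCSIFMTU and SIOCSIFFLAGS with only ifr_name and one union member set, so the rest is stack garbage; zero-initialising it (`struct ifreq ifr = {};` or a memset) would make the ioctl input deterministic.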