1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2020 SUSE LLC <mdoucha@suse.cz>
4 *
5 * CVE-2017-17712
6 *
7 * Test for race condition vulnerability in sendmsg() on SOCK_RAW sockets.
8 * Changing the value of IP_HDRINCL socket option in parallel with sendmsg()
9 * call may lead to uninitialized stack pointer usage, allowing arbitrary code
10 * execution or privilege escalation. Fixed in:
11 *
12 * commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
13 * Author: Mohamed Ghannam <simo.ghannam@gmail.com>
14 * Date: Sun Dec 10 03:50:58 2017 +0000
15 *
16 * net: ipv4: fix for a race condition in raw_sendmsg
17 */
18 #define _GNU_SOURCE
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <sched.h>
23 #include "tst_test.h"
24 #include "tst_fuzzy_sync.h"
25 #include "tst_taint.h"
26
27 #define IOVEC_COUNT 4
28 #define PACKET_SIZE 100
29
30 static int sockfd = -1;
31 static struct msghdr msg;
32 /* addr must be full of zeroes to trigger the kernel bug */
33 static struct sockaddr_in addr;
34 static struct iovec iov[IOVEC_COUNT];
35 static unsigned char buf[PACKET_SIZE];
36 static struct tst_fzsync_pair fzsync_pair;
37
setup(void)38 static void setup(void)
39 {
40 int i;
41
42 tst_taint_init(TST_TAINT_W | TST_TAINT_D);
43 SAFE_UNSHARE(CLONE_NEWUSER);
44 SAFE_UNSHARE(CLONE_NEWNET);
45 sockfd = SAFE_SOCKET(AF_INET, SOCK_RAW, IPPROTO_ICMP);
46
47 memset(buf, 0xcc, PACKET_SIZE);
48
49 for (i = 0; i < IOVEC_COUNT; i++) {
50 iov[i].iov_base = buf;
51 iov[i].iov_len = PACKET_SIZE;
52 }
53
54 msg.msg_name = &addr;
55 msg.msg_namelen = sizeof(addr);
56 msg.msg_iov = iov;
57 msg.msg_iovlen = IOVEC_COUNT;
58
59 fzsync_pair.exec_loops = 100000;
60 tst_fzsync_pair_init(&fzsync_pair);
61 }
62
cleanup(void)63 static void cleanup(void)
64 {
65 if (sockfd > 0)
66 SAFE_CLOSE(sockfd);
67 tst_fzsync_pair_cleanup(&fzsync_pair);
68 }
69
thread_run(void * arg)70 static void *thread_run(void *arg)
71 {
72 int val = 0;
73
74 while (tst_fzsync_run_b(&fzsync_pair)) {
75 tst_fzsync_start_race_b(&fzsync_pair);
76 setsockopt(sockfd, SOL_IP, IP_HDRINCL, &val, sizeof(val));
77 tst_fzsync_end_race_b(&fzsync_pair);
78 }
79
80 return arg;
81 }
82
run(void)83 static void run(void)
84 {
85 int hdrincl = 1;
86
87 tst_fzsync_pair_reset(&fzsync_pair, thread_run);
88
89 while (tst_fzsync_run_a(&fzsync_pair)) {
90 SAFE_SETSOCKOPT_INT(sockfd, SOL_IP, IP_HDRINCL, hdrincl);
91
92 tst_fzsync_start_race_a(&fzsync_pair);
93 sendmsg(sockfd, &msg, 0);
94 tst_fzsync_end_race_a(&fzsync_pair);
95
96 if (tst_taint_check()) {
97 tst_res(TFAIL, "Kernel is vulnerable");
98 return;
99 }
100 }
101
102 tst_res(TPASS, "Nothing bad happened, probably");
103 }
104
105 static struct tst_test test = {
106 .test_all = run,
107 .setup = setup,
108 .cleanup = cleanup,
109 .tags = (const struct tst_tag[]) {
110 {"linux-git", "8f659a03a0ba"},
111 {"CVE", "2017-17712"},
112 {}
113 }
114 };
115