1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2020 SUSE LLC <mdoucha@suse.cz>
4 *
5 * CVE-2017-17712
6 *
7 * Test for race condition vulnerability in sendmsg() on SOCK_RAW sockets.
8 * Changing the value of IP_HDRINCL socket option in parallel with sendmsg()
9 * call may lead to uninitialized stack pointer usage, allowing arbitrary code
10 * execution or privilege escalation. Fixed in:
11 *
12 * commit 8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
13 * Author: Mohamed Ghannam <simo.ghannam@gmail.com>
14 * Date: Sun Dec 10 03:50:58 2017 +0000
15 *
16 * net: ipv4: fix for a race condition in raw_sendmsg
17 */
18 #define _GNU_SOURCE
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <sched.h>
23 #include "tst_test.h"
24 #include "tst_fuzzy_sync.h"
25
26 #define IOVEC_COUNT 4
27 #define PACKET_SIZE 100
28
29 static int sockfd = -1;
30 static struct msghdr msg;
31 /* addr must be full of zeroes to trigger the kernel bug */
32 static struct sockaddr_in addr;
33 static struct iovec iov[IOVEC_COUNT];
34 static unsigned char buf[PACKET_SIZE];
35 static struct tst_fzsync_pair fzsync_pair;
36
setup(void)37 static void setup(void)
38 {
39 int i;
40
41 SAFE_UNSHARE(CLONE_NEWUSER);
42 SAFE_UNSHARE(CLONE_NEWNET);
43 sockfd = SAFE_SOCKET(AF_INET, SOCK_RAW, IPPROTO_ICMP);
44
45 memset(buf, 0xcc, PACKET_SIZE);
46
47 for (i = 0; i < IOVEC_COUNT; i++) {
48 iov[i].iov_base = buf;
49 iov[i].iov_len = PACKET_SIZE;
50 }
51
52 msg.msg_name = &addr;
53 msg.msg_namelen = sizeof(addr);
54 msg.msg_iov = iov;
55 msg.msg_iovlen = IOVEC_COUNT;
56
57 fzsync_pair.exec_loops = 100000;
58 tst_fzsync_pair_init(&fzsync_pair);
59 }
60
cleanup(void)61 static void cleanup(void)
62 {
63 if (sockfd > 0)
64 SAFE_CLOSE(sockfd);
65 tst_fzsync_pair_cleanup(&fzsync_pair);
66 }
67
thread_run(void * arg)68 static void *thread_run(void *arg)
69 {
70 int val = 0;
71
72 while (tst_fzsync_run_b(&fzsync_pair)) {
73 tst_fzsync_start_race_b(&fzsync_pair);
74 setsockopt(sockfd, SOL_IP, IP_HDRINCL, &val, sizeof(val));
75 tst_fzsync_end_race_b(&fzsync_pair);
76 }
77
78 return arg;
79 }
80
run(void)81 static void run(void)
82 {
83 int hdrincl = 1;
84
85 tst_fzsync_pair_reset(&fzsync_pair, thread_run);
86
87 while (tst_fzsync_run_a(&fzsync_pair)) {
88 SAFE_SETSOCKOPT_INT(sockfd, SOL_IP, IP_HDRINCL, hdrincl);
89
90 tst_fzsync_start_race_a(&fzsync_pair);
91 sendmsg(sockfd, &msg, 0);
92 tst_fzsync_end_race_a(&fzsync_pair);
93
94 if (tst_taint_check()) {
95 tst_res(TFAIL, "Kernel is vulnerable");
96 return;
97 }
98 }
99
100 tst_res(TPASS, "Nothing bad happened, probably");
101 }
102
103 static struct tst_test test = {
104 .test_all = run,
105 .setup = setup,
106 .cleanup = cleanup,
107 .taint_check = TST_TAINT_W | TST_TAINT_D,
108 .tags = (const struct tst_tag[]) {
109 {"linux-git", "8f659a03a0ba"},
110 {"CVE", "2017-17712"},
111 {}
112 }
113 };
114