1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC
4 * Author: Christian Amann <camann@suse.com>
5 */
6 /* Test for CVE-2016-9793
7 *
8 * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it
9 * is possible to pass a very high unsigned integer as send buffer size
10 * to a socket which is then interpreted as a negative value.
11 *
12 * This can be used to escalate privileges by every user that has the
13 * CAP_NET_ADMIN capability.
14 *
15 * For additional information about this CVE see:
16 * https://www.suse.com/security/cve/CVE-2016-9793/
17 */
18
19 #include <sys/socket.h>
20 #include "tst_test.h"
21 #include "tst_safe_net.h"
22
23 #define SNDBUF (0xffffff00)
24
25 static int sockfd;
26
run(void)27 static void run(void)
28 {
29 unsigned int sndbuf, rec_sndbuf;
30 socklen_t optlen;
31
32 sndbuf = SNDBUF;
33 rec_sndbuf = 0;
34 optlen = sizeof(sndbuf);
35
36 SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen);
37 SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen);
38
39 tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf);
40 tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);
41
42 if ((int)rec_sndbuf < 0)
43 tst_res(TFAIL, "Was able to set negative send buffer size!");
44 else
45 tst_res(TPASS, "Was unable to set negative send buffer size!");
46 }
47
setup(void)48 static void setup(void)
49 {
50 sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
51 }
52
cleanup(void)53 static void cleanup(void)
54 {
55 if (sockfd > 0)
56 SAFE_CLOSE(sockfd);
57 }
58
59 static struct tst_test test = {
60 .test_all = run,
61 .setup = setup,
62 .cleanup = cleanup,
63 .needs_root = 1,
64 .tags = (const struct tst_tag[]) {
65 {"linux-git", "b98b0bc8c431"},
66 {"CVE", "2016-9793"},
67 {}
68 }
69 };
70