• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
4  * Based on repro-compatReleaseEntry.c by NCC group
5  */
6 /*
7  * Test for CVE-2016-4997
8  *
9  * For a full explanation of how the vulnerability works see:
10  * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
11  *
12  * The original vulnerability was present in the 32-bit compatibility system
13  * call, so the test should be compiled with -m32 and run on a 64-bit kernel.
14  * For simplicities sake the test requests root privliges instead of creating
15  * a user namespace.
16  */
17 
18 #include <stdint.h>
19 #include <sys/types.h>
20 #include <sys/socket.h>
21 #include <netinet/in.h>
22 #include <limits.h>
23 
24 #include "tst_test.h"
25 #include "tst_safe_net.h"
26 #include "tst_kernel.h"
27 
28 #include "lapi/ip_tables.h"
29 
30 #define TOO_SMALL_OFFSET 74
31 #define OFFSET_OVERWRITE 0xFFFF
32 #define NEXT_OFFSET (sizeof(struct ipt_entry)		\
33 		     + sizeof(struct xt_entry_match)	\
34 		     + sizeof(struct xt_entry_target))
35 #define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET)
36 
37 struct payload {
38 	struct ipt_replace repl;
39 	struct ipt_entry ent;
40 	struct xt_entry_match match;
41 	struct xt_entry_target targ;
42 	char padding[PADDING];
43 	struct xt_entry_target targ2;
44 };
45 
setup(void)46 static void setup(void)
47 {
48 	if (tst_kernel_bits() == 32 || sizeof(long) > 4)
49 		tst_res(TCONF,
50 			"The vulnerability was only present in 32-bit compat mode");
51 }
52 
run(void)53 static void run(void)
54 {
55 	int ret, sock_fd;
56 	struct payload p = { 0 };
57 
58 	sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
59 
60 	strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
61 	p.match.u.match_size = OFFSET_OVERWRITE;
62 
63 	p.ent.next_offset = NEXT_OFFSET;
64 	p.ent.target_offset = TOO_SMALL_OFFSET;
65 
66 	p.repl.num_entries = 2;
67 	p.repl.num_counters = 1;
68 	p.repl.size = sizeof(struct payload);
69 	p.repl.valid_hooks = 0;
70 
71 	ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
72 			 &p, sizeof(struct payload));
73 	tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
74 }
75 
76 static struct tst_test test = {
77 	.min_kver = "2.6.32",
78 	.setup = setup,
79 	.test_all = run,
80 	.needs_root = 1,
81 	.tags = (const struct tst_tag[]){
82 		{"linux-git", "ce683e5f9d04"},
83 		{"CVE", "CVE-2016-4997"},
84 		{}
85 	}
86 };
87