1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC <mdoucha@suse.cz>
4 */
5
6 /*
7 * CVE-2017-1000112
8 *
9 * Check that UDP fragmentation offload doesn't cause memory corruption
10 * if the userspace process turns off UFO in between two send() calls.
11 * Kernel crash fixed in:
12 *
13 * commit 85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
14 * Author: Willem de Bruijn <willemb@google.com>
15 * Date: Thu Aug 10 12:29:19 2017 -0400
16 *
17 * udp: consistently apply ufo or fragmentation
18 */
19
20 #define _GNU_SOURCE
21 #include <sys/types.h>
22 #include <sys/socket.h>
23 #include <netinet/in.h>
24 #include <sys/ioctl.h>
25 #include <net/if.h>
26 #include <sched.h>
27
28 #include "tst_test.h"
29 #include "tst_net.h"
30
31 #define BUFSIZE 4000
32
33 static struct sockaddr_in addr;
34 static int dst_sock = -1;
35
setup(void)36 static void setup(void)
37 {
38 int real_uid = getuid();
39 int real_gid = getgid();
40 struct ifreq ifr;
41 socklen_t addrlen = sizeof(addr);
42
43 SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
44
45 SAFE_UNSHARE(CLONE_NEWUSER);
46 SAFE_UNSHARE(CLONE_NEWNET);
47 SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
48 SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
49 SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
50
51 tst_init_sockaddr_inet_bin(&addr, INADDR_LOOPBACK, 0);
52 dst_sock = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
53
54 strcpy(ifr.ifr_name, "lo");
55 ifr.ifr_mtu = 1500;
56 SAFE_IOCTL(dst_sock, SIOCSIFMTU, &ifr);
57 ifr.ifr_flags = IFF_UP;
58 SAFE_IOCTL(dst_sock, SIOCSIFFLAGS, &ifr);
59
60 SAFE_BIND(dst_sock, (struct sockaddr *)&addr, addrlen);
61 SAFE_GETSOCKNAME(dst_sock, (struct sockaddr*)&addr, &addrlen);
62 }
63
cleanup(void)64 static void cleanup(void)
65 {
66 if (dst_sock != -1)
67 SAFE_CLOSE(dst_sock);
68 }
69
run(void)70 static void run(void)
71 {
72 int sock, i;
73 char buf[BUFSIZE];
74
75 memset(buf, 0x42, BUFSIZE);
76
77 for (i = 0; i < 1000; i++) {
78 sock = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
79 SAFE_CONNECT(sock, (struct sockaddr *)&addr, sizeof(addr));
80 SAFE_SEND(1, sock, buf, BUFSIZE, MSG_MORE);
81 SAFE_SETSOCKOPT_INT(sock, SOL_SOCKET, SO_NO_CHECK, 1);
82 send(sock, buf, 1, 0);
83 SAFE_CLOSE(sock);
84
85 if (tst_taint_check()) {
86 tst_res(TFAIL, "Kernel is vulnerable");
87 return;
88 }
89 }
90
91 tst_res(TPASS, "Nothing bad happened, probably");
92 }
93
94 static struct tst_test test = {
95 .test_all = run,
96 .setup = setup,
97 .cleanup = cleanup,
98 .taint_check = TST_TAINT_W | TST_TAINT_D,
99 .needs_kconfigs = (const char *[]) {
100 "CONFIG_USER_NS=y",
101 "CONFIG_NET_NS=y",
102 NULL
103 },
104 .save_restore = (const char * const[]) {
105 "?/proc/sys/user/max_user_namespaces",
106 NULL,
107 },
108 .tags = (const struct tst_tag[]) {
109 {"linux-git", "85f1bd9a7b5a"},
110 {"CVE", "2017-1000112"},
111 {}
112 }
113 };
114