1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2023 SUSE LLC
4 * Author: Marcos Paulo de Souza <mpdesouza@suse.com>
5 * LTP port: Martin Doucha <mdoucha@suse.cz>
6 */
7
8 /*\
9 * CVE-2023-1829
10 *
11 * Test for use-after-free after removing tcindex traffic filter with certain
12 * parameters.
13 *
14 * Tcindex filter removed in:
15 *
16 * commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
17 * Author: Jamal Hadi Salim <jhs@mojatatu.com>
18 * Date: Tue Feb 14 08:49:14 2023 -0500
19 *
20 * net/sched: Retire tcindex classifier
21 */
22
23 #include <linux/netlink.h>
24 #include <linux/pkt_sched.h>
25 #include <linux/pkt_cls.h>
26 #include "tst_test.h"
27 #include "tst_rtnetlink.h"
28 #include "tst_netdevice.h"
29 #include "lapi/sched.h"
30 #include "lapi/if_ether.h"
31 #include "lapi/rtnetlink.h"
32
33 #define DEVNAME "ltp_dummy1"
34
35 static const uint32_t qd_handle = TC_H_MAKE(1 << 16, 0);
36 static const uint32_t clsid = TC_H_MAKE(1 << 16, 1);
37 static const uint32_t shift = 10;
38 static const uint16_t mask = 0xffff;
39
40 /* rtnetlink payloads */
41 static const struct tc_htb_glob qd_opt = {
42 .rate2quantum = 10,
43 .version = 3,
44 .defcls = 30
45 };
46 static struct tc_htb_opt cls_opt = {};
47
48 /* htb qdisc and class options */
49 static const struct tst_rtnl_attr_list qd_config[] = {
50 {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
51 {TCA_HTB_INIT, &qd_opt, sizeof(qd_opt), NULL},
52 {0, NULL, -1, NULL}
53 }},
54 {0, NULL, -1, NULL}
55 };
56 static const struct tst_rtnl_attr_list cls_config[] = {
57 {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
58 {TCA_HTB_PARMS, &cls_opt, sizeof(cls_opt), NULL},
59 {0, NULL, -1, NULL}
60 }},
61 {0, NULL, -1, NULL}
62 };
63
64 /* tcindex filter options */
65 static const struct tst_rtnl_attr_list f_config[] = {
66 {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
67 {TCA_TCINDEX_MASK, &mask, sizeof(mask), NULL},
68 {TCA_TCINDEX_SHIFT, &shift, sizeof(shift), NULL},
69 {TCA_TCINDEX_CLASSID, &clsid, sizeof(clsid), NULL},
70 {0, NULL, -1, NULL}
71 }},
72 {0, NULL, -1, NULL}
73 };
74
setup(void)75 static void setup(void)
76 {
77 tst_setup_netns();
78 NETDEV_ADD_DEVICE(DEVNAME, "dummy");
79
80 cls_opt.rate.rate = cls_opt.ceil.rate = 256000;
81 cls_opt.buffer = 1000000 * 1600 / cls_opt.rate.rate;
82 cls_opt.cbuffer = 1000000 * 1600 / cls_opt.ceil.rate;
83 }
84
run(void)85 static void run(void)
86 {
87 int ret;
88
89 NETDEV_ADD_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle, "htb",
90 qd_config);
91 NETDEV_ADD_TRAFFIC_CLASS(DEVNAME, qd_handle, clsid, "htb", cls_config);
92 NETDEV_ADD_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP, 1,
93 "tcindex", f_config);
94 NETDEV_REMOVE_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP,
95 1, "tcindex");
96 ret = tst_netdev_add_traffic_filter(__FILE__, __LINE__, 0, DEVNAME,
97 qd_handle, 10, ETH_P_IP, 1, "tcindex", f_config);
98 TST_ERR = tst_rtnl_errno;
99 NETDEV_REMOVE_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle, "htb");
100
101 if (ret)
102 tst_res(TPASS, "Removing tcindex filter works correctly");
103 else if (TST_ERR == EEXIST)
104 tst_res(TFAIL, "Kernel traffic filter list is corrupted");
105 else
106 tst_brk(TBROK | TTERRNO, "Unexpected rtnetlink error");
107 }
108
cleanup(void)109 static void cleanup(void)
110 {
111 NETDEV_REMOVE_DEVICE(DEVNAME);
112 }
113
114 static struct tst_test test = {
115 .test_all = run,
116 .setup = setup,
117 .cleanup = cleanup,
118 .taint_check = TST_TAINT_W | TST_TAINT_D,
119 .needs_kconfigs = (const char *[]) {
120 "CONFIG_VETH",
121 "CONFIG_USER_NS=y",
122 "CONFIG_NET_NS=y",
123 "CONFIG_NET_SCH_HTB",
124 "CONFIG_NET_CLS_TCINDEX",
125 NULL
126 },
127 .save_restore = (const struct tst_path_val[]) {
128 {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
129 {}
130 },
131 .tags = (const struct tst_tag[]) {
132 {"linux-git", "8c710f75256b"},
133 {"CVE", "2023-1829"},
134 {}
135 }
136 };
137