• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018 Michael Moese <mmoese@suse.de>
4  */
5 /* Regression test for commit:
6  * 1137b5e2529a ipsec: Fix aborted xfrm policy dump crash aka CVE-2017-16939
7  *
8  * Based on the reproducing code from Mohammed Ghannam, published on
9  * https://blogs.securiteam.com/index.php/archives/3535
10  *
11  * CAUTION! If your system is vulnerable to this CVE, the kernel
12  * WILL DIE!
13  */
14 
15 #include <unistd.h>
16 #include <sched.h>
17 #include <stdlib.h>
18 #include <string.h>
19 #include <sys/socket.h>
20 #include <sys/wait.h>
21 #include <netinet/in.h>
22 #include <linux/netlink.h>
23 
24 #include "lapi/xfrm.h"
25 #include "tst_test.h"
26 #include "tst_res_flags.h"
27 #include "tst_safe_macros.h"
28 #include "tst_safe_net.h"
29 #include "lapi/namespaces_constants.h"
30 
31 #define BUFSIZE 2048
32 
33 static int fd;
34 static struct sockaddr_nl addr;
35 
36 struct msg_policy {
37 	struct nlmsghdr msg;
38 	char buf[BUFSIZE];
39 };
40 static struct msg_policy *p;
41 
setup(void)42 static void setup(void)
43 {
44 	if (unshare(CLONE_NEWUSER) != 0)
45 		tst_brk(TCONF, "unshare(CLONE_NEWUSER) failed");
46 	if (unshare(CLONE_NEWNET) != 0)
47 		tst_brk(TCONF, "unshare(CLONE_NEWNET) failed");
48 
49 	fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
50 	memset(&addr, 0, sizeof(struct sockaddr_nl));
51 	addr.nl_family = AF_NETLINK;
52 	addr.nl_pid = 0; /* packet goes into the kernel */
53 	addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
54 
55 	p = SAFE_MALLOC(sizeof(struct msg_policy));
56 	memset(p, 0, sizeof(struct msg_policy));
57 
58 	p->msg.nlmsg_len = 0x10;
59 	p->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
60 	p->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI |  NLM_F_REQUEST;
61 	p->msg.nlmsg_seq = 0x1;
62 	p->msg.nlmsg_pid = 2;
63 }
64 
run(void)65 static void run(void)
66 {
67 	int var = 0x100;
68 
69 	SAFE_SETSOCKOPT(fd, SOL_SOCKET, SO_RCVBUF, &var, sizeof(int));
70 	SAFE_SENDTO(1, fd, (void *) &p->msg, p->msg.nlmsg_len, 0,
71 		    (struct sockaddr *) &addr,
72 		    sizeof(struct sockaddr_nl));
73 
74 	tst_res(TPASS, "Kernel seems to have survived");
75 }
76 
77 static struct tst_test test = {
78 	.setup = setup,
79 	.test_all = run,
80 	.tags = (const struct tst_tag[]) {
81 		{"linux-git", "1137b5e2529a"},
82 		{"CVE", "2017-16939"},
83 		{}
84 	}
85 };
86