• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
4  * Based on repro-compatReleaseEntry.c by NCC group
5  */
6 
7 /*\
8  * [Description]
9  *
10  * Test for CVE-2016-4997
11  *
12  * For a full explanation of how the vulnerability works see:
13  * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
14  *
15  * The original vulnerability was present in the 32-bit compatibility system
16  * call, so the test should be compiled with -m32 and run on a 64-bit kernel.
17  * For simplicities sake the test requests root privileges instead of creating
18  * a user namespace.
19  */
20 
21 #include <stdint.h>
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #include <limits.h>
26 
27 #include "tst_test.h"
28 #include "tst_safe_net.h"
29 #include "tst_kernel.h"
30 
31 #include "lapi/ip_tables.h"
32 
33 #define TOO_SMALL_OFFSET 74
34 #define OFFSET_OVERWRITE 0xFFFF
35 #define NEXT_OFFSET (sizeof(struct ipt_entry)		\
36 		     + sizeof(struct xt_entry_match)	\
37 		     + sizeof(struct xt_entry_target))
38 #define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET)
39 
40 struct payload {
41 	struct ipt_replace repl;
42 	struct ipt_entry ent;
43 	struct xt_entry_match match;
44 	struct xt_entry_target targ;
45 	char padding[PADDING];
46 	struct xt_entry_target targ2;
47 };
48 
setup(void)49 static void setup(void)
50 {
51 	if (!tst_is_compat_mode())
52 		tst_res(TINFO, "The vulnerability was only present in 32-bit compat mode");
53 }
54 
run(void)55 static void run(void)
56 {
57 	int ret, sock_fd;
58 	struct payload p = { 0 };
59 
60 	sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
61 
62 	strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
63 	p.match.u.match_size = OFFSET_OVERWRITE;
64 
65 	p.ent.next_offset = NEXT_OFFSET;
66 	p.ent.target_offset = TOO_SMALL_OFFSET;
67 
68 	p.repl.num_entries = 2;
69 	p.repl.num_counters = 1;
70 	p.repl.size = sizeof(struct payload);
71 	p.repl.valid_hooks = 0;
72 
73 	ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
74 			 &p, sizeof(struct payload));
75 	tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
76 }
77 
78 static struct tst_test test = {
79 	.setup = setup,
80 	.test_all = run,
81 	.needs_root = 1,
82 	.tags = (const struct tst_tag[]){
83 		{"linux-git", "ce683e5f9d04"},
84 		{"CVE", "CVE-2016-4997"},
85 		{}
86 	}
87 };
88