ltp/testcases/kernel/syscalls/sendmsg/sendmsg03.c at master · linux-test-project/ltp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2020 SUSE LLC <mdoucha@suse.cz>
 */

/*\
 * CVE-2017-17712
 *
 * Test for race condition vulnerability in sendmsg() on SOCK_RAW sockets.
 * Changing the value of IP_HDRINCL socket option in parallel with sendmsg()
 * call may lead to uninitialized stack pointer usage, allowing arbitrary code
 * execution or privilege escalation.
 *
 * Fixed in 4.15
 * 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg")
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include "tst_test.h"
#include "tst_fuzzy_sync.h"

#define IOVEC_COUNT 4
#define PACKET_SIZE 100

static int sockfd = -1;
static struct msghdr msg;
/* addr must be full of zeroes to trigger the kernel bug */
static struct sockaddr_in addr;
static struct iovec iov[IOVEC_COUNT];
static unsigned char buf[PACKET_SIZE];
static struct tst_fzsync_pair fzsync_pair;

static void setup(void)
{
	int i;

	tst_setup_netns();

	sockfd = SAFE_SOCKET(AF_INET, SOCK_RAW, IPPROTO_ICMP);

	memset(buf, 0xcc, PACKET_SIZE);

	for (i = 0; i < IOVEC_COUNT; i++) {
		iov[i].iov_base = buf;
		iov[i].iov_len = PACKET_SIZE;
	}

	msg.msg_name = &addr;
	msg.msg_namelen = sizeof(addr);
	msg.msg_iov = iov;
	msg.msg_iovlen = IOVEC_COUNT;

	fzsync_pair.exec_loops = 100000;
	tst_fzsync_pair_init(&fzsync_pair);
}

static void cleanup(void)
{
	if (sockfd > 0)
		SAFE_CLOSE(sockfd);
	tst_fzsync_pair_cleanup(&fzsync_pair);
}

static void *thread_run(void *arg)
{
	int val = 0;

	while (tst_fzsync_run_b(&fzsync_pair)) {
		tst_fzsync_start_race_b(&fzsync_pair);
		setsockopt(sockfd, SOL_IP, IP_HDRINCL, &val, sizeof(val));
		tst_fzsync_end_race_b(&fzsync_pair);
	}

	return arg;
}

static void run(void)
{
	int hdrincl = 1;

	tst_fzsync_pair_reset(&fzsync_pair, thread_run);

	while (tst_fzsync_run_a(&fzsync_pair)) {
		SAFE_SETSOCKOPT_INT(sockfd, SOL_IP, IP_HDRINCL, hdrincl);

		tst_fzsync_start_race_a(&fzsync_pair);
		sendmsg(sockfd, &msg, 0);
		tst_fzsync_end_race_a(&fzsync_pair);

		if (tst_taint_check()) {
			tst_res(TFAIL, "Kernel is vulnerable");
			return;
		}
	}

	tst_res(TPASS, "Nothing bad happened, probably");
}

static struct tst_test test = {
	.test_all = run,
	.setup = setup,
	.cleanup = cleanup,
	.taint_check = TST_TAINT_W | TST_TAINT_D,
	.runtime = 150,
	.min_runtime = 2,
	.needs_kconfigs = (const char *[]) {
		"CONFIG_USER_NS=y",
		"CONFIG_NET_NS=y",
		NULL
	},
	.save_restore = (const struct tst_path_val[]) {
		{PATH_USER_MAX_USER_NAMESPACES, "1024", TST_SR_SKIP},
		{}
	},
	.tags = (const struct tst_tag[]) {
		{"linux-git", "8f659a03a0ba"},
		{"CVE", "2017-17712"},
		{}
	}
};