From mboxrd@z Thu Jan 1 00:00:00 1970
From: Richard Palethorpe
Date: Fri, 23 Jun 2017 14:22:05 +0200
Subject: [LTP] [PATCH v3 3/9] Test for CVE-2016-4997 on setsockopt
In-Reply-To: <20170623122211.29575-1-rpalethorpe@suse.com>
References: <20170623122211.29575-1-rpalethorpe@suse.com>
Message-ID: <20170623122211.29575-4-rpalethorpe@suse.com>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: ltp@lists.linux.it

Signed-off-by: Richard Palethorpe
---
 testcases/cve/cve-2016-4997.c | 92 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 testcases/cve/cve-2016-4997.c

diff --git a/testcases/cve/cve-2016-4997.c b/testcases/cve/cve-2016-4997.c
new file mode 100644
index 000000000..a413b561e
--- /dev/null
+++ b/testcases/cve/cve-2016-4997.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe
+ * Based on repro-compatReleaseEntry.c by NCC group
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+/*
+ * Test for CVE-2016-4997
+ *
+ * For a full explanation of how the vulnerability works see:
+ * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
+ *
+ * The original vulnerability was present in the 32-bit compatibility system
+ * call, so the test should be compiled with -m32 and run on a 64-bit kernel.
+ * For simplicities sake the test requests root privliges instead of creating
+ * a user namespace.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tst_test.h"
+#include "tst_safe_net.h"
+#include "tst_kernel.h"
+
+#define TOO_SMALL_OFFSET 74
+#define OFFSET_OVERWRITE 0xFFFF
+#define NEXT_OFFSET (sizeof(struct ipt_entry) \
+ + sizeof(struct xt_entry_match) \
+ + sizeof(struct xt_entry_target))
+#define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET)
+
+struct payload {
+ struct ipt_replace repl;
+ struct ipt_entry ent;
+ struct xt_entry_match match;
+ struct xt_entry_target targ;
+ char padding[PADDING];
+ struct xt_entry_target targ2;
+};
+
+static void setup(void)
+{
+ if (tst_kernel_bits() == 32 || sizeof(long) > 4)
+ tst_res(TCONF,
+ "The vulnerability was only present in 32-bit compat mode");
+}
+
+static void run(void)
+{
+ int ret, sock_fd;
+ struct payload p = { 0 };
+
+ sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+
+ strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
+ p.match.u.match_size = OFFSET_OVERWRITE;
+
+ p.ent.next_offset = NEXT_OFFSET;
+ p.ent.target_offset = TOO_SMALL_OFFSET;
+
+ p.repl.num_entries = 2;
+ p.repl.num_counters = 1;
+ p.repl.size = sizeof(struct payload);
+ p.repl.valid_hooks = 0;
+
+ ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
+ &p, sizeof(struct payload));
+ tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
+}
+
+static struct tst_test test = {
+ .min_kver = "2.6.32",
+ .setup = setup,
+ .test_all = run,
+ .needs_root = 1,
+};
-- 2.12.2
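Review bot: `setup()` reports TCONF through `tst_res()` but does not stop the test, so on a 64-bit build or a 32-bit kernel `run()` still executes and then reports TPASS for exactly the configuration the header comment says cannot exercise the bug; use `tst_brk(TCONF, "The vulnerability was only present in 32-bit compat mode");` so the test is skipped rather than passing vacuously. `run()` also never closes the socket it opens, so add `SAFE_CLOSE(sock_fd);` after the final `tst_res()` to avoid leaking a descriptor per iteration. The TPASS is reported regardless of the `setsockopt()` result, which seems intentional since the only property checked is that the kernel survives the call; a one-line comment above the `tst_res()` saying so would make that explicit. The header comment has two typos: "simplicities sake" should be "simplicity's sake" and "privliges" should be "privileges".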