From: Christian Amann <camann@suse.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase
Date: Mon, 27 May 2019 11:41:46 +0200
Message-ID: <20190527094146.13561-1-camann@suse.com>

Kernels between version 3.11 and 4.8 missing commit b98b0bc8
are vulnerable to a privilege escalation exploit by overflowing
a socket send buffer size integer.
This test checks if the system is vulnerable by testing if a
negative buffer size can be set.

Signed-off-by: Christian Amann <camann@suse.com>
---
 runtest/syscalls                                   |  1 +
 testcases/kernel/syscalls/setsockopt/.gitignore    |  1 +
 .../kernel/syscalls/setsockopt/setsockopt04.c      | 65 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt04.c

diff --git a/runtest/syscalls b/runtest/syscalls
index 04558a580..b06ad949e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1233,6 +1233,7 @@ setsid01 setsid01
 setsockopt01 setsockopt01
 setsockopt02 setsockopt02
 setsockopt03 setsockopt03
+setsockopt04 setsockopt04
 
 settimeofday01 settimeofday01
 settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index d8fb0f3b4..603e2ad7a 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -1,3 +1,4 @@
 /setsockopt01
 /setsockopt02
 /setsockopt03
+/setsockopt04
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt04.c b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
new file mode 100644
index 000000000..6cb4199ab
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 SUSE LLC
+ * Author: Christian Amann <camann@suse.com>
+ */
+/* Test for CVE-2016-9793
+ *
+ * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it
+ * is possible to pass a very high unsigned integer as send buffer size
+ * to a socket which is then interpreted as a negative value.
+ *
+ * This can be used to escalate privileges by every user that has the
+ * CAP_NET_ADMIN capability.
+ *
+ * For additional information about this CVE see:
+ * https://www.suse.com/security/cve/CVE-2016-9793/
+ */
+
+#include <sys/socket.h>
+#include "tst_test.h"
+#include "tst_safe_net.h"
+
+#define SNDBUF	(0xffffff00)
+
+static int sockfd;
+
+static void run(void)
+{
+	unsigned int sndbuf, rec_sndbuf;
+	socklen_t optlen;
+
+	sndbuf = SNDBUF;
+	rec_sndbuf = 0;
+	optlen = sizeof(sndbuf);
+
+	SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen);
+	SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen);
+
+	tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf);
+	tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);
+
+	if ((int)rec_sndbuf < 0)
+		tst_res(TFAIL, "Was able to set negative send buffer size!");
+	else
+		tst_res(TPASS, "Was unable to set negative send buffer size!");
+}
+
+static void setup(void)
+{
+	sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+}
+
+static void cleanup(void)
+{
+	if (sockfd > 0)
+		SAFE_CLOSE(sockfd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.needs_root = 1,
+	.timeout = 20,
+};
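Review bot: in run() the second tst_res() prints the unsigned rec_sndbuf with %d while the line above prints sndbuf with %u; since the verdict below is taken on the signed interpretation, make that explicit and keep -Wformat quiet with `tst_res(TINFO, "Send buffer size was set to: %d", (int)rec_sndbuf);`. Two smaller points in the same hunk: the "Try to set send buffer size to" message is only emitted after SAFE_SETSOCKOPT() has already succeeded, so if that call aborts the test the log never shows what was attempted; moving that tst_res() above the SAFE_SETSOCKOPT() line keeps the log honest. And cleanup() tests a zero-initialised sockfd with `> 0`, which silently skips the close if the socket ever lands on fd 0; initialising sockfd to -1 and checking `>= 0` states the intent, or a short comment should say that fd 0 is deliberately treated as "not opened". The header comment could also cite the fixing commit with a longer abbreviated id than b98b0bc8 so it stays unambiguous as the kernel tree grows.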
-- 
2.16.4
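To make the commit message's claim concrete, here is an added user-space C model (not part of this patch, and not LTP or kernel code) of what happens to the 0xffffff00 value the test sends on a kernel with and without the fix. The model is a simplification assumed from the CVE description and from memory of the set_sndbuf path in net/core/sock.c: the option value is read into a signed int, doubled, compared against the minimum as an unsigned quantity and stored in the signed sk_sndbuf field; the fix clamps negative values to zero before doubling. MODEL_SOCK_MIN_SNDBUF is a placeholder constant, not the kernel's SOCK_MIN_SNDBUF, and the model_ functions and u32_as_int are names chosen for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder standing in for the kernel's SOCK_MIN_SNDBUF; the real value
 * depends on the kernel version and on sizeof(struct sk_buff). */
#define MODEL_SOCK_MIN_SNDBUF 4096

/* Reinterpret a 32-bit unsigned pattern as a two's-complement int without
 * relying on implementation-defined narrowing. This is what happens when the
 * four bytes a caller passed as an unsigned int land in the kernel's int val. */
static int u32_as_int(uint32_t v)
{
	if (v > (uint32_t)INT_MAX)
		return (int)((int64_t)v - 4294967296LL);
	return (int)v;
}

/* Model (assumed, simplified) of the pre-fix set_sndbuf path: val is doubled,
 * compared against the minimum as an unsigned quantity and stored in the
 * signed sk_sndbuf field. A negative val survives the comparison because its
 * unsigned image is huge, and the store turns it back into a negative int. */
static int model_set_sndbuf_unfixed(int val)
{
	uint32_t doubled = (uint32_t)val * 2u;	/* wraps modulo 2^32 */
	uint32_t chosen = doubled > MODEL_SOCK_MIN_SNDBUF ? doubled
							  : MODEL_SOCK_MIN_SNDBUF;
	return u32_as_int(chosen);		/* sk_sndbuf is an int */
}

/* Model of the same path after the fix: negative values are clamped to zero
 * before doubling, so the stored size can never become negative. */
static int model_set_sndbuf_fixed(int val)
{
	if (val < 0)
		val = 0;
	return model_set_sndbuf_unfixed(val);
}

/* The LTP test's verdict applied to what getsockopt(SO_SNDBUF) returns:
 * a negative value means the kernel accepted the overflowed size. */
static int sndbuf_result_is_vulnerable(unsigned int rec_sndbuf)
{
	return u32_as_int((uint32_t)rec_sndbuf) < 0;
}

int main(void)
{
	unsigned int requested = 0xffffff00u;	/* the value the LTP test sends */
	int val = u32_as_int(requested);	/* what the kernel sees once read as int */
	int before = model_set_sndbuf_unfixed(val);
	int after = model_set_sndbuf_fixed(val);

	printf("requested %u is read as %d\n", requested, val);
	printf("unfixed model stores sk_sndbuf = %d (vulnerable: %d)\n",
	       before, sndbuf_result_is_vulnerable((unsigned int)before));
	printf("fixed model stores sk_sndbuf = %d (vulnerable: %d)\n",
	       after, sndbuf_result_is_vulnerable((unsigned int)after));
	return 0;
}
```

Running it shows the requested 0xffffff00 being read as -256, the unfixed model storing -512 (the test's TFAIL case) and the fixed model falling back to the minimum buffer size, which is why the test only needs to look at the sign of the value getsockopt() hands back.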


Thread overview: 2+ messages
2019-05-27  9:41 Christian Amann [this message]
2019-05-27 13:54 ` [LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase Cyril Hrubis