* [LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase
@ 2019-05-27 9:41 Christian Amann
From: Christian Amann @ 2019-05-27 9:41 UTC (permalink / raw)
To: ltp
Kernels between version 3.11 and 4.8 missing commit b98b0bc8
are vulnerable to a privilege escalation exploit by overflowing
a socket send buffer size integer.
This test checks if the system is vulnerable by testing if a
negative buffer size can be set.
Signed-off-by: Christian Amann <camann@suse.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/setsockopt/.gitignore | 1 +
.../kernel/syscalls/setsockopt/setsockopt04.c | 65 ++++++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt04.c
diff --git a/runtest/syscalls b/runtest/syscalls
index 04558a580..b06ad949e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1233,6 +1233,7 @@ setsid01 setsid01
setsockopt01 setsockopt01
setsockopt02 setsockopt02
setsockopt03 setsockopt03
+setsockopt04 setsockopt04
settimeofday01 settimeofday01
settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index d8fb0f3b4..603e2ad7a 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -1,3 +1,4 @@
/setsockopt01
/setsockopt02
/setsockopt03
+/setsockopt04
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt04.c b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
new file mode 100644
index 000000000..6cb4199ab
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 SUSE LLC
+ * Author: Christian Amann <camann@suse.com>
+ */
+/* Test for CVE-2016-9793
+ *
+ * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it
+ * is possible to pass a very high unsigned integer as send buffer size
+ * to a socket which is then interpreted as a negative value.
+ *
+ * This can be used to escalate privileges by every user that has the
+ * CAP_NET_ADMIN capability.
+ *
+ * For additional information about this CVE see:
+ * https://www.suse.com/security/cve/CVE-2016-9793/
+ */
+
+#include <sys/socket.h>
+#include "tst_test.h"
+#include "tst_safe_net.h"
+
+#define SNDBUF (0xffffff00)
+
+static int sockfd;
+
+static void run(void)
+{
+ unsigned int sndbuf, rec_sndbuf;
+ socklen_t optlen;
+
+ sndbuf = SNDBUF;
+ rec_sndbuf = 0;
+ optlen = sizeof(sndbuf);
+
+ SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen);
+ SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen);
+
+ tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf);
+ tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);
+
+ if ((int)rec_sndbuf < 0)
+ tst_res(TFAIL, "Was able to set negative send buffer size!");
+ else
+ tst_res(TPASS, "Was unable to set negative send buffer size!");
+}
+
+static void setup(void)
+{
+ sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+}
+
+static void cleanup(void)
+{
+ if (sockfd > 0)
+ SAFE_CLOSE(sockfd);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_root = 1,
+ .timeout = 20,
+};
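Review bot: rec_sndbuf is declared `unsigned int` but is printed with `%d` in `tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);` and then cast in `if ((int)rec_sndbuf < 0)`; since getsockopt(SO_SNDBUF) returns a plain int, declaring `int rec_sndbuf` removes both the format mismatch and the cast. The two TINFO messages are also emitted only after SAFE_SETSOCKOPT and SAFE_GETSOCKOPT have already run, so if either aborts with TBROK (e.g. EPERM when root lacks CAP_NET_ADMIN in a container) the "Try to set send buffer size" line is never logged; moving that tst_res above the SAFE_SETSOCKOPT call keeps the log self-explanatory. Lastly, `.timeout = 20` can be dropped: the test runs in milliseconds and the default timeout is sufficient.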
--
2.16.4
* [LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase
@ 2019-05-27 13:54 ` Cyril Hrubis
From: Cyril Hrubis @ 2019-05-27 13:54 UTC (permalink / raw)
To: ltp
Hi!
I've removed the .timeout settings from the tst_test structure and
pushed, thanks.
As far as I can tell there is no point in tweaking the default timeout
for testcases that have runtime in milliseconds.
--
Cyril Hrubis
chrubis@suse.cz