* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
@ 2018-03-12 16:36 Alexey Kodanev
2018-03-20 14:00 ` Petr Vorel
2018-03-21 14:26 ` Richard Palethorpe
0 siblings, 2 replies; 7+ messages in thread
From: Alexey Kodanev @ 2018-03-12 16:36 UTC (permalink / raw)
To: ltp
There are two test-cases in runtest/cve:
* cve-2018-5803 - for over-sized INIT_ACK packet
* cve-2018-5803_2 - for over-sized INIT packet
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
include/lapi/socket.h | 4 +
runtest/cve | 2 +
testcases/cve/.gitignore | 1 +
testcases/cve/cve-2018-5803.c | 124 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 131 insertions(+), 0 deletions(-)
create mode 100644 testcases/cve/cve-2018-5803.c
diff --git a/include/lapi/socket.h b/include/lapi/socket.h
index 426906f..d58c460 100644
--- a/include/lapi/socket.h
+++ b/include/lapi/socket.h
@@ -45,6 +45,10 @@
# define SOCK_CLOEXEC 02000000
#endif
+#ifndef SOL_SCTP
+# define SOL_SCTP 132
+#endif
+
#ifndef SOL_UDPLITE
# define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */
#endif
diff --git a/runtest/cve b/runtest/cve
index 0c385c6..826bb0b 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -30,3 +30,5 @@ cve-2017-17807 request_key04
cve-2017-1000364 stack_clash
cve-2017-5754 meltdown
cve-2017-17052 cve-2017-17052
+cve-2018-5803 cve-2018-5803
+cve-2018-5803_2 cve-2018-5803 -a 10000
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index c878069..31200c6 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -12,3 +12,4 @@ cve-2017-5669
meltdown
stack_clash
cve-2017-17052
+cve-2018-5803
diff --git a/testcases/cve/cve-2018-5803.c b/testcases/cve/cve-2018-5803.c
new file mode 100644
index 0000000..3f03d8a
--- /dev/null
+++ b/testcases/cve/cve-2018-5803.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it would be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Regression test-case for the crash caused by over-sized SCTP chunk,
+ * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new
+ * chunk in _sctp_make_chunk()")
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <sys/syscall.h>
+#include <fcntl.h>
+
+#include "tst_test.h"
+#include "tst_safe_stdio.h"
+#include "lapi/netinet_in.h"
+#include "lapi/socket.h"
+
+static int port;
+static int sfd, cfd;
+static struct sockaddr_in6 rmt, loc;
+
+static char *addr_param;
+static int addr_num = 3273;
+
+#ifndef SCTP_SOCKOPT_BINDX_ADD
+# define SCTP_SOCKOPT_BINDX_ADD 100
+#endif
+
+static void setup_server(void)
+{
+ loc.sin6_family = AF_INET6;
+ loc.sin6_addr = in6addr_loopback;
+
+ sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
+ SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc));
+
+ port = TST_GETSOCKPORT(sfd);
+ tst_res(TINFO, "sctp server listen on %d", port);
+
+ SAFE_LISTEN(sfd, 1);
+}
+
+static void setup_client(void)
+{
+ struct sockaddr_in6 addr_buf[addr_num];
+ int i;
+
+ cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
+ rmt.sin6_family = AF_INET6;
+ rmt.sin6_addr = in6addr_loopback;
+ rmt.sin6_port = htons(port);
+
+ tst_res(TINFO, "bind %d additional IP addresses", addr_num);
+
+ memset(addr_buf, 0, sizeof(addr_buf));
+ for (i = 0; i < addr_num; ++i) {
+ addr_buf[i].sin6_family = AF_INET6;
+ addr_buf[i].sin6_addr = in6addr_loopback;
+ }
+
+ SAFE_SETSOCKOPT(cfd, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, addr_buf,
+ sizeof(addr_buf));
+}
+
+static void setup(void)
+{
+ if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
+ tst_brk(TBROK, "wrong address number '%s'", addr_param);
+
+ setup_server();
+ setup_client();
+}
+
+static void run(void)
+{
+ int pid = SAFE_FORK();
+
+ if (!pid) {
+ struct sockaddr_in6 addr6;
+ socklen_t addr_size = sizeof(addr6);
+
+ if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0)
+ tst_brk(TBROK | TERRNO, "accept() failed");
+ exit(0);
+ }
+
+ fcntl(cfd, F_SETFL, O_NONBLOCK);
+ connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt));
+
+ SAFE_KILL(pid, SIGKILL);
+ SAFE_WAITPID(pid, NULL, 0);
+
+ tst_res(TPASS, "test doesn't cause crash");
+}
+
+static struct tst_option options[] = {
+ {"a:", &addr_param, "-a number of additional IP address params"},
+ {NULL, NULL, NULL}
+};
+
+static struct tst_test test = {
+ .setup = setup,
+ .forks_child = 1,
+ .test_all = run,
+ .options = options
+};
--
1.7.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
2018-03-12 16:36 [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803 Alexey Kodanev
@ 2018-03-20 14:00 ` Petr Vorel
2018-03-21 11:28 ` Alexey Kodanev
2018-03-21 14:26 ` Richard Palethorpe
1 sibling, 1 reply; 7+ messages in thread
From: Petr Vorel @ 2018-03-20 14:00 UTC (permalink / raw)
To: ltp
Hi Alexey,
> There are two test-cases in runtest/cve:
> * cve-2018-5803 - for over-sized INIT_ACK packet
> * cve-2018-5803_2 - for over-sized INIT packet
> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
> ---
> include/lapi/socket.h | 4 +
> runtest/cve | 2 +
> testcases/cve/.gitignore | 1 +
> testcases/cve/cve-2018-5803.c | 124 +++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 131 insertions(+), 0 deletions(-)
> create mode 100644 testcases/cve/cve-2018-5803.c
> diff --git a/include/lapi/socket.h b/include/lapi/socket.h
> index 426906f..d58c460 100644
> --- a/include/lapi/socket.h
> +++ b/include/lapi/socket.h
> @@ -45,6 +45,10 @@
> # define SOCK_CLOEXEC 02000000
> #endif
> +#ifndef SOL_SCTP
> +# define SOL_SCTP 132
> +#endif
I suppose you deliberately don't include linux/socket.h where
SOL_SCTP is defined.
> +
> #ifndef SOL_UDPLITE
> # define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */
> #endif
> diff --git a/runtest/cve b/runtest/cve
> index 0c385c6..826bb0b 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -30,3 +30,5 @@ cve-2017-17807 request_key04
> cve-2017-1000364 stack_clash
> cve-2017-5754 meltdown
> cve-2017-17052 cve-2017-17052
> +cve-2018-5803 cve-2018-5803
> +cve-2018-5803_2 cve-2018-5803 -a 10000
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index c878069..31200c6 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -12,3 +12,4 @@ cve-2017-5669
> meltdown
> stack_clash
> cve-2017-17052
> +cve-2018-5803
> diff --git a/testcases/cve/cve-2018-5803.c b/testcases/cve/cve-2018-5803.c
> new file mode 100644
> index 0000000..3f03d8a
> --- /dev/null
> +++ b/testcases/cve/cve-2018-5803.c
> @@ -0,0 +1,124 @@
> +/*
> + * Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation; either version 2 of
> + * the License, or (at your option) any later version.
> + *
> + * This program is distributed in the hope that it would be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program. If not, see <http://www.gnu.org/licenses/>.
> + *
> + * Regression test-case for the crash caused by over-sized SCTP chunk,
> + * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new
> + * chunk in _sctp_make_chunk()")
> + */
> +
> +#include <stdlib.h>
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +#include <netinet/in.h>
> +#include <netdb.h>
> +#include <sys/syscall.h>
> +#include <fcntl.h>
> +
> +#include "tst_test.h"
> +#include "tst_safe_stdio.h"
> +#include "lapi/netinet_in.h"
> +#include "lapi/socket.h"
> +
> +static int port;
> +static int sfd, cfd;
> +static struct sockaddr_in6 rmt, loc;
> +
> +static char *addr_param;
> +static int addr_num = 3273;
> +
> +#ifndef SCTP_SOCKOPT_BINDX_ADD
> +# define SCTP_SOCKOPT_BINDX_ADD 100
> +#endif
I suppose you deliberately don't include linux/sctp.h, where
SCTP_SOCKOPT_BINDX_ADD defined.
> +
> +static void setup_server(void)
> +{
> + loc.sin6_family = AF_INET6;
> + loc.sin6_addr = in6addr_loopback;
> +
> + sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
> + SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc));
> +
> + port = TST_GETSOCKPORT(sfd);
> + tst_res(TINFO, "sctp server listen on %d", port);
> +
> + SAFE_LISTEN(sfd, 1);
> +}
> +
> +static void setup_client(void)
> +{
> + struct sockaddr_in6 addr_buf[addr_num];
> + int i;
> +
> + cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
> + rmt.sin6_family = AF_INET6;
> + rmt.sin6_addr = in6addr_loopback;
> + rmt.sin6_port = htons(port);
> +
> + tst_res(TINFO, "bind %d additional IP addresses", addr_num);
> +
> + memset(addr_buf, 0, sizeof(addr_buf));
> + for (i = 0; i < addr_num; ++i) {
> + addr_buf[i].sin6_family = AF_INET6;
> + addr_buf[i].sin6_addr = in6addr_loopback;
> + }
> +
> + SAFE_SETSOCKOPT(cfd, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, addr_buf,
> + sizeof(addr_buf));
> +}
> +
> +static void setup(void)
> +{
> + if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
> + tst_brk(TBROK, "wrong address number '%s'", addr_param);
> +
> + setup_server();
> + setup_client();
> +}
> +
> +static void run(void)
> +{
> + int pid = SAFE_FORK();
> +
> + if (!pid) {
> + struct sockaddr_in6 addr6;
> + socklen_t addr_size = sizeof(addr6);
> +
> + if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0)
> + tst_brk(TBROK | TERRNO, "accept() failed");
> + exit(0);
> + }
> +
> + fcntl(cfd, F_SETFL, O_NONBLOCK);
> + connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt));
Minor nit: you can use SAFE_CONNECT().
> +
> + SAFE_KILL(pid, SIGKILL);
> + SAFE_WAITPID(pid, NULL, 0);
> +
> + tst_res(TPASS, "test doesn't cause crash");
> +}
> +
> +static struct tst_option options[] = {
> + {"a:", &addr_param, "-a number of additional IP address params"},
> + {NULL, NULL, NULL}
> +};
> +
> +static struct tst_test test = {
> + .setup = setup,
> + .forks_child = 1,
> + .test_all = run,
> + .options = options
> +};
LGTM.
Tested-by: Petr Vorel <pvorel@suse.cz>
Found one BROK on EINVAL on setsockopt(), most of older kernels in VM don't crash, bug generate
heavy load.
Kind regards,
Petr
^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
2018-03-20 14:00 ` Petr Vorel
@ 2018-03-21 11:28 ` Alexey Kodanev
2018-03-22 17:34 ` Petr Vorel
2018-03-22 17:34 ` Petr Vorel
0 siblings, 2 replies; 7+ messages in thread
From: Alexey Kodanev @ 2018-03-21 11:28 UTC (permalink / raw)
To: ltp
On 03/20/2018 05:00 PM, Petr Vorel wrote:
> Hi Alexey,
>
>> There are two test-cases in runtest/cve:
>> * cve-2018-5803 - for over-sized INIT_ACK packet
>> * cve-2018-5803_2 - for over-sized INIT packet
>
>> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
>> ---
>> include/lapi/socket.h | 4 +
>> runtest/cve | 2 +
>> testcases/cve/.gitignore | 1 +
>> testcases/cve/cve-2018-5803.c | 124 +++++++++++++++++++++++++++++++++++++++++
>> 4 files changed, 131 insertions(+), 0 deletions(-)
>> create mode 100644 testcases/cve/cve-2018-5803.c
>
>> diff --git a/include/lapi/socket.h b/include/lapi/socket.h
>> index 426906f..d58c460 100644
>> --- a/include/lapi/socket.h
>> +++ b/include/lapi/socket.h
>> @@ -45,6 +45,10 @@
>> # define SOCK_CLOEXEC 02000000
>> #endif
>
>> +#ifndef SOL_SCTP
>> +# define SOL_SCTP 132
>> +#endif
> I suppose you deliberately don't include linux/socket.h where
> SOL_SCTP is defined.
Hi Petr,
Do you think we should include linux headers for consistency?
>> +
>> #ifndef SOL_UDPLITE
>> # define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */
>> #endif
>> diff --git a/runtest/cve b/runtest/cve
>> index 0c385c6..826bb0b 100644
...
>> +
>> + if (!pid) {
>> + struct sockaddr_in6 addr6;
>> + socklen_t addr_size = sizeof(addr6);
>> +
>> + if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0)
>> + tst_brk(TBROK | TERRNO, "accept() failed");
>> + exit(0);
>> + }
>> +
>> + fcntl(cfd, F_SETFL, O_NONBLOCK);
>> + connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt));
> Minor nit: you can use SAFE_CONNECT().
>
No, it should fail in the kernels with the fix, on the second test-case when
we get over-sized INIT chunk, I think ENOMEM returns in that case.
>> +
>> + SAFE_KILL(pid, SIGKILL);
>> + SAFE_WAITPID(pid, NULL, 0);
>> +
>> + tst_res(TPASS, "test doesn't cause crash");
>> +}
>> +
>> +static struct tst_option options[] = {
>> + {"a:", &addr_param, "-a number of additional IP address params"},
>> + {NULL, NULL, NULL}
>> +};
>> +
>> +static struct tst_test test = {
>> + .setup = setup,
>> + .forks_child = 1,
>> + .test_all = run,
>> + .options = options
>> +};
>
> LGTM.
> Tested-by: Petr Vorel <pvorel@suse.cz>
> Found one BROK on EINVAL on setsockopt(), most of older kernels in VM don't crash, bug generate
> heavy load.
Does it happen with a single address parameter? We could also lower parameter
size in the second test, e.g. from 10000 to 4000.
Also change SOCK_STREAM to SOCK_SEQPACKET
diff --git a/testcases/cve/cve-2018-5803.c b/testcases/cve/cve-2018-5803.c
index 3f03d8a..6bee914 100644
--- a/testcases/cve/cve-2018-5803.c
+++ b/testcases/cve/cve-2018-5803.c
@@ -63,7 +63,7 @@ static void setup_client(void)
struct sockaddr_in6 addr_buf[addr_num];
int i;
- cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
+ cfd = SAFE_SOCKET(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
rmt.sin6_family = AF_INET6;
rmt.sin6_addr = in6addr_loopback;
rmt.sin6_port = htons(port);
I could also add IPv4 version...
Thanks,
Alexey
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
2018-03-12 16:36 [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803 Alexey Kodanev
2018-03-20 14:00 ` Petr Vorel
@ 2018-03-21 14:26 ` Richard Palethorpe
2018-03-21 15:12 ` Alexey Kodanev
1 sibling, 1 reply; 7+ messages in thread
From: Richard Palethorpe @ 2018-03-21 14:26 UTC (permalink / raw)
To: ltp
Hello Alexey,
Alexey Kodanev writes:
> There are two test-cases in runtest/cve:
> * cve-2018-5803 - for over-sized INIT_ACK packet
> * cve-2018-5803_2 - for over-sized INIT packet
Naming tests purely after a CVE number seems to have been a mistake on
my part because people are unable to recognise them. Could this be given
a more descriptive name and location (i.e something with net and sctp in
the name?). Of course it should still go in the cve runtest file.
>
> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
> ---
> include/lapi/socket.h | 4 +
> runtest/cve | 2 +
> testcases/cve/.gitignore | 1 +
> testcases/cve/cve-2018-5803.c | 124 +++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 131 insertions(+), 0 deletions(-)
> create mode 100644 testcases/cve/cve-2018-5803.c
>
> diff --git a/include/lapi/socket.h b/include/lapi/socket.h
> index 426906f..d58c460 100644
> --- a/include/lapi/socket.h
> +++ b/include/lapi/socket.h
> @@ -45,6 +45,10 @@
> # define SOCK_CLOEXEC 02000000
> #endif
>
> +#ifndef SOL_SCTP
> +# define SOL_SCTP 132
> +#endif
> +
> #ifndef SOL_UDPLITE
> # define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */
> #endif
> diff --git a/runtest/cve b/runtest/cve
> index 0c385c6..826bb0b 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -30,3 +30,5 @@ cve-2017-17807 request_key04
> cve-2017-1000364 stack_clash
> cve-2017-5754 meltdown
> cve-2017-17052 cve-2017-17052
> +cve-2018-5803 cve-2018-5803
> +cve-2018-5803_2 cve-2018-5803 -a 10000
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index c878069..31200c6 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -12,3 +12,4 @@ cve-2017-5669
> meltdown
> stack_clash
> cve-2017-17052
> +cve-2018-5803
> diff --git a/testcases/cve/cve-2018-5803.c b/testcases/cve/cve-2018-5803.c
> new file mode 100644
> index 0000000..3f03d8a
> --- /dev/null
> +++ b/testcases/cve/cve-2018-5803.c
> @@ -0,0 +1,124 @@
> +/*
> + * Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation; either version 2 of
> + * the License, or (at your option) any later version.
> + *
> + * This program is distributed in the hope that it would be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program. If not, see <http://www.gnu.org/licenses/>.
> + *
> + * Regression test-case for the crash caused by over-sized SCTP chunk,
> + * fixed by upstream commit 07f2c7ab6f8d ("sctp: verify size of a new
> + * chunk in _sctp_make_chunk()")
> + */
> +
> +#include <stdlib.h>
> +#include <unistd.h>
> +#include <sys/types.h>
> +#include <sys/socket.h>
> +#include <netinet/in.h>
> +#include <netdb.h>
> +#include <sys/syscall.h>
> +#include <fcntl.h>
> +
> +#include "tst_test.h"
> +#include "tst_safe_stdio.h"
> +#include "lapi/netinet_in.h"
> +#include "lapi/socket.h"
> +
> +static int port;
> +static int sfd, cfd;
> +static struct sockaddr_in6 rmt, loc;
> +
> +static char *addr_param;
> +static int addr_num = 3273;
> +
> +#ifndef SCTP_SOCKOPT_BINDX_ADD
> +# define SCTP_SOCKOPT_BINDX_ADD 100
> +#endif
> +
> +static void setup_server(void)
> +{
> + loc.sin6_family = AF_INET6;
> + loc.sin6_addr = in6addr_loopback;
> +
> + sfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
> + SAFE_BIND(sfd, (struct sockaddr *)&loc, sizeof(loc));
> +
> + port = TST_GETSOCKPORT(sfd);
> + tst_res(TINFO, "sctp server listen on %d", port);
> +
> + SAFE_LISTEN(sfd, 1);
> +}
> +
> +static void setup_client(void)
> +{
> + struct sockaddr_in6 addr_buf[addr_num];
> + int i;
> +
> + cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
> + rmt.sin6_family = AF_INET6;
> + rmt.sin6_addr = in6addr_loopback;
> + rmt.sin6_port = htons(port);
> +
> + tst_res(TINFO, "bind %d additional IP addresses", addr_num);
> +
> + memset(addr_buf, 0, sizeof(addr_buf));
> + for (i = 0; i < addr_num; ++i) {
> + addr_buf[i].sin6_family = AF_INET6;
> + addr_buf[i].sin6_addr = in6addr_loopback;
> + }
> +
> + SAFE_SETSOCKOPT(cfd, SOL_SCTP, SCTP_SOCKOPT_BINDX_ADD, addr_buf,
> + sizeof(addr_buf));
> +}
> +
> +static void setup(void)
> +{
> + if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
> + tst_brk(TBROK, "wrong address number '%s'", addr_param);
> +
> + setup_server();
> + setup_client();
> +}
> +
> +static void run(void)
> +{
> + int pid = SAFE_FORK();
> +
> + if (!pid) {
> + struct sockaddr_in6 addr6;
> + socklen_t addr_size = sizeof(addr6);
> +
> + if (accept(sfd, (struct sockaddr *)&addr6, &addr_size) < 0)
> + tst_brk(TBROK | TERRNO, "accept() failed");
> + exit(0);
> + }
> +
> + fcntl(cfd, F_SETFL, O_NONBLOCK);
> + connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt));
> +
> + SAFE_KILL(pid, SIGKILL);
> + SAFE_WAITPID(pid, NULL, 0);
> +
> + tst_res(TPASS, "test doesn't cause crash");
> +}
> +
> +static struct tst_option options[] = {
> + {"a:", &addr_param, "-a number of additional IP address params"},
> + {NULL, NULL, NULL}
> +};
> +
> +static struct tst_test test = {
> + .setup = setup,
> + .forks_child = 1,
> + .test_all = run,
> + .options = options
> +};
> --
> 1.7.1
--
Thank you,
Richard.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
2018-03-21 14:26 ` Richard Palethorpe
@ 2018-03-21 15:12 ` Alexey Kodanev
0 siblings, 0 replies; 7+ messages in thread
From: Alexey Kodanev @ 2018-03-21 15:12 UTC (permalink / raw)
To: ltp
On 03/21/2018 05:26 PM, Richard Palethorpe wrote:
> Hello Alexey,
>
> Alexey Kodanev writes:
>
>> There are two test-cases in runtest/cve:
>> * cve-2018-5803 - for over-sized INIT_ACK packet
>> * cve-2018-5803_2 - for over-sized INIT packet
>
> Naming tests purely after a CVE number seems to have been a mistake on
> my part because people are unable to recognise them. Could this be given
> a more descriptive name and location (i.e something with net and sctp in
> the name?). Of course it should still go in the cve runtest file.
Hi Richard,
Sure, I'll move it to testcases/network/sctp/ and change the file name.
Thanks,
Alexey
^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
2018-03-21 11:28 ` Alexey Kodanev
@ 2018-03-22 17:34 ` Petr Vorel
2018-03-22 17:34 ` Petr Vorel
1 sibling, 0 replies; 7+ messages in thread
From: Petr Vorel @ 2018-03-22 17:34 UTC (permalink / raw)
To: ltp
Hi Alexey,
> Do you think we should include linux headers for consistency?
Yes, although both SOL_SCTP and SOL_UDPLITE are defined the same for all architectures and
probably never change, I'd include the header.
Actually SOL_UDPLITE is already defined in include/lapi/socket.h.
This file was added as wrapper for values <sys/socket.h> in aac9d1f0e by Xiao Yang,
I included sys/socket.h in that lapi file in 3fd5746a8
Later you added in 0bc572423 constants from linux/socket.h.
I don't know what is a best practise, but I'd include both files in include/lapi/socket.h
(they don't conflict) (or don't include neither of them):
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif
#ifdef HAVE_LINUX_SOCKET_H
# include <linux/socket.h>
#endif
> >> +
> >> #ifndef SOL_UDPLITE
> >> # define SOL_UDPLITE 136 /* UDP-Lite (RFC 3828) */
> >> #endif
As I wrote, this is already defined in include/lapi/socket.h.
> >> diff --git a/runtest/cve b/runtest/cve
> >> index 0c385c6..826bb0b 100644
> ...
> >> + fcntl(cfd, F_SETFL, O_NONBLOCK);
> >> + connect(cfd, (struct sockaddr *)&rmt, sizeof(rmt));
> > Minor nit: you can use SAFE_CONNECT().
> No, it should fail in the kernels with the fix, on the second test-case when
> we get over-sized INIT chunk, I think ENOMEM returns in that case.
Oh sorry, understand.
Kind regards,
Petr
^ permalink raw reply [flat|nested] 7+ messages in thread
* [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803
2018-03-21 11:28 ` Alexey Kodanev
2018-03-22 17:34 ` Petr Vorel
@ 2018-03-22 17:34 ` Petr Vorel
1 sibling, 0 replies; 7+ messages in thread
From: Petr Vorel @ 2018-03-22 17:34 UTC (permalink / raw)
To: ltp
Hi Alexey,
> > LGTM.
> > Tested-by: Petr Vorel <pvorel@suse.cz>
> > Found one BROK on EINVAL on setsockopt(), most of older kernels in VM don't crash, bug generate
> > heavy load.
> Does it happen with a single address parameter? We could also lower parameter
> size in the second test, e.g. from 10000 to 4000.
I didn't notice before that it actually calls BUG() in skb_put(), test does not end.
Adding -a 4000 does not help.
> Also change SOCK_STREAM to SOCK_SEQPACKET
> diff --git a/testcases/cve/cve-2018-5803.c b/testcases/cve/cve-2018-5803.c
> index 3f03d8a..6bee914 100644
> --- a/testcases/cve/cve-2018-5803.c
> +++ b/testcases/cve/cve-2018-5803.c
> @@ -63,7 +63,7 @@ static void setup_client(void)
> struct sockaddr_in6 addr_buf[addr_num];
> int i;
> - cfd = SAFE_SOCKET(AF_INET6, SOCK_STREAM, IPPROTO_SCTP);
> + cfd = SAFE_SOCKET(AF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP);
> rmt.sin6_family = AF_INET6;
> rmt.sin6_addr = in6addr_loopback;
> rmt.sin6_port = htons(port);
> I could also add IPv4 version...
I have no idea if it's useful.
> Thanks,
> Alexey
Kind regards,
Petr
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-03-22 17:34 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-12 16:36 [LTP] [PATCH] cve: new regression test-case for CVE-2018-5803 Alexey Kodanev
2018-03-20 14:00 ` Petr Vorel
2018-03-21 11:28 ` Alexey Kodanev
2018-03-22 17:34 ` Petr Vorel
2018-03-22 17:34 ` Petr Vorel
2018-03-21 14:26 ` Richard Palethorpe
2018-03-21 15:12 ` Alexey Kodanev
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.