1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com> 4 * Based on repro-compatReleaseEntry.c by NCC group 5 */ 6/* 7 * Test for CVE-2016-4997 8 * 9 * For a full explanation of how the vulnerability works see: 10 * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt 11 * 12 * The original vulnerability was present in the 32-bit compatibility system 13 * call, so the test should be compiled with -m32 and run on a 64-bit kernel. 14 * For simplicities sake the test requests root privliges instead of creating 15 * a user namespace. 16 */ 17 18#include <stdint.h> 19#include <sys/types.h> 20#include <sys/socket.h> 21#include <netinet/in.h> 22#include <limits.h> 23 24#include "tst_test.h" 25#include "tst_safe_net.h" 26#include "tst_kernel.h" 27 28#include "lapi/ip_tables.h" 29 30#define TOO_SMALL_OFFSET 74 31#define OFFSET_OVERWRITE 0xFFFF 32#define NEXT_OFFSET (sizeof(struct ipt_entry) \ 33 + sizeof(struct xt_entry_match) \ 34 + sizeof(struct xt_entry_target)) 35#define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET) 36 37struct payload { 38 struct ipt_replace repl; 39 struct ipt_entry ent; 40 struct xt_entry_match match; 41 struct xt_entry_target targ; 42 char padding[PADDING]; 43 struct xt_entry_target targ2; 44}; 45 46static void setup(void) 47{ 48 if (tst_kernel_bits() == 32 || sizeof(long) > 4) 49 tst_res(TCONF, 50 "The vulnerability was only present in 32-bit compat mode"); 51} 52 53static void run(void) 54{ 55 int ret, sock_fd; 56 struct payload p = { 0 }; 57 58 sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0); 59 60 strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name)); 61 p.match.u.match_size = OFFSET_OVERWRITE; 62 63 p.ent.next_offset = NEXT_OFFSET; 64 p.ent.target_offset = TOO_SMALL_OFFSET; 65 66 p.repl.num_entries = 2; 67 p.repl.num_counters = 1; 68 p.repl.size = sizeof(struct payload); 69 p.repl.valid_hooks = 0; 70 71 ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE, 72 &p, sizeof(struct payload)); 73 tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret); 74} 75 76static struct tst_test test = { 77 .setup = setup, 78 .test_all = run, 79 .needs_root = 1, 80 .tags = (const struct tst_tag[]){ 81 {"linux-git", "ce683e5f9d04"}, 82 {"CVE", "CVE-2016-4997"}, 83 {} 84 } 85}; 86