[LTP] [PATCH] cve-2017-16939: Improve and fix test

Fri Dec 2 12:42:05 CET 2022

The test was unable to reproduce the kernel bug because it needs to
send then netlink message twice and then close the socket. Sending it
just once is not enough.

Also remove unnecessary structures and code and use taint checks.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 testcases/cve/cve-2017-16939.c | 63 ++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 25 deletions(-)

diff --git a/testcases/cve/cve-2017-16939.c b/testcases/cve/cve-2017-16939.c
index e41fb274a..fc3500d57 100644
--- a/testcases/cve/cve-2017-16939.c
+++ b/testcases/cve/cve-2017-16939.c
@@ -29,50 +29,63 @@
 
 #define BUFSIZE 2048
 
-static int fd;
-static struct sockaddr_nl addr;
-
-struct msg_policy {
-	struct nlmsghdr msg;
-	char buf[BUFSIZE];
-};
-static struct msg_policy *p;
+static int fd = -1;
+static struct sockaddr_nl nl_addr;
+static struct nlmsghdr xfrm_msg;
 
 static void setup(void)
 {
 	tst_setup_netns();
 
-	fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
-	memset(&addr, 0, sizeof(struct sockaddr_nl));
-	addr.nl_family = AF_NETLINK;
-	addr.nl_pid = 0; /* packet goes into the kernel */
-	addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
+	nl_addr.nl_family = AF_NETLINK;
+	nl_addr.nl_pid = 0; /* packet goes into the kernel */
+	nl_addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
 
-	p = SAFE_MALLOC(sizeof(struct msg_policy));
-	memset(p, 0, sizeof(struct msg_policy));
+	xfrm_msg.nlmsg_len = NLMSG_LENGTH(0);
+	xfrm_msg.nlmsg_type = XFRM_MSG_GETPOLICY;
+	xfrm_msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
+	xfrm_msg.nlmsg_seq = 0x1;
+	xfrm_msg.nlmsg_pid = 2;
+}
 
-	p->msg.nlmsg_len = 0x10;
-	p->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
-	p->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI |  NLM_F_REQUEST;
-	p->msg.nlmsg_seq = 0x1;
-	p->msg.nlmsg_pid = 2;
+static void send_nlmsg(int fd, struct nlmsghdr *msg, struct sockaddr_nl *addr)
+{
+	SAFE_SENDTO(1, fd, (void *)msg, msg->nlmsg_len, 0,
+		    (struct sockaddr *)addr, sizeof(struct sockaddr_nl));
 }
 
 static void run(void)
 {
-	int var = 0x100;
+	fd = SAFE_SOCKET(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+	SAFE_SETSOCKOPT_INT(fd, SOL_SOCKET, SO_RCVBUF, 0x100);
 
-	SAFE_SETSOCKOPT(fd, SOL_SOCKET, SO_RCVBUF, &var, sizeof(int));
-	SAFE_SENDTO(1, fd, (void *) &p->msg, p->msg.nlmsg_len, 0,
-		    (struct sockaddr *) &addr,
-		    sizeof(struct sockaddr_nl));
+	/* message must be sent twice to trigger the bug */
+	send_nlmsg(fd, &xfrm_msg, &nl_addr);
+	send_nlmsg(fd, &xfrm_msg, &nl_addr);
+	SAFE_CLOSE(fd);
+
+	/* wait for socket close callback to crash */
+	usleep(100000);
+
+	if (tst_taint_check()) {
+		tst_res(TFAIL, "Kernel is vulnerable");
+		return;
+	}
 
 	tst_res(TPASS, "Kernel seems to have survived");
 }
 
+static void cleanup(void)
+{
+	if (fd >= 0)
+		SAFE_CLOSE(fd);
+}
+
 static struct tst_test test = {
 	.setup = setup,
 	.test_all = run,
+	.cleanup = cleanup,
+	.taint_check = TST_TAINT_W | TST_TAINT_D,
 	.needs_kconfigs = (const char *[]) {
 		"CONFIG_USER_NS=y",
 		"CONFIG_NET_NS=y",
-- 
2.38.1

