[LTP] [PATCH 1/1] security: Test for uname26 exploit cve-2012-0957

Richard Palethorpe rpalethorpe@suse.com
Fri Feb 17 11:37:25 CET 2017 

Attempt to exploit the uname kernel memory leak which occurred when the
UNAME26 personality was set.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 testcases/kernel/security/uname/.gitignore      |  1 +
 testcases/kernel/security/uname/Makefile        | 20 ++++++
 testcases/kernel/security/uname/cve-2012-0957.c | 86 +++++++++++++++++++++++++
 3 files changed, 107 insertions(+)
 create mode 100644 testcases/kernel/security/uname/.gitignore
 create mode 100644 testcases/kernel/security/uname/Makefile
 create mode 100644 testcases/kernel/security/uname/cve-2012-0957.c

diff --git a/testcases/kernel/security/uname/.gitignore b/testcases/kernel/security/uname/.gitignore
new file mode 100644
index 000000000..e61b3fd25
--- /dev/null
+++ b/testcases/kernel/security/uname/.gitignore
@@ -0,0 +1 @@
+cve-2012-0957
diff --git a/testcases/kernel/security/uname/Makefile b/testcases/kernel/security/uname/Makefile
new file mode 100644
index 000000000..c4b6ce36b
--- /dev/null
+++ b/testcases/kernel/security/uname/Makefile
@@ -0,0 +1,20 @@
+# Copyright (c) 2017 Linux Test Project
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+top_srcdir		?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/uname/cve-2012-0957.c b/testcases/kernel/security/uname/cve-2012-0957.c
new file mode 100644
index 000000000..e5fb9c96d
--- /dev/null
+++ b/testcases/kernel/security/uname/cve-2012-0957.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Check that memory after the string terminator in all the utsname fields has
+ * been zeroed. cve-2012-0957 leaked kernel memory through the release field
+ * when the UNAME26 personality was set.
+ */
+
+#include <string.h>
+#include <sys/utsname.h>
+#include <sys/personality.h>
+#include "tst_test.h"
+
+#define UNAME26 0x0020000
+
+static int check_field(char *bytes, size_t length, char *field)
+{
+	size_t i = strlen(bytes) + 1;
+
+	for (; i < length; i++) {
+		if (bytes[i]) {
+			tst_res(TFAIL, "Bytes leaked in %s!", field);
+			return 1;
+		}
+	}
+	return 0;
+}
+
+
+static void try_leak_bytes(void)
+{
+	struct utsname buf;
+
+	if (uname(&buf))
+		tst_brk(TBROK | TERRNO, "Call to uname failed");
+
+#define CHECK_FIELD(field_name) \
+	(check_field(buf.field_name, ARRAY_SIZE(buf.field_name), #field_name))
+
+	if (!(CHECK_FIELD(release) |
+	    CHECK_FIELD(sysname) |
+	    CHECK_FIELD(nodename) |
+	    CHECK_FIELD(version) |
+	    CHECK_FIELD(machine) |
+#ifdef _GNU_SOURCE
+	    CHECK_FIELD(domainname) |
+#endif
+		    0)) {
+		tst_res(TPASS, "All fields zeroed after string terminator");
+	}
+#undef CHECK_FIELD
+}
+
+static void run(unsigned int test_nr)
+{
+	if (!test_nr) {
+		tst_res(TINFO, "Calling uname with default personality");
+		try_leak_bytes();
+	} else {
+		if (personality(PER_LINUX | UNAME26) < 0)
+			tst_brk(TCONF | TERRNO,
+				"Could not change personality to UNAME26");
+		tst_res(TINFO, "Calling uname with UNAME26 personality");
+		try_leak_bytes();
+	}
+}
+
+static struct tst_test test = {
+	.tid = "cve-2012-0957",
+	.test = run,
+	.tcnt = 2,
+};
-- 
2.11.0

More information about the ltp mailing list