[LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase

Christian Amann camann@suse.com
Mon May 27 11:41:46 CEST 2019


Kernels between version 3.11 and 4.8 missing commit b98b0bc8
are vulnerable to a privilege escalation exploit by overflowing
a socket send buffer size integer.
This test checks if the system is vulnerable by testing if a
negative buffer size can be set.

Signed-off-by: Christian Amann <camann@suse.com>
---
 runtest/syscalls                                   |  1 +
 testcases/kernel/syscalls/setsockopt/.gitignore    |  1 +
 .../kernel/syscalls/setsockopt/setsockopt04.c      | 65 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt04.c

diff --git a/runtest/syscalls b/runtest/syscalls
index 04558a580..b06ad949e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1233,6 +1233,7 @@ setsid01 setsid01
 setsockopt01 setsockopt01
 setsockopt02 setsockopt02
 setsockopt03 setsockopt03
+setsockopt04 setsockopt04
 
 settimeofday01 settimeofday01
 settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index d8fb0f3b4..603e2ad7a 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -1,3 +1,4 @@
 /setsockopt01
 /setsockopt02
 /setsockopt03
+/setsockopt04
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt04.c b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
new file mode 100644
index 000000000..6cb4199ab
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 SUSE LLC
+ * Author: Christian Amann <camann@suse.com>
+ */
+/* Test for CVE-2016-9793
+ *
+ * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it
+ * is possible to pass a very high unsigned integer as send buffer size
+ * to a socket which is then interpreted as a negative value.
+ *
+ * This can be used to escalate privileges by every user that has the
+ * CAP_NET_ADMIN capability.
+ *
+ * For additional information about this CVE see:
+ * https://www.suse.com/security/cve/CVE-2016-9793/
+ */
+
+#include <sys/socket.h>
+#include "tst_test.h"
+#include "tst_safe_net.h"
+
+#define SNDBUF	(0xffffff00)
+
+static int sockfd;
+
+static void run(void)
+{
+	unsigned int sndbuf, rec_sndbuf;
+	socklen_t optlen;
+
+	sndbuf = SNDBUF;
+	rec_sndbuf = 0;
+	optlen = sizeof(sndbuf);
+
+	SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen);
+	SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen);
+
+	tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf);
+	tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);
+
+	if ((int)rec_sndbuf < 0)
+		tst_res(TFAIL, "Was able to set negative send buffer size!");
+	else
+		tst_res(TPASS, "Was unable to set negative send buffer size!");
+}
+
+static void setup(void)
+{
+	sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+}
+
+static void cleanup(void)
+{
+	if (sockfd > 0)
+		SAFE_CLOSE(sockfd);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.cleanup = cleanup,
+	.needs_root = 1,
+	.timeout = 20,
+};
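Review bot: `rec_sndbuf` is declared `unsigned int` but is printed with `%d` on the `Send buffer size was set to` line and then cast to `int` for the sign check, so the format specifier does not match the argument type and the cast is doing the work the declaration should do. SO_SNDBUF is reported by getsockopt as an `int`, so splitting the declaration into `unsigned int sndbuf;` and `int rec_sndbuf;` lets the log line stay `%d` and the check become `if (rec_sndbuf < 0)` with no cast. It would also help readers to print the requested size in hex alongside the decimal value, since `0xffffff00` is chosen for its bit pattern rather than its magnitude. The hunk is the complete new file, so no enclosing scope is cut off.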
-- 
2.16.4


