[LTP] [PATCH v1] syscalls/setsockopt04: Add CVE-2016-9793 testcase
Christian Amann
camann@suse.com
Mon May 27 11:41:46 CEST 2019
Kernels between version 3.11 and 4.8 missing commit b98b0bc8
are vulnerable to a privilege escalation exploit by overflowing
a socket send buffer size integer.
This test checks if the system is vulnerable by testing if a
negative buffer size can be set.
Signed-off-by: Christian Amann <camann@suse.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/setsockopt/.gitignore | 1 +
.../kernel/syscalls/setsockopt/setsockopt04.c | 65 ++++++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt04.c
diff --git a/runtest/syscalls b/runtest/syscalls
index 04558a580..b06ad949e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1233,6 +1233,7 @@ setsid01 setsid01
setsockopt01 setsockopt01
setsockopt02 setsockopt02
setsockopt03 setsockopt03
+setsockopt04 setsockopt04
settimeofday01 settimeofday01
settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index d8fb0f3b4..603e2ad7a 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -1,3 +1,4 @@
/setsockopt01
/setsockopt02
/setsockopt03
+/setsockopt04
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt04.c b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
new file mode 100644
index 000000000..6cb4199ab
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt04.c
@@ -0,0 +1,65 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 SUSE LLC
+ * Author: Christian Amann <camann@suse.com>
+ */
+/* Test for CVE-2016-9793
+ *
+ * With kernels between version 3.11 and 4.8 missing commit b98b0bc8 it
+ * is possible to pass a very high unsigned integer as send buffer size
+ * to a socket which is then interpreted as a negative value.
+ *
+ * This can be used to escalate privileges by every user that has the
+ * CAP_NET_ADMIN capability.
+ *
+ * For additional information about this CVE see:
+ * https://www.suse.com/security/cve/CVE-2016-9793/
+ */
+
+#include <sys/socket.h>
+#include "tst_test.h"
+#include "tst_safe_net.h"
+
+#define SNDBUF (0xffffff00)
+
+static int sockfd;
+
+static void run(void)
+{
+ unsigned int sndbuf, rec_sndbuf;
+ socklen_t optlen;
+
+ sndbuf = SNDBUF;
+ rec_sndbuf = 0;
+ optlen = sizeof(sndbuf);
+
+ SAFE_SETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUFFORCE, &sndbuf, optlen);
+ SAFE_GETSOCKOPT(sockfd, SOL_SOCKET, SO_SNDBUF, &rec_sndbuf, &optlen);
+
+ tst_res(TINFO, "Try to set send buffer size to: %u", sndbuf);
+ tst_res(TINFO, "Send buffer size was set to: %d", rec_sndbuf);
+
+ if ((int)rec_sndbuf < 0)
+ tst_res(TFAIL, "Was able to set negative send buffer size!");
+ else
+ tst_res(TPASS, "Was unable to set negative send buffer size!");
+}
+
+static void setup(void)
+{
+ sockfd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
+}
+
+static void cleanup(void)
+{
+ if (sockfd > 0)
+ SAFE_CLOSE(sockfd);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_root = 1,
+ .timeout = 20,
+};
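Review bot: `rec_sndbuf` is declared `unsigned int` on the first line of run() but is printed with `%d` on the "Send buffer size was set to" line and then cast to `int` for the sign check, which is a format/type mismatch and an unnecessary cast; the kernel returns `SO_SNDBUF` as an `int`, so declaring the received value as `int` makes both the print and the comparison direct: `unsigned int sndbuf = SNDBUF;`, `int rec_sndbuf = 0;`, `if (rec_sndbuf < 0)`. The "Try to set send buffer size to" TINFO line is emitted only after SAFE_SETSOCKOPT has already returned, so if that call fails the log never shows the value that was attempted; moving that tst_res() above the SAFE_SETSOCKOPT call keeps the diagnostic useful on a failing kernel. The header comment could also state explicitly that a TFAIL means the running kernel lacks commit b98b0bc8, e.g. `* TFAIL here means the kernel still accepts a negative sk_sndbuf (commit b98b0bc8 missing).`.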
--
2.16.4