[LTP] [PATCH v2 3/3] Add test for CVE 2023-1829
Martin Doucha
mdoucha@suse.cz
Fri Aug 4 15:28:03 CEST 2023
Fixes #1053
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
Changes since v1:
- Fixed typo in .gitignore
- Removed unnecessary TCA_TCINDEX_ACT attribute tree from filter config
- Added credit for the original reproducer
Reproducer was tested on both affected and fixed SLE-15SP5 kernels.
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/tcindex01.c | 141 ++++++++++++++++++++++++++++++++++++++
3 files changed, 143 insertions(+)
create mode 100644 testcases/cve/tcindex01.c
diff --git a/runtest/cve b/runtest/cve
index 7d1e84f89..f9b36a182 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -84,6 +84,7 @@ cve-2021-38604 mq_notify03
cve-2022-0847 dirtypipe
cve-2022-2590 dirtyc0w_shmem
cve-2022-23222 bpf_prog07
+cve-2023-1829 tcindex01
# Tests below may cause kernel memory leak
cve-2020-25704 perf_event_open03
cve-2022-0185 fsconfig03
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 90e8b191c..3a2b2bed6 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -12,3 +12,4 @@ cve-2017-16939
cve-2017-17053
cve-2022-4378
icmp_rate_limit01
+tcindex01
diff --git a/testcases/cve/tcindex01.c b/testcases/cve/tcindex01.c
new file mode 100644
index 000000000..9bd7de9dd
--- /dev/null
+++ b/testcases/cve/tcindex01.c
@@ -0,0 +1,141 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2023 SUSE LLC
+ * Author: Marcos Paulo de Souza <mpdesouza@suse.com>
+ * LTP port: Martin Doucha <mdoucha@suse.cz>
+ */
+
+/*\
+ * CVE-2023-1829
+ *
+ * Test for use-after-free after removing tcindex traffic filter with certain
+ * parameters.
+ *
+ * Tcindex filter removed in:
+ *
+ * commit 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
+ * Author: Jamal Hadi Salim <jhs@mojatatu.com>
+ * Date: Tue Feb 14 08:49:14 2023 -0500
+ *
+ * net/sched: Retire tcindex classifier
+ */
+
+#include <linux/netlink.h>
+#include <linux/pkt_sched.h>
+#include <linux/pkt_cls.h>
+#include "tst_test.h"
+#include "tst_rtnetlink.h"
+#include "tst_netdevice.h"
+#include "lapi/sched.h"
+#include "lapi/if_ether.h"
+#include "lapi/rtnetlink.h"
+
+#define DEVNAME "ltp_dummy1"
+
+static const uint32_t qd_handle = TC_H_MAKE(1 << 16, 0);
+static const uint32_t clsid = TC_H_MAKE(1 << 16, 1);
+static const uint32_t shift = 10;
+static const uint16_t mask = 0xffff;
+
+/* rtnetlink payloads */
+static const struct tc_htb_glob qd_opt = {
+ .rate2quantum = 10,
+ .version = 3,
+ .defcls = 30
+};
+static struct tc_htb_opt cls_opt = {};
+
+/* htb qdisc and class options */
+static const struct tst_rtnl_attr_list qd_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_HTB_INIT, &qd_opt, sizeof(qd_opt), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+static const struct tst_rtnl_attr_list cls_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_HTB_PARMS, &cls_opt, sizeof(cls_opt), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+
+/* tcindex filter options */
+static const struct tst_rtnl_attr_list f_config[] = {
+ {TCA_OPTIONS, NULL, 0, (const struct tst_rtnl_attr_list[]){
+ {TCA_TCINDEX_MASK, &mask, sizeof(mask), NULL},
+ {TCA_TCINDEX_SHIFT, &shift, sizeof(shift), NULL},
+ {TCA_TCINDEX_CLASSID, &clsid, sizeof(clsid), NULL},
+ {0, NULL, -1, NULL}
+ }},
+ {0, NULL, -1, NULL}
+};
+
+static void setup(void)
+{
+ tst_setup_netns();
+ NETDEV_ADD_DEVICE(DEVNAME, "dummy");
+
+ cls_opt.rate.rate = cls_opt.ceil.rate = 256000;
+ cls_opt.buffer = 1000000 * 1600 / cls_opt.rate.rate;
+ cls_opt.cbuffer = 1000000 * 1600 / cls_opt.ceil.rate;
+}
+
+static void run(void)
+{
+ unsigned int i;
+
+ for (i = 0; i < 100; i++) {
+ NETDEV_ADD_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
+ "htb", qd_config);
+ NETDEV_ADD_TRAFFIC_CLASS(DEVNAME, qd_handle, clsid, "htb",
+ cls_config);
+ NETDEV_ADD_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP, 1,
+ "tcindex", f_config);
+ NETDEV_REMOVE_TRAFFIC_FILTER(DEVNAME, qd_handle, 10, ETH_P_IP,
+ 1, "tcindex");
+
+ /* Wait at least one jiffy for use-after-free */
+ usleep(10000);
+
+ NETDEV_REMOVE_QDISC(DEVNAME, AF_UNSPEC, TC_H_ROOT, qd_handle,
+ "htb");
+ }
+
+ if (tst_taint_check()) {
+ tst_res(TFAIL, "Kernel is vulnerable");
+ return;
+ }
+
+ tst_res(TPASS, "Nothing bad happened (yet)");
+}
+
+static void cleanup(void)
+{
+ NETDEV_REMOVE_DEVICE(DEVNAME);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .taint_check = TST_TAINT_W | TST_TAINT_D,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_VETH",
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ "CONFIG_NET_SCH_HTB",
+ "CONFIG_NET_CLS_TCINDEX",
+ NULL
+ },
+ .save_restore = (const struct tst_path_val[]) {
+ {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+ {}
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "8c710f75256b"},
+ {"CVE", "2023-1829"},
+ {}
+ }
+};
--
2.41.0