1*49cdfc7eSAndroid Build Coastguard Worker // SPDX-License-Identifier: GPL-2.0-or-later
2*49cdfc7eSAndroid Build Coastguard Worker /*
3*49cdfc7eSAndroid Build Coastguard Worker * Copyright (c) 2017 Richard Palethorpe <[email protected]>
4*49cdfc7eSAndroid Build Coastguard Worker * Based on repro-compatReleaseEntry.c by NCC group
5*49cdfc7eSAndroid Build Coastguard Worker */
6*49cdfc7eSAndroid Build Coastguard Worker
7*49cdfc7eSAndroid Build Coastguard Worker /*\
8*49cdfc7eSAndroid Build Coastguard Worker * [Description]
9*49cdfc7eSAndroid Build Coastguard Worker *
10*49cdfc7eSAndroid Build Coastguard Worker * Test for CVE-2016-4997
11*49cdfc7eSAndroid Build Coastguard Worker *
12*49cdfc7eSAndroid Build Coastguard Worker * For a full explanation of how the vulnerability works see:
13*49cdfc7eSAndroid Build Coastguard Worker * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
14*49cdfc7eSAndroid Build Coastguard Worker *
15*49cdfc7eSAndroid Build Coastguard Worker * The original vulnerability was present in the 32-bit compatibility system
16*49cdfc7eSAndroid Build Coastguard Worker * call, so the test should be compiled with -m32 and run on a 64-bit kernel.
17*49cdfc7eSAndroid Build Coastguard Worker * For simplicities sake the test requests root privileges instead of creating
18*49cdfc7eSAndroid Build Coastguard Worker * a user namespace.
19*49cdfc7eSAndroid Build Coastguard Worker */
20*49cdfc7eSAndroid Build Coastguard Worker
21*49cdfc7eSAndroid Build Coastguard Worker #include <stdint.h>
22*49cdfc7eSAndroid Build Coastguard Worker #include <sys/types.h>
23*49cdfc7eSAndroid Build Coastguard Worker #include <sys/socket.h>
24*49cdfc7eSAndroid Build Coastguard Worker #include <netinet/in.h>
25*49cdfc7eSAndroid Build Coastguard Worker #include <limits.h>
26*49cdfc7eSAndroid Build Coastguard Worker
27*49cdfc7eSAndroid Build Coastguard Worker #include "tst_test.h"
28*49cdfc7eSAndroid Build Coastguard Worker #include "tst_safe_net.h"
29*49cdfc7eSAndroid Build Coastguard Worker #include "tst_kernel.h"
30*49cdfc7eSAndroid Build Coastguard Worker
31*49cdfc7eSAndroid Build Coastguard Worker #include "lapi/ip_tables.h"
32*49cdfc7eSAndroid Build Coastguard Worker
33*49cdfc7eSAndroid Build Coastguard Worker #define TOO_SMALL_OFFSET 74
34*49cdfc7eSAndroid Build Coastguard Worker #define OFFSET_OVERWRITE 0xFFFF
35*49cdfc7eSAndroid Build Coastguard Worker #define NEXT_OFFSET (sizeof(struct ipt_entry) \
36*49cdfc7eSAndroid Build Coastguard Worker + sizeof(struct xt_entry_match) \
37*49cdfc7eSAndroid Build Coastguard Worker + sizeof(struct xt_entry_target))
38*49cdfc7eSAndroid Build Coastguard Worker #define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET)
39*49cdfc7eSAndroid Build Coastguard Worker
40*49cdfc7eSAndroid Build Coastguard Worker struct payload {
41*49cdfc7eSAndroid Build Coastguard Worker struct ipt_replace repl;
42*49cdfc7eSAndroid Build Coastguard Worker struct ipt_entry ent;
43*49cdfc7eSAndroid Build Coastguard Worker struct xt_entry_match match;
44*49cdfc7eSAndroid Build Coastguard Worker struct xt_entry_target targ;
45*49cdfc7eSAndroid Build Coastguard Worker char padding[PADDING];
46*49cdfc7eSAndroid Build Coastguard Worker struct xt_entry_target targ2;
47*49cdfc7eSAndroid Build Coastguard Worker };
48*49cdfc7eSAndroid Build Coastguard Worker
setup(void)49*49cdfc7eSAndroid Build Coastguard Worker static void setup(void)
50*49cdfc7eSAndroid Build Coastguard Worker {
51*49cdfc7eSAndroid Build Coastguard Worker if (tst_kernel_bits() == 32 || sizeof(long) > 4)
52*49cdfc7eSAndroid Build Coastguard Worker tst_res(TCONF,
53*49cdfc7eSAndroid Build Coastguard Worker "The vulnerability was only present in 32-bit compat mode");
54*49cdfc7eSAndroid Build Coastguard Worker }
55*49cdfc7eSAndroid Build Coastguard Worker
run(void)56*49cdfc7eSAndroid Build Coastguard Worker static void run(void)
57*49cdfc7eSAndroid Build Coastguard Worker {
58*49cdfc7eSAndroid Build Coastguard Worker int ret, sock_fd;
59*49cdfc7eSAndroid Build Coastguard Worker struct payload p = { 0 };
60*49cdfc7eSAndroid Build Coastguard Worker
61*49cdfc7eSAndroid Build Coastguard Worker sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
62*49cdfc7eSAndroid Build Coastguard Worker
63*49cdfc7eSAndroid Build Coastguard Worker strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
64*49cdfc7eSAndroid Build Coastguard Worker p.match.u.match_size = OFFSET_OVERWRITE;
65*49cdfc7eSAndroid Build Coastguard Worker
66*49cdfc7eSAndroid Build Coastguard Worker p.ent.next_offset = NEXT_OFFSET;
67*49cdfc7eSAndroid Build Coastguard Worker p.ent.target_offset = TOO_SMALL_OFFSET;
68*49cdfc7eSAndroid Build Coastguard Worker
69*49cdfc7eSAndroid Build Coastguard Worker p.repl.num_entries = 2;
70*49cdfc7eSAndroid Build Coastguard Worker p.repl.num_counters = 1;
71*49cdfc7eSAndroid Build Coastguard Worker p.repl.size = sizeof(struct payload);
72*49cdfc7eSAndroid Build Coastguard Worker p.repl.valid_hooks = 0;
73*49cdfc7eSAndroid Build Coastguard Worker
74*49cdfc7eSAndroid Build Coastguard Worker ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
75*49cdfc7eSAndroid Build Coastguard Worker &p, sizeof(struct payload));
76*49cdfc7eSAndroid Build Coastguard Worker tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
77*49cdfc7eSAndroid Build Coastguard Worker }
78*49cdfc7eSAndroid Build Coastguard Worker
79*49cdfc7eSAndroid Build Coastguard Worker static struct tst_test test = {
80*49cdfc7eSAndroid Build Coastguard Worker .setup = setup,
81*49cdfc7eSAndroid Build Coastguard Worker .test_all = run,
82*49cdfc7eSAndroid Build Coastguard Worker .needs_root = 1,
83*49cdfc7eSAndroid Build Coastguard Worker .tags = (const struct tst_tag[]){
84*49cdfc7eSAndroid Build Coastguard Worker {"linux-git", "ce683e5f9d04"},
85*49cdfc7eSAndroid Build Coastguard Worker {"CVE", "CVE-2016-4997"},
86*49cdfc7eSAndroid Build Coastguard Worker {}
87*49cdfc7eSAndroid Build Coastguard Worker }
88*49cdfc7eSAndroid Build Coastguard Worker };
89