* [LTP] [PATCH 1/2] Add test for CVE 2016-8655
@ 2020-05-05 10:24 Martin Doucha
2020-05-05 10:24 ` [LTP] [PATCH 2/2] Add test for CVE 2017-1000111 Martin Doucha
2020-05-05 13:17 ` [LTP] [PATCH 1/2] Add test for CVE 2016-8655 Petr Vorel
0 siblings, 2 replies; 7+ messages in thread
From: Martin Doucha @ 2020-05-05 10:24 UTC (permalink / raw)
To: ltp
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
This test is awfully slow, but it checks for a local root exploit.
runtest/cve | 1 +
runtest/syscalls | 1 +
.../kernel/syscalls/setsockopt/.gitignore | 1 +
testcases/kernel/syscalls/setsockopt/Makefile | 2 +
.../kernel/syscalls/setsockopt/setsockopt06.c | 125 ++++++++++++++++++
5 files changed, 130 insertions(+)
create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt06.c
diff --git a/runtest/cve b/runtest/cve
index c2e9e8c89..786b5ee76 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -12,6 +12,7 @@ cve-2016-4997 setsockopt03
cve-2016-5195 dirtyc0w
cve-2016-7042 cve-2016-7042
cve-2016-7117 cve-2016-7117
+cve-2016-8655 setsockopt06
cve-2016-9604 keyctl08
cve-2016-9793 setsockopt04
cve-2016-10044 cve-2016-10044
diff --git a/runtest/syscalls b/runtest/syscalls
index cbab5730c..bdcd9a5b8 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1326,6 +1326,7 @@ setsockopt02 setsockopt02
setsockopt03 setsockopt03
setsockopt04 setsockopt04
setsockopt05 setsockopt05
+setsockopt06 setsockopt06
settimeofday01 settimeofday01
settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index f4eabd92b..ad067c3e3 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -3,3 +3,4 @@
/setsockopt03
/setsockopt04
/setsockopt05
+/setsockopt06
diff --git a/testcases/kernel/syscalls/setsockopt/Makefile b/testcases/kernel/syscalls/setsockopt/Makefile
index 044619fb8..1e80facd4 100644
--- a/testcases/kernel/syscalls/setsockopt/Makefile
+++ b/testcases/kernel/syscalls/setsockopt/Makefile
@@ -2,6 +2,8 @@
# Copyright (c) International Business Machines Corp., 2001
top_srcdir ?= ../../../..
+setsockopt06: CFLAGS += -pthread
+setsockopt06: LDLIBS += -lrt
include $(top_srcdir)/include/mk/testcases.mk
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt06.c b/testcases/kernel/syscalls/setsockopt/setsockopt06.c
new file mode 100644
index 000000000..ae2d170a7
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt06.c
@@ -0,0 +1,125 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
+ */
+
+/*
+ * CVE-2016-8655
+ *
+ * Check for race condition between packet_set_ring() and tp_version. On some
+ * kernels, this may lead to use-after-free. Kernel crash fixed in:
+ *
+ * commit 84ac7260236a49c79eede91617700174c2c19b0c
+ * Author: Philip Pettersson <philip.pettersson@gmail.com>
+ * Date: Wed Nov 30 14:55:36 2016 -0800
+ *
+ * packet: fix race condition in packet_set_ring
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/if_packet.h>
+#include <net/ethernet.h>
+#include <sched.h>
+
+#include "tst_test.h"
+#include "tst_fuzzy_sync.h"
+#include "tst_taint.h"
+
+static int sock = -1;
+static struct tst_fzsync_pair fzsync_pair;
+
+static void setup(void)
+{
+ int real_uid = getuid();
+ int real_gid = getgid();
+
+ tst_taint_init(TST_TAINT_W | TST_TAINT_D);
+
+ SAFE_UNSHARE(CLONE_NEWUSER);
+ SAFE_UNSHARE(CLONE_NEWNET);
+ SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
+ SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
+ SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+
+ fzsync_pair.exec_loops = 100000;
+ fzsync_pair.exec_time_p = 0.9;
+ tst_fzsync_pair_init(&fzsync_pair);
+}
+
+static void *thread_run(void *arg)
+{
+ int ret;
+ struct tpacket_req3 req = {
+ .tp_block_size = 4096,
+ .tp_block_nr = 1,
+ .tp_frame_size = 4096,
+ .tp_frame_nr = 1,
+ .tp_retire_blk_tov = 100
+ };
+
+ while (tst_fzsync_run_b(&fzsync_pair)) {
+ tst_fzsync_start_race_b(&fzsync_pair);
+ ret = setsockopt(sock, SOL_PACKET, PACKET_RX_RING, &req,
+ sizeof(req));
+ tst_fzsync_end_race_b(&fzsync_pair);
+
+ if (!ret)
+ tst_fzsync_pair_add_bias(&fzsync_pair, -10);
+ }
+
+ return arg;
+}
+
+static void run(void)
+{
+ int val = TPACKET_V1;
+
+ tst_fzsync_pair_reset(&fzsync_pair, thread_run);
+
+ while (tst_fzsync_run_a(&fzsync_pair)) {
+ sock = SAFE_SOCKET(AF_PACKET, SOCK_RAW, htons(ETH_P_IP));
+ SAFE_SETSOCKOPT_INT(sock, SOL_PACKET, PACKET_VERSION,
+ TPACKET_V3);
+ tst_fzsync_start_race_a(&fzsync_pair);
+ setsockopt(sock, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+ tst_fzsync_end_race_a(&fzsync_pair);
+ SAFE_CLOSE(sock);
+ }
+
+ /* setsockopt(PACKET_RX_RING) created a 100ms timer. Wait for it. */
+ usleep(300000);
+
+ if (tst_taint_check()) {
+ tst_res(TFAIL, "Kernel is vulnerable");
+ return;
+ }
+
+ tst_res(TPASS, "Nothing bad happened, probably");
+}
+
+static void cleanup(void)
+{
+ tst_fzsync_pair_cleanup(&fzsync_pair);
+
+ if (sock >= 0)
+ SAFE_CLOSE(sock);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ NULL
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "84ac7260236a"},
+ {"CVE", "2016-8655"},
+ {}
+ }
+};
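Review bot: The return value of the racing `setsockopt(PACKET_VERSION)` in run() is dropped without a word, and thread_run() reads the shared `sock` while run() closes and reopens it on every iteration, so a reader cannot tell which of these is deliberate. Presumably the downgrade call is expected to fail once the ring is attached and only its timing matters, and the unsynchronized `sock` is tolerable because the process holds a single socket so the descriptor number is reused; a comment on each would make that explicit, e.g. `/* Expected to fail once the ring is attached; only the race window matters */` above the call in run() and `/* Shared with thread_run() without locking on purpose; only one fd is ever open */` on the `static int sock` declaration. The `usleep(300000)` is tied by hand to `tp_retire_blk_tov = 100` in thread_run(); naming the timeout once (e.g. a `RETIRE_TOV_MS` define used in both places) would keep the wait from silently drifting if the request is ever tuned. The TPASS text `Nothing bad happened, probably` is honest for a race test, but the header comment should say that a clean run bounds the attempt count, not the absence of the bug.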
--
2.26.2
* [LTP] [PATCH 2/2] Add test for CVE 2017-1000111
2020-05-05 10:24 [LTP] [PATCH 1/2] Add test for CVE 2016-8655 Martin Doucha
@ 2020-05-05 10:24 ` Martin Doucha
2020-05-05 13:17 ` [LTP] [PATCH 1/2] Add test for CVE 2016-8655 Petr Vorel
1 sibling, 0 replies; 7+ messages in thread
From: Martin Doucha @ 2020-05-05 10:24 UTC (permalink / raw)
To: ltp
Fixes #497
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
The tiny race iteration limit is intentional. The bug is mostly harmless and
setsockopt(PACKET_RX_RING) is really slow. Vulnerable kernels will fail
the test in 15 iterations or less. The test will run for about 30 seconds
on patched systems.
runtest/cve | 1 +
runtest/syscalls | 1 +
.../kernel/syscalls/setsockopt/.gitignore | 1 +
testcases/kernel/syscalls/setsockopt/Makefile | 4 +-
.../kernel/syscalls/setsockopt/setsockopt07.c | 138 ++++++++++++++++++
5 files changed, 143 insertions(+), 2 deletions(-)
create mode 100644 testcases/kernel/syscalls/setsockopt/setsockopt07.c
diff --git a/runtest/cve b/runtest/cve
index 786b5ee76..339d57f23 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -40,6 +40,7 @@ cve-2017-16939 cve-2017-16939
cve-2017-16995 bpf_prog03
cve-2017-17053 cve-2017-17053
cve-2017-18075 pcrypt_aead01
+cve-2017-1000111 setsockopt07
cve-2017-1000112 setsockopt05
cve-2017-1000380 snd_timer01
cve-2018-5803 sctp_big_chunk
diff --git a/runtest/syscalls b/runtest/syscalls
index bdcd9a5b8..3d953fd22 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -1327,6 +1327,7 @@ setsockopt03 setsockopt03
setsockopt04 setsockopt04
setsockopt05 setsockopt05
setsockopt06 setsockopt06
+setsockopt07 setsockopt07
settimeofday01 settimeofday01
settimeofday02 settimeofday02
diff --git a/testcases/kernel/syscalls/setsockopt/.gitignore b/testcases/kernel/syscalls/setsockopt/.gitignore
index ad067c3e3..1ca5b836b 100644
--- a/testcases/kernel/syscalls/setsockopt/.gitignore
+++ b/testcases/kernel/syscalls/setsockopt/.gitignore
@@ -4,3 +4,4 @@
/setsockopt04
/setsockopt05
/setsockopt06
+/setsockopt07
diff --git a/testcases/kernel/syscalls/setsockopt/Makefile b/testcases/kernel/syscalls/setsockopt/Makefile
index 1e80facd4..678ada75a 100644
--- a/testcases/kernel/syscalls/setsockopt/Makefile
+++ b/testcases/kernel/syscalls/setsockopt/Makefile
@@ -2,8 +2,8 @@
# Copyright (c) International Business Machines Corp., 2001
top_srcdir ?= ../../../..
-setsockopt06: CFLAGS += -pthread
-setsockopt06: LDLIBS += -lrt
+setsockopt06 setsockopt07: CFLAGS += -pthread
+setsockopt06 setsockopt07: LDLIBS += -lrt
include $(top_srcdir)/include/mk/testcases.mk
diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt07.c b/testcases/kernel/syscalls/setsockopt/setsockopt07.c
new file mode 100644
index 000000000..69536068f
--- /dev/null
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt07.c
@@ -0,0 +1,138 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
+ */
+
+/*
+ * CVE-2017-1000111
+ *
+ * Check for race condition between packet_set_ring() and tp_reserve.
+ * The race allows you to set tp_reserve bigger than ring buffer size.
+ * While this will cause truncation of all incoming packets to 0 bytes,
+ * sanity checks in tpacket_rcv() prevent any exploitable buffer overflows.
+ * Race fixed in:
+ *
+ * commit c27927e372f0785f3303e8fad94b85945e2c97b7 (HEAD)
+ * Author: Willem de Bruijn <willemb@google.com>
+ * Date: Thu Aug 10 12:41:58 2017 -0400
+ *
+ * packet: fix tp_reserve race in packet_set_ring
+ */
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/if_packet.h>
+#include <net/ethernet.h>
+#include <sched.h>
+
+#include "tst_test.h"
+#include "tst_fuzzy_sync.h"
+#include "tst_taint.h"
+
+static int sock = -1;
+static struct tst_fzsync_pair fzsync_pair;
+
+static void setup(void)
+{
+ int real_uid = getuid();
+ int real_gid = getgid();
+
+ tst_taint_init(TST_TAINT_W | TST_TAINT_D);
+
+ SAFE_UNSHARE(CLONE_NEWUSER);
+ SAFE_UNSHARE(CLONE_NEWNET);
+ SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
+ SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
+ SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
+
+ /* Reproducing the bug on unpatched system takes <15 loops. The test
+ * is slow and the bug is mostly harmless so don't waste too much
+ * time.
+ */
+ fzsync_pair.exec_loops = 500;
+ tst_fzsync_pair_init(&fzsync_pair);
+}
+
+static void *thread_run(void *arg)
+{
+ unsigned int val = 1 << 30;
+
+ while (tst_fzsync_run_b(&fzsync_pair)) {
+ tst_fzsync_start_race_b(&fzsync_pair);
+ setsockopt(sock, SOL_PACKET, PACKET_RESERVE, &val, sizeof(val));
+ tst_fzsync_end_race_b(&fzsync_pair);
+ }
+
+ return arg;
+}
+
+static void run(void)
+{
+ unsigned int val;
+ socklen_t vsize = sizeof(val);
+ struct tpacket_req3 req = {
+ .tp_block_size = 4096,
+ .tp_block_nr = 1,
+ .tp_frame_size = 4096,
+ .tp_frame_nr = 1,
+ .tp_retire_blk_tov = 100
+ };
+
+ tst_fzsync_pair_reset(&fzsync_pair, thread_run);
+
+ while (tst_fzsync_run_a(&fzsync_pair)) {
+ sock = SAFE_SOCKET(AF_PACKET, SOCK_RAW, htons(ETH_P_IP));
+ SAFE_SETSOCKOPT_INT(sock, SOL_PACKET, PACKET_VERSION,
+ TPACKET_V3);
+ tst_fzsync_start_race_a(&fzsync_pair);
+ TEST(setsockopt(sock, SOL_PACKET, PACKET_RX_RING, &req,
+ sizeof(req)));
+ tst_fzsync_end_race_a(&fzsync_pair);
+
+ SAFE_GETSOCKOPT(sock, SOL_PACKET, PACKET_RESERVE, &val, &vsize);
+ SAFE_CLOSE(sock);
+
+ if (TST_RET == -1 && TST_ERR == EINVAL) {
+ tst_fzsync_pair_add_bias(&fzsync_pair, 1);
+ continue;
+ }
+
+ if (TST_RET) {
+ tst_brk(TBROK | TTERRNO,
+ "Invalid setsockopt() return value");
+ }
+
+ if (val > req.tp_block_size){
+ tst_res(TFAIL, "PACKET_RESERVE checks bypassed");
+ return;
+ }
+ }
+
+ tst_res(TPASS, "Cannot reproduce bug");
+}
+
+static void cleanup(void)
+{
+ tst_fzsync_pair_cleanup(&fzsync_pair);
+
+ if (sock >= 0)
+ SAFE_CLOSE(sock);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_kconfigs = (const char *[]) {
+ "CONFIG_USER_NS=y",
+ "CONFIG_NET_NS=y",
+ NULL
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "c27927e372f0"},
+ {"CVE", "2017-1000111"},
+ {}
+ }
+};
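Review bot: The failure check `if (val > req.tp_block_size){` in run() compares the leaked tp_reserve against the block size, while the header comment describes the bypassed limit in terms of the ring buffer and the kernel check (not visible here) is, as far as I can tell, expressed against the frame size; both are 4096 in this request so the verdict is the same, but `if (val > req.tp_frame_size) {` reads closer to what is being asserted and also fixes the missing space before the brace. The EINVAL branch retries silently, and nothing says why a failed PACKET_RX_RING is not an error; a one-line comment such as `/* PACKET_RESERVE landed first and the ring was refused; widen the window */` above `tst_fzsync_pair_add_bias()` would spare the next reader the guess. The `1 << 30` in thread_run() is a magic value with no note that it only needs to exceed any sane ring size; a named constant or a comment would do.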
--
2.26.2
* [LTP] [PATCH 1/2] Add test for CVE 2016-8655
2020-05-05 10:24 [LTP] [PATCH 1/2] Add test for CVE 2016-8655 Martin Doucha
2020-05-05 10:24 ` [LTP] [PATCH 2/2] Add test for CVE 2017-1000111 Martin Doucha
@ 2020-05-05 13:17 ` Petr Vorel
2020-05-05 14:31 ` Cyril Hrubis
2020-05-05 14:33 ` Martin Doucha
1 sibling, 2 replies; 7+ messages in thread
From: Petr Vorel @ 2020-05-05 13:17 UTC (permalink / raw)
To: ltp
Hi Martin,
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Both patches LGTM.
gcc 4 from CentOS 6 strikes again:
https://travis-ci.org/github/pevik/ltp/jobs/683350147
setsockopt06.c: In function 'thread_run':
setsockopt06.c:55: error: variable 'req' has initializer but incomplete type
setsockopt06.c:56: error: unknown field 'tp_block_size' specified in initializer
setsockopt06.c:56: warning: excess elements in struct initializer
setsockopt06.c:56: warning: (near initialization for 'req')
setsockopt06.c:57: error: unknown field 'tp_block_nr' specified in initializer
setsockopt06.c:57: warning: excess elements in struct initializer
setsockopt06.c:57: warning: (near initialization for 'req')
setsockopt06.c:58: error: unknown field 'tp_frame_size' specified in initializer
setsockopt06.c:58: warning: excess elements in struct initializer
setsockopt06.c:58: warning: (near initialization for 'req')
setsockopt06.c:59: error: unknown field 'tp_frame_nr' specified in initializer
setsockopt06.c:59: warning: excess elements in struct initializer
setsockopt06.c:59: warning: (near initialization for 'req')
setsockopt06.c:60: error: unknown field 'tp_retire_blk_tov' specified in initializer
setsockopt06.c:61: warning: excess elements in struct initializer
setsockopt06.c:61: warning: (near initialization for 'req')
setsockopt06.c:55: error: storage size of 'req' isn't known
setsockopt06.c:55: warning: unused variable 'req'
setsockopt06.c: In function 'run':
setsockopt06.c:84: error: 'TPACKET_V3' undeclared (first use in this function)
setsockopt06.c:84: error: (Each undeclared identifier is reported only once
setsockopt06.c:84: error: for each function it appears in.)
both tests need this definition, which is already in setsockopt02.c.
#ifndef HAVE_STRUCT_TPACKET_REQ3
# define TPACKET_V3 2
struct tpacket_req3 {
unsigned int tp_block_size;
unsigned int tp_block_nr;
unsigned int tp_frame_size;
unsigned int tp_frame_nr;
unsigned int tp_retire_blk_tov;
unsigned int tp_sizeof_priv;
unsigned int tp_feature_req_word;
};
#endif
I wanted to propose after release dropping gcc 4 support by deleting CentOS 6
from Travis (but maybe we should drop it even now). To keep the support, it'd be
good to add lapi/if_packet.h with this definition.
Kind regards,
Petr
2020-05-05 13:17 ` [LTP] [PATCH 1/2] Add test for CVE 2016-8655 Petr Vorel
@ 2020-05-05 14:31 ` Cyril Hrubis
2020-05-05 15:26 ` Petr Vorel
2020-05-05 14:33 ` Martin Doucha
1 sibling, 1 reply; 7+ messages in thread
From: Cyril Hrubis @ 2020-05-05 14:31 UTC (permalink / raw)
To: ltp
Hi!
> I wanted to propose after release dropping gcc 4 support by deleting CentOS 6
> from Travis (but maybe we should drop it even now). To keep the support, it'd be
> good to add lapi/if_packet.h with this definition.
That mainly depends on if someone wants to still carry on supporting it.
Does someone out there still need CentOS 6?
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH 1/2] Add test for CVE 2016-8655
2020-05-05 14:31 ` Cyril Hrubis
@ 2020-05-05 15:26 ` Petr Vorel
0 siblings, 0 replies; 7+ messages in thread
From: Petr Vorel @ 2020-05-05 15:26 UTC (permalink / raw)
To: ltp
Hi,
> > I wanted to propose after release dropping gcc 4 support by deleting CentOS 6
> > from Travis (but maybe we should drop it even now). To keep the support, it'd be
> > good to add lapi/if_packet.h with this definition.
> That mainly depends on if someone wants to still carry on supporting it.
> Does someone out there still need CentOS 6?
Should we send separate RFC about dropping support for this oldest distro in
Travis? If nobody interested and unless it requires too much effort I'd keep it
for this release.
Kind regards,
Petr
* [LTP] [PATCH 1/2] Add test for CVE 2016-8655
2020-05-05 13:17 ` [LTP] [PATCH 1/2] Add test for CVE 2016-8655 Petr Vorel
2020-05-05 14:31 ` Cyril Hrubis
@ 2020-05-05 14:33 ` Martin Doucha
2020-05-05 15:14 ` Petr Vorel
1 sibling, 1 reply; 7+ messages in thread
From: Martin Doucha @ 2020-05-05 14:33 UTC (permalink / raw)
To: ltp
On 05. 05. 20 15:17, Petr Vorel wrote:
> I wanted to propose after release dropping gcc 4 support by deleting CentOS 6
> from Travis (but maybe we should drop it even now). To keep the support, it'd be
> good to add lapi/if_packet.h with this definition.
I don't really care about CentOS 6 either way but I'll add the new LAPI
header and resubmit.
--
Martin Doucha mdoucha@suse.cz
QA Engineer for Software Maintenance
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
* [LTP] [PATCH 1/2] Add test for CVE 2016-8655
2020-05-05 14:33 ` Martin Doucha
@ 2020-05-05 15:14 ` Petr Vorel
0 siblings, 0 replies; 7+ messages in thread
From: Petr Vorel @ 2020-05-05 15:14 UTC (permalink / raw)
To: ltp
Hi Martin,
> On 05. 05. 20 15:17, Petr Vorel wrote:
> > I wanted to propose after release dropping gcc 4 support by deleting CentOS 6
> > from Travis (but maybe we should drop it even now). To keep the support, it'd be
> > good to add lapi/if_packet.h with this definition.
> I don't really care about CentOS 6 either way but I'll add the new LAPI
> header and resubmit.
Thanks a lot!
And we should really decide when drop it.
Kind regards,
Petr