android13/external/ltp/testcases/kernel/syscalls/setsockopt/setsockopt06.c

134 lines
2.9 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
*/
/*
* CVE-2016-8655
*
* Check for race condition between packet_set_ring() and tp_version. On some
* kernels, this may lead to use-after-free. Kernel crash fixed in:
*
* commit 84ac7260236a49c79eede91617700174c2c19b0c
* Author: Philip Pettersson <philip.pettersson@gmail.com>
* Date: Wed Nov 30 14:55:36 2016 -0800
*
* packet: fix race condition in packet_set_ring
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sched.h>
#include "tst_test.h"
#include "tst_fuzzy_sync.h"
#include "lapi/if_packet.h"
#include "lapi/if_ether.h"
static int sock = -1;
static struct tst_fzsync_pair fzsync_pair;
static void setup(void)
{
int real_uid = getuid();
int real_gid = getgid();
SAFE_UNSHARE(CLONE_NEWUSER);
SAFE_UNSHARE(CLONE_NEWNET);
SAFE_FILE_PRINTF("/proc/self/setgroups", "deny");
SAFE_FILE_PRINTF("/proc/self/uid_map", "0 %d 1", real_uid);
SAFE_FILE_PRINTF("/proc/self/gid_map", "0 %d 1", real_gid);
fzsync_pair.exec_loops = 100000;
fzsync_pair.exec_time_p = 0.9;
tst_fzsync_pair_init(&fzsync_pair);
}
static void *thread_run(void *arg)
{
int ret;
struct tpacket_req3 req = {
.tp_block_size = 4096,
.tp_block_nr = 1,
.tp_frame_size = 4096,
.tp_frame_nr = 1,
.tp_retire_blk_tov = 100
};
while (tst_fzsync_run_b(&fzsync_pair)) {
tst_fzsync_start_race_b(&fzsync_pair);
ret = setsockopt(sock, SOL_PACKET, PACKET_RX_RING, &req,
sizeof(req));
tst_fzsync_end_race_b(&fzsync_pair);
if (!ret)
tst_fzsync_pair_add_bias(&fzsync_pair, -10);
}
return arg;
}
static void run(void)
{
int val1 = TPACKET_V1, val3 = TPACKET_V3;
tst_fzsync_pair_reset(&fzsync_pair, thread_run);
while (tst_fzsync_run_a(&fzsync_pair)) {
sock = SAFE_SOCKET(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
TEST(setsockopt(sock, SOL_PACKET, PACKET_VERSION, &val3,
sizeof(val3)));
if (TST_RET == -1 && TST_ERR == EINVAL)
tst_brk(TCONF | TTERRNO, "TPACKET_V3 not supported");
if (TST_RET) {
tst_brk(TBROK | TTERRNO,
"setsockopt(PACKET_VERSION, TPACKET_V3");
}
tst_fzsync_start_race_a(&fzsync_pair);
setsockopt(sock, SOL_PACKET, PACKET_VERSION, &val1,
sizeof(val1));
tst_fzsync_end_race_a(&fzsync_pair);
SAFE_CLOSE(sock);
}
/* setsockopt(PACKET_RX_RING) created a 100ms timer. Wait for it. */
usleep(300000);
if (tst_taint_check()) {
tst_res(TFAIL, "Kernel is vulnerable");
return;
}
tst_res(TPASS, "Nothing bad happened, probably");
}
static void cleanup(void)
{
tst_fzsync_pair_cleanup(&fzsync_pair);
if (sock >= 0)
SAFE_CLOSE(sock);
}
static struct tst_test test = {
.test_all = run,
.setup = setup,
.cleanup = cleanup,
.taint_check = TST_TAINT_W | TST_TAINT_D,
.needs_kconfigs = (const char *[]) {
"CONFIG_USER_NS=y",
"CONFIG_NET_NS=y",
NULL
},
.tags = (const struct tst_tag[]) {
{"linux-git", "84ac7260236a"},
{"CVE", "2016-8655"},
{}
}
};