1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
4 */
5 /* Test for CVE-2017-7308 on a raw socket's ring buffer
6 *
7 * Try to set tpacket_req3.tp_sizeof_priv to a value with the high bit set. So
8 * that tp_block_size < tp_sizeof_priv. If the vulnerability is present then
9 * this will cause an integer arithmetic overflow and the absurd
10 * tp_sizeof_priv value will be allowed. If it has been fixed then setsockopt
11 * will fail with EINVAL.
12 *
13 * We also try a good configuration to make sure it is not failing with EINVAL
14 * for some other reason.
15 *
16 * For a better and more interesting discussion of this CVE see:
17 * https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
18 */
19
20 #include <errno.h>
21 #include "tst_test.h"
22 #include "tst_safe_net.h"
23 #include "config.h"
24
25 #ifdef HAVE_LINUX_IF_PACKET_H
26 # include <linux/if_packet.h>
27 #endif
28
29 #ifdef HAVE_LINUX_IF_ETHER_H
30 # include <linux/if_ether.h>
31 #endif
32
33 #ifndef ETH_P_ALL
34 # define ETH_P_ALL 0x0003
35 #endif
36
37 #ifndef PACKET_RX_RING
38 # define PACKET_RX_RING 5
39 #endif
40
41 #ifndef PACKET_VERSION
42 # define PACKET_VERSION 10
43 #endif
44
45 #ifndef HAVE_STRUCT_TPACKET_REQ3
46 # define TPACKET_V3 2
47
48 struct tpacket_req3 {
49 unsigned int tp_block_size;
50 unsigned int tp_block_nr;
51 unsigned int tp_frame_size;
52 unsigned int tp_frame_nr;
53 unsigned int tp_retire_blk_tov;
54 unsigned int tp_sizeof_priv;
55 unsigned int tp_feature_req_word;
56 };
57 #endif
58
59 static int sk;
60 static long pgsz;
61
setup(void)62 static void setup(void)
63 {
64 pgsz = SAFE_SYSCONF(_SC_PAGESIZE);
65 }
66
cleanup(void)67 static void cleanup(void)
68 {
69 if (sk > 0)
70 SAFE_CLOSE(sk);
71 }
72
create_skbuf(unsigned int sizeof_priv)73 static int create_skbuf(unsigned int sizeof_priv)
74 {
75 int ver = TPACKET_V3;
76 struct tpacket_req3 req = {};
77
78 req.tp_block_size = pgsz;
79 req.tp_block_nr = 2;
80 req.tp_frame_size = req.tp_block_size;
81 req.tp_frame_nr = req.tp_block_nr;
82 req.tp_retire_blk_tov = 100;
83
84 req.tp_sizeof_priv = sizeof_priv;
85
86 sk = SAFE_SOCKET(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
87 TEST(setsockopt(sk, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver)));
88 if (TST_RET && TST_ERR == EINVAL)
89 tst_brk(TCONF | TTERRNO, "TPACKET_V3 not supported");
90 if (TST_RET)
91 tst_brk(TBROK | TTERRNO, "setsockopt(sk, SOL_PACKET, PACKET_VERSION, TPACKET_V3)");
92
93 return setsockopt(sk, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
94 }
95
good_size(void)96 static void good_size(void)
97 {
98 TEST(create_skbuf(512));
99 if (TST_RET)
100 tst_brk(TBROK | TTERRNO, "Can't create ring buffer with good settings");
101
102 tst_res(TPASS, "Can create ring buffer with good settinegs");
103 }
104
bad_size(void)105 static void bad_size(void)
106 {
107 TEST(create_skbuf(3U << 30));
108 if (TST_RET && TST_ERR != EINVAL)
109 tst_brk(TBROK | TTERRNO, "Unexpected setsockopt() error");
110 if (TST_RET)
111 tst_res(TPASS | TTERRNO, "Refused bad tp_sizeof_priv value");
112 else
113 tst_res(TFAIL, "Allowed bad tp_sizeof_priv value");
114 }
115
run(unsigned int i)116 static void run(unsigned int i)
117 {
118 if (i == 0)
119 good_size();
120 else
121 bad_size();
122
123 SAFE_CLOSE(sk);
124 }
125
126 static struct tst_test test = {
127 .test = run,
128 .tcnt = 2,
129 .needs_root = 1,
130 .setup = setup,
131 .cleanup = cleanup,
132 .min_kver = "3.2",
133 };
134