xref: /aosp_15_r20/external/ltp/testcases/kernel/syscalls/setsockopt/setsockopt03.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Richard Palethorpe <[email protected]>
4  * Based on repro-compatReleaseEntry.c by NCC group
5  */
6 
7 /*\
8  * [Description]
9  *
10  * Test for CVE-2016-4997
11  *
12  * For a full explanation of how the vulnerability works see:
13  * https://github.com/nccgroup/TriforceLinuxSyscallFuzzer/tree/master/crash_reports/report_compatIpt
14  *
15  * The original vulnerability was present in the 32-bit compatibility system
16  * call, so the test should be compiled with -m32 and run on a 64-bit kernel.
17  * For simplicities sake the test requests root privileges instead of creating
18  * a user namespace.
19  */
20 
21 #include <stdint.h>
22 #include <sys/types.h>
23 #include <sys/socket.h>
24 #include <netinet/in.h>
25 #include <limits.h>
26 
27 #include "tst_test.h"
28 #include "tst_safe_net.h"
29 #include "tst_kernel.h"
30 
31 #include "lapi/ip_tables.h"
32 
33 #define TOO_SMALL_OFFSET 74
34 #define OFFSET_OVERWRITE 0xFFFF
35 #define NEXT_OFFSET (sizeof(struct ipt_entry)		\
36 		     + sizeof(struct xt_entry_match)	\
37 		     + sizeof(struct xt_entry_target))
38 #define PADDING (OFFSET_OVERWRITE - NEXT_OFFSET)
39 
40 struct payload {
41 	struct ipt_replace repl;
42 	struct ipt_entry ent;
43 	struct xt_entry_match match;
44 	struct xt_entry_target targ;
45 	char padding[PADDING];
46 	struct xt_entry_target targ2;
47 };
48 
setup(void)49 static void setup(void)
50 {
51 	if (tst_kernel_bits() == 32 || sizeof(long) > 4)
52 		tst_res(TCONF,
53 			"The vulnerability was only present in 32-bit compat mode");
54 }
55 
run(void)56 static void run(void)
57 {
58 	int ret, sock_fd;
59 	struct payload p = { 0 };
60 
61 	sock_fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
62 
63 	strncpy(p.match.u.user.name, "icmp", sizeof(p.match.u.user.name));
64 	p.match.u.match_size = OFFSET_OVERWRITE;
65 
66 	p.ent.next_offset = NEXT_OFFSET;
67 	p.ent.target_offset = TOO_SMALL_OFFSET;
68 
69 	p.repl.num_entries = 2;
70 	p.repl.num_counters = 1;
71 	p.repl.size = sizeof(struct payload);
72 	p.repl.valid_hooks = 0;
73 
74 	ret = setsockopt(sock_fd, SOL_IP, IPT_SO_SET_REPLACE,
75 			 &p, sizeof(struct payload));
76 	tst_res(TPASS | TERRNO, "We didn't cause a crash, setsockopt returned %d", ret);
77 }
78 
79 static struct tst_test test = {
80 	.setup = setup,
81 	.test_all = run,
82 	.needs_root = 1,
83 	.tags = (const struct tst_tag[]){
84 		{"linux-git", "ce683e5f9d04"},
85 		{"CVE", "CVE-2016-4997"},
86 		{}
87 	}
88 };
89