167 lines
6.0 KiB
C
167 lines
6.0 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Copyright (c) 2021 SUSE LLC <rpalethorpe@suse.com>
|
|
* Based on reproducer by Nicolai Stange based on PoC Andy Nguyen
|
|
*/
|
|
/*\
|
|
* [Description]
|
|
*
|
|
* This will reproduce the bug on x86_64 in 32bit compatibility
|
|
* mode. It is most reliable with KASAN enabled. Otherwise it relies
|
|
* on the out-of-bounds write corrupting something which leads to a
|
|
* crash. It will run in other scenarious, but is not a test for the
|
|
* CVE.
|
|
*
|
|
* See https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
|
|
*
|
|
* Also below is Nicolai's detailed description of the bug itself.
|
|
*
|
|
* The problem underlying CVE-2021-22555 fixed by upstream commit
|
|
* b29c457a6511 ("netfilter: x_tables: fix compat match/target pad
|
|
* out-of-bound write") is that the (now removed) padding zeroing code
|
|
* in xt_compat_target_from_user() had been based on the premise that
|
|
* the user specified ->u.user.target_size, which will be considered
|
|
* for the target buffer allocation size, is greater or equal than
|
|
* what's needed to fit the corresponding xt_target instance's
|
|
* ->targetsize: if OTOH the user specified ->u.user.target_size is
|
|
* too small, then the memset() destination address calculated by
|
|
* adding ->targetsize to the payload start will not point at, but
|
|
* into or even past the padding. For the table's last entry's target
|
|
* record, this will result in an out-of-bounds write past the
|
|
* destination buffer allocated for the converted table. The code
|
|
* below will create a (compat) table such that the converted table's
|
|
* calculated size will fit exactly into a slab size of 1024 bytes and
|
|
* that the memset() in xt_compat_target_from_user() will write past
|
|
* this slab.
|
|
*
|
|
* The table will consist of
|
|
* - the mandatory struct compat_ipt_replace header,
|
|
* - a single entry consisting of
|
|
* - the mandatory compat_ipt_entry header
|
|
* - a single 'state' match entry of appropriate size for
|
|
* controlling the out-of-bounds write when converting
|
|
* the target entry following next,
|
|
* - a single 'REJECT' target entry.
|
|
* The kernel will transform this into a buffer containing (in
|
|
* this order)
|
|
* - a xt_table_info
|
|
* - a single entry consisting of
|
|
* - its ipt_entry header
|
|
* - a single 'state' match entry
|
|
* - followed by a single 'REJECT' target entry.
|
|
*
|
|
* The expected sizes for the 'state' match entries as well as the
|
|
* 'REJECT' target are the size of the base header struct (32 bytes)
|
|
* plus the size of an unsigned int (4 bytes) each. In the course of
|
|
* the compat => non-compat conversion, the kernel will insert four
|
|
* bytes of padding after the unsigned int payload (c.f. 'off'
|
|
* adjustments via xt_compat_match_offset() and
|
|
* xt_compat_target_offset() in xt_compat_match_from_user() and
|
|
* xt_compat_target_from_user() resp.). This code is based on the
|
|
* premise that the user sets the given ->u.user.match_size or
|
|
* ->u.user.target_size consistent to the COMPAT_XT_ALIGN()ed payload
|
|
* size as specified by the corresponding xt_match instance's
|
|
* ->matchsize or xt_target instance's ->targetsize. That is, the
|
|
* padding gets inserted unconditionally during the transformation,
|
|
* independent of the actual values of ->u.user.match_size or
|
|
* ->u.user.target_size and the result ends up getting layed out with
|
|
* proper alignment only if said values match the expectations. That's
|
|
* not a problem in itself, but this unconditional insertion of
|
|
* padding must be taken into account in the match_size calculation
|
|
* below.
|
|
*
|
|
* For the match_size calculation below, note that the chosen
|
|
* target slab size is 1024 and that
|
|
* - sizeof(xt_table_info) = 64
|
|
* - sizeof(ipt_entry) = 112
|
|
* - the kernel will insert four bytes of padding
|
|
* after the match and target entries each.
|
|
* - sizeof(struct xt_entry_target) = 32
|
|
*/
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include "tst_test.h"
|
|
#include "tst_safe_net.h"
|
|
#include "lapi/ip_tables.h"
|
|
|
|
static void *buffer;
|
|
|
|
void setup(void)
|
|
{
|
|
if (tst_kernel_bits() == 32 || sizeof(long) > 4) {
|
|
tst_res(TINFO,
|
|
"The vulnerability was only present in 32-bit compat mode");
|
|
}
|
|
|
|
tst_setup_netns();
|
|
}
|
|
|
|
void run(void)
|
|
{
|
|
const char *const res_fmt_str =
|
|
"setsockopt(%d, IPPROTO_IP, IPT_SO_SET_REPLACE, %p, 1)";
|
|
struct ipt_replace *ipt_replace = buffer;
|
|
struct ipt_entry *ipt_entry = &ipt_replace->entries[0];
|
|
struct xt_entry_match *xt_entry_match =
|
|
(struct xt_entry_match *)&ipt_entry->elems[0];
|
|
const size_t tgt_size = 32;
|
|
const size_t match_size = 1024 - 64 - 112 - 4 - tgt_size - 4;
|
|
struct xt_entry_target *xt_entry_tgt =
|
|
((struct xt_entry_target *) (&ipt_entry->elems[0] + match_size));
|
|
int fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
|
|
int result;
|
|
|
|
xt_entry_match->u.user.match_size = (u_int16_t)match_size;
|
|
strcpy(xt_entry_match->u.user.name, "state");
|
|
|
|
xt_entry_tgt->u.user.target_size = (u_int16_t)tgt_size;
|
|
strcpy(xt_entry_tgt->u.user.name, "REJECT");
|
|
|
|
ipt_entry->target_offset =
|
|
(__builtin_offsetof(struct ipt_entry, elems) + match_size);
|
|
ipt_entry->next_offset = ipt_entry->target_offset + tgt_size;
|
|
|
|
strcpy(ipt_replace->name, "filter");
|
|
ipt_replace->num_entries = 1;
|
|
ipt_replace->num_counters = 1;
|
|
ipt_replace->size = ipt_entry->next_offset;
|
|
|
|
TEST(setsockopt(fd, IPPROTO_IP, IPT_SO_SET_REPLACE, buffer, 1));
|
|
|
|
if (TST_RET == -1 && TST_ERR == ENOPROTOOPT)
|
|
tst_brk(TCONF | TTERRNO, res_fmt_str, fd, buffer);
|
|
|
|
result = (TST_RET == -1 && TST_ERR == EINVAL) ? TPASS : TFAIL;
|
|
tst_res(result | TTERRNO, res_fmt_str, fd, buffer);
|
|
|
|
SAFE_CLOSE(fd);
|
|
}
|
|
|
|
static struct tst_test test = {
|
|
.setup = setup,
|
|
.test_all = run,
|
|
.taint_check = TST_TAINT_W | TST_TAINT_D,
|
|
.forks_child = 1,
|
|
.bufs = (struct tst_buffers []) {
|
|
{&buffer, .size = 2048},
|
|
{},
|
|
},
|
|
.needs_kconfigs = (const char *[]) {
|
|
"CONFIG_NETFILTER_XT_MATCH_STATE",
|
|
"CONFIG_IP_NF_TARGET_REJECT",
|
|
"CONFIG_USER_NS=y",
|
|
"CONFIG_NET_NS=y",
|
|
NULL
|
|
},
|
|
.save_restore = (const struct tst_path_val[]) {
|
|
{"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
|
|
{}
|
|
},
|
|
.tags = (const struct tst_tag[]) {
|
|
{"linux-git", "b29c457a6511"},
|
|
{"CVE", "2021-22555"},
|
|
{}
|
|
}
|
|
};
|