Loading...
/* * Copyright (c) 2017, 2025 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. The rights granted to you under the License * may not be used to create, or enable the creation or redistribution of, * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ /* * Test for flow divert mbuf double free vulnerability * * SO_FLOW_DIVERT_TOKEN is a socket option on the SOL_SOCKET layer. * The implementation in flow_divert_token_set() has incorrect error handling: * * If soopt_mcopyin() fails (e.g., with an invalid userspace pointer), * it frees the mbuf. However, flow_divert_token_set() isn't aware of * these semantics and also calls mbuf_freem() on the same mbuf, * resulting in a double-free. * * This test verifies the fix by attempting to trigger the condition * that would have caused the double-free. */ #include <darwintest.h> #include <sys/socket.h> T_GLOBAL_META( T_META_NAMESPACE("xnu.net"), T_META_RADAR_COMPONENT_NAME("xnu"), T_META_RADAR_COMPONENT_VERSION("networking") ); #define SO_FLOW_DIVERT_TOKEN 0x1106 T_DECL(flow_divert_mbuf_double_free, "test SO_FLOW_DIVERT_TOKEN with invalid pointer does not double-free mbuf", T_META_CHECK_LEAKS(false)) { int sock; sock = socket(PF_INET, SOCK_DGRAM, 0); T_ASSERT_POSIX_SUCCESS(sock, "socket(PF_INET, SOCK_DGRAM, 0)"); T_LOG("Testing SO_FLOW_DIVERT_TOKEN with invalid userspace pointer"); /* This should fail gracefully without causing a double-free */ int ret = setsockopt(sock, SOL_SOCKET, SO_FLOW_DIVERT_TOKEN, (void *)0x424242424242ULL, 100); if (ret == 0) { T_LOG("setsockopt succeeded unexpectedly"); } else { T_LOG("setsockopt failed as expected: %s", strerror(errno)); } close(sock); T_PASS("flow_divert_mbuf_double_free completed without crash"); } |