1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC <mdoucha@suse.cz>
4 */
5
6 /*
7 * CVE-2018-1000204
8 *
9 * Test ioctl(SG_IO) and check that kernel doesn't leak data. Requires
10 * a read-accessible SCSI-compatible device (e.g. SATA disk). Running mem01
11 * test program before this one may increase the chance of successfully
12 * reproducing the bug.
13 *
14 * Leak fixed in:
15 *
16 * commit a45b599ad808c3c982fdcdc12b0b8611c2f92824
17 * Author: Alexander Potapenko <glider@google.com>
18 * Date: Fri May 18 16:23:18 2018 +0200
19 *
20 * scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
21 */
22
23 #include <sys/types.h>
24 #include <dirent.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <ctype.h>
28 #include <scsi/sg.h>
29 #include <sys/ioctl.h>
30 #include <stdio.h>
31 #include "tst_test.h"
32
33 #define BUF_SIZE 128 * 4096
34 #define CMD_SIZE 6
35
36 static int devfd = -1;
37 static char buffer[BUF_SIZE];
38 static unsigned char command[CMD_SIZE];
39 static struct sg_io_hdr query;
40
41 /* TODO: split this off to a separate SCSI library? */
find_generic_scsi_device(int access_flags)42 static const char *find_generic_scsi_device(int access_flags)
43 {
44 DIR *devdir;
45 struct dirent *ent;
46 int tmpfd;
47 static char devpath[PATH_MAX];
48
49 errno = 0;
50 devdir = opendir("/dev");
51
52 if (!devdir)
53 return NULL;
54
55 while ((ent = SAFE_READDIR(devdir))) {
56 /* The bug is most likely reproducible only on /dev/sg* */
57 if (strncmp(ent->d_name, "sg", 2) || !isdigit(ent->d_name[2]))
58 continue;
59
60 snprintf(devpath, PATH_MAX, "/dev/%s", ent->d_name);
61 /* access() makes incorrect assumptions about block devices */
62 tmpfd = open(devpath, access_flags);
63
64 if (tmpfd >= 0) {
65 SAFE_CLOSE(tmpfd);
66 SAFE_CLOSEDIR(devdir);
67 return devpath;
68 }
69 }
70
71 SAFE_CLOSEDIR(devdir);
72 return NULL;
73 }
74
setup(void)75 static void setup(void)
76 {
77 const char *devpath = find_generic_scsi_device(O_RDONLY);
78
79 if (!devpath)
80 tst_brk(TCONF, "Could not find any usable SCSI device");
81
82 tst_res(TINFO, "Found SCSI device %s", devpath);
83 devfd = SAFE_OPEN(devpath, O_RDONLY);
84 query.interface_id = 'S';
85 query.dxfer_direction = SG_DXFER_FROM_DEV;
86 query.cmd_len = CMD_SIZE;
87 query.dxfer_len = BUF_SIZE;
88 query.dxferp = buffer;
89 query.cmdp = command;
90 }
91
cleanup(void)92 static void cleanup(void)
93 {
94 if (devfd >= 0)
95 SAFE_CLOSE(devfd);
96 }
97
run(void)98 static void run(void)
99 {
100 size_t i;
101
102 memset(buffer, 0, BUF_SIZE);
103 TEST(ioctl(devfd, SG_IO, &query));
104
105 if (TST_RET != 0 && TST_RET != -1)
106 tst_brk(TBROK | TTERRNO, "Invalid ioctl() return value");
107
108 /* Check the output buffer even if ioctl() failed, just in case. */
109 for (i = 0; i < BUF_SIZE; i++) {
110 if (buffer[i]) {
111 tst_res(TFAIL, "Kernel memory leaked");
112 return;
113 }
114 }
115
116 tst_res(TPASS, "Output buffer is empty, no data leaked");
117 }
118
119 static struct tst_test test = {
120 .test_all = run,
121 .setup = setup,
122 .cleanup = cleanup,
123 .tags = (const struct tst_tag[]) {
124 {"linux-git", "e093c4be760e"},
125 {"CVE", "2018-1000204"},
126 {}
127 }
128 };
129