1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2018 Jann Horn <jannh@google.com>
4 * Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
5 */
6
7 /*
8 * CVE 2018-18445
9 *
10 * Check that eBPF verifier correctly handles 32-bit arithmetic, in particular
11 * the right bit shift instruction. It is an error if the BPF program passes
12 * verification regardless of whether it then causes any actual damage. Kernel
13 * bug fixed in:
14 *
15 * commit b799207e1e1816b09e7a5920fbb2d5fcf6edd681
16 * Author: Jann Horn <jannh@google.com>
17 * Date: Fri Oct 5 18:17:59 2018 +0200
18 *
19 * bpf: 32-bit RSH verification must truncate input before the ALU op
20 */
21
22 #include <stdio.h>
23 #include <string.h>
24
25 #include "config.h"
26 #include "tst_test.h"
27 #include "tst_taint.h"
28 #include "tst_capability.h"
29 #include "bpf_common.h"
30
31 #define BUFSIZE 8192
32 #define CHECK_BPF_RET(x) ((x) >= 0 || ((x) == -1 && errno != EACCES))
33
34 static const char MSG[] = "Ahoj!";
35 static char *msg;
36
37 static char *log;
38 static union bpf_attr *attr;
39
load_prog(int fd)40 static int load_prog(int fd)
41 {
42 int ret;
43 struct bpf_insn insn[] = {
44 BPF_MOV64_IMM(BPF_REG_8, 2),
45 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 31),
46 BPF_ALU32_IMM(BPF_RSH, BPF_REG_8, 31),
47 BPF_ALU32_IMM(BPF_SUB, BPF_REG_8, 2),
48
49 // store r8 into map
50 BPF_LD_MAP_FD(BPF_REG_1, fd),
51 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
52 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
53 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
54 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
55 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
56 BPF_EXIT_INSN(),
57 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
58 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
59
60 BPF_MOV64_IMM(BPF_REG_0, 0),
61 BPF_EXIT_INSN()
62 };
63
64 bpf_init_prog_attr(attr, insn, sizeof(insn), log, BUFSIZE);
65 ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
66 CHECK_BPF_RET);
67
68 if (ret >= 0) {
69 tst_res(TINFO, "Verification log:");
70 fputs(log, stderr);
71 return ret;
72 }
73
74 if (ret < -1)
75 tst_brk(TBROK, "Invalid bpf() return value %d", ret);
76
77 if (!*log)
78 tst_brk(TBROK | TERRNO, "Failed to load BPF program");
79
80 tst_res(TPASS | TERRNO, "BPF program failed verification");
81 return ret;
82 }
83
setup(void)84 static void setup(void)
85 {
86 rlimit_bump_memlock();
87 memcpy(msg, MSG, sizeof(MSG));
88 }
89
run(void)90 static void run(void)
91 {
92 int map_fd, prog_fd;
93
94 map_fd = bpf_map_array_create(1);
95 prog_fd = load_prog(map_fd);
96
97 if (prog_fd >= 0) {
98 tst_res(TFAIL, "Malicious eBPF code passed verification. "
99 "Now let's try crashing the kernel.");
100 bpf_run_prog(prog_fd, msg, sizeof(MSG));
101 }
102
103 if (prog_fd >= 0)
104 SAFE_CLOSE(prog_fd);
105
106 SAFE_CLOSE(map_fd);
107 }
108
109 static struct tst_test test = {
110 .setup = setup,
111 .test_all = run,
112 .min_kver = "3.18",
113 .taint_check = TST_TAINT_W | TST_TAINT_D,
114 .caps = (struct tst_cap []) {
115 TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
116 {}
117 },
118 .bufs = (struct tst_buffers []) {
119 {&log, .size = BUFSIZE},
120 {&attr, .size = sizeof(*attr)},
121 {&msg, .size = sizeof(MSG)},
122 {}
123 },
124 .tags = (const struct tst_tag[]) {
125 {"linux-git", "b799207e1e18"},
126 {"CVE", "2018-18445"},
127 {}
128 }
129 };
130