1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2018 Jann Horn <jannh@google.com>
4 * Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
5 */
6
7 /*
8 * CVE 2018-18445
9 *
10 * Check that eBPF verifier correctly handles 32-bit arithmetic, in particular
11 * the right bit shift instruction. It is an error if the BPF program passes
12 * verification regardless of whether it then causes any actual damage. Kernel
13 * bug fixed in:
14 *
15 * commit b799207e1e1816b09e7a5920fbb2d5fcf6edd681
16 * Author: Jann Horn <jannh@google.com>
17 * Date: Fri Oct 5 18:17:59 2018 +0200
18 *
19 * bpf: 32-bit RSH verification must truncate input before the ALU op
20 */
21
22 #include <stdio.h>
23 #include <string.h>
24
25 #include "config.h"
26 #include "tst_test.h"
27 #include "tst_taint.h"
28 #include "tst_capability.h"
29 #include "bpf_common.h"
30
31 #define CHECK_BPF_RET(x) ((x) >= 0 || ((x) == -1 && errno != EACCES))
32
33 static const char MSG[] = "Ahoj!";
34 static char *msg;
35
36 static char *log;
37 static union bpf_attr *attr;
38
load_prog(int fd)39 static int load_prog(int fd)
40 {
41 int ret;
42 struct bpf_insn insn[] = {
43 BPF_MOV64_IMM(BPF_REG_8, 2),
44 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 31),
45 BPF_ALU32_IMM(BPF_RSH, BPF_REG_8, 31),
46 BPF_ALU32_IMM(BPF_SUB, BPF_REG_8, 2),
47
48 // store r8 into map
49 BPF_LD_MAP_FD(BPF_REG_1, fd),
50 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
52 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
53 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
54 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
55 BPF_EXIT_INSN(),
56 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
57 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
58
59 BPF_MOV64_IMM(BPF_REG_0, 0),
60 BPF_EXIT_INSN()
61 };
62
63 bpf_init_prog_attr(attr, insn, sizeof(insn), log, BUFSIZE);
64 ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
65 CHECK_BPF_RET);
66
67 if (ret >= 0) {
68 tst_res(TINFO, "Verification log:");
69 fputs(log, stderr);
70 return ret;
71 }
72
73 if (ret < -1)
74 tst_brk(TBROK, "Invalid bpf() return value %d", ret);
75
76 if (!*log)
77 tst_brk(TBROK | TERRNO, "Failed to load BPF program");
78
79 tst_res(TPASS | TERRNO, "BPF program failed verification");
80 return ret;
81 }
82
setup(void)83 static void setup(void)
84 {
85 rlimit_bump_memlock();
86 memcpy(msg, MSG, sizeof(MSG));
87 }
88
run(void)89 static void run(void)
90 {
91 int map_fd, prog_fd;
92
93 map_fd = bpf_map_array_create(1);
94 prog_fd = load_prog(map_fd);
95
96 if (prog_fd >= 0) {
97 tst_res(TFAIL, "Malicious eBPF code passed verification. "
98 "Now let's try crashing the kernel.");
99 bpf_run_prog(prog_fd, msg, sizeof(MSG));
100 }
101
102 if (prog_fd >= 0)
103 SAFE_CLOSE(prog_fd);
104
105 SAFE_CLOSE(map_fd);
106 }
107
108 static struct tst_test test = {
109 .setup = setup,
110 .test_all = run,
111 .min_kver = "3.18",
112 .taint_check = TST_TAINT_W | TST_TAINT_D,
113 .caps = (struct tst_cap []) {
114 TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
115 {}
116 },
117 .bufs = (struct tst_buffers []) {
118 {&log, .size = BUFSIZE},
119 {&attr, .size = sizeof(*attr)},
120 {&msg, .size = sizeof(MSG)},
121 {}
122 },
123 .tags = (const struct tst_tag[]) {
124 {"linux-git", "b799207e1e18"},
125 {"CVE", "2018-18445"},
126 {}
127 }
128 };
129