1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2019 SUSE LLC
4  *
5  * Author:	Christian Amann <camann@suse.com>
6  */
7 /*
8  * Regression test for CVE-2017-18344:
9  *
10  * In kernels prior to 4.14.8 sigevent.sigev_notify is not
11  * properly verified when calling timer_create(2) with the
12  * field being set to (SIGEV_SIGNAL | SIGEV_THREAD_ID).
13  * This can be used to read arbitrary kernel memory.
14  *
15  * For more info see: https://nvd.nist.gov/vuln/detail/CVE-2017-18344
16  * or commit: cef31d9af908
17  *
18  * This test uses an unused number instead of SIGEV_THREAD_ID to check
19  * if this field gets verified correctly.
20  */
21 
22 #include <errno.h>
23 #include <signal.h>
24 #include <time.h>
25 #include "tst_test.h"
26 #include "lapi/common_timers.h"
27 
/*
 * Arbitrary value OR'ed into sigev_notify by run() in place of
 * SIGEV_THREAD_ID. The test expects the kernel to reject the resulting
 * notification type with EINVAL.
 * NOTE(review): the value is assumed not to collide with any SIGEV_*
 * constant defined by the kernel headers in use; confirm when porting.
 */
#define RANDOM_UNUSED_NUMBER (54321)
29 
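/*
 * Regression check for CVE-2017-18344: request a CLOCK_MONOTONIC timer
 * whose sigev_notify is SIGEV_SIGNAL combined with RANDOM_UNUSED_NUMBER
 * and report how the kernel reacts.
 *
 * Outcomes:
 *  - timer_create fails with EINVAL: TPASS, the notification type was
 *    validated and rejected.
 *  - timer_create fails with any other errno: TFAIL.
 *  - timer_create succeeds: TFAIL, the kernel accepted an invalid
 *    notification type. The timer is then deleted again.
 */
static void run(void)
{
	struct sigevent evp;
	/* timer_create(2) takes a clockid_t; clock_t is the type returned by clock(3). */
	clockid_t clock_id = CLOCK_MONOTONIC;
	kernel_timer_t created_timer_id;

	/* Start from a zeroed sigevent so no stale stack bytes reach the kernel. */
	memset(&evp, 0, sizeof(evp));

	evp.sigev_signo  = SIGALRM;
	evp.sigev_notify = SIGEV_SIGNAL | RANDOM_UNUSED_NUMBER;
	/*
	 * NOTE(review): presumably set so that a kernel which does treat the
	 * value as a thread-directed notification finds a valid target; confirm.
	 */
	evp._sigev_un._tid = getpid();

	/*
	 * Issued through tst_syscall() rather than the libc wrapper.
	 * NOTE(review): presumably so the sigevent reaches the kernel
	 * unmodified; confirm against the libc in use.
	 */
	TEST(tst_syscall(__NR_timer_create, clock_id, &evp, &created_timer_id));

	if (TST_RET != 0) {
		if (TST_ERR == EINVAL) {
			tst_res(TPASS | TTERRNO,
					"timer_create() failed as expected");
		} else {
			/* A different errno does not show that sigev_notify was validated. */
			tst_res(TFAIL | TTERRNO,
					"timer_create() unexpectedly failed");
		}
		return;
	}

	tst_res(TFAIL,
		"timer_create() succeeded for invalid notification type");

	/* The timer exists only on the failing path; remove it before returning. */
	TEST(tst_syscall(__NR_timer_delete, created_timer_id));
	if (TST_RET != 0) {
		tst_res(TFAIL | TTERRNO, "Failed to delete timer %s",
			get_clock_str(clock_id));
	}
}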
64 
/*
 * Test descriptor: run() is the single test function, and the tags tie
 * the test to the CVE and to the kernel commit named in the file header.
 */
static struct tst_test test = {
	.test_all = run,
	.tags = (const struct tst_tag[]) {
		{"CVE", "2017-18344"},
		{"linux-git", "cef31d9af908"},
		/* NOTE(review): the empty entry presumably terminates the tag list; confirm in tst_test.h. */
		{}
	}
};
73