1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC
4 *
5 * Author: Christian Amann <camann@suse.com>
6 */
7 /*
8 * Regression test for CVE-2017-18344:
9 *
10 * In kernels prior to 4.14.8 sigevent.sigev_notify is not
11 * properly verified when calling timer_create(2) with the
12 * field being set to (SIGEV_SIGNAL | SIGEV_THREAD_ID).
13 * This can be used to read arbitrary kernel memory.
14 *
15 * For more info see: https://nvd.nist.gov/vuln/detail/CVE-2017-18344
16 * or commit: cef31d9af908
17 *
18 * This test uses an unused number instead of SIGEV_THREAD_ID to check
19 * if this field gets verified correctly.
20 */
21
22 #include <errno.h>
23 #include <signal.h>
24 #include <time.h>
25 #include "tst_test.h"
26 #include "lapi/common_timers.h"
27
28 #define RANDOM_UNUSED_NUMBER (54321)
29
run(void)30 static void run(void)
31 {
32 struct sigevent evp;
33 clock_t clock = CLOCK_MONOTONIC;
34 kernel_timer_t created_timer_id;
35
36 memset(&evp, 0, sizeof(evp));
37
38 evp.sigev_signo = SIGALRM;
39 evp.sigev_notify = SIGEV_SIGNAL | RANDOM_UNUSED_NUMBER;
40 evp._sigev_un._tid = getpid();
41
42 TEST(tst_syscall(__NR_timer_create, clock, &evp, &created_timer_id));
43
44 if (TST_RET != 0) {
45 if (TST_ERR == EINVAL) {
46 tst_res(TPASS | TTERRNO,
47 "timer_create() failed as expected");
48 } else {
49 tst_res(TFAIL | TTERRNO,
50 "timer_create() unexpectedly failed");
51 }
52 return;
53 }
54
55 tst_res(TFAIL,
56 "timer_create() succeeded for invalid notification type");
57
58 TEST(tst_syscall(__NR_timer_delete, created_timer_id));
59 if (TST_RET != 0) {
60 tst_res(TFAIL | TTERRNO, "Failed to delete timer %s",
61 get_clock_str(clock));
62 }
63 }
64
65 static struct tst_test test = {
66 .test_all = run,
67 .tags = (const struct tst_tag[]) {
68 {"CVE", "2017-18344"},
69 {"linux-git", "cef31d9af908"},
70 {}
71 }
72 };
73