• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2019 Richard Palethorpe <rpalethorpe@suse.com>
4  * Original byte code was provided by jannh@google.com
5  *
6  * Check for the bug fixed by 95a762e2c8c942780948091f8f2a4f32fce1ac6f
7  * "bpf: fix incorrect sign extension in check_alu_op()"
8  * CVE-2017-16995
9  *
10  * This test is very similar to the reproducer found here:
11  * https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
12  *
13  * However it has been modified to try to corrupt the map struct instead of
14  * writing to a noncanonical pointer. This appears to be more reliable at
15  * producing stack traces and confirms we would be able to overwrite the ops
16  * function pointers, as suggested by Jan.
17  *
18  * If the eBPF code is loaded then this is considered a failure regardless of
19  * whether it is able to cause any visible damage.
20  */
21 
22 #include <string.h>
23 #include <stdio.h>
24 #include <inttypes.h>
25 
26 #include "config.h"
27 #include "tst_test.h"
28 #include "tst_capability.h"
29 #include "lapi/socket.h"
30 #include "lapi/bpf.h"
31 #include "bpf_common.h"
32 
33 #define LOG_SIZE (1024 * 1024)
34 
35 static const char MSG[] = "Ahoj!";
36 static char *msg;
37 
38 static char *log;
39 static uint32_t *key;
40 static uint64_t *val;
41 static union bpf_attr *attr;
42 
load_prog(int fd)43 static int load_prog(int fd)
44 {
45 	static struct bpf_insn *prog;
46 	struct bpf_insn insn[] = {
47 		BPF_LD_MAP_FD(BPF_REG_1, fd),
48 
49 		// fill r0 with pointer to map value
50 		BPF_MOV64_REG(BPF_REG_8, BPF_REG_10),
51 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, -4), // allocate 4 bytes stack
52 		BPF_MOV32_IMM(BPF_REG_2, 0),
53 		BPF_STX_MEM(BPF_W, BPF_REG_8, BPF_REG_2, 0),
54 		BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
55 		BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
56 		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
57 		BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit
58 		BPF_EXIT_INSN(), // exit
59 
60 		// r1 = 0xffff'ffff, mistreated as 0xffff'ffff'ffff'ffff
61 		BPF_MOV32_IMM(BPF_REG_1, -1),
62 		// r1 = 0x1'0000'0000, mistreated as 0
63 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
64 		// r1 = 64, mistreated as 0
65 		BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 26),
66 
67 		// Write actual value of r1 to map for debugging this test
68 		BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
69 
70 		// Corrupt the map meta-data which comes before the map data
71 		BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
72 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
73 
74 		BPF_MOV64_IMM(BPF_REG_3, 0xdeadbeef),
75 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
76 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
77 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
78 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
79 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
80 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
81 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
82 
83 		// terminate to make the verifier happy
84 		BPF_MOV32_IMM(BPF_REG_0, 0),
85 		BPF_EXIT_INSN()
86 	};
87 
88 	if (!prog)
89 		prog = tst_alloc(sizeof(insn));
90 	memcpy(prog, insn, sizeof(insn));
91 
92 	memset(attr, 0, sizeof(*attr));
93 	attr->prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
94 	attr->insns = ptr_to_u64(prog);
95 	attr->insn_cnt = ARRAY_SIZE(insn);
96 	attr->license = ptr_to_u64("GPL");
97 	attr->log_buf = ptr_to_u64(log);
98 	attr->log_size = LOG_SIZE;
99 	attr->log_level = 1;
100 
101 	TEST(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)));
102 	if (TST_RET == -1) {
103 		if (log[0] != 0)
104 			tst_res(TPASS | TTERRNO, "Failed verification");
105 		else
106 			tst_brk(TBROK | TTERRNO, "Failed to load program");
107 	} else {
108 		tst_res(TINFO, "Verification log:");
109 		fputs(log, stderr);
110 	}
111 
112 	return TST_RET;
113 }
114 
setup(void)115 static void setup(void)
116 {
117 	rlimit_bump_memlock();
118 	memcpy(msg, MSG, sizeof(MSG));
119 }
120 
run(void)121 static void run(void)
122 {
123 	int map_fd, prog_fd;
124 	int sk[2];
125 
126 	memset(attr, 0, sizeof(*attr));
127 	attr->map_type = BPF_MAP_TYPE_ARRAY;
128 	attr->key_size = 4;
129 	attr->value_size = 8;
130 	attr->max_entries = 32;
131 
132 	map_fd = bpf_map_create(attr);
133 
134 	memset(attr, 0, sizeof(*attr));
135 	attr->map_fd = map_fd;
136 	attr->key = ptr_to_u64(key);
137 	attr->value = ptr_to_u64(val);
138 	attr->flags = BPF_ANY;
139 
140 	TEST(bpf(BPF_MAP_UPDATE_ELEM, attr, sizeof(*attr)));
141 	if (TST_RET == -1)
142 		tst_brk(TBROK | TTERRNO, "Failed to lookup map element");
143 
144 	prog_fd = load_prog(map_fd);
145 	if (prog_fd == -1)
146 		goto exit;
147 
148 	tst_res(TFAIL, "Loaded bad eBPF, now we will run it and maybe crash");
149 
150 	SAFE_SOCKETPAIR(AF_UNIX, SOCK_DGRAM, 0, sk);
151 	SAFE_SETSOCKOPT(sk[1], SOL_SOCKET, SO_ATTACH_BPF,
152 			&prog_fd, sizeof(prog_fd));
153 
154 	SAFE_WRITE(1, sk[0], msg, sizeof(MSG));
155 
156 	memset(attr, 0, sizeof(*attr));
157 	attr->map_fd = map_fd;
158 	attr->key = ptr_to_u64(key);
159 	attr->value = ptr_to_u64(val);
160 	*key = 0;
161 
162 	TEST(bpf(BPF_MAP_LOOKUP_ELEM, attr, sizeof(*attr)));
163 	if (TST_RET == -1)
164 		tst_res(TFAIL | TTERRNO, "array map lookup");
165 	else
166 		tst_res(TINFO, "Pointer offset was 0x%"PRIx64, *val);
167 
168 	SAFE_CLOSE(sk[0]);
169 	SAFE_CLOSE(sk[1]);
170 	SAFE_CLOSE(prog_fd);
171 exit:
172 	SAFE_CLOSE(map_fd);
173 }
174 
175 static struct tst_test test = {
176 	.setup = setup,
177 	.test_all = run,
178 	.min_kver = "3.18",
179 	.caps = (struct tst_cap []) {
180 		TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
181 		{}
182 	},
183 	.bufs = (struct tst_buffers []) {
184 		{&key, .size = sizeof(*key)},
185 		{&val, .size = sizeof(*val)},
186 		{&log, .size = LOG_SIZE},
187 		{&attr, .size = sizeof(*attr)},
188 		{&msg, .size = sizeof(MSG)},
189 		{},
190 	},
191 	.tags = (const struct tst_tag[]) {
192 		{"linux-git", "95a762e2c8c9"},
193 		{"CVE", "2017-16995"},
194 		{}
195 	}
196 };
197