1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2018 SUSE LLC <nstange@suse.de>
4 * Copyright (C) 2020 SUSE LLC <mdoucha@suse.cz>
5 *
6 * CVE-2018-7566
7 *
8 * Test for race condition when initializing client pool on /dev/snd/seq
9 * Kernel crash fixed in:
10 *
11 * commit d15d662e89fc667b90cd294b0eb45694e33144da
12 * Author: Takashi Iwai <tiwai@suse.de>
13 * Date: Mon Feb 12 15:20:51 2018 +0100
14 *
15 * ALSA: seq: Fix racy pool initializations
16 */
17
18 #include <linux/types.h>
19 #include <time.h>
20 #include <sound/asound.h>
21 #include <sound/asequencer.h>
22
23 #include "tst_test.h"
24 #include "tst_fuzzy_sync.h"
25
26 static int fd = -1;
27 static int client_id;
28 static struct snd_seq_remove_events rminfo = {
29 .remove_mode = SNDRV_SEQ_REMOVE_OUTPUT
30 };
31 static struct snd_seq_event ssev = {
32 .flags = SNDRV_SEQ_TIME_STAMP_TICK | SNDRV_SEQ_TIME_MODE_REL,
33 .queue = 0,
34 .type = SNDRV_SEQ_EVENT_USR0,
35 .time = { .tick = 10 }
36 };
37
38 static struct tst_fzsync_pair fzsync_pair;
39
reinit_pool(int pool_size)40 static void reinit_pool(int pool_size)
41 {
42 struct snd_seq_client_pool pconf = {
43 .output_pool = pool_size,
44 .client = client_id
45 };
46
47 ioctl(fd, SNDRV_SEQ_IOCTL_SET_CLIENT_POOL, &pconf);
48 }
49
race_ioctl(void)50 static void race_ioctl(void)
51 {
52 reinit_pool(512);
53 }
54
race_write(void)55 static void race_write(void)
56 {
57 TEST(write(fd, &ssev, sizeof(ssev)));
58 }
59
60 void (*testfunc_list[])(void) = {race_ioctl, race_write};
61
setup(void)62 static void setup(void)
63 {
64 struct snd_seq_queue_info qconf = { .queue = 0 };
65
66 errno = 0;
67 fd = open("/dev/snd/seq", O_RDWR);
68
69 if (fd == -1 && (errno == ENOENT || errno == EACCES))
70 tst_brk(TCONF | TERRNO, "Cannot open /dev/snd/seq");
71
72 if (fd < 0)
73 tst_brk(TBROK | TERRNO, "Cannot open /dev/snd/seq");
74
75 SAFE_IOCTL(fd, SNDRV_SEQ_IOCTL_CLIENT_ID, &client_id);
76 SAFE_IOCTL(fd, SNDRV_SEQ_IOCTL_CREATE_QUEUE, &qconf);
77 ssev.dest.client = client_id;
78
79 fzsync_pair.exec_loops = 1000000;
80 tst_fzsync_pair_init(&fzsync_pair);
81 }
82
cleanup(void)83 static void cleanup(void)
84 {
85 if (fd >= 0)
86 SAFE_CLOSE(fd);
87 tst_fzsync_pair_cleanup(&fzsync_pair);
88 }
89
thread_run(void * arg)90 static void *thread_run(void *arg)
91 {
92 while (tst_fzsync_run_b(&fzsync_pair)) {
93 tst_fzsync_start_race_b(&fzsync_pair);
94 reinit_pool(10);
95 tst_fzsync_end_race_b(&fzsync_pair);
96 }
97
98 return arg;
99 }
100
run(unsigned int n)101 static void run(unsigned int n)
102 {
103 tst_fzsync_pair_reset(&fzsync_pair, thread_run);
104
105 while (tst_fzsync_run_a(&fzsync_pair)) {
106 reinit_pool(5);
107 SAFE_IOCTL(fd, SNDRV_SEQ_IOCTL_REMOVE_EVENTS, &rminfo);
108 tst_fzsync_start_race_a(&fzsync_pair);
109 testfunc_list[n]();
110 tst_fzsync_end_race_a(&fzsync_pair);
111
112 if (tst_taint_check()) {
113 tst_res(TFAIL, "Kernel is vulnerable");
114 return;
115 }
116 }
117
118 tst_res(TPASS, "Nothing bad happened, probably");
119 }
120
121 static struct tst_test test = {
122 .test = run,
123 .tcnt = ARRAY_SIZE(testfunc_list),
124 .setup = setup,
125 .cleanup = cleanup,
126 .max_runtime = 60,
127 .taint_check = TST_TAINT_W | TST_TAINT_D,
128 .tags = (const struct tst_tag[]) {
129 {"linux-git", "d15d662e89fc"},
130 {"CVE", "2018-7566"},
131 {}
132 }
133 };
134