• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
4  */
5 
6 /*\
7  * [Description]
8  *
9  * Test for CVE-2016-7117, which was fixed in kernel v4.6:
10  * 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path").
11  *
12  * Tests for a use after free caused by a race between recvmmsg() and close().
13  * The exit path for recvmmsg() in (a2e2725541f: net: Introduce recvmmsg socket
14  * syscall) called fput() on the active file descriptor before checking the
15  * error state and setting the socket's error field.
16  *
17  * If one or more messages are received by recvmmsg() followed by one which
18  * fails, the socket's error field will be set. If just after recvmmsg() calls
19  * fput(), a call to close() is made on the same file descriptor there is a
20  * race between close() releasing the socket object and recvmmsg() setting its
21  * error field.
22  *
23  * fput() does not release a file descriptor's resources (e.g. a socket)
24  * immediatly, it queues them to be released just before a system call returns
25  * to user land. So the close() system call must call fput() after it is
26  * called in recvmmsg(), exit and release the resources all before the socket
27  * error is set.
28  *
29  * Usually if the vulnerability is present the test will be killed with a
30  * kernel null pointer exception. However this is not guaranteed to happen
31  * every time.
32  *
33  * The following was used for reference
34  * https://blog.lizzie.io/notes-about-cve-2016-7117.html
35  */
36 
37 #include "config.h"
38 
39 #include <sys/wait.h>
40 #include <sys/types.h>
41 #include <sys/socket.h>
42 #include <sys/syscall.h>
43 #include <stdlib.h>
44 #include <errno.h>
45 
46 #include "tst_test.h"
47 #include "tst_safe_net.h"
48 #include "tst_timer.h"
49 #include "tst_fuzzy_sync.h"
50 
51 /* The bug was present in the kernel before recvmmsg was exposed by glibc */
52 #include "lapi/syscalls.h"
53 #include "lapi/socket.h"
54 
55 #define MSG "abcdefghijklmnop"
56 #define RECV_TIMEOUT 1
57 #define ATTEMPTS 0x1FFFFF
58 
59 static volatile int socket_fds[2];
60 static struct mmsghdr msghdrs[2] = {
61 	{
62 		.msg_hdr = {
63 			.msg_iov = &(struct iovec) {
64 				.iov_len = sizeof(MSG),
65 			},
66 			.msg_iovlen = 1
67 		}
68 	},
69 	{
70 		.msg_hdr = {
71 			.msg_iov = &(struct iovec) {
72 				.iov_base = (void *)(0xbadadd),
73 				.iov_len = ~0,
74 			},
75 			.msg_iovlen = 1
76 		}
77 	}
78 };
79 static char rbuf[sizeof(MSG)];
80 static struct timespec timeout = { .tv_sec = RECV_TIMEOUT };
81 static struct tst_fzsync_pair fzsync_pair;
82 static void *send_and_close(void *);
83 
setup(void)84 static void setup(void)
85 {
86 	fzsync_pair.min_samples = 10000;
87 
88 	tst_syscall(__NR_recvmmsg, 0, 0, 0, 0, 0);
89 
90 	tst_fzsync_pair_init(&fzsync_pair);
91 }
92 
cleanup(void)93 static void cleanup(void)
94 {
95 	close(socket_fds[0]);
96 	close(socket_fds[1]);
97 
98 	tst_fzsync_pair_cleanup(&fzsync_pair);
99 }
100 
send_and_close(void * arg)101 static void *send_and_close(void *arg)
102 {
103 	while (tst_fzsync_run_b(&fzsync_pair)) {
104 
105 		tst_fzsync_wait_b(&fzsync_pair);
106 		send(socket_fds[0], MSG, sizeof(MSG), 0);
107 		send(socket_fds[0], MSG, sizeof(MSG), 0);
108 
109 		close(socket_fds[0]);
110 
111 		tst_fzsync_start_race_b(&fzsync_pair);
112 		close(socket_fds[1]);
113 		tst_fzsync_end_race_b(&fzsync_pair);
114 	}
115 	return arg;
116 }
117 
run(void)118 static void run(void)
119 {
120 	int stat, too_early_count = 0;
121 
122 	msghdrs[0].msg_hdr.msg_iov->iov_base = (void *)&rbuf;
123 
124 	tst_fzsync_pair_reset(&fzsync_pair, send_and_close);
125 	while (tst_fzsync_run_a(&fzsync_pair)) {
126 
127 		SAFE_SOCKETPAIR(AF_LOCAL, SOCK_DGRAM, 0, (int *)socket_fds);
128 		tst_fzsync_wait_a(&fzsync_pair);
129 
130 		tst_fzsync_start_race_a(&fzsync_pair);
131 		stat = tst_syscall(__NR_recvmmsg,
132 				   socket_fds[1], msghdrs, 2, 0, &timeout);
133 		tst_fzsync_end_race_a(&fzsync_pair);
134 
135 		if (stat == 0)
136 			tst_res(TWARN, "No messages received, should be one");
137 		else if (stat < 0) {
138 			if (errno != EBADF) {
139 				tst_res(TWARN | TERRNO,
140 					"recvmmsg failed unexpectedly");
141 			} else {
142 				tst_fzsync_pair_add_bias(&fzsync_pair, 1);
143 				too_early_count++;
144 			}
145 		}
146 	}
147 
148 	tst_res(TPASS, "Nothing bad happened, probably");
149 	tst_res(TINFO, "Socket was closed too early %d times", too_early_count);
150 }
151 
152 static struct tst_test test = {
153 	.test_all = run,
154 	.setup = setup,
155 	.cleanup = cleanup,
156 	.runtime = 60,
157 	.tags = (const struct tst_tag[]) {
158 		{"linux-git", "34b88a68f26a"},
159 		{"CVE", "2016-7117"},
160 		{}
161 	}
162 };
163