• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
4  */
5 
6 /*\
7  * [Description]
8  *
9  * Test for CVE-2022-4378 fixed in kernel v6.1:
10  * bce9332220bd ("proc: proc_skip_spaces() shouldn't think it is working on C strings").
11  *
12  * Check that writing several pages worth of whitespace into /proc/sys files
13  * does not cause kernel stack overflow.
14  */
15 
16 #include <stdlib.h>
17 #include "tst_test.h"
18 
19 static char *buf;
20 static unsigned int bufsize;
21 static int fd = -1;
22 
23 static struct testcase {
24 	const char *path;
25 	int err;
26 } testcase_list[] = {
27 	{"/proc/sys/net/ipv4/icmp_ratelimit", EINVAL},
28 	{"/proc/sys/net/ipv4/icmp_ratemask", EINVAL},
29 	{"/proc/sys/net/ipv4/icmp_echo_ignore_all", EINVAL},
30 	{"/proc/sys/net/ipv4/tcp_probe_interval", EINVAL},
31 	{"/proc/sys/net/ipv4/tcp_keepalive_time", EINVAL},
32 	{"/proc/sys/net/ipv4/tcp_notsent_lowat", EINVAL},
33 	{"/proc/sys/net/ipv4/ip_local_reserved_ports", 0}
34 };
35 
setup(void)36 static void setup(void)
37 {
38 	tst_setup_netns();
39 
40 	bufsize = 2 * SAFE_SYSCONF(_SC_PAGESIZE);
41 	buf = SAFE_MALLOC(bufsize);
42 	memset(buf, '\n', bufsize);
43 }
44 
run(unsigned int n)45 static void run(unsigned int n)
46 {
47 	const struct testcase *tc = testcase_list + n;
48 
49 	if (access(tc->path, W_OK)) {
50 		tst_res(TCONF | TERRNO, "Skipping %s", tc->path);
51 		return;
52 	}
53 
54 	tst_res(TINFO, "Writing whitespace to %s", tc->path);
55 
56 	fd = SAFE_OPEN(tc->path, O_WRONLY);
57 	TEST(write(fd, buf, bufsize));
58 	SAFE_CLOSE(fd);
59 
60 	if (TST_RET >= 0 && tc->err == 0) {
61 		tst_res(TPASS, "write() passed as expected");
62 	} else if (TST_RET >= 0) {
63 		tst_res(TFAIL, "write() unexpectedly passed");
64 	} else if (TST_RET != -1) {
65 		tst_res(TFAIL | TTERRNO, "Invalid write() return value %ld",
66 			TST_RET);
67 	} else if (TST_ERR != tc->err) {
68 		tst_res(TFAIL | TTERRNO, "write() returned unexpected error");
69 	} else {
70 		tst_res(TPASS | TTERRNO, "write() failed as expected");
71 	}
72 
73 	if (tst_taint_check())
74 		tst_res(TFAIL, "Kernel is vulnerable");
75 }
76 
cleanup(void)77 static void cleanup(void)
78 {
79 	if (fd >= 0)
80 		SAFE_CLOSE(fd);
81 
82 	if (buf)
83 		free(buf);
84 }
85 
86 static struct tst_test test = {
87 	.test = run,
88 	.tcnt = ARRAY_SIZE(testcase_list),
89 	.setup = setup,
90 	.cleanup = cleanup,
91 	.taint_check = TST_TAINT_W | TST_TAINT_D,
92 	.needs_kconfigs = (const char *[]) {
93 		"CONFIG_USER_NS=y",
94 		"CONFIG_NET_NS=y",
95 		NULL
96 	},
97 	.save_restore = (const struct tst_path_val[]) {
98 		{"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
99 		{}
100 	},
101 	.tags = (const struct tst_tag[]) {
102 		{"linux-git", "bce9332220bd"},
103 		{"CVE", "2022-4378"},
104 		{}
105 	}
106 };
107