• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2019 Richard Palethorpe <rpalethorpe@suse.com>
4  * Original byte code was provided by Jann Horn <jannh@google.com>
5  */
6 
7 /*\
8  * [Description]
9  *
10  * CVE-2017-16995
11  *
12  * Test for the bug fixed by kernel commit
13  * 95a762e2c8c9 ("bpf: fix incorrect sign extension in check_alu_op()")
14  *
15  * The test is very similar to the original reproducer:
16  * https://bugs.chromium.org/p/project-zero/issues/detail?id=1454
17  *
18  * However it has been modified to try to corrupt the map struct instead of
19  * writing to a noncanonical pointer. This appears to be more reliable at
20  * producing stack traces and confirms we would be able to overwrite the ops
21  * function pointers, as suggested by Jan Horn.
22  *
23  * If the eBPF code is loaded then this is considered a failure regardless of
24  * whether it is able to cause any visible damage.
25  */
26 
27 #include <string.h>
28 #include <stdio.h>
29 #include <inttypes.h>
30 
31 #include "config.h"
32 #include "tst_test.h"
33 #include "tst_capability.h"
34 #include "bpf_common.h"
35 
36 #define LOG_SIZE (1024 * 1024)
37 
38 #define CHECK_BPF_RET(x) ((x) >= 0 || ((x) == -1 && errno != EPERM))
39 
40 static const char MSG[] = "Ahoj!";
41 static char *msg;
42 
43 static char *log;
44 static uint32_t *key;
45 static uint64_t *val;
46 static union bpf_attr *attr;
47 
load_prog(int fd)48 static int load_prog(int fd)
49 {
50 	int ret;
51 
52 	struct bpf_insn insn[] = {
53 		BPF_LD_MAP_FD(BPF_REG_1, fd),
54 
55 		// fill r0 with pointer to map value
56 		BPF_MOV64_REG(BPF_REG_8, BPF_REG_10),
57 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, -4), // allocate 4 bytes stack
58 		BPF_MOV32_IMM(BPF_REG_2, 0),
59 		BPF_STX_MEM(BPF_W, BPF_REG_8, BPF_REG_2, 0),
60 		BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
61 		BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
62 		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
63 		BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit
64 		BPF_EXIT_INSN(), // exit
65 
66 		// r1 = 0xffff'ffff, mistreated as 0xffff'ffff'ffff'ffff
67 		BPF_MOV32_IMM(BPF_REG_1, -1),
68 		// r1 = 0x1'0000'0000, mistreated as 0
69 		BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
70 		// r1 = 64, mistreated as 0
71 		BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 26),
72 
73 		// Write actual value of r1 to map for debugging this test
74 		BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
75 
76 		// Corrupt the map meta-data which comes before the map data
77 		BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
78 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
79 
80 		BPF_MOV64_IMM(BPF_REG_3, 0xdeadbeef),
81 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
82 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
83 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
84 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
85 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
86 		BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
87 		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
88 
89 		// terminate to make the verifier happy
90 		BPF_MOV32_IMM(BPF_REG_0, 0),
91 		BPF_EXIT_INSN()
92 	};
93 
94 	bpf_init_prog_attr(attr, insn, sizeof(insn), log, LOG_SIZE);
95 	ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
96 		CHECK_BPF_RET);
97 
98 	if (ret < -1)
99 		tst_brk(TBROK, "Invalid bpf() return value %d", ret);
100 
101 	if (ret >= 0) {
102 		tst_res(TINFO, "Verification log:");
103 		fputs(log, stderr);
104 		return ret;
105 	}
106 
107 	if (log[0] == 0)
108 		tst_brk(TBROK | TERRNO, "Failed to load program");
109 
110 	tst_res(TPASS | TERRNO, "Failed verification");
111 	return ret;
112 }
113 
setup(void)114 static void setup(void)
115 {
116 	rlimit_bump_memlock();
117 	memcpy(msg, MSG, sizeof(MSG));
118 }
119 
run(void)120 static void run(void)
121 {
122 	int map_fd, prog_fd;
123 
124 	map_fd = bpf_map_array_create(32);
125 
126 	memset(attr, 0, sizeof(*attr));
127 	attr->map_fd = map_fd;
128 	attr->key = ptr_to_u64(key);
129 	attr->value = ptr_to_u64(val);
130 	attr->flags = BPF_ANY;
131 
132 	TEST(bpf(BPF_MAP_UPDATE_ELEM, attr, sizeof(*attr)));
133 	if (TST_RET == -1)
134 		tst_brk(TBROK | TTERRNO, "Failed to lookup map element");
135 
136 	prog_fd = load_prog(map_fd);
137 	if (prog_fd == -1)
138 		goto exit;
139 
140 	tst_res(TFAIL, "Loaded bad eBPF, now we will run it and maybe crash");
141 
142 	bpf_run_prog(prog_fd, msg, sizeof(MSG));
143 	SAFE_CLOSE(prog_fd);
144 
145 	*key = 0;
146 	bpf_map_array_get(map_fd, key, val);
147 	tst_res(TINFO, "Pointer offset was 0x%"PRIx64, *val);
148 exit:
149 	SAFE_CLOSE(map_fd);
150 }
151 
152 static struct tst_test test = {
153 	.setup = setup,
154 	.test_all = run,
155 	.caps = (struct tst_cap []) {
156 		TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
157 		{}
158 	},
159 	.bufs = (struct tst_buffers []) {
160 		{&key, .size = sizeof(*key)},
161 		{&val, .size = sizeof(*val)},
162 		{&log, .size = LOG_SIZE},
163 		{&attr, .size = sizeof(*attr)},
164 		{&msg, .size = sizeof(MSG)},
165 		{},
166 	},
167 	.tags = (const struct tst_tag[]) {
168 		{"linux-git", "95a762e2c8c9"},
169 		{"CVE", "2017-16995"},
170 		{}
171 	}
172 };
173