1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2018 Jann Horn <jannh@google.com>
4 * Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
5 */
6
7 /*\
8 * [Description]
9 *
10 * CVE 2018-18445
11 *
12 * Check that eBPF verifier correctly handles 32-bit arithmetic, in particular
13 * the right bit shift instruction. It is an error if the BPF program passes
14 * verification regardless of whether it then causes any actual damage. Kernel
15 * bug fixed in:
16 * b799207e1e18 ("bpf: 32-bit RSH verification must truncate input before the ALU op")
17 */
18
19 #include <stdio.h>
20 #include <string.h>
21
22 #include "config.h"
23 #include "tst_test.h"
24 #include "tst_taint.h"
25 #include "tst_capability.h"
26 #include "bpf_common.h"
27
28 #define CHECK_BPF_RET(x) ((x) >= 0 || ((x) == -1 && errno != EACCES))
29
30 static const char MSG[] = "Ahoj!";
31 static char *msg;
32
33 static char *log;
34 static union bpf_attr *attr;
35
load_prog(int fd)36 static int load_prog(int fd)
37 {
38 int ret;
39 struct bpf_insn insn[] = {
40 BPF_MOV64_IMM(BPF_REG_8, 2),
41 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 31),
42 BPF_ALU32_IMM(BPF_RSH, BPF_REG_8, 31),
43 BPF_ALU32_IMM(BPF_SUB, BPF_REG_8, 2),
44
45 // store r8 into map
46 BPF_LD_MAP_FD(BPF_REG_1, fd),
47 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
48 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
49 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
50 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
51 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
52 BPF_EXIT_INSN(),
53 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
54 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
55
56 BPF_MOV64_IMM(BPF_REG_0, 0),
57 BPF_EXIT_INSN()
58 };
59
60 bpf_init_prog_attr(attr, insn, sizeof(insn), log, BUFSIZE);
61 ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
62 CHECK_BPF_RET);
63
64 if (ret >= 0) {
65 tst_res(TINFO, "Verification log:");
66 fputs(log, stderr);
67 return ret;
68 }
69
70 if (ret < -1)
71 tst_brk(TBROK, "Invalid bpf() return value %d", ret);
72
73 if (!*log)
74 tst_brk(TBROK | TERRNO, "Failed to load BPF program");
75
76 tst_res(TPASS | TERRNO, "BPF program failed verification");
77 return ret;
78 }
79
setup(void)80 static void setup(void)
81 {
82 rlimit_bump_memlock();
83 memcpy(msg, MSG, sizeof(MSG));
84 }
85
run(void)86 static void run(void)
87 {
88 int map_fd, prog_fd;
89
90 map_fd = bpf_map_array_create(1);
91 prog_fd = load_prog(map_fd);
92
93 if (prog_fd >= 0) {
94 tst_res(TFAIL, "Malicious eBPF code passed verification. "
95 "Now let's try crashing the kernel.");
96 bpf_run_prog(prog_fd, msg, sizeof(MSG));
97 }
98
99 if (prog_fd >= 0)
100 SAFE_CLOSE(prog_fd);
101
102 SAFE_CLOSE(map_fd);
103 }
104
105 static struct tst_test test = {
106 .setup = setup,
107 .test_all = run,
108 .taint_check = TST_TAINT_W | TST_TAINT_D,
109 .caps = (struct tst_cap []) {
110 TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
111 {}
112 },
113 .bufs = (struct tst_buffers []) {
114 {&log, .size = BUFSIZE},
115 {&attr, .size = sizeof(*attr)},
116 {&msg, .size = sizeof(MSG)},
117 {}
118 },
119 .tags = (const struct tst_tag[]) {
120 {"linux-git", "b799207e1e18"},
121 {"CVE", "2018-18445"},
122 {}
123 }
124 };
125