Home | History | Annotate | Download | only in cve 
      1 /*
      2  * Copyright (c) 2017 Richard Palethorpe <rpalethorpe (at) suse.com>
      3  *
      4  * This program is free software: you can redistribute it and/or modify
      5  * it under the terms of the GNU General Public License as published by
      6  * the Free Software Foundation, either version 2 of the License, or
      7  * (at your option) any later version.
      8  *
      9  * This program is distributed in the hope that it will be useful,
     10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
     11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     12  * GNU General Public License for more details.
     13  *
     14  * You should have received a copy of the GNU General Public License
     15  * along with this program. If not, see <http://www.gnu.org/licenses/>.
     16  */
     17 /*
     18  * CVE-2016-7117
     19  *
     20  * This tests for a use after free caused by a race between recvmmsg() and
     21  * close(). The exit path for recvmmsg() in (a2e2725541f: net: Introduce
     22  * recvmmsg socket syscall) called fput() on the active file descriptor before
     23  * checking the error state and setting the socket's error field.
     24  *
     25  * If one or more messages are received by recvmmsg() followed by one which
     26  * fails, the socket's error field will be set. If just after recvmmsg() calls
     27  * fput(), a call to close() is made on the same file descriptor there is a
     28  * race between close() releasing the socket object and recvmmsg() setting its
     29  * error field.
     30  *
     31  * fput() does not release a file descriptor's resources (e.g. a socket)
     32  * immediatly, it queues them to be released just before a system call returns
     33  * to user land. So the close() system call must call fput() after it is
     34  * called in recvmmsg(), exit and release the resources all before the socket
     35  * error is set.
     36  *
     37  * Usually if the vulnerability is present the test will be killed with a
     38  * kernel null pointer exception. However this is not guaranteed to happen
     39  * every time.
     40  *
     41  * The following was used for reference
     42  * https://blog.lizzie.io/notes-about-cve-2016-7117.html
     43  */
     44 
     45 #include <sys/wait.h>
     46 #include <sys/types.h>
     47 #include <sys/socket.h>
     48 #include <sys/syscall.h>
     49 #include <stdlib.h>
     50 #include <errno.h>
     51 
     52 #include "tst_test.h"
     53 #include "tst_safe_net.h"
     54 #include "tst_safe_pthread.h"
     55 #include "tst_timer.h"
     56 #include "tst_fuzzy_sync.h"
     57 
     58 /* The bug was present in the kernel before recvmmsg was exposed by glibc */
     59 #include "lapi/syscalls.h"
     60 
     61 #include "config.h"
     62 
     63 #define MSG "abcdefghijklmnop"
     64 #define RECV_TIMEOUT 1
     65 #define ATTEMPTS 0x1FFFFF
     66 
     67 #ifndef HAVE_STRUCT_MMSGHDR
     68 struct mmsghdr {
     69 	struct msghdr msg_hdr;
     70 	unsigned int msg_len;
     71 };
     72 #endif
     73 
     74 static volatile int socket_fds[2];
     75 static struct mmsghdr msghdrs[2] = {
     76 	{
     77 		.msg_hdr = {
     78 			.msg_iov = &(struct iovec) {
     79 				.iov_len = sizeof(MSG),
     80 			},
     81 			.msg_iovlen = 1
     82 		}
     83 	},
     84 	{
     85 		.msg_hdr = {
     86 			.msg_iov = &(struct iovec) {
     87 				.iov_base = (void *)(0xbadadd),
     88 				.iov_len = ~0,
     89 			},
     90 			.msg_iovlen = 1
     91 		}
     92 	}
     93 };
     94 static char rbuf[sizeof(MSG)];
     95 static struct timespec timeout = { .tv_sec = RECV_TIMEOUT };
     96 static struct tst_fzsync_pair fzsync_pair = TST_FZSYNC_PAIR_INIT;
     97 static pthread_t pt_send;
     98 static void *send_and_close(void *);
     99 
    100 static void setup(void)
    101 {
    102 	SAFE_PTHREAD_CREATE(&pt_send, 0, send_and_close, 0);
    103 }
    104 
    105 static void cleanup(void)
    106 {
    107 	close(socket_fds[0]);
    108 	close(socket_fds[1]);
    109 
    110 	if (pt_send) {
    111 		tst_fzsync_pair_exit(&fzsync_pair);
    112 		SAFE_PTHREAD_JOIN(pt_send, 0);
    113 	}
    114 }
    115 
    116 static void *send_and_close(void *arg)
    117 {
    118 	while (tst_fzsync_wait_update_b(&fzsync_pair)) {
    119 		send(socket_fds[0], MSG, sizeof(MSG), 0);
    120 		send(socket_fds[0], MSG, sizeof(MSG), 0);
    121 
    122 		tst_fzsync_delay_b(&fzsync_pair);
    123 
    124 		close(socket_fds[0]);
    125 		close(socket_fds[1]);
    126 		tst_fzsync_time_b(&fzsync_pair);
    127 		if (!tst_fzsync_wait_b(&fzsync_pair))
    128 			break;
    129 	}
    130 	return arg;
    131 }
    132 
    133 static void run(void)
    134 {
    135 	int i, stat, too_early_count = 0;
    136 
    137 	msghdrs[0].msg_hdr.msg_iov->iov_base = (void *)&rbuf;
    138 
    139 	for (i = 1; i < ATTEMPTS; i++) {
    140 		if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, (int *)socket_fds))
    141 			tst_brk(TBROK | TERRNO, "Socket creation failed");
    142 
    143 		tst_fzsync_wait_update_a(&fzsync_pair);
    144 		tst_fzsync_delay_a(&fzsync_pair);
    145 
    146 		stat = tst_syscall(__NR_recvmmsg,
    147 				   socket_fds[1], msghdrs, 2, 0, &timeout);
    148 		tst_fzsync_time_a(&fzsync_pair);
    149 		if (stat < 0 && errno == EBADF)
    150 			too_early_count++;
    151 		else if (stat == 0)
    152 			tst_res(TWARN, "No messages received, should be one");
    153 		else if (stat < 0)
    154 			tst_res(TWARN | TERRNO, "recvmmsg failed unexpectedly");
    155 
    156 		tst_fzsync_wait_a(&fzsync_pair);
    157 	}
    158 
    159 	tst_res(TPASS, "Nothing happened after %d attempts", ATTEMPTS);
    160 }
    161 
    162 static struct tst_test test = {
    163 	.setup = setup,
    164 	.test_all = run,
    165 	.cleanup = cleanup,
    166 	.min_kver = "2.6.33",
    167 };
    168