1 /*
2  * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
3  *
4  * This program is free software: you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License as published by
6  * the Free Software Foundation, either version 2 of the License, or
7  * (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program. If not, see <http://www.gnu.org/licenses/>.
16  */
17 /*
18  * CVE-2016-7117
19  *
20  * This tests for a use after free caused by a race between recvmmsg() and
21  * close(). The exit path for recvmmsg() in (a2e2725541f: net: Introduce
22  * recvmmsg socket syscall) called fput() on the active file descriptor before
23  * checking the error state and setting the socket's error field.
24  *
25  * If one or more messages are received by recvmmsg() followed by one which
26  * fails, the socket's error field will be set. If just after recvmmsg() calls
27  * fput(), a call to close() is made on the same file descriptor there is a
28  * race between close() releasing the socket object and recvmmsg() setting its
29  * error field.
30  *
31  * fput() does not release a file descriptor's resources (e.g. a socket)
32  * immediatly, it queues them to be released just before a system call returns
33  * to user land. So the close() system call must call fput() after it is
34  * called in recvmmsg(), exit and release the resources all before the socket
35  * error is set.
36  *
37  * Usually if the vulnerability is present the test will be killed with a
38  * kernel null pointer exception. However this is not guaranteed to happen
39  * every time.
40  *
41  * The following was used for reference
42  * https://blog.lizzie.io/notes-about-cve-2016-7117.html
43  */
44 
45 #include <sys/wait.h>
46 #include <sys/types.h>
47 #include <sys/socket.h>
48 #include <sys/syscall.h>
49 #include <stdlib.h>
50 #include <errno.h>
51 
52 #include "tst_test.h"
53 #include "tst_safe_net.h"
54 #include "tst_timer.h"
55 #include "tst_fuzzy_sync.h"
56 
57 /* The bug was present in the kernel before recvmmsg was exposed by glibc */
58 #include "lapi/syscalls.h"
59 
60 #include "config.h"
61 
62 #define MSG "abcdefghijklmnop"
63 #define RECV_TIMEOUT 1
64 #define ATTEMPTS 0x1FFFFF
65 
66 #ifndef HAVE_STRUCT_MMSGHDR
67 struct mmsghdr {
68 	struct msghdr msg_hdr;
69 	unsigned int msg_len;
70 };
71 #endif
72 
73 static volatile int socket_fds[2];
74 static struct mmsghdr msghdrs[2] = {
75 	{
76 		.msg_hdr = {
77 			.msg_iov = &(struct iovec) {
78 				.iov_len = sizeof(MSG),
79 			},
80 			.msg_iovlen = 1
81 		}
82 	},
83 	{
84 		.msg_hdr = {
85 			.msg_iov = &(struct iovec) {
86 				.iov_base = (void *)(0xbadadd),
87 				.iov_len = ~0,
88 			},
89 			.msg_iovlen = 1
90 		}
91 	}
92 };
93 static char rbuf[sizeof(MSG)];
94 static struct timespec timeout = { .tv_sec = RECV_TIMEOUT };
95 static struct tst_fzsync_pair fzsync_pair;
96 static void *send_and_close(void *);
97 
setup(void)98 static void setup(void)
99 {
100 	fzsync_pair.min_samples = 10000;
101 
102 	tst_syscall(__NR_recvmmsg, 0, 0, 0, 0, 0);
103 
104 	tst_fzsync_pair_init(&fzsync_pair);
105 }
106 
cleanup(void)107 static void cleanup(void)
108 {
109 	close(socket_fds[0]);
110 	close(socket_fds[1]);
111 
112 	tst_fzsync_pair_cleanup(&fzsync_pair);
113 }
114 
send_and_close(void * arg)115 static void *send_and_close(void *arg)
116 {
117 	while (tst_fzsync_run_b(&fzsync_pair)) {
118 
119 		tst_fzsync_wait_b(&fzsync_pair);
120 		send(socket_fds[0], MSG, sizeof(MSG), 0);
121 		send(socket_fds[0], MSG, sizeof(MSG), 0);
122 
123 		close(socket_fds[0]);
124 
125 		tst_fzsync_start_race_b(&fzsync_pair);
126 		close(socket_fds[1]);
127 		tst_fzsync_end_race_b(&fzsync_pair);
128 	}
129 	return arg;
130 }
131 
run(void)132 static void run(void)
133 {
134 	int stat, too_early_count = 0;
135 
136 	msghdrs[0].msg_hdr.msg_iov->iov_base = (void *)&rbuf;
137 
138 	tst_fzsync_pair_reset(&fzsync_pair, send_and_close);
139 	while (tst_fzsync_run_a(&fzsync_pair)) {
140 
141 		if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, (int *)socket_fds))
142 			tst_brk(TBROK | TERRNO, "Socket creation failed");
143 		tst_fzsync_wait_a(&fzsync_pair);
144 
145 		tst_fzsync_start_race_a(&fzsync_pair);
146 		stat = tst_syscall(__NR_recvmmsg,
147 				   socket_fds[1], msghdrs, 2, 0, &timeout);
148 		tst_fzsync_end_race_a(&fzsync_pair);
149 
150 		if (stat == 0)
151 			tst_res(TWARN, "No messages received, should be one");
152 		else if (stat < 0) {
153 			if (errno != EBADF) {
154 				tst_res(TWARN | TERRNO,
155 					"recvmmsg failed unexpectedly");
156 			} else {
157 				tst_fzsync_pair_add_bias(&fzsync_pair, 1);
158 				too_early_count++;
159 			}
160 		}
161 	}
162 
163 	tst_res(TPASS, "Nothing bad happened, probably.");
164 	tst_res(TINFO, "Socket was closed too early %d times", too_early_count);
165 }
166 
167 static struct tst_test test = {
168 	.test_all = run,
169 	.setup = setup,
170 	.cleanup = cleanup,
171 	.min_kver = "2.6.33",
172 };
173