@@ -60,3 +60,4 @@ cve-2019-8912 af_alg07
cve-2020-11494 pty04
cve-2020-14386 sendto03
cve-2020-14416 pty03
+cve-2020-29373 io_uring02
@@ -1712,3 +1712,4 @@ statx07 statx07
membarrier01 membarrier01
io_uring01 io_uring01
+io_uring02 io_uring02
new file mode 100644
@@ -0,0 +1,197 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2021 SUSE LLC
+ * Author: Nicolai Stange <nstange@suse.de>
+ * LTP port: Martin Doucha <mdoucha@suse.cz>
+ *
+ * CVE-2020-29373
+ *
+ * Check that io_uring does not bypass chroot. Fixed in:
+ *
+ * commit ff002b30181d30cdfbca316dadd099c3ca0d739c
+ * Author: Jens Axboe <axboe@kernel.dk>
+ * Date: Fri Feb 7 16:05:21 2020 -0700
+ *
+ * io_uring: grab ->fs as part of async preparation
+ */
+
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include "tst_test.h"
+#include "tst_safe_io_uring.h"
+
+#define CHROOT_DIR "test_root"
+#define SOCK_NAME "sock"
+#define SPAM_MARK 0xfa7
+#define BEEF_MARK 0xbeef
+
+static struct sockaddr_un addr;
+static int sendsock = -1, recvsock = -1, sockpair[2] = {-1, -1};
+static struct io_uring_params params;
+static struct tst_io_uring uring = { .fd = -1 };
+static char buf[16];
+static struct iovec iov = {
+ .iov_base = buf,
+ .iov_len = sizeof(buf)
+};
+
+static struct msghdr spam_header = {
+ .msg_name = NULL,
+ .msg_namelen = 0,
+ .msg_iov = &iov,
+ .msg_iovlen = 1
+};
+
+static struct msghdr beef_header = {
+ .msg_name = &addr,
+ .msg_namelen = sizeof(addr),
+ .msg_iov = &iov,
+ .msg_iovlen = 1
+};
+
+static void setup(void)
+{
+ char *tmpdir = tst_get_tmpdir();
+ int ret;
+
+ addr.sun_family = AF_UNIX;
+ ret = snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/%s", tmpdir,
+ SOCK_NAME);
+ free(tmpdir);
+
+ if (ret >= (int)sizeof(addr.sun_path))
+ tst_brk(TBROK, "Tempdir path is too long");
+
+ io_uring_setup_supported_by_kernel();
+
+ sendsock = SAFE_SOCKET(AF_UNIX, SOCK_DGRAM, 0);
+ recvsock = SAFE_SOCKET(AF_UNIX, SOCK_DGRAM, 0);
+ SAFE_BIND(recvsock, (struct sockaddr *)&addr, sizeof(addr));
+
+ SAFE_MKDIR(CHROOT_DIR, 0755);
+ SAFE_CHROOT(CHROOT_DIR);
+}
+
+static void run(void)
+{
+ uint32_t i, count, tail;
+ int beef_found = 0;
+ struct io_uring_sqe *sqe_ptr;
+ const struct io_uring_cqe *cqe_ptr;
+
+ SAFE_SOCKETPAIR(AF_UNIX, SOCK_DGRAM, 0, sockpair);
+ SAFE_SETSOCKOPT_INT(sockpair[0], SOL_SOCKET, SO_SNDBUF,
+ 32+sizeof(buf));
+ SAFE_FCNTL(sockpair[0], F_SETFL, O_NONBLOCK);
+
+ SAFE_IO_URING_INIT(512, ¶ms, &uring);
+ sqe_ptr = uring.sqr_entries;
+
+ /* Add spam requests to force async processing of the real test */
+ for (i = 0, tail = *uring.sqr_tail; i < 255; i++, tail++, sqe_ptr++) {
+ memset(sqe_ptr, 0, sizeof(*sqe_ptr));
+ sqe_ptr->opcode = IORING_OP_SENDMSG;
+ sqe_ptr->flags = IOSQE_IO_DRAIN;
+ sqe_ptr->fd = sockpair[0];
+ sqe_ptr->addr = (__u64)&spam_header;
+ sqe_ptr->user_data = SPAM_MARK;
+ uring.sqr_array[tail & *uring.sqr_mask] = i;
+ }
+
+ /* Add the real test to queue */
+ memset(sqe_ptr, 0, sizeof(*sqe_ptr));
+ sqe_ptr->opcode = IORING_OP_SENDMSG;
+ sqe_ptr->flags = IOSQE_IO_DRAIN;
+ sqe_ptr->fd = sendsock;
+ sqe_ptr->addr = (__u64)&beef_header;
+ sqe_ptr->user_data = BEEF_MARK;
+ uring.sqr_array[tail & *uring.sqr_mask] = i;
+ count = ++i;
+ tail++;
+
+ __atomic_store(uring.sqr_tail, &tail, __ATOMIC_RELEASE);
+ SAFE_IO_URING_ENTER(1, uring.fd, count, count, IORING_ENTER_GETEVENTS,
+ NULL);
+
+ /* Check test results */
+ __atomic_load(uring.cqr_tail, &tail, __ATOMIC_ACQUIRE);
+
+ for (i = *uring.cqr_head; i != tail; i++, count--) {
+ cqe_ptr = uring.cqr_entries + (i & *uring.cqr_mask);
+ TST_ERR = -cqe_ptr->res;
+
+ if (cqe_ptr->user_data == SPAM_MARK) {
+ if (cqe_ptr->res >= 0 || cqe_ptr->res == -EAGAIN)
+ continue;
+
+ tst_res(TFAIL | TTERRNO,
+ "Spam request failed unexpectedly");
+ continue;
+ }
+
+ if (cqe_ptr->user_data != BEEF_MARK) {
+ tst_res(TFAIL, "Unexpected entry in completion queue");
+ count++;
+ continue;
+ }
+
+ beef_found = 1;
+
+ if (cqe_ptr->res >= 0) {
+ tst_res(TFAIL, "Write outside chroot succeeded.");
+ } else if (cqe_ptr->res != -ENOENT) {
+ tst_res(TFAIL | TTERRNO,
+ "Write outside chroot failed unexpectedly");
+ } else {
+ tst_res(TPASS,
+ "Write outside chroot failed as expected");
+ }
+ }
+
+ __atomic_store(uring.cqr_head, &i, __ATOMIC_RELEASE);
+
+ if (!beef_found)
+ tst_res(TFAIL, "Write outside chroot result not found");
+
+ if (count)
+ tst_res(TFAIL, "Wrong number of entries in completion queue");
+
+ /* iteration cleanup */
+ SAFE_IO_URING_CLOSE(&uring);
+ SAFE_CLOSE(sockpair[0]);
+ SAFE_CLOSE(sockpair[1]);
+}
+
+static void cleanup(void)
+{
+ if (uring.fd >= 0)
+ SAFE_IO_URING_CLOSE(&uring);
+
+ if (sockpair[0] >= 0) {
+ SAFE_CLOSE(sockpair[0]);
+ SAFE_CLOSE(sockpair[1]);
+ }
+
+ if (recvsock >= 0)
+ SAFE_CLOSE(recvsock);
+
+ if (sendsock >= 0)
+ SAFE_CLOSE(sendsock);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .needs_tmpdir = 1,
+ .caps = (struct tst_cap []) {
+ TST_CAP(TST_CAP_REQ, CAP_SYS_CHROOT),
+ {}
+ },
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "ff002b30181d"},
+ {"CVE", "2020-29373"},
+ {}
+ }
+};
Fixes #770 Signed-off-by: Martin Doucha <mdoucha@suse.cz> --- runtest/cve | 1 + runtest/syscalls | 1 + .../kernel/syscalls/io_uring/io_uring02.c | 197 ++++++++++++++++++ 3 files changed, 199 insertions(+) create mode 100644 testcases/kernel/syscalls/io_uring/io_uring02.c