
Add test for CVE 2022-4378

Message ID 20221216170922.21752-1-mdoucha@suse.cz
State Accepted

Commit Message

Martin Doucha Dec. 16, 2022, 5:09 p.m. UTC
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 runtest/cve                   |   1 +
 testcases/cve/.gitignore      |   1 +
 testcases/cve/cve-2022-4378.c | 108 ++++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 testcases/cve/cve-2022-4378.c

Comments

Richard Palethorpe Dec. 19, 2022, 9:30 a.m. UTC | #1
Hello,

Martin Doucha <mdoucha@suse.cz> writes:

> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
>  runtest/cve                   |   1 +
>  testcases/cve/.gitignore      |   1 +
>  testcases/cve/cve-2022-4378.c | 108 ++++++++++++++++++++++++++++++++++
>  3 files changed, 110 insertions(+)
>  create mode 100644 testcases/cve/cve-2022-4378.c
>
> diff --git a/runtest/cve b/runtest/cve
> index fd0305aa3..1ba63c2a7 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -76,3 +76,4 @@ cve-2022-0847 dirtypipe
>  cve-2022-2590 dirtyc0w_shmem
>  # Tests below may cause kernel memory leak
>  cve-2020-25704 perf_event_open03
> +cve-2022-4378 cve-2022-4378
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index eb0a8b37d..90e8b191c 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -10,4 +10,5 @@ stack_clash
>  cve-2017-17052
>  cve-2017-16939
>  cve-2017-17053
> +cve-2022-4378
>  icmp_rate_limit01
> diff --git a/testcases/cve/cve-2022-4378.c b/testcases/cve/cve-2022-4378.c
> new file mode 100644
> index 000000000..e1c5df325
> --- /dev/null
> +++ b/testcases/cve/cve-2022-4378.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
> + */
> +
> +/*\
> + * CVE 2022-4378
> + *
> + * Check that writing several pages worth of whitespace into /proc/sys files
> + * does not cause kernel stack overflow. Kernel bug fixed in:
> + *
> + * commit bce9332220bd677d83b19d21502776ad555a0e73
> + * Author: Linus Torvalds <torvalds@linux-foundation.org>
> + * Date:   Mon Dec 5 12:09:06 2022 -0800
> + *
> + * proc: proc_skip_spaces() shouldn't think it is working on C strings
> + */

Haha, OK, merged with minor fix to null terminate tags array (detected
by make check).
pvorel Dec. 19, 2022, 10:07 a.m. UTC | #2
Hi Martin,

> diff --git a/testcases/cve/cve-2022-4378.c 
> b/testcases/cve/cve-2022-4378.c
> new file mode 100644
> index 000000000..e1c5df325
> --- /dev/null
> +++ b/testcases/cve/cve-2022-4378.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
> + */
> +
> +/*\
nit: you used /*\ docparse start comment, but without any [...] mark,
thus nothing shows in generated docs.
There should have been either normal C comment /* or docparse [...] 
mark.

Kind regards,
Petr

> + * CVE 2022-4378
> + *
> + * Check that writing several pages worth of whitespace into /proc/sys 
> files
> + * does not cause kernel stack overflow. Kernel bug fixed in:
> + *
> + * commit bce9332220bd677d83b19d21502776ad555a0e73
> + * Author: Linus Torvalds <torvalds@linux-foundation.org>
> + * Date:   Mon Dec 5 12:09:06 2022 -0800
> + *
> + * proc: proc_skip_spaces() shouldn't think it is working on C strings
> + */
...
pvorel Dec. 19, 2022, 10:12 a.m. UTC | #3
On 2022-12-19 11:07, pvorel wrote:
> Hi Martin,
> 
>> diff --git a/testcases/cve/cve-2022-4378.c 
>> b/testcases/cve/cve-2022-4378.c
>> new file mode 100644
>> index 000000000..e1c5df325
>> --- /dev/null
>> +++ b/testcases/cve/cve-2022-4378.c
>> @@ -0,0 +1,108 @@
>> +// SPDX-License-Identifier: GPL-2.0-or-later
>> +/*
>> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
>> + */
>> +
>> +/*\
> nit: you used /*\ docparse start comment, but without any [...] mark,
> thus nothing shows in generated docs.
> There should have been either normal C comment /* or docparse [...] 
> mark.

I'm sorry, I was wrong: the text *appears* in generated docs, just
without any header.
Just the text contains too much details (given we have link to git 
commit in the table below):

... fixed in:

commit bce9332220bd677d83b19d21502776ad555a0e73 Author: Linus Torvalds 
<torvalds@linux-foundation.org> Date: Mon Dec 5 12:09:06 2022 -0800

Kind regards,
Petr

> 
> Kind regards,
> Petr
> 
>> + * CVE 2022-4378
>> + *
>> + * Check that writing several pages worth of whitespace into 
>> /proc/sys files
>> + * does not cause kernel stack overflow. Kernel bug fixed in:
>> + *
>> + * commit bce9332220bd677d83b19d21502776ad555a0e73
>> + * Author: Linus Torvalds <torvalds@linux-foundation.org>
>> + * Date:   Mon Dec 5 12:09:06 2022 -0800
>> + *
>> + * proc: proc_skip_spaces() shouldn't think it is working on C 
>> strings
>> + */
> ...
Richard Palethorpe Dec. 19, 2022, 2:31 p.m. UTC | #4
Hello,

pvorel <pvorel@suse.de> writes:

> On 2022-12-19 11:07, pvorel wrote:
>> Hi Martin,
>> 
>>> diff --git a/testcases/cve/cve-2022-4378.c
>>> b/testcases/cve/cve-2022-4378.c
>>> new file mode 100644
>>> index 000000000..e1c5df325
>>> --- /dev/null
>>> +++ b/testcases/cve/cve-2022-4378.c
>>> @@ -0,0 +1,108 @@
>>> +// SPDX-License-Identifier: GPL-2.0-or-later
>>> +/*
>>> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
>>> + */
>>> +
>>> +/*\
>> nit: you used /*\ docparse start comment, but without any [...] mark,
>> thus nothing shows in generated docs.
>> There should have been either normal C comment /* or docparse [...]
>> mark.
>
> I'm sorry, I was wrong, the text *appear* in generated docs, just
> without any header.

Perhaps make-check could validate the docparse string?

> Just the text contains too much details (given we have link to git
> commit in the table below):
>
> ... fixed in:
>
> commit bce9332220bd677d83b19d21502776ad555a0e73 Author: Linus Torvalds
> <torvalds@linux-foundation.org> Date: Mon Dec 5 12:09:06 2022 -0800

I think it is fine to even copy and paste the whole commit message. If
we list the wrong Git commit this may make it easier to see as well.

>
> Kind regards,
> Petr
>
>> Kind regards,
>> Petr
>> 
>>> + * CVE 2022-4378
>>> + *
>>> + * Check that writing several pages worth of whitespace into
>>> /proc/sys files
>>> + * does not cause kernel stack overflow. Kernel bug fixed in:
>>> + *
>>> + * commit bce9332220bd677d83b19d21502776ad555a0e73
>>> + * Author: Linus Torvalds <torvalds@linux-foundation.org>
>>> + * Date:   Mon Dec 5 12:09:06 2022 -0800
>>> + *
>>> + * proc: proc_skip_spaces() shouldn't think it is working on C
>>> strings
>>> + */
>> ...
Petr Vorel Dec. 19, 2022, 11:58 p.m. UTC | #5
Hi Richie,

> Hello,

> pvorel <pvorel@suse.de> writes:

> > On 2022-12-19 11:07, pvorel wrote:
> >> Hi Martin,

> >>> diff --git a/testcases/cve/cve-2022-4378.c
> >>> b/testcases/cve/cve-2022-4378.c
> >>> new file mode 100644
> >>> index 000000000..e1c5df325
> >>> --- /dev/null
> >>> +++ b/testcases/cve/cve-2022-4378.c
> >>> @@ -0,0 +1,108 @@
> >>> +// SPDX-License-Identifier: GPL-2.0-or-later
> >>> +/*
> >>> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
> >>> + */
> >>> +
> >>> +/*\
> >> nit: you used /*\ docparse start comment, but without any [...] mark,
> >> thus nothing shows in generated docs.
> >> There should have been either normal C comment /* or docparse [...]
> >> mark.

> > I'm sorry, I was wrong, the text *appear* in generated docs, just
> > without any header.

> Perhaps make-check could validate the docparse string?

+1, I was already thinking about it.

It would not help in the case below, but it's definitely worthwhile
(an error in the JSON would be caught by CI, but why not catch it early?)

> > Just the text contains too much details (given we have link to git
> > commit in the table below):

> > ... fixed in:

> > commit bce9332220bd677d83b19d21502776ad555a0e73 Author: Linus Torvalds
> > <torvalds@linux-foundation.org> Date: Mon Dec 5 12:09:06 2022 -0800

> I think it is fine to even copy and paste the whole commit message. If
> we list the wrong Git commit this may make it easier to see as well.

I'd just use the format for "Fixes:":

$ git log --pretty=format:"%h (\"%s\")" -1
bce9332220bd ("proc: proc_skip_spaces() shouldn't think it is working on C strings")


Kind regards,
Petr

Patch

diff --git a/runtest/cve b/runtest/cve
index fd0305aa3..1ba63c2a7 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -76,3 +76,4 @@  cve-2022-0847 dirtypipe
 cve-2022-2590 dirtyc0w_shmem
 # Tests below may cause kernel memory leak
 cve-2020-25704 perf_event_open03
+cve-2022-4378 cve-2022-4378
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index eb0a8b37d..90e8b191c 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -10,4 +10,5 @@  stack_clash
 cve-2017-17052
 cve-2017-16939
 cve-2017-17053
+cve-2022-4378
 icmp_rate_limit01
diff --git a/testcases/cve/cve-2022-4378.c b/testcases/cve/cve-2022-4378.c
new file mode 100644
index 000000000..e1c5df325
--- /dev/null
+++ b/testcases/cve/cve-2022-4378.c
@@ -0,0 +1,108 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
+ */
+
+/*\
+ * CVE 2022-4378
+ *
+ * Check that writing several pages worth of whitespace into /proc/sys files
+ * does not cause kernel stack overflow. Kernel bug fixed in:
+ *
+ * commit bce9332220bd677d83b19d21502776ad555a0e73
+ * Author: Linus Torvalds <torvalds@linux-foundation.org>
+ * Date:   Mon Dec 5 12:09:06 2022 -0800
+ *
+ * proc: proc_skip_spaces() shouldn't think it is working on C strings
+ */
+
+#include <stdlib.h>
+#include "tst_test.h"
+
+static char *buf;
+static unsigned int bufsize;
+static int fd = -1;
+
+static struct testcase {
+	const char *path;
+	int err;
+} testcase_list[] = {
+	{"/proc/sys/net/ipv4/icmp_ratelimit", EINVAL},
+	{"/proc/sys/net/ipv4/icmp_ratemask", EINVAL},
+	{"/proc/sys/net/ipv4/icmp_echo_ignore_all", EINVAL},
+	{"/proc/sys/net/ipv4/tcp_probe_interval", EINVAL},
+	{"/proc/sys/net/ipv4/tcp_keepalive_time", EINVAL},
+	{"/proc/sys/net/ipv4/tcp_notsent_lowat", EINVAL},
+	{"/proc/sys/net/ipv4/ip_local_reserved_ports", 0}
+};
+
+static void setup(void)
+{
+	tst_setup_netns();
+
+	bufsize = 2 * SAFE_SYSCONF(_SC_PAGESIZE);
+	buf = SAFE_MALLOC(bufsize);
+	memset(buf, '\n', bufsize);
+}
+
+static void run(unsigned int n)
+{
+	const struct testcase *tc = testcase_list + n;
+
+	if (access(tc->path, W_OK)) {
+		tst_res(TCONF | TERRNO, "Skipping %s", tc->path);
+		return;
+	}
+
+	tst_res(TINFO, "Writing whitespace to %s", tc->path);
+
+	fd = SAFE_OPEN(tc->path, O_WRONLY);
+	TEST(write(fd, buf, bufsize));
+	SAFE_CLOSE(fd);
+
+	if (TST_RET >= 0 && tc->err == 0) {
+		tst_res(TPASS, "write() passed as expected");
+	} else if (TST_RET >= 0) {
+		tst_res(TFAIL, "write() unexpectedly passed");
+	} else if (TST_RET != -1) {
+		tst_res(TFAIL | TTERRNO, "Invalid write() return value %ld",
+			TST_RET);
+	} else if (TST_ERR != tc->err) {
+		tst_res(TFAIL | TTERRNO, "write() returned unexpected error");
+	} else {
+		tst_res(TPASS | TTERRNO, "write() failed as expected");
+	}
+
+	if (tst_taint_check())
+		tst_res(TFAIL, "Kernel is vulnerable");
+}
+
+static void cleanup(void)
+{
+	if (fd >= 0)
+		SAFE_CLOSE(fd);
+
+	if (buf)
+		free(buf);
+}
+
+static struct tst_test test = {
+	.test = run,
+	.tcnt = ARRAY_SIZE(testcase_list),
+	.setup = setup,
+	.cleanup = cleanup,
+	.taint_check = TST_TAINT_W | TST_TAINT_D,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_USER_NS=y",
+		"CONFIG_NET_NS=y",
+		NULL
+	},
+	.save_restore = (const struct tst_path_val[]) {
+		{"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
+		{}
+	},
+	.tags = (const struct tst_tag[]) {
+		{"linux-git", "bce9332220bd"},
+		{"CVE", "2022-4378"},
+	}
+};
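Review bot: In `run()` the `TST_RET >= 0` branches treat a short write as a full pass; if a handler ever consumed fewer than `bufsize` bytes, the whitespace-skipping path this test targets would not have been driven through the whole buffer, so the verdict would be stronger with an explicit length check such as `} else if (TST_RET >= 0 && (size_t)TST_RET != bufsize) { tst_res(TFAIL, "Short write: %ld of %u bytes", TST_RET, bufsize);` placed before the existing `TST_RET >= 0` cases. In `cleanup()` the `if (buf)` guard around `free(buf)` is redundant since `free(NULL)` is a no-op, and the `fd >= 0` guard is only meaningful if `SAFE_CLOSE()` resets `fd` to -1 after the close in `run()` — I believe the LTP macro does, but it is worth confirming against the safe-macros header. The header comment could also state that on an unfixed kernel this write is likely to crash the machine rather than merely taint it, so the `Kernel is vulnerable` TFAIL after `tst_taint_check()` is a best-effort report and the test belongs in the runtest section reserved for potentially kernel-damaging tests, where the patch already places it.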