Message ID | 20221216170922.21752-1-mdoucha@suse.cz |
---|---|
State | Accepted |
Series | Add test for CVE 2022-4378 |
Hello, Martin Doucha <mdoucha@suse.cz> writes: > Signed-off-by: Martin Doucha <mdoucha@suse.cz> > --- > runtest/cve | 1 + > testcases/cve/.gitignore | 1 + > testcases/cve/cve-2022-4378.c | 108 ++++++++++++++++++++++++++++++++++ > 3 files changed, 110 insertions(+) > create mode 100644 testcases/cve/cve-2022-4378.c > > diff --git a/runtest/cve b/runtest/cve > index fd0305aa3..1ba63c2a7 100644 > --- a/runtest/cve > +++ b/runtest/cve > @@ -76,3 +76,4 @@ cve-2022-0847 dirtypipe > cve-2022-2590 dirtyc0w_shmem > # Tests below may cause kernel memory leak > cve-2020-25704 perf_event_open03 > +cve-2022-4378 cve-2022-4378 > diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore > index eb0a8b37d..90e8b191c 100644 > --- a/testcases/cve/.gitignore > +++ b/testcases/cve/.gitignore > @@ -10,4 +10,5 @@ stack_clash > cve-2017-17052 > cve-2017-16939 > cve-2017-17053 > +cve-2022-4378 > icmp_rate_limit01 > diff --git a/testcases/cve/cve-2022-4378.c b/testcases/cve/cve-2022-4378.c > new file mode 100644 > index 000000000..e1c5df325 > --- /dev/null > +++ b/testcases/cve/cve-2022-4378.c > @@ -0,0 +1,108 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz> > + */ > + > +/*\ > + * CVE 2022-4378 > + * > + * Check that writing several pages worth of whitespace into /proc/sys files > + * does not cause kernel stack overflow. Kernel bug fixed in: > + * > + * commit bce9332220bd677d83b19d21502776ad555a0e73 > + * Author: Linus Torvalds <torvalds@linux-foundation.org> > + * Date: Mon Dec 5 12:09:06 2022 -0800 > + * > + * proc: proc_skip_spaces() shouldn't think it is working on C strings > + */ Haha, OK, merged with minor fix to null terminate tags array (detected by make check).
Hi Martin, > diff --git a/testcases/cve/cve-2022-4378.c > b/testcases/cve/cve-2022-4378.c > new file mode 100644 > index 000000000..e1c5df325 > --- /dev/null > +++ b/testcases/cve/cve-2022-4378.c > @@ -0,0 +1,108 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz> > + */ > + > +/*\ nit: you used /*\ docparse start comment, but without any [...] mark, thus nothing shows in generated docs. There should have been either normal C comment /* or docparse [...] mark. Kind regards, Petr > + * CVE 2022-4378 > + * > + * Check that writing several pages worth of whitespace into /proc/sys > files > + * does not cause kernel stack overflow. Kernel bug fixed in: > + * > + * commit bce9332220bd677d83b19d21502776ad555a0e73 > + * Author: Linus Torvalds <torvalds@linux-foundation.org> > + * Date: Mon Dec 5 12:09:06 2022 -0800 > + * > + * proc: proc_skip_spaces() shouldn't think it is working on C strings > + */ ...
On 2022-12-19 11:07, pvorel wrote: > Hi Martin, > >> diff --git a/testcases/cve/cve-2022-4378.c >> b/testcases/cve/cve-2022-4378.c >> new file mode 100644 >> index 000000000..e1c5df325 >> --- /dev/null >> +++ b/testcases/cve/cve-2022-4378.c >> @@ -0,0 +1,108 @@ >> +// SPDX-License-Identifier: GPL-2.0-or-later >> +/* >> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz> >> + */ >> + >> +/*\ > nit: you used /*\ docparse start comment, but without any [...] mark, > thus nothing shows in generated docs. > There should have been either normal C comment /* or docparse [...] > mark. I'm sorry, I was wrong, the text *appear* in generated docs, just without any header. Just the text contains too much details (given we have link to git commit in the table below): ... fixed in: commit bce9332220bd677d83b19d21502776ad555a0e73 Author: Linus Torvalds <torvalds@linux-foundation.org> Date: Mon Dec 5 12:09:06 2022 -0800 Kind regards, Petr > > Kind regards, > Petr > >> + * CVE 2022-4378 >> + * >> + * Check that writing several pages worth of whitespace into >> /proc/sys files >> + * does not cause kernel stack overflow. Kernel bug fixed in: >> + * >> + * commit bce9332220bd677d83b19d21502776ad555a0e73 >> + * Author: Linus Torvalds <torvalds@linux-foundation.org> >> + * Date: Mon Dec 5 12:09:06 2022 -0800 >> + * >> + * proc: proc_skip_spaces() shouldn't think it is working on C >> strings >> + */ > ...
Hello, pvorel <pvorel@suse.de> writes: > On 2022-12-19 11:07, pvorel wrote: >> Hi Martin, >> >>> diff --git a/testcases/cve/cve-2022-4378.c >>> b/testcases/cve/cve-2022-4378.c >>> new file mode 100644 >>> index 000000000..e1c5df325 >>> --- /dev/null >>> +++ b/testcases/cve/cve-2022-4378.c >>> @@ -0,0 +1,108 @@ >>> +// SPDX-License-Identifier: GPL-2.0-or-later >>> +/* >>> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz> >>> + */ >>> + >>> +/*\ >> nit: you used /*\ docparse start comment, but without any [...] mark, >> thus nothing shows in generated docs. >> There should have been either normal C comment /* or docparse [...] >> mark. > > I'm sorry, I was wrong, the text *appear* in generated docs, just > without any header. Perhaps make-check could validate the docparse string? > Just the text contains too much details (given we have link to git > commit in the table below): > > ... fixed in: > > commit bce9332220bd677d83b19d21502776ad555a0e73 Author: Linus Torvalds > <torvalds@linux-foundation.org> Date: Mon Dec 5 12:09:06 2022 -0800 I think it is fine to even copy and paste the whole commit message. If we list the wrong Git commit this may make it easier to see as well. > > Kind regards, > Petr > >> Kind regards, >> Petr >> >>> + * CVE 2022-4378 >>> + * >>> + * Check that writing several pages worth of whitespace into >>> /proc/sys files >>> + * does not cause kernel stack overflow. Kernel bug fixed in: >>> + * >>> + * commit bce9332220bd677d83b19d21502776ad555a0e73 >>> + * Author: Linus Torvalds <torvalds@linux-foundation.org> >>> + * Date: Mon Dec 5 12:09:06 2022 -0800 >>> + * >>> + * proc: proc_skip_spaces() shouldn't think it is working on C >>> strings >>> + */ >> ...
Hi Richie, > Hello, > pvorel <pvorel@suse.de> writes: > > On 2022-12-19 11:07, pvorel wrote: > >> Hi Martin, > >>> diff --git a/testcases/cve/cve-2022-4378.c > >>> b/testcases/cve/cve-2022-4378.c > >>> new file mode 100644 > >>> index 000000000..e1c5df325 > >>> --- /dev/null > >>> +++ b/testcases/cve/cve-2022-4378.c > >>> @@ -0,0 +1,108 @@ > >>> +// SPDX-License-Identifier: GPL-2.0-or-later > >>> +/* > >>> + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz> > >>> + */ > >>> + > >>> +/*\ > >> nit: you used /*\ docparse start comment, but without any [...] mark, > >> thus nothing shows in generated docs. > >> There should have been either normal C comment /* or docparse [...] > >> mark. > > I'm sorry, I was wrong, the text *appear* in generated docs, just > > without any header. > Perhaps make-check could validate the docparse string? +1, I was already thinking about it. It would not help in the case below, but it's definitely worth (error in JSON will be caught by CI, but why not to catch it early?) > > Just the text contains too much details (given we have link to git > > commit in the table below): > > ... fixed in: > > commit bce9332220bd677d83b19d21502776ad555a0e73 Author: Linus Torvalds > > <torvalds@linux-foundation.org> Date: Mon Dec 5 12:09:06 2022 -0800 > I think it is fine to even copy and paste the whole commit message. If > we list the wrong Git commit this may make it easier to see as well. I'd just use the format for "Fixes:": $ git log --pretty=format:"%h (\"%s\")" -1 bce9332220bd ("proc: proc_skip_spaces() shouldn't think it is working on C strings") Kind regards, Petr
diff --git a/runtest/cve b/runtest/cve index fd0305aa3..1ba63c2a7 100644 --- a/runtest/cve +++ b/runtest/cve @@ -76,3 +76,4 @@ cve-2022-0847 dirtypipe cve-2022-2590 dirtyc0w_shmem # Tests below may cause kernel memory leak cve-2020-25704 perf_event_open03 +cve-2022-4378 cve-2022-4378 diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore index eb0a8b37d..90e8b191c 100644 --- a/testcases/cve/.gitignore +++ b/testcases/cve/.gitignore @@ -10,4 +10,5 @@ stack_clash cve-2017-17052 cve-2017-16939 cve-2017-17053 +cve-2022-4378 icmp_rate_limit01 diff --git a/testcases/cve/cve-2022-4378.c b/testcases/cve/cve-2022-4378.c new file mode 100644 index 000000000..e1c5df325 --- /dev/null +++ b/testcases/cve/cve-2022-4378.c 
@@ -0,0 +1,108 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz> + */ + +/*\ + * CVE 2022-4378 + * + * Check that writing several pages worth of whitespace into /proc/sys files + * does not cause kernel stack overflow. Kernel bug fixed in: + * + * commit bce9332220bd677d83b19d21502776ad555a0e73 + * Author: Linus Torvalds <torvalds@linux-foundation.org> + * Date: Mon Dec 5 12:09:06 2022 -0800 + * + * proc: proc_skip_spaces() shouldn't think it is working on C strings + */ + +#include <stdlib.h> +#include "tst_test.h" + +static char *buf; +static unsigned int bufsize; +static int fd = -1; + +static struct testcase { + const char *path; + int err; +} testcase_list[] = { + {"/proc/sys/net/ipv4/icmp_ratelimit", EINVAL}, + {"/proc/sys/net/ipv4/icmp_ratemask", EINVAL}, + {"/proc/sys/net/ipv4/icmp_echo_ignore_all", EINVAL}, + {"/proc/sys/net/ipv4/tcp_probe_interval", EINVAL}, + {"/proc/sys/net/ipv4/tcp_keepalive_time", EINVAL}, + {"/proc/sys/net/ipv4/tcp_notsent_lowat", EINVAL}, + {"/proc/sys/net/ipv4/ip_local_reserved_ports", 0} +}; + +static void setup(void) +{ + tst_setup_netns(); + + bufsize = 2 * SAFE_SYSCONF(_SC_PAGESIZE); + buf = SAFE_MALLOC(bufsize); + memset(buf, '\n', bufsize); +} + +static void run(unsigned int n) +{ + const struct testcase *tc = testcase_list + n; + + if (access(tc->path, W_OK)) { + tst_res(TCONF | TERRNO, "Skipping %s", tc->path); + return; + } + + tst_res(TINFO, "Writing whitespace to %s", tc->path); + + fd = SAFE_OPEN(tc->path, O_WRONLY); + TEST(write(fd, buf, bufsize)); + SAFE_CLOSE(fd); + + if (TST_RET >= 0 && tc->err == 0) { + tst_res(TPASS, "write() passed as expected"); + } else if (TST_RET >= 0) { + tst_res(TFAIL, "write() unexpectedly passed"); + } else if (TST_RET != -1) { + tst_res(TFAIL | TTERRNO, "Invalid write() return value %ld", + TST_RET); + } else if (TST_ERR != tc->err) { + tst_res(TFAIL | TTERRNO, "write() returned unexpected error"); + } else { + tst_res(TPASS | TTERRNO, 
"write() failed as expected"); + } + + if (tst_taint_check()) + tst_res(TFAIL, "Kernel is vulnerable"); +} + +static void cleanup(void) +{ + if (fd >= 0) + SAFE_CLOSE(fd); + + if (buf) + free(buf); +} + +static struct tst_test test = { + .test = run, + .tcnt = ARRAY_SIZE(testcase_list), + .setup = setup, + .cleanup = cleanup, + .taint_check = TST_TAINT_W | TST_TAINT_D, + .needs_kconfigs = (const char *[]) { + "CONFIG_USER_NS=y", + "CONFIG_NET_NS=y", + NULL + }, + .save_restore = (const struct tst_path_val[]) { + {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP}, + {} + }, + .tags = (const struct tst_tag[]) { + {"linux-git", "bce9332220bd"}, + {"CVE", "2022-4378"}, + } +};
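Review bot: in the runtest/cve hunk the new `cve-2022-4378 cve-2022-4378` line lands under the `# Tests below may cause kernel memory leak` comment, next to `cve-2020-25704 perf_event_open03`, which labels it as a test known to leak kernel memory. The test itself only writes newlines into a handful of /proc/sys files inside a fresh netns; if it is placed there on purpose (for example because an oops on a vulnerable kernel can leak), say so in the commit message, otherwise insert the entry above the comment, right after `cve-2022-2590 dirtyc0w_shmem`.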
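Review bot: the `.tags` array in the cve-2022-4378.c hunk is not terminated: it ends with `{"CVE", "2022-4378"},` followed directly by the closing `}`, with no empty `{}` sentinel, so the library will read past the last tag when it prints them; add `{}` after the CVE entry, as the `.save_restore` array in the same struct already does (the merge reply confirms make check caught exactly this). Two smaller points in the same file: the header comment opens with the docparse marker `/*\` but carries no `[...]` section mark, so the text reaches the generated docs without a heading, and it repeats the commit/Author/Date block that the `linux-git` tag already links; a `[Description]` mark plus the one-line reference `bce9332220bd ("proc: proc_skip_spaces() shouldn't think it is working on C strings")` is enough. And in run(), the taint branch reports a bare "Kernel is vulnerable" while every other result names the file, so when the check fires the log does not say which /proc/sys path triggered it; include tc->path in that tst_res() call.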
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
 runtest/cve                   |   1 +
 testcases/cve/.gitignore      |   1 +
 testcases/cve/cve-2022-4378.c | 108 ++++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 testcases/cve/cve-2022-4378.c
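The bug class behind the test above, as an added userspace model that is not code from the LTP patch or from the kernel: a whitespace-skipping helper written for NUL-terminated C strings is handed a sized, unterminated user buffer, and when the whole buffer is whitespace the scan runs off its end (the test header calls the kernel-side effect a stack overflow). The bounded variant carries the remaining length alongside the pointer, which is the shape of the upstream fix. The names skip_spaces_unbounded, skip_spaces_bounded, parse_int_field, the arena layout and the all-newline input are this example's own assumptions; the kernel's proc_skip_spaces() is not reproduced here.

```c
/*
 * Added example, not part of the LTP patch or of the kernel: a userspace
 * model of the proc_skip_spaces() bug class fixed for CVE-2022-4378.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* C-string assumption: stops only at the first non-space byte, wherever it is. */
size_t skip_spaces_unbounded(const char *buf)
{
	const char *p = buf;

	while (isspace((unsigned char)*p))
		p++;
	return (size_t)(p - buf);
}

/* Fixed shape: never examines more than 'len' bytes of the user buffer. */
size_t skip_spaces_bounded(const char *buf, size_t len)
{
	size_t i = 0;

	while (i < len && isspace((unsigned char)buf[i]))
		i++;
	return i;
}

/*
 * Constructed backing store: the first ARENA_INPUT bytes play the role of
 * the user buffer, the bytes after it stand in for whatever happens to sit
 * next to it in memory. Filling everything with '\n' mirrors the LTP
 * test's all-whitespace write; the final NUL only keeps the unbounded scan
 * inside this array so the demonstration itself stays well defined.
 */
#define ARENA_INPUT 16
#define ARENA_TOTAL 64
static char arena[ARENA_TOTAL];

static void fill_arena(void)
{
	memset(arena, '\n', ARENA_TOTAL - 1);
	arena[ARENA_TOTAL - 1] = '\0';
}

/* Bytes the unbounded scan reads beyond the 16-byte "user buffer". */
size_t overshoot_unbounded(void)
{
	fill_arena();
	return skip_spaces_unbounded(arena) - ARENA_INPUT;
}

/* Same input, bounded scan: must stop exactly at the buffer end. */
size_t overshoot_bounded(void)
{
	size_t n;

	fill_arena();
	n = skip_spaces_bounded(arena, ARENA_INPUT);
	return n > ARENA_INPUT ? n - ARENA_INPUT : 0;
}

/*
 * Sysctl-style integer field parser built on the bounded helper.
 * Returns 0 and stores the value, or -1 when no digits follow the
 * whitespace, which is the case the test expects to see as EINVAL.
 */
int parse_int_field(const char *buf, size_t len, long *out)
{
	size_t i = skip_spaces_bounded(buf, len);
	long v = 0;
	int neg = 0;

	if (i == len)
		return -1;
	if (buf[i] == '-') {
		neg = 1;
		i++;
	}
	if (i == len || !isdigit((unsigned char)buf[i]))
		return -1;
	for (; i < len && isdigit((unsigned char)buf[i]); i++)
		v = v * 10 + (buf[i] - '0');
	*out = neg ? -v : v;
	return 0;
}

int main(void)
{
	long v;

	printf("unbounded scan overshoots by %zu bytes\n", overshoot_unbounded());
	printf("bounded scan overshoots by %zu bytes\n", overshoot_bounded());
	printf("all-whitespace field parses: %d\n",
	       parse_int_field("\n\n\n\n", 4, &v));
	return 0;
}
```

The unbounded variant only stops because the constructed arena ends in a NUL; with the kernel's stack in the place of the arena there is no such guarantee, which is why the test writes two whole pages of newlines rather than a short string.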