Message ID | 20230213010924.12352-1-wegao@suse.com |
---|---|
State | Changes Requested |
Headers | show |
Series | [v3] fsconfig03: New test CVE-2022-0185 | expand |
Hello, Wei Gao via ltp <ltp@lists.linux.it> writes: > There are reproducers available for CVE-2022-0185 > https://www.openwall.com/lists/oss-security/2022/01/25/14 > > Also with links or even a zip file for an exploit > https://github.com/Crusaders-of-Rust/CVE-2022-0185 > > The exploits are kind of complicated as they try to be complete, > but the exploitation vector is the fsconfig() syscall, > this case used for add some coverage to that to detect it. This looks like a very good test. IMO we have the most success with reproducers, but they are hard to write sometimes. Please state on which kernel(s) you reproduced the bug and whether you think the test will reliably reproduce the bug. From my 10 minutes research it looks like a reliable buffer overflow, but it's always hard to be certain without being very thorough. > > Signed-off-by: Wei Gao <wegao@suse.com> > --- > runtest/cve | 2 + > runtest/syscalls | 1 + > testcases/kernel/syscalls/fsconfig/.gitignore | 1 + > .../kernel/syscalls/fsconfig/fsconfig03.c | 89 +++++++++++++++++++ > 4 files changed, 93 insertions(+) > create mode 100644 testcases/kernel/syscalls/fsconfig/fsconfig03.c > > diff --git a/runtest/cve b/runtest/cve > index 1ba63c2a7..7da3ff853 100644 > --- a/runtest/cve > +++ b/runtest/cve > @@ -77,3 +77,5 @@ cve-2022-2590 dirtyc0w_shmem > # Tests below may cause kernel memory leak > cve-2020-25704 perf_event_open03 > cve-2022-4378 cve-2022-4378 > +# Tests below may cause kernel crash > +cve-2022-0185 fsconfig03 > diff --git a/runtest/syscalls b/runtest/syscalls > index ae37a1192..b4cde8071 100644 > --- a/runtest/syscalls > +++ b/runtest/syscalls > @@ -383,6 +383,7 @@ fremovexattr02 fremovexattr02 > > fsconfig01 fsconfig01 > fsconfig02 fsconfig02 > +fsconfig03 fsconfig03 > > fsmount01 fsmount01 > fsmount02 fsmount02 > diff --git a/testcases/kernel/syscalls/fsconfig/.gitignore b/testcases/kernel/syscalls/fsconfig/.gitignore > index 2bc54b827..cfedae5f7 100644 > --- a/testcases/kernel/syscalls/fsconfig/.gitignore > +++ b/testcases/kernel/syscalls/fsconfig/.gitignore > @@ -1,2 +1,3 @@ > /fsconfig01 > /fsconfig02 > +/fsconfig03 > diff --git a/testcases/kernel/syscalls/fsconfig/fsconfig03.c b/testcases/kernel/syscalls/fsconfig/fsconfig03.c > new file mode 100644 > index 000000000..8db76484e > --- /dev/null > +++ b/testcases/kernel/syscalls/fsconfig/fsconfig03.c > @@ -0,0 +1,89 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (c) 2022 Alejandro Guerrero <aguerrero@...lys.com> > + * Copyright (c) 2023 Wei Gao <wegao@suse.com> > + */ > + > + > +/*\ > + * [Description] > + * > + * Test for CVE-2022-0185. > + * > + * References links: > + * - https://www.openwall.com/lists/oss-security/2022/01/25/14 > + * - https://github.com/Crusaders-of-Rust/CVE-2022-0185 > + */ > + > +#include "tst_test.h" > +#include "lapi/fsmount.h" > + > +#define MNTPOINT "mntpoint" > + > +static int fd = -1; > + > +static void setup(void) > +{ > + fsopen_supported_by_kernel(); > + > + TEST(fd = fsopen(tst_device->fs_type, 0)); > + if (fd == -1) > + tst_brk(TBROK | TTERRNO, "fsopen() failed"); > + > +} > + > +static void cleanup(void) > +{ > + if (fd != -1) > + SAFE_CLOSE(fd); > +} > + > +static void run(void) > +{ > + char *val = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; > + long pagesize; > + > + pagesize = sysconf(_SC_PAGESIZE); > + if (pagesize == -1) > + tst_brk(TBROK, "sysconf(_SC_PAGESIZE) failed"); > + > + for (size_t i = 0; i < 5000; i++) { > + if (!strcmp(tst_device->fs_type, "btrfs")) { > + /* use same logic in kernel legacy_parse_param function */ > + if (i * (strlen(val) + 2) + (strlen(val) + 1) + 2 > (size_t)pagesize) { > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), > + EINVAL); > + if (!TST_PASS) > + return; > + } else { > + TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); > + if (TST_ERR) > + return; We need to close and reopen the FD inside run() otherwise the test fails on BTRFS with -i2 because we have already filled the buffer. > + } > + } else { > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), > + EINVAL); > + if (!TST_PASS) > + return; > + } > + } This loop can be rewritten so that there are less branches and indentation. This makes it easier to read. for (size_t i = 0; i < 5000; i++) { /* use same logic in kernel legacy_parse_param function */ const size_t len = i * (strlen(val) + 2) + (strlen(val) + 1) + 2; if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize) { TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); if (TST_ERR) return; } else { TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), EINVAL); if (!TST_PASS) return; } } Otherwise the test looks good. > + > + tst_res(TPASS, "fsconfig() overflow on %s haven't triggerred crash", > + tst_device->fs_type); > +} > + > +static struct tst_test test = { > + .test_all = run, > + .setup = setup, > + .cleanup = cleanup, > + .needs_root = 1, > + .format_device = 1, > + .mntpoint = MNTPOINT, > + .all_filesystems = 1, > + .skip_filesystems = (const char *const []){"ntfs", "vfat", NULL}, > + .tags = (const struct tst_tag[]) { > + {"linux-git", "722d94847de29"}, > + {"CVE", "2022-0185"}, > + {} > + } > +}; > -- > 2.35.3
On Tue, Feb 14, 2023 at 11:05:24AM +0000, Richard Palethorpe wrote: > Hello, > > > +static void run(void) > > +{ > > + char *val = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; > > + long pagesize; > > + > > + pagesize = sysconf(_SC_PAGESIZE); > > + if (pagesize == -1) > > + tst_brk(TBROK, "sysconf(_SC_PAGESIZE) failed"); > > + > > + for (size_t i = 0; i < 5000; i++) { > > + if (!strcmp(tst_device->fs_type, "btrfs")) { > > + /* use same logic in kernel legacy_parse_param function */ > > + if (i * (strlen(val) + 2) + (strlen(val) + 1) + 2 > (size_t)pagesize) { > > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), > > + EINVAL); > > + if (!TST_PASS) > > + return; > > + } else { > > + TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); > > + if (TST_ERR) > > + return; > > We need to close and reopen the FD inside run() otherwise the test fails > on BTRFS with -i2 because we have already filled the buffer. Thanks for your feedback, i have some quesiton on this comments: The error will happen when buffer is full filled on btrfs(means buffer len > pagesize), this is normal and current logic verfiy this logic for btrfs. Are you mean we need create another fd and continue do fsconfig on new fd once first fsconfig fails happen ? Correct me if i have misunderstanding. > > > + } > > + } else { > > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), > > + EINVAL); > > + if (!TST_PASS) > > + return; > > + } > > + } > > This loop can be rewritten so that there are less branches and > indentation. This makes it easier to read. > > for (size_t i = 0; i < 5000; i++) { > /* use same logic in kernel legacy_parse_param function */ > const size_t len = i * (strlen(val) + 2) + (strlen(val) + 1) + 2; > > if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize) { > TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); > if (TST_ERR) > return; > } else { > TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), > EINVAL); > if (!TST_PASS) > return; > } > } > > > > -- > > 2.35.3 > > > -- > Thank you, > Richard.
Hello, Wei Gao <wegao@suse.com> writes: > On Tue, Feb 14, 2023 at 11:05:24AM +0000, Richard Palethorpe wrote: >> Hello, >> >> > +static void run(void) >> > +{ >> > + char *val = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; >> > + long pagesize; >> > + >> > + pagesize = sysconf(_SC_PAGESIZE); >> > + if (pagesize == -1) >> > + tst_brk(TBROK, "sysconf(_SC_PAGESIZE) failed"); >> > + >> > + for (size_t i = 0; i < 5000; i++) { >> > + if (!strcmp(tst_device->fs_type, "btrfs")) { >> > + /* use same logic in kernel legacy_parse_param function */ >> > + if (i * (strlen(val) + 2) + (strlen(val) + 1) + 2 > (size_t)pagesize) { >> > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), >> > + EINVAL); >> > + if (!TST_PASS) >> > + return; >> > + } else { >> > + TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); >> > + if (TST_ERR) >> > + return; >> >> We need to close and reopen the FD inside run() otherwise the test fails >> on BTRFS with -i2 because we have already filled the buffer. > Thanks for your feedback, i have some quesiton on this comments: > The error will happen when buffer is full filled on btrfs(means buffer len > pagesize), this is normal > and current logic verfiy this logic for btrfs. I'm not sure you understand what "-i2" means. The run() function can be called multiple times in a loop. If you do ./fsconfig03 -i2 then you will see the test fails. That's because it executes run() twice and the second time TST_EXP_PASS_SILENT fails. > Are you mean we need create another fd and continue do fsconfig on new fd once first fsconfig fails happen ? Correct > me if i have misunderstanding. This would also work. > >> >> > + } >> > + } else { >> > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), >> > + EINVAL); >> > + if (!TST_PASS) >> > + return; >> > + } >> > + } >> >> This loop can be rewritten so that there are less branches and >> indentation. This makes it easier to read. >> >> for (size_t i = 0; i < 5000; i++) { >> /* use same logic in kernel legacy_parse_param function */ >> const size_t len = i * (strlen(val) + 2) + (strlen(val) + 1) + 2; >> >> if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize) { >> TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); >> if (TST_ERR) >> return; >> } else { >> TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), >> EINVAL); >> if (!TST_PASS) >> return; >> } >> } >> >> >> > -- >> > 2.35.3 >> >> >> -- >> Thank you, >> Richard.
On Thu, Feb 16, 2023 at 12:09:20PM +0000, Richard Palethorpe wrote: > Hello, > > >> We need to close and reopen the FD inside run() otherwise the test fails > >> on BTRFS with -i2 because we have already filled the buffer. > > Thanks for your feedback, i have some quesiton on this comments: > > The error will happen when buffer is full filled on btrfs(means buffer len > pagesize), this is normal > > and current logic verfiy this logic for btrfs. > > I'm not sure you understand what "-i2" means. The run() function can be > called multiple times in a loop. If you do ./fsconfig03 -i2 then you > will see the test fails. Yes, i do not understand "-i2" before but i know this now : ) I will update and will send new patch soon! > > That's because it executes run() twice and the second time > TST_EXP_PASS_SILENT fails. > > > Are you mean we need create another fd and continue do fsconfig on new fd once first fsconfig fails happen ? Correct > > me if i have misunderstanding. > > This would also work. > > > -- > Thank you, > Richard.
diff --git a/runtest/cve b/runtest/cve index 1ba63c2a7..7da3ff853 100644 --- a/runtest/cve +++ b/runtest/cve @@ -77,3 +77,5 @@ cve-2022-2590 dirtyc0w_shmem # Tests below may cause kernel memory leak cve-2020-25704 perf_event_open03 cve-2022-4378 cve-2022-4378 +# Tests below may cause kernel crash +cve-2022-0185 fsconfig03 diff --git a/runtest/syscalls b/runtest/syscalls index ae37a1192..b4cde8071 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -383,6 +383,7 @@ fremovexattr02 fremovexattr02 fsconfig01 fsconfig01 fsconfig02 fsconfig02 +fsconfig03 fsconfig03 fsmount01 fsmount01 fsmount02 fsmount02 diff --git a/testcases/kernel/syscalls/fsconfig/.gitignore b/testcases/kernel/syscalls/fsconfig/.gitignore index 2bc54b827..cfedae5f7 100644 --- a/testcases/kernel/syscalls/fsconfig/.gitignore +++ b/testcases/kernel/syscalls/fsconfig/.gitignore @@ -1,2 +1,3 @@ /fsconfig01 /fsconfig02 +/fsconfig03 diff --git a/testcases/kernel/syscalls/fsconfig/fsconfig03.c b/testcases/kernel/syscalls/fsconfig/fsconfig03.c new file mode 100644 index 000000000..8db76484e --- /dev/null +++ b/testcases/kernel/syscalls/fsconfig/fsconfig03.c @@ -0,0 +1,89 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2022 Alejandro Guerrero <aguerrero@...lys.com> + * Copyright (c) 2023 Wei Gao <wegao@suse.com> + */ + + +/*\ + * [Description] + * + * Test for CVE-2022-0185. + * + * References links: + * - https://www.openwall.com/lists/oss-security/2022/01/25/14 + * - https://github.com/Crusaders-of-Rust/CVE-2022-0185 + */ + +#include "tst_test.h" +#include "lapi/fsmount.h" + +#define MNTPOINT "mntpoint" + +static int fd = -1; + +static void setup(void) +{ + fsopen_supported_by_kernel(); + + TEST(fd = fsopen(tst_device->fs_type, 0)); + if (fd == -1) + tst_brk(TBROK | TTERRNO, "fsopen() failed"); + +} + +static void cleanup(void) +{ + if (fd != -1) + SAFE_CLOSE(fd); +} + +static void run(void) +{ + char *val = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; + long pagesize; + + pagesize = sysconf(_SC_PAGESIZE); + if (pagesize == -1) + tst_brk(TBROK, "sysconf(_SC_PAGESIZE) failed"); + + for (size_t i = 0; i < 5000; i++) { + if (!strcmp(tst_device->fs_type, "btrfs")) { + /* use same logic in kernel legacy_parse_param function */ + if (i * (strlen(val) + 2) + (strlen(val) + 1) + 2 > (size_t)pagesize) { + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), + EINVAL); + if (!TST_PASS) + return; + } else { + TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0)); + if (TST_ERR) + return; + } + } else { + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0), + EINVAL); + if (!TST_PASS) + return; + } + } + + tst_res(TPASS, "fsconfig() overflow on %s haven't triggerred crash", + tst_device->fs_type); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .needs_root = 1, + .format_device = 1, + .mntpoint = MNTPOINT, + .all_filesystems = 1, + .skip_filesystems = (const char *const []){"ntfs", "vfat", NULL}, + .tags = (const struct tst_tag[]) { + {"linux-git", "722d94847de29"}, + {"CVE", "2022-0185"}, + {} + } +};
There are reproducers available for CVE-2022-0185 https://www.openwall.com/lists/oss-security/2022/01/25/14 Also with links or even a zip file for an exploit https://github.com/Crusaders-of-Rust/CVE-2022-0185 The exploits are kind of complicated as they try to be complete, but the exploitation vector is the fsconfig() syscall, this case used for add some coverage to that to detect it. Signed-off-by: Wei Gao <wegao@suse.com> --- runtest/cve | 2 + runtest/syscalls | 1 + testcases/kernel/syscalls/fsconfig/.gitignore | 1 + .../kernel/syscalls/fsconfig/fsconfig03.c | 89 +++++++++++++++++++ 4 files changed, 93 insertions(+) create mode 100644 testcases/kernel/syscalls/fsconfig/fsconfig03.c