[v2] security/dirtyc0w_shmem: Add new test for CVE-2022-2590

This test is based on the original reproducer [1] written by me.
The LTP adaption is implemented similar to the original dirtyc0w
test.

Try handling absence of userfaultfd minor fault mode support for
shmem gracefully.

[1] https://seclists.org/oss-sec/2022/q3/128

Cc: Cyril Hrubis <chrubis@suse.cz>
Signed-off-by: David Hildenbrand <david@redhat.com>
---

v1 -> v2:
* Use proper [Description] comment
* Make "child_early_exit" variable volatile as it's modified from a signal
  handler
* Use SAFE_FILE_PRINTF()+SAFE_CHMOD()
* Add ".needs_tmpdir" flag

---
 runtest/cve                                   |   1 +
 runtest/syscalls                              |   1 +
 .../kernel/security/dirtyc0w_shmem/.gitignore |   2 +
 .../kernel/security/dirtyc0w_shmem/Makefile   |   8 +
 .../security/dirtyc0w_shmem/dirtyc0w_shmem.c  | 121 +++++++++
 .../dirtyc0w_shmem/dirtyc0w_shmem_child.c     | 241 ++++++++++++++++++
 6 files changed, 374 insertions(+)
 create mode 100644 testcases/kernel/security/dirtyc0w_shmem/.gitignore
 create mode 100644 testcases/kernel/security/dirtyc0w_shmem/Makefile
 create mode 100644 testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem.c
 create mode 100644 testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c

Hi David,

> This test is based on the original reproducer [1] written by me.
> The LTP adaption is implemented similar to the original dirtyc0w
> test.

> Try handling absence of userfaultfd minor fault mode support for
> shmem gracefully.

Thanks a lot, merged.

Kind regards,
Petr

Hi,

On 23. 11. 22 11:35, David Hildenbrand wrote:
> +	pid = SAFE_FORK();
> +	if (!pid) {
> +		SAFE_SETGID(nobody_gid);
> +		SAFE_SETUID(nobody_uid);
> +		SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);

Manpage says that the last argument of execlp() must be (char*)NULL, 
including the explicit typecast.

> +#else /* UFFD_FEATURE_MINOR_SHMEM */
> +#include "tst_test.h"
> +TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
> +#endif /* UFFD_FEATURE_MINOR_SHMEM */

When the child exits through this TST_TEST_TCONF(), the 
TST_CHECKPOINT_WAIT() in parent will fail. The parent process should not 
even fork() when UFFD_FEATURE_MINOR_SHMEM is not defined in config.h.

Hi Martin,

> Hi,

> On 23. 11. 22 11:35, David Hildenbrand wrote:
> > +	pid = SAFE_FORK();
> > +	if (!pid) {
> > +		SAFE_SETGID(nobody_gid);
> > +		SAFE_SETUID(nobody_uid);
> > +		SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);

> Manpage says that the last argument of execlp() must be (char*)NULL,
> including the explicit typecast.
I was too fast here (already merged).

You're right, although we use execlp() or SAFE_EXECLP with just NULL on many
places, including testing execlp() itself in execlp01.c. I guess we should fix
that.

> > +#else /* UFFD_FEATURE_MINOR_SHMEM */
> > +#include "tst_test.h"
> > +TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
> > +#endif /* UFFD_FEATURE_MINOR_SHMEM */

> When the child exits through this TST_TEST_TCONF(), the
> TST_CHECKPOINT_WAIT() in parent will fail. The parent process should not
> even fork() when UFFD_FEATURE_MINOR_SHMEM is not defined in config.h.
+1, this should be fixed. Please let us know if you don't have time to send fix
yourself.

Kind regards,
Petr

On 25.11.22 10:53, Martin Doucha wrote:
> Hi,
> 

Hi Martin,

> On 23. 11. 22 11:35, David Hildenbrand wrote:
>> +	pid = SAFE_FORK();
>> +	if (!pid) {
>> +		SAFE_SETGID(nobody_gid);
>> +		SAFE_SETUID(nobody_uid);
>> +		SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);
> 
> Manpage says that the last argument of execlp() must be (char*)NULL,
> including the explicit typecast.

$ git grep SAFE_EXECLP | grep NULL
testcases/kernel/connectors/pec/event_generator.c:      SAFE_EXECLP(prog_name, prog_name, "-e", "exec", "-n", buf, NULL);
testcases/kernel/security/dirtyc0w/dirtyc0w.c:          SAFE_EXECLP("dirtyc0w_child", "dirtyc0w_child",NULL);
testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem.c:              SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);
testcases/kernel/syscalls/pipe2/pipe2_02.c:             SAFE_EXECLP(TESTBIN, TESTBIN, buf, NULL);
testcases/kernel/syscalls/setpgid/setpgid03.c:          SAFE_EXECLP(TEST_APP, TEST_APP, NULL);
testcases/kernel/syscalls/setrlimit/setrlimit04.c:              SAFE_EXECLP("/bin/true", "/bin/true", NULL);

> 
>> +#else /* UFFD_FEATURE_MINOR_SHMEM */
>> +#include "tst_test.h"
>> +TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
>> +#endif /* UFFD_FEATURE_MINOR_SHMEM */
> 
> When the child exits through this TST_TEST_TCONF(), the
> TST_CHECKPOINT_WAIT() in parent will fail. The parent process should not
> even fork() when UFFD_FEATURE_MINOR_SHMEM is not defined in config.h.

Thanks, you're right, that's the remaining case that doesn't
make the checkpoint happy.

I tried handling TCONF in the parent and it got all very ugly.
The following should do the trick:


 From fb13df0ea9e477b8e903d3ef4df317e548200a86 Mon Sep 17 00:00:00 2001
From: David Hildenbrand <david@redhat.com>
Date: Fri, 25 Nov 2022 05:12:26 -0500
Subject: [PATCH v1] security/dirtyc0w_shmem: Fix test result when
  UFFD_FEATURE_MINOR_SHMEM is missing

We have make the checkpoint happy, otherwise our parent process will run
into a timeout.

Reported-by: Martin Doucha <mdoucha@suse.cz>
Signed-off-by: David Hildenbrand <david@redhat.com>
---
  .../security/dirtyc0w_shmem/dirtyc0w_shmem_child.c   | 12 ++++++++----
  1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c b/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c
index cb2e9df0c..eac128e5d 100644
--- a/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c
+++ b/testcases/kernel/security/dirtyc0w_shmem/dirtyc0w_shmem_child.c
@@ -24,12 +24,12 @@
  #include <linux/userfaultfd.h>
  #endif
  
-#ifdef UFFD_FEATURE_MINOR_SHMEM
-
  #define TST_NO_DEFAULT_MAIN
  #include "tst_test.h"
  #include "tst_safe_macros.h"
  #include "tst_safe_pthread.h"
+
+#ifdef UFFD_FEATURE_MINOR_SHMEM
  #include "lapi/syscalls.h"
  
  #define TMP_DIR "tmp_dirtyc0w_shmem"
@@ -236,6 +236,10 @@ int main(void)
  	return 0;
  }
  #else /* UFFD_FEATURE_MINOR_SHMEM */
-#include "tst_test.h"
-TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
+int main(void)
+{
+	tst_reinit();
+	TST_CHECKPOINT_WAKE(0);
+	tst_brk(TCONF, "System does not have userfaultfd minor fault support for shmem");
+}
  #endif /* UFFD_FEATURE_MINOR_SHMEM */

On 25.11.22 11:06, Petr Vorel wrote:
> Hi Martin,
> 
>> Hi,
> 
>> On 23. 11. 22 11:35, David Hildenbrand wrote:
>>> +	pid = SAFE_FORK();
>>> +	if (!pid) {
>>> +		SAFE_SETGID(nobody_gid);
>>> +		SAFE_SETUID(nobody_uid);
>>> +		SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);
> 
>> Manpage says that the last argument of execlp() must be (char*)NULL,
>> including the explicit typecast.
> I was too fast here (already merged).
> 
> You're right, although we use execlp() or SAFE_EXECLP with just NULL on many
> places, including testing execlp() itself in execlp01.c. I guess we should fix
> that.

See my other mail, it's the case on all instances that pass NULL (and I 
don't really see the need to do this when working with NULL.

> 
>>> +#else /* UFFD_FEATURE_MINOR_SHMEM */
>>> +#include "tst_test.h"
>>> +TST_TEST_TCONF("System does not have userfaultfd minor fault support for shmem");
>>> +#endif /* UFFD_FEATURE_MINOR_SHMEM */
> 
>> When the child exits through this TST_TEST_TCONF(), the
>> TST_CHECKPOINT_WAIT() in parent will fail. The parent process should not
>> even fork() when UFFD_FEATURE_MINOR_SHMEM is not defined in config.h.
> +1, this should be fixed. Please let us know if you don't have time to send fix
> yourself.

Let me know if I should send the fixup as an official, separate patch.

Thanks all!

On 25. 11. 22 11:20, David Hildenbrand wrote:
> See my other mail, it's the case on all instances that pass NULL (and I 
> don't really see the need to do this when working with NULL.

NULL may be defined as simple integer 0. When int is 32bit and pointers 
64bit, this will cause trouble in variadic functions such as execlp(). 
You do not need to remind us that LTP tests have lots of bugs, we know.

On 25.11.22 11:25, Martin Doucha wrote:
> On 25. 11. 22 11:20, David Hildenbrand wrote:
>> See my other mail, it's the case on all instances that pass NULL (and I
>> don't really see the need to do this when working with NULL.
> 
> NULL may be defined as simple integer 0. When int is 32bit and pointers
> 64bit, this will cause trouble in variadic functions such as execlp().
> You do not need to remind us that LTP tests have lots of bugs, we know.

I can send a fixup patch for all these instances.

On 23. 11. 22 11:35, David Hildenbrand wrote:
> +	uffdio_api.api = UFFD_API;
> +	uffdio_api.features = UFFD_FEATURE_MINOR_SHMEM;
> +	TEST(ioctl(uffd, UFFDIO_API, &uffdio_api));
> +	if (TST_RET < 0) {

One more thing, checking just the ioctl() return value here is not 
enough. You need to check that uffdio_api.features still includes the 
UFFD_FEATURE_MINOR_SHMEM flag after the call. PPC64 does not seem to 
support it on kernel 5.14 and the ioctl() still succeeds there.

Hi Martin, David,

> On 23. 11. 22 11:35, David Hildenbrand wrote:
> > +	uffdio_api.api = UFFD_API;
> > +	uffdio_api.features = UFFD_FEATURE_MINOR_SHMEM;
> > +	TEST(ioctl(uffd, UFFDIO_API, &uffdio_api));
> > +	if (TST_RET < 0) {

> One more thing, checking just the ioctl() return value here is not enough.
> You need to check that uffdio_api.features still includes the
> UFFD_FEATURE_MINOR_SHMEM flag after the call. PPC64 does not seem to support
> it on kernel 5.14 and the ioctl() still succeeds there.
Very good catch, thanks!

David, please send official patch (speedups merging). Thanks a lot!

Kind regards,
Petr

> On 25.11.22 11:25, Martin Doucha wrote:
> > On 25. 11. 22 11:20, David Hildenbrand wrote:
> > > See my other mail, it's the case on all instances that pass NULL (and I
> > > don't really see the need to do this when working with NULL.

> > NULL may be defined as simple integer 0. When int is 32bit and pointers
> > 64bit, this will cause trouble in variadic functions such as execlp().
> > You do not need to remind us that LTP tests have lots of bugs, we know.

> I can send a fixup patch for all these instances.

Thank you!

Kind regards,
Petr

On 25.11.22 11:39, Petr Vorel wrote:
> Hi Martin, David,
> 
>> On 23. 11. 22 11:35, David Hildenbrand wrote:
>>> +	uffdio_api.api = UFFD_API;
>>> +	uffdio_api.features = UFFD_FEATURE_MINOR_SHMEM;
>>> +	TEST(ioctl(uffd, UFFDIO_API, &uffdio_api));
>>> +	if (TST_RET < 0) {
> 
>> One more thing, checking just the ioctl() return value here is not enough.
>> You need to check that uffdio_api.features still includes the
>> UFFD_FEATURE_MINOR_SHMEM flag after the call. PPC64 does not seem to support
>> it on kernel 5.14 and the ioctl() still succeeds there.
> Very good catch, thanks!
> 
> David, please send official patch (speedups merging). Thanks a lot!

Interesting, thanks for testing! Will fix that as well and send a 
combined patch.

On 25.11.22 11:39, Petr Vorel wrote:
>> On 25.11.22 11:25, Martin Doucha wrote:
>>> On 25. 11. 22 11:20, David Hildenbrand wrote:
>>>> See my other mail, it's the case on all instances that pass NULL (and I
>>>> don't really see the need to do this when working with NULL.
> 
>>> NULL may be defined as simple integer 0. When int is 32bit and pointers
>>> 64bit, this will cause trouble in variadic functions such as execlp().
>>> You do not need to remind us that LTP tests have lots of bugs, we know.
> 
>> I can send a fixup patch for all these instances.
> 
> Thank you!

The list of SAFE_EXEC* was fairly short, now I discovered manual execl*
usage... let me get a patch ready to fix all these :)

Hi!
> > +	pid = SAFE_FORK();
> > +	if (!pid) {
> > +		SAFE_SETGID(nobody_gid);
> > +		SAFE_SETUID(nobody_uid);
> > +		SAFE_EXECLP("dirtyc0w_shmem_child", "dirtyc0w_shmem_child", NULL);
> 
> Manpage says that the last argument of execlp() must be (char*)NULL, 
> including the explicit typecast.

I wonder if this is actually valid. Do you know in which way is
different ((char*)0) from ((void*)0) ?

On 25. 11. 22 15:22, Cyril Hrubis wrote:
>> Manpage says that the last argument of execlp() must be (char*)NULL,
>> including the explicit typecast.
> 
> I wonder if this is actually valid. Do you know in which way is
> different ((char*)0) from ((void*)0) ?

I think the point is that there's no guarantee that NULL will actually 
be defined as (void*)0. It can be defined as a plain integer instead. 
And it *IS* defined as plain integer when the header is #included in C++.

Hi!
> I think the point is that there's no guarantee that NULL will actually 
> be defined as (void*)0. It can be defined as a plain integer instead. 
> And it *IS* defined as plain integer when the header is #included in C++.

NULL is required to be 0 cast to void* in POSIX.

https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/stddef.h.html

So at least on POSIX-like systems in C NULL must be ((void*)0)