From: Pavel Begunkov <[email protected]>
To: Jens Axboe <[email protected]>, [email protected]
Cc: Petr Vorel <[email protected]>
Subject: [PATCH liburing] a test for CVE-2020-29373 (AF_UNIX path resolution)
Date: Fri, 12 Feb 2021 21:02:07 +0000 [thread overview]
Message-ID: <43f46a40dbc37bebf78f14d7738d5195dbb64460.1613163628.git.asml.silence@gmail.com> (raw)
Add a regression test for CVE-2020-29373 where io-wq do path resolution
issuing sendmsg, but doesn't have proper fs set up.
Reported-by: Petr Vorel <[email protected]>
Signed-off-by: Pavel Begunkov <[email protected]>
---
test/Makefile | 2 +
test/sendmsg_fs_cve.c | 193 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 195 insertions(+)
create mode 100644 test/sendmsg_fs_cve.c
diff --git a/test/Makefile b/test/Makefile
index 157ff95..7751eff 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -111,6 +111,7 @@ test_targets += \
timeout-overflow \
unlink \
wakeup-hang \
+ sendmsg_fs_cve \
# EOL
all_targets += $(test_targets)
@@ -238,6 +239,7 @@ test_srcs := \
timeout.c \
unlink.c \
wakeup-hang.c \
+ sendmsg_fs_cve.c \
# EOL
test_objs := $(patsubst %.c,%.ol,$(patsubst %.cc,%.ol,$(test_srcs)))
diff --git a/test/sendmsg_fs_cve.c b/test/sendmsg_fs_cve.c
new file mode 100644
index 0000000..85f271b
--- /dev/null
+++ b/test/sendmsg_fs_cve.c
@@ -0,0 +1,193 @@
+/*
+ * repro-CVE-2020-29373 -- Reproducer for CVE-2020-29373.
+ *
+ * Copyright (c) 2021 SUSE
+ * Author: Nicolai Stange <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <unistd.h>
+#include <syscall.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "liburing.h"
+
+/*
+ * This attempts to make the kernel issue a sendmsg() to
+ * path from io_uring's async io_sq_wq_submit_work().
+ *
+ * Unfortunately, IOSQE_ASYNC is available only from kernel version
+ * 5.6 onwards. To still force io_uring to process the request
+ * asynchronously from io_sq_wq_submit_work(), queue a couple of
+ * auxiliary requests all failing with EAGAIN before. This is
+ * implemented by writing repeatedly to an auxiliary O_NONBLOCK
+ * AF_UNIX socketpair with a small SO_SNDBUF.
+ */
+static int try_sendmsg_async(const char * const path)
+{
+ int snd_sock, r;
+ struct io_uring ring;
+ char sbuf[16] = {};
+ struct iovec siov = { .iov_base = &sbuf, .iov_len = sizeof(sbuf) };
+ struct sockaddr_un addr = {};
+ struct msghdr msg = {
+ .msg_name = &addr,
+ .msg_namelen = sizeof(addr),
+ .msg_iov = &siov,
+ .msg_iovlen = 1,
+ };
+ struct io_uring_cqe *cqe;
+ struct io_uring_sqe *sqe;
+
+ snd_sock = socket(AF_UNIX, SOCK_DGRAM, 0);
+ if (snd_sock < 0) {
+ perror("socket(AF_UNIX)");
+ return -1;
+ }
+
+ addr.sun_family = AF_UNIX;
+ strcpy(addr.sun_path, path);
+
+ r = io_uring_queue_init(512, &ring, 0);
+ if (r < 0) {
+ fprintf(stderr, "ring setup failed: %d\n", r);
+ goto close_iour;
+ }
+
+ sqe = io_uring_get_sqe(&ring);
+ if (!sqe) {
+ fprintf(stderr, "get sqe failed\n");
+ r = -EFAULT;
+ goto close_iour;
+ }
+
+ /* the actual one supposed to fail with -ENOENT. */
+ io_uring_prep_sendmsg(sqe, snd_sock, &msg, 0);
+ sqe->flags = IOSQE_ASYNC;
+ sqe->user_data = 255;
+
+ r = io_uring_submit(&ring);
+ if (r != 1) {
+ fprintf(stderr, "sqe submit failed: %d\n", r);
+ r = -EFAULT;
+ goto close_iour;
+ }
+
+ r = io_uring_wait_cqe(&ring, &cqe);
+ if (r < 0) {
+ fprintf(stderr, "wait completion %d\n", r);
+ r = -EFAULT;
+ goto close_iour;
+ }
+ if (cqe->user_data != 255) {
+ fprintf(stderr, "user data %d\n", r);
+ r = -EFAULT;
+ goto close_iour;
+ }
+ if (cqe->res != -ENOENT) {
+ r = 3;
+ fprintf(stderr,
+ "error: cqe %i: res=%i, but expected -ENOENT\n",
+ (int)cqe->user_data, (int)cqe->res);
+ }
+ io_uring_cqe_seen(&ring, cqe);
+
+close_iour:
+ io_uring_queue_exit(&ring);
+ close(snd_sock);
+ return r;
+}
+
+int main(int argc, char *argv[])
+{
+ int r;
+ char tmpdir[] = "/tmp/tmp.XXXXXX";
+ int rcv_sock;
+ struct sockaddr_un addr = {};
+ pid_t c;
+ int wstatus;
+
+ if (!mkdtemp(tmpdir)) {
+ perror("mkdtemp()");
+ return 1;
+ }
+
+ rcv_sock = socket(AF_UNIX, SOCK_DGRAM, 0);
+ if (rcv_sock < 0) {
+ perror("socket(AF_UNIX)");
+ r = 1;
+ goto rmtmpdir;
+ }
+
+ addr.sun_family = AF_UNIX;
+ snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/sock", tmpdir);
+
+ r = bind(rcv_sock, (struct sockaddr *)&addr,
+ sizeof(addr));
+ if (r < 0) {
+ perror("bind()");
+ close(rcv_sock);
+ r = 1;
+ goto rmtmpdir;
+ }
+
+ c = fork();
+ if (!c) {
+ close(rcv_sock);
+
+ if (chroot(tmpdir)) {
+ perror("chroot()");
+ return 1;
+ }
+
+ r = try_sendmsg_async(addr.sun_path);
+ if (r < 0) {
+ /* system call failure */
+ r = 1;
+ } else if (r) {
+ /* test case failure */
+ r += 1;
+ }
+ return r;
+ }
+
+ if (waitpid(c, &wstatus, 0) == (pid_t)-1) {
+ perror("waitpid()");
+ r = 1;
+ goto rmsock;
+ }
+ if (!WIFEXITED(wstatus)) {
+ fprintf(stderr, "child got terminated\n");
+ r = 1;
+ goto rmsock;
+ }
+ r = WEXITSTATUS(wstatus);
+ if (r)
+ fprintf(stderr, "error: Test failed\n");
+rmsock:
+ close(rcv_sock);
+ unlink(addr.sun_path);
+rmtmpdir:
+ rmdir(tmpdir);
+ return r;
+}
--
2.24.0
next reply other threads:[~2021-02-12 21:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-12 21:02 Pavel Begunkov [this message]
2021-02-12 21:03 ` [PATCH liburing] a test for CVE-2020-29373 (AF_UNIX path resolution) Pavel Begunkov
2021-02-12 21:13 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43f46a40dbc37bebf78f14d7738d5195dbb64460.1613163628.git.asml.silence@gmail.com \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox