[PATCH liburing] a test for CVE-2020-29373 (AF_UNIX path resolution)

[Pavel Begunkov <asml.silence@gmail.com>]

Add a regression test for CVE-2020-29373 where io-wq do path resolution
issuing sendmsg, but doesn't have proper fs set up.

Reported-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 test/Makefile         |   2 +
 test/sendmsg_fs_cve.c | 193 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 195 insertions(+)
 create mode 100644 test/sendmsg_fs_cve.c

diff --git a/test/Makefile b/test/Makefile
index 157ff95..7751eff 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -111,6 +111,7 @@ test_targets += \
 	timeout-overflow \
 	unlink \
 	wakeup-hang \
+	sendmsg_fs_cve \
 	# EOL
 
 all_targets += $(test_targets)
@@ -238,6 +239,7 @@ test_srcs := \
 	timeout.c \
 	unlink.c \
 	wakeup-hang.c \
+	sendmsg_fs_cve.c \
 	# EOL
 
 test_objs := $(patsubst %.c,%.ol,$(patsubst %.cc,%.ol,$(test_srcs)))
diff --git a/test/sendmsg_fs_cve.c b/test/sendmsg_fs_cve.c
new file mode 100644
index 0000000..85f271b
--- /dev/null
+++ b/test/sendmsg_fs_cve.c
@@ -0,0 +1,193 @@
+/*
+ * repro-CVE-2020-29373 -- Reproducer for CVE-2020-29373.
+ *
+ * Copyright (c) 2021 SUSE
+ * Author: Nicolai Stange <nstange@suse.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <unistd.h>
+#include <syscall.h>
+#include <stdio.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include "liburing.h"
+
+/*
+ * This attempts to make the kernel issue a sendmsg() to
+ * path from io_uring's async io_sq_wq_submit_work().
+ *
+ * Unfortunately, IOSQE_ASYNC is available only from kernel version
+ * 5.6 onwards. To still force io_uring to process the request
+ * asynchronously from io_sq_wq_submit_work(), queue a couple of
+ * auxiliary requests all failing with EAGAIN before. This is
+ * implemented by writing repeatedly to an auxiliary O_NONBLOCK
+ * AF_UNIX socketpair with a small SO_SNDBUF.
+ */
+static int try_sendmsg_async(const char * const path)
+{
+	int snd_sock, r;
+	struct io_uring ring;
+	char sbuf[16] = {};
+	struct iovec siov = { .iov_base = &sbuf, .iov_len = sizeof(sbuf) };
+	struct sockaddr_un addr = {};
+	struct msghdr msg = {
+		.msg_name = &addr,
+		.msg_namelen = sizeof(addr),
+		.msg_iov = &siov,
+		.msg_iovlen = 1,
+	};
+	struct io_uring_cqe *cqe;
+	struct io_uring_sqe *sqe;
+
+	snd_sock = socket(AF_UNIX, SOCK_DGRAM, 0);
+	if (snd_sock < 0) {
+		perror("socket(AF_UNIX)");
+		return -1;
+	}
+
+	addr.sun_family = AF_UNIX;
+	strcpy(addr.sun_path, path);
+
+	r = io_uring_queue_init(512, &ring, 0);
+	if (r < 0) {
+		fprintf(stderr, "ring setup failed: %d\n", r);
+		goto close_iour;
+	}
+
+	sqe = io_uring_get_sqe(&ring);
+	if (!sqe) {
+		fprintf(stderr, "get sqe failed\n");
+		r = -EFAULT;
+		goto close_iour;
+	}
+
+	/* the actual one supposed to fail with -ENOENT. */
+	io_uring_prep_sendmsg(sqe, snd_sock, &msg, 0);
+	sqe->flags = IOSQE_ASYNC;
+	sqe->user_data = 255;
+
+	r = io_uring_submit(&ring);
+	if (r != 1) {
+		fprintf(stderr, "sqe submit failed: %d\n", r);
+		r = -EFAULT;
+		goto close_iour;
+	}
+
+	r = io_uring_wait_cqe(&ring, &cqe);
+	if (r < 0) {
+		fprintf(stderr, "wait completion %d\n", r);
+		r = -EFAULT;
+		goto close_iour;
+	}
+	if (cqe->user_data != 255) {
+		fprintf(stderr, "user data %d\n", r);
+		r = -EFAULT;
+		goto close_iour;
+	}
+	if (cqe->res != -ENOENT) {
+		r = 3;
+		fprintf(stderr,
+			"error: cqe %i: res=%i, but expected -ENOENT\n",
+			(int)cqe->user_data, (int)cqe->res);
+	}
+	io_uring_cqe_seen(&ring, cqe);
+
+close_iour:
+	io_uring_queue_exit(&ring);
+	close(snd_sock);
+	return r;
+}
+
+int main(int argc, char *argv[])
+{
+	int r;
+	char tmpdir[] = "/tmp/tmp.XXXXXX";
+	int rcv_sock;
+	struct sockaddr_un addr = {};
+	pid_t c;
+	int wstatus;
+
+	if (!mkdtemp(tmpdir)) {
+		perror("mkdtemp()");
+		return 1;
+	}
+
+	rcv_sock = socket(AF_UNIX, SOCK_DGRAM, 0);
+	if (rcv_sock < 0) {
+		perror("socket(AF_UNIX)");
+		r = 1;
+		goto rmtmpdir;
+	}
+
+	addr.sun_family = AF_UNIX;
+	snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/sock", tmpdir);
+
+	r = bind(rcv_sock, (struct sockaddr *)&addr,
+		 sizeof(addr));
+	if (r < 0) {
+		perror("bind()");
+		close(rcv_sock);
+		r = 1;
+		goto rmtmpdir;
+	}
+
+	c = fork();
+	if (!c) {
+		close(rcv_sock);
+
+		if (chroot(tmpdir)) {
+			perror("chroot()");
+			return 1;
+		}
+
+		r = try_sendmsg_async(addr.sun_path);
+		if (r < 0) {
+			/* system call failure */
+			r = 1;
+		} else if (r) {
+			/* test case failure */
+			r += 1;
+		}
+		return r;
+	}
+
+	if (waitpid(c, &wstatus, 0) == (pid_t)-1) {
+		perror("waitpid()");
+		r = 1;
+		goto rmsock;
+	}
+	if (!WIFEXITED(wstatus)) {
+		fprintf(stderr, "child got terminated\n");
+		r = 1;
+		goto rmsock;
+	}
+	r = WEXITSTATUS(wstatus);
+	if (r)
+		fprintf(stderr, "error: Test failed\n");
+rmsock:
+	close(rcv_sock);
+	unlink(addr.sun_path);
+rmtmpdir:
+	rmdir(tmpdir);
+	return r;
+}
-- 
2.24.0