From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.4 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD72BC433E9 for ; Fri, 12 Feb 2021 21:07:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 85265601FF for ; Fri, 12 Feb 2021 21:07:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231896AbhBLVHy (ORCPT ); Fri, 12 Feb 2021 16:07:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38508 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231731AbhBLVHs (ORCPT ); Fri, 12 Feb 2021 16:07:48 -0500 Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E831DC061574 for ; Fri, 12 Feb 2021 13:07:07 -0800 (PST) Received: by mail-wr1-x42a.google.com with SMTP id g10so885249wrx.1 for ; Fri, 12 Feb 2021 13:07:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:references:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=pg1BkuPrbfd18fqyZpBd/KhweFR9SeT087f4mgUF+rU=; b=jFUq+7kEzfrtcM1dpD4ryIF82ZLDdc+domyOB3JyTdgVKWAX3eIFTGkxgd4+hjIxbP /fEBUzV7vIxy08cJFXb3UdicdEvAaY6CvVKbySMaPZ8IYXwqgv36hKATjcJO1pj0lqvC kV+ojMvcB3BSc+5x+JzJd8s/8uPYirsyRfmfR/IkH4DBuXBwOPz45egjooICq9HMfSPZ ZWF8z+yyIZHLC8OvfPwDtObu3rwPVPbdwUNmaKrC0+jEeB7seXJpoDACi9qZW7KFN2pc oYynkK0vwAHreurhazuje1HeLf9HpBhAcX5aIlH1ojk4d28nHKLIq1QRpHmcAudPi/XV kkdw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:references:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=pg1BkuPrbfd18fqyZpBd/KhweFR9SeT087f4mgUF+rU=; b=a89W4BYL8NtnO++JMBH0WP7cxyTp90V+EZt+seU7CDSOdPbaKJ7iQr7UgnRwtonizX QcC9feQd7ur3dvETONrkSGvnn7nKYYeeWDbZRPQldqqH2hTar0XB1/uhitUm5QXNHeTy guYUTtxgPQDF/R3tKK/R5YpGtQ7QED2E0zN8ds3WrIC4TKYow+bi10EaX+U+ndy5Iak1 QAJT/04Bph4jxvbVKskVjjmhBjd/YMHWK23iG6kP6Nyz842VLYC2h2bwL5aAKdO34Y1f PeN7Q4m21HQOZTWMRZhD/P3sAtTpGSnFuhEdYmfmMVrLBcajmhb5RDSob7cWNpOOebqH emCg== X-Gm-Message-State: AOAM532LfehhlYPwGI8m8rC+sWr1+LFpJO/oaqQU9LkBsvufmU8N7m3g 0E2qBn/+3PS785X8i7OfcRmS6vqseS92Gg== X-Google-Smtp-Source: ABdhPJzfadkkziQcal7vdCW5bYeL6a78aJMkwTayTdecC4xJJ2vGzRUfpqvV6f55v7e5KRmRkiqFKg== X-Received: by 2002:adf:f54c:: with SMTP id j12mr5456136wrp.175.1613164026712; Fri, 12 Feb 2021 13:07:06 -0800 (PST) Received: from [192.168.8.115] ([185.69.144.228]) by smtp.gmail.com with ESMTPSA id s10sm12316085wrm.5.2021.02.12.13.07.05 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 12 Feb 2021 13:07:06 -0800 (PST) Subject: Re: [PATCH liburing] a test for CVE-2020-29373 (AF_UNIX path resolution) From: Pavel Begunkov To: Jens Axboe , io-uring@vger.kernel.org Cc: Petr Vorel References: <43f46a40dbc37bebf78f14d7738d5195dbb64460.1613163628.git.asml.silence@gmail.com> Autocrypt: addr=asml.silence@gmail.com; prefer-encrypt=mutual; keydata= mQINBFmKBOQBEAC76ZFxLAKpDw0bKQ8CEiYJRGn8MHTUhURL02/7n1t0HkKQx2K1fCXClbps bdwSHrhOWdW61pmfMbDYbTj6ZvGRvhoLWfGkzujB2wjNcbNTXIoOzJEGISHaPf6E2IQx1ik9 6uqVkK1OMb7qRvKH0i7HYP4WJzYbEWVyLiAxUj611mC9tgd73oqZ2pLYzGTqF2j6a/obaqha +hXuWTvpDQXqcOZJXIW43atprH03G1tQs7VwR21Q1eq6Yvy2ESLdc38EqCszBfQRMmKy+cfp W3U9Mb1w0L680pXrONcnlDBCN7/sghGeMHjGKfNANjPc+0hzz3rApPxpoE7HC1uRiwC4et83 CKnncH1l7zgeBT9Oa3qEiBlaa1ZCBqrA4dY+z5fWJYjMpwI1SNp37RtF8fKXbKQg+JuUjAa9 Y6oXeyEvDHMyJYMcinl6xCqCBAXPHnHmawkMMgjr3BBRzODmMr+CPVvnYe7BFYfoajzqzq+h EyXSl3aBf0IDPTqSUrhbmjj5OEOYgRW5p+mdYtY1cXeK8copmd+fd/eTkghok5li58AojCba jRjp7zVOLOjDlpxxiKhuFmpV4yWNh5JJaTbwCRSd04sCcDNlJj+TehTr+o1QiORzc2t+N5iJ NbILft19Izdn8U39T5oWiynqa1qCLgbuFtnYx1HlUq/HvAm+kwARAQABtDFQYXZlbCBCZWd1 bmtvdiAoc2lsZW5jZSkgPGFzbWwuc2lsZW5jZUBnbWFpbC5jb20+iQJOBBMBCAA4FiEE+6Ju PTjTbx479o3OWt5b1Glr+6UFAlmKBOQCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ Wt5b1Glr+6WxZA//QueaKHzgdnOikJ7NA/Vq8FmhRlwgtP0+E+w93kL+ZGLzS/cUCIjn2f4Q Mcutj2Neg0CcYPX3b2nJiKr5Vn0rjJ/suiaOa1h1KzyNTOmxnsqE5fmxOf6C6x+NKE18I5Jy xzLQoktbdDVA7JfB1itt6iWSNoOTVcvFyvfe5ggy6FSCcP+m1RlR58XxVLH+qlAvxxOeEr/e aQfUzrs7gqdSd9zQGEZo0jtuBiB7k98t9y0oC9Jz0PJdvaj1NZUgtXG9pEtww3LdeXP/TkFl HBSxVflzeoFaj4UAuy8+uve7ya/ECNCc8kk0VYaEjoVrzJcYdKP583iRhOLlZA6HEmn/+Gh9 4orG67HNiJlbFiW3whxGizWsrtFNLsSP1YrEReYk9j1SoUHHzsu+ZtNfKuHIhK0sU07G1OPN 2rDLlzUWR9Jc22INAkhVHOogOcc5ajMGhgWcBJMLCoi219HlX69LIDu3Y34uIg9QPZIC2jwr 24W0kxmK6avJr7+n4o8m6sOJvhlumSp5TSNhRiKvAHB1I2JB8Q1yZCIPzx+w1ALxuoWiCdwV M/azguU42R17IuBzK0S3hPjXpEi2sK/k4pEPnHVUv9Cu09HCNnd6BRfFGjo8M9kZvw360gC1 reeMdqGjwQ68o9x0R7NBRrtUOh48TDLXCANAg97wjPoy37dQE7e5Ag0EWYoE5AEQAMWS+aBV IJtCjwtfCOV98NamFpDEjBMrCAfLm7wZlmXy5I6o7nzzCxEw06P2rhzp1hIqkaab1kHySU7g dkpjmQ7Jjlrf6KdMP87mC/Hx4+zgVCkTQCKkIxNE76Ff3O9uTvkWCspSh9J0qPYyCaVta2D1 Sq5HZ8WFcap71iVO1f2/FEHKJNz/YTSOS/W7dxJdXl2eoj3gYX2UZNfoaVv8OXKaWslZlgqN jSg9wsTv1K73AnQKt4fFhscN9YFxhtgD/SQuOldE5Ws4UlJoaFX/yCoJL3ky2kC0WFngzwRF Yo6u/KON/o28yyP+alYRMBrN0Dm60FuVSIFafSqXoJTIjSZ6olbEoT0u17Rag8BxnxryMrgR dkccq272MaSS0eOC9K2rtvxzddohRFPcy/8bkX+t2iukTDz75KSTKO+chce62Xxdg62dpkZX xK+HeDCZ7gRNZvAbDETr6XI63hPKi891GeZqvqQVYR8e+V2725w+H1iv3THiB1tx4L2bXZDI DtMKQ5D2RvCHNdPNcZeldEoJwKoA60yg6tuUquvsLvfCwtrmVI2rL2djYxRfGNmFMrUDN1Xq F3xozA91q3iZd9OYi9G+M/OA01husBdcIzj1hu0aL+MGg4Gqk6XwjoSxVd4YT41kTU7Kk+/I 5/Nf+i88ULt6HanBYcY/+Daeo/XFABEBAAGJAjYEGAEIACAWIQT7om49ONNvHjv2jc5a3lvU aWv7pQUCWYoE5AIbDAAKCRBa3lvUaWv7pfmcEACKTRQ28b1y5ztKuLdLr79+T+LwZKHjX++P 4wKjEOECCcB6KCv3hP+J2GCXDOPZvdg/ZYZafqP68Yy8AZqkfa4qPYHmIdpODtRzZSL48kM8 LRzV8Rl7J3ItvzdBRxf4T/Zseu5U6ELiQdCUkPGsJcPIJkgPjO2ROG/ZtYa9DvnShNWPlp+R uPwPccEQPWO/NP4fJl2zwC6byjljZhW5kxYswGMLBwb5cDUZAisIukyAa8Xshdan6C2RZcNs rB3L7vsg/R8UCehxOH0C+NypG2GqjVejNZsc7bgV49EOVltS+GmGyY+moIzxsuLmT93rqyII 5rSbbcTLe6KBYcs24XEoo49Zm9oDA3jYvNpeYD8rDcnNbuZh9kTgBwFN41JHOPv0W2FEEWqe JsCwQdcOQ56rtezdCJUYmRAt3BsfjN3Jn3N6rpodi4Dkdli8HylM5iq4ooeb5VkQ7UZxbCWt UVMKkOCdFhutRmYp0mbv2e87IK4erwNHQRkHUkzbsuym8RVpAZbLzLPIYK/J3RTErL6Z99N2 m3J6pjwSJY/zNwuFPs9zGEnRO4g0BUbwGdbuvDzaq6/3OJLKohr5eLXNU3JkT+3HezydWm3W OPhauth7W0db74Qd49HXK0xe/aPrK+Cp+kU1HRactyNtF8jZQbhMCC8vMGukZtWaAwpjWiiH bA== Message-ID: <53d0db2d-2692-887f-2eb1-947ef0713518@gmail.com> Date: Fri, 12 Feb 2021 21:03:19 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.3.0 MIME-Version: 1.0 In-Reply-To: <43f46a40dbc37bebf78f14d7738d5195dbb64460.1613163628.git.asml.silence@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org On 12/02/2021 21:02, Pavel Begunkov wrote: > Add a regression test for CVE-2020-29373 where io-wq do path resolution > issuing sendmsg, but doesn't have proper fs set up. Jens, what about licenses? The original test is GPLv2 > > Reported-by: Petr Vorel > Signed-off-by: Pavel Begunkov > --- > test/Makefile | 2 + > test/sendmsg_fs_cve.c | 193 ++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 195 insertions(+) > create mode 100644 test/sendmsg_fs_cve.c > > diff --git a/test/Makefile b/test/Makefile > index 157ff95..7751eff 100644 > --- a/test/Makefile > +++ b/test/Makefile > @@ -111,6 +111,7 @@ test_targets += \ > timeout-overflow \ > unlink \ > wakeup-hang \ > + sendmsg_fs_cve \ > # EOL > > all_targets += $(test_targets) > @@ -238,6 +239,7 @@ test_srcs := \ > timeout.c \ > unlink.c \ > wakeup-hang.c \ > + sendmsg_fs_cve.c \ > # EOL > > test_objs := $(patsubst %.c,%.ol,$(patsubst %.cc,%.ol,$(test_srcs))) > diff --git a/test/sendmsg_fs_cve.c b/test/sendmsg_fs_cve.c > new file mode 100644 > index 0000000..85f271b > --- /dev/null > +++ b/test/sendmsg_fs_cve.c > @@ -0,0 +1,193 @@ > +/* > + * repro-CVE-2020-29373 -- Reproducer for CVE-2020-29373. > + * > + * Copyright (c) 2021 SUSE > + * Author: Nicolai Stange > + * > + * This program is free software; you can redistribute it and/or > + * modify it under the terms of the GNU General Public License > + * as published by the Free Software Foundation; either version 2 > + * of the License, or (at your option) any later version. > + * > + * This program is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > + * GNU General Public License for more details. > + * > + * You should have received a copy of the GNU General Public License > + * along with this program; if not, see . > + */ > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include "liburing.h" > + > +/* > + * This attempts to make the kernel issue a sendmsg() to > + * path from io_uring's async io_sq_wq_submit_work(). > + * > + * Unfortunately, IOSQE_ASYNC is available only from kernel version > + * 5.6 onwards. To still force io_uring to process the request > + * asynchronously from io_sq_wq_submit_work(), queue a couple of > + * auxiliary requests all failing with EAGAIN before. This is > + * implemented by writing repeatedly to an auxiliary O_NONBLOCK > + * AF_UNIX socketpair with a small SO_SNDBUF. > + */ > +static int try_sendmsg_async(const char * const path) > +{ > + int snd_sock, r; > + struct io_uring ring; > + char sbuf[16] = {}; > + struct iovec siov = { .iov_base = &sbuf, .iov_len = sizeof(sbuf) }; > + struct sockaddr_un addr = {}; > + struct msghdr msg = { > + .msg_name = &addr, > + .msg_namelen = sizeof(addr), > + .msg_iov = &siov, > + .msg_iovlen = 1, > + }; > + struct io_uring_cqe *cqe; > + struct io_uring_sqe *sqe; > + > + snd_sock = socket(AF_UNIX, SOCK_DGRAM, 0); > + if (snd_sock < 0) { > + perror("socket(AF_UNIX)"); > + return -1; > + } > + > + addr.sun_family = AF_UNIX; > + strcpy(addr.sun_path, path); > + > + r = io_uring_queue_init(512, &ring, 0); > + if (r < 0) { > + fprintf(stderr, "ring setup failed: %d\n", r); > + goto close_iour; > + } > + > + sqe = io_uring_get_sqe(&ring); > + if (!sqe) { > + fprintf(stderr, "get sqe failed\n"); > + r = -EFAULT; > + goto close_iour; > + } > + > + /* the actual one supposed to fail with -ENOENT. */ > + io_uring_prep_sendmsg(sqe, snd_sock, &msg, 0); > + sqe->flags = IOSQE_ASYNC; > + sqe->user_data = 255; > + > + r = io_uring_submit(&ring); > + if (r != 1) { > + fprintf(stderr, "sqe submit failed: %d\n", r); > + r = -EFAULT; > + goto close_iour; > + } > + > + r = io_uring_wait_cqe(&ring, &cqe); > + if (r < 0) { > + fprintf(stderr, "wait completion %d\n", r); > + r = -EFAULT; > + goto close_iour; > + } > + if (cqe->user_data != 255) { > + fprintf(stderr, "user data %d\n", r); > + r = -EFAULT; > + goto close_iour; > + } > + if (cqe->res != -ENOENT) { > + r = 3; > + fprintf(stderr, > + "error: cqe %i: res=%i, but expected -ENOENT\n", > + (int)cqe->user_data, (int)cqe->res); > + } > + io_uring_cqe_seen(&ring, cqe); > + > +close_iour: > + io_uring_queue_exit(&ring); > + close(snd_sock); > + return r; > +} > + > +int main(int argc, char *argv[]) > +{ > + int r; > + char tmpdir[] = "/tmp/tmp.XXXXXX"; > + int rcv_sock; > + struct sockaddr_un addr = {}; > + pid_t c; > + int wstatus; > + > + if (!mkdtemp(tmpdir)) { > + perror("mkdtemp()"); > + return 1; > + } > + > + rcv_sock = socket(AF_UNIX, SOCK_DGRAM, 0); > + if (rcv_sock < 0) { > + perror("socket(AF_UNIX)"); > + r = 1; > + goto rmtmpdir; > + } > + > + addr.sun_family = AF_UNIX; > + snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/sock", tmpdir); > + > + r = bind(rcv_sock, (struct sockaddr *)&addr, > + sizeof(addr)); > + if (r < 0) { > + perror("bind()"); > + close(rcv_sock); > + r = 1; > + goto rmtmpdir; > + } > + > + c = fork(); > + if (!c) { > + close(rcv_sock); > + > + if (chroot(tmpdir)) { > + perror("chroot()"); > + return 1; > + } > + > + r = try_sendmsg_async(addr.sun_path); > + if (r < 0) { > + /* system call failure */ > + r = 1; > + } else if (r) { > + /* test case failure */ > + r += 1; > + } > + return r; > + } > + > + if (waitpid(c, &wstatus, 0) == (pid_t)-1) { > + perror("waitpid()"); > + r = 1; > + goto rmsock; > + } > + if (!WIFEXITED(wstatus)) { > + fprintf(stderr, "child got terminated\n"); > + r = 1; > + goto rmsock; > + } > + r = WEXITSTATUS(wstatus); > + if (r) > + fprintf(stderr, "error: Test failed\n"); > +rmsock: > + close(rcv_sock); > + unlink(addr.sun_path); > +rmtmpdir: > + rmdir(tmpdir); > + return r; > +} > -- Pavel Begunkov