130 lines
2.9 KiB
C
130 lines
2.9 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Copyright (c) 2018 Jann Horn <jannh@google.com>
|
|
* Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
|
|
*/
|
|
|
|
/*
|
|
* CVE 2018-18445
|
|
*
|
|
* Check that eBPF verifier correctly handles 32-bit arithmetic, in particular
|
|
* the right bit shift instruction. It is an error if the BPF program passes
|
|
* verification regardless of whether it then causes any actual damage. Kernel
|
|
* bug fixed in:
|
|
*
|
|
* commit b799207e1e1816b09e7a5920fbb2d5fcf6edd681
|
|
* Author: Jann Horn <jannh@google.com>
|
|
* Date: Fri Oct 5 18:17:59 2018 +0200
|
|
*
|
|
* bpf: 32-bit RSH verification must truncate input before the ALU op
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
#include "config.h"
|
|
#include "tst_test.h"
|
|
#include "tst_taint.h"
|
|
#include "tst_capability.h"
|
|
#include "bpf_common.h"
|
|
|
|
#define BUFSIZE 8192
|
|
#define CHECK_BPF_RET(x) ((x) >= 0 || ((x) == -1 && errno != EACCES))
|
|
|
|
static const char MSG[] = "Ahoj!";
|
|
static char *msg;
|
|
|
|
static char *log;
|
|
static union bpf_attr *attr;
|
|
|
|
static int load_prog(int fd)
|
|
{
|
|
int ret;
|
|
struct bpf_insn insn[] = {
|
|
BPF_MOV64_IMM(BPF_REG_8, 2),
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 31),
|
|
BPF_ALU32_IMM(BPF_RSH, BPF_REG_8, 31),
|
|
BPF_ALU32_IMM(BPF_SUB, BPF_REG_8, 2),
|
|
|
|
// store r8 into map
|
|
BPF_LD_MAP_FD(BPF_REG_1, fd),
|
|
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
|
|
BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
|
|
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
|
|
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
|
|
BPF_EXIT_INSN(),
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
|
|
BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
BPF_EXIT_INSN()
|
|
};
|
|
|
|
bpf_init_prog_attr(attr, insn, sizeof(insn), log, BUFSIZE);
|
|
ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)),
|
|
CHECK_BPF_RET);
|
|
|
|
if (ret >= 0) {
|
|
tst_res(TINFO, "Verification log:");
|
|
fputs(log, stderr);
|
|
return ret;
|
|
}
|
|
|
|
if (ret < -1)
|
|
tst_brk(TBROK, "Invalid bpf() return value %d", ret);
|
|
|
|
if (!*log)
|
|
tst_brk(TBROK | TERRNO, "Failed to load BPF program");
|
|
|
|
tst_res(TPASS | TERRNO, "BPF program failed verification");
|
|
return ret;
|
|
}
|
|
|
|
static void setup(void)
|
|
{
|
|
rlimit_bump_memlock();
|
|
memcpy(msg, MSG, sizeof(MSG));
|
|
}
|
|
|
|
static void run(void)
|
|
{
|
|
int map_fd, prog_fd;
|
|
|
|
map_fd = bpf_map_array_create(1);
|
|
prog_fd = load_prog(map_fd);
|
|
|
|
if (prog_fd >= 0) {
|
|
tst_res(TFAIL, "Malicious eBPF code passed verification. "
|
|
"Now let's try crashing the kernel.");
|
|
bpf_run_prog(prog_fd, msg, sizeof(MSG));
|
|
}
|
|
|
|
if (prog_fd >= 0)
|
|
SAFE_CLOSE(prog_fd);
|
|
|
|
SAFE_CLOSE(map_fd);
|
|
}
|
|
|
|
static struct tst_test test = {
|
|
.setup = setup,
|
|
.test_all = run,
|
|
.min_kver = "3.18",
|
|
.taint_check = TST_TAINT_W | TST_TAINT_D,
|
|
.caps = (struct tst_cap []) {
|
|
TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN),
|
|
{}
|
|
},
|
|
.bufs = (struct tst_buffers []) {
|
|
{&log, .size = BUFSIZE},
|
|
{&attr, .size = sizeof(*attr)},
|
|
{&msg, .size = sizeof(MSG)},
|
|
{}
|
|
},
|
|
.tags = (const struct tst_tag[]) {
|
|
{"linux-git", "b799207e1e18"},
|
|
{"CVE", "2018-18445"},
|
|
{}
|
|
}
|
|
};
|