[LTP] [PATCH v2] Add test for CVE 2018-1000204
Martin Doucha
mdoucha@suse.cz
Tue Mar 10 16:27:28 CET 2020
Fixes #334
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
Changes since v1:
- Code style fixes
- Simpler path concatenation find_generic_scsi_device()
- Added test to syscalls runfiles
- Added compiled test program to .gitignore
runtest/cve | 1 +
runtest/syscalls | 2 +
testcases/kernel/syscalls/ioctl/.gitignore | 1 +
testcases/kernel/syscalls/ioctl/ioctl_sg01.c | 128 +++++++++++++++++++
4 files changed, 132 insertions(+)
create mode 100644 testcases/kernel/syscalls/ioctl/ioctl_sg01.c
diff --git a/runtest/cve b/runtest/cve
index 36c5ba1d6..46f63738f 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -40,4 +40,5 @@ cve-2017-18075 pcrypt_aead01
cve-2017-1000380 snd_timer01
cve-2018-5803 sctp_big_chunk
cve-2018-1000001 realpath01
+cve-2018-1000204 ioctl_sg01
cve-2018-19854 crypto_user01
diff --git a/runtest/syscalls b/runtest/syscalls
index 06d96470c..30ea8be21 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -516,6 +516,8 @@ ioctl_ns05 ioctl_ns05
ioctl_ns06 ioctl_ns06
ioctl_ns07 ioctl_ns07
+ioctl_sg01 ioctl_sg01
+
inotify_init1_01 inotify_init1_01
inotify_init1_02 inotify_init1_02
diff --git a/testcases/kernel/syscalls/ioctl/.gitignore b/testcases/kernel/syscalls/ioctl/.gitignore
index 2551ffb7f..97fbb9681 100644
--- a/testcases/kernel/syscalls/ioctl/.gitignore
+++ b/testcases/kernel/syscalls/ioctl/.gitignore
@@ -13,3 +13,4 @@
/ioctl_ns05
/ioctl_ns06
/ioctl_ns07
+/ioctl_sg01
diff --git a/testcases/kernel/syscalls/ioctl/ioctl_sg01.c b/testcases/kernel/syscalls/ioctl/ioctl_sg01.c
new file mode 100644
index 000000000..046758e50
--- /dev/null
+++ b/testcases/kernel/syscalls/ioctl/ioctl_sg01.c
@@ -0,0 +1,128 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 SUSE LLC <mdoucha@suse.cz>
+ */
+
+/*
+ * CVE-2018-1000204
+ *
+ * Test ioctl(SG_IO) and check that kernel doesn't leak data. Requires
+ * a read-accessible SCSI-compatible device (e.g. SATA disk). Running mem01
+ * test program before this one may increase the chance of successfully
+ * reproducing the bug.
+ *
+ * Leak fixed in:
+ *
+ * commit a45b599ad808c3c982fdcdc12b0b8611c2f92824
+ * Author: Alexander Potapenko <glider@google.com>
+ * Date: Fri May 18 16:23:18 2018 +0200
+ *
+ * scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
+ */
+
+#include <sys/types.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <scsi/sg.h>
+#include <sys/ioctl.h>
+#include <stdio.h>
+#include "tst_test.h"
+
+#define BUF_SIZE 128 * 4096
+#define CMD_SIZE 6
+
+static int devfd = -1;
+static char buffer[BUF_SIZE];
+static unsigned char command[CMD_SIZE];
+static struct sg_io_hdr query;
+
+/* TODO: split this off to a separate SCSI library? */
+static const char *find_generic_scsi_device(int access_flags)
+{
+ DIR *devdir;
+ struct dirent *ent;
+ int tmpfd;
+ static char devpath[PATH_MAX];
+
+ errno = 0;
+ devdir = opendir("/dev");
+
+ if (!devdir)
+ return NULL;
+
+ while ((ent = SAFE_READDIR(devdir))) {
+ /* The bug is most likely reproducible only on /dev/sg* */
+ if (strncmp(ent->d_name, "sg", 2) || !isdigit(ent->d_name[2]))
+ continue;
+
+ snprintf(devpath, PATH_MAX, "/dev/%s", ent->d_name);
+ /* access() makes incorrect assumptions about block devices */
+ tmpfd = open(devpath, access_flags);
+
+ if (tmpfd >= 0) {
+ SAFE_CLOSE(tmpfd);
+ SAFE_CLOSEDIR(devdir);
+ return devpath;
+ }
+ }
+
+ SAFE_CLOSEDIR(devdir);
+ return NULL;
+}
+
+static void setup(void)
+{
+ const char *devpath = find_generic_scsi_device(O_RDONLY);
+
+ if (!devpath)
+ tst_brk(TCONF, "Could not find any usable SCSI device");
+
+ tst_res(TINFO, "Found SCSI device %s", devpath);
+ devfd = SAFE_OPEN(devpath, O_RDONLY);
+ query.interface_id = 'S';
+ query.dxfer_direction = SG_DXFER_FROM_DEV;
+ query.cmd_len = CMD_SIZE;
+ query.dxfer_len = BUF_SIZE;
+ query.dxferp = buffer;
+ query.cmdp = command;
+}
+
+static void cleanup(void)
+{
+ if (devfd >= 0)
+ SAFE_CLOSE(devfd);
+}
+
+static void run(void)
+{
+ size_t i;
+
+ memset(buffer, 0, BUF_SIZE);
+ TEST(ioctl(devfd, SG_IO, &query));
+
+ if (TST_RET != 0 && TST_RET != -1)
+ tst_brk(TBROK | TTERRNO, "Invalid ioctl() return value");
+
+ /* Check the output buffer even if ioctl() failed, just in case. */
+ for (i = 0; i < BUF_SIZE; i++) {
+ if (buffer[i]) {
+ tst_res(TFAIL, "Kernel memory leaked");
+ return;
+ }
+ }
+
+ tst_res(TPASS, "Output buffer is empty, no data leaked");
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .setup = setup,
+ .cleanup = cleanup,
+ .tags = (const struct tst_tag[]) {
+ {"linux-git", "e093c4be760e"},
+ {"CVE", "2018-1000204"},
+ {}
+ }
+};
--
2.25.1
More information about the ltp
mailing list