1f08c3bdfSopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 2f08c3bdfSopenharmony_ci/* 3f08c3bdfSopenharmony_ci * Copyright (c) 2018 Michael Moese <mmoese@suse.com> 4f08c3bdfSopenharmony_ci */ 5f08c3bdfSopenharmony_ci/* 6f08c3bdfSopenharmony_ci * Test for CVE-2017-17052, original reproducer taken from kernel commit: 7f08c3bdfSopenharmony_ci * 2b7e8665b4ff51c034c55df3cff76518d1a9ee3a 8f08c3bdfSopenharmony_ci * 9f08c3bdfSopenharmony_ci * CAUTION!! 10f08c3bdfSopenharmony_ci * This test will crash unpatched kernels! 11f08c3bdfSopenharmony_ci * Use at your own risk! 12f08c3bdfSopenharmony_ci * 13f08c3bdfSopenharmony_ci */ 14f08c3bdfSopenharmony_ci 15f08c3bdfSopenharmony_ci#include <unistd.h> 16f08c3bdfSopenharmony_ci#include <pthread.h> 17f08c3bdfSopenharmony_ci#include <sys/wait.h> 18f08c3bdfSopenharmony_ci#include <sys/syscall.h> 19f08c3bdfSopenharmony_ci#include <sys/types.h> 20f08c3bdfSopenharmony_ci#include <stdlib.h> 21f08c3bdfSopenharmony_ci 22f08c3bdfSopenharmony_ci#include "tst_test.h" 23f08c3bdfSopenharmony_ci#include "tst_safe_pthread.h" 24f08c3bdfSopenharmony_ci#include "lapi/syscalls.h" 25f08c3bdfSopenharmony_ci 26f08c3bdfSopenharmony_ci#define RUNS 4 27f08c3bdfSopenharmony_ci#define EXEC_USEC 400000 28f08c3bdfSopenharmony_ci 29f08c3bdfSopenharmony_cistatic int *do_exit; 30f08c3bdfSopenharmony_ci 31f08c3bdfSopenharmony_cistatic void setup(void) 32f08c3bdfSopenharmony_ci{ 33f08c3bdfSopenharmony_ci do_exit = SAFE_MMAP(NULL, sizeof(*do_exit), PROT_READ|PROT_WRITE, 34f08c3bdfSopenharmony_ci MAP_SHARED | MAP_ANONYMOUS, -1, 0); 35f08c3bdfSopenharmony_ci 36f08c3bdfSopenharmony_ci *do_exit = 0; 37f08c3bdfSopenharmony_ci} 38f08c3bdfSopenharmony_ci 39f08c3bdfSopenharmony_cistatic void cleanup(void) 40f08c3bdfSopenharmony_ci{ 41f08c3bdfSopenharmony_ci SAFE_MUNMAP(do_exit, sizeof(*do_exit)); 42f08c3bdfSopenharmony_ci} 43f08c3bdfSopenharmony_ci 44f08c3bdfSopenharmony_cistatic void *mmap_thread(void *arg) 45f08c3bdfSopenharmony_ci{ 46f08c3bdfSopenharmony_ci for (;;) { 47f08c3bdfSopenharmony_ci SAFE_MMAP(NULL, 0x1000000, PROT_READ, 48f08c3bdfSopenharmony_ci MAP_POPULATE|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); 49f08c3bdfSopenharmony_ci } 50f08c3bdfSopenharmony_ci 51f08c3bdfSopenharmony_ci return arg; 52f08c3bdfSopenharmony_ci} 53f08c3bdfSopenharmony_ci 54f08c3bdfSopenharmony_cistatic void *fork_thread(void *arg) 55f08c3bdfSopenharmony_ci{ 56f08c3bdfSopenharmony_ci usleep(rand() % 10000); 57f08c3bdfSopenharmony_ci SAFE_FORK(); 58f08c3bdfSopenharmony_ci 59f08c3bdfSopenharmony_ci return arg; 60f08c3bdfSopenharmony_ci} 61f08c3bdfSopenharmony_ci 62f08c3bdfSopenharmony_cistatic void do_test_fork(void) 63f08c3bdfSopenharmony_ci{ 64f08c3bdfSopenharmony_ci int status; 65f08c3bdfSopenharmony_ci 66f08c3bdfSopenharmony_ci SAFE_FORK(); 67f08c3bdfSopenharmony_ci SAFE_FORK(); 68f08c3bdfSopenharmony_ci SAFE_FORK(); 69f08c3bdfSopenharmony_ci 70f08c3bdfSopenharmony_ci for(;;) { 71f08c3bdfSopenharmony_ci if (SAFE_FORK() == 0) { 72f08c3bdfSopenharmony_ci pthread_t t; 73f08c3bdfSopenharmony_ci 74f08c3bdfSopenharmony_ci SAFE_PTHREAD_CREATE(&t, NULL, mmap_thread, NULL); 75f08c3bdfSopenharmony_ci SAFE_PTHREAD_CREATE(&t, NULL, fork_thread, NULL); 76f08c3bdfSopenharmony_ci usleep(rand() % 10000); 77f08c3bdfSopenharmony_ci syscall(__NR_exit_group, 0); 78f08c3bdfSopenharmony_ci } 79f08c3bdfSopenharmony_ci SAFE_WAIT(&status); 80f08c3bdfSopenharmony_ci if (*do_exit) 81f08c3bdfSopenharmony_ci exit(0); 82f08c3bdfSopenharmony_ci } 83f08c3bdfSopenharmony_ci} 84f08c3bdfSopenharmony_ci 85f08c3bdfSopenharmony_cistatic void run(void) 86f08c3bdfSopenharmony_ci{ 87f08c3bdfSopenharmony_ci pid_t pid; 88f08c3bdfSopenharmony_ci int status; 89f08c3bdfSopenharmony_ci volatile int run = 0; 90f08c3bdfSopenharmony_ci 91f08c3bdfSopenharmony_ci while (run < RUNS) { 92f08c3bdfSopenharmony_ci *do_exit = 0; 93f08c3bdfSopenharmony_ci pid = SAFE_FORK(); 94f08c3bdfSopenharmony_ci 95f08c3bdfSopenharmony_ci if (pid == 0) { 96f08c3bdfSopenharmony_ci do_test_fork(); 97f08c3bdfSopenharmony_ci } else { 98f08c3bdfSopenharmony_ci usleep(EXEC_USEC); 99f08c3bdfSopenharmony_ci *do_exit = 1; 100f08c3bdfSopenharmony_ci } 101f08c3bdfSopenharmony_ci 102f08c3bdfSopenharmony_ci SAFE_WAIT(&status); 103f08c3bdfSopenharmony_ci if (WIFEXITED(status) && WEXITSTATUS(status) == 0) { 104f08c3bdfSopenharmony_ci tst_res(TINFO, "run %d passed", run); 105f08c3bdfSopenharmony_ci } else { 106f08c3bdfSopenharmony_ci tst_res(TFAIL, "child %s", tst_strstatus(status)); 107f08c3bdfSopenharmony_ci } 108f08c3bdfSopenharmony_ci 109f08c3bdfSopenharmony_ci run++; 110f08c3bdfSopenharmony_ci } 111f08c3bdfSopenharmony_ci 112f08c3bdfSopenharmony_ci if (run == RUNS) 113f08c3bdfSopenharmony_ci tst_res(TPASS, "kernel survived %d runs", run); 114f08c3bdfSopenharmony_ci else 115f08c3bdfSopenharmony_ci tst_res(TFAIL, "something strange happened"); 116f08c3bdfSopenharmony_ci} 117f08c3bdfSopenharmony_ci 118f08c3bdfSopenharmony_cistatic struct tst_test test = { 119f08c3bdfSopenharmony_ci .forks_child = 1, 120f08c3bdfSopenharmony_ci .cleanup = cleanup, 121f08c3bdfSopenharmony_ci .setup = setup, 122f08c3bdfSopenharmony_ci .test_all = run, 123f08c3bdfSopenharmony_ci .tags = (const struct tst_tag[]) { 124f08c3bdfSopenharmony_ci {"linux-git", "2b7e8665b4ff"}, 125f08c3bdfSopenharmony_ci {"CVE", "2017-17052"}, 126f08c3bdfSopenharmony_ci {} 127f08c3bdfSopenharmony_ci } 128f08c3bdfSopenharmony_ci}; 129