1f08c3bdfSopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 2f08c3bdfSopenharmony_ci/* 3f08c3bdfSopenharmony_ci * Copyright (c) 2022 xiaoshoukui <xiaoshoukui@ruijie.com.cn> 4f08c3bdfSopenharmony_ci */ 5f08c3bdfSopenharmony_ci 6f08c3bdfSopenharmony_ci/*\ 7f08c3bdfSopenharmony_ci * [Description] 8f08c3bdfSopenharmony_ci * 9f08c3bdfSopenharmony_ci * Test based on Syzkaller reproducer: 10f08c3bdfSopenharmony_ci * https://syzkaller.appspot.com/bug?extid=522643ab5729b0421998 11f08c3bdfSopenharmony_ci * 12f08c3bdfSopenharmony_ci * The VT_DISALLOCATE ioctl can free a virtual console while tty_release() is 13f08c3bdfSopenharmony_ci * still running, causing a use-after-free in con_shutdown(). This occurs 14f08c3bdfSopenharmony_ci * because VT_DISALLOCATE only considers a virtual console to be in-use if it 15f08c3bdfSopenharmony_ci * has a tty_struct with count > 0. But actually when count == 0, the tty is 16f08c3bdfSopenharmony_ci * still in the process of being closed. 17f08c3bdfSopenharmony_ci * 18f08c3bdfSopenharmony_ci * Fixed by commit: 19f08c3bdfSopenharmony_ci * 20f08c3bdfSopenharmony_ci * commit ca4463bf8438b403596edd0ec961ca0d4fbe0220 21f08c3bdfSopenharmony_ci * Author: Eric Biggers <ebiggers@google.com> 22f08c3bdfSopenharmony_ci * Date: Sat Mar 21 20:43:04 2020 -0700 23f08c3bdfSopenharmony_ci * 24f08c3bdfSopenharmony_ci * vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console 25f08c3bdfSopenharmony_ci */ 26f08c3bdfSopenharmony_ci 27f08c3bdfSopenharmony_ci#define _GNU_SOURCE 28f08c3bdfSopenharmony_ci 29f08c3bdfSopenharmony_ci#include <stdlib.h> 30f08c3bdfSopenharmony_ci#include <stdio.h> 31f08c3bdfSopenharmony_ci#include <errno.h> 32f08c3bdfSopenharmony_ci#include <termios.h> 33f08c3bdfSopenharmony_ci#include <linux/vt.h> 34f08c3bdfSopenharmony_ci#include "lapi/ioctl.h" 35f08c3bdfSopenharmony_ci 36f08c3bdfSopenharmony_ci#include "tst_test.h" 37f08c3bdfSopenharmony_ci#include "tst_safe_stdio.h" 38f08c3bdfSopenharmony_ci#include "tst_fuzzy_sync.h" 39f08c3bdfSopenharmony_ci 40f08c3bdfSopenharmony_ci#define BUF_SIZE 256 41f08c3bdfSopenharmony_cistatic char tty_path_a[BUF_SIZE]; 42f08c3bdfSopenharmony_cistatic char tty_path_b[BUF_SIZE]; 43f08c3bdfSopenharmony_cistatic int test_tty_port = 8; 44f08c3bdfSopenharmony_cistatic struct tst_fzsync_pair fzp; 45f08c3bdfSopenharmony_ci 46f08c3bdfSopenharmony_cistatic void *open_close(void *unused) 47f08c3bdfSopenharmony_ci{ 48f08c3bdfSopenharmony_ci while (tst_fzsync_run_b(&fzp)) { 49f08c3bdfSopenharmony_ci tst_fzsync_start_race_b(&fzp); 50f08c3bdfSopenharmony_ci int fd = SAFE_OPEN(tty_path_b, O_RDWR); 51f08c3bdfSopenharmony_ci 52f08c3bdfSopenharmony_ci SAFE_CLOSE(fd); 53f08c3bdfSopenharmony_ci tst_fzsync_end_race_b(&fzp); 54f08c3bdfSopenharmony_ci } 55f08c3bdfSopenharmony_ci 56f08c3bdfSopenharmony_ci return unused; 57f08c3bdfSopenharmony_ci} 58f08c3bdfSopenharmony_ci 59f08c3bdfSopenharmony_cistatic void do_test(void) 60f08c3bdfSopenharmony_ci{ 61f08c3bdfSopenharmony_ci int fd = SAFE_OPEN(tty_path_a, O_RDWR); 62f08c3bdfSopenharmony_ci 63f08c3bdfSopenharmony_ci tst_fzsync_pair_reset(&fzp, open_close); 64f08c3bdfSopenharmony_ci 65f08c3bdfSopenharmony_ci while (tst_fzsync_run_a(&fzp)) { 66f08c3bdfSopenharmony_ci tst_fzsync_start_race_a(&fzp); 67f08c3bdfSopenharmony_ci ioctl(fd, VT_DISALLOCATE, test_tty_port); 68f08c3bdfSopenharmony_ci tst_fzsync_end_race_a(&fzp); 69f08c3bdfSopenharmony_ci if (tst_taint_check()) { 70f08c3bdfSopenharmony_ci tst_res(TFAIL, "Kernel is vulnerable"); 71f08c3bdfSopenharmony_ci return; 72f08c3bdfSopenharmony_ci } 73f08c3bdfSopenharmony_ci } 74f08c3bdfSopenharmony_ci SAFE_CLOSE(fd); 75f08c3bdfSopenharmony_ci tst_res(TPASS, "Did not crash with VT_DISALLOCATE"); 76f08c3bdfSopenharmony_ci} 77f08c3bdfSopenharmony_ci 78f08c3bdfSopenharmony_cistatic void setup(void) 79f08c3bdfSopenharmony_ci{ 80f08c3bdfSopenharmony_ci sprintf(tty_path_a, "/dev/tty%d", test_tty_port + 1); 81f08c3bdfSopenharmony_ci sprintf(tty_path_b, "/dev/tty%d", test_tty_port); 82f08c3bdfSopenharmony_ci 83f08c3bdfSopenharmony_ci if (access(tty_path_a, F_OK) || access(tty_path_b, F_OK)) 84f08c3bdfSopenharmony_ci tst_brk(TCONF, "TTY(s) under test not available in system"); 85f08c3bdfSopenharmony_ci 86f08c3bdfSopenharmony_ci tst_fzsync_pair_init(&fzp); 87f08c3bdfSopenharmony_ci} 88f08c3bdfSopenharmony_ci 89f08c3bdfSopenharmony_cistatic void cleanup(void) 90f08c3bdfSopenharmony_ci{ 91f08c3bdfSopenharmony_ci tst_fzsync_pair_cleanup(&fzp); 92f08c3bdfSopenharmony_ci} 93f08c3bdfSopenharmony_ci 94f08c3bdfSopenharmony_cistatic struct tst_test test = { 95f08c3bdfSopenharmony_ci .test_all = do_test, 96f08c3bdfSopenharmony_ci .setup = setup, 97f08c3bdfSopenharmony_ci .cleanup = cleanup, 98f08c3bdfSopenharmony_ci .needs_root = 1, 99f08c3bdfSopenharmony_ci .taint_check = TST_TAINT_W | TST_TAINT_D, 100f08c3bdfSopenharmony_ci .max_runtime = 150, 101f08c3bdfSopenharmony_ci .tags = (const struct tst_tag[]) { 102f08c3bdfSopenharmony_ci {"CVE", "2020-36557"}, 103f08c3bdfSopenharmony_ci {"linux-git", "ca4463bf8438"}, 104f08c3bdfSopenharmony_ci {} 105f08c3bdfSopenharmony_ci } 106f08c3bdfSopenharmony_ci}; 107