1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Copyright (c) 2018 Jann Horn <jannh@google.com> 4 * Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz> 5 */ 6 7/* 8 * CVE 2018-18445 9 * 10 * Check that eBPF verifier correctly handles 32-bit arithmetic, in particular 11 * the right bit shift instruction. It is an error if the BPF program passes 12 * verification regardless of whether it then causes any actual damage. Kernel 13 * bug fixed in: 14 * 15 * commit b799207e1e1816b09e7a5920fbb2d5fcf6edd681 16 * Author: Jann Horn <jannh@google.com> 17 * Date: Fri Oct 5 18:17:59 2018 +0200 18 * 19 * bpf: 32-bit RSH verification must truncate input before the ALU op 20 */ 21 22#include <stdio.h> 23#include <string.h> 24 25#include "config.h" 26#include "tst_test.h" 27#include "tst_taint.h" 28#include "tst_capability.h" 29#include "bpf_common.h" 30 31#define CHECK_BPF_RET(x) ((x) >= 0 || ((x) == -1 && errno != EACCES)) 32 33static const char MSG[] = "Ahoj!"; 34static char *msg; 35 36static char *log; 37static union bpf_attr *attr; 38 39static int load_prog(int fd) 40{ 41 int ret; 42 struct bpf_insn insn[] = { 43 BPF_MOV64_IMM(BPF_REG_8, 2), 44 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 31), 45 BPF_ALU32_IMM(BPF_RSH, BPF_REG_8, 31), 46 BPF_ALU32_IMM(BPF_SUB, BPF_REG_8, 2), 47 48 // store r8 into map 49 BPF_LD_MAP_FD(BPF_REG_1, fd), 50 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 51 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 52 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 53 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 54 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 55 BPF_EXIT_INSN(), 56 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 57 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0), 58 59 BPF_MOV64_IMM(BPF_REG_0, 0), 60 BPF_EXIT_INSN() 61 }; 62 63 bpf_init_prog_attr(attr, insn, sizeof(insn), log, BUFSIZE); 64 ret = TST_RETRY_FUNC(bpf(BPF_PROG_LOAD, attr, sizeof(*attr)), 65 CHECK_BPF_RET); 66 67 if (ret >= 0) { 68 tst_res(TINFO, "Verification log:"); 69 fputs(log, stderr); 70 return ret; 71 } 72 73 if (ret < -1) 74 tst_brk(TBROK, "Invalid bpf() return value %d", ret); 75 76 if (!*log) 77 tst_brk(TBROK | TERRNO, "Failed to load BPF program"); 78 79 tst_res(TPASS | TERRNO, "BPF program failed verification"); 80 return ret; 81} 82 83static void setup(void) 84{ 85 rlimit_bump_memlock(); 86 memcpy(msg, MSG, sizeof(MSG)); 87} 88 89static void run(void) 90{ 91 int map_fd, prog_fd; 92 93 map_fd = bpf_map_array_create(1); 94 prog_fd = load_prog(map_fd); 95 96 if (prog_fd >= 0) { 97 tst_res(TFAIL, "Malicious eBPF code passed verification. " 98 "Now let's try crashing the kernel."); 99 bpf_run_prog(prog_fd, msg, sizeof(MSG)); 100 } 101 102 if (prog_fd >= 0) 103 SAFE_CLOSE(prog_fd); 104 105 SAFE_CLOSE(map_fd); 106} 107 108static struct tst_test test = { 109 .setup = setup, 110 .test_all = run, 111 .min_kver = "3.18", 112 .taint_check = TST_TAINT_W | TST_TAINT_D, 113 .caps = (struct tst_cap []) { 114 TST_CAP(TST_CAP_DROP, CAP_SYS_ADMIN), 115 {} 116 }, 117 .bufs = (struct tst_buffers []) { 118 {&log, .size = BUFSIZE}, 119 {&attr, .size = sizeof(*attr)}, 120 {&msg, .size = sizeof(MSG)}, 121 {} 122 }, 123 .tags = (const struct tst_tag[]) { 124 {"linux-git", "b799207e1e18"}, 125 {"CVE", "2018-18445"}, 126 {} 127 } 128}; 129