[v5] fsconfig03: New test CVE-2022-0185

Message ID	20230228032254.13992-1-wegao@suse.com
State	Accepted
Headers	show Return-Path: <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it> To: ltp@lists.linux.it Date: Mon, 27 Feb 2023 22:22:54 -0500 Message-Id: <20230228032254.13992-1-wegao@suse.com> In-Reply-To: <20230216235218.25757-1-wegao@suse.com> References: <20230216235218.25757-1-wegao@suse.com> MIME-Version: 1.0 Subject: [LTP] [PATCH v5] fsconfig03: New test CVE-2022-0185 Precedence: list From: Wei Gao via ltp <ltp@lists.linux.it> Reply-To: Wei Gao <wegao@suse.com> Cc: Richard Palethorpe <rpalethorpe@suse.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>
Series	[v5] fsconfig03: New test CVE-2022-0185 \| expand [v5] fsconfig03: New test CVE-2022-0185

Message ID

20230228032254.13992-1-wegao@suse.com

State

Accepted

Headers

To: ltp@lists.linux.it
Date: Mon, 27 Feb 2023 22:22:54 -0500
Message-Id: <20230228032254.13992-1-wegao@suse.com>
In-Reply-To: <20230216235218.25757-1-wegao@suse.com>
References: <20230216235218.25757-1-wegao@suse.com>
MIME-Version: 1.0
Subject: [LTP] [PATCH v5] fsconfig03: New test CVE-2022-0185
Precedence: list
From: Wei Gao via ltp <ltp@lists.linux.it>
Reply-To: Wei Gao <wegao@suse.com>
Cc: Richard Palethorpe <rpalethorpe@suse.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it
Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>

Series

[v5] fsconfig03: New test CVE-2022-0185 | expand

Commit Message

Wei Gao Feb. 28, 2023, 3:22 a.m. UTC

There are reproducers available for CVE-2022-0185
https://www.openwall.com/lists/oss-security/2022/01/25/14

Also with links or even a zip file for an exploit
https://github.com/Crusaders-of-Rust/CVE-2022-0185

The exploits are kind of complicated as they try to be complete,
but the exploitation vector is the fsconfig() syscall,
this case used for add some coverage to that to detect it.

When kernel < v5.15.16, you can easily reproduce crash use test case
without check error and return logic in loop.

I have used this test case trigger 5.14.1 kernel crash with ext2/4.

Signed-off-by: Wei Gao <wegao@suse.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Richard Palethorpe <rpalethorpe@suse.com>
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
---
 runtest/cve                                   |  2 +
 runtest/syscalls                              |  1 +
 testcases/kernel/syscalls/fsconfig/.gitignore |  1 +
 .../kernel/syscalls/fsconfig/fsconfig03.c     | 79 +++++++++++++++++++
 4 files changed, 83 insertions(+)
 create mode 100644 testcases/kernel/syscalls/fsconfig/fsconfig03.c

diff --git a/runtest/cve b/runtest/cve
index 1ba63c2a7..7da3ff853 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -77,3 +77,5 @@  cve-2022-2590 dirtyc0w_shmem
 # Tests below may cause kernel memory leak
 cve-2020-25704 perf_event_open03
 cve-2022-4378 cve-2022-4378
+# Tests below may cause kernel crash
+cve-2022-0185 fsconfig03
diff --git a/runtest/syscalls b/runtest/syscalls
index ae37a1192..b4cde8071 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -383,6 +383,7 @@  fremovexattr02 fremovexattr02
 
 fsconfig01 fsconfig01
 fsconfig02 fsconfig02
+fsconfig03 fsconfig03
 
 fsmount01 fsmount01
 fsmount02 fsmount02
diff --git a/testcases/kernel/syscalls/fsconfig/.gitignore b/testcases/kernel/syscalls/fsconfig/.gitignore
index 2bc54b827..cfedae5f7 100644
--- a/testcases/kernel/syscalls/fsconfig/.gitignore
+++ b/testcases/kernel/syscalls/fsconfig/.gitignore
@@ -1,2 +1,3 @@ 
 /fsconfig01
 /fsconfig02
+/fsconfig03
diff --git a/testcases/kernel/syscalls/fsconfig/fsconfig03.c b/testcases/kernel/syscalls/fsconfig/fsconfig03.c
new file mode 100644
index 000000000..c2e908221
--- /dev/null
+++ b/testcases/kernel/syscalls/fsconfig/fsconfig03.c
@@ -0,0 +1,79 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2022 Alejandro Guerrero <aguerrero@...lys.com>
+ * Copyright (c) 2023 Wei Gao <wegao@suse.com>
+ */
+
+
+/*\
+ * [Description]
+ *
+ * Test for CVE-2022-0185.
+ *
+ * References links:
+ * - https://www.openwall.com/lists/oss-security/2022/01/25/14
+ * - https://github.com/Crusaders-of-Rust/CVE-2022-0185
+ */
+
+#include "tst_test.h"
+#include "lapi/fsmount.h"
+
+#define MNTPOINT	"mntpoint"
+
+static int fd = -1;
+
+static void setup(void)
+{
+	fsopen_supported_by_kernel();
+}
+
+static void run(void)
+{
+	char *val = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+	long pagesize;
+
+	TEST(fd = fsopen(tst_device->fs_type, 0));
+	if (fd == -1)
+		tst_brk(TBROK | TTERRNO, "fsopen() failed");
+
+	pagesize = sysconf(_SC_PAGESIZE);
+	if (pagesize == -1)
+		tst_brk(TBROK, "sysconf(_SC_PAGESIZE) failed");
+
+	for (size_t i = 0; i < 5000; i++) {
+		/* use same logic in kernel legacy_parse_param function */
+		const size_t len = i * (strlen(val) + 2) + (strlen(val) + 1) + 2;
+
+		if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize) {
+			TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0));
+			if (TST_ERR)
+				return;
+		} else {
+			TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0),
+					    EINVAL);
+			if (!TST_PASS)
+				return;
+		}
+	}
+
+	if (fd != -1)
+		SAFE_CLOSE(fd);
+
+	tst_res(TPASS, "fsconfig() overflow on %s haven't triggerred crash",
+			tst_device->fs_type);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.setup = setup,
+	.needs_root = 1,
+	.format_device = 1,
+	.mntpoint = MNTPOINT,
+	.all_filesystems = 1,
+	.skip_filesystems = (const char *const []){"ntfs", "vfat", NULL},
+	.tags = (const struct tst_tag[]) {
+		{"linux-git", "722d94847de29"},
+		{"CVE", "2022-0185"},
+		{}
+	}
+};

[v5] fsconfig03: New test CVE-2022-0185

Commit Message

Patch