1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2022 SUSE LLC <[email protected]>
4 */
5
6 /*\
7 * CVE 2022-4378
8 *
9 * Check that writing several pages worth of whitespace into /proc/sys files
10 * does not cause kernel stack overflow. Kernel bug fixed in:
11 *
12 * commit bce9332220bd677d83b19d21502776ad555a0e73
13 * Author: Linus Torvalds <[email protected]>
14 * Date: Mon Dec 5 12:09:06 2022 -0800
15 *
16 * proc: proc_skip_spaces() shouldn't think it is working on C strings
17 */
18
19 #include <stdlib.h>
20 #include "tst_test.h"
21
22 static char *buf;
23 static unsigned int bufsize;
24 static int fd = -1;
25
26 static struct testcase {
27 const char *path;
28 int err;
29 } testcase_list[] = {
30 {"/proc/sys/net/ipv4/icmp_ratelimit", EINVAL},
31 {"/proc/sys/net/ipv4/icmp_ratemask", EINVAL},
32 {"/proc/sys/net/ipv4/icmp_echo_ignore_all", EINVAL},
33 {"/proc/sys/net/ipv4/tcp_probe_interval", EINVAL},
34 {"/proc/sys/net/ipv4/tcp_keepalive_time", EINVAL},
35 {"/proc/sys/net/ipv4/tcp_notsent_lowat", EINVAL},
36 {"/proc/sys/net/ipv4/ip_local_reserved_ports", 0}
37 };
38
setup(void)39 static void setup(void)
40 {
41 tst_setup_netns();
42
43 bufsize = 2 * SAFE_SYSCONF(_SC_PAGESIZE);
44 buf = SAFE_MALLOC(bufsize);
45 memset(buf, '\n', bufsize);
46 }
47
run(unsigned int n)48 static void run(unsigned int n)
49 {
50 const struct testcase *tc = testcase_list + n;
51
52 if (access(tc->path, W_OK)) {
53 tst_res(TCONF | TERRNO, "Skipping %s", tc->path);
54 return;
55 }
56
57 tst_res(TINFO, "Writing whitespace to %s", tc->path);
58
59 fd = SAFE_OPEN(tc->path, O_WRONLY);
60 TEST(write(fd, buf, bufsize));
61 SAFE_CLOSE(fd);
62
63 if (TST_RET >= 0 && tc->err == 0) {
64 tst_res(TPASS, "write() passed as expected");
65 } else if (TST_RET >= 0) {
66 tst_res(TFAIL, "write() unexpectedly passed");
67 } else if (TST_RET != -1) {
68 tst_res(TFAIL | TTERRNO, "Invalid write() return value %ld",
69 TST_RET);
70 } else if (TST_ERR != tc->err) {
71 tst_res(TFAIL | TTERRNO, "write() returned unexpected error");
72 } else {
73 tst_res(TPASS | TTERRNO, "write() failed as expected");
74 }
75
76 if (tst_taint_check())
77 tst_res(TFAIL, "Kernel is vulnerable");
78 }
79
cleanup(void)80 static void cleanup(void)
81 {
82 if (fd >= 0)
83 SAFE_CLOSE(fd);
84
85 if (buf)
86 free(buf);
87 }
88
89 static struct tst_test test = {
90 .test = run,
91 .tcnt = ARRAY_SIZE(testcase_list),
92 .setup = setup,
93 .cleanup = cleanup,
94 .taint_check = TST_TAINT_W | TST_TAINT_D,
95 .needs_kconfigs = (const char *[]) {
96 "CONFIG_USER_NS=y",
97 "CONFIG_NET_NS=y",
98 NULL
99 },
100 .save_restore = (const struct tst_path_val[]) {
101 {"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
102 {}
103 },
104 .tags = (const struct tst_tag[]) {
105 {"linux-git", "bce9332220bd"},
106 {"CVE", "2022-4378"},
107 {}
108 }
109 };
110