1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2019 SUSE LLC <[email protected]>
4 */
5
6 /*\
7 * [Description]
8 *
9 * CVE-2018-1000204
10 *
11 * Test ioctl(SG_IO) and check that kernel doesn't leak data. Requires
12 * a read-accessible generic SCSI device (e.g. a DVD drive).
13 *
14 * Leak fixed in:
15 *
16 * commit a45b599ad808c3c982fdcdc12b0b8611c2f92824
17 * Author: Alexander Potapenko <[email protected]>
18 * Date: Fri May 18 16:23:18 2018 +0200
19 *
20 * scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
21 */
22
23 #include <sys/types.h>
24 #include <dirent.h>
25 #include <fcntl.h>
26 #include <unistd.h>
27 #include <ctype.h>
28 #include <scsi/sg.h>
29 #include <sys/ioctl.h>
30 #include <stdio.h>
31 #include "tst_test.h"
32 #include "tst_memutils.h"
33
34 #define BUF_SIZE (128 * 4096)
35 #define CMD_SIZE 6
36
37 static int devfd = -1;
38 static char buffer[BUF_SIZE];
39 static unsigned char command[CMD_SIZE];
40 static struct sg_io_hdr query;
41
42 /* TODO: split this off to a separate SCSI library? */
find_generic_scsi_device(int access_flags)43 static const char *find_generic_scsi_device(int access_flags)
44 {
45 DIR *devdir;
46 struct dirent *ent;
47 int tmpfd;
48 static char devpath[PATH_MAX];
49
50 errno = 0;
51 devdir = opendir("/dev");
52
53 if (!devdir)
54 return NULL;
55
56 while ((ent = SAFE_READDIR(devdir))) {
57 /* The bug is most likely reproducible only on /dev/sg* */
58 if (strncmp(ent->d_name, "sg", 2) || !isdigit(ent->d_name[2]))
59 continue;
60
61 snprintf(devpath, PATH_MAX, "/dev/%s", ent->d_name);
62 /* access() makes incorrect assumptions about block devices */
63 tmpfd = open(devpath, access_flags);
64
65 if (tmpfd >= 0) {
66 SAFE_CLOSE(tmpfd);
67 SAFE_CLOSEDIR(devdir);
68 return devpath;
69 }
70 }
71
72 SAFE_CLOSEDIR(devdir);
73 return NULL;
74 }
75
setup(void)76 static void setup(void)
77 {
78 const char *devpath = find_generic_scsi_device(O_RDONLY);
79
80 if (!devpath)
81 tst_brk(TCONF, "Could not find any usable SCSI device");
82
83 tst_res(TINFO, "Found SCSI device %s", devpath);
84
85 /* Pollute some memory to avoid false negatives */
86 tst_pollute_memory(0, 0x42);
87
88 devfd = SAFE_OPEN(devpath, O_RDONLY);
89 query.interface_id = 'S';
90 query.dxfer_direction = SG_DXFER_FROM_DEV;
91 query.cmd_len = CMD_SIZE;
92 query.dxfer_len = BUF_SIZE;
93 query.dxferp = buffer;
94 query.cmdp = command;
95 }
96
cleanup(void)97 static void cleanup(void)
98 {
99 if (devfd >= 0)
100 SAFE_CLOSE(devfd);
101 }
102
run(void)103 static void run(void)
104 {
105 size_t i, j;
106
107 memset(buffer, 0, BUF_SIZE);
108
109 for (i = 0; i < 100; i++) {
110 TEST(ioctl(devfd, SG_IO, &query));
111
112 if (TST_RET != 0 && TST_RET != -1)
113 tst_brk(TBROK|TTERRNO, "Invalid ioctl() return value");
114
115 /* Check the buffer even if ioctl() failed, just in case. */
116 for (j = 0; j < BUF_SIZE; j++) {
117 if (buffer[j]) {
118 tst_res(TFAIL, "Kernel memory leaked");
119 return;
120 }
121 }
122 }
123
124 tst_res(TPASS, "Output buffer is empty, no data leaked");
125 }
126
127 static struct tst_test test = {
128 .test_all = run,
129 .setup = setup,
130 .cleanup = cleanup,
131 .max_runtime = 3600,
132 .tags = (const struct tst_tag[]) {
133 {"linux-git", "a45b599ad808"},
134 {"CVE", "2018-1000204"},
135 {}
136 }
137 };
138