| 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
|---|
| 2 | /* |
|---|
| 3 | * Author: Aleksa Sarai <cyphar@cyphar.com> |
|---|
| 4 | * Copyright (C) 2018-2019 SUSE LLC. |
|---|
| 5 | */ |
|---|
| 6 | |
|---|
| 7 | #define _GNU_SOURCE |
|---|
| 8 | #include <errno.h> |
|---|
| 9 | #include <fcntl.h> |
|---|
| 10 | #include <sched.h> |
|---|
| 11 | #include <sys/stat.h> |
|---|
| 12 | #include <sys/types.h> |
|---|
| 13 | #include <sys/mount.h> |
|---|
| 14 | #include <sys/mman.h> |
|---|
| 15 | #include <sys/prctl.h> |
|---|
| 16 | #include <signal.h> |
|---|
| 17 | #include <stdio.h> |
|---|
| 18 | #include <stdlib.h> |
|---|
| 19 | #include <stdbool.h> |
|---|
| 20 | #include <string.h> |
|---|
| 21 | #include <syscall.h> |
|---|
| 22 | #include <limits.h> |
|---|
| 23 | #include <unistd.h> |
|---|
| 24 | |
|---|
| 25 | #include "../kselftest.h" |
|---|
| 26 | #include "helpers.h" |
|---|
| 27 | |
|---|
| 28 | /* Construct a test directory with the following structure: |
|---|
| 29 | * |
|---|
| 30 | * root/ |
|---|
| 31 | * |-- a/ |
|---|
| 32 | * | `-- c/ |
|---|
| 33 | * `-- b/ |
|---|
| 34 | */ |
|---|
| 35 | int setup_testdir(void) |
|---|
| 36 | { |
|---|
| 37 | int dfd; |
|---|
| 38 | char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX" ; |
|---|
| 39 | |
|---|
| 40 | /* Make the top-level directory. */ |
|---|
| 41 | if (!mkdtemp(dirname)) |
|---|
| 42 | ksft_exit_fail_msg(msg: "setup_testdir: failed to create tmpdir\n" ); |
|---|
| 43 | dfd = open(dirname, O_PATH | O_DIRECTORY); |
|---|
| 44 | if (dfd < 0) |
|---|
| 45 | ksft_exit_fail_msg(msg: "setup_testdir: failed to open tmpdir\n" ); |
|---|
| 46 | |
|---|
| 47 | E_mkdirat(dfd, "a" , 0755); |
|---|
| 48 | E_mkdirat(dfd, "b" , 0755); |
|---|
| 49 | E_mkdirat(dfd, "a/c" , 0755); |
|---|
| 50 | |
|---|
| 51 | return dfd; |
|---|
| 52 | } |
|---|
| 53 | |
|---|
| 54 | /* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */ |
|---|
| 55 | pid_t spawn_attack(int dirfd, char *a, char *b) |
|---|
| 56 | { |
|---|
| 57 | pid_t child = fork(); |
|---|
| 58 | if (child != 0) |
|---|
| 59 | return child; |
|---|
| 60 | |
|---|
| 61 | /* If the parent (the test process) dies, kill ourselves too. */ |
|---|
| 62 | E_prctl(PR_SET_PDEATHSIG, SIGKILL); |
|---|
| 63 | |
|---|
| 64 | /* Swap @a and @b. */ |
|---|
| 65 | for (;;) |
|---|
| 66 | renameat2(dirfd, a, dirfd, b, RENAME_EXCHANGE); |
|---|
| 67 | exit(1); |
|---|
| 68 | } |
|---|
| 69 | |
|---|
| 70 | #define NUM_RENAME_TESTS 2 |
|---|
| 71 | #define ROUNDS 400000 |
|---|
| 72 | |
|---|
| 73 | const char *flagname(int resolve) |
|---|
| 74 | { |
|---|
| 75 | switch (resolve) { |
|---|
| 76 | case RESOLVE_IN_ROOT: |
|---|
| 77 | return "RESOLVE_IN_ROOT" ; |
|---|
| 78 | case RESOLVE_BENEATH: |
|---|
| 79 | return "RESOLVE_BENEATH" ; |
|---|
| 80 | } |
|---|
| 81 | return "(unknown)" ; |
|---|
| 82 | } |
|---|
| 83 | |
|---|
| 84 | void test_rename_attack(int resolve) |
|---|
| 85 | { |
|---|
| 86 | int dfd, afd; |
|---|
| 87 | pid_t child; |
|---|
| 88 | void (*resultfn)(const char *msg, ...) = ksft_test_result_pass; |
|---|
| 89 | int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0; |
|---|
| 90 | |
|---|
| 91 | struct open_how how = { |
|---|
| 92 | .flags = O_PATH, |
|---|
| 93 | .resolve = resolve, |
|---|
| 94 | }; |
|---|
| 95 | |
|---|
| 96 | if (!openat2_supported) { |
|---|
| 97 | how.resolve = 0; |
|---|
| 98 | ksft_print_msg(msg: "openat2(2) unsupported -- using openat(2) instead\n" ); |
|---|
| 99 | } |
|---|
| 100 | |
|---|
| 101 | dfd = setup_testdir(); |
|---|
| 102 | afd = openat(dfd, "a" , O_PATH); |
|---|
| 103 | if (afd < 0) |
|---|
| 104 | ksft_exit_fail_msg(msg: "test_rename_attack: failed to open 'a'\n" ); |
|---|
| 105 | |
|---|
| 106 | child = spawn_attack(dirfd: dfd, a: "a/c" , b: "b" ); |
|---|
| 107 | |
|---|
| 108 | for (int i = 0; i < ROUNDS; i++) { |
|---|
| 109 | int fd; |
|---|
| 110 | char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../.." ; |
|---|
| 111 | |
|---|
| 112 | if (openat2_supported) |
|---|
| 113 | fd = sys_openat2(dfd: afd, path: victim_path, how: &how); |
|---|
| 114 | else |
|---|
| 115 | fd = sys_openat(dfd: afd, path: victim_path, how: &how); |
|---|
| 116 | |
|---|
| 117 | if (fd < 0) { |
|---|
| 118 | if (fd == -EAGAIN) |
|---|
| 119 | eagains++; |
|---|
| 120 | else if (fd == -EXDEV) |
|---|
| 121 | exdevs++; |
|---|
| 122 | else if (fd == -ENOENT) |
|---|
| 123 | escapes++; /* escaped outside and got ENOENT... */ |
|---|
| 124 | else |
|---|
| 125 | other_errs++; /* unexpected error */ |
|---|
| 126 | } else { |
|---|
| 127 | if (fdequal(fd, dfd: afd, NULL)) |
|---|
| 128 | successes++; |
|---|
| 129 | else |
|---|
| 130 | escapes++; /* we got an unexpected fd */ |
|---|
| 131 | } |
|---|
| 132 | close(fd); |
|---|
| 133 | } |
|---|
| 134 | |
|---|
| 135 | if (escapes > 0) |
|---|
| 136 | resultfn = ksft_test_result_fail; |
|---|
| 137 | ksft_print_msg(msg: "non-escapes: EAGAIN=%d EXDEV=%d E<other>=%d success=%d\n" , |
|---|
| 138 | eagains, exdevs, other_errs, successes); |
|---|
| 139 | resultfn("rename attack with %s (%d runs, got %d escapes)\n" , |
|---|
| 140 | flagname(resolve), ROUNDS, escapes); |
|---|
| 141 | |
|---|
| 142 | /* Should be killed anyway, but might as well make sure. */ |
|---|
| 143 | E_kill(child, SIGKILL); |
|---|
| 144 | } |
|---|
| 145 | |
|---|
| 146 | #define NUM_TESTS NUM_RENAME_TESTS |
|---|
| 147 | |
|---|
| 148 | int main(int argc, char **argv) |
|---|
| 149 | { |
|---|
| 150 | ksft_print_header(); |
|---|
| 151 | ksft_set_plan(NUM_TESTS); |
|---|
| 152 | |
|---|
| 153 | test_rename_attack(RESOLVE_BENEATH); |
|---|
| 154 | test_rename_attack(RESOLVE_IN_ROOT); |
|---|
| 155 | |
|---|
| 156 | if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0) |
|---|
| 157 | ksft_exit_fail(); |
|---|
| 158 | else |
|---|
| 159 | ksft_exit_pass(); |
|---|
| 160 | } |
|---|
| 161 | |
|---|
