160 lines
		
	
	
	
		
			3.6 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			160 lines
		
	
	
	
		
			3.6 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0-or-later
 | |
| /*
 | |
|  * Author: Aleksa Sarai <cyphar@cyphar.com>
 | |
|  * Copyright (C) 2018-2019 SUSE LLC.
 | |
|  */
 | |
| 
 | |
| #define _GNU_SOURCE
 | |
| #include <errno.h>
 | |
| #include <fcntl.h>
 | |
| #include <sched.h>
 | |
| #include <sys/stat.h>
 | |
| #include <sys/types.h>
 | |
| #include <sys/mount.h>
 | |
| #include <sys/mman.h>
 | |
| #include <sys/prctl.h>
 | |
| #include <signal.h>
 | |
| #include <stdio.h>
 | |
| #include <stdlib.h>
 | |
| #include <stdbool.h>
 | |
| #include <string.h>
 | |
| #include <syscall.h>
 | |
| #include <limits.h>
 | |
| #include <unistd.h>
 | |
| 
 | |
| #include "../kselftest.h"
 | |
| #include "helpers.h"
 | |
| 
 | |
| /* Construct a test directory with the following structure:
 | |
|  *
 | |
|  * root/
 | |
|  * |-- a/
 | |
|  * |   `-- c/
 | |
|  * `-- b/
 | |
|  */
 | |
| int setup_testdir(void)
 | |
| {
 | |
| 	int dfd;
 | |
| 	char dirname[] = "/tmp/ksft-openat2-rename-attack.XXXXXX";
 | |
| 
 | |
| 	/* Make the top-level directory. */
 | |
| 	if (!mkdtemp(dirname))
 | |
| 		ksft_exit_fail_msg("setup_testdir: failed to create tmpdir\n");
 | |
| 	dfd = open(dirname, O_PATH | O_DIRECTORY);
 | |
| 	if (dfd < 0)
 | |
| 		ksft_exit_fail_msg("setup_testdir: failed to open tmpdir\n");
 | |
| 
 | |
| 	E_mkdirat(dfd, "a", 0755);
 | |
| 	E_mkdirat(dfd, "b", 0755);
 | |
| 	E_mkdirat(dfd, "a/c", 0755);
 | |
| 
 | |
| 	return dfd;
 | |
| }
 | |
| 
 | |
| /* Swap @dirfd/@a and @dirfd/@b constantly. Parent must kill this process. */
 | |
| pid_t spawn_attack(int dirfd, char *a, char *b)
 | |
| {
 | |
| 	pid_t child = fork();
 | |
| 	if (child != 0)
 | |
| 		return child;
 | |
| 
 | |
| 	/* If the parent (the test process) dies, kill ourselves too. */
 | |
| 	E_prctl(PR_SET_PDEATHSIG, SIGKILL);
 | |
| 
 | |
| 	/* Swap @a and @b. */
 | |
| 	for (;;)
 | |
| 		renameat2(dirfd, a, dirfd, b, RENAME_EXCHANGE);
 | |
| 	exit(1);
 | |
| }
 | |
| 
 | |
| #define NUM_RENAME_TESTS 2
 | |
| #define ROUNDS 400000
 | |
| 
 | |
| const char *flagname(int resolve)
 | |
| {
 | |
| 	switch (resolve) {
 | |
| 	case RESOLVE_IN_ROOT:
 | |
| 		return "RESOLVE_IN_ROOT";
 | |
| 	case RESOLVE_BENEATH:
 | |
| 		return "RESOLVE_BENEATH";
 | |
| 	}
 | |
| 	return "(unknown)";
 | |
| }
 | |
| 
 | |
| void test_rename_attack(int resolve)
 | |
| {
 | |
| 	int dfd, afd;
 | |
| 	pid_t child;
 | |
| 	void (*resultfn)(const char *msg, ...) = ksft_test_result_pass;
 | |
| 	int escapes = 0, other_errs = 0, exdevs = 0, eagains = 0, successes = 0;
 | |
| 
 | |
| 	struct open_how how = {
 | |
| 		.flags = O_PATH,
 | |
| 		.resolve = resolve,
 | |
| 	};
 | |
| 
 | |
| 	if (!openat2_supported) {
 | |
| 		how.resolve = 0;
 | |
| 		ksft_print_msg("openat2(2) unsupported -- using openat(2) instead\n");
 | |
| 	}
 | |
| 
 | |
| 	dfd = setup_testdir();
 | |
| 	afd = openat(dfd, "a", O_PATH);
 | |
| 	if (afd < 0)
 | |
| 		ksft_exit_fail_msg("test_rename_attack: failed to open 'a'\n");
 | |
| 
 | |
| 	child = spawn_attack(dfd, "a/c", "b");
 | |
| 
 | |
| 	for (int i = 0; i < ROUNDS; i++) {
 | |
| 		int fd;
 | |
| 		char *victim_path = "c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../../c/../..";
 | |
| 
 | |
| 		if (openat2_supported)
 | |
| 			fd = sys_openat2(afd, victim_path, &how);
 | |
| 		else
 | |
| 			fd = sys_openat(afd, victim_path, &how);
 | |
| 
 | |
| 		if (fd < 0) {
 | |
| 			if (fd == -EAGAIN)
 | |
| 				eagains++;
 | |
| 			else if (fd == -EXDEV)
 | |
| 				exdevs++;
 | |
| 			else if (fd == -ENOENT)
 | |
| 				escapes++; /* escaped outside and got ENOENT... */
 | |
| 			else
 | |
| 				other_errs++; /* unexpected error */
 | |
| 		} else {
 | |
| 			if (fdequal(fd, afd, NULL))
 | |
| 				successes++;
 | |
| 			else
 | |
| 				escapes++; /* we got an unexpected fd */
 | |
| 		}
 | |
| 		close(fd);
 | |
| 	}
 | |
| 
 | |
| 	if (escapes > 0)
 | |
| 		resultfn = ksft_test_result_fail;
 | |
| 	ksft_print_msg("non-escapes: EAGAIN=%d EXDEV=%d E<other>=%d success=%d\n",
 | |
| 		       eagains, exdevs, other_errs, successes);
 | |
| 	resultfn("rename attack with %s (%d runs, got %d escapes)\n",
 | |
| 		 flagname(resolve), ROUNDS, escapes);
 | |
| 
 | |
| 	/* Should be killed anyway, but might as well make sure. */
 | |
| 	E_kill(child, SIGKILL);
 | |
| }
 | |
| 
 | |
| #define NUM_TESTS NUM_RENAME_TESTS
 | |
| 
 | |
| int main(int argc, char **argv)
 | |
| {
 | |
| 	ksft_print_header();
 | |
| 	ksft_set_plan(NUM_TESTS);
 | |
| 
 | |
| 	test_rename_attack(RESOLVE_BENEATH);
 | |
| 	test_rename_attack(RESOLVE_IN_ROOT);
 | |
| 
 | |
| 	if (ksft_get_fail_cnt() + ksft_get_error_cnt() > 0)
 | |
| 		ksft_exit_fail();
 | |
| 	else
 | |
| 		ksft_exit_pass();
 | |
| }
 |