unplugged-system/external/ltp/testcases/cve/cve-2022-4378.c

// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>
 */

/*\
 * CVE 2022-4378
 *
 * Check that writing several pages worth of whitespace into /proc/sys files
 * does not cause kernel stack overflow. Kernel bug fixed in:
 *
 * commit bce9332220bd677d83b19d21502776ad555a0e73
 * Author: Linus Torvalds <torvalds@linux-foundation.org>
 * Date:   Mon Dec 5 12:09:06 2022 -0800
 *
 * proc: proc_skip_spaces() shouldn't think it is working on C strings
 */

#include <stdlib.h>
#include "tst_test.h"

static char *buf;
static unsigned int bufsize;
static int fd = -1;

static struct testcase {
	const char *path;
	int err;
} testcase_list[] = {
	{"/proc/sys/net/ipv4/icmp_ratelimit", EINVAL},
	{"/proc/sys/net/ipv4/icmp_ratemask", EINVAL},
	{"/proc/sys/net/ipv4/icmp_echo_ignore_all", EINVAL},
	{"/proc/sys/net/ipv4/tcp_probe_interval", EINVAL},
	{"/proc/sys/net/ipv4/tcp_keepalive_time", EINVAL},
	{"/proc/sys/net/ipv4/tcp_notsent_lowat", EINVAL},
	{"/proc/sys/net/ipv4/ip_local_reserved_ports", 0}
};

static void setup(void)
{
	tst_setup_netns();

	bufsize = 2 * SAFE_SYSCONF(_SC_PAGESIZE);
	buf = SAFE_MALLOC(bufsize);
	memset(buf, '\n', bufsize);
}

static void run(unsigned int n)
{
	const struct testcase *tc = testcase_list + n;

	if (access(tc->path, W_OK)) {
		tst_res(TCONF | TERRNO, "Skipping %s", tc->path);
		return;
	}

	tst_res(TINFO, "Writing whitespace to %s", tc->path);

	fd = SAFE_OPEN(tc->path, O_WRONLY);
	TEST(write(fd, buf, bufsize));
	SAFE_CLOSE(fd);

	if (TST_RET >= 0 && tc->err == 0) {
		tst_res(TPASS, "write() passed as expected");
	} else if (TST_RET >= 0) {
		tst_res(TFAIL, "write() unexpectedly passed");
	} else if (TST_RET != -1) {
		tst_res(TFAIL | TTERRNO, "Invalid write() return value %ld",
			TST_RET);
	} else if (TST_ERR != tc->err) {
		tst_res(TFAIL | TTERRNO, "write() returned unexpected error");
	} else {
		tst_res(TPASS | TTERRNO, "write() failed as expected");
	}

	if (tst_taint_check())
		tst_res(TFAIL, "Kernel is vulnerable");
}

static void cleanup(void)
{
	if (fd >= 0)
		SAFE_CLOSE(fd);

	if (buf)
		free(buf);
}

static struct tst_test test = {
	.test = run,
	.tcnt = ARRAY_SIZE(testcase_list),
	.setup = setup,
	.cleanup = cleanup,
	.taint_check = TST_TAINT_W | TST_TAINT_D,
	.needs_kconfigs = (const char *[]) {
		"CONFIG_USER_NS=y",
		"CONFIG_NET_NS=y",
		NULL
	},
	.save_restore = (const struct tst_path_val[]) {
		{"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},
		{}
	},
	.tags = (const struct tst_tag[]) {
		{"linux-git", "bce9332220bd"},
		{"CVE", "2022-4378"},
		{}
	}
};
Initial commit: AOSP 14 with modifications for Unplugged OS 2025-10-06 13:59:42 +00:00			`// SPDX-License-Identifier: GPL-2.0-or-later`
			`/*`
			`* Copyright (C) 2022 SUSE LLC <mdoucha@suse.cz>`
			`*/`

			`/*\`
			`* CVE 2022-4378`
			`*`
			`* Check that writing several pages worth of whitespace into /proc/sys files`
			`* does not cause kernel stack overflow. Kernel bug fixed in:`
			`*`
			`* commit bce9332220bd677d83b19d21502776ad555a0e73`
			`* Author: Linus Torvalds <torvalds@linux-foundation.org>`
			`* Date: Mon Dec 5 12:09:06 2022 -0800`
			`*`
			`* proc: proc_skip_spaces() shouldn't think it is working on C strings`
			`*/`

			`#include <stdlib.h>`
			`#include "tst_test.h"`

			`static char *buf;`
			`static unsigned int bufsize;`
			`static int fd = -1;`

			`static struct testcase {`
			`const char *path;`
			`int err;`
			`} testcase_list[] = {`
			`{"/proc/sys/net/ipv4/icmp_ratelimit", EINVAL},`
			`{"/proc/sys/net/ipv4/icmp_ratemask", EINVAL},`
			`{"/proc/sys/net/ipv4/icmp_echo_ignore_all", EINVAL},`
			`{"/proc/sys/net/ipv4/tcp_probe_interval", EINVAL},`
			`{"/proc/sys/net/ipv4/tcp_keepalive_time", EINVAL},`
			`{"/proc/sys/net/ipv4/tcp_notsent_lowat", EINVAL},`
			`{"/proc/sys/net/ipv4/ip_local_reserved_ports", 0}`
			`};`

			`static void setup(void)`
			`{`
			`tst_setup_netns();`

			`bufsize = 2 * SAFE_SYSCONF(_SC_PAGESIZE);`
			`buf = SAFE_MALLOC(bufsize);`
			`memset(buf, '\n', bufsize);`
			`}`

			`static void run(unsigned int n)`
			`{`
			`const struct testcase *tc = testcase_list + n;`

			`if (access(tc->path, W_OK)) {`
			`tst_res(TCONF \| TERRNO, "Skipping %s", tc->path);`
			`return;`
			`}`

			`tst_res(TINFO, "Writing whitespace to %s", tc->path);`

			`fd = SAFE_OPEN(tc->path, O_WRONLY);`
			`TEST(write(fd, buf, bufsize));`
			`SAFE_CLOSE(fd);`

			`if (TST_RET >= 0 && tc->err == 0) {`
			`tst_res(TPASS, "write() passed as expected");`
			`} else if (TST_RET >= 0) {`
			`tst_res(TFAIL, "write() unexpectedly passed");`
			`} else if (TST_RET != -1) {`
			`tst_res(TFAIL \| TTERRNO, "Invalid write() return value %ld",`
			`TST_RET);`
			`} else if (TST_ERR != tc->err) {`
			`tst_res(TFAIL \| TTERRNO, "write() returned unexpected error");`
			`} else {`
			`tst_res(TPASS \| TTERRNO, "write() failed as expected");`
			`}`

			`if (tst_taint_check())`
			`tst_res(TFAIL, "Kernel is vulnerable");`
			`}`

			`static void cleanup(void)`
			`{`
			`if (fd >= 0)`
			`SAFE_CLOSE(fd);`

			`if (buf)`
			`free(buf);`
			`}`

			`static struct tst_test test = {`
			`.test = run,`
			`.tcnt = ARRAY_SIZE(testcase_list),`
			`.setup = setup,`
			`.cleanup = cleanup,`
			`.taint_check = TST_TAINT_W \| TST_TAINT_D,`
			`.needs_kconfigs = (const char *[]) {`
			`"CONFIG_USER_NS=y",`
			`"CONFIG_NET_NS=y",`
			`NULL`
			`},`
			`.save_restore = (const struct tst_path_val[]) {`
			`{"/proc/sys/user/max_user_namespaces", "1024", TST_SR_SKIP},`
			`{}`
			`},`
			`.tags = (const struct tst_tag[]) {`
			`{"linux-git", "bce9332220bd"},`
			`{"CVE", "2022-4378"},`
			`{}`
			`}`
			`};`