tests/unp_connect_thread_uaf.c

   1 /* This tests thread_t uaf vulnerability in the XNU kernel due to
   2  * a race condition in unp_connect
   3  */
   4
   5 #include <sys/un.h>
   6 #include <sys/socket.h>
   7 #include <pthread.h>
   8 #include <sys/proc_info.h>
   9 #include <libproc.h>
  10 #include <darwintest.h>
  11 #include <unistd.h>
  12
  13 int g_start = 0;
  14 int g_client = 0;
  15 int g_sever1 = 0;
  16 int g_sever2 = 0;
  17
  18 static void
  19 server_thread1(char* path)
  20 {
  21         struct sockaddr_un server_sockaddr;
  22         memset(&server_sockaddr, 0, sizeof(struct sockaddr_un));
  23         server_sockaddr.sun_family = AF_UNIX;
  24         strcpy(server_sockaddr.sun_path, path);
  25         unlink(server_sockaddr.sun_path);
  26
  27         int server_sock = socket(AF_UNIX, SOCK_STREAM, 0);
  28         g_sever1 = server_sock;
  29         T_ASSERT_POSIX_SUCCESS(bind(server_sock,
  30             (struct sockaddr *) &server_sockaddr, sizeof(server_sockaddr)), NULL);
  31
  32         /*********************************/
  33         /* Listen for any client sockets */
  34         /*********************************/
  35         T_ASSERT_POSIX_SUCCESS(listen(server_sock, -1), NULL);
  36
  37         return;
  38 }
  39
  40 static void
  41 server_thread2(char* path)
  42 {
  43         struct sockaddr_un server_sockaddr;
  44         memset(&server_sockaddr, 0, sizeof(struct sockaddr_un));
  45         server_sockaddr.sun_family = AF_UNIX;
  46         strcpy(server_sockaddr.sun_path, path);
  47         unlink(server_sockaddr.sun_path);
  48
  49         int server_sock = socket(AF_UNIX, SOCK_STREAM, 0);
  50         g_sever2 = server_sock;
  51         T_ASSERT_POSIX_SUCCESS(bind(server_sock,
  52             (struct sockaddr *) &server_sockaddr, sizeof(server_sockaddr)), NULL);
  53
  54         /*********************************/
  55         /* Listen for any client sockets */
  56         /*********************************/
  57         T_ASSERT_POSIX_SUCCESS(listen(server_sock, -1), NULL);
  58
  59         return;
  60 }
  61
  62 static void
  63 try_to_connect(char* path)
  64 {
  65         struct sockaddr_un server_sockaddr;
  66         memset(&server_sockaddr, 0, sizeof(struct sockaddr_un));
  67         server_sockaddr.sun_family = AF_UNIX;
  68         strcpy(server_sockaddr.sun_path, path);
  69         //unlink(server_sockaddr.sun_path);
  70
  71         while (g_start == 0) {
  72                 usleep(100);
  73         }
  74         int ret = connect(g_client, (struct sockaddr *)&server_sockaddr,
  75             sizeof(server_sockaddr));
  76
  77         T_ASSERT_TRUE(ret == 0 || errno == EALREADY || errno == EISCONN,
  78             "connect with ret: %d(%d)", ret, errno);
  79 }
  80
  81
  82 static void
  83 test_unp_connect_multithread()
  84 {
  85         int client_sock;
  86         char path[] = "/tmp/";
  87         char path1[256];
  88         char path2[256];
  89         char path3[256];
  90
  91         strncpy(path1, path, 255);
  92         strcat(path1, "/1");
  93         strncpy(path2, path, 255);
  94         strcat(path2, "/2");
  95         strncpy(path3, path, 255);
  96         strcat(path3, "/3");
  97
  98
  99         for (int i = 0; i < 1024; i++) {
 100                 T_SETUPBEGIN;
 101                 server_thread1(path1);
 102                 server_thread2(path2);
 103                 T_ASSERT_POSIX_SUCCESS(client_sock = socket(AF_UNIX, SOCK_STREAM, 0), NULL);
 104
 105                 unlink(path3);
 106                 struct sockaddr_un client_sockaddr;
 107                 client_sockaddr.sun_family = AF_UNIX;
 108                 strcpy(client_sockaddr.sun_path, path3);
 109                 T_ASSERT_POSIX_SUCCESS(bind(client_sock, (struct sockaddr *)&client_sockaddr,
 110                     sizeof(client_sockaddr)), NULL);
 111                 T_SETUPEND;
 112                 g_client = client_sock;
 113                 g_start = 0;
 114                 pthread_t runner1;
 115                 pthread_t runner2;
 116                 if (pthread_create(&runner1, 0, (void*)try_to_connect, path1)) {
 117                         T_ASSERT_FAIL("pthread_create failed");
 118                 }
 119
 120                 if (pthread_create(&runner2, 0, (void*)try_to_connect, path2)) {
 121                         T_ASSERT_FAIL("pthread_create failed");
 122                 }
 123                 usleep(300);
 124                 g_start = 1;
 125                 pthread_join(runner1, 0);
 126                 pthread_join(runner2, 0);
 127
 128                 usleep(3000);
 129
 130                 struct socket_fdinfo si_1 = {0};
 131                 proc_pidfdinfo(getpid(), g_sever1, PROC_PIDFDSOCKETINFO, &si_1,
 132                     sizeof(si_1));
 133                 struct socket_fdinfo si_2 = {0};
 134                 proc_pidfdinfo(getpid(), g_sever2, PROC_PIDFDSOCKETINFO, &si_2,
 135                     sizeof(si_2));
 136                 if (si_1.psi.soi_incqlen || si_2.psi.soi_incqlen) {
 137                         close(g_sever2);
 138                         close(g_sever1);
 139                 }
 140                 close(client_sock);
 141                 close(g_sever2);
 142                 close(g_sever1);
 143         }
 144 }
 145
 146 T_DECL(unp_connect_thread_uaf, "Uaf due to multithreaded unp_connect")
 147 {
 148         test_unp_connect_multithread();
 149 }