1*8d741a5dSApple OSS Distributions /*
2*8d741a5dSApple OSS Distributions * Proof of Concept / Test Case
3*8d741a5dSApple OSS Distributions * XNU: aio_work_thread use-after-free for AIO_FSYNC entries
4*8d741a5dSApple OSS Distributions */
5*8d741a5dSApple OSS Distributions #include <err.h>
6*8d741a5dSApple OSS Distributions #include <stdarg.h>
7*8d741a5dSApple OSS Distributions #include <stdint.h>
8*8d741a5dSApple OSS Distributions #include <stdio.h>
9*8d741a5dSApple OSS Distributions #include <stdlib.h>
10*8d741a5dSApple OSS Distributions #include <string.h>
11*8d741a5dSApple OSS Distributions #include <strings.h>
12*8d741a5dSApple OSS Distributions
13*8d741a5dSApple OSS Distributions #include <sys/aio.h>
14*8d741a5dSApple OSS Distributions #include <unistd.h>
15*8d741a5dSApple OSS Distributions #include <darwintest.h>
16*8d741a5dSApple OSS Distributions #include <time.h>
17*8d741a5dSApple OSS Distributions
18*8d741a5dSApple OSS Distributions T_GLOBAL_META(
19*8d741a5dSApple OSS Distributions T_META_NAMESPACE("xnu.fd"),
20*8d741a5dSApple OSS Distributions T_META_RUN_CONCURRENTLY(true));
21*8d741a5dSApple OSS Distributions
22*8d741a5dSApple OSS Distributions #define NREQUESTS 8
23*8d741a5dSApple OSS Distributions
24*8d741a5dSApple OSS Distributions static void
attempt(int fd)25*8d741a5dSApple OSS Distributions attempt(int fd)
26*8d741a5dSApple OSS Distributions {
27*8d741a5dSApple OSS Distributions struct aiocb ap[NREQUESTS];
28*8d741a5dSApple OSS Distributions size_t n;
29*8d741a5dSApple OSS Distributions unsigned char c;
30*8d741a5dSApple OSS Distributions
31*8d741a5dSApple OSS Distributions for (n = 0; n < NREQUESTS; ++n) {
32*8d741a5dSApple OSS Distributions ap[n].aio_fildes = fd;
33*8d741a5dSApple OSS Distributions ap[n].aio_nbytes = 1;
34*8d741a5dSApple OSS Distributions ap[n].aio_buf = &c;
35*8d741a5dSApple OSS Distributions ap[n].aio_sigevent.sigev_notify = SIGEV_NONE;
36*8d741a5dSApple OSS Distributions }
37*8d741a5dSApple OSS Distributions
38*8d741a5dSApple OSS Distributions /*
39*8d741a5dSApple OSS Distributions * fire them off and exit.
40*8d741a5dSApple OSS Distributions */
41*8d741a5dSApple OSS Distributions for (n = 0; n < NREQUESTS; ++n) {
42*8d741a5dSApple OSS Distributions aio_fsync((n & 1) ? O_SYNC : O_DSYNC, &ap[n]);
43*8d741a5dSApple OSS Distributions }
44*8d741a5dSApple OSS Distributions
45*8d741a5dSApple OSS Distributions exit(0);
46*8d741a5dSApple OSS Distributions }
47*8d741a5dSApple OSS Distributions
48*8d741a5dSApple OSS Distributions T_DECL(lio_listio_race_63669270, "test for the lightspeed/unc0ver UaF", T_META_TAG_VM_PREFERRED)
49*8d741a5dSApple OSS Distributions {
50*8d741a5dSApple OSS Distributions pid_t child;
51*8d741a5dSApple OSS Distributions int fd;
52*8d741a5dSApple OSS Distributions char path[128];
53*8d741a5dSApple OSS Distributions uint64_t end = clock_gettime_nsec_np(CLOCK_UPTIME_RAW) + 10 * NSEC_PER_SEC;
54*8d741a5dSApple OSS Distributions
55*8d741a5dSApple OSS Distributions /* we need a valid fd: */
56*8d741a5dSApple OSS Distributions strcpy(path, "/tmp/aio_fsync_uaf.XXXXXX");
57*8d741a5dSApple OSS Distributions T_EXPECT_POSIX_SUCCESS(fd = mkstemp(path), "mkstemp");
58*8d741a5dSApple OSS Distributions T_EXPECT_POSIX_SUCCESS(unlink(path), "unlink");
59*8d741a5dSApple OSS Distributions
60*8d741a5dSApple OSS Distributions T_LOG("starting...");
61*8d741a5dSApple OSS Distributions do {
62*8d741a5dSApple OSS Distributions switch ((child = fork())) {
63*8d741a5dSApple OSS Distributions case -1: T_FAIL("fork");
64*8d741a5dSApple OSS Distributions case 0: attempt(fd);
65*8d741a5dSApple OSS Distributions }
66*8d741a5dSApple OSS Distributions
67*8d741a5dSApple OSS Distributions T_QUIET; T_EXPECT_POSIX_SUCCESS(waitpid(child, NULL, 0), "waitpid");
68*8d741a5dSApple OSS Distributions } while (clock_gettime_nsec_np(CLOCK_UPTIME_RAW) < end);
69*8d741a5dSApple OSS Distributions
70*8d741a5dSApple OSS Distributions T_PASS("the system didn't panic");
71*8d741a5dSApple OSS Distributions }
72