From f20a42e871e64ce34fac87d415a0f5718f7bae0c Mon Sep 17 00:00:00 2001
From: Ben Wiederhake
Date: Thu, 28 Oct 2021 00:44:35 +0200
Subject: [PATCH] Kernel: Write test that crashes ProcFS
---
Meta/build-root-filesystem.sh | 4 +++
Tests/Kernel/CMakeLists.txt | 1 +
Tests/Kernel/TestProcFSWrite.cpp | 43 ++++++++++++++++++++++++++++++++
3 files changed, 48 insertions(+)
create mode 100644 Tests/Kernel/TestProcFSWrite.cpp
diff --git a/Meta/build-root-filesystem.sh b/Meta/build-root-filesystem.sh
index e11a7b97c81..8844ccdb573 100755
--- a/Meta/build-root-filesystem.sh
+++ b/Meta/build-root-filesystem.sh
@@ -106,6 +106,10 @@ if [ -f mnt/usr/Tests/Kernel/TestMemoryDeviceMmap ]; then
 chown 0:0 mnt/usr/Tests/Kernel/TestMemoryDeviceMmap
 chmod 4755 mnt/usr/Tests/Kernel/TestMemoryDeviceMmap
 fi
+if [ -f mnt/usr/Tests/Kernel/TestProcFSWrite ]; then
+ chown 0:0 mnt/usr/Tests/Kernel/TestProcFSWrite
+ chmod 4755 mnt/usr/Tests/Kernel/TestProcFSWrite
+fi
 chmod 0400 mnt/res/kernel.map
 chmod 0400 mnt/boot/Kernel
diff --git a/Tests/Kernel/CMakeLists.txt b/Tests/Kernel/CMakeLists.txt
index 18abcba55a6..2b1364a6671 100644
--- a/Tests/Kernel/CMakeLists.txt
+++ b/Tests/Kernel/CMakeLists.txt
@@ -40,6 +40,7 @@ set(LIBTEST_BASED_SOURCES
 TestMemoryDeviceMmap.cpp
 TestMunMap.cpp
 TestProcFS.cpp
+ TestProcFSWrite.cpp
 )
 foreach(libtest_source IN LISTS LIBTEST_BASED_SOURCES)
diff --git a/Tests/Kernel/TestProcFSWrite.cpp b/Tests/Kernel/TestProcFSWrite.cpp
new file mode 100644
index 00000000000..25595437770
--- /dev/null
+++ b/Tests/Kernel/TestProcFSWrite.cpp
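Review bot: The added block in Meta/build-root-filesystem.sh installs TestProcFSWrite as a root-owned setuid binary (`chmod 4755`) that every account on the image can execute, and the commit subject says this test crashes ProcFS, so, if the crash is reachable from the test as written, any local user of an image built by this script could trigger it. The hunk gives no reason for the setuid bit; a comment above the new `if`, such as `# TestProcFSWrite must run with euid 0: it attempts a write to /proc/self/unveil`, would record it. It is also worth stating whether these setuid test binaries are meant to exist only in test images, since the TestMemoryDeviceMmap block visible in the context follows the same pattern. The script continues outside the hunk.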
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2021, Ben Wiederhake
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include
+#include
+#include
+#include
+
+TEST_CASE(check_root)
+{
+ auto uid = geteuid();
+ // This test only makes sense as root.
+ EXPECT_EQ(uid, 0u);
+
+ // Before we make the process dumpable, become "fully" root, so that the user cannot tamper with our memory:
+ EXPECT_EQ(setuid(0), 0);
+
+ // If running as setuid, the process is automatically marked as non-dumpable, which bars access to /proc/self/.
+ // However, that is the easiest guess for a /proc/$PID/ directory, so we'd like to use that.
+ // In order to do so, mark this process as dumpable:
+ EXPECT_EQ(prctl(PR_SET_DUMPABLE, 1, 0), 0);
+}
+
+TEST_CASE(root_writes_to_procfs)
+{
+ int fd = open("/proc/self/unveil", O_RDWR | O_APPEND | O_CREAT, 0666); // = 6
+ if (fd < 0) {
+ perror("open");
+ dbgln("fd was {}", fd);
+ FAIL("open failed?! See debugout");
+ return;
+ }
+
+ int rc = write(fd, "hello", 5);
+ perror("write");
+ dbgln("write rc = {}", rc);
+ if (rc >= 0) {
+ FAIL("Wrote successfully?!");
+ }
+}
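Review bot: In `root_writes_to_procfs`, `perror("write")` runs unconditionally, so after a successful write it prints whatever stale errno is left over, and the case passes on any negative `rc` without checking which error the kernel returned. `if (rc < 0) perror("write");` fixes the first; an `EXPECT_EQ(errno, <expected errno>);` would pin the second once the intended error is decided. `fd` is never closed on the path that reaches the write, so a `close(fd);` after the `dbgln` would tidy that. The case also depends on `check_root` having already called `setuid(0)` and `prctl(PR_SET_DUMPABLE, 1, 0)` in the same process, which deserves a comment such as `// Relies on check_root having made this setuid process dumpable.`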