1d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng/* 2d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Copyright (c) 2017 Fujitsu Ltd. 3d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Author: Guangwen Feng <fenggw-fnst@cn.fujitsu.com> 4d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * 5d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * This program is free software: you can redistribute it and/or modify 6d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * it under the terms of the GNU General Public License as published by 7d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * the Free Software Foundation, either version 2 of the License, or 8d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * (at your option) any later version. 9d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * 10d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * This program is distributed in the hope that it will be useful, 11d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * but WITHOUT ANY WARRANTY; without even the implied warranty of 12d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * GNU General Public License for more details. 14d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * 15d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * You should have received a copy of the GNU General Public License 16d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * along with this program, if not, see <http://www.gnu.org/licenses/>. 17d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng */ 18d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 19d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng/* 20d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Test for CVE-2016-7042, this regression test can crash the buggy kernel 21d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * when the stack-protector is enabled, and the bug was fixed in: 22d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * 23d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * commit 03dab869b7b239c4e013ec82aea22e181e441cfc 24d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Author: David Howells <dhowells@redhat.com> 25d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Date: Wed Oct 26 15:01:54 2016 +0100 26d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * 27d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * KEYS: Fix short sprintf buffer in /proc/keys show function 28d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng */ 29d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 30d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include <errno.h> 31d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include <stdio.h> 32d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 33d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include "tst_test.h" 34d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include "lapi/keyctl.h" 35d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 36d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#define PATH_KEYS "/proc/keys" 37d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 38d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic key_serial_t key; 39d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic int fd; 40d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 41d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic void do_test(void) 42d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng{ 43d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng char buf[BUFSIZ]; 44d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 45c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng key = add_key("user", "ltptestkey", "a", 1, KEY_SPEC_SESSION_KEYRING); 46d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng if (key == -1) 47d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_brk(TBROK, "Failed to add key"); 48d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 49c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng if (keyctl(KEYCTL_UPDATE, key, "b", 1)) 50d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_brk(TBROK, "Failed to update key"); 51d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 52d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng fd = SAFE_OPEN(PATH_KEYS, O_RDONLY); 53d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 54d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_res(TINFO, "Attempting to crash the system"); 55d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 56d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng SAFE_READ(0, fd, buf, BUFSIZ); 57d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 58d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_res(TPASS, "Bug not reproduced"); 59d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 60d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng SAFE_CLOSE(fd); 61d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 62c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng if (keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING)) 63d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_brk(TBROK, "Failed to unlink key"); 64d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng key = 0; 65d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng} 66d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 67d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic void setup(void) 68d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng{ 69d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng if (access(PATH_KEYS, F_OK)) 70d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_brk(TCONF, "%s does not exist", PATH_KEYS); 71d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng} 72d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 73d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic void cleanup(void) 74d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng{ 75c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng if (key > 0 && keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING)) 76d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng tst_res(TWARN, "Failed to unlink key"); 77d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 78d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng if (fd > 0) 79d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng SAFE_CLOSE(fd); 80d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng} 81d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng 82d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic struct tst_test test = { 83d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng .setup = setup, 84d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng .cleanup = cleanup, 85d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng .test_all = do_test, 86d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng}; 87