1d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng/*
2d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Copyright (c) 2017 Fujitsu Ltd.
3d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Author: Guangwen Feng <fenggw-fnst@cn.fujitsu.com>
4d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *
5d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * This program is free software: you can redistribute it and/or modify
6d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * it under the terms of the GNU General Public License as published by
7d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * the Free Software Foundation, either version 2 of the License, or
8d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * (at your option) any later version.
9d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *
10d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * This program is distributed in the hope that it will be useful,
11d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * but WITHOUT ANY WARRANTY; without even the implied warranty of
12d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * GNU General Public License for more details.
14d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *
15d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * You should have received a copy of the GNU General Public License
16d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * along with this program, if not, see <http://www.gnu.org/licenses/>.
17d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng */
18d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
19d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng/*
20d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * Test for CVE-2016-7042, this regression test can crash the buggy kernel
21d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng * when the stack-protector is enabled, and the bug was fixed in:
22d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *
23d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *  commit 03dab869b7b239c4e013ec82aea22e181e441cfc
24d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *  Author: David Howells <dhowells@redhat.com>
25d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *  Date:   Wed Oct 26 15:01:54 2016 +0100
26d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *
27d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng *  KEYS: Fix short sprintf buffer in /proc/keys show function
28d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng */
29d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
30d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include <errno.h>
31d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include <stdio.h>
32d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
33d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include "tst_test.h"
34d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#include "lapi/keyctl.h"
35d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
36d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng#define PATH_KEYS	"/proc/keys"
37d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
38d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic key_serial_t key;
39d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic int fd;
40d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
41d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic void do_test(void)
42d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng{
43d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	char buf[BUFSIZ];
44d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
45c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng	key = add_key("user", "ltptestkey", "a", 1, KEY_SPEC_SESSION_KEYRING);
46d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	if (key == -1)
47d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng		tst_brk(TBROK, "Failed to add key");
48d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
49c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng	if (keyctl(KEYCTL_UPDATE, key, "b", 1))
50d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng		tst_brk(TBROK, "Failed to update key");
51d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
52d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	fd = SAFE_OPEN(PATH_KEYS, O_RDONLY);
53d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
54d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	tst_res(TINFO, "Attempting to crash the system");
55d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
56d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	SAFE_READ(0, fd, buf, BUFSIZ);
57d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
58d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	tst_res(TPASS, "Bug not reproduced");
59d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
60d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	SAFE_CLOSE(fd);
61d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
62c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng	if (keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING))
63d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng		tst_brk(TBROK, "Failed to unlink key");
64d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	key = 0;
65d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng}
66d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
67d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic void setup(void)
68d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng{
69d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	if (access(PATH_KEYS, F_OK))
70d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng		tst_brk(TCONF, "%s does not exist", PATH_KEYS);
71d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng}
72d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
73d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic void cleanup(void)
74d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng{
75c1c2efa10a0a5e8d9d9aa0bd02284f67a17d9475Guangwen Feng	if (key > 0 && keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING))
76d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng		tst_res(TWARN, "Failed to unlink key");
77d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
78d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	if (fd > 0)
79d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng		SAFE_CLOSE(fd);
80d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng}
81d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng
82d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Fengstatic struct tst_test test = {
83d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	.setup = setup,
84d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	.cleanup = cleanup,
85d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng	.test_all = do_test,
86d1fffb9c020c8b6fa7129d59a017c279fdb83d1bGuangwen Feng};
87