// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (c) 2017 Google, Inc.
 */
5 
/*
 * Regression test for commit c9f838d104fe ("KEYS: fix
 * keyctl_set_reqkey_keyring() to not leak thread keyrings"), a.k.a.
 * CVE-2017-7472.  This bug could be used to exhaust kernel memory, though it
 * would take a while to do that and it would grind the test suite to a halt.
 * Instead we do a quick check for whether the existing thread keyring is
 * replaced when the default request-key destination is set to the thread
 * keyring.  It shouldn't be, but before the fix it was (and the old thread
 * keyring was leaked).
 */
16 
17 #include <errno.h>
18 
19 #include "tst_test.h"
20 #include "lapi/keyctl.h"
21 
/*
 * Check whether pointing the default request-key destination at the thread
 * keyring replaces a thread keyring that already exists.
 *
 * The thread keyring is created first and its ID is remembered.  After
 * KEYCTL_SET_REQKEY_KEYRING the ID is queried again, this time without asking
 * for creation.  The same ID means the existing keyring was kept (TPASS); a
 * different ID means a new keyring was installed in its place, which is the
 * leak described by CVE-2017-7472 (TFAIL).  Any failing keyctl() call is
 * reported through tst_brk(TBROK | TTERRNO, ...).
 */
static void do_test(void)
{
	key_serial_t original_id;

	/* Third argument 1: create the thread keyring if it is missing. */
	TEST(keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_THREAD_KEYRING, 1));
	if (TST_RET < 0) {
		tst_brk(TBROK | TTERRNO, "failed to create thread keyring");
	}
	original_id = TST_RET;

	/* The operation under test: it must reuse the keyring created above. */
	TEST(keyctl(KEYCTL_SET_REQKEY_KEYRING, KEY_REQKEY_DEFL_THREAD_KEYRING));
	if (TST_RET < 0) {
		tst_brk(TBROK | TTERRNO, "failed to set reqkey keyring");
	}

	/* Third argument 0: only look the keyring up, never create one. */
	TEST(keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_THREAD_KEYRING, 0));
	if (TST_RET < 0) {
		tst_brk(TBROK | TTERRNO, "failed to get thread keyring ID");
	}

	/* A changed ID means the first keyring was replaced, i.e. leaked. */
	if (TST_RET != original_id) {
		tst_res(TFAIL, "thread keyring was leaked!");
		return;
	}

	tst_res(TPASS, "thread keyring was not leaked");
}
43 
/*
 * LTP test descriptor.  do_test() is the single test function; the tags link
 * the test to the CVE it covers and to the kernel commit that fixed it.
 */
static struct tst_test test = {
	.tags = (const struct tst_tag[]) {
		{"CVE", "2017-7472"},
		{"linux-git", "c9f838d104fe"},
		{}	/* empty last entry, as in the original list */
	},
	.test_all = do_test,
};