• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018 Google, Inc.
4  */
5 
6 /*
7  * Regression test for commit 4dca6ea1d943 ("KEYS: add missing permission check
8  * for request_key() destination"), or CVE-2017-17807.  This bug allowed adding
9  * a key to a keyring given only Search permission to that keyring, rather than
10  * the expected Write permission.
11  *
12  * We test for the bug by trying to add a negatively instantiated key, since
13  * adding a negatively instantiated key using the bug was easy whereas adding a
14  * positively instantiated key required exploiting a race condition.
15  */
16 
17 #include <errno.h>
18 
19 #include "tst_test.h"
20 #include "lapi/keyctl.h"
21 
do_test(void)22 static void do_test(void)
23 {
24 	key_serial_t keyid;
25 	int saved_errno;
26 
27 	TEST(keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL));
28 	if (TST_RET < 0)
29 		tst_brk(TBROK | TTERRNO, "failed to join new session keyring");
30 
31 	TEST(keyctl(KEYCTL_SETPERM, KEY_SPEC_SESSION_KEYRING,
32 		    KEY_POS_SEARCH|KEY_POS_READ|KEY_POS_VIEW));
33 	if (TST_RET < 0) {
34 		tst_brk(TBROK | TTERRNO,
35 			"failed to set permissions on session keyring");
36 	}
37 
38 	TEST(keyctl(KEYCTL_SET_REQKEY_KEYRING,
39 		    KEY_REQKEY_DEFL_SESSION_KEYRING));
40 	if (TST_RET < 0) {
41 		tst_brk(TBROK | TTERRNO,
42 			"failed to set request-key default keyring");
43 	}
44 
45 	TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING,
46 		    &keyid, sizeof(keyid)));
47 	if (TST_RET < 0)
48 		tst_brk(TBROK | TTERRNO, "failed to read from session keyring");
49 	if (TST_RET != 0)
50 		tst_brk(TBROK, "session keyring is not empty");
51 
52 	TEST(request_key("user", "desc", "callout_info", 0));
53 	if (TST_RET != -1)
54 		tst_brk(TBROK, "request_key() unexpectedly succeeded");
55 	saved_errno = TST_ERR;
56 
57 	TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING,
58 		    &keyid, sizeof(keyid)));
59 	if (TST_RET < 0)
60 		tst_brk(TBROK | TTERRNO, "failed to read from session keyring");
61 	if (TST_RET != 0)
62 		tst_brk(TFAIL, "added key to keyring without permission");
63 
64 	TST_ERR = saved_errno;
65 	if (TST_ERR == EACCES) {
66 		tst_res(TPASS, "request_key() failed with EACCES as expected");
67 	} else {
68 		tst_res(TFAIL | TTERRNO,
69 			"request_key() failed with unexpected error code");
70 	}
71 }
72 
73 static struct tst_test test = {
74 	.test_all = do_test,
75 	.tags = (const struct tst_tag[]) {
76 		{"CVE", "2017-17807"},
77 		{"linux-git", "4dca6ea1d943"},
78 		{}
79 	}
80 };
81