1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright 2018 Google LLC
4 */
5
6 /*
7 * Regression test for commit f43f39958beb ("crypto: user - fix leaking
8 * uninitialized memory to userspace"), or CVE-2018-19854; it was also a
9 * re-introduction of CVE-2013-2547. This bug caused uninitialized kernel stack
10 * memory to be leaked in some string fields in the replies to CRYPTO_MSG_GETALG
11 * messages over NETLINK_CRYPTO. To try to detect the bug, this test dumps all
12 * algorithms using NLM_F_DUMP mode and checks all string fields for unexpected
13 * nonzero bytes.
14 */
15
16 #include <stdlib.h>
17
18 #include "tst_test.h"
19 #include "tst_crypto.h"
20 #include "tst_netlink.h"
21
22 /*
23 * include after <sys/socket.h> (via tst_test.h), to work around dependency bug
24 * in old kernel headers (https://www.spinics.net/lists/netdev/msg171764.html)
25 */
26 #include <linux/rtnetlink.h>
27
28 static struct tst_crypto_session ses = TST_CRYPTO_SESSION_INIT;
29
setup(void)30 static void setup(void)
31 {
32 tst_crypto_open(&ses);
33 }
34
do_check_for_leaks(const char * name,const char * value,size_t vlen)35 static void do_check_for_leaks(const char *name, const char *value, size_t vlen)
36 {
37 size_t i;
38
39 for (i = strnlen(value, vlen); i < vlen; i++) {
40 if (value[i] != '\0')
41 tst_brk(TFAIL, "information leak in field '%s'", name);
42 }
43 }
44
45 #define check_for_leaks(name, field) \
46 do_check_for_leaks(name, field, sizeof(field))
47
validate_attr(const struct rtattr * rta)48 static void validate_attr(const struct rtattr *rta)
49 {
50 switch (rta->rta_type) {
51 case CRYPTOCFGA_REPORT_LARVAL: {
52 const struct crypto_report_larval *p = RTA_DATA(rta);
53
54 check_for_leaks("crypto_report_larval::type", p->type);
55 break;
56 }
57 case CRYPTOCFGA_REPORT_HASH: {
58 const struct crypto_report_hash *p = RTA_DATA(rta);
59
60 check_for_leaks("crypto_report_hash::type", p->type);
61 break;
62 }
63 case CRYPTOCFGA_REPORT_BLKCIPHER: {
64 const struct crypto_report_blkcipher *p = RTA_DATA(rta);
65
66 check_for_leaks("crypto_report_blkcipher::type", p->type);
67 check_for_leaks("crypto_report_blkcipher::geniv", p->geniv);
68 break;
69 }
70 case CRYPTOCFGA_REPORT_AEAD: {
71 const struct crypto_report_aead *p = RTA_DATA(rta);
72
73 check_for_leaks("crypto_report_aead::type", p->type);
74 check_for_leaks("crypto_report_aead::geniv", p->geniv);
75 break;
76 }
77 case CRYPTOCFGA_REPORT_COMPRESS: {
78 const struct crypto_report_comp *p = RTA_DATA(rta);
79
80 check_for_leaks("crypto_report_comp::type", p->type);
81 break;
82 }
83 case CRYPTOCFGA_REPORT_RNG: {
84 const struct crypto_report_rng *p = RTA_DATA(rta);
85
86 check_for_leaks("crypto_report_rng::type", p->type);
87 break;
88 }
89 case CRYPTOCFGA_REPORT_CIPHER: {
90 const struct crypto_report_cipher *p = RTA_DATA(rta);
91
92 check_for_leaks("crypto_report_cipher::type", p->type);
93 break;
94 }
95 case CRYPTOCFGA_REPORT_AKCIPHER: {
96 const struct crypto_report_akcipher *p = RTA_DATA(rta);
97
98 check_for_leaks("crypto_report_akcipher::type", p->type);
99 break;
100 }
101 case CRYPTOCFGA_REPORT_KPP: {
102 const struct crypto_report_kpp *p = RTA_DATA(rta);
103
104 check_for_leaks("crypto_report_kpp::type", p->type);
105 break;
106 }
107 case CRYPTOCFGA_REPORT_ACOMP: {
108 const struct crypto_report_acomp *p = RTA_DATA(rta);
109
110 check_for_leaks("crypto_report_acomp::type", p->type);
111 break;
112 }
113 } /* end switch */
114 }
115
validate_one_alg(const struct nlmsghdr * nh)116 static void validate_one_alg(const struct nlmsghdr *nh)
117 {
118 const struct crypto_user_alg *alg = NLMSG_DATA(nh);
119 const struct rtattr *rta = (void *)alg + NLMSG_ALIGN(sizeof(*alg));
120 size_t remaining = NLMSG_PAYLOAD(nh, sizeof(*alg));
121
122 check_for_leaks("crypto_user_alg::cru_name", alg->cru_name);
123 check_for_leaks("crypto_user_alg::cru_driver_name",
124 alg->cru_driver_name);
125 check_for_leaks("crypto_user_alg::cru_module_name",
126 alg->cru_module_name);
127
128 while (RTA_OK(rta, remaining)) {
129 validate_attr(rta);
130 rta = RTA_NEXT(rta, remaining);
131 }
132 }
133
validate_alg_list(const void * buf,size_t remaining)134 static void validate_alg_list(const void *buf, size_t remaining)
135 {
136 const struct nlmsghdr *nh;
137
138 for (nh = buf; NLMSG_OK(nh, remaining);
139 nh = NLMSG_NEXT(nh, remaining)) {
140 if (nh->nlmsg_seq != ses.seq_num) {
141 tst_brk(TBROK,
142 "Message out of sequence; type=0%hx, seq_num=%u (not %u)",
143 nh->nlmsg_type, nh->nlmsg_seq, ses.seq_num);
144 }
145 if (nh->nlmsg_type == NLMSG_DONE)
146 return;
147 if (nh->nlmsg_type != CRYPTO_MSG_GETALG) {
148 tst_brk(TBROK,
149 "Unexpected message type; type=0x%hx, seq_num=%u",
150 nh->nlmsg_type, nh->nlmsg_seq);
151 }
152 validate_one_alg(nh);
153 }
154 }
155
run(void)156 static void run(void)
157 {
158 struct crypto_user_alg payload = { 0 };
159 struct nlmsghdr nh = {
160 .nlmsg_len = sizeof(payload),
161 .nlmsg_type = CRYPTO_MSG_GETALG,
162 .nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP,
163 .nlmsg_seq = ++(ses.seq_num),
164 .nlmsg_pid = 0,
165 };
166 /*
167 * Due to an apparent kernel bug, this API cannot be used incrementally,
168 * so we just use a large recvmsg() buffer. This is good enough since
169 * we don't necessarily have to check every algorithm for this test to
170 * be effective...
171 */
172 const size_t bufsize = 1048576;
173 void *buf = SAFE_MALLOC(bufsize);
174 size_t res;
175
176 SAFE_NETLINK_SEND(ses.fd, &nh, &payload);
177
178 res = SAFE_NETLINK_RECV(ses.fd, buf, bufsize);
179
180 validate_alg_list(buf, res);
181
182 free(buf);
183 tst_res(TPASS, "No information leaks found");
184 }
185
cleanup(void)186 static void cleanup(void)
187 {
188 tst_crypto_close(&ses);
189 }
190
191 static struct tst_test test = {
192 .setup = setup,
193 .test_all = run,
194 .cleanup = cleanup,
195 };
196