• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2017 Google, Inc.
4  */
5 
6 /*
7  * Regression test for two related bugs:
8  *
9  * (1) CVE-2017-15299, fixed by commit 60ff5b2f547a ("KEYS: don't let add_key()
10  *     update an uninstantiated key")
11  * (2) CVE-2017-15951, fixed by commit 363b02dab09b ("KEYS: Fix race between
12  *     updating and finding a negative key")
13  *
14  * We test for the bugs together because the reproduction steps are essentially
15  * the same: repeatedly try to add/update a key with add_key() while requesting
16  * it with request_key() in another task.  This reproduces both bugs:
17  *
18  * For CVE-2017-15299, add_key() has to run while the key being created by
19  * request_key() is still in the "uninstantiated" state.  For the "encrypted" or
20  * "trusted" key types (not guaranteed to be available) this caused a NULL
21  * pointer dereference in encrypted_update() or in trusted_update(),
22  * respectively.  For the "user" key type, this caused the WARN_ON() in
23  * construct_key() to be hit.
24  *
25  * For CVE-2017-15951, request_key() has to run while the key is "negatively
26  * instantiated" (from a prior request_key()) and is being concurrently changed
27  * to "positively instantiated" via add_key() updating it.  This race, which is
28  * a bit more difficult to reproduce, caused the task executing request_key() to
29  * dereference an invalid pointer in __key_link_begin().
30  */
31 
32 #include <errno.h>
33 #include <stdbool.h>
34 #include <stdlib.h>
35 #include <sys/wait.h>
36 
37 #include "tst_test.h"
38 #include "lapi/keyctl.h"
39 
40 static char *opt_bug;
41 
42 static struct tst_option options[] = {
43 	{"b:", &opt_bug,  "-b       Bug to test for (cve-2017-15299 or cve-2017-15951; default is both)"},
44 	{NULL, NULL, NULL}
45 };
46 
test_with_key_type(const char * type,const char * payload,int effort)47 static void test_with_key_type(const char *type, const char *payload,
48 			       int effort)
49 {
50 	int i;
51 	int status;
52 	pid_t add_key_pid;
53 	pid_t request_key_pid;
54 	bool info_only;
55 
56 	TEST(keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL));
57 	if (TST_RET < 0)
58 		tst_brk(TBROK | TTERRNO, "failed to join new session keyring");
59 
60 	TEST(add_key(type, "desc", payload, strlen(payload),
61 		     KEY_SPEC_SESSION_KEYRING));
62 	if (TST_RET < 0 && TST_ERR != EINVAL) {
63 		if (TST_ERR == ENODEV) {
64 			tst_res(TCONF, "kernel doesn't support key type '%s'",
65 				type);
66 			return;
67 		}
68 		tst_brk(TBROK | TTERRNO,
69 			"unexpected error checking whether key type '%s' is supported",
70 			type);
71 	}
72 
73 	/*
74 	 * Fork a subprocess which repeatedly tries to "add" a key of the given
75 	 * type.  This actually will try to update the key if it already exists.
76 	 * Depending on the state of the key, add_key() should either succeed or
77 	 * fail with one of several errors:
78 	 *
79 	 * (1) key didn't exist at all: either add_key() should succeed (if the
80 	 *     payload is valid), or it should fail with EINVAL (if the payload
81 	 *     is invalid; this is needed for the "encrypted" and "trusted" key
82 	 *     types because they have a quirk where the payload syntax differs
83 	 *     for creating new keys vs. updating existing keys)
84 	 *
85 	 * (2) key was negative: add_key() should succeed
86 	 *
87 	 * (3) key was uninstantiated: add_key() should wait for the key to be
88 	 *     negated, then fail with ENOKEY
89 	 *
90 	 * For now we also accept EDQUOT because the kernel frees up the keys
91 	 * quota asynchronously after keys are unlinked.  So it may be hit.
92 	 */
93 	add_key_pid = SAFE_FORK();
94 	if (add_key_pid == 0) {
95 		for (i = 0; i < 100 * effort; i++) {
96 			usleep(rand() % 1024);
97 			TEST(add_key(type, "desc", payload, strlen(payload),
98 				     KEY_SPEC_SESSION_KEYRING));
99 			if (TST_RET < 0 && TST_ERR != EINVAL &&
100 			    TST_ERR != ENOKEY && TST_ERR != EDQUOT) {
101 				tst_brk(TBROK | TTERRNO,
102 					"unexpected error adding key of type '%s'",
103 					type);
104 			}
105 			TEST(keyctl(KEYCTL_CLEAR, KEY_SPEC_SESSION_KEYRING));
106 			if (TST_RET < 0) {
107 				tst_brk(TBROK | TTERRNO,
108 					"unable to clear keyring");
109 			}
110 		}
111 		exit(0);
112 	}
113 
114 	request_key_pid = SAFE_FORK();
115 	if (request_key_pid == 0) {
116 		for (i = 0; i < 5000 * effort; i++) {
117 			TEST(request_key(type, "desc", "callout_info",
118 					 KEY_SPEC_SESSION_KEYRING));
119 			if (TST_RET < 0 && TST_ERR != ENOKEY &&
120 			    TST_ERR != ENOENT && TST_ERR != EDQUOT) {
121 				tst_brk(TBROK | TTERRNO,
122 					"unexpected error requesting key of type '%s'",
123 					type);
124 			}
125 		}
126 		exit(0);
127 	}
128 
129 	/*
130 	 * Verify that neither the add_key() nor the request_key() process
131 	 * crashed.  If the add_key() process crashed it is likely due to
132 	 * CVE-2017-15299, while if the request_key() process crashed it is
133 	 * likely due to CVE-2017-15951.  If testing for one of the bugs
134 	 * specifically, only pay attention to the corresponding process.
135 	 */
136 
137 	SAFE_WAITPID(add_key_pid, &status, 0);
138 	info_only = (opt_bug && strcmp(opt_bug, "cve-2017-15299") != 0);
139 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
140 		tst_res(info_only ? TINFO : TPASS,
141 			"didn't crash while updating key of type '%s'",
142 			type);
143 	} else if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) {
144 		tst_res(info_only ? TINFO : TFAIL,
145 			"kernel oops while updating key of type '%s'",
146 			type);
147 	} else {
148 		tst_brk(TBROK, "add_key child %s", tst_strstatus(status));
149 	}
150 
151 	SAFE_WAITPID(request_key_pid, &status, 0);
152 	info_only = (opt_bug && strcmp(opt_bug, "cve-2017-15951") != 0);
153 	if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
154 		tst_res(info_only ? TINFO : TPASS,
155 			"didn't crash while requesting key of type '%s'",
156 			type);
157 	} else if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) {
158 		tst_res(info_only ? TINFO : TFAIL,
159 			"kernel oops while requesting key of type '%s'",
160 			type);
161 	} else {
162 		tst_brk(TBROK, "request_key child %s", tst_strstatus(status));
163 	}
164 }
165 
do_test(void)166 static void do_test(void)
167 {
168 	/*
169 	 * Briefly test the "encrypted" and/or "trusted" key types when
170 	 * availaible, mainly to reproduce CVE-2017-15299.
171 	 */
172 	test_with_key_type("encrypted", "update user:foo 32", 2);
173 	test_with_key_type("trusted", "update", 2);
174 
175 	/*
176 	 * Test the "user" key type for longer, mainly in order to reproduce
177 	 * CVE-2017-15951.  However, without the fix for CVE-2017-15299 as well,
178 	 * WARNs may show up in the kernel log.
179 	 *
180 	 * Note: the precise iteration count is arbitrary; it's just intended to
181 	 * be enough to give a decent chance of reproducing the bug, without
182 	 * wasting too much time.
183 	 */
184 	test_with_key_type("user", "payload", 20);
185 }
186 
187 static struct tst_test test = {
188 	.test_all = do_test,
189 	.forks_child = 1,
190 	.options = options,
191 	.tags = (const struct tst_tag[]) {
192 		{"CVE", "2017-15299"},
193 		{"linux-git", "60ff5b2f547a"},
194 		{"CVE", "2017-15951"},
195 		{"linux-git", "363b02dab09b"},
196 		{},
197 	}
198 };
199