1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2017 Fujitsu Ltd.
4 * Author: Guangwen Feng <fenggw-fnst@cn.fujitsu.com>
5 */
6
7 /*\
8 * [Description]
9 *
10 * Test for CVE-2016-7042, this regression test can crash the buggy kernel
11 * when the stack-protector is enabled, and the bug was fixed in kernel v4.9:
12 * 03dab869b7b2 ("KEYS: Fix short sprintf buffer in /proc/keys show function").
13 */
14
15 #include <errno.h>
16 #include <stdio.h>
17
18 #include "tst_test.h"
19 #include "lapi/keyctl.h"
20
21 #define PATH_KEYS "/proc/keys"
22
23 static key_serial_t key;
24 static int fd;
25
do_test(void)26 static void do_test(void)
27 {
28 char buf[BUFSIZ];
29
30 key = add_key("user", "ltptestkey", "a", 1, KEY_SPEC_SESSION_KEYRING);
31 if (key == -1)
32 tst_brk(TBROK, "Failed to add key");
33
34 if (keyctl(KEYCTL_UPDATE, key, "b", 1))
35 tst_brk(TBROK, "Failed to update key");
36
37 fd = SAFE_OPEN(PATH_KEYS, O_RDONLY);
38
39 tst_res(TINFO, "Attempting to crash the system");
40
41 SAFE_READ(0, fd, buf, BUFSIZ);
42
43 tst_res(TPASS, "Bug not reproduced");
44
45 SAFE_CLOSE(fd);
46
47 if (keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING))
48 tst_brk(TBROK, "Failed to unlink key");
49 key = 0;
50 }
51
setup(void)52 static void setup(void)
53 {
54 if (access(PATH_KEYS, F_OK))
55 tst_brk(TCONF, "%s does not exist", PATH_KEYS);
56 }
57
cleanup(void)58 static void cleanup(void)
59 {
60 if (key > 0 && keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING))
61 tst_res(TWARN, "Failed to unlink key");
62
63 if (fd > 0)
64 SAFE_CLOSE(fd);
65 }
66
67 static struct tst_test test = {
68 .setup = setup,
69 .cleanup = cleanup,
70 .test_all = do_test,
71 .tags = (const struct tst_tag[]) {
72 {"linux-git", "03dab869b7b2"},
73 {"CVE", "2016-7042"},
74 {}
75 }
76 };
77