• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018 Google, Inc.
4  * Copyright (c) Linux Test Project, 2018-2024
5  */
6 
7 /*\
8  * [Description]
9  *
10  * Regression test for commit 4dca6ea1d943 ("KEYS: add missing permission check
11  * for request_key() destination"), or CVE-2017-17807.  This bug allowed adding
12  * a key to a keyring given only Search permission to that keyring, rather than
13  * the expected Write permission.
14  *
15  * We test for the bug by trying to add a negatively instantiated key, since
16  * adding a negatively instantiated key using the bug was easy whereas adding a
17  * positively instantiated key required exploiting a race condition.
18  */
19 
20 #include <errno.h>
21 
22 #include "tst_test.h"
23 #include "lapi/keyctl.h"
24 
do_test(void)25 static void do_test(void)
26 {
27 	key_serial_t keyid;
28 	int saved_errno;
29 
30 	TEST(keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL));
31 	if (TST_RET < 0)
32 		tst_brk(TBROK | TTERRNO, "failed to join new session keyring");
33 
34 	TEST(keyctl(KEYCTL_SETPERM, KEY_SPEC_SESSION_KEYRING,
35 		    KEY_POS_SEARCH|KEY_POS_READ|KEY_POS_VIEW));
36 	if (TST_RET < 0) {
37 		tst_brk(TBROK | TTERRNO,
38 			"failed to set permissions on session keyring");
39 	}
40 
41 	TEST(keyctl(KEYCTL_SET_REQKEY_KEYRING,
42 		    KEY_REQKEY_DEFL_SESSION_KEYRING));
43 	if (TST_RET < 0) {
44 		tst_brk(TBROK | TTERRNO,
45 			"failed to set request-key default keyring");
46 	}
47 
48 	TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING,
49 		    &keyid, sizeof(keyid)));
50 	if (TST_RET < 0)
51 		tst_brk(TBROK | TTERRNO, "failed to read from session keyring");
52 	if (TST_RET != 0)
53 		tst_brk(TBROK, "session keyring is not empty");
54 
55 	TEST(request_key("user", "desc", "callout_info", 0));
56 	if (TST_RET != -1)
57 		tst_brk(TBROK, "request_key() unexpectedly succeeded");
58 	saved_errno = TST_ERR;
59 
60 	TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING,
61 		    &keyid, sizeof(keyid)));
62 	if (TST_RET < 0)
63 		tst_brk(TBROK | TTERRNO, "failed to read from session keyring");
64 	if (TST_RET != 0)
65 		tst_brk(TFAIL, "added key to keyring without permission");
66 
67 	TST_ERR = saved_errno;
68 	if (TST_ERR == EACCES) {
69 		tst_res(TPASS, "request_key() failed with EACCES as expected");
70 	} else {
71 		tst_res(TFAIL | TTERRNO,
72 			"request_key() failed with unexpected error code");
73 	}
74 }
75 
76 static struct tst_test test = {
77 	.test_all = do_test,
78 	.tags = (const struct tst_tag[]) {
79 		{"CVE", "2017-17807"},
80 		{"linux-git", "4dca6ea1d943"},
81 		{}
82 	}
83 };
84