1 /*
2 * Copyright (c) 2017 Fujitsu Ltd.
3 * Ported: Guangwen Feng <fenggw-fnst@cn.fujitsu.com>
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program, if not, see <http://www.gnu.org/licenses/>.
17 */
18
19 /*
20 * This is a regression test for the race between keyctl_read() and
21 * keyctl_revoke(), if the revoke happens between keyctl_read()
22 * checking the validity of a key and the key's semaphore being taken,
23 * then the key type read method will see a revoked key.
24 *
25 * This causes a problem for the user-defined key type because it
26 * assumes in its read method that there will always be a payload
27 * in a non-revoked key and doesn't check for a NULL pointer.
28 *
29 * This test can crash the buggy kernel, and the bug was fixed in:
30 *
31 * commit b4a1b4f5047e4f54e194681125c74c0aa64d637d
32 * Author: David Howells <dhowells@redhat.com>
33 * Date: Fri Dec 18 01:34:26 2015 +0000
34 *
35 * KEYS: Fix race between read and revoke
36 */
37
38 #include "config.h"
39 #include <errno.h>
40 #include <pthread.h>
41 #include <sys/types.h>
42 #ifdef HAVE_KEYUTILS_H
43 # include <keyutils.h>
44 #endif
45 #include "tst_safe_pthread.h"
46 #include "tst_test.h"
47
48 #ifdef HAVE_KEYUTILS_H
49
50 #define LOOPS 20000
51 #define PATH_KEY_COUNT_QUOTA "/proc/sys/kernel/keys/root_maxkeys"
52
53 static int orig_maxkeys;
54
do_read(void * arg)55 static void *do_read(void *arg)
56 {
57 key_serial_t key = (unsigned long)arg;
58 char buffer[4] = { 0 };
59
60 keyctl(KEYCTL_READ, key, buffer, 4);
61
62 return NULL;
63 }
64
do_revoke(void * arg)65 static void *do_revoke(void *arg)
66 {
67 key_serial_t key = (unsigned long)arg;
68
69 keyctl(KEYCTL_REVOKE, key);
70
71 return NULL;
72 }
73
do_test(void)74 static void do_test(void)
75 {
76 int i;
77 key_serial_t key;
78 pthread_t pth[4];
79
80 for (i = 0; i < LOOPS; i++) {
81 key = add_key("user", "ltptestkey", "foo", 3,
82 KEY_SPEC_PROCESS_KEYRING);
83 if (key == -1)
84 tst_brk(TBROK | TERRNO, "Failed to add key");
85
86 SAFE_PTHREAD_CREATE(&pth[0], NULL, do_read,
87 (void *)(unsigned long)key);
88 SAFE_PTHREAD_CREATE(&pth[1], NULL, do_revoke,
89 (void *)(unsigned long)key);
90 SAFE_PTHREAD_CREATE(&pth[2], NULL, do_read,
91 (void *)(unsigned long)key);
92 SAFE_PTHREAD_CREATE(&pth[3], NULL, do_revoke,
93 (void *)(unsigned long)key);
94
95 SAFE_PTHREAD_JOIN(pth[0], NULL);
96 SAFE_PTHREAD_JOIN(pth[1], NULL);
97 SAFE_PTHREAD_JOIN(pth[2], NULL);
98 SAFE_PTHREAD_JOIN(pth[3], NULL);
99 }
100
101 tst_res(TPASS, "Bug not reproduced");
102 }
103
setup(void)104 static void setup(void)
105 {
106 SAFE_FILE_SCANF(PATH_KEY_COUNT_QUOTA, "%d", &orig_maxkeys);
107 SAFE_FILE_PRINTF(PATH_KEY_COUNT_QUOTA, "%d", orig_maxkeys + LOOPS);
108 }
109
cleanup(void)110 static void cleanup(void)
111 {
112 if (orig_maxkeys > 0)
113 SAFE_FILE_PRINTF(PATH_KEY_COUNT_QUOTA, "%d", orig_maxkeys);
114 }
115
116 static struct tst_test test = {
117 .tid = "keyctl02",
118 .needs_root = 1,
119 .setup = setup,
120 .cleanup = cleanup,
121 .test_all = do_test,
122 };
123
124 #else
125 TST_TEST_TCONF("keyutils.h does not exist");
126 #endif /* HAVE_KEYUTILS_H */
127