1 /*
2 * Copyright (c) 2017 Fujitsu Ltd.
3 * Ported: Guangwen Feng <fenggw-fnst@cn.fujitsu.com>
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program, if not, see <http://www.gnu.org/licenses/>.
17 */
18
19 /*
20 * This is a regression test for the race between keyctl_read() and
21 * keyctl_revoke(), if the revoke happens between keyctl_read()
22 * checking the validity of a key and the key's semaphore being taken,
23 * then the key type read method will see a revoked key.
24 *
25 * This causes a problem for the user-defined key type because it
26 * assumes in its read method that there will always be a payload
27 * in a non-revoked key and doesn't check for a NULL pointer.
28 *
29 * This test can crash the buggy kernel, and the bug was fixed in:
30 *
31 * commit b4a1b4f5047e4f54e194681125c74c0aa64d637d
32 * Author: David Howells <dhowells@redhat.com>
33 * Date: Fri Dec 18 01:34:26 2015 +0000
34 *
35 * KEYS: Fix race between read and revoke
36 */
37
38 #include <errno.h>
39 #include <pthread.h>
40 #include <sys/types.h>
41
42 #include "tst_safe_pthread.h"
43 #include "tst_test.h"
44 #include "lapi/keyctl.h"
45
46 #define LOOPS 20000
47 #define PATH_KEY_COUNT_QUOTA "/proc/sys/kernel/keys/root_maxkeys"
48
49 static int orig_maxkeys;
50
do_read(void * arg)51 static void *do_read(void *arg)
52 {
53 key_serial_t key = (unsigned long)arg;
54 char buffer[4] = { 0 };
55
56 keyctl(KEYCTL_READ, key, buffer, 4);
57
58 return NULL;
59 }
60
do_revoke(void * arg)61 static void *do_revoke(void *arg)
62 {
63 key_serial_t key = (unsigned long)arg;
64
65 keyctl(KEYCTL_REVOKE, key);
66
67 return NULL;
68 }
69
do_test(void)70 static void do_test(void)
71 {
72 int i;
73 key_serial_t key;
74 pthread_t pth[4];
75
76 for (i = 0; i < LOOPS; i++) {
77 key = add_key("user", "ltptestkey", "foo", 3,
78 KEY_SPEC_PROCESS_KEYRING);
79 if (key == -1)
80 tst_brk(TBROK | TERRNO, "Failed to add key");
81
82 SAFE_PTHREAD_CREATE(&pth[0], NULL, do_read,
83 (void *)(unsigned long)key);
84 SAFE_PTHREAD_CREATE(&pth[1], NULL, do_revoke,
85 (void *)(unsigned long)key);
86 SAFE_PTHREAD_CREATE(&pth[2], NULL, do_read,
87 (void *)(unsigned long)key);
88 SAFE_PTHREAD_CREATE(&pth[3], NULL, do_revoke,
89 (void *)(unsigned long)key);
90
91 SAFE_PTHREAD_JOIN(pth[0], NULL);
92 SAFE_PTHREAD_JOIN(pth[1], NULL);
93 SAFE_PTHREAD_JOIN(pth[2], NULL);
94 SAFE_PTHREAD_JOIN(pth[3], NULL);
95 }
96
97 tst_res(TPASS, "Bug not reproduced");
98 }
99
setup(void)100 static void setup(void)
101 {
102 SAFE_FILE_SCANF(PATH_KEY_COUNT_QUOTA, "%d", &orig_maxkeys);
103 SAFE_FILE_PRINTF(PATH_KEY_COUNT_QUOTA, "%d", orig_maxkeys + LOOPS);
104 }
105
cleanup(void)106 static void cleanup(void)
107 {
108 if (orig_maxkeys > 0)
109 SAFE_FILE_PRINTF(PATH_KEY_COUNT_QUOTA, "%d", orig_maxkeys);
110 }
111
112 static struct tst_test test = {
113 .needs_root = 1,
114 .setup = setup,
115 .cleanup = cleanup,
116 .test_all = do_test,
117 };
118