[LTP] [PATCH] syscalls/keyctl04: new test for thread keyring memory leak
Eric Biggers
ebiggers3@gmail.com
Fri Jul 28 23:13:13 CEST 2017
From: Eric Biggers <ebiggers@google.com>
Add a test for a kernel bug that allowed unprivileged programs to
exhaust kernel memory by leaking thread keyrings (CVE-2017-7472).
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/.gitignore | 1 +
testcases/kernel/syscalls/keyctl/keyctl04.c | 72 +++++++++++++++++++++++++++++
3 files changed, 74 insertions(+)
create mode 100644 testcases/kernel/syscalls/keyctl/keyctl04.c
diff --git a/runtest/syscalls b/runtest/syscalls
index 8e1f58731..5c7fd8e94 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -494,6 +494,7 @@ io_submit01 io_submit01
keyctl01 keyctl01
keyctl02 keyctl02
keyctl03 keyctl03
+keyctl04 keyctl04
kcmp01 kcmp01
kcmp02 kcmp02
diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
index 6e0af314c..e311ba3f8 100644
--- a/testcases/kernel/syscalls/.gitignore
+++ b/testcases/kernel/syscalls/.gitignore
@@ -457,6 +457,7 @@
/keyctl/keyctl01
/keyctl/keyctl02
/keyctl/keyctl03
+/keyctl/keyctl04
/kcmp/kcmp01
/kcmp/kcmp02
/kcmp/kcmp03
diff --git a/testcases/kernel/syscalls/keyctl/keyctl04.c b/testcases/kernel/syscalls/keyctl/keyctl04.c
new file mode 100644
index 000000000..c4a493b45
--- /dev/null
+++ b/testcases/kernel/syscalls/keyctl/keyctl04.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2017 Google, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program, if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Regression test for commit c9f838d104fe ("KEYS: fix
+ * keyctl_set_reqkey_keyring() to not leak thread keyrings"), a.k.a.
+ * CVE-2017-7472. This bug could be used to exhaust kernel memory, though it
+ * would take a while to do that and it would grind the test suite to a halt.
+ * Instead we do a quick check for whether the existing thread keyring is
+ * replaced when the default request-key destination is set to the thread
+ * keyring. It shouldn't be, but before the fix it was (and the old thread
+ * keyring was leaked).
+ */
+
+#include "config.h"
+#ifdef HAVE_LINUX_KEYCTL_H
+# include <linux/keyctl.h>
+#endif
+#include "tst_test.h"
+#include "linux_syscall_numbers.h"
+
+#ifdef HAVE_LINUX_KEYCTL_H
+
+static void do_test(void)
+{
+ int tid_keyring;
+
+ /* Create a thread keyring and remember its ID */
+ TEST(tst_syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID,
+ KEY_SPEC_THREAD_KEYRING, 1));
+ if (TEST_RETURN < 0)
+ tst_brk(TFAIL | TTERRNO, "failed to create thread keyring");
+ tid_keyring = TEST_RETURN;
+
+ /* Set the default request-key destination to the thread keyring */
+ TEST(tst_syscall(__NR_keyctl, KEYCTL_SET_REQKEY_KEYRING,
+ KEY_REQKEY_DEFL_THREAD_KEYRING));
+ if (TEST_RETURN < 0)
+ tst_brk(TFAIL | TTERRNO, "failed to set reqkey keyring");
+
+ /* Get the thread keyring ID again; it shouldn't have changed */
+ TEST(tst_syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID,
+ KEY_SPEC_THREAD_KEYRING, 0));
+ if (TEST_RETURN < 0)
+ tst_brk(TFAIL | TTERRNO, "failed to get thread keyring ID");
+ if (TEST_RETURN != tid_keyring)
+ tst_brk(TFAIL, "thread keyring was leaked!");
+
+ tst_res(TPASS, "thread keyring was not leaked");
+}
+
+static struct tst_test test = {
+ .test_all = do_test,
+};
+
+#else
+ TST_TEST_TCONF("linux/keyctl.h was missing upon compilation.");
+#endif /* HAVE_LINUX_KEYCTL_H */
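Review bot: The three `tst_brk(TFAIL | TTERRNO, ...)` calls for the keyctl calls at lines 88-89, 95-96 and 101-102 report a test failure for what are setup or environment errors, so a kernel that merely refuses the first KEYCTL_GET_KEYRING_ID would be reported as though the CVE-2017-7472 leak were present; `tst_brk(TBROK | TTERRNO, "failed to create thread keyring");` (and likewise for the other two) would keep TFAIL for the one condition the test actually checks, the ID mismatch. The only direct observation the test makes is that the thread keyring ID changed, with the leak being the consequence the header comment describes, so the message at the mismatch could say so: `tst_brk(TFAIL, "thread keyring was replaced (old keyring leaked)");`. Since tst_syscall appears to map an unsupported syscall to TCONF on its own, no extra ENOSYS handling seems needed here, though that is inferred from the helper rather than visible in the hunk.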
--
2.14.0.rc0.400.g1c36432dff-goog