[LTP] [PATCH] syscalls/keyctl04: new test for thread keyring memory leak

Richard Palethorpe rpalethorpe@suse.de
Mon Jul 31 09:58:19 CEST 2017 

Hello Eric,

Eric Biggers writes:

> From: Eric Biggers <ebiggers@google.com>
>
> Add a test for a kernel bug that allowed unprivileged programs to
> exhaust kernel memory by leaking thread keyrings (CVE-2017-7472).

Thanks for contributing this test! We now have a directory
(testcases/cve) and runtest file dedicated to CVE regression tests. So
please atleast add it to the CVE runtest file.

>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  runtest/syscalls                            |  1 +
>  testcases/kernel/syscalls/.gitignore        |  1 +
>  testcases/kernel/syscalls/keyctl/keyctl04.c | 72 +++++++++++++++++++++++++++++
>  3 files changed, 74 insertions(+)
>  create mode 100644 testcases/kernel/syscalls/keyctl/keyctl04.c
>
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 8e1f58731..5c7fd8e94 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -494,6 +494,7 @@ io_submit01 io_submit01
>  keyctl01 keyctl01
>  keyctl02 keyctl02
>  keyctl03 keyctl03
> +keyctl04 keyctl04
>
>  kcmp01 kcmp01
>  kcmp02 kcmp02
> diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
> index 6e0af314c..e311ba3f8 100644
> --- a/testcases/kernel/syscalls/.gitignore
> +++ b/testcases/kernel/syscalls/.gitignore
> @@ -457,6 +457,7 @@
>  /keyctl/keyctl01
>  /keyctl/keyctl02
>  /keyctl/keyctl03
> +/keyctl/keyctl04
>  /kcmp/kcmp01
>  /kcmp/kcmp02
>  /kcmp/kcmp03
> diff --git a/testcases/kernel/syscalls/keyctl/keyctl04.c b/testcases/kernel/syscalls/keyctl/keyctl04.c
> new file mode 100644
> index 000000000..c4a493b45
> --- /dev/null
> +++ b/testcases/kernel/syscalls/keyctl/keyctl04.c
> @@ -0,0 +1,72 @@
> +/*
> + * Copyright (c) 2017 Google, Inc.
> + *
> + * This program is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program, if not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +/*
> + * Regression test for commit c9f838d104fe ("KEYS: fix
> + * keyctl_set_reqkey_keyring() to not leak thread keyrings"), a.k.a.
> + * CVE-2017-7472.  This bug could be used to exhaust kernel memory, though it
> + * would take a while to do that and it would grind the test suite to a halt.
> + * Instead we do a quick check for whether the existing thread keyring is
> + * replaced when the default request-key destination is set to the thread
> + * keyring.  It shouldn't be, but before the fix it was (and the old thread
> + * keyring was leaked).
> + */
> +
> +#include "config.h"
> +#ifdef HAVE_LINUX_KEYCTL_H
> +# include <linux/keyctl.h>
> +#endif

Please just include the definitions for keyctl in the test like:
https://github.com/richiejp/ltp/blob/cve/testcases/cve/cve-2016-7042.c
The vulnerability is still exploitable on systems without this header.

On a related note; we should create a fallback header in include/lapi
for keyutils as there are a few tests which use it.

> +#include "tst_test.h"
> +#include "linux_syscall_numbers.h"
> +
> +#ifdef HAVE_LINUX_KEYCTL_H
> +
> +static void do_test(void)
> +{
> +	int tid_keyring;
> +
> +	/* Create a thread keyring and remember its ID */

Inline comments are frowned upon. The man page explains what this system
call does.

> +	TEST(tst_syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID,
> +			 KEY_SPEC_THREAD_KEYRING, 1));
> +	if (TEST_RETURN < 0)
> +		tst_brk(TFAIL | TTERRNO, "failed to create thread
> keyring");

This should be TBROK as we don't know if the keyring could be leaked from
this result. So the test is broken if this happens, not failed.

> +	tid_keyring = TEST_RETURN;
> +
> +	/* Set the default request-key destination to the thread keyring */
> +	TEST(tst_syscall(__NR_keyctl, KEYCTL_SET_REQKEY_KEYRING,
> +			 KEY_REQKEY_DEFL_THREAD_KEYRING));
> +	if (TEST_RETURN < 0)
> +		tst_brk(TFAIL | TTERRNO, "failed to set reqkey keyring");
> +
> +	/* Get the thread keyring ID again; it shouldn't have changed */
> +	TEST(tst_syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID,
> +			 KEY_SPEC_THREAD_KEYRING, 0));
> +	if (TEST_RETURN < 0)
> +		tst_brk(TFAIL | TTERRNO, "failed to get thread keyring ID");
> +	if (TEST_RETURN != tid_keyring)
> +		tst_brk(TFAIL, "thread keyring was leaked!");

Strictly speaking, this should be tst_res(TFAIL...) and
tst_res(TPASS...) should be in the other arm of the if statement.

> +
> +	tst_res(TPASS, "thread keyring was not leaked");
> +}
> +
> +static struct tst_test test = {
> +	.test_all = do_test,
> +};
> +
> +#else
> +	TST_TEST_TCONF("linux/keyctl.h was missing upon compilation.");
> +#endif /* HAVE_LINUX_KEYCTL_H */
> --
> 2.14.0.rc0.400.g1c36432dff-goog


--
Thank you,
Richard.

More information about the ltp mailing list