[LTP] [PATCH v2] Add test keyctl08 for cve-2016-9604 on keyctl_join_session_keyring

Richard Palethorpe rpalethorpe@suse.com
Wed Nov 1 15:59:43 CET 2017


Check key names starting with "." are disallowed.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 include/lapi/keyctl.h                       |  5 ++++
 runtest/cve                                 |  1 +
 runtest/syscalls                            |  1 +
 testcases/kernel/syscalls/.gitignore        |  1 +
 testcases/kernel/syscalls/keyctl/keyctl08.c | 44 +++++++++++++++++++++++++++++
 5 files changed, 52 insertions(+)
 create mode 100644 testcases/kernel/syscalls/keyctl/keyctl08.c

diff --git a/include/lapi/keyctl.h b/include/lapi/keyctl.h
index 8e6beac0e..328e55763 100644
--- a/include/lapi/keyctl.h
+++ b/include/lapi/keyctl.h
@@ -65,6 +65,11 @@ static inline long keyctl(int cmd, ...)
 
 	return tst_syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
 }
+
+static inline key_serial_t keyctl_join_session_keyring(const char *name) {
+	return keyctl(KEYCTL_JOIN_SESSION_KEYRING, name);
+}
+
 #endif /* defined(HAVE_KEYUTILS_H) && defined(HAVE_LIBKEYUTILS) */
 
 /* special process keyring shortcut IDs */
diff --git a/runtest/cve b/runtest/cve
index 1719997cc..bea7b3b5b 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -11,6 +11,7 @@ cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7042 cve-2016-7042
 cve-2016-7117 cve-2016-7117
+cve-2016-9604 keyctl08
 cve-2016-10044 cve-2016-10044
 cve-2017-2618 cve-2017-2618
 cve-2017-2671 cve-2017-2671
diff --git a/runtest/syscalls b/runtest/syscalls
index 323947556..67c1ba7f0 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -505,6 +505,7 @@ keyctl04 keyctl04
 keyctl05 keyctl05
 keyctl06 keyctl06
 keyctl07 keyctl07
+keyctl08 keyctl08
 
 kcmp01 kcmp01
 kcmp02 kcmp02
diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
index a988e6b6e..805fe119e 100644
--- a/testcases/kernel/syscalls/.gitignore
+++ b/testcases/kernel/syscalls/.gitignore
@@ -466,6 +466,7 @@
 /keyctl/keyctl05
 /keyctl/keyctl06
 /keyctl/keyctl07
+/keyctl/keyctl08
 /kcmp/kcmp01
 /kcmp/kcmp02
 /kcmp/kcmp03
diff --git a/testcases/kernel/syscalls/keyctl/keyctl08.c b/testcases/kernel/syscalls/keyctl/keyctl08.c
new file mode 100644
index 000000000..fca5c34de
--- /dev/null
+++ b/testcases/kernel/syscalls/keyctl/keyctl08.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/* Check for CVE-2016-9604; that keys beginning with "." are disallowed.
+ *
+ * See commit ee8f844e3c5a73b999edf733df1c529d6503ec2f
+ */
+
+#include <errno.h>
+#include "tst_test.h"
+#include "lapi/keyctl.h"
+
+void run(void)
+{
+	if (keyctl_join_session_keyring(".builtin_trusted_keys") == -1) {
+		if (errno != EPERM) {
+			tst_brk(TBROK | TERRNO,
+				"keyctl_join_sessoin_keyring(...)");
+		}
+
+		tst_res(TPASS, "Denied access to .builtin_trusted_keys");
+	} else {
+		tst_res(TFAIL, "Allowed access to .builtin_trusted_keys");
+	}
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.needs_root = 1,
+	.min_kver = "2.6.13",
+};
-- 
2.14.3



More information about the ltp mailing list