[LTP] [PATCH] Add test for cve-2016-9604 on keyctl_join_session_keyring(".name")

Richard Palethorpe rpalethorpe@suse.com
Mon Oct 2 16:19:37 CEST 2017


Check that key names starting with "." are disallowed.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 include/lapi/keyctl.h         |  5 +++++
 runtest/cve                   |  1 +
 runtest/syscalls              |  1 +
 testcases/cve/.gitignore      |  1 +
 testcases/cve/Makefile        |  2 ++
 testcases/cve/cve-2016-9604.c | 44 +++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 54 insertions(+)
 create mode 100644 testcases/cve/cve-2016-9604.c

diff --git a/include/lapi/keyctl.h b/include/lapi/keyctl.h
index 3e7ce4708..2fc588a4a 100644
--- a/include/lapi/keyctl.h
+++ b/include/lapi/keyctl.h
@@ -63,6 +63,11 @@ static inline long keyctl(int cmd, ...)
 
 	return tst_syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
 }
+
+static inline key_serial_t keyctl_join_session_keyring(const char *name) {
+	return keyctl(KEYCTL_JOIN_SESSION_KEYRING, name);
+}
+
 #endif /* HAVE_KEYUTILS_H */
 
 #ifndef KEYCTL_GET_KEYRING_ID
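Review bot: The opening brace of `keyctl_join_session_keyring()` sits on the signature line, whereas `run()` in testcases/cve/cve-2016-9604.c, added by this same patch, puts it on its own line; I would end the signature at `(const char *name)` and move `{` to the next line. The wrapper also returns the `long` from `keyctl()` as `key_serial_t` without a cast. The -1 error value the new test compares against should survive that conversion, but `return (key_serial_t)keyctl(KEYCTL_JOIN_SESSION_KEYRING, name);` makes the narrowing deliberate. A one-line comment saying that this definition is presumably only compiled on the side of the `HAVE_KEYUTILS_H` conditional where libkeyutils does not supply the function would help readers; that conditional opens outside this hunk.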
diff --git a/runtest/cve b/runtest/cve
index 8c140b5cb..806adccfb 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -11,6 +11,7 @@ cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7042 cve-2016-7042
 cve-2016-7117 cve-2016-7117
+cve-2016-9604 cve-2016-9604
 cve-2016-10044 cve-2016-10044
 cve-2017-2618 cve-2017-2618
 cve-2017-2671 cve-2017-2671
diff --git a/runtest/syscalls b/runtest/syscalls
index 2362a231d..1952c6fd8 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -500,6 +500,7 @@ keyctl02 keyctl02
 keyctl03 keyctl03
 keyctl04 keyctl04
 keyctl05 keyctl05
+cve-2016-9604 cve-2016-9604
 
 kcmp01 kcmp01
 kcmp02 kcmp02
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index f76c39826..ecd1d745c 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -3,6 +3,7 @@ cve-2014-0196
 cve-2016-4997
 cve-2016-7042
 cve-2016-7117
+cve-2016-9604
 cve-2016-10044
 cve-2017-2618
 cve-2017-2671
diff --git a/testcases/cve/Makefile b/testcases/cve/Makefile
index 0905fd95c..88c2b15c4 100644
--- a/testcases/cve/Makefile
+++ b/testcases/cve/Makefile
@@ -30,4 +30,6 @@ cve-2014-0196:  LDLIBS += -lrt -lutil
 cve-2017-2671:	CFLAGS += -pthread
 cve-2017-2671:	LDLIBS += -lrt
 
+cve-2016-9604: 	LDLIBS += $(KEYUTILS_LIBS)
+
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/cve/cve-2016-9604.c b/testcases/cve/cve-2016-9604.c
new file mode 100644
index 000000000..fca5c34de
--- /dev/null
+++ b/testcases/cve/cve-2016-9604.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/* Check for CVE-2016-9604; that keys beginning with "." are disallowed.
+ *
+ * See commit ee8f844e3c5a73b999edf733df1c529d6503ec2f
+ */
+
+#include <errno.h>
+#include "tst_test.h"
+#include "lapi/keyctl.h"
+
+void run(void)
+{
+	if (keyctl_join_session_keyring(".builtin_trusted_keys") == -1) {
+		if (errno != EPERM) {
+			tst_brk(TBROK | TERRNO,
+				"keyctl_join_sessoin_keyring(...)");
+		}
+
+		tst_res(TPASS, "Denied access to .builtin_trusted_keys");
+	} else {
+		tst_res(TFAIL, "Allowed access to .builtin_trusted_keys");
+	}
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.needs_root = 1,
+	.min_kver = "2.6.13",
+};
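Review bot: In `run()`, every errno other than EPERM ends in TBROK, so a kernel without key support would presumably be reported as a broken test rather than an unsupported configuration; when the libkeyutils version of the wrapper is linked (the Makefile hunk adds `$(KEYUTILS_LIBS)`), nothing visible here maps ENOSYS to TCONF. I would add `if (errno == ENOSYS) tst_brk(TCONF, "kernel does not support keyctl()");` before the EPERM check. The TBROK message misspells the call as `keyctl_join_sessoin_keyring(...)`, which hides it from log searches for the real function name; it should read `"keyctl_join_session_keyring(...)"`. `run` is referenced only through `.test_all` in this file, so it can be declared `static void run(void)`.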
-- 
2.14.1


