xref: /aosp_15_r20/external/ltp/testcases/cve/cve-2016-7042.c (revision 49cdfc7efb34551c7342be41a7384b9c40d7cab7) 
1*49cdfc7eSAndroid Build Coastguard Worker // SPDX-License-Identifier: GPL-2.0-or-later
2*49cdfc7eSAndroid Build Coastguard Worker /*
3*49cdfc7eSAndroid Build Coastguard Worker  * Copyright (c) 2017 Fujitsu Ltd.
4*49cdfc7eSAndroid Build Coastguard Worker  * Author: Guangwen Feng <[email protected]>
5*49cdfc7eSAndroid Build Coastguard Worker  */
6*49cdfc7eSAndroid Build Coastguard Worker 
7*49cdfc7eSAndroid Build Coastguard Worker /*
8*49cdfc7eSAndroid Build Coastguard Worker  * Test for CVE-2016-7042, this regression test can crash the buggy kernel
9*49cdfc7eSAndroid Build Coastguard Worker  * when the stack-protector is enabled, and the bug was fixed in:
10*49cdfc7eSAndroid Build Coastguard Worker  *
11*49cdfc7eSAndroid Build Coastguard Worker  *  commit 03dab869b7b239c4e013ec82aea22e181e441cfc
12*49cdfc7eSAndroid Build Coastguard Worker  *  Author: David Howells <[email protected]>
13*49cdfc7eSAndroid Build Coastguard Worker  *  Date:   Wed Oct 26 15:01:54 2016 +0100
14*49cdfc7eSAndroid Build Coastguard Worker  *
15*49cdfc7eSAndroid Build Coastguard Worker  *  KEYS: Fix short sprintf buffer in /proc/keys show function
16*49cdfc7eSAndroid Build Coastguard Worker  */
17*49cdfc7eSAndroid Build Coastguard Worker 
18*49cdfc7eSAndroid Build Coastguard Worker #include <errno.h>
19*49cdfc7eSAndroid Build Coastguard Worker #include <stdio.h>
20*49cdfc7eSAndroid Build Coastguard Worker 
21*49cdfc7eSAndroid Build Coastguard Worker #include "tst_test.h"
22*49cdfc7eSAndroid Build Coastguard Worker #include "lapi/keyctl.h"
23*49cdfc7eSAndroid Build Coastguard Worker 
24*49cdfc7eSAndroid Build Coastguard Worker #define PATH_KEYS	"/proc/keys"
25*49cdfc7eSAndroid Build Coastguard Worker 
26*49cdfc7eSAndroid Build Coastguard Worker static key_serial_t key;
27*49cdfc7eSAndroid Build Coastguard Worker static int fd;
28*49cdfc7eSAndroid Build Coastguard Worker 
do_test(void)29*49cdfc7eSAndroid Build Coastguard Worker static void do_test(void)
30*49cdfc7eSAndroid Build Coastguard Worker {
31*49cdfc7eSAndroid Build Coastguard Worker 	char buf[BUFSIZ];
32*49cdfc7eSAndroid Build Coastguard Worker 
33*49cdfc7eSAndroid Build Coastguard Worker 	key = add_key("user", "ltptestkey", "a", 1, KEY_SPEC_SESSION_KEYRING);
34*49cdfc7eSAndroid Build Coastguard Worker 	if (key == -1)
35*49cdfc7eSAndroid Build Coastguard Worker 		tst_brk(TBROK, "Failed to add key");
36*49cdfc7eSAndroid Build Coastguard Worker 
37*49cdfc7eSAndroid Build Coastguard Worker 	if (keyctl(KEYCTL_UPDATE, key, "b", 1))
38*49cdfc7eSAndroid Build Coastguard Worker 		tst_brk(TBROK, "Failed to update key");
39*49cdfc7eSAndroid Build Coastguard Worker 
40*49cdfc7eSAndroid Build Coastguard Worker 	fd = SAFE_OPEN(PATH_KEYS, O_RDONLY);
41*49cdfc7eSAndroid Build Coastguard Worker 
42*49cdfc7eSAndroid Build Coastguard Worker 	tst_res(TINFO, "Attempting to crash the system");
43*49cdfc7eSAndroid Build Coastguard Worker 
44*49cdfc7eSAndroid Build Coastguard Worker 	SAFE_READ(0, fd, buf, BUFSIZ);
45*49cdfc7eSAndroid Build Coastguard Worker 
46*49cdfc7eSAndroid Build Coastguard Worker 	tst_res(TPASS, "Bug not reproduced");
47*49cdfc7eSAndroid Build Coastguard Worker 
48*49cdfc7eSAndroid Build Coastguard Worker 	SAFE_CLOSE(fd);
49*49cdfc7eSAndroid Build Coastguard Worker 
50*49cdfc7eSAndroid Build Coastguard Worker 	if (keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING))
51*49cdfc7eSAndroid Build Coastguard Worker 		tst_brk(TBROK, "Failed to unlink key");
52*49cdfc7eSAndroid Build Coastguard Worker 	key = 0;
53*49cdfc7eSAndroid Build Coastguard Worker }
54*49cdfc7eSAndroid Build Coastguard Worker 
setup(void)55*49cdfc7eSAndroid Build Coastguard Worker static void setup(void)
56*49cdfc7eSAndroid Build Coastguard Worker {
57*49cdfc7eSAndroid Build Coastguard Worker 	if (access(PATH_KEYS, F_OK))
58*49cdfc7eSAndroid Build Coastguard Worker 		tst_brk(TCONF, "%s does not exist", PATH_KEYS);
59*49cdfc7eSAndroid Build Coastguard Worker }
60*49cdfc7eSAndroid Build Coastguard Worker 
cleanup(void)61*49cdfc7eSAndroid Build Coastguard Worker static void cleanup(void)
62*49cdfc7eSAndroid Build Coastguard Worker {
63*49cdfc7eSAndroid Build Coastguard Worker 	if (key > 0 && keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING))
64*49cdfc7eSAndroid Build Coastguard Worker 		tst_res(TWARN, "Failed to unlink key");
65*49cdfc7eSAndroid Build Coastguard Worker 
66*49cdfc7eSAndroid Build Coastguard Worker 	if (fd > 0)
67*49cdfc7eSAndroid Build Coastguard Worker 		SAFE_CLOSE(fd);
68*49cdfc7eSAndroid Build Coastguard Worker }
69*49cdfc7eSAndroid Build Coastguard Worker 
70*49cdfc7eSAndroid Build Coastguard Worker static struct tst_test test = {
71*49cdfc7eSAndroid Build Coastguard Worker 	.setup = setup,
72*49cdfc7eSAndroid Build Coastguard Worker 	.cleanup = cleanup,
73*49cdfc7eSAndroid Build Coastguard Worker 	.test_all = do_test,
74*49cdfc7eSAndroid Build Coastguard Worker 	.tags = (const struct tst_tag[]) {
75*49cdfc7eSAndroid Build Coastguard Worker 		{"linux-git", "03dab869b7b2"},
76*49cdfc7eSAndroid Build Coastguard Worker 		{"CVE", "2016-7042"},
77*49cdfc7eSAndroid Build Coastguard Worker 		{}
78*49cdfc7eSAndroid Build Coastguard Worker 	}
79*49cdfc7eSAndroid Build Coastguard Worker };
80