From: Eric Biggers <ebiggers3@gmail.com>
To: keyrings@vger.kernel.org
Subject: [PATCH 2/2] syscalls/add_key03: add test for NULL payload with nonzero length
Date: Mon, 05 Jun 2017 17:48:11 +0000 [thread overview]
Message-ID: <20170605174811.95267-3-ebiggers3@gmail.com> (raw)
From: Eric Biggers <ebiggers@google.com>
Add a new test program to test that the add_key() syscall correctly
handles a NULL payload with nonzero length. Note that may cause a NULL
pointer dereference in unpatched kernels.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/.gitignore | 1 +
testcases/kernel/syscalls/add_key/add_key03.c | 104 ++++++++++++++++++++++++++
3 files changed, 106 insertions(+)
create mode 100644 testcases/kernel/syscalls/add_key/add_key03.c
diff --git a/runtest/syscalls b/runtest/syscalls
index 0c3c46e57..618089801 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -12,6 +12,7 @@ access04 access04
acct01 acct01
add_key01 add_key01
+add_key03 add_key03
adjtimex01 adjtimex01
adjtimex02 adjtimex02
diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
index 5b8df06f5..b5b428df5 100644
--- a/testcases/kernel/syscalls/.gitignore
+++ b/testcases/kernel/syscalls/.gitignore
@@ -7,6 +7,7 @@
/access/access04
/acct/acct01
/add_key/add_key01
+/add_key/add_key03
/adjtimex/adjtimex01
/adjtimex/adjtimex02
/alarm/alarm01
diff --git a/testcases/kernel/syscalls/add_key/add_key03.c b/testcases/kernel/syscalls/add_key/add_key03.c
new file mode 100644
index 000000000..21812710f
--- /dev/null
+++ b/testcases/kernel/syscalls/add_key/add_key03.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2017 Google, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "config.h"
+#ifdef HAVE_LINUX_KEYCTL_H
+# include <linux/keyctl.h>
+#endif
+#include "tst_test.h"
+#include "linux_syscall_numbers.h"
+
+/*
+ * Test that the add_key() syscall correctly handles a NULL payload with nonzero
+ * length. Specifically, it should fail with EFAULT rather than oopsing the
+ * kernel with a NULL pointer dereference or failing with EINVAL, as it did
+ * before (depending on the key type). This is a regression test for "KEYS: fix
+ * dereferencing NULL payload with nonzero length".
+ *
+ * Note that none of the key types that exhibited the NULL pointer dereference
+ * are guaranteed to be built into the kernel, so we just test as many as we
+ * can, in the hope of catching one. We also test with the "user" key type for
+ * good measure, although it was one of the types that failed with EINVAL rather
+ * than dereferencing NULL.
+ */
+
+#ifdef HAVE_LINUX_KEYCTL_H
+struct tcase {
+ const char *type;
+ size_t plen;
+} tcases[] = {
+ /*
+ * The payload length we test for each key type needs to pass initial
+ * validation but is otherwise arbitrary. Note: the "rxrpc_s" key type
+ * requires a payload of exactly 8 bytes.
+ */
+ { "asymmetric", 64 },
+ { "cifs.idmap", 64 },
+ { "cifs.spnego", 64 },
+ { "pkcs7_test", 64 },
+ { "rxrpc", 64 },
+ { "rxrpc_s", 8 },
+ { "user", 64 },
+};
+#endif /* HAVE_LINUX_KEYCTL_H */
+
+static void verify_add_key(unsigned int i)
+{
+#ifdef HAVE_LINUX_KEYCTL_H
+ TEST(tst_syscall(__NR_add_key, tcases[i].type, "abc:def",
+ NULL, tcases[i].plen, KEY_SPEC_PROCESS_KEYRING));
+
+ if (TEST_RETURN != -1) {
+ tst_res(TFAIL,
+ "add_key() with key type \"%s\" unexpectedly succeeded",
+ tcases[i].type);
+ return;
+ }
+
+ if (TEST_ERRNO = EFAULT) {
+ tst_res(TPASS, "received expected EFAULT with key type \"%s\"",
+ tcases[i].type);
+ return;
+ }
+
+ if (TEST_ERRNO = ENODEV) {
+ tst_res(TCONF, "kernel doesn't support key type \"%s\"",
+ tcases[i].type);
+ return;
+ }
+
+ /*
+ * It's possible for the "asymmetric" key type to be supported, but with
+ * no asymmetric key parsers registered. In that case, attempting to
+ * add a key of type asymmetric will fail with EBADMSG.
+ */
+ if (TEST_ERRNO = EBADMSG && !strcmp(tcases[i].type, "asymmetric")) {
+ tst_res(TCONF, "no asymmetric key parsers are registered");
+ return;
+ }
+
+ tst_res(TFAIL | TTERRNO, "unexpected error with key type \"%s\"",
+ tcases[i].type);
+#else
+ tst_brk(TCONF, "linux/keyctl.h was missing upon compilation.");
+#endif /* HAVE_LINUX_KEYCTL_H */
+}
+
+static struct tst_test test = {
+ .tcnt = ARRAY_SIZE(tcases),
+ .test = verify_add_key,
+};
--
2.13.0.506.g27d5fe0cd-goog
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers3@gmail.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH 2/2] syscalls/add_key03: add test for NULL payload with nonzero length
Date: Mon, 5 Jun 2017 10:48:11 -0700 [thread overview]
Message-ID: <20170605174811.95267-3-ebiggers3@gmail.com> (raw)
In-Reply-To: <20170605174811.95267-1-ebiggers3@gmail.com>
From: Eric Biggers <ebiggers@google.com>
Add a new test program to test that the add_key() syscall correctly
handles a NULL payload with nonzero length. Note that may cause a NULL
pointer dereference in unpatched kernels.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/.gitignore | 1 +
testcases/kernel/syscalls/add_key/add_key03.c | 104 ++++++++++++++++++++++++++
3 files changed, 106 insertions(+)
create mode 100644 testcases/kernel/syscalls/add_key/add_key03.c
diff --git a/runtest/syscalls b/runtest/syscalls
index 0c3c46e57..618089801 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -12,6 +12,7 @@ access04 access04
acct01 acct01
add_key01 add_key01
+add_key03 add_key03
adjtimex01 adjtimex01
adjtimex02 adjtimex02
diff --git a/testcases/kernel/syscalls/.gitignore b/testcases/kernel/syscalls/.gitignore
index 5b8df06f5..b5b428df5 100644
--- a/testcases/kernel/syscalls/.gitignore
+++ b/testcases/kernel/syscalls/.gitignore
@@ -7,6 +7,7 @@
/access/access04
/acct/acct01
/add_key/add_key01
+/add_key/add_key03
/adjtimex/adjtimex01
/adjtimex/adjtimex02
/alarm/alarm01
diff --git a/testcases/kernel/syscalls/add_key/add_key03.c b/testcases/kernel/syscalls/add_key/add_key03.c
new file mode 100644
index 000000000..21812710f
--- /dev/null
+++ b/testcases/kernel/syscalls/add_key/add_key03.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2017 Google, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "config.h"
+#ifdef HAVE_LINUX_KEYCTL_H
+# include <linux/keyctl.h>
+#endif
+#include "tst_test.h"
+#include "linux_syscall_numbers.h"
+
+/*
+ * Test that the add_key() syscall correctly handles a NULL payload with nonzero
+ * length. Specifically, it should fail with EFAULT rather than oopsing the
+ * kernel with a NULL pointer dereference or failing with EINVAL, as it did
+ * before (depending on the key type). This is a regression test for "KEYS: fix
+ * dereferencing NULL payload with nonzero length".
+ *
+ * Note that none of the key types that exhibited the NULL pointer dereference
+ * are guaranteed to be built into the kernel, so we just test as many as we
+ * can, in the hope of catching one. We also test with the "user" key type for
+ * good measure, although it was one of the types that failed with EINVAL rather
+ * than dereferencing NULL.
+ */
+
+#ifdef HAVE_LINUX_KEYCTL_H
+struct tcase {
+ const char *type;
+ size_t plen;
+} tcases[] = {
+ /*
+ * The payload length we test for each key type needs to pass initial
+ * validation but is otherwise arbitrary. Note: the "rxrpc_s" key type
+ * requires a payload of exactly 8 bytes.
+ */
+ { "asymmetric", 64 },
+ { "cifs.idmap", 64 },
+ { "cifs.spnego", 64 },
+ { "pkcs7_test", 64 },
+ { "rxrpc", 64 },
+ { "rxrpc_s", 8 },
+ { "user", 64 },
+};
+#endif /* HAVE_LINUX_KEYCTL_H */
+
+static void verify_add_key(unsigned int i)
+{
+#ifdef HAVE_LINUX_KEYCTL_H
+ TEST(tst_syscall(__NR_add_key, tcases[i].type, "abc:def",
+ NULL, tcases[i].plen, KEY_SPEC_PROCESS_KEYRING));
+
+ if (TEST_RETURN != -1) {
+ tst_res(TFAIL,
+ "add_key() with key type \"%s\" unexpectedly succeeded",
+ tcases[i].type);
+ return;
+ }
+
+ if (TEST_ERRNO == EFAULT) {
+ tst_res(TPASS, "received expected EFAULT with key type \"%s\"",
+ tcases[i].type);
+ return;
+ }
+
+ if (TEST_ERRNO == ENODEV) {
+ tst_res(TCONF, "kernel doesn't support key type \"%s\"",
+ tcases[i].type);
+ return;
+ }
+
+ /*
+ * It's possible for the "asymmetric" key type to be supported, but with
+ * no asymmetric key parsers registered. In that case, attempting to
+ * add a key of type asymmetric will fail with EBADMSG.
+ */
+ if (TEST_ERRNO == EBADMSG && !strcmp(tcases[i].type, "asymmetric")) {
+ tst_res(TCONF, "no asymmetric key parsers are registered");
+ return;
+ }
+
+ tst_res(TFAIL | TTERRNO, "unexpected error with key type \"%s\"",
+ tcases[i].type);
+#else
+ tst_brk(TCONF, "linux/keyctl.h was missing upon compilation.");
+#endif /* HAVE_LINUX_KEYCTL_H */
+}
+
+static struct tst_test test = {
+ .tcnt = ARRAY_SIZE(tcases),
+ .test = verify_add_key,
+};
--
2.13.0.506.g27d5fe0cd-goog
next reply other threads:[~2017-06-05 17:48 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-05 17:48 Eric Biggers [this message]
2017-06-05 17:48 ` [LTP] [PATCH 2/2] syscalls/add_key03: add test for NULL payload with nonzero length Eric Biggers
-- strict thread matches above, loose matches on Subject: below --
2017-06-06 12:06 Cyril Hrubis
2017-06-06 12:06 ` Cyril Hrubis
2017-06-06 17:06 ` Eric Biggers
2017-06-06 17:06 ` Eric Biggers
2017-06-06 11:55 [LTP] [PATCH 0/2] ltp: update add_key tests for nonempty NULL payload fix Cyril Hrubis
2017-06-06 11:55 ` Cyril Hrubis
2017-06-06 17:04 ` Eric Biggers
2017-06-06 17:04 ` Eric Biggers
2017-06-07 13:51 ` Cyril Hrubis
2017-06-07 13:51 ` Cyril Hrubis
2017-06-05 17:48 [PATCH 1/2] syscalls/add_key02: remove test Eric Biggers
2017-06-05 17:48 ` [LTP] " Eric Biggers
2017-06-05 17:48 [PATCH 0/2] ltp: update add_key tests for nonempty NULL payload fix Eric Biggers
2017-06-05 17:48 ` [LTP] " Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170605174811.95267-3-ebiggers3@gmail.com \
--to=ebiggers3@gmail.com \
--cc=keyrings@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.