* [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro
@ 2017-08-01 13:26 Richard Palethorpe
2017-08-01 13:27 ` [LTP] [PATCH v3 2/3] CVE-2012-0957: Use SAFE_PERSONALITY Richard Palethorpe
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Richard Palethorpe @ 2017-08-01 13:26 UTC (permalink / raw)
To: ltp
Add the macro SAFE_PERSONALITY as well as fallback logic for when
<sys/personality.h> is missing or incomplete.
Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
V3 - Use the renamed lapi/syscalls.h header
configure.ac | 3 +++
include/lapi/personality.h | 53 ++++++++++++++++++++++++++++++++++++++++++++++
include/tst_personality.h | 28 ++++++++++++++++++++++++
lib/tst_personality.c | 33 +++++++++++++++++++++++++++++
m4/ltp-personality.m4 | 24 +++++++++++++++++++++
5 files changed, 141 insertions(+)
create mode 100644 include/lapi/personality.h
create mode 100644 include/tst_personality.h
create mode 100644 lib/tst_personality.c
create mode 100644 m4/ltp-personality.m4
diff --git a/configure.ac b/configure.ac
index 223241c78..c0e39ad64 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,10 +37,12 @@ AC_CHECK_HEADERS([ \
mm.h \
pthread.h \
sys/xattr.h \
+ sys/personality.h \
linux/genetlink.h \
linux/mempolicy.h \
linux/module.h \
linux/netlink.h \
+ linux/personality.h \
sys/epoll.h \
sys/inotify.h \
sys/fanotify.h \
@@ -193,5 +195,6 @@ LTP_CHECK_SYNC_ADD_AND_FETCH
LTP_CHECK_BUILTIN_CLEAR_CACHE
LTP_CHECK_MMSGHDR
LTP_CHECK_UNAME_DOMAINNAME
+LTP_CHECK_PERSONALITY
AC_OUTPUT
diff --git a/include/lapi/personality.h b/include/lapi/personality.h
new file mode 100644
index 000000000..11d2fc08b
--- /dev/null
+++ b/include/lapi/personality.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/* In the Linux kernel and glibc enums are (mostly) used for the constants,
+ * but in musl macros are used.
+ */
+
+#ifndef PERSONALITY_H
+#define PERSONALITY_H
+
+#include "config.h"
+
+#if defined(HAVE_SYS_PERSONALITY_H)
+#include <sys/personality.h>
+#elif defined(HAVE_LINUX_PERSONALITY_H)
+#include <linux/personality.h>
+#endif
+
+#ifndef HAVE_SYS_PERSONALITY_H
+#include "lapi/syscalls.h"
+
+static int personality(unsigned long persona)
+{
+ return tst_syscall(__NR_personality, persona);
+}
+#endif
+
+#if !(HAVE_DECL_UNAME26 == 1 || defined(UNAME26))
+#define UNAME26 0x0020000
+#endif
+
+#if !(HAVE_DECL_READ_IMPLIES_EXEC == 1 || defined(READ_IMPLIES_EXEC))
+#define READ_IMPLIES_EXEC 0x0400000
+#endif
+
+#if !(HAVE_DECL_PER_LINUX == 1 || defined(PER_LINUX))
+#define PER_LINUX 0
+#endif
+
+#endif /* PERSONALITY_H */
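Review bot: The fallback `personality()` is defined as a plain `static` function in a header, so every translation unit that includes it without calling it will get an unused-function warning whenever the fallback branch is active. Declaring it `static inline int personality(unsigned long persona)` avoids that. The include guard `PERSONALITY_H` is also generic enough to collide with another header's guard; a project-prefixed name such as `LAPI_PERSONALITY_H` would be safer.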
diff --git a/include/tst_personality.h b/include/tst_personality.h
new file mode 100644
index 000000000..ff61f4607
--- /dev/null
+++ b/include/tst_personality.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef TST_PERSONALITY__
+#define TST_PERSONALITY__
+
+#include "lapi/personality.h"
+
+int tst_personality(const char *filename, unsigned int lineno,
+ unsigned long persona);
+
+#define SAFE_PERSONALITY(persona) tst_personality(__FILE__, __LINE__, persona)
+
+#endif
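Review bot: The `tst_personality()` declaration has no comment describing its contract, which callers of `SAFE_PERSONALITY` need because the return value is easy to overlook. Going by the definition in lib/tst_personality.c, something like `/* Sets the process persona; returns the previous persona, or calls tst_brk() with TBROK | TERRNO if personality() fails. */` above the prototype would do. As a style point, the macro body should parenthesise its argument, `tst_personality(__FILE__, __LINE__, (persona))`.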
diff --git a/lib/tst_personality.c b/lib/tst_personality.c
new file mode 100644
index 000000000..3f64331db
--- /dev/null
+++ b/lib/tst_personality.c
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define TST_NO_DEFAULT_MAIN
+#include "tst_test.h"
+#include "tst_personality.h"
+
+int tst_personality(const char *filename, unsigned int lineno,
+ unsigned long persona)
+{
+ int prev_persona = personality(persona);
+
+ if (prev_persona < 0) {
+ tst_brk_(filename, lineno, TBROK | TERRNO,
+ "persona(%ld) failed", persona);
+ }
+
+ return prev_persona;
+}
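Review bot: The failure message formats `persona`, an `unsigned long`, with `%ld`, which is a signed/unsigned mismatch. It also prints a flag bitmask in decimal and names the call `persona(` rather than `personality(`. A hex conversion reads better in test logs and matches the argument type: `"personality(0x%lx) failed", persona`.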
diff --git a/m4/ltp-personality.m4 b/m4/ltp-personality.m4
new file mode 100644
index 000000000..78a3bc231
--- /dev/null
+++ b/m4/ltp-personality.m4
@@ -0,0 +1,24 @@
+dnl Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+dnl
+dnl This program is free software; you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
+dnl the GNU General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AC_DEFUN([LTP_CHECK_PERSONALITY],[
+AC_CHECK_DECLS([UNAME26,READ_IMPLIES_EXEC,PER_LINUX],,,[
+#if defined(HAVE_SYS_PERSONALITY_H)
+#include <sys/personality.h>
+#elif defined(HAVE_LINUX_PERSONALITY_H)
+#include <linux/personality.h>
+#endif
+])
+])
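Review bot: The include block passed to `AC_CHECK_DECLS` depends on `HAVE_SYS_PERSONALITY_H` and `HAVE_LINUX_PERSONALITY_H` already being defined, but nothing in the macro states or enforces that ordering. With the configure.ac hunks in this patch the header checks do run first. If `LTP_CHECK_PERSONALITY` were ever moved above `AC_CHECK_HEADERS`, neither header would be included and all three declarations would be reported missing. A line such as `dnl Must run after AC_CHECK_HEADERS([sys/personality.h linux/personality.h])` above the `AC_DEFUN` would record the dependency.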
--
2.13.3
* [LTP] [PATCH v3 2/3] CVE-2012-0957: Use SAFE_PERSONALITY
2017-08-01 13:26 [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro Richard Palethorpe
@ 2017-08-01 13:27 ` Richard Palethorpe
2017-08-01 13:27 ` [LTP] [PATCH v3 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec Richard Palethorpe
2017-08-04 13:32 ` [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro Cyril Hrubis
2 siblings, 0 replies; 5+ messages in thread
From: Richard Palethorpe @ 2017-08-01 13:27 UTC (permalink / raw)
To: ltp
Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
testcases/cve/cve-2012-0957.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/testcases/cve/cve-2012-0957.c b/testcases/cve/cve-2012-0957.c
index f065735a1..3b92325d6 100644
--- a/testcases/cve/cve-2012-0957.c
+++ b/testcases/cve/cve-2012-0957.c
@@ -26,10 +26,8 @@
#include <string.h>
#include <sys/utsname.h>
-#include <sys/personality.h>
#include "tst_test.h"
-
-#define UNAME26 0x0020000
+#include "tst_personality.h"
static int check_field(char *bytes, size_t length, char *field)
{
@@ -75,9 +73,7 @@ static void run(unsigned int test_nr)
tst_res(TINFO, "Calling uname with default personality");
try_leak_bytes();
} else {
- if (personality(PER_LINUX | UNAME26) < 0)
- tst_brk(TCONF | TERRNO,
- "Could not change personality to UNAME26");
+ SAFE_PERSONALITY(PER_LINUX | UNAME26);
tst_res(TINFO, "Calling uname with UNAME26 personality");
try_leak_bytes();
}
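Review bot: Switching to `SAFE_PERSONALITY` changes the result reported when the personality call fails. The removed lines used `TCONF | TERRNO`, while `tst_personality()` in patch 1/3 passes `TBROK | TERRNO` to `tst_brk_()`. If the earlier TCONF was meant to skip the test on kernels that cannot set UNAME26, such runs would now show up as broken. Either mention the change in the commit message or keep an explicit `personality()` check with TCONF here. The body of `run()` starts and ends outside this hunk.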
--
2.13.3
* [LTP] [PATCH v3 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec
2017-08-01 13:26 [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro Richard Palethorpe
2017-08-01 13:27 ` [LTP] [PATCH v3 2/3] CVE-2012-0957: Use SAFE_PERSONALITY Richard Palethorpe
@ 2017-08-01 13:27 ` Richard Palethorpe
2017-08-04 13:47 ` Cyril Hrubis
2017-08-04 13:32 ` [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro Cyril Hrubis
2 siblings, 1 reply; 5+ messages in thread
From: Richard Palethorpe @ 2017-08-01 13:27 UTC (permalink / raw)
To: ltp
Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
runtest/cve | 1 +
testcases/cve/.gitignore | 1 +
testcases/cve/cve-2016-10044.c | 76 ++++++++++++++++++++++++++++++++++++++++++
3 files changed, 78 insertions(+)
create mode 100644 testcases/cve/cve-2016-10044.c
diff --git a/runtest/cve b/runtest/cve
index 6e3e52d3a..b487c7d0f 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -4,6 +4,7 @@ cve-2014-0196 cve-2014-0196
cve-2016-4997 cve-2016-4997
cve-2016-5195 dirtyc0w
cve-2016-7117 cve-2016-7117
+cve-2016-10044 cve-2016-10044
cve-2017-2671 cve-2017-2671
cve-2017-5669 cve-2017-5669
cve-2017-6951 cve-2017-6951
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 298cf81f2..2b514bd1a 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -2,6 +2,7 @@ cve-2012-0957
cve-2014-0196
cve-2016-4997
cve-2016-7117
+cve-2016-10044
cve-2017-2671
cve-2017-6951
cve-2017-5669
diff --git a/testcases/cve/cve-2016-10044.c b/testcases/cve/cve-2016-10044.c
new file mode 100644
index 000000000..ffbe44fdc
--- /dev/null
+++ b/testcases/cve/cve-2016-10044.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Copyright (c) 2016 Jan Horn <jann@thejh.net>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2016-10044, which was fixed in commit
+ * 22f6b4d34fcf039c aio: mark AIO pseudo-fs noexec.
+ *
+ * The test checks that we can not implicitly mark AIO mappings as
+ * executable using the READ_IMPLIES_EXEC personality.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include "lapi/syscalls.h"
+#include "tst_test.h"
+#include "tst_personality.h"
+#include "tst_safe_stdio.h"
+
+#define CONV_STR "%*x-%*x %s7"
+
+static FILE *f;
+
+static void cleanup(void)
+{
+ if (f != NULL)
+ SAFE_FCLOSE(f);
+}
+
+static void run(void)
+{
+ uint64_t ctx = 0;
+ pid_t pid = getpid();
+ char perms[8], line[BUFSIZ];
+ char maps_path[256];
+
+ SAFE_PERSONALITY(READ_IMPLIES_EXEC);
+ if (tst_syscall(__NR_io_setup, 1, &ctx))
+ tst_brk(TBROK | TERRNO, "Failed to create AIO context");
+
+ snprintf(maps_path, sizeof(maps_path), "/proc/%d/maps", pid);
+ f = SAFE_FOPEN(maps_path, "r");
+ while (fgets(line, BUFSIZ, f) != NULL) {
+ if (strstr(line, "/[aio]") != NULL)
+ goto found_mapping;
+ }
+ tst_brk(TBROK, "Could not find mapping in %s", maps_path);
+
+found_mapping:
+ if (sscanf(line, CONV_STR, perms) < 0)
+ tst_brk(TBROK, "failed find permission string in %s", line);
+ if (strchr(perms, (int)'x'))
+ tst_res(TFAIL, "AIO mapping is executable: %s!", perms);
+ else
+ tst_res(TPASS, "AIO mapping is not executable: %s", perms);
+}
+
+static struct tst_test test = {
+ .test_all = run,
+ .cleanup = cleanup,
+ .min_kver = "2.6.8",
+};
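Review bot: The permission parse in `run()` neither bounds the write into `perms` nor detects a failed match. `CONV_STR` ends in `%s7`, which is an unbounded `%s` followed by a literal `7` rather than the width-limited `%7s` that `char perms[8]` needs. `sscanf(...) < 0` only catches EOF, so a matching failure (return 0) leaves `perms` uninitialised before `strchr()` reads it. For a CVE regression test that means the TPASS/TFAIL verdict could be based on garbage; use `#define CONV_STR "%*x-%*x %7s"` and `if (sscanf(line, CONV_STR, perms) != 1)`. Separately, `run()` never closes `f` or tears down the AIO context, so repeated iterations would appear to leak a stream and a context each time; closing `f` at the end of `run()` and resetting it to NULL would avoid that.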
--
2.13.3
* [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro
2017-08-01 13:26 [LTP] [PATCH v3 1/3] lib: Add personality fallback and SAFE macro Richard Palethorpe
2017-08-01 13:27 ` [LTP] [PATCH v3 2/3] CVE-2012-0957: Use SAFE_PERSONALITY Richard Palethorpe
2017-08-01 13:27 ` [LTP] [PATCH v3 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec Richard Palethorpe
@ 2017-08-04 13:32 ` Cyril Hrubis
2 siblings, 0 replies; 5+ messages in thread
From: Cyril Hrubis @ 2017-08-04 13:32 UTC (permalink / raw)
To: ltp
Hi!
> +#ifndef HAVE_SYS_PERSONALITY_H
> +#include "lapi/syscalls.h"
> +
> +static int personality(unsigned long persona)
> +{
> + return tst_syscall(__NR_personality, persona);
> +}
> +#endif
Do we really need fallback personality() syscall? We do have tests that
call personality() syscall in LTP tree since forever and I do not
recall any problems.
All that should be needed here are plain old fallback definitions for
the few constants that may not be present on older distros.
I guess that UNAME26 would need it since that one is not present in the
sys/personality header. PER_LINUX should be defined for years as well as
READ_IMPLIES_EXEC.
> +#if !(HAVE_DECL_UNAME26 == 1 || defined(UNAME26))
> +#define UNAME26 0x0020000
> +#endif
> +
> +#if !(HAVE_DECL_READ_IMPLIES_EXEC == 1 || defined(READ_IMPLIES_EXEC))
> +#define READ_IMPLIES_EXEC 0x0400000
> +#endif
> +
> +#if !(HAVE_DECL_PER_LINUX == 1 || defined(PER_LINUX))
> +#define PER_LINUX 0
> +#endif
> +
> +#endif /* PERSONALITY_H */
> diff --git a/include/tst_personality.h b/include/tst_personality.h
> new file mode 100644
> index 000000000..ff61f4607
> --- /dev/null
> +++ b/include/tst_personality.h
> @@ -0,0 +1,28 @@
> +/*
> + * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
> + *
> + * This program is free software: you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License as published by
> + * the Free Software Foundation, either version 2 of the License, or
> + * (at your option) any later version.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License
> + * along with this program. If not, see <http://www.gnu.org/licenses/>.
> + */
> +
> +#ifndef TST_PERSONALITY__
> +#define TST_PERSONALITY__
> +
> +#include "lapi/personality.h"
> +
> +int tst_personality(const char *filename, unsigned int lineno,
> + unsigned long persona);
^
This should be called safe_personality() for consistency
reasons.
And we may as well put it into the tst_safe_macros.h and safe_macros.c,
there is no good reason to keep it in a separate file as far as I can
tell.
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v3 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec
2017-08-01 13:27 ` [LTP] [PATCH v3 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec Richard Palethorpe
@ 2017-08-04 13:47 ` Cyril Hrubis
0 siblings, 0 replies; 5+ messages in thread
From: Cyril Hrubis @ 2017-08-04 13:47 UTC (permalink / raw)
To: ltp
Hi!
> +#include <stdio.h>
> +#include <stdint.h>
> +#include <string.h>
> +#include "lapi/syscalls.h"
> +#include "tst_test.h"
> +#include "tst_personality.h"
> +#include "tst_safe_stdio.h"
> +
> +#define CONV_STR "%*x-%*x %s7"
> +
> +static FILE *f;
> +
> +static void cleanup(void)
> +{
> + if (f != NULL)
Could be just
if (f)
SAFE_CLOSE(f);
> + SAFE_FCLOSE(f);
> +}
> +
> +static void run(void)
> +{
> + uint64_t ctx = 0;
> + pid_t pid = getpid();
> + char perms[8], line[BUFSIZ];
> + char maps_path[256];
> +
> + SAFE_PERSONALITY(READ_IMPLIES_EXEC);
> + if (tst_syscall(__NR_io_setup, 1, &ctx))
> + tst_brk(TBROK | TERRNO, "Failed to create AIO context");
> +
> + snprintf(maps_path, sizeof(maps_path), "/proc/%d/maps", pid);
You can use "/proc/self/maps" instead and save yourself getpid() and
snprintf().
> + f = SAFE_FOPEN(maps_path, "r");
> + while (fgets(line, BUFSIZ, f) != NULL) {
> + if (strstr(line, "/[aio]") != NULL)
> + goto found_mapping;
> + }
Here again, the != NULL is redundant.
> + tst_brk(TBROK, "Could not find mapping in %s", maps_path);
> +
> +found_mapping:
> + if (sscanf(line, CONV_STR, perms) < 0)
> + tst_brk(TBROK, "failed find permission string in %s", line);
I fail to see why is the CONV_STR defined as a macro?
It's not like we use it twice or something.
> + if (strchr(perms, (int)'x'))
> + tst_res(TFAIL, "AIO mapping is executable: %s!", perms);
> + else
> + tst_res(TPASS, "AIO mapping is not executable: %s", perms);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .cleanup = cleanup,
> + .min_kver = "2.6.8",
> +};
> --
> 2.13.3
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
--
Cyril Hrubis
chrubis@suse.cz