* [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation
@ 2021-07-07  7:18 Richard Palethorpe
  2021-07-07  7:52 ` Richard Palethorpe
  2021-07-07  8:35 ` Joerg Vehlow
  0 siblings, 2 replies; 6+ messages in thread
From: Richard Palethorpe @ 2021-07-07  7:18 UTC (permalink / raw)
  To: ltp

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 runtest/cve                               |  1 +
 runtest/syscalls                          |  1 +
 testcases/kernel/syscalls/kill/.gitignore |  1 +
 testcases/kernel/syscalls/kill/kill13.c   | 35 +++++++++++++++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 testcases/kernel/syscalls/kill/kill13.c

diff --git a/runtest/cve b/runtest/cve
index 5a6ef966d..226b5ea44 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -49,6 +49,7 @@ cve-2018-5803 sctp_big_chunk
 cve-2018-7566 snd_seq01
 cve-2018-8897 ptrace09
 cve-2018-9568 connect02
+cve-2018-10124 kill13
 cve-2018-1000001 realpath01
 cve-2018-1000199 ptrace08
 cve-2018-1000204 ioctl_sg01
diff --git a/runtest/syscalls b/runtest/syscalls
index 98fe3c02e..0c1e16f9e 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -644,6 +644,7 @@ kill09 kill09
 kill10 kill10
 kill11 kill11
 kill12 kill12
+kill13 kill13
 
 lchown01 lchown01
 lchown01_16 lchown01_16
diff --git a/testcases/kernel/syscalls/kill/.gitignore b/testcases/kernel/syscalls/kill/.gitignore
index 75fdaa561..810ed0200 100644
--- a/testcases/kernel/syscalls/kill/.gitignore
+++ b/testcases/kernel/syscalls/kill/.gitignore
@@ -8,3 +8,4 @@
 /kill10
 /kill11
 /kill12
+/kill13
diff --git a/testcases/kernel/syscalls/kill/kill13.c b/testcases/kernel/syscalls/kill/kill13.c
new file mode 100644
index 000000000..b5afb653f
--- /dev/null
+++ b/testcases/kernel/syscalls/kill/kill13.c
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
+ */
+
+/*\
+ * [Description]
+ *
+ * Reproducer of CVE-2018-10124; INT_MIN negation.
+ *
+ * Most likely this test will always pass without UBSAN
+ * enabled. Perhaps unless negating INT_MIN results in -1 or
+ * 0. However on my computer it just results in INT_MIN.
+ *
+ */
+
+#include <limits.h>
+#include <signal.h>
+#include "tst_test.h"
+
+static void run(void)
+{
+	TST_EXP_FAIL2(kill(INT_MIN, 1000), ESRCH,
+		      "kill(INT_MIN, ...) fails with ESRCH");
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.taint_check = TST_TAINT_W | TST_TAINT_D,
+	.tags = (const struct tst_tag[]) {
+		{"linux-git", "4ea77014af0d"},
+		{"CVE", "CVE-2018-10124"},
+		{}
+	}
+};
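Review bot: `kill(INT_MIN, 1000)` in `run()` ties the expected ESRCH to the kernel validating the pid before the signal number; 1000 is not a valid signal, so if that order ever changes the call returns EINVAL and the test fails for a reason unrelated to the CVE. Signal 0 performs the pid lookup without delivering anything, so `TST_EXP_FAIL2(kill(INT_MIN, 0), ESRCH, "kill(INT_MIN, ...) fails with ESRCH");` keeps the same check with no dependence on validation order. The description comment's "on my computer it just results in INT_MIN" should also spell out why (two's complement: inverting all bits of INT_MIN gives INT_MAX, adding one wraps back to INT_MIN) so it is not misread as the ESRCH result, and it should state plainly that without UBSAN only the taint check (`TST_TAINT_W | TST_TAINT_D`) can detect the bug, since the ESRCH expectation alone passes on both fixed and unfixed kernels.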
-- 
2.31.1



* [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation
  2021-07-07  7:18 [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation Richard Palethorpe
@ 2021-07-07  7:52 ` Richard Palethorpe
  2021-07-07  8:35 ` Joerg Vehlow
  1 sibling, 0 replies; 6+ messages in thread
From: Richard Palethorpe @ 2021-07-07  7:52 UTC (permalink / raw)
  To: ltp


Richard Palethorpe <rpalethorpe@suse.com> writes:

> Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>

Fixes: https://github.com/linux-test-project/ltp/issues/323

> ---
>  runtest/cve                               |  1 +
>  runtest/syscalls                          |  1 +
>  testcases/kernel/syscalls/kill/.gitignore |  1 +
>  testcases/kernel/syscalls/kill/kill13.c   | 35 +++++++++++++++++++++++
>  4 files changed, 38 insertions(+)
>  create mode 100644 testcases/kernel/syscalls/kill/kill13.c
>
> diff --git a/runtest/cve b/runtest/cve
> index 5a6ef966d..226b5ea44 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -49,6 +49,7 @@ cve-2018-5803 sctp_big_chunk
>  cve-2018-7566 snd_seq01
>  cve-2018-8897 ptrace09
>  cve-2018-9568 connect02
> +cve-2018-10124 kill13
>  cve-2018-1000001 realpath01
>  cve-2018-1000199 ptrace08
>  cve-2018-1000204 ioctl_sg01
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 98fe3c02e..0c1e16f9e 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -644,6 +644,7 @@ kill09 kill09
>  kill10 kill10
>  kill11 kill11
>  kill12 kill12
> +kill13 kill13
>  
>  lchown01 lchown01
>  lchown01_16 lchown01_16
> diff --git a/testcases/kernel/syscalls/kill/.gitignore b/testcases/kernel/syscalls/kill/.gitignore
> index 75fdaa561..810ed0200 100644
> --- a/testcases/kernel/syscalls/kill/.gitignore
> +++ b/testcases/kernel/syscalls/kill/.gitignore
> @@ -8,3 +8,4 @@
>  /kill10
>  /kill11
>  /kill12
> +/kill13
> diff --git a/testcases/kernel/syscalls/kill/kill13.c b/testcases/kernel/syscalls/kill/kill13.c
> new file mode 100644
> index 000000000..b5afb653f
> --- /dev/null
> +++ b/testcases/kernel/syscalls/kill/kill13.c
> @@ -0,0 +1,35 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
> + */
> +
> +/*\
> + * [Description]
> + *
> + * Reproducer of CVE-2018-10124; INT_MIN negation.
> + *
> + * Most likely this test will always pass without UBSAN
> + * enabled. Perhaps unless negating INT_MIN results in -1 or
> + * 0. However on my computer it just results in INT_MIN.
> + *
> + */
> +
> +#include <limits.h>
> +#include <signal.h>
> +#include "tst_test.h"
> +
> +static void run(void)
> +{
> +	TST_EXP_FAIL2(kill(INT_MIN, 1000), ESRCH,
> +		      "kill(INT_MIN, ...) fails with ESRCH");
> +}
> +
> +static struct tst_test test = {
> +	.test_all = run,
> +	.taint_check = TST_TAINT_W | TST_TAINT_D,
> +	.tags = (const struct tst_tag[]) {
> +		{"linux-git", "4ea77014af0d"},
> +		{"CVE", "CVE-2018-10124"},
> +		{}
> +	}
> +};


-- 
Thank you,
Richard.


* [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation
  2021-07-07  7:18 [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation Richard Palethorpe
  2021-07-07  7:52 ` Richard Palethorpe
@ 2021-07-07  8:35 ` Joerg Vehlow
  2021-07-07  8:48   ` Joerg Vehlow
  1 sibling, 1 reply; 6+ messages in thread
From: Joerg Vehlow @ 2021-07-07  8:35 UTC (permalink / raw)
  To: ltp

Hi Richard,

On 7/7/2021 9:18 AM, Richard Palethorpe via ltp wrote:
> Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
> ---
>   runtest/cve                               |  1 +
>   runtest/syscalls                          |  1 +
>   testcases/kernel/syscalls/kill/.gitignore |  1 +
>   testcases/kernel/syscalls/kill/kill13.c   | 35 +++++++++++++++++++++++
>   4 files changed, 38 insertions(+)
>   create mode 100644 testcases/kernel/syscalls/kill/kill13.c
>
> diff --git a/runtest/cve b/runtest/cve
> index 5a6ef966d..226b5ea44 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -49,6 +49,7 @@ cve-2018-5803 sctp_big_chunk
>   cve-2018-7566 snd_seq01
>   cve-2018-8897 ptrace09
>   cve-2018-9568 connect02
> +cve-2018-10124 kill13
>   cve-2018-1000001 realpath01
>   cve-2018-1000199 ptrace08
>   cve-2018-1000204 ioctl_sg01
> diff --git a/runtest/syscalls b/runtest/syscalls
> index 98fe3c02e..0c1e16f9e 100644
> --- a/runtest/syscalls
> +++ b/runtest/syscalls
> @@ -644,6 +644,7 @@ kill09 kill09
>   kill10 kill10
>   kill11 kill11
>   kill12 kill12
> +kill13 kill13
>   
>   lchown01 lchown01
>   lchown01_16 lchown01_16
> diff --git a/testcases/kernel/syscalls/kill/.gitignore b/testcases/kernel/syscalls/kill/.gitignore
> index 75fdaa561..810ed0200 100644
> --- a/testcases/kernel/syscalls/kill/.gitignore
> +++ b/testcases/kernel/syscalls/kill/.gitignore
> @@ -8,3 +8,4 @@
>   /kill10
>   /kill11
>   /kill12
> +/kill13
> diff --git a/testcases/kernel/syscalls/kill/kill13.c b/testcases/kernel/syscalls/kill/kill13.c
> new file mode 100644
> index 000000000..b5afb653f
> --- /dev/null
> +++ b/testcases/kernel/syscalls/kill/kill13.c
> @@ -0,0 +1,35 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (C) 2021 SUSE LLC <rpalethorpe@suse.com>
> + */
> +
> +/*\
> + * [Description]
> + *
> + * Reproducer of CVE-2018-10124; INT_MIN negation.
> + *
> + * Most likely this test will always pass without UBSAN
> + * enabled. Perhaps unless negating INT_MIN results in -1 or
> + * 0. However on my computer it just results in INT_MIN.
Results in INT_MIN? What does this mean, or did you mean to write
results in ESRCH?
Default negating int min in two's complement yields 0 (INT_MIN =
b1000... and negating means inverting the first bit -> thus 0).

> + *
> + */
> +
> +#include <limits.h>
> +#include <signal.h>
> +#include "tst_test.h"
> +
> +static void run(void)
> +{
> +	TST_EXP_FAIL2(kill(INT_MIN, 1000), ESRCH,
> +		      "kill(INT_MIN, ...) fails with ESRCH");
If at some point the kernel decides to change the order of pid and 
signal validation, it will probably return EINVAL.
Maybe using signal 0 would be better here? It does not "do" anything, 
but validates the given pid.

Joerg


* [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation
  2021-07-07  8:35 ` Joerg Vehlow
@ 2021-07-07  8:48   ` Joerg Vehlow
  2021-07-07 10:01     ` Richard Palethorpe
  0 siblings, 1 reply; 6+ messages in thread
From: Joerg Vehlow @ 2021-07-07  8:48 UTC (permalink / raw)
  To: ltp

Hi,

On 7/7/2021 10:35 AM, Joerg Vehlow wrote:
> Hi Richard,
>
> On 7/7/2021 9:18 AM, Richard Palethorpe via ltp wrote:
>>
> Results in INT_MIN? What does this mean, or did you mean to write
> results in ESRCH?
> Default negating int min in two's complement yields 0 (INT_MIN =
> b1000... and negating means inverting the first bit -> thus 0).
Never mind... Just checked. Looks like somehow x86 keeps -INT_MIN.
Now I know what you mean with "results in INT_MIN".

Joerg





* [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation
  2021-07-07  8:48   ` Joerg Vehlow
@ 2021-07-07 10:01     ` Richard Palethorpe
  2021-07-07 10:16       ` Joerg Vehlow
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Palethorpe @ 2021-07-07 10:01 UTC (permalink / raw)
  To: ltp

Hello Joerg,

Joerg Vehlow <lkml@jv-coder.de> writes:

> Hi,
>
> On 7/7/2021 10:35 AM, Joerg Vehlow wrote:
>> Hi Richard,
>>
>> On 7/7/2021 9:18 AM, Richard Palethorpe via ltp wrote:
>>>
>> Results in INT_MIN? What does this mean, or did you mean to write
>> results in ESRCH?
>> Default negating int min in two's complement yields 0 (INT_MIN =
>> b1000... and negating means inverting the first bit -> thus 0).
> Never mind... Just checked. Looks like somehow x86 keeps -INT_MIN.
> Now I know what you mean with "results in INT_MIN".
>
> Joerg

Actually this seems to be expected unless the CPU takes action to prevent
it. As you invert all the bits then add one in two's complement. So
inverting results in INT_MAX, then we add one and overflow back to
INT_MIN.

It is undefined though so the CPU could decide to do something
else. OTOH it seems quite unlikely we will get anything other than
INT_MIN or INT_MAX. So I will set sig number to zero as you suggested
and we will just have to rely on UBSAN.

-- 
Thank you,
Richard.


* [LTP] [PATCH] kill13, CVE-2018-10124: Reproduce INT_MIN negation
  2021-07-07 10:01     ` Richard Palethorpe
@ 2021-07-07 10:16       ` Joerg Vehlow
  0 siblings, 0 replies; 6+ messages in thread
From: Joerg Vehlow @ 2021-07-07 10:16 UTC (permalink / raw)
  To: ltp

Hi Richard,

On 7/7/2021 12:01 PM, Richard Palethorpe wrote:
> Hello Joerg,
>
> Joerg Vehlow <lkml@jv-coder.de> writes:
>
>> Hi,
>>
>> On 7/7/2021 10:35 AM, Joerg Vehlow wrote:
>>> Hi Richard,
>>>
>>> On 7/7/2021 9:18 AM, Richard Palethorpe via ltp wrote:
>>> Results in INT_MIN? What does this mean, or did you mean to write
>>> results in ESRCH?
>>> Default negating int min in two's complement yields 0 (INT_MIN =
>>> b1000... and negating means inverting the first bit -> thus 0).
>> Never mind... Just checked. Looks like somehow x86 keeps -INT_MIN.
>> Now I know what you mean with "results in INT_MIN".
>>
>> Joerg
> Actually this seems to be expected unless the CPU takes action to prevent
> it. As you invert all the bits then add one in two's complement. So
> inverting results in INT_MAX, then we add one and overflow back to
> INT_MIN.
Ahh yes, totally had the wrong model of * -1 in my head... Of course it
is invert everything and add +1.
That of course means -INT_MIN == INT_MIN.

>
> It is undefined though so the CPU could decide to do something
> else. OTOH it seems quite unlikely we will get anything other than
> INT_MIN or INT_MAX. So I will set sig number to zero as you suggested
> and we will just have to rely on UBSAN.
With this change:
Acked-by: Joerg Vehlow <joerg.vehlow@aox-tech.de>

Jörg
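The two's-complement reasoning in this thread (invert all bits, add one, so -INT_MIN wraps back to INT_MIN) and the agreed defence (refuse INT_MIN before negating, probe with signal 0) can be checked in user space. The program below is an added example and is not part of the LTP patch, the LTP project or the kernel fix; `wrapping_negate`, `checked_negate`, `pgrp_from_pid` and `probe_kill_int_min` are this example's own names, and `pgrp_from_pid` is a constructed model of kill()'s "pid < -1 means process group -pid" rule rather than the kernel's code. Negation is done in unsigned arithmetic so that the wrap-around the thread describes is computed without executing the undefined `-INT_MIN` that UBSAN reports.

```c
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Negation the way two's-complement hardware does it: invert every bit,
 * then add one. Done in unsigned arithmetic so the wrap is well defined
 * in C; a plain -v with v == INT_MIN is undefined behaviour (the path
 * UBSAN flags in the kernel), so it is never executed here.
 */
static int wrapping_negate(int v)
{
	unsigned int r = ~(unsigned int)v + 1u;

	/* Map the bit pattern back to int without relying on an
	 * implementation-defined unsigned -> signed conversion. */
	if (r > (unsigned int)INT_MAX)
		return -(int)~r - 1;	/* e.g. 0x80000000 -> INT_MIN */
	return (int)r;
}

/*
 * Defensive negation: refuse the one value whose negation cannot be
 * represented, so callers never reach the undefined -INT_MIN.
 */
static bool checked_negate(int v, int *out)
{
	if (v == INT_MIN)
		return false;
	*out = -v;
	return true;
}

/*
 * Constructed model (this example's own, not kernel code) of the
 * "pid < -1 selects process group -pid" rule in kill(). Returns the
 * errno a caller would see: INT_MIN is rejected with ESRCH before any
 * negation happens, which is the outcome the kill13 test expects.
 */
static int pgrp_from_pid(int pid, int *pgrp)
{
	if (pid >= -1)
		return EINVAL;	/* not a process-group pid; handled elsewhere */
	if (!checked_negate(pid, pgrp))
		return ESRCH;	/* INT_MIN: no such group, and unsafe to negate */
	return 0;
}

/*
 * Probe the running kernel the way the thread settles on: signal 0
 * validates the pid without delivering anything. Returns the errno
 * reported, or 0 if the call unexpectedly succeeded.
 */
static int probe_kill_int_min(void)
{
	errno = 0;
	if (kill(INT_MIN, 0) == 0)
		return 0;
	return errno;
}

int main(void)
{
	int pgrp = 0;

	printf("wrapping_negate(INT_MIN) = %d (INT_MIN is %d)\n",
	       wrapping_negate(INT_MIN), INT_MIN);
	printf("checked_negate(INT_MIN) -> %s\n",
	       checked_negate(INT_MIN, &pgrp) ? "ok" : "refused");
	printf("pgrp_from_pid(INT_MIN) -> %s\n",
	       strerror(pgrp_from_pid(INT_MIN, &pgrp)));
	printf("kill(INT_MIN, 0) -> %s\n", strerror(probe_kill_int_min()));
	return 0;
}
```

Build with `-fsanitize=undefined` to confirm that nothing in the program trips the sanitizer: the wrap is computed only in unsigned arithmetic, and the checked path bails out before negating. The final probe reports what the kernel you are running returns; ESRCH is the expected result on a kernel that rejects INT_MIN, and EINVAL would only appear if a kernel validated the signal number first, which signal 0 avoids.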

