public inbox for ltp@lists.linux.it
* [LTP] [PATCH 0/4] CVE-2016-10044 and SAFE_PERSONALITY
From: Richard Palethorpe @ 2017-07-18  7:33 UTC
  To: ltp

This patch requires the previous CVE patch set!

It adds a test for CVE-2016-10044 and introduces the SAFE_PERSONALITY macro
since this is the second test I have written which uses the personality
syscall.

Richard Palethorpe (4):
  configure.ac: Add check for aio_abi.h
  lib: Add personality fallback and SAFE macro
  CVE-2012-0957: Use SAFE_PERSONALITY
  Test for CVE-2016-10044 mark AIO pseudo-fs noexec

 configure.ac                   |  4 ++
 include/lapi/personality.h     | 48 ++++++++++++++++++++++
 include/tst_personality.h      | 28 +++++++++++++
 lib/tst_personality.c          | 33 +++++++++++++++
 m4/ltp-personality.m4          | 24 +++++++++++
 runtest/cve                    |  1 +
 testcases/cve/.gitignore       |  1 +
 testcases/cve/cve-2012-0957.c  |  8 +---
 testcases/cve/cve-2016-10044.c | 92 ++++++++++++++++++++++++++++++++++++++++++
 9 files changed, 233 insertions(+), 6 deletions(-)
 create mode 100644 include/lapi/personality.h
 create mode 100644 include/tst_personality.h
 create mode 100644 lib/tst_personality.c
 create mode 100644 m4/ltp-personality.m4
 create mode 100644 testcases/cve/cve-2016-10044.c

-- 
2.13.2



* [LTP] [PATCH 1/4] configure.ac: Add check for aio_abi.h
From: Richard Palethorpe @ 2017-07-18  7:33 UTC
  To: ltp

Not all aio tests need aiolib, sometimes aio_abi.h is good enough if it exists.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index 658003972..a5032bf42 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,6 +37,7 @@ AC_CHECK_HEADERS([ \
     mm.h \
     pthread.h \
     sys/xattr.h \
+    linux/aio_abi.h \
     linux/genetlink.h \
     linux/mempolicy.h \
     linux/module.h \
-- 
2.13.2



* [LTP] [PATCH 2/4] lib: Add personality fallback and SAFE macro
From: Richard Palethorpe @ 2017-07-18  7:33 UTC
  To: ltp

Add the macro SAFE_PERSONALITY as well as fallback logic for if
<sys/personality.h> is missing or incomplete.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 configure.ac               |  3 +++
 include/lapi/personality.h | 48 ++++++++++++++++++++++++++++++++++++++++++++++
 include/tst_personality.h  | 28 +++++++++++++++++++++++++++
 lib/tst_personality.c      | 33 +++++++++++++++++++++++++++++++
 m4/ltp-personality.m4      | 24 +++++++++++++++++++++++
 5 files changed, 136 insertions(+)
 create mode 100644 include/lapi/personality.h
 create mode 100644 include/tst_personality.h
 create mode 100644 lib/tst_personality.c
 create mode 100644 m4/ltp-personality.m4

diff --git a/configure.ac b/configure.ac
index a5032bf42..02b24e18c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -37,11 +37,13 @@ AC_CHECK_HEADERS([ \
     mm.h \
     pthread.h \
     sys/xattr.h \
+    sys/personality.h \
     linux/aio_abi.h \
     linux/genetlink.h \
     linux/mempolicy.h \
     linux/module.h \
     linux/netlink.h \
+    linux/personality.h \
     sys/epoll.h \
     sys/inotify.h \
     sys/fanotify.h \
@@ -195,5 +197,6 @@ LTP_CHECK_SYNC_ADD_AND_FETCH
 LTP_CHECK_BUILTIN_CLEAR_CACHE
 LTP_CHECK_MMSGHDR
 LTP_CHECK_UNAME_DOMAINNAME
+LTP_CHECK_PERSONALITY
 
 AC_OUTPUT
diff --git a/include/lapi/personality.h b/include/lapi/personality.h
new file mode 100644
index 000000000..1168d0744
--- /dev/null
+++ b/include/lapi/personality.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/* In the Linux kernel and glibc enums are (mostly) used for the constants,
+ * but in musl macros are used.
+ */
+
+#include "config.h"
+
+#if defined(HAVE_SYS_PERSONALITY_H)
+#include <sys/personality.h>
+#elif defined(HAVE_LINUX_PERSONALITY_H)
+#include <linux/personality.h>
+#endif
+
+#ifndef HAVE_SYS_PERSONALITY_H
+#include "linux_syscall_numbers.h"
+
+static int personality(unsigned long persona)
+{
+	return tst_syscall(__NR_personality, persona);
+}
+#endif
+
+#if !(HAVE_DECL_UNAME26 == 1 || defined(UNAME26))
+#define UNAME26 0x0020000
+#endif
+
+#if !(HAVE_DECL_READ_IMPLIES_EXEC == 1 || defined(READ_IMPLIES_EXEC))
+#define READ_IMPLIES_EXEC 0x0400000
+#endif
+
+#if !(HAVE_DECL_PER_LINUX == 1 || defined(PER_LINUX))
+#define PER_LINUX 0
+#endif
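Review bot: include/lapi/personality.h has no include guard, and the fallback `static int personality(unsigned long persona)` under `#ifndef HAVE_SYS_PERSONALITY_H` is a plain static definition, so a second inclusion in the same translation unit redefines it, and any file that includes the header without calling it gets an unused-function warning. Add a guard in the style of the `TST_PERSONALITY__` one used in tst_personality.h and make the fallback `static inline`. The hard-coded fallbacks `UNAME26 0x0020000` and `READ_IMPLIES_EXEC 0x0400000` would also benefit from a comment saying which header the values were taken from.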
diff --git a/include/tst_personality.h b/include/tst_personality.h
new file mode 100644
index 000000000..ff61f4607
--- /dev/null
+++ b/include/tst_personality.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef TST_PERSONALITY__
+#define TST_PERSONALITY__
+
+#include "lapi/personality.h"
+
+int tst_personality(const char *filename, unsigned int lineno,
+		    unsigned long persona);
+
+#define SAFE_PERSONALITY(persona) tst_personality(__FILE__, __LINE__, persona)
+
+#endif
diff --git a/lib/tst_personality.c b/lib/tst_personality.c
new file mode 100644
index 000000000..3f64331db
--- /dev/null
+++ b/lib/tst_personality.c
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define TST_NO_DEFAULT_MAIN
+#include "tst_test.h"
+#include "tst_personality.h"
+
+int tst_personality(const char *filename, unsigned int lineno,
+		    unsigned long persona)
+{
+	int prev_persona = personality(persona);
+
+	if (prev_persona < 0) {
+		tst_brk_(filename, lineno, TBROK | TERRNO,
+			 "persona(%ld) failed", persona);
+	}
+
+	return prev_persona;
+}
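Review bot: in tst_personality() the failure message formats `unsigned long persona` with `%ld` and names the call `persona(...)` instead of `personality(...)`. The argument is a flag mask, so `"personality(%#lx) failed"` matches the type and is easier to read in a log. The function also lacks a comment stating that it returns the previous persona, which a caller needs in order to restore it afterwards.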
diff --git a/m4/ltp-personality.m4 b/m4/ltp-personality.m4
new file mode 100644
index 000000000..78a3bc231
--- /dev/null
+++ b/m4/ltp-personality.m4
@@ -0,0 +1,24 @@
+dnl Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+dnl
+dnl This program is free software;  you can redistribute it and/or modify
+dnl it under the terms of the GNU General Public License as published by
+dnl the Free Software Foundation; either version 2 of the License, or
+dnl (at your option) any later version.
+dnl
+dnl This program is distributed in the hope that it will be useful,
+dnl but WITHOUT ANY WARRANTY;  without even the implied warranty of
+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+dnl the GNU General Public License for more details.
+dnl
+dnl You should have received a copy of the GNU General Public License
+dnl along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+AC_DEFUN([LTP_CHECK_PERSONALITY],[
+AC_CHECK_DECLS([UNAME26,READ_IMPLIES_EXEC,PER_LINUX],,,[
+#if defined(HAVE_SYS_PERSONALITY_H)
+#include <sys/personality.h>
+#elif defined(HAVE_LINUX_PERSONALITY_H)
+#include <linux/personality.h>
+#endif
+])
+])
-- 
2.13.2



* [LTP] [PATCH 3/4] CVE-2012-0957: Use SAFE_PERSONALITY
From: Richard Palethorpe @ 2017-07-18  7:33 UTC
  To: ltp

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 testcases/cve/cve-2012-0957.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/testcases/cve/cve-2012-0957.c b/testcases/cve/cve-2012-0957.c
index f065735a1..3b92325d6 100644
--- a/testcases/cve/cve-2012-0957.c
+++ b/testcases/cve/cve-2012-0957.c
@@ -26,10 +26,8 @@
 
 #include <string.h>
 #include <sys/utsname.h>
-#include <sys/personality.h>
 #include "tst_test.h"
-
-#define UNAME26 0x0020000
+#include "tst_personality.h"
 
 static int check_field(char *bytes, size_t length, char *field)
 {
@@ -75,9 +73,7 @@ static void run(unsigned int test_nr)
 		tst_res(TINFO, "Calling uname with default personality");
 		try_leak_bytes();
 	} else {
-		if (personality(PER_LINUX | UNAME26) < 0)
-			tst_brk(TCONF | TERRNO,
-				"Could not change personality to UNAME26");
+		SAFE_PERSONALITY(PER_LINUX | UNAME26);
 		tst_res(TINFO, "Calling uname with UNAME26 personality");
 		try_leak_bytes();
 	}
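Review bot: replacing the removed `tst_brk(TCONF | TERRNO, ...)` with `SAFE_PERSONALITY(PER_LINUX | UNAME26)` changes the result when the personality cannot be set from TCONF to TBROK, because tst_personality() from patch 2/4 always breaks with `TBROK | TERRNO`. If a kernel that rejects UNAME26 should still be reported as "not applicable", keep the explicit check at this call site; otherwise state in the commit message, which is currently empty, that the change of result code is intended.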
-- 
2.13.2



* [LTP] [PATCH 4/4] Test for CVE-2016-10044 mark AIO pseudo-fs noexec
From: Richard Palethorpe @ 2017-07-18  7:33 UTC
  To: ltp

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---

The parsing of the maps file is a bit messy. I originally tried using
SAFE_FILE_LINES_SCANF, but the problem is that scanf fills in the arguments
even if it didn't match the whole line.

 runtest/cve                    |  1 +
 testcases/cve/.gitignore       |  1 +
 testcases/cve/cve-2016-10044.c | 92 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 testcases/cve/cve-2016-10044.c

diff --git a/runtest/cve b/runtest/cve
index 32a39cf80..c8b90de70 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -4,6 +4,7 @@ cve-2014-0196 cve-2014-0196
 cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7117 cve-2016-7117
+cve-2016-10044 cve-2016-10044
 cve-2017-2671 cve-2017-2671
 cve-2017-5669 cve-2017-5669
 cve-2017-6951 cve-2017-6951
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index b83372b08..9bbf7bdb2 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -2,6 +2,7 @@ cve-2012-0957
 cve-2014-0196
 cve-2016-4997
 cve-2016-7117
+cve-2016-10044
 cve-2017-2671
 cve-2017-5669
 cve-2017-6951
diff --git a/testcases/cve/cve-2016-10044.c b/testcases/cve/cve-2016-10044.c
new file mode 100644
index 000000000..fcfb89710
--- /dev/null
+++ b/testcases/cve/cve-2016-10044.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Copyright (c) 2016 Jan Horn <jann@thejh.net>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2016-10044, which was fixed in commit
+ * 22f6b4d34fcf039c aio: mark AIO pseudo-fs noexec.
+ *
+ * The test checks that we can not implicitly mark AIO mappings as
+ * executable using the READ_IMPLIES_EXEC personality.
+ */
+
+#include "tst_test.h"
+
+#ifdef HAVE_LINUX_AIO_ABI_H
+
+#include <stdio.h>
+#include <string.h>
+#include <linux_syscall_numbers.h>
+#include <linux/aio_abi.h>
+#include "tst_personality.h"
+#include "tst_safe_stdio.h"
+
+#define CONV_STR "%*x-%*x %s7"
+
+static FILE *f;
+
+static void cleanup(void)
+{
+	if (f != NULL)
+		SAFE_FCLOSE(f);
+}
+
+static void run(void)
+{
+	aio_context_t ctx = 0;
+	pid_t pid = getpid();
+	char perms[8], line[BUFSIZ];
+	char maps_path[256];
+
+	SAFE_PERSONALITY(READ_IMPLIES_EXEC);
+	if (tst_syscall(__NR_io_setup, 1, &ctx))
+		tst_brk(TBROK | TERRNO, "Failed to create AIO context");
+
+	snprintf(maps_path, sizeof(maps_path), "/proc/%d/maps", pid);
+	f = SAFE_FOPEN(maps_path, "r");
+	while (fgets(line, BUFSIZ, f) != NULL) {
+		if (strstr(line, "/[aio]") != NULL)
+			goto found_mapping;
+	}
+	tst_brk(TBROK, "Could not find mapping in %s", maps_path);
+
+found_mapping:
+	if (sscanf(line, CONV_STR, perms) < 0)
+		tst_brk(TBROK, "failed find permission string in %s", line);
+	if (strchr(perms, (int)'x'))
+		tst_res(TFAIL, "AIO mapping is executable: %s!", perms);
+	else
+		tst_res(TPASS, "AIO mapping is not executable: %s", perms);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.cleanup = cleanup,
+	.min_kver = "2.6.8",
+};
+
+#else
+
+static void run(void)
+{
+	tst_res(TCONF, "<linux/aio_abi.h> is missing");
+}
+
+static struct tst_test test = {
+	.test_all = run,
+};
+
+#endif
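Review bot: in run(), `CONV_STR "%*x-%*x %s7"` has the field width in the wrong place: `%s7` is an unbounded `%s` followed by a literal `7`, so nothing limits the write into `perms[8]`; it should be `%7s`. The check `sscanf(line, CONV_STR, perms) < 0` only catches EOF; with two suppressed conversions a successful parse returns 1, so test for `!= 1`, otherwise `perms` can be read uninitialised by the `strchr()` that follows. run() also leaves state behind if it is called more than once: `f` is never closed or reset to NULL inside run(), the AIO context created by `__NR_io_setup` is never destroyed, and READ_IMPLIES_EXEC stays set even though SAFE_PERSONALITY returns the previous persona that could be restored.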
-- 
2.13.2



* [LTP] [PATCH 4/4] Test for CVE-2016-10044 mark AIO pseudo-fs noexec
From: Jan Stancek @ 2017-07-18  7:58 UTC
  To: ltp


----- Original Message -----
...
> +
> +#include "tst_test.h"
> +
> +#ifdef HAVE_LINUX_AIO_ABI_H
> +
> +#include <stdio.h>
> +#include <string.h>
> +#include <linux_syscall_numbers.h>
> +#include <linux/aio_abi.h>

Hi,

from LTP docs:
"Don't use +linux/+ headers if at all possible. Usually they are replaced with
+sys/+ headers as things work their way into glibc.  Furthermore, +linux/+
headers get shuffled around a lot more than their +sys/+ counterparts it
seems."

If we really have to use linux header then I'd suggest a configure check
that also checks it's compilable.

Regards,
Jan


* [LTP] [PATCH 4/4] Test for CVE-2016-10044 mark AIO pseudo-fs noexec
From: Richard Palethorpe @ 2017-07-18  9:09 UTC
  To: ltp

Hello Jan,

Jan Stancek writes:

> ----- Original Message -----
> ...
>> +
>> +#include "tst_test.h"
>> +
>> +#ifdef HAVE_LINUX_AIO_ABI_H
>> +
>> +#include <stdio.h>
>> +#include <string.h>
>> +#include <linux_syscall_numbers.h>
>> +#include <linux/aio_abi.h>
>
> Hi,
>
> from LTP docs:
> "Don't use +linux/+ headers if at all possible. Usually they are replaced with
> +sys/+ headers as things work their way into glibc.  Furthermore, +linux/+
> headers get shuffled around a lot more than their +sys/+ counterparts it
> seems."

Ah, thanks for pointing that out.

>
> If we really have to use linux header then I'd suggest a configure check
> that also checks it's compilable.
>
> Regards,
> Jan

As far as I am aware the alternatives are to use libaio, which seems
like overkill for this test. Or to include the AIO ABI definitions
inside the test. I don't think there is a comparable sys/ header.

I don't really mind using libaio if that is preferred?

--
Thank you,
Richard.


* [LTP] [PATCH 4/4] Test for CVE-2016-10044 mark AIO pseudo-fs noexec
From: Cyril Hrubis @ 2017-07-18 13:40 UTC
  To: ltp

Hi!
> As far as I am aware the alternatives are to use libaio, which seems
> like overkill for this test. Or to include the AIO ABI definitions
> inside the test. I don't think there is a comparable sys/ header.
> 
> I don't really mind using libaio if that is preferred?

The test only needs the aio context type; we may as well pass a pointer to
unsigned long to the syscall and be done with it...

-- 
Cyril Hrubis
chrubis@suse.cz
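
An added example, not part of the thread or of LTP: a stand-alone version of the check discussed above that passes a plain `unsigned long` to `io_setup` as suggested, so `<linux/aio_abi.h>` is not needed, and parses the maps line strictly. It uses only libc rather than the LTP library; the function names `aio_line_is_exec` and `check_aio_mapping` are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/personality.h>
#include <sys/syscall.h>

/* Parse one /proc/<pid>/maps line ("start-end perms offset dev inode path").
 * Returns 1 if it is an "/[aio]" mapping with the execute bit set, 0 if it
 * is an "/[aio]" mapping without it, -1 if it is not one or is malformed. */
static int aio_line_is_exec(const char *line)
{
	unsigned long start, end;
	char perms[5];

	if (strstr(line, "/[aio]") == NULL)
		return -1;
	/* %4s bounds the write into perms; all three fields must convert. */
	if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
		return -1;
	if (strlen(perms) != 4)
		return -1;
	return perms[2] == 'x';
}

/* Returns 1 (executable), 0 (not executable), -1 (could not check). */
static int check_aio_mapping(void)
{
	unsigned long ctx = 0;	/* stands in for aio_context_t */
	char line[BUFSIZ];
	int old, res = -1;
	FILE *f;

	old = personality(READ_IMPLIES_EXEC);
	if (old == -1)
		return -1;
	if (syscall(SYS_io_setup, 1, &ctx) == 0) {
		f = fopen("/proc/self/maps", "r");
		while (f && res < 0 && fgets(line, sizeof(line), f))
			res = aio_line_is_exec(line);
		if (f)
			fclose(f);
		syscall(SYS_io_destroy, ctx);
	}
	personality(old);	/* restore the previous persona */
	return res;
}

int main(void)
{
	int res = check_aio_mapping();

	if (res < 0)
		puts("could not check the AIO mapping");
	else
		printf("AIO mapping is %sexecutable\n", res ? "" : "not ");
	return res == 1;
}
```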
