[LTP] [PATCH v5 1/3] lib: Add personality fallback and SAFE macro

[LTP] [PATCH v5 1/3] lib: Add personality fallback and SAFE macro

[Richard Palethorpe]

Add the macro SAFE_PERSONALITY as well as fallback logic for if
<sys/personality.h> is missing UNAME26.

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 include/lapi/personality.h | 30 ++++++++++++++++++++++++++++++
 include/tst_safe_macros.h  |  5 +++++
 lib/tst_safe_macros.c      | 14 ++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 include/lapi/personality.h

diff --git a/include/lapi/personality.h b/include/lapi/personality.h
new file mode 100644
index 000000000..5b5543805
--- /dev/null
+++ b/include/lapi/personality.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/* In the Linux kernel and glibc enums are (mostly) used for the constants,
+ * but in musl macros are used.
+ */
+
+#ifndef PERSONALITY_H
+#define PERSONALITY_H
+
+#include <sys/personality.h>
+
+#ifndef UNAME26
+# define UNAME26 0x0020000
+#endif
+
+#endif	/* PERSONALITY_H */
diff --git a/include/tst_safe_macros.h b/include/tst_safe_macros.h
index f23f765c2..1e034b8e2 100644
--- a/include/tst_safe_macros.h
+++ b/include/tst_safe_macros.h
@@ -443,4 +443,9 @@ int safe_fanotify_init(const char *file, const int lineno,
 #define SAFE_FANOTIFY_INIT(fan, mode)  \
 	safe_fanotify_init(__FILE__, __LINE__, (fan), (mode))
 
+int safe_personality(const char *filename, unsigned int lineno,
+		    unsigned long persona);
+#define SAFE_PERSONALITY(persona) safe_personality(__FILE__, __LINE__, persona)
+
+
 #endif /* SAFE_MACROS_H__ */
diff --git a/lib/tst_safe_macros.c b/lib/tst_safe_macros.c
index d4d81c6cd..b65a22b71 100644
--- a/lib/tst_safe_macros.c
+++ b/lib/tst_safe_macros.c
@@ -25,6 +25,7 @@
 #define TST_NO_DEFAULT_MAIN
 #include "tst_test.h"
 #include "tst_safe_macros.h"
+#include "lapi/personality.h"
 
 int safe_setpgid(const char *file, const int lineno, pid_t pid, pid_t pgid)
 {
@@ -75,3 +76,16 @@ int safe_fanotify_init(const char *file, const int lineno,
 
 	return rval;
 }
+
+int safe_personality(const char *filename, unsigned int lineno,
+		    unsigned long persona)
+{
+	int prev_persona = personality(persona);
+
+	if (prev_persona < 0) {
+		tst_brk_(filename, lineno, TBROK | TERRNO,
+			 "persona(%ld) failed", persona);
+	}
+
+	return prev_persona;
+}
-- 
2.14.1

[LTP] [PATCH v5 2/3] CVE-2012-0957: Use SAFE_PERSONALITY

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 testcases/cve/cve-2012-0957.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/testcases/cve/cve-2012-0957.c b/testcases/cve/cve-2012-0957.c
index f065735a1..096f49f69 100644
--- a/testcases/cve/cve-2012-0957.c
+++ b/testcases/cve/cve-2012-0957.c
@@ -26,10 +26,8 @@
 
 #include <string.h>
 #include <sys/utsname.h>
-#include <sys/personality.h>
 #include "tst_test.h"
-
-#define UNAME26 0x0020000
+#include "lapi/personality.h"
 
 static int check_field(char *bytes, size_t length, char *field)
 {
@@ -75,9 +73,7 @@ static void run(unsigned int test_nr)
 		tst_res(TINFO, "Calling uname with default personality");
 		try_leak_bytes();
 	} else {
-		if (personality(PER_LINUX | UNAME26) < 0)
-			tst_brk(TCONF | TERRNO,
-				"Could not change personality to UNAME26");
+		SAFE_PERSONALITY(PER_LINUX | UNAME26);
 		tst_res(TINFO, "Calling uname with UNAME26 personality");
 		try_leak_bytes();
 	}
-- 
2.14.1

[LTP] [PATCH v5 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec

[Richard Palethorpe]

Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
---
 runtest/cve                    |  1 +
 testcases/cve/.gitignore       |  1 +
 testcases/cve/cve-2016-10044.c | 71 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 testcases/cve/cve-2016-10044.c

diff --git a/runtest/cve b/runtest/cve
index e789b6667..8c140b5cb 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -11,6 +11,7 @@ cve-2016-4997 cve-2016-4997
 cve-2016-5195 dirtyc0w
 cve-2016-7042 cve-2016-7042
 cve-2016-7117 cve-2016-7117
+cve-2016-10044 cve-2016-10044
 cve-2017-2618 cve-2017-2618
 cve-2017-2671 cve-2017-2671
 cve-2017-5669 cve-2017-5669
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 24036bc40..f76c39826 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -3,6 +3,7 @@ cve-2014-0196
 cve-2016-4997
 cve-2016-7042
 cve-2016-7117
+cve-2016-10044
 cve-2017-2618
 cve-2017-2671
 cve-2017-6951
diff --git a/testcases/cve/cve-2016-10044.c b/testcases/cve/cve-2016-10044.c
new file mode 100644
index 000000000..4861647a0
--- /dev/null
+++ b/testcases/cve/cve-2016-10044.c
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2017 Richard Palethorpe <rpalethorpe@suse.com>
+ * Copyright (c) 2016 Jan Horn <jann@thejh.net>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+/*
+ * Test for CVE-2016-10044, which was fixed in commit
+ * 22f6b4d34fcf039c aio: mark AIO pseudo-fs noexec.
+ *
+ * The test checks that we can not implicitly mark AIO mappings as
+ * executable using the READ_IMPLIES_EXEC personality.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include "lapi/syscalls.h"
+#include "lapi/personality.h"
+#include "tst_test.h"
+#include "tst_safe_stdio.h"
+
+static FILE *f;
+
+static void cleanup(void)
+{
+	if (f)
+		SAFE_FCLOSE(f);
+}
+
+static void run(void)
+{
+	uint64_t ctx = 0;
+	char perms[8], line[BUFSIZ];
+
+	SAFE_PERSONALITY(READ_IMPLIES_EXEC);
+	if (tst_syscall(__NR_io_setup, 1, &ctx))
+		tst_brk(TBROK | TERRNO, "Failed to create AIO context");
+
+	f = SAFE_FOPEN("/proc/self/maps", "r");
+	while (fgets(line, BUFSIZ, f) != NULL) {
+		if (strstr(line, "/[aio]") != NULL)
+			goto found_mapping;
+	}
+	tst_brk(TBROK, "Could not find mapping in /proc/self/maps");
+
+found_mapping:
+	if (sscanf(line, "%*x-%*x %s7", perms) < 0)
+		tst_brk(TBROK, "failed to find permission string in %s", line);
+	if (strchr(perms, (int)'x'))
+		tst_res(TFAIL, "AIO mapping is executable: %s!", perms);
+	else
+		tst_res(TPASS, "AIO mapping is not executable: %s", perms);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.cleanup = cleanup,
+	.min_kver = "2.6.8",
+};
-- 
2.14.1

[LTP] [PATCH v5 3/3] Test for CVE-2016-10044 mark AIO pseudo-fs noexec

[Cyril Hrubis]

Hi!
Pushed whole patchset, thanks.

And this test was pushed with a diff:

diff --git a/testcases/cve/cve-2016-10044.c b/testcases/cve/cve-2016-10044.c
index 4861647a0..7928d2765 100644
--- a/testcases/cve/cve-2016-10044.c
+++ b/testcases/cve/cve-2016-10044.c
@@ -62,6 +62,9 @@ found_mapping:
                tst_res(TFAIL, "AIO mapping is executable: %s!", perms);
        else
                tst_res(TPASS, "AIO mapping is not executable: %s", perms);
+
+       SAFE_FCLOSE(f);
+       f = NULL;
 }

That closes the file in a case that someone will run the test with -i, which
does not make much sense but I've added that for the sake of completness.

-- 
Cyril Hrubis
chrubis@suse.cz