* [LTP] [PATCH v2 1/2] lapi/keyctl.h: add key permission constants @ 2018-01-09 22:08 Eric Biggers 2018-01-09 22:08 ` [LTP] [PATCH v2 2/2] syscalls/request_key04: new test for request_key() permission check bug Eric Biggers 2018-01-10 0:56 ` [LTP] [PATCH v2 1/2] lapi/keyctl.h: add key permission constants James Morris 0 siblings, 2 replies; 7+ messages in thread From: Eric Biggers @ 2018-01-09 22:08 UTC (permalink / raw) To: ltp From: Eric Biggers <ebiggers@google.com> Add the key permission constants to keyctl.h so that they don't have to be defined in each test that uses them. Signed-off-by: Eric Biggers <ebiggers@google.com> --- include/lapi/keyctl.h | 35 +++++++++++++++++++++++++++++ testcases/kernel/syscalls/keyctl/keyctl05.c | 3 --- 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/include/lapi/keyctl.h b/include/lapi/keyctl.h index 4b8098a59..5f6ddaae3 100644 --- a/include/lapi/keyctl.h +++ b/include/lapi/keyctl.h 
@@ -144,4 +144,39 @@ static inline key_serial_t keyctl_join_session_keyring(const char *name) { # define KEYCTL_SET_TIMEOUT 15 #endif +/* key permissions */ +#ifndef KEY_POS_VIEW +# define KEY_POS_VIEW 0x01000000 +# define KEY_POS_READ 0x02000000 +# define KEY_POS_WRITE 0x04000000 +# define KEY_POS_SEARCH 0x08000000 +# define KEY_POS_LINK 0x10000000 +# define KEY_POS_SETATTR 0x20000000 +# define KEY_POS_ALL 0x3f000000 + +# define KEY_USR_VIEW 0x00010000 +# define KEY_USR_READ 0x00020000 +# define KEY_USR_WRITE 0x00040000 +# define KEY_USR_SEARCH 0x00080000 +# define KEY_USR_LINK 0x00100000 +# define KEY_USR_SETATTR 0x00200000 +# define KEY_USR_ALL 0x003f0000 + +# define KEY_GRP_VIEW 0x00000100 +# define KEY_GRP_READ 0x00000200 +# define KEY_GRP_WRITE 0x00000400 +# define KEY_GRP_SEARCH 0x00000800 +# define KEY_GRP_LINK 0x00001000 +# define KEY_GRP_SETATTR 0x00002000 +# define KEY_GRP_ALL 0x00003f00 + +# define KEY_OTH_VIEW 0x00000001 +# define KEY_OTH_READ 0x00000002 +# define KEY_OTH_WRITE 0x00000004 +# define KEY_OTH_SEARCH 0x00000008 +# define KEY_OTH_LINK 0x00000010 +# define KEY_OTH_SETATTR 0x00000020 +# define KEY_OTH_ALL 0x0000003f +#endif /* !KEY_POS_VIEW */ + #endif /* KEYCTL_H__ */ diff --git a/testcases/kernel/syscalls/keyctl/keyctl05.c b/testcases/kernel/syscalls/keyctl/keyctl05.c index 9ba61200c..c04d1f5b0 100644 --- a/testcases/kernel/syscalls/keyctl/keyctl05.c +++ b/testcases/kernel/syscalls/keyctl/keyctl05.c @@ -43,9 +43,6 @@ #include "tst_test.h" #include "lapi/keyctl.h" -#define KEY_POS_WRITE 0x04000000 -#define KEY_POS_ALL 0x3f000000 - /* * A valid payload for the "asymmetric" key type. This is an x509 certificate * in DER format, generated using: -- 2.16.0.rc1.238.g530d649a79-goog ^ permalink raw reply related [flat|nested] 7+ messages in thread
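Review bot: in the include/lapi/keyctl.h hunk, all 28 permission constants sit behind the single test `#ifndef KEY_POS_VIEW`, so if any header in the build already defines KEY_POS_VIEW but not every other name (for example KEY_POS_ALL or the KEY_OTH_* group), none of the fallbacks are emitted and tests using the missing names stop compiling. The other fallbacks in this header are guarded one constant at a time (`#ifndef KEYCTL_SET_TIMEOUT`, `#ifndef KEY_REQKEY_DEFL_DEFAULT`); either guard each of the POS/USR/GRP/OTH groups on its own first member, or extend the `/* key permissions */` comment to state that the block is assumed to be defined all-or-nothing.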
* [LTP] [PATCH v2 2/2] syscalls/request_key04: new test for request_key() permission check bug 2018-01-09 22:08 [LTP] [PATCH v2 1/2] lapi/keyctl.h: add key permission constants Eric Biggers @ 2018-01-09 22:08 ` Eric Biggers 2018-01-10 0:56 ` James Morris ` (3 more replies) 2018-01-10 0:56 ` [LTP] [PATCH v2 1/2] lapi/keyctl.h: add key permission constants James Morris 1 sibling, 4 replies; 7+ messages in thread From: Eric Biggers @ 2018-01-09 22:08 UTC (permalink / raw) To: ltp From: Eric Biggers <ebiggers@google.com> Add a test for a bug that allowed the request_key() system call to be used to add a key to a keyring using only Search permission. This bug was assigned CVE-2017-17807. Signed-off-by: Eric Biggers <ebiggers@google.com> --- No changes since v1, just added a patch preceding this one. include/lapi/keyctl.h | 4 + runtest/cve | 1 + runtest/syscalls | 1 + .../kernel/syscalls/request_key/request_key04.c | 87 ++++++++++++++++++++++ 4 files changed, 93 insertions(+) create mode 100644 testcases/kernel/syscalls/request_key/request_key04.c diff --git a/include/lapi/keyctl.h b/include/lapi/keyctl.h index 5f6ddaae3..8ad8db64f 100644 --- a/include/lapi/keyctl.h +++ b/include/lapi/keyctl.h @@ -99,6 +99,10 @@ static inline key_serial_t keyctl_join_session_keyring(const char *name) { # define KEY_REQKEY_DEFL_THREAD_KEYRING 1 #endif +#ifndef KEY_REQKEY_DEFL_SESSION_KEYRING +# define KEY_REQKEY_DEFL_SESSION_KEYRING 3 +#endif + #ifndef KEY_REQKEY_DEFL_DEFAULT # define KEY_REQKEY_DEFL_DEFAULT 0 #endif diff --git a/runtest/cve b/runtest/cve index 5d124083e..b69f40c65 100644 --- a/runtest/cve +++ b/runtest/cve @@ -25,5 +25,6 @@ cve-2017-15274 add_key02 cve-2017-15299 request_key03 -b cve-2017-15299 cve-2017-15537 ptrace07 cve-2017-15951 request_key03 -b cve-2017-15951 +cve-2017-17807 request_key04 cve-2017-1000364 stack_clash cve-2017-5754 meltdown diff --git a/runtest/syscalls b/runtest/syscalls index 97fc64300..94efd2305 100644 --- a/runtest/syscalls +++ b/runtest/syscalls 
@@ -935,6 +935,7 @@ request_key01 request_key01 request_key02 request_key02 request_key03 request_key03 cve-2017-6951 cve-2017-6951 +request_key04 request_key04 rmdir01 rmdir01 rmdir02 rmdir02 diff --git a/testcases/kernel/syscalls/request_key/request_key04.c b/testcases/kernel/syscalls/request_key/request_key04.c new file mode 100644 index 000000000..878b0de00 --- /dev/null +++ b/testcases/kernel/syscalls/request_key/request_key04.c 
@@ -0,0 +1,87 @@ +/* + * Copyright (c) 2018 Google, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program, if not, see <http://www.gnu.org/licenses/>. + */ + +/* + * Regression test for commit 4dca6ea1d943 ("KEYS: add missing permission check + * for request_key() destination"), or CVE-2017-17807. This bug allowed adding + * a key to a keyring given only Search permission to that keyring, rather than + * the expected Write permission. + * + * We test for the bug by trying to add a negatively instantiated key, since + * adding a negatively instantiated key using the bug was easy whereas adding a + * positively instantiated key required exploiting a race condition. 
+ */ + +#include <errno.h> + +#include "tst_test.h" +#include "lapi/keyctl.h" + +static void do_test(void) +{ + key_serial_t keyid; + int saved_errno; + + TEST(keyctl(KEYCTL_JOIN_SESSION_KEYRING, NULL)); + if (TEST_RETURN < 0) + tst_brk(TBROK | TTERRNO, "failed to join new session keyring"); + + TEST(keyctl(KEYCTL_SETPERM, KEY_SPEC_SESSION_KEYRING, + KEY_POS_SEARCH|KEY_POS_READ|KEY_POS_VIEW)); + if (TEST_RETURN < 0) { + tst_brk(TBROK | TTERRNO, + "failed to set permissions on session keyring"); + } + + TEST(keyctl(KEYCTL_SET_REQKEY_KEYRING, + KEY_REQKEY_DEFL_SESSION_KEYRING)); + if (TEST_RETURN < 0) { + tst_brk(TBROK | TTERRNO, + "failed to set request-key default keyring"); + } + + TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING, + &keyid, sizeof(keyid))); + if (TEST_RETURN < 0) + tst_brk(TBROK | TTERRNO, "failed to read from session keyring"); + if (TEST_RETURN != 0) + tst_brk(TBROK, "session keyring is not empty"); + + TEST(request_key("user", "desc", "callout_info", 0)); + if (TEST_RETURN != -1) + tst_brk(TBROK, "request_key() unexpectedly succeeded"); + saved_errno = TEST_ERRNO; + + TEST(keyctl(KEYCTL_READ, KEY_SPEC_SESSION_KEYRING, + &keyid, sizeof(keyid))); + if (TEST_RETURN < 0) + tst_brk(TBROK | TTERRNO, "failed to read from session keyring"); + if (TEST_RETURN != 0) + tst_brk(TFAIL, "added key to keyring without permission"); + + TEST_ERRNO = saved_errno; + if (TEST_ERRNO == EACCES) { + tst_res(TPASS, "request_key() failed with EACCES as expected"); + } else { + tst_res(TBROK | TTERRNO, + "request_key() failed with unexpected error code"); + } +} + +static struct tst_test test = { + .test_all = do_test, +}; -- 2.16.0.rc1.238.g530d649a79-goog ^ permalink raw reply related [flat|nested] 7+ messages in thread
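Review bot: in request_key04.c, the final `else` branch of do_test() reports an unexpected errno with `tst_res(TBROK | TTERRNO, ...)`, while every other broken-state path in the function uses `tst_brk(TBROK ...)`; use `tst_brk()` there as well so TBROK is raised the same way throughout, or report TFAIL if an errno other than EACCES is meant to count as a test failure. It would also help to put a short comment above the KEYCTL_SETPERM call saying why the mask is exactly `KEY_POS_SEARCH|KEY_POS_READ|KEY_POS_VIEW`: Search is the permission the bug accepted in place of Write, and the later KEYCTL_READ calls on the session keyring depend on the possessor still being allowed to read it.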
* [LTP] [PATCH v2 2/2] syscalls/request_key04: new test for request_key() permission check bug
From: James Morris @ 2018-01-10 0:56 UTC
To: ltp

On Tue, 9 Jan 2018, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> Add a test for a bug that allowed the request_key() system call to be
> used to add a key to a keyring using only Search permission. This bug
> was assigned CVE-2017-17807.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: James Morris <james.l.morris@oracle.com>

--
James Morris
<james.l.morris@oracle.com>
* [LTP] [PATCH v2 2/2] syscalls/request_key04: new test for request_key() permission check bug
From: Richard Palethorpe @ 2018-01-10 9:42 UTC
To: ltp

Hello Eric,

Eric Biggers writes:

> From: Eric Biggers <ebiggers@google.com>
>
> Add a test for a bug that allowed the request_key() system call to be
> used to add a key to a keyring using only Search permission. This bug
> was assigned CVE-2017-17807.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>
> No changes since v1, just added a patch preceding this one.
>
> include/lapi/keyctl.h | 4 +
> runtest/cve | 1 +
> runtest/syscalls | 1 +
> .../kernel/syscalls/request_key/request_key04.c | 87 ++++++++++++++++++++++
> 4 files changed, 93 insertions(+)
> create mode 100644 testcases/kernel/syscalls/request_key/request_key04.c

Only issue is that you are missing a .gitignore entry. Otherwise LGTM.

--
Thank you,
Richard.
* [LTP] [PATCH v2 2/2] syscalls/request_key04: new test for request_key() permission check bug
From: Petr Vorel @ 2018-01-10 11:12 UTC
To: ltp

> From: Eric Biggers <ebiggers@google.com>

> Add a test for a bug that allowed the request_key() system call to be
> used to add a key to a keyring using only Search permission. This bug
> was assigned CVE-2017-17807.

> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---

LGTM both commits.

BTW it might be worth defining SAFE_KEYCTL().

Kind regards,
Petr
* [LTP] [PATCH v2 2/2] syscalls/request_key04: new test for request_key() permission check bug
From: Cyril Hrubis @ 2018-01-19 15:22 UTC
To: ltp

Hi!
I've amended this commit with a .gitignore entry and pushed the patches,
thanks.

--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v2 1/2] lapi/keyctl.h: add key permission constants
From: James Morris @ 2018-01-10 0:56 UTC
To: ltp

On Tue, 9 Jan 2018, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> Add the key permission constants to keyctl.h so that they don't have to
> be defined in each test that uses them.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: James Morris <james.l.morris@oracle.com>

--
James Morris
<james.l.morris@oracle.com>