* [LTP] [PATCH v1] Add test case for CVE-2018-11508
@ 2020-06-20 6:37 Nirav Parmar
2020-06-20 9:24 ` Petr Vorel
2020-08-11 14:07 ` Cyril Hrubis
0 siblings, 2 replies; 4+ messages in thread
From: Nirav Parmar @ 2020-06-20 6:37 UTC (permalink / raw)
To: ltp
This patch adds a new test case for the adjtimex syscall. It checks whether there
is any data leak from the kernel when calling adjtimex. This code
will pass a struct timex buffer filled with zeros, with some INVALID mode,
to the adjtimex system call and therefore, it tends to fail. None of the
attributes will get initialized, and before that, it must throw an error.
On reading the last attribute tai of the struct, if the attribute is non-zero
the test is considered to have failed, else the test is considered
to have passed.
Resolves #321
Signed-off-by: Nirav Parmar <niravparmar@zilogic.com>
Reviewed-by: Vijay Kumar B. <vijaykumar@zilogic.com>
---
runtest/syscalls | 1 +
testcases/kernel/syscalls/adjtimex/.gitignore | 1 +
.../kernel/syscalls/adjtimex/adjtimex03.c | 112 ++++++++++++++++++
3 files changed, 114 insertions(+)
create mode 100644 testcases/kernel/syscalls/adjtimex/adjtimex03.c
diff --git a/runtest/syscalls b/runtest/syscalls
index ee7e2a0d2..21a81cb4c 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -22,6 +22,7 @@ add_key05 add_key05
adjtimex01 adjtimex01
adjtimex02 adjtimex02
+adjtimex03 adjtimex03
alarm02 alarm02
alarm03 alarm03
diff --git a/testcases/kernel/syscalls/adjtimex/.gitignore b/testcases/kernel/syscalls/adjtimex/.gitignore
index d0c6dea83..bb3508855 100644
--- a/testcases/kernel/syscalls/adjtimex/.gitignore
+++ b/testcases/kernel/syscalls/adjtimex/.gitignore
@@ -1,2 +1,3 @@
/adjtimex01
/adjtimex02
+/adjtimex03
diff --git a/testcases/kernel/syscalls/adjtimex/adjtimex03.c b/testcases/kernel/syscalls/adjtimex/adjtimex03.c
new file mode 100644
index 000000000..d6c8d67e5
--- /dev/null
+++ b/testcases/kernel/syscalls/adjtimex/adjtimex03.c
@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) Zilogic Systems Pvt. Ltd, 2020. All Rights Reserved.
+ * Email: <code@zilogic.com>
+ *
+ * Based on testcases/kernel/syscalls/adjtimex/adjtimex01.c
+ * Copyright (c) Wipro Technologies Ltd, 2002.
+ *
+ * CVE-2018-11508
+ *
+ * Test 4-byte kernel data leak via adjtimex
+ *
+ * On calling the adjtimex() function call with invalid mode (let's say
+ * 0x8000), ideally all the parameters should return with null data. But,
+ * when we read the last parameter we will receive 4 bytes of kernel data.
+ * This proves that there are 4 bytes of info leaked. The bug was fixed in
+ * Kernel Version 4.16.9. Therefore, the below test case will only be
+ * applicable for the kernel version 4.16.9 and above.
+ *
+ * So basically, this test shall check whether there is any data leak.
+ * To test that, Pass struct timex buffer filled with zero with
+ * some INVALID mode to the system call adjtimex. Passing an invalid
+ * parameters will not call do_adjtimex() and before that, it shall throw
+ * an error(On error test shall not break). Therefore, none of the parameters
+ * will get initialized.
+ *
+ * On reading the last attribute tai of the struct, if the attribute is non-
+ * zero the test is considered to have failed, else the test is considered
+ * to have passed.
+ */
+
+#include <errno.h>
+#include <sys/timex.h>
+#include "tst_test.h"
+
+#define SET_MODE (ADJ_OFFSET | ADJ_FREQUENCY | ADJ_MAXERROR | ADJ_ESTERROR | \
+ ADJ_STATUS | ADJ_TIMECONST | ADJ_TICK)
+
+#define ADJ_ADJTIME 0x8000
+#define LOOPS 10
+
+static struct timex *tim_save;
+static struct timex *buf;
+
+void verify_adjtimex(void)
+{
+ int i;
+ int data_leak = 0;
+
+ for (i = 0; i < LOOPS; i++) {
+ memset(buf, 0, sizeof(struct timex));
+ buf->modes = ADJ_ADJTIME; /* Invalid mode */
+ TEST(adjtimex(buf));
+ if ((TST_RET == -1) && (TST_ERR == EINVAL)) {
+ tst_res(TINFO,
+ "expecting adjtimex() to fail with EINVAL"
+ "with mode 0x%x", ADJ_ADJTIME);
+ } else {
+ tst_brk(TBROK | TERRNO,
+ "adjtimex(): Unexpeceted error,"
+ "expecting EINVAL with mode 0x%x",
+ ADJ_ADJTIME);
+ }
+
+ tst_res(TINFO, "tai : 0x%08x", buf->tai);
+
+ if (buf->tai != 0) {
+ data_leak = 1;
+ break;
+ }
+ }
+ if (data_leak != 0)
+ tst_res(TFAIL, "Data leak observed");
+ else
+ tst_res(TPASS, "Data leak not observed");
+}
+
+static void setup(void)
+{
+ tim_save->modes = 0;
+ /* Save current parameters */
+ if ((adjtimex(tim_save)) == -1) {
+ tst_brk(TBROK | TERRNO,
+ "adjtimex(): failed to save current params");
+ }
+}
+
+static void cleanup(void)
+{
+ tim_save->modes = SET_MODE;
+
+ /* Restore saved parameters */
+ if ((adjtimex(tim_save)) == -1)
+ tst_res(TWARN, "Failed to restore saved parameters");
+}
+
+static struct tst_test test = {
+ .setup = setup,
+ .cleanup = cleanup,
+ .min_kver = "4.16.9",
+ .test_all = verify_adjtimex,
+ .bufs = (struct tst_buffers []) {
+ {&buf, .size = sizeof(*buf)},
+ {&tim_save, .size = sizeof(*tim_save)},
+ {},
+ },
+ .tags = (const struct tst_tag[]) {
+ {"CVE", "2018-11508"},
+ {"linux-git", "3a4d44b61625"},
+ {},
+ }
+};
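Review bot: the adjacent string literals in the TINFO and TBROK messages inside the loop concatenate without a separating space, so the output reads "EINVALwith mode 0x8000" and "error,expecting EINVAL"; start the second literal with a space (`" with mode 0x%x"`) and fix the "Unexpeceted" typo. Two smaller points in the same hunk: `memset()` is called without including <string.h> directly (it only compiles because tst_test.h pulls it in), and `verify_adjtimex()` should be `static` like setup() and cleanup(), since it is only referenced through `.test_all`. On the test design: because an invalid mode makes the kernel return EINVAL before any clock parameter is touched, the setup()/cleanup() pair that saves the current parameters and writes them back with SET_MODE (ADJ_OFFSET | ADJ_FREQUENCY | ... | ADJ_TICK) re-applies clock adjustments for no benefit. Finally, the header comment and `.min_kver = "4.16.9"` keep this regression test from running on stable or distribution kernels where the fix has been backported; drop the version restriction, and the "linux-git" tag should name the commit that fixed the leak rather than the one the thread identifies as having introduced it (3a4d44b61625).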
--
2.20.1
* [LTP] [PATCH v1] Add test case for CVE-2018-11508
From: Petr Vorel @ 2020-06-20 9:24 UTC (permalink / raw)
To: ltp
Hi Nirav,
thanks for your patch!
...
> + * This proves that there are 4 bytes of info leaked. The bug was fixed in
> + * Kernel Version 4.16.9. Therefore, the below test case will only be
> + * applicable for the kernel version 4.16.9 and above.
This is IMHO wrong. The fix 3a4d44b61625 fixes 3a4d44b61625 ("ntp: Move adjtimex
related compat syscalls to native counterparts"), which was released in
v4.13-rc1.
...
> +static struct tst_test test = {
> + .setup = setup,
> + .cleanup = cleanup,
> + .min_kver = "4.16.9",
Thus there should be .min_kver = "4.13".
And most of the tests don't have .min_kver anyway; it might be removed
entirely.
> + .test_all = verify_adjtimex,
> + .bufs = (struct tst_buffers []) {
> + {&buf, .size = sizeof(*buf)},
> + {&tim_save, .size = sizeof(*tim_save)},
> + {},
> + },
> + .tags = (const struct tst_tag[]) {
> + {"CVE", "2018-11508"},
> + {"linux-git", "3a4d44b61625"},
> + {},
> + }
> +};
Kind regards,
Petr
* [LTP] [PATCH v1] Add test case for CVE-2018-11508
From: Cyril Hrubis @ 2020-08-11 14:07 UTC (permalink / raw)
To: ltp
Hi!
Pushed with some changes, explained below, thanks.
diff --git a/testcases/kernel/syscalls/adjtimex/adjtimex03.c b/testcases/kernel/syscalls/adjtimex/adjtimex03.c
index d6c8d67e5..263391c90 100644
--- a/testcases/kernel/syscalls/adjtimex/adjtimex03.c
+++ b/testcases/kernel/syscalls/adjtimex/adjtimex03.c
@@ -33,13 +33,9 @@
#include <sys/timex.h>
#include "tst_test.h"
-#define SET_MODE (ADJ_OFFSET | ADJ_FREQUENCY | ADJ_MAXERROR | ADJ_ESTERROR | \
- ADJ_STATUS | ADJ_TIMECONST | ADJ_TICK)
-
#define ADJ_ADJTIME 0x8000
#define LOOPS 10
-static struct timex *tim_save;
static struct timex *buf;
void verify_adjtimex(void)
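Review bot: with `SET_MODE` and `tim_save` removed, `verify_adjtimex()` in the trailing context is still a non-static external symbol; mark it `static`, since it is only reachable through `test.test_all` and every other function in the file is file-local.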
@@ -54,7 +50,7 @@ void verify_adjtimex(void)
if ((TST_RET == -1) && (TST_ERR == EINVAL)) {
tst_res(TINFO,
"expecting adjtimex() to fail with EINVAL"
- "with mode 0x%x", ADJ_ADJTIME);
+ " with mode 0x%x", ADJ_ADJTIME);
} else {
tst_brk(TBROK | TERRNO,
"adjtimex(): Unexpeceted error,"
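Review bot: the leading space added to `" with mode 0x%x"` fixes the TINFO message, but the TBROK message immediately below it, `"adjtimex(): Unexpeceted error,"` followed by `"expecting EINVAL with mode 0x%x"`, still concatenates to "error,expecting" and keeps the "Unexpeceted" typo; apply the same fix there (`"adjtimex(): Unexpected error,"` / `" expecting EINVAL with mode 0x%x"`).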
@@ -75,38 +71,15 @@ void verify_adjtimex(void)
tst_res(TPASS, "Data leak not observed");
}
-static void setup(void)
-{
- tim_save->modes = 0;
- /* Save current parameters */
- if ((adjtimex(tim_save)) == -1) {
- tst_brk(TBROK | TERRNO,
- "adjtimex(): failed to save current params");
- }
-}
-
-static void cleanup(void)
-{
- tim_save->modes = SET_MODE;
-
- /* Restore saved parameters */
- if ((adjtimex(tim_save)) == -1)
- tst_res(TWARN, "Failed to restore saved parameters");
-}
There is no point in saving and restoring anything if we pass invalid
mode.
static struct tst_test test = {
- .setup = setup,
- .cleanup = cleanup,
- .min_kver = "4.16.9",
Also we do not restrict regression tests to any kernel version, this
would for example restrict the test from running on stable kernel trees
or distribution kernels where the fix should have been backported.
.test_all = verify_adjtimex,
.bufs = (struct tst_buffers []) {
{&buf, .size = sizeof(*buf)},
- {&tim_save, .size = sizeof(*tim_save)},
{},
},
.tags = (const struct tst_tag[]) {
{"CVE", "2018-11508"},
- {"linux-git", "3a4d44b61625"},
+ {"linux-git", "0a0b98734479"},
We put in the hash that fixed the problem, not the one that introduced
it. We do not track where bugs were introduced in LTP only where they
were fixed.
{},
}
};
--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v1] Add test case for CVE-2018-11508
From: niravparmar @ 2020-06-22 9:49 UTC (permalink / raw)
To: ltp
Hello Petr,
The fix 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to
native counterparts") was fixed in v4.13-rc1. With this fix, the bug
CVE-2018-11508 was introduced. This bug was then resolved in v4.17-rc5. In
that case, shouldn't we test the 'CVE-2018-11508' bug after the kernel
version where it got resolved?
Thanks and regards,
Nirav