Re: [LTP] [PATCH] Add setsockopt10 TLS ULP UAF CVE-2023-0461

[Richard Palethorpe <rpalethorpe@suse.de>]

Hello,

Petr Vorel <pvorel@suse.cz> writes:

> Hi Richie, Cyril,
>
>> >> On NixOS:
>
>> >> $ ./setsockopt10
>> >> tst_kconfig.c:87: TINFO: Parsing kernel config '/proc/config.gz'
>> >> tst_kernel.c:110: TWARN: expected file /lib/modules/6.5.5/modules.dep does not exist or not a file
>> >> tst_kernel.c:110: TWARN: expected file /lib/modules/6.5.5/modules.builtin does not exist or not a file
>
> For my info: this comes from Cyrils suggestion to use .needs_drivers.
>
>> > Can you strace modprobe to see what is different on the system, these
>> > files have to be installed somewhere in order for modprobe to actually
>> > work...
>
>> They will be in /nix/store/<kernel package hash>/.../modules or similar.
>> I can probably make it work on NixOS by creating a nix file, but I think
>> there is a bigger issue.
>
> "NixOS is a Linux distribution built on top of the Nix package manager." [1]
>
> I have no idea why Linux distro needs non-standard patch. IMHO we can take patch
> which detects NixOS and use it's path, but for the distro itself would be better
> if it has at least symlink to the standard path (i.e. it'd be worth to report
> it).

Only if you can point to a specification and NixOS accepts that spec. If
it is not in POSIX then it is unlikely to get through. There is not even
a /lib in NixOS. Any absolute paths interfere with reproducibility,
isolation and such. To see how such a discussion is likey to go see this
thread on /bin/bash:
https://discourse.nixos.org/t/add-bin-bash-to-avoid-unnecessary-pain/5673

OTOH all we need is a Nix file which creates the symlinks (or patches
LTP) and specifies the LTPs deps to create a reproducible build of LTP
in Nix. At some point I'll add it to CI.

However this doesn't help other distro's or embedded systems that we
don't personally use.

>
> As Cyril noted we have .needs_drivers, but that's also require config files in
> /lib/modules. But setsockopt10 could also benefit from .modprobe patchset [2],
> particularly [3]. i.e. instead of asking for CONFIG_TLS "modprobe tls" could
> work. But currently we also expect modules.builtin is in /lib/modules. We could
> rethink that (e.g. introduce variable which ignores the check, or allows to pass
> path the correct prefix of the directory or remove
> tst_check_builtin_driver(name), which is based on parsing modules.builtin).
>
> But for broader discussion please comment on the patchset itself.
>
> And now something completely different: root vs. normal user:
> $ find /lib/modules/$(uname -r) |grep tls
> ...
> /lib/modules/6.5.0-1-amd64/kernel/net/tls/tls.ko
>
> But this does not work, when run as user:
> $ ./setsockopt10
> ...
> setsockopt10.c:96: TINFO: child: Listen for tcp1 connection
> setsockopt10.c:133: TINFO: parent: Connect for tcp0 connection
> setsockopt10.c:138: TCONF: parent: setsockopt failed: The TLS module is probably not loaded: ENOENT (2)
> tst_test.c:1622: TINFO: Killed the leftover descendant processes
>
> Maybe that has been discussed, but I'd really request the root, because it works
> with it:

Yes, I did say why I don't want to require root in the previous
message. However I'll take this to the patchset thread you posted.

>
> # ./setsockopt10
> ...
> setsockopt10.c:145: TINFO: parent: Disconnect by setting unspec address
> setsockopt10.c:153: TPASS: parent: Can't listen on disconnected TLS socket: EINVAL (22)
> setsockopt10.c:110: TINFO: child: connect for tcp2 connection
> setsockopt10.c:114: TINFO: child: could not connect to tcp1: ECONNREFUSED (111)
>
> Kind regards,
> Petr
>
> [1] https://en.wikipedia.org/wiki/NixOS
> [2] https://patchwork.ozlabs.org/project/ltp/list/?series=377451&state=*
> [3] https://patchwork.ozlabs.org/project/ltp/patch/20231013074748.702214-3-pvorel@suse.cz/


-- 
Thank you,
Richard.

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp