From patchwork Tue Sep 1 13:46:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1355000 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=2001:1418:10:5::2; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [IPv6:2001:1418:10:5::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BgpJM2Wxgz9sTN for ; Tue, 1 Sep 2020 23:46:24 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id CFAED3C2EFD for ; Tue, 1 Sep 2020 15:46:16 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-6.smtp.seeweb.it (in-6.smtp.seeweb.it [217.194.8.6]) by picard.linux.it (Postfix) with ESMTP id 610233C181A for ; Tue, 1 Sep 2020 15:46:15 +0200 (CEST) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-6.smtp.seeweb.it (Postfix) with ESMTPS id D440B1400F91 for ; Tue, 1 Sep 2020 15:46:14 +0200 (CEST) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 73F48AC55 for ; Tue, 1 Sep 2020 13:46:14 +0000 (UTC) From: Martin Doucha To: ltp@lists.linux.it Date: Tue, 1 Sep 2020 15:46:12 +0200 Message-Id: <20200901134613.20839-1-mdoucha@suse.cz> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-6.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-6.smtp.seeweb.it Subject: [LTP] [PATCH v2 1/2] Add SAFE_TIMER_*() functions to tst_safe_clocks.h X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Signed-off-by: Martin Doucha --- Changes since v1: None include/tst_safe_clocks.h | 90 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/include/tst_safe_clocks.h b/include/tst_safe_clocks.h index 4cb5f41ed..5909f4083 100644 --- a/include/tst_safe_clocks.h +++ b/include/tst_safe_clocks.h @@ -55,6 +55,83 @@ static inline void safe_clock_settime(const char *file, const int lineno, } } +static inline int safe_timer_create(const char *file, const int lineno, + clockid_t clockid, struct sigevent *sevp, timer_t *timerid) +{ + int ret; + + errno = 0; + ret = timer_create(clockid, sevp, timerid); + + if (ret == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "timer_create(%s) failed", tst_clock_name(clockid)); + } else if (ret) { + tst_brk_(file, lineno, TBROK | TERRNO, + "Invalid timer_create(%s) return value %d", + tst_clock_name(clockid), ret); + } + + return ret; +} + +static inline int safe_timer_settime(const char *file, const int lineno, + timer_t timerid, int flags, const struct itimerspec *new_value, + struct itimerspec *old_value) +{ + int ret; + + errno = 0; + ret = timer_settime(timerid, flags, new_value, old_value); + + if (ret == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "timer_settime() failed"); + } else if (ret) { + tst_brk_(file, lineno, TBROK | TERRNO, + "Invalid timer_settime() return value %d", ret); + } + + return ret; +} + +static inline int safe_timer_gettime(const char *file, const int lineno, + timer_t timerid, struct itimerspec *curr_value) +{ + int ret; + + errno = 0; + ret = timer_gettime(timerid, curr_value); + + if (ret == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, + "timer_gettime() failed"); + } else if (ret) { + tst_brk_(file, lineno, TBROK | TERRNO, + "Invalid timer_gettime() return value %d", ret); + } + + return ret; +} + +static inline int safe_timer_delete(const char *file, const int lineno, + timer_t timerid) +{ + int ret; + + errno = 0; + ret = timer_delete(timerid); + + if (ret == -1) { + tst_brk_(file, lineno, TBROK | TERRNO, "timer_delete() failed"); + } else if (ret) { + tst_brk_(file, lineno, TBROK | TERRNO, + "Invalid timer_delete() return value %d", ret); + } + + return ret; +} + #define SAFE_CLOCK_GETRES(clk_id, res)\ safe_clock_getres(__FILE__, __LINE__, (clk_id), (res)) @@ -64,4 +141,17 @@ static inline void safe_clock_settime(const char *file, const int lineno, #define SAFE_CLOCK_SETTIME(clk_id, tp)\ safe_clock_settime(__FILE__, __LINE__, (clk_id), (tp)) +#define SAFE_TIMER_CREATE(clockid, sevp, timerid)\ + safe_timer_create(__FILE__, __LINE__, (clockid), (sevp), (timerid)) + +#define SAFE_TIMER_SETTIME(timerid, flags, new_value, old_value)\ + safe_timer_settime(__FILE__, __LINE__, (timerid), (flags),\ + (new_value), (old_value)) + +#define SAFE_TIMER_GETTIME(timerid, curr_value)\ + safe_timer_gettime(__FILE__, __LINE__, (timerid), (curr_value)) + +#define SAFE_TIMER_DELETE(timerid)\ + safe_timer_delete(__FILE__, __LINE__, timerid) + #endif /* SAFE_CLOCKS_H__ */ From patchwork Tue Sep 1 13:46:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Martin Doucha X-Patchwork-Id: 1355001 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.cz Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BgpJQ4svsz9sTN for ; Tue, 1 Sep 2020 23:46:30 +1000 (AEST) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 1BA983C551E for ; Tue, 1 Sep 2020 15:46:26 +0200 (CEST) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-3.smtp.seeweb.it (in-3.smtp.seeweb.it [IPv6:2001:4b78:1:20::3]) by picard.linux.it (Postfix) with ESMTP id 6A6AF3C2DA1 for ; Tue, 1 Sep 2020 15:46:15 +0200 (CEST) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-3.smtp.seeweb.it (Postfix) with ESMTPS id C961E1A007ED for ; Tue, 1 Sep 2020 15:46:14 +0200 (CEST) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 7A6FBAC58 for ; Tue, 1 Sep 2020 13:46:14 +0000 (UTC) From: Martin Doucha To: ltp@lists.linux.it Date: Tue, 1 Sep 2020 15:46:13 +0200 Message-Id: <20200901134613.20839-2-mdoucha@suse.cz> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200901134613.20839-1-mdoucha@suse.cz> References: <20200901134613.20839-1-mdoucha@suse.cz> MIME-Version: 1.0 X-Virus-Scanned: clamav-milter 0.102.4 at in-3.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=0.0 required=7.0 tests=SPF_HELO_NONE,SPF_PASS autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on in-3.smtp.seeweb.it Subject: [LTP] [PATCH v2 2/2] Add test for CVE 2018-12896 X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Fixes #353 Signed-off-by: Martin Doucha --- Changes since v1: - Fix running the test with -i parameter - Move checks out of signal handler to make it async safe runtest/cve | 1 + runtest/syscalls | 1 + .../kernel/syscalls/timer_settime/.gitignore | 1 + .../syscalls/timer_settime/timer_settime03.c | 123 ++++++++++++++++++ 4 files changed, 126 insertions(+) create mode 100644 testcases/kernel/syscalls/timer_settime/timer_settime03.c diff --git a/runtest/cve b/runtest/cve index a2ca8d27c..07c69e8ff 100644 --- a/runtest/cve +++ b/runtest/cve @@ -52,6 +52,7 @@ cve-2018-9568 connect02 cve-2018-1000001 realpath01 cve-2018-1000199 ptrace08 cve-2018-1000204 ioctl_sg01 +cve-2018-12896 timer_settime03 cve-2018-18445 bpf_prog04 cve-2018-18559 bind06 cve-2018-19854 crypto_user01 diff --git a/runtest/syscalls b/runtest/syscalls index a6ab75ba7..398145f65 100644 --- a/runtest/syscalls +++ b/runtest/syscalls @@ -1543,6 +1543,7 @@ timer_gettime01 timer_gettime01 timer_settime01 timer_settime01 timer_settime02 timer_settime02 +timer_settime03 timer_settime03 tkill01 tkill01 tkill02 tkill02 diff --git a/testcases/kernel/syscalls/timer_settime/.gitignore b/testcases/kernel/syscalls/timer_settime/.gitignore index e1ed3ef17..2541a5b57 100644 --- a/testcases/kernel/syscalls/timer_settime/.gitignore +++ b/testcases/kernel/syscalls/timer_settime/.gitignore @@ -1,2 +1,3 @@ /timer_settime01 /timer_settime02 +/timer_settime03 diff --git a/testcases/kernel/syscalls/timer_settime/timer_settime03.c b/testcases/kernel/syscalls/timer_settime/timer_settime03.c new file mode 100644 index 000000000..4cc1f8bd8 --- /dev/null +++ b/testcases/kernel/syscalls/timer_settime/timer_settime03.c @@ -0,0 +1,123 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) 2019 SUSE LLC + */ + +/* + * CVE 2018-12896 + * + * Check for possible overflow of posix timer overrun counter. Create + * a CLOCK_REALTIME timer, set extremely low timer interval and expiration + * value just right to cause overrun overflow into negative values, start + * the timer with TIMER_ABSTIME flag to cause overruns immediately. Then just + * check the overrun counter in the timer signal handler. On a patched system, + * the value returned by timer_getoverrun() should be capped at INT_MAX and + * not allowed to overflow into negative range. Bug fixed in: + * + * commit 78c9c4dfbf8c04883941445a195276bb4bb92c76 + * Author: Thomas Gleixner + * Date: Tue Jun 26 15:21:32 2018 +0200 + * + * posix-timers: Sanitize overrun handling + */ + +#include +#include +#include +#include + +#include "tst_test.h" +#include "tst_safe_clocks.h" + +static timer_t timer; +static volatile int handler_called, overrun, saved_errno; + +static void sighandler(int sig LTP_ATTRIBUTE_UNUSED) +{ + struct itimerspec spec; + + /* + * Signal handler will be called twice in total because kernel will + * schedule another pending signal before the timer gets disabled. + */ + if (handler_called) + return; + + errno = 0; + overrun = timer_getoverrun(timer); + saved_errno = errno; + memset(&spec, 0, sizeof(struct itimerspec)); + SAFE_TIMER_SETTIME(timer, 0, &spec, NULL); + handler_called = 1; +} + +static void setup(void) +{ + struct sigevent sev; + + memset(&sev, 0, sizeof(struct sigevent)); + sev.sigev_notify = SIGEV_SIGNAL; + sev.sigev_signo = SIGUSR1; + + SAFE_SIGNAL(SIGUSR1, sighandler); + SAFE_TIMER_CREATE(CLOCK_REALTIME, &sev, &timer); +} + +static void run(void) +{ + int handler_delay = INT_MAX / 7; + long nsec; + struct itimerspec spec; + + handler_called = 0; + memset(&spec, 0, sizeof(struct itimerspec)); + SAFE_CLOCK_GETTIME(CLOCK_REALTIME, &spec.it_value); + nsec = (handler_delay % 100000000) * 10L; + + if (nsec > spec.it_value.tv_nsec) { + spec.it_value.tv_sec -= 1; + spec.it_value.tv_nsec += 1000000000; + } + + /* spec.it_value = now - 1.4 * max overrun value */ + /* IOW, overflow will land right in the middle of negative range */ + spec.it_value.tv_sec -= handler_delay / 100000000; + spec.it_value.tv_nsec -= nsec; + spec.it_interval.tv_nsec = 1; + + SAFE_TIMER_SETTIME(timer, TIMER_ABSTIME, &spec, NULL); + while (!handler_called); + errno = saved_errno; + + if (overrun == -1) + tst_brk(TBROK | TERRNO, "Error reading timer overrun count"); + + if (overrun == INT_MAX) { + tst_res(TPASS, "Timer overrun count is capped"); + return; + } + + if (overrun < 0) { + tst_res(TFAIL, "Timer overrun counter overflow"); + return; + } + + tst_res(TFAIL, "Timer overrun counter is wrong: %d; expected %d or " + "negative number", overrun, INT_MAX); +} + +static void cleanup(void) +{ + SAFE_TIMER_DELETE(timer); +} + +static struct tst_test test = { + .test_all = run, + .setup = setup, + .cleanup = cleanup, + .tags = (const struct tst_tag[]) { + {"linux-git", "78c9c4dfbf8c"}, + {"CVE", "2018-12896"}, + {} + } +};