From patchwork Wed Mar 14 14:54:26 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Palethorpe X-Patchwork-Id: 885834 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.com Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 401ZWv4S3Gz9sTD for ; Thu, 15 Mar 2018 01:55:07 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id EECB73E76DE for ; Wed, 14 Mar 2018 15:55:04 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-4.smtp.seeweb.it (in-4.smtp.seeweb.it [217.194.8.4]) by picard.linux.it (Postfix) with ESMTP id AC2553E6DE7 for ; Wed, 14 Mar 2018 15:55:02 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-4.smtp.seeweb.it (Postfix) with ESMTPS id 4096F1001BDA for ; Wed, 14 Mar 2018 15:54:59 +0100 (CET) Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 82F09AE0C for ; Wed, 14 Mar 2018 14:54:59 +0000 (UTC) From: Richard Palethorpe To: ltp@lists.linux.it Date: Wed, 14 Mar 2018 15:54:26 +0100 Message-Id: <20180314145427.2738-1-rpalethorpe@suse.com> X-Mailer: git-send-email 2.16.2 X-Virus-Scanned: clamav-milter 0.99.2 at in-4.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-4.smtp.seeweb.it Cc: Richard Palethorpe , nstange@suse.de Subject: [LTP] [PATCH 1/2] lib: Add safe_recvmsg X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Identical to safe_sendmsg except *msg is not const. Signed-off-by: Richard Palethorpe Acked-by: Petr Vorel --- include/safe_net_fn.h | 3 +++ include/tst_safe_net.h | 3 +++ lib/safe_net.c | 23 +++++++++++++++++++++++ 3 files changed, 29 insertions(+) diff --git a/include/safe_net_fn.h b/include/safe_net_fn.h index 2a19be875..89e5bf0cc 100644 --- a/include/safe_net_fn.h +++ b/include/safe_net_fn.h @@ -49,6 +49,9 @@ ssize_t safe_sendto(const char *file, const int lineno, char len_strict, ssize_t safe_sendmsg(const char *file, const int lineno, size_t msg_len, int sockfd, const struct msghdr *msg, int flags); +ssize_t safe_recvmsg(const char *file, const int lineno, size_t msg_len, + int sockfd, struct msghdr *msg, int flags); + int safe_bind(const char *file, const int lineno, void (cleanup_fn)(void), int socket, const struct sockaddr *address, socklen_t address_len); diff --git a/include/tst_safe_net.h b/include/tst_safe_net.h index 68e9f5cfb..d0c0a1dc5 100644 --- a/include/tst_safe_net.h +++ b/include/tst_safe_net.h @@ -54,6 +54,9 @@ #define SAFE_SENDMSG(msg_len, fd, msg, flags) \ safe_sendmsg(__FILE__, __LINE__, msg_len, fd, msg, flags) +#define SAFE_RECVMSG(msg_len, fd, msg, flags) \ + safe_recvmsg(__FILE__, __LINE__, msg_len, fd, msg, flags) + #define SAFE_BIND(socket, address, address_len) \ safe_bind(__FILE__, __LINE__, NULL, socket, address, \ address_len) diff --git a/lib/safe_net.c b/lib/safe_net.c index 9ea9d2b42..5ad478795 100644 --- a/lib/safe_net.c +++ b/lib/safe_net.c @@ -209,6 +209,29 @@ ssize_t safe_sendmsg(const char *file, const int lineno, size_t len, return rval; } +ssize_t safe_recvmsg(const char *file, const int lineno, size_t len, + int sockfd, struct msghdr *msg, int flags) +{ + ssize_t rval; + + rval = recvmsg(sockfd, msg, flags); + + if (rval == -1) { + tst_brkm(TBROK | TERRNO, NULL, + "%s:%d: recvmsg(%d, %p, %d) failed", + file, lineno, sockfd, msg, flags); + } + + if (len && (size_t)rval != len) { + tst_brkm(TBROK, NULL, + "%s:%d: recvmsg(%d, %p, %d) ret(%zd) != len(%zu)", + file, lineno, sockfd, msg, flags, rval, len); + } + + return rval; + +} + int safe_bind(const char *file, const int lineno, void (cleanup_fn)(void), int socket, const struct sockaddr *address, socklen_t address_len) From patchwork Wed Mar 14 14:54:27 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Richard Palethorpe X-Patchwork-Id: 885835 X-Patchwork-Delegate: petr.vorel@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.linux.it (client-ip=213.254.12.146; helo=picard.linux.it; envelope-from=ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=suse.com Received: from picard.linux.it (picard.linux.it [213.254.12.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 401ZX4259gz9sT6 for ; Thu, 15 Mar 2018 01:55:15 +1100 (AEDT) Received: from picard.linux.it (localhost [IPv6:::1]) by picard.linux.it (Postfix) with ESMTP id 8D1753E76E5 for ; Wed, 14 Mar 2018 15:55:13 +0100 (CET) X-Original-To: ltp@lists.linux.it Delivered-To: ltp@picard.linux.it Received: from in-5.smtp.seeweb.it (in-5.smtp.seeweb.it [217.194.8.5]) by picard.linux.it (Postfix) with ESMTP id 6FD693E76D1 for ; Wed, 14 Mar 2018 15:55:12 +0100 (CET) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by in-5.smtp.seeweb.it (Postfix) with ESMTPS id AD28D6014B4 for ; Wed, 14 Mar 2018 15:55:11 +0100 (CET) Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id F102BACE5 for ; Wed, 14 Mar 2018 14:55:10 +0000 (UTC) From: Richard Palethorpe To: ltp@lists.linux.it Date: Wed, 14 Mar 2018 15:54:27 +0100 Message-Id: <20180314145427.2738-2-rpalethorpe@suse.com> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180314145427.2738-1-rpalethorpe@suse.com> References: <20180314145427.2738-1-rpalethorpe@suse.com> X-Virus-Scanned: clamav-milter 0.99.2 at in-5.smtp.seeweb.it X-Virus-Status: Clean X-Spam-Status: No, score=-0.0 required=7.0 tests=SPF_PASS autolearn=disabled version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on in-5.smtp.seeweb.it Cc: Richard Palethorpe , nstange@suse.de Subject: [LTP] [PATCH 2/2] Add CVE-2017-18075, pcrypt mishandles freeing instances X-BeenThere: ltp@lists.linux.it X-Mailman-Version: 2.1.18 Precedence: list List-Id: Linux Test Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" Signed-off-by: Richard Palethorpe --- I can not find the original reproducer posted upstream. I assume it was created by syzkaller. This patch will not display error messages correctly without the previous TRERRNO patch I posted. runtest/cve | 1 + testcases/cve/.gitignore | 1 + testcases/cve/cve-2017-18075.c | 201 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 203 insertions(+) create mode 100644 testcases/cve/cve-2017-18075.c diff --git a/runtest/cve b/runtest/cve index 8b7cbe539..17ef5186d 100644 --- a/runtest/cve +++ b/runtest/cve @@ -32,3 +32,4 @@ cve-2017-5754 meltdown cve-2017-17052 cve-2017-17052 cve-2017-16939 cve-2017-16939 cve-2017-17053 cve-2017-17053 +cve-2017-18075 cve-2017-18075 diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore index b05c0ded6..e4dbb58c1 100644 --- a/testcases/cve/.gitignore +++ b/testcases/cve/.gitignore @@ -14,3 +14,4 @@ stack_clash cve-2017-17052 cve-2017-16939 cve-2017-17053 +cve-2017-18075 diff --git a/testcases/cve/cve-2017-18075.c b/testcases/cve/cve-2017-18075.c new file mode 100644 index 000000000..3723b0655 --- /dev/null +++ b/testcases/cve/cve-2017-18075.c @@ -0,0 +1,201 @@ +/* + * Copyright (c) 2018 SUSE + * Author: Nicolai Stange + * LTP conversion: Richard Palethorpe + * + * Based on the reproducer posted upstream so other copyrights may + * apply. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see . + * + * Test for CVE-2017-5754 - pcrypt mishandles freeing instances + * + * See commit d76c68109f37 crypto: pcrypt - fix freeing pcrypt instances. + * + * If the bug is present this will most likely crash your kernel. + */ + +#include +#include +#include +#include + +#include "tst_test.h" +#include "tst_safe_net.h" +#include "tst_taint.h" + +#define ATTEMPTS 10000 + +enum { + CRYPTO_MSG_BASE = 0x10, + CRYPTO_MSG_NEWALG = 0x10, + CRYPTO_MSG_DELALG, + CRYPTO_MSG_UPDATEALG, + CRYPTO_MSG_GETALG, + CRYPTO_MSG_DELRNG, + __CRYPTO_MSG_MAX +}; + +#define CRYPTO_MAX_ALG_NAME 64 +#define CRYPTO_MAX_NAME CRYPTO_MAX_ALG_NAME + +#define CRYPTO_ALG_TYPE_MASK 0x0000000f +#define CRYPTO_ALG_TYPE_AEAD 0x00000003 + +#ifndef NETLINK_CRYPTO +#define NETLINK_CRYPTO 21 +#endif + +struct crypto_user_alg { + char cru_name[CRYPTO_MAX_ALG_NAME]; + char cru_driver_name[CRYPTO_MAX_ALG_NAME]; + char cru_module_name[CRYPTO_MAX_ALG_NAME]; + uint32_t cru_type; + uint32_t cru_mask; + uint32_t cru_refcnt; + uint32_t cru_flags; +}; + +static void send_nl_msg(int fd, struct nlmsghdr *nh, void *payload) +{ + static unsigned int sequence_number; + struct sockaddr_nl sa = { .nl_family = AF_NETLINK }; + struct iovec iov[2] = { + {nh, sizeof(*nh)}, + {payload, nh->nlmsg_len - sizeof(*nh)} + }; + struct msghdr msg = { + .msg_name = &sa, + .msg_namelen = sizeof(sa), + .msg_iov = iov, + .msg_iovlen = 2 + }; + + nh->nlmsg_pid = 0; + nh->nlmsg_seq = ++sequence_number; + /* Request an ack from kernel by setting NLM_F_ACK */ + nh->nlmsg_flags |= NLM_F_ACK; + + SAFE_SENDMSG(nh->nlmsg_len, fd, &msg, 0); +} + +static int read_reply(int fd) +{ + int len; + char buf[4096]; + struct iovec iov = { buf, sizeof(buf) }; + struct sockaddr_nl sa; + struct msghdr msg = { + .msg_name = &sa, + .msg_namelen = sizeof(sa), + .msg_iov = &iov, + .msg_iovlen = 1 + }; + struct nlmsghdr *nh; + + len = SAFE_RECVMSG(0, fd, &msg, 0); + + for (nh = (struct nlmsghdr *) buf; + NLMSG_OK(nh, len); + nh = NLMSG_NEXT(nh, len)) { + /* The end of multipart message. */ + if (nh->nlmsg_type == NLMSG_DONE) + return 0; + + if (nh->nlmsg_type == NLMSG_ERROR) + return ((struct nlmsgerr *)NLMSG_DATA(nh))->error; + } + + return 0; +} + +static int add_alg(int fd, struct crypto_user_alg *a) +{ + int r; + struct nlmsghdr nh = { + .nlmsg_len = sizeof(struct nlmsghdr) + sizeof(*a), + .nlmsg_type = CRYPTO_MSG_NEWALG, + .nlmsg_flags = NLM_F_REQUEST, + }; + + send_nl_msg(fd, &nh, a); + + r = read_reply(fd); + if (r == -EEXIST) + return 0; + return r; +} + +static int del_alg(int fd, struct crypto_user_alg *a) +{ + int i; + struct timespec delay = { .tv_nsec = 1000000 }; + struct nlmsghdr nh = { + .nlmsg_len = sizeof(struct nlmsghdr) + sizeof(*a), + .nlmsg_type = CRYPTO_MSG_DELALG, + .nlmsg_flags = NLM_F_REQUEST, + }; + + for (i = 0; i < 1000; i++) { + send_nl_msg(fd, &nh, a); + + TEST(read_reply(fd)); + if (TEST_RETURN != -EBUSY) + break; + + if (nanosleep(&delay, NULL) && errno != EINTR) + tst_brk(TBROK | TERRNO, "nanosleep"); + } + + return TEST_RETURN; +} + +void setup(void) +{ + tst_taint_init(TST_TAINT_W | TST_TAINT_D); +} + +void run(void) +{ + int fd, i; + struct crypto_user_alg a = { + .cru_driver_name = "pcrypt(authenc(hmac(sha256-generic),cbc(aes-generic)))", + .cru_type = CRYPTO_ALG_TYPE_AEAD, + .cru_mask = CRYPTO_ALG_TYPE_MASK, + }; + + fd = SAFE_SOCKET(AF_NETLINK, SOCK_DGRAM, NETLINK_CRYPTO); + + for (i = 0; i < ATTEMPTS; ++i) { + TEST(add_alg(fd, &a)); + if (TEST_RETURN) + tst_brk(TBROK | TRERRNO, "add_alg"); + + TEST(del_alg(fd, &a)); + if (TEST_RETURN) + tst_brk(TBROK | TRERRNO, "del_alg"); + } + + if (tst_taint_check()) + tst_res(TFAIL, "Kernel has been tainted, check kernel log"); + else + tst_res(TPASS, "You are probably safe"); +} + +static struct tst_test test = { + .setup = setup, + .test_all = run, + .needs_root = 1, + .min_kver = "4.2.0", +};