1f08c3bdfSopenharmony_ci// SPDX-License-Identifier: GPL-2.0-or-later 2f08c3bdfSopenharmony_ci/* 3f08c3bdfSopenharmony_ci * Copyright (c) 2018 SUSE 4f08c3bdfSopenharmony_ci * Author: Nicolai Stange <nstange@suse.de> 5f08c3bdfSopenharmony_ci * LTP conversion: Richard Palethorpe <rpalethorpe@suse.com> 6f08c3bdfSopenharmony_ci * 7f08c3bdfSopenharmony_ci * Originally found by syzkaller: 8f08c3bdfSopenharmony_ci * https://groups.google.com/forum/#!topic/syzkaller-bugs/NKn_ivoPOpk 9f08c3bdfSopenharmony_ci * 10f08c3bdfSopenharmony_ci * Test for CVE-2017-18075 - pcrypt mishandles freeing instances. 11f08c3bdfSopenharmony_ci * 12f08c3bdfSopenharmony_ci * The test works by adding and then removing pcrypt-AEAD instances. 13f08c3bdfSopenharmony_ci * See commit d76c68109f37 crypto: pcrypt - fix freeing pcrypt instances. 14f08c3bdfSopenharmony_ci * 15f08c3bdfSopenharmony_ci * If the bug is present then this will probably crash the kernel, but also 16f08c3bdfSopenharmony_ci * sometimes the test simply times out. 17f08c3bdfSopenharmony_ci */ 18f08c3bdfSopenharmony_ci 19f08c3bdfSopenharmony_ci#include <errno.h> 20f08c3bdfSopenharmony_ci#include <time.h> 21f08c3bdfSopenharmony_ci 22f08c3bdfSopenharmony_ci#include "tst_test.h" 23f08c3bdfSopenharmony_ci#include "tst_safe_net.h" 24f08c3bdfSopenharmony_ci#include "tst_taint.h" 25f08c3bdfSopenharmony_ci#include "tst_crypto.h" 26f08c3bdfSopenharmony_ci 27f08c3bdfSopenharmony_ci#define ATTEMPTS 10000 28f08c3bdfSopenharmony_ci 29f08c3bdfSopenharmony_cistatic struct tst_crypto_session ses = TST_CRYPTO_SESSION_INIT; 30f08c3bdfSopenharmony_ci 31f08c3bdfSopenharmony_civoid setup(void) 32f08c3bdfSopenharmony_ci{ 33f08c3bdfSopenharmony_ci tst_crypto_open(&ses); 34f08c3bdfSopenharmony_ci} 35f08c3bdfSopenharmony_ci 36f08c3bdfSopenharmony_civoid run(void) 37f08c3bdfSopenharmony_ci{ 38f08c3bdfSopenharmony_ci int i; 39f08c3bdfSopenharmony_ci struct crypto_user_alg a = { 40f08c3bdfSopenharmony_ci .cru_driver_name = "pcrypt(authenc(hmac(sha256-generic),cbc(aes-generic)))", 41f08c3bdfSopenharmony_ci .cru_type = CRYPTO_ALG_TYPE_AEAD, 42f08c3bdfSopenharmony_ci .cru_mask = CRYPTO_ALG_TYPE_MASK, 43f08c3bdfSopenharmony_ci }; 44f08c3bdfSopenharmony_ci 45f08c3bdfSopenharmony_ci for (i = 0; i < ATTEMPTS; ++i) { 46f08c3bdfSopenharmony_ci TEST(tst_crypto_add_alg(&ses, &a)); 47f08c3bdfSopenharmony_ci if (TST_RET && TST_RET == -ENOENT) { 48f08c3bdfSopenharmony_ci tst_brk(TCONF | TRERRNO, 49f08c3bdfSopenharmony_ci "pcrypt, hmac, sha256, cbc or aes not supported"); 50f08c3bdfSopenharmony_ci } 51f08c3bdfSopenharmony_ci if (TST_RET && TST_RET != -EEXIST) 52f08c3bdfSopenharmony_ci tst_brk(TBROK | TRERRNO, "add_alg"); 53f08c3bdfSopenharmony_ci 54f08c3bdfSopenharmony_ci TEST(tst_crypto_del_alg(&ses, &a)); 55f08c3bdfSopenharmony_ci if (TST_RET) 56f08c3bdfSopenharmony_ci tst_brk(TBROK | TRERRNO, "del_alg"); 57f08c3bdfSopenharmony_ci 58f08c3bdfSopenharmony_ci if (!tst_remaining_runtime()) { 59f08c3bdfSopenharmony_ci tst_res(TINFO, "Time limit reached, stopping at " 60f08c3bdfSopenharmony_ci "%d iterations", i); 61f08c3bdfSopenharmony_ci break; 62f08c3bdfSopenharmony_ci } 63f08c3bdfSopenharmony_ci } 64f08c3bdfSopenharmony_ci 65f08c3bdfSopenharmony_ci tst_res(TPASS, "Nothing bad appears to have happened"); 66f08c3bdfSopenharmony_ci} 67f08c3bdfSopenharmony_ci 68f08c3bdfSopenharmony_civoid cleanup(void) 69f08c3bdfSopenharmony_ci{ 70f08c3bdfSopenharmony_ci tst_crypto_close(&ses); 71f08c3bdfSopenharmony_ci} 72f08c3bdfSopenharmony_ci 73f08c3bdfSopenharmony_cistatic struct tst_test test = { 74f08c3bdfSopenharmony_ci .setup = setup, 75f08c3bdfSopenharmony_ci .test_all = run, 76f08c3bdfSopenharmony_ci .cleanup = cleanup, 77f08c3bdfSopenharmony_ci .needs_root = 1, 78f08c3bdfSopenharmony_ci .max_runtime = 300, 79f08c3bdfSopenharmony_ci .tags = (const struct tst_tag[]) { 80f08c3bdfSopenharmony_ci {"linux-git", "d76c68109f37"}, 81f08c3bdfSopenharmony_ci {"CVE", "2017-18075"}, 82f08c3bdfSopenharmony_ci {} 83f08c3bdfSopenharmony_ci } 84f08c3bdfSopenharmony_ci}; 85