// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (c) Crackerjack Project., 2007
 * Copyright (c) 2017 Google, Inc.
 *
 * Test that the add_key() syscall correctly handles a NULL payload with nonzero
 * length.  Specifically, it should fail with EFAULT rather than oopsing the
 * kernel with a NULL pointer dereference or failing with EINVAL, as it did
 * before (depending on the key type).  This is a regression test for commit
 * 5649645d725c ("KEYS: fix dereferencing NULL payload with nonzero length").
 *
 * Note that none of the key types that exhibited the NULL pointer dereference
 * are guaranteed to be built into the kernel, so we just test as many as we
 * can, in the hope of catching one.  We also test with the "user" key type for
 * good measure, although it was one of the types that failed with EINVAL rather
 * than dereferencing NULL.
 *
 * This has been assigned CVE-2017-15274.
 */
21f08c3bdfSopenharmony_ci#include <errno.h>
23f08c3bdfSopenharmony_ci#include "tst_test.h"
24f08c3bdfSopenharmony_ci#include "lapi/keyctl.h"
/*
 * Table of key types to probe, one test iteration per entry.
 *
 * The test passes a NULL payload pointer together with 'plen', so the length
 * only has to survive each key type's initial validation; beyond that the
 * value is arbitrary.
 *
 * NOTE(review): the table is only read within this file as far as the visible
 * code shows; it could likely be given internal linkage -- confirm.
 */
struct tcase {
	const char *type;	/* key type name handed to add_key() */
	size_t plen;		/* claimed payload length, in bytes */
} tcases[] = {
	{ .type = "asymmetric",		.plen = 64 },
	{ .type = "cifs.idmap",		.plen = 64 },
	{ .type = "cifs.spnego",	.plen = 64 },
	{ .type = "pkcs7_test",		.plen = 64 },
	{ .type = "rxrpc",		.plen = 64 },
	/* "rxrpc_s" only accepts a payload of exactly 8 bytes. */
	{ .type = "rxrpc_s",		.plen = 8 },
	{ .type = "user",		.plen = 64 },
	{ .type = "logon",		.plen = 64 },
	{ .type = "big_key",		.plen = 64 },
};
/*
 * Run one table entry: call add_key() with a NULL payload and a nonzero
 * length, then classify the outcome.
 *
 *   success            -> TFAIL (a NULL payload must never be accepted)
 *   EFAULT             -> TPASS (the fixed behaviour)
 *   ENODEV             -> TCONF (key type not available in this kernel)
 *   EBADMSG/asymmetric -> TCONF (type present, no parsers registered)
 *   anything else      -> TFAIL, with the errno reported via TTERRNO
 *
 * Per the file header, kernels without the fix either dereferenced the NULL
 * payload or returned EINVAL depending on the key type; the EINVAL case ends
 * up in the final TFAIL branch.
 *
 * @i: index into tcases[], supplied by the test harness.
 */
static void verify_add_key(unsigned int i)
{
	const char *key_type = tcases[i].type;

	/*
	 * NOTE(review): the description presumably contains a ':' so that
	 * types which insist on a "prefix:name" description (e.g. "logon")
	 * get past description checks -- confirm.
	 */
	TEST(add_key(key_type, "abc:def", NULL, tcases[i].plen,
		     KEY_SPEC_PROCESS_KEYRING));

	if (TST_RET != -1) {
		tst_res(TFAIL,
			"add_key() with key type '%s' unexpectedly succeeded",
			key_type);
		return;
	}

	switch (TST_ERR) {
	case EFAULT:
		tst_res(TPASS, "received expected EFAULT with key type '%s'",
			key_type);
		return;
	case ENODEV:
		tst_res(TCONF, "kernel doesn't support key type '%s'",
			key_type);
		return;
	case EBADMSG:
		/*
		 * The "asymmetric" type can be built in without any
		 * asymmetric key parser being registered; adding such a key
		 * then fails with EBADMSG.  For every other type EBADMSG is
		 * unexpected and falls through to the failure report.
		 */
		if (strcmp(key_type, "asymmetric") == 0) {
			tst_res(TCONF,
				"no asymmetric key parsers are registered");
			return;
		}
		break;
	default:
		break;
	}

	tst_res(TFAIL | TTERRNO, "unexpected error with key type '%s'",
		key_type);
}
/*
 * Test descriptor: verify_add_key() is run once for each tcases[] entry.
 * The tags record the kernel fix commit and the CVE this regression test
 * covers.
 */
static struct tst_test test = {
	.test = verify_add_key,
	.tcnt = ARRAY_SIZE(tcases),
	.tags = (const struct tst_tag[]) {
		{"linux-git", "5649645d725c"},
		{"CVE", "2017-15274"},
		{}	/* empty entry ends the tag list */
	}
};